Lead Image © stockbksts, 123RF.com

Comparison of forensic toolkits for reconstructing browser sessions

Data Archeology

Article from ADMIN 18/2013
Criminals often focus on browsers for various attacks because they are a worthwhile, attractive, and often easy target. However, admins can investigate such attacks with forensic tools that provide the ability to reconstruct browser sessions.

Fast innovation cycles make securing a system against all vulnerabilities virtually impossible. If an attack succeeds, taking certain steps can at least uncover the actions of the criminals to preserve evidence or to harden the system against repeat attacks.

To investigate how a postmortem analysis proceeds (see the "IT Forensics" box), we'll look at the following sample scenario: On his lunch break, an office clerk uses his colleague's computer, without the consent of his neighbor, to order several books under this neighbor's Amazon account and at his neighbor's expense. To conceal his actions, the attacker then shuts down the computer. How could you prove this crime took place?

IT Forensics

The computer forensics guide by Germany's Federal Office for Information Security (BSI) [1] defines computer forensics as "the strict, methodological data analysis of data carriers and computer networks to investigate incidents involving possibilities for strategic preparation, in particular from the point of view of the operator of an IT system."

In terms of timing, computer forensics distinguishes between live forensics and postmortem analysis. Live forensics takes place after the incident has occurred but before the affected system is shut down. The focus is on securing and analyzing volatile data, such as RAM, active processes, and network connections. Because backing up this data itself changes it, however, the analysis results are contestable.

Postmortem analysis takes place after the first shutdown of the system. Thus, the volatile data is lost, which explains the focus on non-volatile data (renamed, deleted, hidden, or encrypted files).

On the basis of this scenario, researchers mutually define general and scenario-specific requirements

...