Comparison of forensic toolkits for reconstructing browser sessions
Data Archeology
Conclusions
The Autopsy tool is the best suited to reconstruct browser-based offenses in our overall assessment. Many of the tools from the toolkits we looked at build on TSK by adding a graphical user interface. In our evaluation of the toolkits shown in Table 2, requirements that were completely fulfilled are marked with a plus (+), partially fulfilled requirements with a circle (o), unfulfilled requirements with a dash (-), and performance not stated with a question mark (?). Some shortcomings are apparent in the testing of configurations and program operations, as well as in the HTTPS/SSL and DNS fields; in fact, none of the toolkits investigated produced actionable results there.
Table 2: Requirements

Toolkit | OSForensics | DFF | Autopsy | SIFT | BackTrack | CAINE | Paladin | TSK |
---|---|---|---|---|---|---|---|---|
General Requirements | | | | | | | | |
Image integration | + | + | + | o | o | o | - | + |
Search/Filter function | + | o | + | + | + | + | ? | + |
Combination of different data sources | - | - | - | - | - | - | ? | - |
Logging | o | o | o | o | o | ? | - | |
Scenario-Specific Requirements | | | | | | | | |
Browser Artifacts | | | | | | | | |
Representation | - | - | - | - | - | - | ? | - |
History | - | - | + | + | + | + | ? | + |
Cache | o | - | o | o | o | o | ? | - |
HTTPS/SSL | - | - | - | - | - | - | ? | - |
Passwords | o | - | - | - | - | - | ? | - |
Cookies | - | - | + | + | + | + | ? | - |
Bookmarks | o | - | + | o | o | o | ? | o |
Form data | - | - | - | - | - | - | ? | - |
Downloads | - | - | + | - | - | - | ? | - |
Information/Changes to Underlying Services | | | | | | | | |
DNS/Name resolution | o | - | o | o | o | o | ? | - |
TCP/IP protocol stack | - | - | - | - | - | - | ? | - |
Changes to Configuration | | | | | | | | |
Browser | - | - | - | - | - | - | ? | - |
Components | - | - | - | - | - | - | ? | - |
Modified Program Flow | | | | | | | | |
Browser | - | - | - | - | - | - | ? | - |
Components | - | - | - | - | - | - | ? | - |

Legend: + Requirements were completely fulfilled. o Requirements were partially fulfilled. - Requirements were not fulfilled. ? Not stated.
The existing toolkits primarily offer functions for data analysis, hash verification of individual data sources, filtering, and searching. Future improvements must focus on combining data from different sources. Ideally, a browser session should be traceable as an overall picture, step by step. Along with an extensive analysis and reconstruction of browser-based offenses, additional data sources (e.g., the network components and servers involved) are analyzed with monitoring tools. See the "Browser-Specific Data Sources" box for more information.
Browser-Specific Data Sources
Browser Artifacts
- Volatile data – This data changes from session to session. Recovered data includes opened windows with positions, tabs, scroll positions, and pop-ups. The cache contains the URLs of visited websites and their related elements (e.g., images, text). The history saves all websites visited with time stamps. Logfiles record all events, stating the date, time, and event source. The session key of an https/SSL connection with a website is saved on the user system after validating the site certificate and is used for symmetric encryption.
- Less volatile data – Cookies are stored in the browser to identify a user's interests and website visits in order, for example, to show user-targeted advertising. Bookmarks are preferred URLs stored by the user in the browser. Login credentials are username-password combinations for logging in to user accounts. Autocompletion data are form data (e.g., name, address, passwords) that can be retrieved automatically and at any time after initial input.
- Downloads – The download history includes information about which files were downloaded when, and which were canceled during downloading.
- Configurations – Browser settings allow the investigator to track changes that caused vulnerabilities (e.g., the storage behavior of data).
Browser-Specific Services
The Domain Name System (DNS) is used to map domain names to IP addresses, and a manipulated resolution can redirect a user automatically to a spoofed website. The IP address – if it is not obfuscated – can reveal the user's location.
External Browser Components
A plugin is an additional program that is integrated with a host program through a predefined interface, thus extending the program's functionality. It helps process data on web pages (e.g., PDFs, Flash). Extensions, also known as add-ons, are enhancements to existing hardware or software (e.g., stock tickers, toolbars, pop-up ads).
Additionally, performing a live forensics investigation on volatile data (e.g., active network connections) would be useful. For a more detailed insight into the underlying scientific work, a digital version is available online [10].
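The conclusion above faults every toolkit for not combining data sources into a step-by-step picture of a session, and the box lists the artifacts (history with timestamps, downloads, including cancelled ones) that such a picture would draw on. The following added example, which is not code from the article or from any of the toolkits it compares, shows the minimal form of that combination: history visits from a Firefox-style profile and visits plus downloads from a Chromium-style profile are normalized to UTC and merged into one ordered timeline. The table layouts are simplified approximations of the public Firefox (places.sqlite) and Chromium (History) schemas, the databases are constructed in memory for the demonstration, and the treatment of a download whose received bytes fall short of its total as incomplete is an assumption of this example, not a rule stated on the page.

```python
"""Merge browser history and download artifacts from two constructed profile
databases into one chronological session timeline (added example; not code from
the article or from the toolkits it compares)."""
import sqlite3
from datetime import datetime, timezone

# Epoch conventions of the two browser families (well known, not from the article):
#   Firefox stores PRTime: microseconds since 1970-01-01 UTC.
#   Chromium stores WebKit time: microseconds since 1601-01-01 UTC.
WEBKIT_TO_UNIX_OFFSET_S = 11_644_473_600


def firefox_us_to_dt(us):
    """Convert a Firefox PRTime value to an aware UTC datetime."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def chromium_us_to_dt(us):
    """Convert a Chromium/WebKit timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(us / 1_000_000 - WEBKIT_TO_UNIX_OFFSET_S, tz=timezone.utc)


def build_firefox_sample():
    """Constructed in-memory stand-in for places.sqlite (simplified schema, sample rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, from_visit INTEGER);
    """)
    db.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://shop.example/login", "Login"),
        (2, "https://shop.example/account", "Account"),
    ])
    # Visits at 2013-05-14 09:00:00 and 09:00:30 UTC; from_visit links the click chain.
    db.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)", [
        (1, 1, 1_368_522_000_000_000, 0),
        (2, 2, 1_368_522_030_000_000, 1),
    ])
    return db


def build_chromium_sample():
    """Constructed in-memory stand-in for a Chromium History database (simplified schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, received_bytes INTEGER,
                                total_bytes INTEGER);
    """)
    db.execute("INSERT INTO urls VALUES (?, ?, ?)",
               (1, "https://files.example/update.exe", "Update"))
    # 09:00:45 UTC = Unix 1368522045 s -> WebKit (1368522045 + 11644473600) s in microseconds.
    db.execute("INSERT INTO visits VALUES (?, ?, ?)", (1, 1, 13_012_995_645_000_000))
    # 09:01:00 UTC; only 4096 of 1048576 bytes received, i.e. the download did not finish.
    db.execute("INSERT INTO downloads VALUES (?, ?, ?, ?, ?)",
               (1, r"C:\Users\u\Downloads\update.exe", 13_012_995_660_000_000, 4096, 1048576))
    return db


def collect_events(firefox_db, chromium_db):
    """Pull history and download events from both profiles into one time-ordered list."""
    events = []
    for visit_date, url in firefox_db.execute(
            "SELECT v.visit_date, p.url FROM moz_historyvisits v "
            "JOIN moz_places p ON p.id = v.place_id"):
        events.append((firefox_us_to_dt(visit_date), "firefox", "history", url))
    for visit_time, url in chromium_db.execute(
            "SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url"):
        events.append((chromium_us_to_dt(visit_time), "chromium", "history", url))
    for start, path, got, total in chromium_db.execute(
            "SELECT start_time, target_path, received_bytes, total_bytes FROM downloads"):
        # Assumed heuristic: fewer bytes received than expected means the transfer did not complete.
        status = "complete" if got >= total else f"incomplete ({got}/{total} bytes)"
        events.append((chromium_us_to_dt(start), "chromium", "download", f"{path} [{status}]"))
    return sorted(events)  # sorts on the UTC timestamp first


def render_timeline(events):
    """One line per event in ISO-8601 UTC, so the session reads step by step."""
    return [f"{ts.isoformat()} {src:<8} {kind:<8} {detail}" for ts, src, kind, detail in events]


def build_timeline():
    return render_timeline(collect_events(build_firefox_sample(), build_chromium_sample()))


if __name__ == "__main__":
    print("\n".join(build_timeline()))
```

The only non-trivial step is the timestamp normalization: the two browser families use different epochs, and a merged timeline that skips this step silently places Chromium events centuries apart from Firefox ones. The same pattern extends to cookies, bookmarks, and cache entries by adding one query per artifact table.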
Infos
- Guide to "Computer Forensics" from Germany's Federal Office for Security in Information Technology, 2011: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Internetsicherheit/Leitfaden_IT-Forensik_pdf.pdf?__blob=publicationFile (in German)
- Free computer forensic tools: http://forensiccontrol.com/resources/free-software/
- OSForensics: http://www.osforensics.com
- Autopsy: http://www.sleuthkit.org/autopsy
- Computer Aided Investigative Environment: http://www.caine-live.net
- Grep search limitations: http://www.sleuthkit.org/autopsy/help/grep_lim.html
- Galleta: http://www.mcafee.com/us/downloads/free-tools/galleta.aspx
- Pasco: http://www.mcafee.com/us/downloads/free-tools/pasco.aspx
- TSK: http://www.sleuthkit.org/sleuthkit
- "Analysis of forensic toolkits for reconstruction of browser-based offenses" by Sandy-Dorothea Hein, 2013: https://www.unibw.de/inf3/forschung/dreo/publikationen/ba-und-ma/2013_hein_browser-forensik.pdf (in German)