Comparison of forensic toolkits for reconstructing browser sessions

Data Archeology

Conclusions

The Autopsy tool is the best suited to reconstruct browser-based offenses in our overall assessment. Many of the tools from the toolkits we looked at build on TSK by adding a graphical user interface. In our evaluation of the toolkits shown in Table 2, requirements that were completely fulfilled were marked with a plus (+), partially filled requirements with a circle (o), unfulfilled requirements with a dash (-), and performance not stated with a question mark (?). Some shortcomings are apparent in the testing of configurations and program operations, as well as in the HTTPS/SSL and DNS fields; in fact, none of the toolkits investigated produced actionable results.

Table 2

Requirements

Toolkit OSForensics DFF Autopsy SIFT BackTrack CAINE Paladin TSK
General Requirements
Image integration + + + o o o - +
Search/Filter function + o + + + + ? +
Combination of different data sources - - - - - - ? -
Logging o   o o o o ? -
Scenario-Specific Requirements
Browser Artifacts
Representation - - - - - - ? -
History - - + + + + ? +
Cache o - o o o o ? -
HTTPS/SSL - - - - - - ? -
Passwords o - - - - - ? -
Cookies - - + + + + ? -
Bookmarks o - + o o o ? o
Form data - - - - - - ? -
Downloads - - + - - - ? -
Information/Changes to Underlying Services
DNS/Name resolution o - o o o o ? -
TCP/IP protocol stack - - - - - - ? -
Changes to Configuration
Browser - - - - - - ? -
Components - - - - - - ? -
Modified Program Flow
Browser - - - - - - ? -
Components - - - - - - ? -
+  Requirements were completely fulfilled. o  Requirements were partially fulfilled. -  Requirements were not fulfilled. ?  Not stated.

The existing toolkits primarily offered functions for data analysis, hash verification of individual data sources, filtering, and searching. In the future, improvements in the sense of combining data from different sources are essential. Ideally, a browser session should be traceable in an overall picture, step by step. Along with an extensive analysis and reconstruction of browser-based offenses, additional data sources (e.g., the network components and servers involved) are analyzed with monitoring tools. See the "Browser-Specific Data Sources" box for more information.

Browser-Specific Data Sources

 

Browser Artifacts

  • Volatile data – This data changes from session to session. Recovered data includes opened windows with positions, tabs, scroll positions, and pop-ups. The cache contains the URLs of visited websites and their related elements (e.g., images, text). The history saves all websites visited with time stamps. Logfiles record all events, stating the date, time, and event source. The session key of an https/SSL connection with a website is saved on the user system after validating the site certificate and is used for symmetric encryption.
  • Less volatile data – Cookies are stored in the browser to identify a user's interests and website visits in order, for example, to show user-targeted advertising. Bookmarks are preferred URLs stored by the user in the browser. Login credentials are username-password combinations for logging in to user accounts. Autocompletion data are form data (e.g., name, address, passwords) that can be retrieved automatically and at any time after initial input.
  • Downloads – The download history includes information about which files were downloaded when, and which were canceled during downloading.
  • Configurations – Browser settings allow the investigator to track changes that caused vulnerabilities (e.g., the storage behavior of data).

Browser-Specific Services

The Domain Name System (DNS) is used to map IP addresses to domain names and offers the possibility of incorporating an automatic redirect to a spoofed website. The IP address – if it is not obfuscated – can reveal the user's location.

External Browser Components

A plugin is an additional program that is integrated with a host program through a predefined interface, thus extending the program's functionality. It helps process data on web pages (e.g., PDFs, Flash). Extensions, also known as add-ons, are enhancements to existing hardware or software (e.g., stock tickers, toolbars, pop-up ads).

Additionally, performing a live forensics investigation on volatile data (e.g., active network connections) would be useful. For a more detailed insight into the underlying scientific work, a digital version is available online [10].

Infos

  1. Guide to "Computer Forensics" from Germany's Federal Office for Security in Information Technology, 2011: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Internetsicherheit/Leitfaden_IT-Forensik_pdf.pdf?__blob=publicationFile (in German)
  2. Free computer forensic tools: http://forensiccontrol.com/resources/free-software/
  3. OSForensics: http://www.osforensics.com
  4. Autopsy: http://www.sleuthkit.org/autopsy
  5. Computer Aided Investigative Environment: http://www.caine-live.net
  6. Grep search limitations: http://www.sleuthkit.org/autopsy/help/grep_lim.html
  7. Galleta: http://www.mcafee.com/us/downloads/free-tools/galleta.aspx
  8. Pasco: http://www.mcafee.com/us/downloads/free-tools/pasco.aspx
  9. TSK: http://www.sleuthkit.org/sleuthkit
  10. "Analysis of forensic toolkits for reconstruction of browser-based offenses" by Sandy-Dorothea Hein, 2013: https://www.unibw.de/inf3/forschung/dreo/publikationen/ba-und-ma/2013_hein_browser-forensik.pdf (in German)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Forensic Tools

    Criminals often focus on browsers for various attacks because they are a worthwhile, attractive, and often easy target. However, admins can investigate such attacks with forensic tools that provide the ability to reconstruct browser sessions.

  • Forensic analysis with Autopsy and Sleuth Kit
    Forensic admins can use the Autopsy digital forensics platform to perform an initial analysis of a failed system, looking for traces of a potential attack.
  • Cloud Forensics

    Is your data really secure in the cloud? If a compromise occurs, current forensic approaches will not work and new techniques and standards will be needed.

  • Forensic Analysis on Linux

    In computer forensics, memory analysis is becoming increasingly important as a means for investigating security incidents. In this article, we provide an overview of the various memory dumping options on Linux and introduce the support in Linux for the Volatility Analysis Framework.

  • On the DVD
    CAINE 9.0 (Live, 64-bit)
comments powered by Disqus