Browser Forensics 6/3/2015
PC and Mobile Browser Evidence
Jad Saliba
Ryan Duquette
Agenda
• PC and Mobile based browsers
• Closer look into where they store data and what IEF recovers
• Specific Chrome and Firefox artifacts
• Refined Results
• Various URL Results
• Google Search URLs vs Parsed Search Queries
• Google Map Queries
• Our “Browser Activity” category
• In-Private/Recovery artifacts v PrivacIE
• Flash Cookies
• Google Analytics
• Rebuilt Webpages
IEF Browser Artifacts
PC Based Artifacts
Mobile Based Artifacts
Browsers – Market Share
Browsers – Market Share
Browsers
Chrome
PC Based Browsers - Chrome
• SQLite Database
• %root%/Users/%userprofile%/AppData/Local/Google/Chrome/User Data/Default
• Chrome Incognito
PC Based Browsers - Chrome
Chrome
• Web History
• Web Visits
• Search Terms
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Cookies
• Archived Web History
• Fav Icons
• History Index
• Bookmarks
• Current Sessions
• Current Tabs
• Last Sessions
• Last Tabs
• Cache Records
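An added example, not taken from the slides and not IEF code: how the Web Visits and Search Terms rows can be read from Chrome's SQLite `History` file in the profile directory above. The `urls`, `visits` and `keyword_search_terms` tables are Chrome's own schema (only a subset of columns is used); the sample rows and the in-memory database are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Low byte of visits.transition is the core type; higher bits are qualifiers.
CORE_TRANSITION = {0: "link", 1: "typed", 5: "generated", 7: "form_submit", 8: "reload"}

def webkit_to_utc(us):
    """Chrome timestamps are microseconds since 1601-01-01 UTC; 0 means not set."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None

def build_sample_history():
    """Constructed stand-in for a working copy of History (subset of columns)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER, term TEXT);
        INSERT INTO urls VALUES
          (1, 'https://example.com/', 'Example Domain', 1, 1, 13077806400000000),
          (2, 'https://www.google.com/search?q=sqlite+forensics',
              'sqlite forensics - Google Search', 1, 0, 13077806460000000);
        INSERT INTO visits VALUES
          (1, 1, 13077806400000000, 0, 805306369),  -- 0x30000001: typed
          (2, 2, 13077806460000000, 0, 805306373);  -- 0x30000005: generated
        INSERT INTO keyword_search_terms VALUES (2, 2, 'sqlite forensics');
    """)
    return db

def web_visits(db):
    """One row per visit, oldest first, with the parsed search term when present."""
    rows = db.execute("""
        SELECT v.visit_time, u.url, v.transition & 255, k.term
        FROM visits v JOIN urls u ON u.id = v.url
        LEFT JOIN keyword_search_terms k ON k.url_id = u.id
        ORDER BY v.visit_time""").fetchall()
    return [(webkit_to_utc(t), url, CORE_TRANSITION.get(core, str(core)), term)
            for t, url, core, term in rows]

if __name__ == "__main__":
    for when, url, how, term in web_visits(build_sample_history()):
        print(when.isoformat(), how, url, term or "")
```

On a real case, point `sqlite3.connect` at a working copy of the `History` file rather than the original evidence, since opening a live SQLite file can modify it.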
Firefox
PC Based Browsers - Firefox
• SQLite Database
• %root%/Users/%userprofile%/AppData/Local/Mozilla/Firefox/Profiles/*.default/Cache
• Firefox Private Browsing
PC Based Browsers - Firefox
Firefox
• Bookmarks
• Cookies
• Downloads
• Fav Icons
• Form History
• Form Input History
• Web History
• Session Store
• Cache Records
• Web Visits
• Private Browsing History
Internet Explorer
PC Based Browsers – Internet Explorer (5-9)
• index.dat files
• \Documents and Settings\[username]\Local Settings\History\History.IE5
PC Based Browsers – Internet Explorer (5-9)
IE (5-9)
• Cache
• Cookies
• Downloads
• Main History
• Daily History
• Weekly History
• Leak
• PrivacIE
• Redirect
• Typed URL’s
• InPrivate/Recovery URL’s
PC Based Browsers – Internet Explorer (10+)
• No more index.dat
• ESE Databases
• Webcache.dat and log files
• %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/History
• InPrivate Browsing
PC Based Browsers – Internet Explorer (10+)
IE (10+)
• Content (similar to Cache)
• Cookies
• Main History
• Daily/Weekly History
• Dependency Entries
• Downloads
THIS IS MICROSOFT EDGE!
Browsers – Microsoft Edge
• The database filename is “WebCacheV01.dat” (unchanged from IE10/11).
• The recovery/InPrivate (“travel log”) record format has not changed either.
• It looks like the plan will be to keep both browsers on Windows 10 (IE11 and Edge) at least for now, so IE11 can be used for older website compatibility.
• You’ll want to make sure to recover browser history from both browsers in their