Assignment 3 - FORENSICS ANALYSIS OF WEB BROWSERS PDF
METHODOLOGY
Assignment 3
FORENSICS ANALYSIS OF WEB BROWSERS
1.1 INTRODUCTION
The Internet makes access to any system easy. Cyber crimes are increasing day by day and can
cause many different types of damage. If information is not protected appropriately it becomes
open to misuse. A detailed forensic analysis is required to reach a conclusion about an incident.
Criminal activities such as hacking and identity theft can be traced, and the perpetrators punished,
if proper evidence is found against them. Web forensic analysis reveals details such as when, and
in what manner, someone accessed a web page.
The victims of web based attacks can be clients and servers. They can be attacked using false
URLs and redirection to harmful sites. The media of attack on the Internet include the web
browser, database servers and application servers. On the client side, forensic analysis is done to
check the activities of a user; evidence can be found in the browser history, registry entries,
index.dat, temporary files, favorites, cookies, unallocated space holding HTML pages, emails sent
and received, the cache, etc. On the server side, forensic analysis can be done by examining access
logs, FTP logs, network traffic and error logs. Intermediate logs such as antivirus server logs, web
filter logs, spam filter logs and firewall logs also help in collecting evidence.
There are five steps to computer forensics:
1. Preparation
The investigator should be completely aware of the problem, have a proper plan for the
investigation, and acquire permission to access the information that is needed.
2. Collection of the data
Collect the data required for the investigation. Precautions need to be taken while collecting the
data; safety devices such as write blockers should be used.
3. Examination
A careful examination should be done. Sophisticated tools should be used to make sure the tests
give correct results. All possible situations should be kept in mind while the investigation is
being carried out.
4. Analysis
Analysis of the results to reach a conclusion should be transparent. Analysis alone may not lead to
the actual facts; if possible an interview should be conducted to back up the results.
5. Reporting
Reports should be delivered to the concerned authority securely. The reports should be archived
and saved for future reference.
1.4 LITERATURE REVIEW
Presently forensic analysts focus on the stored files of web browsers. More importance is
placed on the structural analysis of internet log files to gather information about a user's activity.
Vendors of web browsers are trying hard to provide secure browsing features, while at the same
time forensic analysts try anti-forensics techniques to get the maximum information about user
activities that is stored on the drive in private or portable mode. Numerous tools are available for
forensic analysis of web browsers. Most of the tools focus on a single browser, and one cannot get
accurate results if the user is using several different browsers.
NIST (National Institute of Standards & Technology) released the architecture of a forensic Web
service (FWS) that would protect records between Web services. The secure records can be
re-linked to reproduce the history. [3]
Seunghee et al. made use of image files of Web URL pages from the same time that is recorded in
the log files, in order to properly document the evidence of a crime. These log entries serve as
traces of digital evidence of the crime. [3]
The approach proposed by Lin et al. is a forensic system that extracts timestamps and any other
clues to the events that can be found in the log file.
Campidoglio et al. [4] suggest Digital Rights Management (DRM) systems to safeguard the
legal rights associated with data. The authors further explain the different rights, the laws against
piracy and the effects of piracy, and are confident that DRM systems help support the legal rights
associated with digital content.
Murillo et al. explain how the IE browser deletes the history and ways to recover the deleted
history. A detailed Firefox forensic analysis is also presented using forensic utility tools. Murillo
et al. propose an algorithm to recover deleted SQLite entries based on known internal record
structures. [3]
Jim, in his paper, advised that a proper investigation methodology should be followed, as
follows:
1) Safeguard the system during the investigation from possible data loss.
2) Discover all files needed for the forensic investigation:
a. Web server and application server logs
b. Server side scripts
c. Configuration files of the application server and web server
d. Third party installed software logs and important files
e. OS logs and registry entries
3) Group the collected evidence on the basis of timestamps.
4) Analyze the data and try to re-establish the activity or chain of commands.
5) Summarize the findings.
Emad Sayed Noorulla proposed two approaches. The first was that file system monitoring tools
should be used to examine the different reads and writes on the file system. On Windows based
systems Regmon, Procmon and Filemon were used; for Linux and Mac OS X based systems
DaemonFS was used. The author uses data carving techniques to extract specific types of data.
Tools used are RegMon, FileMon, DaemonFS, Recuva, Rekall, Magnet Forensics Internet Evidence
Finder and OSXPmem. The second approach was to launch the browser in private mode, browse
any website and then close the browser. A live memory capture is then taken using any memory
capture tool and saved on an external drive. After copying to the external drive, a data carving
tool is run against the image to extract the required evidence.
Ahmad Ghafarian and Seyed Amin Hosseini Seno [5] performed static media forensics and live
memory forensics. In static forensics, different logging files such as registry keys, cache, cookies,
temp and recent files were examined. In live memory forensics, a RAM capture was done and
then analysis of the captured RAM was carried out. For the RAM capture, FTK and DumpIt were
used.
Narmeen Shafqat [6] carried out her analysis on Google Chrome running on Windows 8. She
made her analysis in normal, private and portable mode. Two approaches were mentioned in the
paper. The first is to take an image of the drive, choose the user's search words contained in the
history file, and then use the FTK Live Search option to search for those keywords in the imaged
drive. The data obtained can then be authenticated using CRC (cyclic redundancy check), SHA-1
(Secure Hash Algorithm) or MD5 (Message Digest Algorithm).
The second approach is to open each file present in Chrome's Default folder and analyze it
separately for internet evidence using various forensic tools and techniques. Then, validate all the
results with alternative open source tools too, if proprietary software has not been used in the
investigation. The author mentions where an analyst can find the related data, which is shown in
the table below.
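The first approach Shafqat describes, authenticating the acquired image with hash values and then searching it for the user's own search terms, as an added Python example that is not from the paper or from this assignment; the image bytes and the keywords are constructed for the demonstration.

```python
import hashlib
import re
import zlib

# Constructed stand-in for an acquired drive image (a real case would read the
# .dd/.E01 file in chunks). It mixes ASCII and UTF-16LE fragments of the kind
# left in browser history and cache with filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"https://example.test/search?q=forensic+tools\x00"
    + b"\xff" * 16
    + "visited: forensic evidence".encode("utf-16-le")
    + b"\x00" * 8
    + b"unrelated data"
)


def image_digests(data: bytes) -> dict:
    """CRC32, MD5 and SHA-1 of the image, recorded at acquisition time."""
    return {
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_image(data: bytes, recorded: dict) -> bool:
    """Re-hash the working copy and compare with the digests recorded at
    acquisition; any mismatch means findings from it cannot be authenticated."""
    current = image_digests(data)
    return all(current.get(name) == value for name, value in recorded.items())


def keyword_search(data: bytes, keywords) -> list:
    """Find each keyword as ASCII and as UTF-16LE (the encoding Windows and
    Chrome use for much on-disk text), case-insensitively. Returns sorted
    (offset, keyword, encoding) tuples to examine in a hex viewer or carve around."""
    hits = []
    for keyword in keywords:
        for encoding in ("ascii", "utf-16-le"):
            pattern = re.escape(keyword.encode(encoding))
            for match in re.finditer(pattern, data, re.IGNORECASE):
                hits.append((match.start(), keyword, encoding))
    return sorted(hits)


if __name__ == "__main__":
    recorded = image_digests(SAMPLE_IMAGE)  # digests taken at acquisition
    print("image verified:", verify_image(SAMPLE_IMAGE, recorded))
    for offset, keyword, encoding in keyword_search(SAMPLE_IMAGE, ["forensic", "evidence"]):
        print(f"offset 0x{offset:06x}: {keyword!r} as {encoding}")
```

Searching both encodings matters on Windows: a term that appears only in UTF-16LE is invisible to a plain ASCII string search.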
Aditya Mahendrakar [9] researched the traces left in memory after using the private mode of a
browser. According to the author, browsers are not created equal with regard to the type and
quantity of data that is left behind. First he developed a website containing pages that required
interaction with SSL certificates, passwords, HTML files, JPEG files and cookies. Each of these
had signatures which could easily be searched for in memory, which made it quick to confirm that
a particular artifact could be found in memory. Windows 7 was installed on VMware Workstation,
and snapshots were taken and compared. The snapshots gave a clear image of the physical
memory.
Erhan Akbal, Fatma Güneş and Ayhan Akbal in their research paper [10] mention that information
like URLs, search terms, cookies, cache files, access time and visit time is contained in
memory. Different users can access each other's information. According to the authors, web
browsers are important tools to di information about cyber-crimes. Uncovering a suspect's
profile and connections depends on the web registry. In this paper, it was described how to get user
web browser activities from an image of evidence. Application usage was shown and compared.
Tools used are IEF, WEFA, NetAnalysis, Browser History Examiner, FTK and EnCase.
Esther D. Adautin and Nagoor Meeran A.R. revealed in their paper [11] that portable web
browsing artifacts can easily be obtained from memory dumps. They suggested that not all of the
artifacts were located on the hard drive, and some are left on the host machine. Every search
made, such as image search, document search and video search, together with accessed email
accounts, can be recovered. This analysis is of great importance because the recovered artifacts
were obtained without the flash drive, contradicting the statement made by earlier researchers.
REFERENCES
[1] https://www.symantec.com/connect/articles/web-browser-forensics-part-1
[2] http://forensicmethods.com/category/browser-forensics
[3] http://sci.tamucc.edu/~cams/projects/345.pdf
[4] http://scholarworks.rit.edu/cgi/viewcontent.cgi?article=9474&context=theses
[5] http://www.ijcaonline.org/archives/volume147/number8/ghafarian-2016-ijca-911009.pdf
[6] http://paper.ijcsns.org/07_book/201609/20160919.pdf
[7] https://www.lowmanio.co.uk/blog/entries/how-google-chrome-stores-web-history/
[8] https://digital-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/
[9] https://pdfs.semanticscholar.org/9d1a/2ea16ee7fe722774ccabb4ec5e3bdfe0e9ec.pdf
[10] http://www.jsoftware.us/vol11/170-CS019.pdf
[11] http://www.ijcaonline.org/research/volume128/number18/adautin-2015-ijca-906741.pdf
[12] https://www.hackers-arise.com/single-post/2016/11/17/Digital-Forensics-Part-7-Browser-Forensics
[13] https://davidkoepi.wordpress.com/category/browser-forensics/
[14] http://forensicmethods.com/collusion-tracking#more-1560
[15] http://www.acquireforensics.com/blog/google-chrome-browser-forensics.html
[16] http://www.forensicswiki.org/wiki/Google_Chrome