Magnet Forensics PowerPoint template · Browsers –Market Share . Browser Forensics 6/3/2015 3 ......

Browser Forensics 6/3/2015

1

PC and Mobile Browser Evidence Jad Saliba

Ryan Duquette

Agenda

• PC and Mobile based browsers

• Closer look into where they store data and what IEF recovers

• Specific Chrome and Firefox artifacts

• Refined Results

• Various URL Results

• Google Search URLs vs Parsed Search Queries

• Google Map Queries

• Our “Browser Activity” category

• In-Private/Recovery artifacts v PrivacIE

• Flash Cookies

• Google Analytics

• Rebuilt Webpages


2

IEF Browser Artifacts

PC Based Artifacts

Mobile Based Artifacts

Browsers – Market Share


3

Browsers – Market Share

Browsers


4

Chrome

PC Based Browsers - Chrome

• SQLite Database

• %root%/Users/%userprofile%/AppData/

Local/Google/Chrome/User

Data/Default

• Chrome Incognito


5

PC Based Browsers - Chrome Chrome

Web History Web Visits

Search Terms Downloads

Top Sites Autofill

Autofill Profiles Credit Cards

Logins Cookies

Archived Web History Fav Icons

History Index Bookmarks

Current Sessions Current Tabs

Last Sessions Last Tabs

Cache Records

Firefox


6

PC Based Browsers - Firefox

• SQLite Database

• %root%/Users/%userprofile%/AppData

/Local/Mozilla/Firefox/Profiles/*.default/

Cache

• Firefox Private Browsing

PC Based Browsers - Firefox

Firefox

Bookmarks Cookies

Downloads Fav Icons

Form History Form Input History

Web History Session Store

Cache Records Web Visits

Private Browsing History


7

Internet Explorer

PC Based Browsers – Internet Explorer (5-9)

• index.dat files

• \Documents and

Settings\[username]\Local

Settings\History\History.IE5


8

PC Based Browsers – Internet Explorer (5-9)

IE (5-9)

Cache Cookies

Downloads Main History

Daily History Weekly History

Leak PrivacIE

Redirect Typed URL’s

InPrivate/Recovery URL’s

PC Based Browsers – Internet Explorer (10+)

• No more index.dat

• ESE Databases

• Webcache.dat and log files

• %root%/Users/%userprofile%/AppData/

Local/Microsoft/Windows/History

• InPrivate Browsing


9

PC Based Browsers – Internet Explorer (10+)

IE (10+)

Content (similar to Cache) Cookies

Main History Daily/Weekly History

Dependency Entries Downloads

THIS IS MICROSOFT EDGE!


10

Browsers – Microsoft Edge

• The database filename is “WebCacheV01.dat” (unchanged from IE10/11).

• The recovery/InPrivate (“travel log”) record format has not changed either.

• It looks like the plan will be to keep both browsers on Windows 10 (IE11 and Edge)

at least for now, so IE11 can be used for older website compatibility.

• You’ll want to make sure to recover browser history from both browsers in their

respective locations

• (IE11 history is still stored in this folder:

C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache).

Browsers – Microsoft Edge

Some slight path differences:

• Cookies are located in this folder:

• C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8b

bwe\AC\Spartan\Cookies

• The cache/Temporary Internet Files are located in this folder:


bwe\AC\Spartan\Cache

• Recovery URL files are located in this folder:


bwe\AC\Spartan\User\Default\Recovery

• The location for browsing history is in this folder:

• C:\Users\<username>\AppData\Local\Spartan\Database


11

Mobile

Mobile Based Browsers - Android

Chrome on Android:

Data stored in:

"ROOT/data/data/com.android.chrome/app_chrome/Default

• Sqlite.db files are not obfuscated/encrypted

Firefox for Android:

Data stored in ROOT/data/data/org.mozilla.firefox

• Sqlite.db files are not encrypted


12


Chrome - Android

Webkit Artifacts Downloads

Top Sites Autofill


Logins Login Data

Cookies Archived Web History

Fav Icons Bookmarks

Cache History

Searches


Firefox – Android

Cache Records Web History

Bookmarks Form History

Cookies


13

Mobile Based Browsers - iOS

Chrome on iOS:

• Data stored in ROOT/private/var/mobile/Applications/5661B076-549E-4480-B940-E96C6DA4E0BA (GUID may differ on each device)

• User data stored in ChromeROOT/Library/Application Support/Google/Chrome/Default/

• Not encrypted or obfuscated

Safari on iOS:

• Data stored at ROOT/private/var/mobile/Applications/6551E25E-89C0-4CCD-B8DE-9F3949D59EDB (GUID may differ on each device)

• User data in SafariROOT/Library/Caches/com.apple.mobilesafari

• Not encrypted or obfuscated


Chrome - iOS

Webkit Artifacts Downloads

Top Sites Autofill


Logins Login Data

Cookies Archived Web History

Fav Icons History Index

Bookmarks Current Sessions

Current Tabs Last Tab

Cache


14


Safari – iOS

Bookmarks Web History

Cache Records Bookmarks

Mobile Based Browsers – Windows Phone

Data Stored in:

• \User\DefApps\APPDATA{218A0EBB-1585-4C7E-A9EC-054CF4569A79\


15

Mobile Based Browsers - Windows Phone

Internet Explorer – Windows Phone

Cache Cookies

Downloads History Main

History Daily History Weekly

IE Leak IE Privacy

IE Redirect IE Cache

IE Cookies Typed URLs

Chrome Tabs / Sessions(Last / Current)


16

Chrome

Current Session

• Contains URLs from current

Chrome session

• “Last Session” file contains

data from the previous

session

Chrome Current Tabs

• Currently opened URLs /

tabs

• “Last Tabs” file also exists

• Data is in an “SNSS”

format (proprietary)


17

Chrome FavIcons, History Index, Top Sites, and more!

Chrome Logins

• Great place to start an

investigation to see

what websites a user

logged into


18

Chrome Favicons

• Stores the

“favicons.ico” data for

sites

• Timestamp is not

necessarily the last

visited time

Chrome

History Index

• Stores text content

from websites visited

• Can provide great

information regarding

site content

• Useful for keyword

searches


19

Chrome

Top Sites

• Stores a thumbnail of a

“top site”

• Top Sites are frequently

visited sites

Chrome

Web History

• Consolidated history

view

• Does not show every

visit time, only visit

counts, etc

• Useful for quick

overview


20

Chrome

Web Visits

• Every visit shown

• Useful for timelines,

extra detail

• http://bit.ly example

here lines up with

previous slide

Chrome/etc

Carved History

• Carved URLs that were

stored in the Chrome

SQLite format

• 360 Safe Browser,

Opera, and potentially

other browsers store

history in the same

format


21

Firefox Session Store

Firefox

Session Store

Artifacts

• SessionStore.js

SessionSore.bak

• Similar to Last

Session/Tabs in

Chrome

• Can be carved

• Can contain the

referring site


22

Refined Results

Refined Results

• Categorizes commonly investigated URLs

for easier analysis

• Multiple artifact sources/browsers

• Investigators can create custom lists or

add to existing list

• Recovers search queries from common

search engines such as Google and Bing


23

Refined Results – Various URL’s

IEF searches for:

• Classified URLS’s

• Cloud Services URL’s

• Dating Site URL’s

• Facebook URL’s

• Tax Site URL’s

• Web Chat URLS’s

• Pornography Site URL’s

• Social Media URL’s

• Torrent Site URL’s

• Malware URL’s

Social Media URL’s

• Good place to start investigation to see user activity in relation to social

media conversations.


24

Initial Introductions – LinkedIn

• Many social

media sites are

connected to an

email account

Facebook URLs


25

• Potential Activity

• Snapshot of FB Activity

Google Searches


26

Google Searches

• Original Search Query

• Timestamp differences

(favicon)

• &ei= parameter

• Search Session

timestamp


27

Refined Results –Google Searches vs Parsed Search Queries

IEF uses REGEX expressions and will search through all Browser data.

^https?://(?!maps).*\.google\..*/ | Google Searches

(\&|\#|\?)q= | Google Searches

Refined Results –Google Searches vs Parsed Search Queries

IEF will parse Search Queries from the following:

• bing | Bing

• yahoo | Yahoo

• youtube | YouTube

• piratebay | PirateBay

• facebook | Facebook

• ?value= | Facebook


28

Google Translate

• Translation string

• Language from/to


29

Google Maps

• Started in 2004

• Over 1,162,460 sites use Google Maps

• Overtook MapQuest in terms of traffic in 2009

• Google Maps Navigation, included on Android handsets,

has guided users 12 billion miles a year

• 200 million users on Google Maps for Mobile

• Cases involving runaway youths, kidnapping, luring, homicide

Google Maps

• Temporary Internet Files

• RAM captures

• pagefile.sys / hiberfil.sys


30

Google Maps

• Uses a tile system to display maps

• Each tile is 256x256 pixels

• Filename in Temporary Internet Files contains x, y, and z coordinates

• Coordinates are based on a world map

• x, y requires the z value (zoom)

Examples:

• lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png

• &x=9054&y=11982&z=15.png

Google Maps


31

Google Maps

Tiles can be downloaded:

http://mt.google.com/vt/&x=XXX&y=XXX&z=XXX


32

http://www.darrinward.com/lat-long/

New Google Maps

• Newer version of Google Maps launched in March 2014

• Tile filenames and URLs are different now (thanks, Google!)

• It’s not pretty:

• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3

m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7

s!20m1!1b1[1].png


33

New Google Maps

The new URLs:

https://www.google.com/maps/@43.7242262,-79.4051719,12z

https://www.google.com/maps/place/Cambridge,+ON/@43.4022995,-80.332588,12z/data=!3m1!4b1!4m2!3m1!1s0x882b89b820e46c19:0x5037b28c7231d70

https://www.google.com/maps/dir/Ayr,+ON,+Canada/123+Gunn+Ave,+Cambridge,+ON+N3C+2Z6,+Canada/@43.3588082,-80.5205289,11z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x882c732d9485d199:0x581a671dca1a1705!2m2!1d-80.4507835!2d43.2854723!1m5!1m1!1s0x882b88f2ca61211d:0xf99f9dd46477f986!2m2!1d-80.2990956!2d43.4253036

New Google Maps

The new tiles:

• Sample filename:

• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e

1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png

• Another sample, slightly different:

• pb=!1m5!1m4!1i15!2i18147!3i23991!4i128!2m1!1e0!3m3!5e1105!12m1!

1e47!4e0[1].png


34

Browser Activity

• Targeting Incognito,

Private browsing

• Why it’s called Browser

Activity

• Need to look at multiple

variables


35

Another example


36

The Source column

• A real hit

• User activity

• Source is helpful


37


Original

Search

Term

Google

Searches

Classified

URL’s


Never

visited this

webpage


38

InPrivate/Recovery URLs

• More context,

but still limited

• InPrivate vs

Recovery

• Source is a

clue again


39

• Hits from pagefile,

unallocated are

more difficult

Incognito/Private Browsing Mode


40

Firefox Private browsing



41


Observations:

• Nothing is written to disk (relating to web activity)

• Great deal of data left behind in RAM, pagefile.sys, and hiberfil.sys

• However, hard to pinpoint if records were from the user or browser

processes (cert authority URLs sometimes found)

• Also hard to label as Firefox history (could be from Chrome or other

browsers)



42

Chrome Incognito browsing



43


Observations:

• Nothing is written to disk (relating to web activity)

• Good deal of data left behind in RAM, pagefile.sys, and hiberfil.sys

• However, hard to pinpoint if records were from the user or browser

processes (cert authority URLs sometimes found)

• Like Firefox, also hard to label as Chrome history (could be from

Firefox or other browsers)



44


45

Flash Cookies / Local Shared Objects


46

• Cookies stored by

Macromedia Flash

• Different format and

location from traditional

browser cookies

• Can contain metadata or

user identifying info

• Not easily deleted

• Can reveal visited sites

even when Incognito/etc

• Stored in .sol files

• Under AppData or

Application Data

• Folder location can

be indicative as well


47

Google Analytics

Google Analytics Cookies

Google Analytics cookie data parsed

by IEF into sub-categoriesFirst Visit

Referral

Session

Each sub-category represents

separate record entries from the

same Google Analytics cookie file


48

Google Analytics First Visit Cookies

Timestamps stored as Unix numeric values

Rebuilt Webpages


49

THANK YOU!

Date post:	31-Aug-2018
Category:	Documents
Upload:	doanthuan
View:	220 times
Download:	1 times