Browser Forensics 6/3/2015
PC and Mobile Browser Evidence
Jad Saliba, Ryan Duquette
Agenda
• PC and Mobile based browsers
• Closer look into where they store data and what IEF recovers
• Specific Chrome and Firefox artifacts
• Refined Results
• Various URL Results
• Google Search URLs vs Parsed Search Queries
• Google Map Queries
• Our “Browser Activity” category
• In-Private/Recovery artifacts vs PrivacIE
• Flash Cookies
• Google Analytics
• Rebuilt Webpages
IEF Browser Artifacts
PC Based Artifacts
Mobile Based Artifacts
Browsers – Market Share
Browsers
Chrome
PC Based Browsers - Chrome
• SQLite Database
• %root%/Users/%userprofile%/AppData/Local/Google/Chrome/User Data/Default
• Chrome Incognito
PC Based Browsers - Chrome
Chrome artifacts:
• Web History
• Web Visits
• Search Terms
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Cookies
• Archived Web History
• Fav Icons
• History Index
• Bookmarks
• Current Sessions
• Current Tabs
• Last Sessions
• Last Tabs
• Cache Records
Firefox
PC Based Browsers - Firefox
• SQLite Database
• %root%/Users/%userprofile%/AppData/Local/Mozilla/Firefox/Profiles/*.default/Cache
• Firefox Private Browsing
PC Based Browsers - Firefox
Firefox artifacts:
• Bookmarks
• Cookies
• Downloads
• Fav Icons
• Form History
• Form Input History
• Web History
• Session Store
• Cache Records
• Web Visits
• Private Browsing History
Internet Explorer
PC Based Browsers – Internet Explorer (5-9)
• index.dat files
• \Documents and Settings\[username]\Local Settings\History\History.IE5
PC Based Browsers – Internet Explorer (5-9)
IE (5-9) artifacts:
• Cache
• Cookies
• Downloads
• Main History
• Daily History
• Weekly History
• Leak
• PrivacIE
• Redirect
• Typed URLs
• InPrivate/Recovery URLs
PC Based Browsers – Internet Explorer (10+)
• No more index.dat
• ESE Databases
• Webcache.dat and log files
• %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/History
• InPrivate Browsing
PC Based Browsers – Internet Explorer (10+)
IE (10+) artifacts:
• Content (similar to Cache)
• Cookies
• Main History
• Daily/Weekly History
• Dependency Entries
• Downloads
THIS IS MICROSOFT EDGE!
Browsers – Microsoft Edge
• The database filename is “WebCacheV01.dat” (unchanged from IE10/11).
• The recovery/InPrivate (“travel log”) record format has not changed either.
• It looks like the plan will be to keep both browsers on Windows 10 (IE11 and Edge) at least for now, so IE11 can be used for older website compatibility.
• You’ll want to make sure to recover browser history from both browsers in their respective locations (IE11 history is still stored in this folder: C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache).
Browsers – Microsoft Edge
Some slight path differences:
• Cookies are located in this folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8bbwe\AC\Spartan\Cookies
• The cache/Temporary Internet Files are located in this folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8bbwe\AC\Spartan\Cache
• Recovery URL files are located in this folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Spartan_8wekyb3d8bbwe\AC\Spartan\User\Default\Recovery
• The location for browsing history is in this folder: C:\Users\<username>\AppData\Local\Spartan\Database
Mobile
Mobile Based Browsers - Android
Chrome on Android:
• Data stored in ROOT/data/data/com.android.chrome/app_chrome/Default
• SQLite .db files are not obfuscated/encrypted
Firefox for Android:
• Data stored in ROOT/data/data/org.mozilla.firefox
• SQLite .db files are not encrypted
Mobile Based Browsers - Android
Chrome - Android artifacts:
• Webkit Artifacts
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Login Data
• Cookies
• Archived Web History
• Fav Icons
• Bookmarks
• Cache
• History
• Searches
Mobile Based Browsers - Android
Firefox – Android artifacts:
• Cache Records
• Web History
• Bookmarks
• Form History
• Cookies
Mobile Based Browsers - iOS
Chrome on iOS:
• Data stored in ROOT/private/var/mobile/Applications/5661B076-549E-4480-B940-E96C6DA4E0BA (GUID may differ on each device)
• User data stored in ChromeROOT/Library/Application Support/Google/Chrome/Default/
• Not encrypted or obfuscated
Safari on iOS:
• Data stored at ROOT/private/var/mobile/Applications/6551E25E-89C0-4CCD-B8DE-9F3949D59EDB (GUID may differ on each device)
• User data in SafariROOT/Library/Caches/com.apple.mobilesafari
• Not encrypted or obfuscated
Mobile Based Browsers - iOS
Chrome - iOS artifacts:
• Webkit Artifacts
• Downloads
• Top Sites
• Autofill
• Autofill Profiles
• Credit Cards
• Logins
• Login Data
• Cookies
• Archived Web History
• Fav Icons
• History Index
• Bookmarks
• Current Sessions
• Current Tabs
• Last Tab
• Cache
Mobile Based Browsers - iOS
Safari – iOS artifacts:
• Bookmarks
• Web History
• Cache Records
Mobile Based Browsers – Windows Phone
Data Stored in:
• \User\DefApps\APPDATA{218A0EBB-1585-4C7E-A9EC-054CF4569A79\
Mobile Based Browsers - Windows Phone
Internet Explorer – Windows Phone artifacts:
• Cache
• Cookies
• Downloads
• History Main
• History Daily
• History Weekly
• IE Leak
• IE Privacy
• IE Redirect
• IE Cache
• IE Cookies
• Typed URLs
Chrome Tabs / Sessions(Last / Current)
Chrome Current Session
• Contains URLs from the current Chrome session
• The “Last Session” file contains data from the previous session
Chrome Current Tabs
• Currently opened URLs / tabs
• A “Last Tabs” file also exists
• Data is in the proprietary “SNSS” format
Chrome FavIcons, History Index, Top Sites, and more!
Chrome Logins
• Great place to start an investigation to see what websites a user logged into
Chrome Favicons
• Stores the “favicons.ico” data for sites
• Timestamp is not necessarily the last visited time
Chrome History Index
• Stores text content from websites visited
• Can provide great information regarding site content
• Useful for keyword searches
Chrome Top Sites
• Stores a thumbnail of a “top site”
• Top Sites are frequently visited sites
Chrome Web History
• Consolidated history view
• Does not show every visit time, only visit counts, etc.
• Useful for a quick overview
Chrome Web Visits
• Every visit shown
• Useful for timelines, extra detail
• The http://bit.ly example here lines up with the previous slide
Chrome/etc Carved History
• Carved URLs that were stored in the Chrome SQLite format
• 360 Safe Browser, Opera, and potentially other browsers store history in the same format
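Added example (not from the slides or from IEF) to show the difference between the consolidated “Web History” view and the per-visit “Web Visits” view on Chrome’s History database, and how Chrome’s WebKit timestamps are turned into UTC. It builds a constructed in-memory SQLite database; the table and column names (urls.visit_count, urls.last_visit_time, visits.visit_time, visits.from_visit) follow Chrome’s History schema, and the rows are sample data, not case evidence.

```python
"""
Added example (not from the slides or IEF): builds a small in-memory SQLite
database that mimics the two Chrome History tables the slides contrast
("Web History" = one row per URL with a visit count, "Web Visits" = one row
per visit) and converts Chrome's WebKit timestamps to UTC.

Assumptions: the table/column names follow Chrome's History schema
(urls.last_visit_time, visits.visit_time, visits.from_visit); the row
values are constructed sample data.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds: int) -> datetime:
    """Convert a Chrome/WebKit timestamp to a timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(dt: datetime) -> int:
    """Inverse conversion, used here to build the constructed sample rows.
    Integer arithmetic avoids float rounding on 17-digit microsecond values."""
    delta = dt - WEBKIT_EPOCH
    return delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Create a constructed History database: three visits to two URLs."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
    """)
    t1 = utc_to_webkit(datetime(2015, 6, 3, 14, 0, 0, tzinfo=timezone.utc))
    t2 = utc_to_webkit(datetime(2015, 6, 3, 14, 5, 0, tzinfo=timezone.utc))
    t3 = utc_to_webkit(datetime(2015, 6, 3, 14, 7, 30, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "http://bit.ly/example", "bit.ly", 2, t3),
        (2, "https://www.example.com/", "Example", 1, t2),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, t1, 0),
        (2, 2, t2, 1),   # reached from visit 1: the referrer chain
        (3, 1, t3, 0),   # second visit to bit.ly; only this time survives in urls
    ])
    return con


def consolidated_history(con):
    """'Web History' view: one row per URL, only a count and the last time."""
    rows = con.execute(
        "SELECT url, visit_count, last_visit_time FROM urls ORDER BY id").fetchall()
    return [(url, count, webkit_to_utc(t).isoformat()) for url, count, t in rows]


def visit_timeline(con):
    """'Web Visits' view: every visit with its own timestamp, in time order."""
    rows = con.execute("""
        SELECT v.visit_time, u.url, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    return [(webkit_to_utc(t).isoformat(), url, src) for t, url, src in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for row in consolidated_history(db):
        print("history:", row)
    for row in visit_timeline(db):
        print("visit:  ", row)
```

The consolidated view loses the 14:00 visit to bit.ly entirely (only the count of 2 and the last time remain), which is why a timeline should be built from the visits table; the from_visit column is what lets the referring page be recovered.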
Firefox Session Store
Firefox Session Store Artifacts
• SessionStore.js, SessionStore.bak
• Similar to Last Session/Tabs in Chrome
• Can be carved
• Can contain the referring site
Refined Results
• Categorizes commonly investigated URLs for easier analysis
• Multiple artifact sources/browsers
• Investigators can create custom lists or add to an existing list
• Recovers search queries from common search engines such as Google and Bing
Refined Results – Various URLs
IEF searches for:
• Classified URLs
• Cloud Services URLs
• Dating Site URLs
• Facebook URLs
• Tax Site URLs
• Web Chat URLs
• Pornography Site URLs
• Social Media URLs
• Torrent Site URLs
• Malware URLs
Social Media URLs
• Good place to start an investigation to see user activity in relation to social media conversations.
Initial Introductions – LinkedIn
• Many social media sites are connected to an email account
Facebook URLs
• Potential Activity
• Snapshot of FB Activity
Google Searches
Google Searches
• Original Search Query
• Timestamp differences (favicon)
• &ei= parameter
• Search Session timestamp
Refined Results – Google Searches vs Parsed Search Queries
IEF uses regular expressions and will search through all browser data. The patterns used for Google Searches are (pattern | category):
• ^https?://(?!maps).*\.google\..*/ | Google Searches
• (\&|\#|\?)q= | Google Searches
Refined Results – Google Searches vs Parsed Search Queries
IEF will parse Search Queries from the following (match | engine):
• bing | Bing
• yahoo | Yahoo
• youtube | YouTube
• piratebay | PirateBay
• facebook | Facebook
• ?value= | Facebook
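Added example (not from the slides or from IEF) that applies the two Google Search patterns printed above to a few constructed URLs, pulls the q= value out of the ones that match, labels Bing/Yahoo/YouTube/Facebook search URLs by the domain keywords listed, and decodes the &ei= parameter that the earlier Google Searches slide points at. Assumptions not taken from the slides: Bing uses q=, Yahoo p= and YouTube search_query=; the ei= decoding (first four bytes of the base64url value read as little-endian Unix seconds) is the commonly documented layout and should be confirmed against a search with a known time before it is relied on in a report.

```python
"""
Added example (not from the slides or from IEF): applies the slide's two
Google Search regular expressions, extracts search queries, and decodes
the ei= parameter to a session timestamp.

Assumptions (not from the slide): Bing q=, Yahoo p=, YouTube
search_query=; the ei= layout (first four bytes, little-endian Unix
seconds) is the commonly documented one and should be verified.
"""
import base64
import re
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# The two expressions from the slide, verbatim.
GOOGLE_HOST_RE = re.compile(r"^https?://(?!maps).*\.google\..*/")
QUERY_PARAM_RE = re.compile(r"(\&|\#|\?)q=")

# Domain keyword -> (label, query parameter). Keywords and labels are the
# slide's; parameter names are assumed, except Facebook's value= (on slide).
ENGINES = {
    "bing": ("Bing", "q"),
    "yahoo": ("Yahoo", "p"),
    "youtube": ("YouTube", "search_query"),
    "facebook": ("Facebook", "value"),
}


def _params(url: str) -> dict:
    """Merge query-string and fragment (#q=) parameters; parse_qs unquotes."""
    parsed = urlparse(url)
    merged = parse_qs(parsed.query, keep_blank_values=True)
    merged.update(parse_qs(parsed.fragment, keep_blank_values=True))
    return {k: v[0] for k, v in merged.items()}


def decode_ei_timestamp(ei: str):
    """Decode ei= to an ISO UTC timestamp, or None if the value is malformed."""
    try:
        raw = base64.urlsafe_b64decode(ei + "=" * (-len(ei) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) < 4:
        return None
    seconds = struct.unpack("<I", raw[:4])[0]   # assumed layout, see above
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def classify_search_url(url: str):
    """Return (label, query, session_time) or None for a non-search URL."""
    if GOOGLE_HOST_RE.match(url) and QUERY_PARAM_RE.search(url):
        params = _params(url)
        ts = decode_ei_timestamp(params["ei"]) if "ei" in params else None
        return ("Google Searches", params.get("q", ""), ts)
    host = urlparse(url).netloc.lower()
    for keyword, (label, param) in ENGINES.items():
        if keyword in host:
            params = _params(url)
            if param in params:
                return (label, params[param], None)
    return None


def find_searches(urls):
    """Run every URL through the classifier and keep the hits."""
    return [(u,) + hit for u in urls if (hit := classify_search_url(u))]


# Constructed sample URLs; the ei= value was built for 2015-06-03 00:00 UTC.
SAMPLE_URLS = [
    "https://www.google.ca/search?q=browser+forensics&ei=gENuVQAAAAAAAAAAAAAAAA",
    "https://www.google.com/#q=incognito",
    "https://maps.google.com/maps?q=cambridge+on",   # excluded by (?!maps)
    "http://www.bing.com/search?q=ief+tool",
    "https://www.youtube.com/results?search_query=sqlite",
    "https://www.example.com/?q=not+a+search+engine",
]

if __name__ == "__main__":
    for hit in find_searches(SAMPLE_URLS):
        print(hit)
```

Note that the maps.google.com URL carries a q= parameter but is rejected by the negative lookahead in the host pattern, which is exactly why the slide keeps Google Map queries as a separate category; the #q= form shows why the fragment has to be parsed as well as the query string.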
Google Translate
• Translation string
• Language from/to
Google Maps
• Started in 2004
• Over 1,162,460 sites use Google Maps
• Overtook MapQuest in terms of traffic in 2009
• Google Maps Navigation, included on Android handsets,
has guided users 12 billion miles a year
• 200 million users on Google Maps for Mobile
• Cases involving runaway youths, kidnapping, luring, homicide
Google Maps
• Temporary Internet Files
• RAM captures
• pagefile.sys / hiberfil.sys
Google Maps
• Uses a tile system to display maps
• Each tile is 256x256 pixels
• Filename in Temporary Internet Files contains x, y, and z coordinates
• Coordinates are based on a world map
• x, y requires the z value (zoom)
Examples:
• lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png
• &x=9054&y=11982&z=15.png
Google Maps
Tiles can be downloaded:
http://mt.google.com/vt/&x=XXX&y=XXX&z=XXX
http://www.darrinward.com/lat-long/
New Google Maps
• Newer version of Google Maps launched in March 2014
• Tile filenames and URLs are different now (thanks, Google!)
• It’s not pretty:
• pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png
New Google Maps
The new URLs:
https://www.google.com/maps/@43.7242262,-79.4051719,12z
https://www.google.com/maps/place/Cambridge,+ON/@43.4022995,-80.332588,12z/data=!3m1!4b1!4m2!3m1!1s0x882b89b820e46c19:0x5037b28c7231d70
https://www.google.com/maps/dir/Ayr,+ON,+Canada/123+Gunn+Ave,+Cambridge,+ON+N3C+2Z6,+Canada/@43.3588082,-80.5205289,11z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x882c732d9485d199:0x581a671dca1a1705!2m2!1d-80.4507835!2d43.2854723!1m5!1m1!1s0x882b88f2ca61211d:0xf99f9dd46477f986!2m2!1d-80.2990956!2d43.4253036
New Google Maps
The new tiles:
• Sample filename: pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png
• Another sample, slightly different: pb=!1m5!1m4!1i15!2i18147!3i23991!4i128!2m1!1e0!3m3!5e1105!12m1!1e47!4e0[1].png
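Added example (not from the slides or from IEF) that pulls the x, y and z tile coordinates out of both cache filename styles shown on the Google Maps slides and converts a tile to the latitude/longitude of its north-west corner, the same conversion the linked lat-long tool performs. The legacy filenames carry x=, y= and z= as printed on the slide; for the newer pb= style it is assumed (not stated on the slides) that !1i is the zoom, !2i the x tile and !3i the y tile, a reading under which the first slide sample lands in south-western Ontario. The Web Mercator tile formula is the standard one, not something the slides give. The sample filenames are those printed on the slides.

```python
"""
Added example (not from the slides or IEF): parse Google Maps tile cache
filenames and convert tile x/y/z to WGS84 latitude/longitude.

Assumption: in the newer "pb=" names, !1i = zoom, !2i = x, !3i = y.
"""
import math
import re

TILE_SIZE = 256  # each Google Maps tile is 256x256 pixels (from the slide)

# Legacy style: ...&x=9054&y=11982&z=15.png
LEGACY_RE = re.compile(r"x=(\d+)&y=(\d+)&z=(\d+)")
# Newer style: pb=!1m4!1m3!1i11!2i564!3i751!...  (assumed: zoom, x, y)
PB_RE = re.compile(r"!1i(\d+)!2i(\d+)!3i(\d+)")


def parse_tile_name(name: str):
    """Return (x, y, z) from a cached tile filename, or None if unrecognised."""
    m = LEGACY_RE.search(name)
    if m:
        x, y, z = (int(g) for g in m.groups())
        return x, y, z
    m = PB_RE.search(name)
    if m:
        z, x, y = (int(g) for g in m.groups())
        return x, y, z
    return None


def tile_to_latlon(x: int, y: int, z: int):
    """North-west corner of tile (x, y) at zoom z, in degrees (Web Mercator).
    Zoom z splits the world into 2**z tiles per axis, so x and y only mean
    something together with z, as the slide notes."""
    n = 2 ** z
    lon = x / n * 360.0 - 180.0
    lat = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * y / n))))
    return lat, lon


def tile_bounds(x: int, y: int, z: int):
    """Bounding box (south, west, north, east) covered by the whole tile."""
    north, west = tile_to_latlon(x, y, z)
    south, east = tile_to_latlon(x + 1, y + 1, z)
    return south, west, north, east


def locate_tiles(names):
    """Map each recognised filename to its tile and north-west corner."""
    located = []
    for name in names:
        tile = parse_tile_name(name)
        if tile is None:
            continue
        lat, lon = tile_to_latlon(*tile)
        located.append((name, tile, round(lat, 5), round(lon, 5)))
    return located


# Filenames as printed on the slides.
SAMPLE_NAMES = [
    "lyrs=m@196000000&hl=en&src=app&x=5&y=8&z=4&s=Galileo[1].png",
    "&x=9054&y=11982&z=15.png",
    "pb=!1m4!1m3!1i11!2i564!3i751!2m3!1e0!2sm!3i258034118!3m8!2sen!5e1105"
    "!12m1!1e47!12m1!1e1007!12m1!1e38!4e0!7s!20m1!1b1[1].png",
    "pb=!1m5!1m4!1i15!2i18147!3i23991!4i128!2m1!1e0!3m3!5e1105!12m1!1e47!4e0[1].png",
]

if __name__ == "__main__":
    for name, tile, lat, lon in locate_tiles(SAMPLE_NAMES):
        print(f"{tile} -> {lat}, {lon}   {name[:40]}...")
```

At zoom 4 a tile spans over 20 degrees, so the first sample only says which part of the world was viewed; at zoom 15 the second sample narrows to a few hundred metres, which is what makes zoom the important value when judging what a cached tile proves.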
Browser Activity
• Targeting Incognito, Private browsing
• Why it’s called Browser Activity
• Need to look at multiple variables
Another example
The Source column
• A real hit
• User activity
• Source is helpful
Refined Results – Various URLs
• Original Search Term
• Searches
• Classified URLs
• Never visited this webpage
InPrivate/Recovery URLs
• More context, but still limited
• InPrivate vs Recovery
• Source is a clue again
• Hits from pagefile, unallocated are more difficult
Incognito/Private Browsing Mode
Firefox Private browsing
Observations:
• Nothing is written to disk (relating to web activity)
• Great deal of data left behind in RAM, pagefile.sys, and hiberfil.sys
• However, hard to pinpoint if records were from the user or browser processes (cert authority URLs sometimes found)
• Also hard to label as Firefox history (could be from Chrome or other browsers)
Chrome Incognito browsing
Observations:
• Nothing is written to disk (relating to web activity)
• Good deal of data left behind in RAM, pagefile.sys, and hiberfil.sys
• However, hard to pinpoint if records were from the user or browser processes (cert authority URLs sometimes found)
• Like Firefox, also hard to label as Chrome history (could be from Firefox or other browsers)
Flash Cookies / Local Shared Objects
• Cookies stored by Macromedia Flash
• Different format and location from traditional browser cookies
• Can contain metadata or user identifying info
• Not easily deleted
• Can reveal visited sites even when Incognito/etc
• Stored in .sol files
• Under AppData or Application Data
• Folder location can be indicative as well
Google Analytics
Google Analytics Cookies
Google Analytics cookie data is parsed by IEF into sub-categories:
• First Visit
• Referral
• Session
Each sub-category represents separate record entries from the same Google Analytics cookie file.
Google Analytics First Visit Cookies
Timestamps stored as Unix numeric values
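Added example (not from the slides or from IEF) that splits the three classic Google Analytics cookies into the First Visit, Referral and Session sub-categories named above and converts their Unix-second timestamps to UTC. The field layouts are the commonly documented ones for the __utma (first/previous/current visit), __utmz (referral source, campaign, medium, search term) and __utmb (current session) cookies, not something the slides spell out; the cookie values are constructed samples, not case data.

```python
"""
Added example (not from the slides or IEF): parse __utma / __utmb / __utmz
Google Analytics cookies into First Visit / Session / Referral records and
render their Unix timestamps as UTC.

Assumption: the documented field layouts noted in each parser's docstring.
"""
from datetime import datetime, timezone
from urllib.parse import unquote


def unix_to_utc(value: str) -> str:
    """Render a Unix-seconds string as an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()


def parse_utma(value: str) -> dict:
    """__utma = hash.visitorid.firstvisit.previousvisit.currentvisit.sessions"""
    domain_hash, visitor_id, first, previous, current, sessions = value.split(".")
    return {
        "category": "First Visit",
        "domain_hash": domain_hash,
        "visitor_id": visitor_id,
        "first_visit": unix_to_utc(first),
        "previous_visit": unix_to_utc(previous),
        "current_visit": unix_to_utc(current),
        "session_count": int(sessions),
    }


def parse_utmb(value: str) -> dict:
    """__utmb = hash.pageviews.outboundclicks.sessionstart"""
    domain_hash, pageviews, outbound, start = value.split(".")
    return {
        "category": "Session",
        "domain_hash": domain_hash,
        "page_views": int(pageviews),
        "outbound_clicks": int(outbound),
        "session_start": unix_to_utc(start),
    }


def parse_utmz(value: str) -> dict:
    """__utmz = hash.timestamp.sessions.campaigns.utmcsr=..|utmccn=..|utmcmd=..|utmctr=.."""
    # Referral fields can contain dots (e.g. google.com), so split on the
    # first four separators only.
    domain_hash, stamp, sessions, campaigns, fields = value.split(".", 4)
    referral = {}
    for item in fields.split("|"):
        key, _, val = item.partition("=")
        referral[key] = unquote(val)
    return {
        "category": "Referral",
        "domain_hash": domain_hash,
        "timestamp": unix_to_utc(stamp),
        "session_count": int(sessions),
        "campaign_count": int(campaigns),
        "source": referral.get("utmcsr"),
        "campaign": referral.get("utmccn"),
        "medium": referral.get("utmcmd"),
        "search_term": referral.get("utmctr"),
    }


PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}


def parse_ga_cookies(cookies):
    """Turn (name, value) pairs into one record per recognised GA cookie."""
    records = []
    for name, value in cookies:
        parser = PARSERS.get(name)
        if parser is None:
            continue   # e.g. __utmc carries no timestamp
        try:
            records.append(parser(value))
        except ValueError:
            continue   # malformed or truncated value: skip rather than crash
    return records


# Constructed sample cookies for one site, as name/value pairs.
SAMPLE_COOKIES = [
    ("__utma", "173272373.1234567890.1433289600.1433290000.1433293200.3"),
    ("__utmb", "173272373.5.10.1433293200"),
    ("__utmc", "173272373"),
    ("__utmz", "173272373.1433293200.3.2.utmcsr=google|utmccn=(organic)"
               "|utmcmd=organic|utmctr=browser%20forensics"),
]

if __name__ == "__main__":
    for record in parse_ga_cookies(SAMPLE_COOKIES):
        print(record)
```

The three cookies come from one file but yield three records with different meanings: __utma dates the first visit to the site, __utmb the current session, and __utmz how the user arrived, including the search term when the referrer was a search engine.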
Rebuilt Webpages
THANK YOU!