Web browser forensics:Tools,Evidence collection and analysis

 Department of Information Technology

Chikitsak Samuha's S. S. & L. S. Patkar College of Arts & Science, and V. P. Varde College of Commerce & Economics University of Mumbai

Mumbai, India

astondsouza2008@gmail.com

 

 

 

 

Abstract- A web browser is a necessary piece of software for accessing and carrying out a variety of online tasks, including email, financial transactions, file and video downloads, social networking application access, and internet browsing. Web browsers are used by cybercriminals to commit internet crimes since they are the only means of accessing the internet. Digital forensics' main goal is to collect the "evidence" from crime scenes. An extension of computer forensic, digital forensic encompasses digital electrical devices like printers and cell phones. Because more criminal and civil cases may be founded on evidence gathered from user online activities, web browser forensics plays a significant role in computer forensics. Investigators and criminals both use the internet. Criminals utilize web browsers to gather information for new criminal tactics or to hide their crimes. Criminals leave traces on computers every time they use a web browser. The analysis of the browser's temporary files, index.dat, cookies, download files, free space, cache, and other data provides evidence for this claim. In this paper we have discussed and used various tools and methods to extract evidence for analysis.

 

Keywords-

Web browser,forencis.analysis,tools,evidence

                                                                                                                                                   I. Introduction

Nearly everyone, including suspects under investigation, uses the Internet. A suspect might use a web browser to gather information, mask their crime, or look for new ways to commit crimes. A key aspect of digital forensic investigations is often looking for Web browsing-related data [1]. Nearly all actions a suspect does while using a Web browser are recorded on the device, even looking for information in a Web browser. Therefore, this data can offer valuable information when a detective examines the suspect's computer. It is possible to examine evidence from a suspect's computer, such as cache, history, cookies, and download lists, to determine the websites visited, the timing and frequency of access, and the search engine terms the suspect used. There are numerous research papers and technologies available for analyzing Web browser log files, and many of them have features in common. [1] First, a particular Web browser or a particular log file from a particular Web browser is the focus of these studies and tools. The science of digital forensics entails the discovery, preservation, recovery, analysis, and presentation of information on digital evidences discovered on computers or other media storage devices.[2] Following standardized norms and methods, digital forensic investigations typically focus on data that has been gathered from storage media devices, such as hard drives and other devices. [2]. There are browser log files, and many of them have similar properties. To begin with, these studies and tools are focused on a particular Web browser or a particular log file from a particular Web browser. Today, a wide variety of Web browsers are available, making it possible for a single user to utilise several at once and compare them.[3] Because of this, running a different study for every Web browser is not the best technique to find proof of an Internet user's illicit activity. Furthermore, since the evidence could be dispersed throughout multiple files, it is not enough to only look into a single file from a single browser. [3]

                                                                                                                           II.    steps of digital forensics.

Figure 1: Process of Digital Forensics [4]

A.    IDENTIFICATION

Finding the devices and resources that have the data that will be examined as part of the inquiry is the first stage in a digital forensics’ investigation.[2] Data used in an inquiry may be stored on computers or laptops belonging to an organization or on users' personal devices like smartphones and tablets.[5] To ensure that there is no chance of tampering, these gadgets are then taken into custody and isolated. The investigator or organization must make sure that only the investigating team has access to the data, whether it is stored on a server, network, or in the cloud.

 

B.    EXTRACTION/PRESERVATION

The digital forensics investigator or forensics analyst employs forensic techniques to extract any data that may be relevant to the inquiry and keeps it securely after the devices engaged in the investigation have been confiscated and stored in a secure location.[5]

A "forensic image"—a digital replica of the pertinent data—could be made during this step.[2] The original data and equipment are stored in a safe place while this copy is used for analysis and evaluation. In the event that the investigation is hacked, this prevents any modification with the original data.

 

C.    ANALYSIS

 

Digital forensic investigators employ a number of ways to extract pertinent data and evaluate it in search of clues or evidence that leads to wrongdoing once the affected devices have been located and isolated and the data has been replicated and securely archived.[5] This frequently entails retrieving and looking through files that have been erased, corrupted, or encrypted using methods like:

• Reverse steganography: is a method for retrieving information from hidden data by looking at the underlying hash or character string that represents an image or other piece of data.
• File or Data Carving: the process of locating and restoring deleted files by looking for any leftover parts.
• Searching for material pertinent to the investigation using keywords, even deleted data, and analysing that information

 

D.   DOCUMENTATION

 

Following analysis, the investigation's findings are accurately recorded in a form that makes it simple to understand the complete investigation's methodology and results. A timeline of the actions involved in wrongdoing, such as theft, data leaking, or network breaches, can be created with the use of adequate documentation.[5]

 

E.    PRESENTATION

 

When an inquiry is finished, the results are handed to the committee or court that will decide whether to file a lawsuit or handle an internal complaint.[2] Digital forensics experts can testify in court as expert witnesses, summarizing, presenting, and revealing their findings.[5]

 

                                                                                                                                   III.  TYPE OF EVIDENCES

 

History: Tracks websites accessed by date and time, information kept for each local user account, frequency of visits, and access to local system files.[1]

 

Cookies: They revealed which websites were visited and possibly what actions were taken there.[1]

 

Cache: - Provides a "snapshot in time" of what a user was viewing online.

• Identifies websites that were visited
•   Provides the actual files that the user viewed on a given website.
• Cached files are linked to a specific local user account
• Timestamps demonstrate when the site was first saved and last viewed.

 

Session Restore: A built-in function of the browser's automatic crash recovery system.

 

Downloads: The investigator should also investigate the default download folder because all downloaded files are kept there.[1]

 

 

                                   IV.    TOOLS USED for extraction and analysis

A.      BROWSER HISTORY EXAMINER

A digital forensic investigation tool called Browser History Examiner was created by Foxton Forensics. It records, examines, and reports browsing history from web browsers and supported Google Chrome.

Edge, Internet Explorer, Mozilla Firefox, and Chrome.[2] Employee activity reporting, human resources investigations, and other digital forensic investigations are supported by BHE as well. It gathers and analyses several types of data, including information about visited websites, cookies, cache files, and downloaded objects.Some of its features are:

• By using an interactive webpage history, BHE can identify internet activities.
• It makes use of sophisticated filtering, including keywords and date/time ranges.
• It can use search engines to do historical searches.[2]
• It can view email addresses that were automatically collected from online browsers.
• It uses a URL category filter to block dangerous websites.
• It has the ability to convert time zones and different types of time.
• It can automatically gather and record a remote computer's network history.
• It provides the ability to export data and report builder in formats like PDF, XLSX, CSV, etc.

 

 

Figure 2: Cookies

 

 

Figure 3: Cached Images

 

 

Figure 4: Searched History

 

 

B.    NET ANALYSIS FORENSIC TOOLS

 

NetAnalysis is the most advanced, comprehensive forensic tool available for the extraction, analysis and presentation of web browser evidence.[6]It is a state-of-the-art application which offers the highest level of browser support along with the most powerful tools to help the forensic examiner analyse the extracted data[6]The Digital Detective Company created the digital forensic investigation application NetAnalysis to assist digital examiners in gathering, analysing, and presenting forensic evidence related to online browsers. It records and gathers all user activity on desktop and mobile web browsers like Mozilla Firefox, Google Chrome, Safari, Opera, and Internet Explorer. It also enables an investigator to look into cookies, cache, and other elements.Some of its features are:

• It offers a remarkable feature that allows you to retrieve the history from empty areas left by web browsers, notably those like Safari and Internet Explorer.
• It has the ability to reconstruct and inspect cache files.[2]
• The NetAnalysis tool can locate login information by using search engines.
• It is capable of identifying email addresses from Yahoo, Gmail, Hotmail, and other email services.[2]
• It can use digital forensic photographs to retrieve history.
• Without reinstalling the problematic drive, it may analyse web browsing history.
• It includes robust keyword searching with many options that let an examiner import or export his keyword list.
• When a user visits any website, NetAnalysis may recognise the user profile.

C.    AUTOPSY FORENSIC TOOLS

 

Law enforcement organisations, corporate investigators, the military, and others use Autopsy, an open source and digital forensic investigation programme. Sleuth Kit is used by Autopsy to examine images. Sleuth kit makes it possible to examine digital media and retrieve deleted content [2]. It is a potent forensic tool that can retrieve cookies and browsing data from a variety of browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer. It is quick, simple to use, affordable, and expandable with features like time analysis, hash filtering, web artefact and keyword searches, among others.[2]

 

Features of Autopsy

 

Numerous user cases: This enables multiple examiners to utilise the same tool simultaneously on a large case.

• Keyword Search: Allows a researcher to extract text, look up files that include certain terms, and look for regular expression patterns using index modules.
• It enables the removal of artefacts from web browsers by the examiner.
• Windows installation is simple
• It works with smartphones, external and internal hard discs.[2]
• It employs MD5sum and Hash Keeper format hash set filtering to separate known good files from known problematic files. It utilises PhotoRec to recover deleted file data from unallocated space.
•  It extracts EXIF from images and videos using multimedia.[2]

 

 

V.CONCLUSION

 

The investigation of data gathered from storage media devices like hard drives is known as digital forensic. The fundamental objective of a digital forensic investigation is to keep any discovered evidence in its purest form and to ensure that the evidence has not been altered. Digital forensic investigators use log files, such as history, cache, download, and cookies, to extract, analyse, and deliver a report based on the illicit activity discovered on online browsers.In this paper we saw various forensics tool used to extract browser artifacts and their features.

 

VI.ACKNOWLEDGEMENT

First and foremost, I want to thank all of my research teachers for teaching me how to write a research paper. Without their aid and active involvement at every stage of the process, this effort would not have been done. I'd want to thank you for your help, as well as my friends who provided me with ideas and educational resources that helped me succeed.

 

 

References

 

[1]	D. Mugisha, "WEB BROWSER FORENSICS: Evidence collection And Analysis for Most Popular Web Browsers usage in Windows 10," International Journal of Cyber Criminology, pp. 1-44, 2018.
[2]	A. A. A. H. B. G. Hassan Adamu, "Web Browser Forensic Tools: Autopsy, BHE and NetAnalysis," International Journal of Research and Scientific Innovation (IJRSI), vol. 08, no. 05, pp. 1-5, 2021.
[3]	D. B. B. M. Mayur Rajendra Jadhav, "Web Browser Forensics for Detecting User Activities," International Research Journal of Engineering and Technology (IRJET), vol. 05, no. 07, pp. 1-7, 2018.
[4]	L. Williams, "What is Digital Forensics? History, Process, Types, Challenges," 23 12 2022. [Online]. Available: https://www.guru99.com/digital-forensics.html. [Accessed 08 Feb 2023].
[5]	E. Staff, "What Are the 5 Stages of a Digital Forensics Investigation?," [Online]. Available: https://ermprotect.com/blog/what-are-the-5-stages-of-a-digital-forensics-investigation/. [Accessed 08 Feb 2023].
[6]	NetAnalysis, "Advanced Web Browser Forensics," [Online]. Available: https://www.digital-detective.net/digital-forensic-software/netanalysis-web-browser-forensics/. [Accessed 08 Feb 2023].