Browser Anti Forensics

This write-up demonstrates how a browser's history can be thrown off track and mislead the examiner. An investigator can spot this by noticing the oddity in the history; a sample is given in Figure 2. Let's first take a closer look at the page below (Figure 1): the URL says cnn.com, while the tab title says BBC-Homepage.

ABF_Fig1

Imagine what the browser history would look like. Check out the snapshot below.

ABF_Fig2

Now let's see how that happened. Here is the little trick we used to demonstrate the idea: we set up a proxy in the browser, applied breaks and amended the GET packets (see Figure 3).


ABF_Fig3

 

What’s the point?

The above is just one technique for doing this; there might be other ways. The point is that, as forensic investigators, we should think in all directions and not rely solely on the results of the tools. Don't ignore any inconsistency found in the logs; it might be there for a reason. A few possible reasons:

  • System was compromised.
  • The user intentionally tried to cover the tracks.
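One way to surface this kind of URL/title inconsistency automatically, as an added example that is not part of the original post: it flags history rows whose host belongs to one known site while the title names only a different one. The `urls` table with `url` and `title` columns is an assumption modeled on Chromium's history database, and the brand map and sample rows are constructed.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed, analyst-maintained map: brand keyword -> domains that serve it.
BRAND_DOMAINS = {
    "bbc": {"bbc.com", "bbc.co.uk"},
    "cnn": {"cnn.com"},
}

def brands_for_host(host):
    """Brands whose domains equal the host or are a parent domain of it."""
    return {b for b, doms in BRAND_DOMAINS.items()
            if any(host == d or host.endswith("." + d) for d in doms)}

def find_mismatches(conn):
    """Return (url, title, title_brands) for rows where the host belongs to a
    known brand but the title names only other known brands."""
    flagged = []
    for url, title in conn.execute("SELECT url, title FROM urls ORDER BY id"):
        host = (urlsplit(url).hostname or "").lower()
        words = set(re.findall(r"[a-z0-9]+", (title or "").lower()))
        host_brands = brands_for_host(host)
        title_brands = words & set(BRAND_DOMAINS)
        if host_brands and title_brands and host_brands.isdisjoint(title_brands):
            flagged.append((url, title, sorted(title_brands)))
    return flagged

def build_sample_history():
    """In-memory stand-in for a history database (all rows constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    conn.executemany("INSERT INTO urls (url, title) VALUES (?, ?)", [
        ("http://www.cnn.com/", "BBC-Homepage"),                  # mismatch described above
        ("http://www.bbc.co.uk/", "BBC-Homepage"),                # consistent
        ("http://edition.cnn.com/world", "World news - CNN"),     # consistent
        ("http://www.cnn.com/media", "CNN on the BBC charter"),   # names its own brand too
        ("http://example.org/", None),                            # unknown host, no title
    ])
    return conn

if __name__ == "__main__":
    for url, title, brands in find_mismatches(build_sample_history()):
        print(f"INCONSISTENT url={url} title={title!r} names={brands}")
```

A hit is a lead to corroborate against cache, proxy and network logs, not proof of tampering on its own.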

2 thoughts on “Browser Anti Forensics”

  1. Excellent post. I was checking continuously this blog and I am impressed!

    Very helpful information specifically the last part 🙂 I care for such info much.
    I was seeking this particular info for a very long time.
    Thank you and good luck.
