E-Discovery, Examiner Welfare, Forensics 101, Law Enforcement, Windows Forensics

Browser Anti Forensics

This write-up demonstrates how a browser's history can be made to go off track and mislead the examiner. An investigator can spot this by noticing anomalies in the history; a sample is given in Figure 2. Let's first take a closer look at the page below (Figure 1): the URL says cnn.com, but the tab title says BBC-Homepage.

[Figure 1: ABF_Fig1]

Imagine how the browser history would look. Check out the snapshot below.

[Figure 2: ABF_Fig2]

Now let's see how that happened. Here is the little trick we used to demonstrate the idea: we set up an intercepting proxy in the browser, set breakpoints on outgoing requests, and amended the GET requests before they were sent (see Figure 3).

[Figure 3: ABF_Fig3]


What’s the point?

Above is just one technique for doing this; there may be other ways, but the point is that as forensic investigators we should think in all directions and not rely only on the results of our tools. Don't ignore any inconsistency found in the logs; it may be there for a reason. A few possible reasons:

  • System was compromised.
  • The user intentionally tried to cover the tracks.
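As an added example (not code from the original post), here is a small Python check in the spirit of both observations on this page: the URL/title inconsistency in the history shown above, and the hosts file review recommended in the comments below. The history records and the hosts file contents are constructed samples, and the title heuristic is an assumption of this example: it flags only a title that names a site label seen elsewhere in the same history.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample history export (URL, page title), not real data.
HISTORY = [
    ("http://www.cnn.com/", "BBC - Homepage"),
    ("https://www.bbc.com/news", "BBC - Homepage"),
    ("https://www.cnn.com/us", "CNN - Breaking News, Latest News and Videos"),
]
# Constructed sample hosts file: an ad-block sinkhole (benign) and a
# public domain silently pointed at a private LAN address (suspicious).
HOSTS_TEXT = """\
127.0.0.1     localhost
::1           localhost
0.0.0.0       doubleclick.com          # ad blocking
192.168.10.5  www.cnn.com cnn.com      # redirection
"""

def site_label(hostname):
    """Registrable label of a hostname, e.g. 'cnn' for www.cnn.com."""
    parts = hostname.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_title_mismatches(history):
    """Heuristic: flag records whose title names another site's label."""
    labels = {site_label(urlparse(u).hostname or "") for u, _ in history}
    flagged = []
    for url, title in history:
        own = site_label(urlparse(url).hostname or "")
        words = set(re.findall(r"[a-z0-9]+", title.lower()))
        foreign = (labels & words) - {own}   # labels in title that are not our own
        if foreign:
            flagged.append((url, title, sorted(foreign)))
    return flagged

def find_hosts_overrides(hosts_text):
    """(hostname, ip) entries that resolve a name to a routable address."""
    overrides = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, blank lines
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:   # sinkholes are not redirections
            continue
        overrides += [(n, fields[0]) for n in fields[1:] if n.lower() != "localhost"]
    return overrides
```

On the constructed samples, the first history record and both cnn.com hosts entries are flagged; the hosts check deliberately ignores loopback and 0.0.0.0 sinkholes so ad-blocking lists do not drown out a real redirection.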

About Nasa Quba & Kausar Khizra

Nasa Quba and Kausar Khizra graduated from the University of Central Florida with an MS degree in Digital Forensics. They are passionate about learning, working on diverse and challenging projects, and spreading knowledge to society.

Discussion

2 thoughts on “Browser Anti Forensics”

  1. Interesting approach to use a proxy server to accomplish this. I hadn’t thought about doing it that way. I’ve long shown students how you can use IE favorites as a means of obfuscating your browser activities, or to do an even better job at it you modify your hosts file. When typing an address in IE’s address bar it first looks for a favorite by that name. If none exists it then will use the hosts file to resolve the IP. If it’s not in the hosts file it will then go out to the public DNS (or in your scenario, to the proxy server). When modifying the hosts file you will see pretty much exactly what you illustrated above.

    I tell students to imagine if I wanted to hide activity to a private site. I set up an entry in my hosts file for http://www.cnn.com to resolve to my private site’s IP, and set the page title of my private site to something consistent with what you see when you visit cnn.com. The resulting browser artifacts (URL and page title) in the browser’s history will both indicate that the user navigated to cnn.com. But the cache will tell the real story.

    The moral of that story: always examine the content of the hosts file in any analysis where you are dealing with IP traffic, whether browser, P2P, IM, whatever. Remember that the content of the hosts file is used not only by your browser, but by any TCP/IP program resolving an IP – you can download custom hosts files to frustrate banner ads and such by resolving their domain names to the loopback address (i.e. resolve doubleclick.com to 127.0.0.1 so that when your computer attempts to reach out to doubleclick.com to get an ad, it will resolve to your loopback). See http://lifehacker.com/5817447/how-to-block-unwanted-ads-in-all-applications-and-speed-up-web-browsing-with-the-hosts-file to read an article on it (just Googled it to provide you with a link about it – there are many such articles on the topic).

    Posted by JB | July 7, 2014, 1:09 pm
  2. JB, thank you for taking the time out to comment and adding great info to the topic. Indeed very useful!

    Posted by Nasa Quba & Kausar Khizra | July 8, 2014, 3:12 am
