E-Discovery, Examiner Welfare, Forensics 101, Law Enforcement, Windows Forensics

Browser Anti Forensics

This write-up is just to demonstrate that how one’s browser history can go off track misleading the examiner. An investigator can identify it by noticing the odd in history, sample given in Figure 2. Let’s first take a closer look at this page below (Figure 1)– the URL (says cnn.com) and the title of tab (says BBC-Homepage).


Imagine how the browser history would look like? Check out the below snapshot.


Now let’s see how that happened. Here is the little trick we did to demonstrate the idea. We set up a proxy in the browser, apply breaks and amend GET packets (see Figure 3).



What’s the point?

Above is just one technique of doing this, there might be other ways but the point is that being forensic investigators we should think in all directions and not just the result of the tools. Don’t ignore any inconsistency found in the logs; they might be there for some reason. Few of them might be:

  • System was compromised.
  • The user intentionally tried to cover the tracks.


3 thoughts on “Browser Anti Forensics

  1. Interesting approach to use a proxy server to accomplish this. I hadn’t thought about doing it that way. I’ve long shows students how you can use IE favorites as a means of obfuscating your browser activities, or to do an even better job at it you modify your hosts file. When typing an address in IE’s address bar it first looks for a favorite by that name. If none exists it then will use the hosts file to resolve the IP. If it’s not in the host file it will then go out to the public DNS (or in your scenario, to the proxy server). When modifying the hosts file you will see pretty much exactly what you illustrated above.

    I tell students imagine if I wanted to hide activity to a private site. I set up an entry in my hosts file for http://www.cnn.com to resolve to my private site’s IP, and set the title page to my private site to something consistent with what you see when you visit cnn.com. The resulting browser artifacts (URL and page title) in the browser’s history will both indicate that the user navigated to cnn.com. But the cache will tell the real story.

    The moral of that story, always examine the content of the hosts file in any analysis where you are dealing with IP traffic whether browser, P2P, IM, whatever. Remember that the content of the hosts file is used not only by your browser, but any TCP/IP program resolving an IP – you can download custom hosts file to frustrate banner ads and such by resolving their domain names to the loopback address (i.e. resolve doubleclick.com to so that when your computer attempts to reach out to doubleclick.com to get an ad, it will resolve to your loopback). See http://lifehacker.com/5817447/how-to-block-unwanted-ads-in-all-applications-and-speed-up-web-browsing-with-the-hosts-file to read an article on it (just Googled it to provide you with a link about it – there are many such articles on the topic).

    Posted by JB | July 7, 2014, 1:09 pm
  2. JB, thank you for taking the time out to comment and adding great info to the topic. Indeed very useful!

    Posted by Nasa Quba & Kausar Khizra | July 8, 2014, 3:12 am
  3. Excellent post. I was checking continuously this blog and I am impressed!

    Very helpful information specifically the last part :) I care for such info much.
    I was seeking this particular info for a very long time.
    Thank you and good luck.

    Posted by polska | October 18, 2014, 12:28 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 838 other followers

%d bloggers like this: