This write-up is just to demonstrate that how one’s browser history can go off track misleading the examiner. An investigator can identify it by noticing the odd in history, sample given in Figure 2. Let’s first take a closer look at this page below (Figure 1)– the URL (says cnn.com) and the title of tab (says BBC-Homepage).
Imagine how the browser history would look like? Check out the below snapshot.
Now let’s see how that happened. Here is the little trick we did to demonstrate the idea. We set up a proxy in the browser, apply breaks and amend GET packets (see Figure 3).
What’s the point?
Above is just one technique of doing this, there might be other ways but the point is that being forensic investigators we should think in all directions and not just the result of the tools. Don’t ignore any inconsistency found in the logs; they might be there for some reason. Few of them might be:
- System was compromised.
- The user intentionally tried to cover the tracks.