
    On the digital forensic analysis of the Firefox browser via recovery of SQLite artifacts from unallocated space

    A technique and supporting tool for the recovery of browsing activity (both stored and deleted) from current and recent versions of the Firefox web browser is presented. The generality of the technique is discussed: it is applicable to any software that uses the popular SQLite embedded database engine, such as the Apple Safari web browser and many Android apps.
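The abstract above describes recovering both live and deleted rows from SQLite files. The script below is an added example written for this page; it is not the paper's technique or tool and not Firefox code. It builds a constructed three-row database loosely modelled on Firefox's moz_places table, deletes one row with secure_delete off, and then carves URL strings only from the regions that SQLite marks as free inside each table-leaf page (the unallocated gap between the cell-pointer array and the cell content area, plus the freeblock chain, laid out as in the SQLite file-format documentation). It also runs a blind string carve over the whole file for comparison. The schema, the sample rows and the deleted.example.org URL are assumptions made up for the demo.

```python
"""Carve deleted URL strings from the free space of SQLite table-leaf pages.

Added example, not from the paper or any browser project. The sample
database is constructed here; page-layout offsets follow
https://www.sqlite.org/fileformat.html (b-tree page header, cell pointer
array, freeblock chain).
"""
import os
import re
import sqlite3
import struct
import tempfile

# Characters permitted in a URL (RFC 3986 unreserved + reserved + percent).
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Constructed sample rows; the table is a cut-down stand-in for moz_places.
SAMPLE_ROWS = [
    ("Example Domain", "https://example.com/"),
    ("Constructed deleted visit", "https://deleted.example.org/private/report?id=42"),
    ("IANA reserved domains", "https://www.iana.org/domains/reserved"),
]
DELETED_URL = SAMPLE_ROWS[1][1]


def build_history_db(path):
    """Create the sample database, then delete the middle row.

    secure_delete is forced OFF so the freed cell's bytes stay on the page.
    Real deployments may build SQLite with secure_delete on (it zeroes freed
    cells), so an examiner must check rather than assume recoverability.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, title TEXT, url TEXT)")
    conn.executemany("INSERT INTO moz_places(title, url) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM moz_places WHERE url = ?", (DELETED_URL,))
    conn.commit()
    conn.close()


def live_urls(path):
    """URLs the database still reports through SQL (allocated rows only)."""
    conn = sqlite3.connect(path)
    rows = {r[0] for r in conn.execute("SELECT url FROM moz_places")}
    conn.close()
    return rows


def free_regions(data):
    """Yield (page_no, kind, bytes) for each free region of every table-leaf page."""
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                      # header encodes 65536 as 1
        page_size = 65536
    for page_no in range(1, len(data) // page_size + 1):
        page = data[(page_no - 1) * page_size: page_no * page_size]
        hdr = 100 if page_no == 1 else 0    # page 1 starts with the 100-byte file header
        if page[hdr] != 0x0D:               # 0x0D = table b-tree leaf page
            continue
        first_free, ncells, content_start = struct.unpack(">HHH", page[hdr + 1: hdr + 7])
        if content_start == 0:
            content_start = 65536
        ptr_array_end = hdr + 8 + 2 * ncells   # leaf header is 8 bytes, 2 bytes per cell pointer
        yield page_no, "unallocated", page[ptr_array_end:content_start]
        off, seen = first_free, set()
        while off and off not in seen:      # guard against a looping (corrupt) freelist
            seen.add(off)
            nxt, size = struct.unpack(">HH", page[off: off + 4])
            yield page_no, "freeblock", page[off: off + size]
            off = nxt


def carve_urls(blob):
    """Blind string carve: every URL-looking byte run, live or not."""
    return [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(blob)]


def recover_deleted_urls(path):
    """URLs found in free space that no live row holds (deleted-row candidates)."""
    with open(path, "rb") as fh:
        data = fh.read()
    carved = set()
    for _page, _kind, region in free_regions(data):
        carved.update(carve_urls(region))
    return sorted(carved - live_urls(path))


def demo():
    """Build the sample database and return (live, blind_carve, deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "places.sqlite")
        build_history_db(path)
        with open(path, "rb") as fh:
            blind = set(carve_urls(fh.read()))
        deleted = recover_deleted_urls(path)
        return live_urls(path), blind, deleted


if __name__ == "__main__":
    live, blind, deleted = demo()
    print("live rows:             ", sorted(live))
    print("blind carve, whole file:", sorted(blind))
    print("deleted, from free space:", deleted)
```

The structured carve returns the deleted URL exactly, because a freed cell becomes a freeblock whose size field bounds the region; the blind carve over the whole file also finds it, but mixed in with live rows and with trailing bytes from the neighbouring cell (column values are not terminated, and a cell's first byte, the payload-length varint, is often printable). Pages lying in file-system unallocated space, the paper's actual target, can be handled the same way once they have been carved out by the 0x0D page-type signature and the page size from any surviving header; a VACUUM, secure_delete, or WAL/journal checkpointing changes what survives, so those files and settings belong in the examination too.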

    Web browser artefacts in private and portable modes: a forensic investigation

    Web browsers are essential tools for accessing the internet. Extra complexities are added to forensic investigations when recovering browsing artefacts, as portable and private browsing are now common and available in popular web browsers. Browsers claim that, whilst operating in private mode, no data is stored on the system. This paper investigates whether browsers' claims of discretion hold by analysing the remnants of browsing left by the latest versions of Internet Explorer, Chrome, Firefox and Opera when used in a private browsing session, as a portable browser, and as a portable browser running in private mode. Some of our key findings show how forensic analysis of the file system recovers evidence from IE while running in private mode, whereas other browsers seem to maintain better user privacy. We analyse volatile memory and demonstrate how physical memory, by means of dump files, hibernation and page files, is the key area where evidence from all browsers will still be recoverable regardless of the mode or location they run from.

    Web Browser Private Mode Forensics Analysis

    To maintain the privacy of end consumers, browser vendors provide a very good feature on the browser called Private Mode. As per the browser vendors, Private Mode ensures that cookies, temporary internet files, webpage history, form data and passwords, anti-phishing cache, address bar and search AutoComplete, Automatic Crash Restore (ACR) and Document Object Model (DOM) storage information are not stored on the system [45]. To put the browser vendors' claim to the test, I set up a test to confirm the claims. During the first test the file system was monitored for all reads and writes. In the second test an image of the RAM was taken after the browser had been used in private mode. The image was analyzed to check whether the RAM contained any data related to the user's browsing. The browsers chosen for this test were Internet Explorer, Firefox, Google Chrome and Safari. During the file system monitoring analysis for the browsers in private mode it was found that Google Chrome and Firefox didn't write any data to the file system. Safari wrote data to just a single file called WebpageIcons.db. Internet Explorer wrote browsing data to the file system and then deleted it. This data can be recovered using any recovery tool such as Recuva. During the memory dump based analysis for the browsers in private mode, it was found that browser data was recoverable for all the browsers. Therefore, from a data privacy perspective, Google Chrome and Firefox are safer to use than Safari and Internet Explorer.

    Investigating and analyzing the web-based contents on Chinese Shanzhai mobile phones

    Chinese Shanzhai mobile phones have had a huge commercial market in China and overseas and have been found to be involved in criminal cases. In this paper, an MTK-based Shanzhai phone with a private web browser was investigated to extract the user's web browsing data in the form of sites visited, received emails, attempted Internet searches, etc. Based on the findings, extracting Internet searches conducted and web email received from the binary image was demonstrated. Besides, deleted browsing history can be recovered from snapshots in memory to help reconstruct the user's browsing activity and support timeline analysis.
    Postprint. The 7th International Workshop on Systematic Approaches to Digital Forensic Engineering (IEEE/SADFE 2012), Vancouver, BC, 26-28 September 2012, p. 1297-130

    A Forensic Comparison: Windows 7 and Windows 8

    Whenever a new operating system or a new version of an operating system is released, forensic investigators must re-examine it. They do so to determine whether there are significant differences that will impact and change the way they perform their investigations. With the release of Microsoft's latest operating system, Windows 8, and its update, Windows 8.1, understanding the similarities and differences between Windows 8 and previous operating systems such as Windows 7 is critical. This paper forensically examines Windows 7 and Windows 8 to determine those similarities and differences.

    A CRITICAL COMPARISON OF BRAVE BROWSER AND GOOGLE CHROME FORENSIC ARTEFACTS

    Digital forensic practitioners are tasked with the identification, recovery and analysis of Internet browser artefacts which may have been used in the pursuit of committing a civil or criminal offence. This research paper critically compares the most downloaded browser, Google Chrome, against an increasingly popular Chromium browser known as Brave, said to offer privacy by default. With increasing forensic caseloads, data complexity, and requirements for method validation to satisfy ISO 17025 accreditation, recognising the similarities and differences between the browsers, developed on the same underlying technology, is essential. The paper describes a series of conducted experiments and subsequent analysis to identify artefacts created as part of normal user browsing activity. Analysis of the artefacts found that Brave and Chrome share almost identical data structures, with on-disk artefact recovery successful, even for deleted data. The outcome of this research, based upon the results, serves to enrich understanding and provide best practice for practitioners and software developers, respectively responsible for the examination of Chromium artefacts for use in evidence production, and for the development of new forensic tools and techniques.

    Overcoming Forensic Implications with Enhancing Security in iOS

    As the decades have passed, smartphones have become among the greatest inventions. But their history spans more than 2500 years, starting from a basic thing of strings and beads, i.e. from the abacus to the latest of our present iPhone. Every special invention in this area has brought people together socially over the internet. This, in turn, raised the alarm for having secured communication. With these devices getting popular, development in the technology to enhance the security features in those devices has also been increasing. These advancements have brought the Apple operating system (iOS) into the light. These devices are one step ahead of all other smartphones regarding storage, by having space for storing emails, GPS data and many more. This feature of storage has a major advantage in conducting forensics for investigation purposes. In this research, I performed data acquisition on iPhones with two different OS versions using various forensic tools and then compared the forensic implications with variant security features. I analyzed the forensic implications with enhancements in security and iPhone operating systems over the years. I also used software to break the iPhone passcode, which is the major forensic implication caused.

    Forensic acquisition of file systems with parallel processing of digital artifacts to generate an early case assessment report

    The way humans interact and carry out routine tasks has changed over the last few decades, and a long list of activities is now only possible through information technology, among them the purchase of goods and services, business management and operations, and communications. These transformations are also visible in less legitimate activities, allowing crimes to be committed by digital means. In general terms, forensic investigators search for evidence of criminal actions carried out through digital devices in order, finally, to try to identify the perpetrators, the extent of the damage caused and the story behind what made the crime possible. In essence, this activity must follow strict rules to ensure that the evidence is admissible in court, but the greater the number of new artifacts and the larger the volume of storage devices available, the longer the time between the identification of a suspect's device and the moment the investigator begins to navigate the sea of information held on it. This research aims to bring forward some stages of the EDRM (Electronic Discovery Reference Model) by using the parallel processing available in current processing units (CPUs) to interpret multiple Windows 10 forensic artifacts and generate a report with the most crucial information about the acquired device. This allows an early case assessment (ECA) while a full disk acquisition is still in progress, with minimal impact on the overall acquisition time.

    A two-stage model for social network investigations in digital forensics

    This paper proposes a two-stage model for identifying and contextualizing features from artefacts created as a result of social networking activity. This technique can be useful in digital investigations and is based on understanding and deconstructing the processes that take place prior to, during and after user activity; this includes corroborating artefacts. Digital investigations are becoming more complex due to factors such as the volume of data to be examined, different data formats, a wide range of sources of digital evidence, the volatility of data and the limitations of some of the standard digital forensic tools. This paper highlights the need for an approach that enables digital investigators to prioritize social network artefacts for further analysis; to determine social connections in the context of an investigation, e.g. a user's social relationships; how recovered artefacts came to be; and how they can successfully be used as evidence in court.

    Smurf : A reliable method for contextualising social media artefacts

    © Cranfield University 2020. All rights reserved. No part of this publication may be reproduced without the written permission of the copyright owner.
    This research aims to evaluate whether artefacts other than the content of user communication on social media can be used to attribute actions or relationships to a user. Social media has enhanced the way users communicate on the Internet, providing the means for users to share content in real time and to establish connections and social relationships with like-minded individuals. However, as with all technology, social media can be leveraged for disagreeable and/or unlawful activities such as cyber bullying, trolling, grooming or luring. There are reported cases where evidence from social media was used to secure convictions; for example, the tragic cases of Ashleigh Hall in 2009 and Kayleigh Haywood in 2015. The social media evidence, e.g. the messages sent to the victim to arrange a meet-up, was used to link the suspect to the victim and attribute actions to the suspect, in addition to other physical evidence presented as part of the case. Investigations with elements of social media are growing within digital forensics. This reinforces the need for a technique that can be used to make inferences about user actions and relationships, especially during a live triage investigation where the information needs to be obtained as quickly as possible. This research evaluates the use of live triage in the investigation of social media interactions, in order to determine the reliability of such a technique as a means of contextualising user activity and attributing relationships or actions to a user. This research also evaluates the reliability of artefacts other than the actual content exchanged on social media, in the event that the content of communication is not immediately accessible or available to the investigator.
    To achieve this, it was important to break down the events that occur before, during and after user activity on social media, followed by the determination of what constitutes communication content in the context of this research. This research makes the following contributions: it establishes a method for the categorisation of social media artefacts based on perceived user activity; communication content was characterised, thus highlighting evidential data of interest from user social media activity; criteria for assessing the reliability of social media artefacts in a live triage investigation were proposed; and a novel framework for social media investigation was developed, with a Proof of Concept (PoC) to test its viability. The PoC demonstrates that it is possible to attribute actions or relationships to a user using artefacts other than the actual content exchanged on social media.