Web Browser Forensics

Objectives

This practical will guide you through a small investigation using Linuxzoo Caine.

You will analyse Firefox forensic artefacts, which are stored mainly in SQLite databases, and explore what happens to deleted history.

It is expected that you use additional reference material as appropriate – some useful references are listed below and in the lecture / moodle.

Useful references and further reading

Morrill, D (2011), Firefox Forensics and SQLite Tables for Computer Forensics Analysis, available at http://resources.infosecinstitute.com/firefox-and-sqlite-forensics/ , gives a good overview of the different SQLite files and tables that Firefox uses to store user data.

Parsonage, H (2010), Web browser Session Restore Forensics, available at http://computerforensics.parsonage.co.uk/downloads/WebBrowserSessionRestoreForensics.pdf, takes an in-depth look at sessionstore.js files.

Boucher, J (2009). Mozilla Firefox Forensics Investigator's Reference Manual, Canadian Police College, available at http://cryptocomb.org/Mozilla%20Ref%20Manual.pdf. A very in-depth look using Firefox 3; everything should still be applicable as there have been very few, if any, structural changes since.

Bagley, R, Ferguson I and Leimich P (2012), On the digital forensic analysis of the Firefox browser via recovery of SQLite artifacts from unallocated space, CFET 2012, 6th International Conference on Cybercrime Forensics Education & Training, Canterbury Christ Church University, investigates the recovery of deleted Firefox history from unallocated space. The full paper is available in Moodle (the hyperlink is to the conference programme which includes only the abstract).

I would also recommend the article Caithness, A (2012), The Forensic Implications of SQLite’s Write Ahead Log, available at http://www.cclgroupltd.com/the-forensic-implications-of-sqlites-write-ahead-log/.

Barbara, J (2012), Firefox Forensics, DFI News. Blog post in four parts: http://www.forensicmag.com/articles/2012/09/mozilla-firefox-forensics, http://www.forensicmag.com/articles/2012/12/mozilla-firefox-forensics-part-2, http://www.forensicmag.com/articles/2012/12/mozilla-firefox-forensics-part-3, http://www.forensicmag.com/articles/2012/12/mozilla-firefox-forensics-part-4

Scenario

From CCTV, the police identified a female suspect entering an internet cafe in Edinburgh at approx. 19:30 on Sunday 15/2/15. Her name is as yet unknown. After she left the internet cafe at approx. 20:55, the police obtained a warrant to seize the PC she was using. During the acquisition, they found a USB stick connected to the PC, which may belong to the suspect. While it is known through the manager of the cafe that the suspect did use the internet, no traces of relevant browsing history were found on the PC itself, and the router is configured not to store packet content information. It is now your task to analyse the USB stick. The police would like to know:

Question 1: Load the case into Autopsy

Boot Linuxzoo Caine with a graphical interface. Autopsy was introduced in tutorial 5b; refer to that if you need more detailed instructions.

Create a new case in Autopsy. Make the case name "firefox".

Add a new host with the name "host1". Add a description; ignore the other options.

Associate this host with the image USB_dd.001 (this is a forensic disk image of the USB stick found). It can be found in /images/found_usb.

As before, select the type to be partition and the import method symlink. Autopsy should identify the File System Type as NTFS. Set the mount point to D:, and in the Data Integrity option select Calculate. Leave the other options and click Add.


Question 2: Initial Inspection

Click on "Analyze" and choose "File Analysis". Inspect the directory listing. Which browser was used by the suspect?


Question 3: Firefox History - SQLite files

Where are the SQLite files stored that contain the Firefox history? Enter the full path including the drive letter. (The answer is case sensitive, and you should use "/" to delimit files and directories).
Full path:


What is the filename of the database which should contain the websites visited and bookmarks?
filename:


Autopsy does not provide dedicated support for SQLite databases, but you can see some of a database's contents using the ASCII Strings display option. To view the file fully, you need to open it in a suitable SQLite viewer.

First, you need to extract the file from the disk image. To do this, simply select the file in Autopsy and click "Export" from the list below the directory listing.

Open the exported file in SQLite Database Browser (Forensics Tools > Database menu) or in the Firefox SQLite plugin (instructions for how to install this can be found in moodle). The file will be in /home/caine/Downloads.

The database contains 11 tables. Which table is used to store the main browsing history?
table:


Inspect this table. Which two entries look specifically useful for this investigation? Enter the ids stored in the table, not the row numbers. (Separate entries by commas but no spaces and list in ascending order. For example, 4,18)
table ids:


The entries in the above table suggest that the suspect may be planning to travel.

To which cities? (Enter the city names in the order in which they appear in the history, separated by commas but no spaces.)
cities:

In which country are those cities? (Case sensitive)
country:


From this database table alone, do we know whether the relevant websites were visited during the time in question, i.e. the evening of 15/2/2015?


Is there evidence that browsing history was deleted?


Is there evidence that private browsing was used?


Now look at the table moz_bookmarks. Which of these statements are true?

moz_bookmarks contains no additional information
moz_bookmarks contains URLs identifying additional websites that are directly relevant to the investigation
if a URL is bookmarked, this confirms that it was visited deliberately
the bookmark records include timestamps
The fk values for bookmarks 21 and 22 confirm that both sites identified in moz_places were bookmarked


When was the Expedia search bookmarked?


Enter the timestamp value:


In which format does Firefox store timestamps?


Now convert the timestamp to human readable format (you can use an SQL query to do this or an online converter; I like http://www.epochconverter.com/). Enter it as dd/mm/yyyy hh:mm:ss.


Human readable timestamp value:

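As an added example (not part of the tutorial), the fk link between moz_bookmarks and moz_places and the timestamp conversion worked in Python's sqlite3 against a constructed stand-in for places.sqlite. Table and column names follow Firefox's schema; every row, URL and time is made up, and the code assumes Firefox's PRTime timestamps are microseconds since the Unix epoch.

```python
import sqlite3
from datetime import datetime, timezone

US_PER_S = 1_000_000  # Firefox PRTime: microseconds since the Unix epoch (UTC)

def build_sample_places() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite (not the real file)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, fk INTEGER, title TEXT,
                                    dateAdded INTEGER);""")
    t_cafe = 1424031000 * US_PER_S             # 15/02/2015 20:10:00 UTC
    t_earlier = t_cafe - 7 * 86400 * US_PER_S  # a week before, outside the window
    conn.executemany("INSERT INTO moz_places VALUES (?, ?)", [
        (4, "http://www.example.test/flights?dest=SAMPLE"),
        (18, "http://www.example.test/maps?q=SAMPLE")])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)",
                     [(1, 4, t_cafe), (2, 18, t_earlier)])
    # fk holds the moz_places.id of the bookmarked page (the link the fk question relies on)
    conn.execute("INSERT INTO moz_bookmarks VALUES (?, ?, ?, ?)",
                 (21, 4, "Flights (sample)", t_cafe))
    conn.commit()
    return conn

def bookmarks_with_urls(conn):
    """Resolve fk -> moz_places.id and let SQLite render dateAdded as dd/mm/yyyy hh:mm:ss."""
    return conn.execute("""
        SELECT b.id, b.fk, p.url,
               strftime('%d/%m/%Y %H:%M:%S', b.dateAdded / 1000000, 'unixepoch')
        FROM moz_bookmarks b JOIN moz_places p ON p.id = b.fk ORDER BY b.id""").fetchall()

def prtime_to_text(prtime: int) -> str:
    """Same conversion in Python, to cross-check the SQL result or a converter site."""
    return datetime.fromtimestamp(prtime // US_PER_S, tz=timezone.utc).strftime("%d/%m/%Y %H:%M:%S")

def text_to_prtime(text: str) -> int:
    """Inverse: 'dd/mm/yyyy hh:mm:ss' (UTC) -> PRTime, for building a time window."""
    dt = datetime.strptime(text, "%d/%m/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * US_PER_S

def visits_between(conn, start: str, end: str):
    """URLs with a recorded visit inside [start, end] (bounds as dd/mm/yyyy hh:mm:ss UTC)."""
    return [r[0] for r in conn.execute("""
        SELECT p.url FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        WHERE v.visit_date BETWEEN ? AND ? ORDER BY v.visit_date""",
        (text_to_prtime(start), text_to_prtime(end)))]
```

The real places.sqlite records local wall-clock time only indirectly: PRTime is UTC, so convert the cafe window to UTC before comparing.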

Question 4: Firefox History - cache and sessionstore.js

Where is the browser cache stored?
A - In the Cache subfolder, in the same folder as the SQLite files
B - Caching must have been disabled by the user, as there is no Cache subfolder on the USB.
C - Cache is always disabled in FF Portable to decrease disk size and the number of writes to the disk
D - Cache is stored on the hard drive of the host machine rather than the USB, to decrease disk size


sessionstore.js is used by Firefox to:
A - allow a previous session to be restored after a crash
B - store security certificate settings
C - store user preference settings
D - store information for later forensic analysis


Like all JSON files, sessionstore.js can be opened in any text editor but the layout isn’t ideal for humans. In Autopsy I recommend using the "Text" tab. From there, you could copy and paste the contents into a JSON viewer such as http://jsonviewer.stack.hu/. Then click "Format" for a much nicer view.

Note: use the current sessionstore.js file (not a deleted one). A copy of the file is also available in moodle for download, which you may find more convenient.

If you get errors with the online viewer, try Internet Explorer. Also, in Linuxzoo we have added it to the safe pages in Firefox.

Based on your inspection of places.sqlite and sessionstore.js, fill in the table below with the potential travel plans you found. Enter all dates in the format dd/mm/yyyy. Order the entries by date and leave blank any fields that are not applicable.

        | Trip to | Arrival date | Departure date | No of adults | No of children | Child age
Row 1   |         |              |                |              |                |
Row 2   |         |              |                |              |                |


Question 5: Deleted history

We discovered earlier that some browsing history seems to have been deleted.

SQLite by default keeps deleted data, but marks it internally as deleted. It also offers a SECURE_DELETE option, where data is overwritten with zeroes when deleted.

Which of the settings is used by Firefox? (Hint: inspect places.sqlite in a hex editor or in Autopsy using the Hex display option)

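Added example, not from the tutorial: the difference between the two SQLite settings shown on a throwaway database, with secure_delete set explicitly on or off so the result does not depend on how the local SQLite library was compiled. The file name and URL are constructed; the check it performs is the same one the hex-editor hint asks you to make by eye on places.sqlite.

```python
import os
import sqlite3
import tempfile

SAMPLE_URL = "http://www.example.test/flights?dest=SAMPLE"  # constructed value

def deleted_url_offset(secure_delete: bool) -> int:
    """Insert one history row, delete it, then scan the raw database file.

    Returns the byte offset at which the deleted URL still appears in the
    file, or -1 if SQLite overwrote the bytes when the row was deleted.
    """
    path = os.path.join(tempfile.mkdtemp(), "sample_places.sqlite")
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode = DELETE")  # plain rollback journal, no WAL
    conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
    conn.execute("INSERT INTO moz_places VALUES (1, ?)", (SAMPLE_URL,))
    conn.commit()
    conn.execute("DELETE FROM moz_places WHERE id = 1")  # the "clear history" step
    conn.commit()
    conn.close()
    with open(path, "rb") as f:          # look at the file, not through SQLite
        return f.read().find(SAMPLE_URL.encode())

if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete=%s -> offset %d" % (mode, deleted_url_offset(mode)))
```

With secure_delete off the row is only unlinked inside the page, so its bytes are still visible to a hex editor or to strings; with it on, the freed space is zeroed.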

Question 6: Unallocated Space

You have now pretty much exhausted the information available from files in allocated space.

Now search unallocated space to see what else you can discover. How you do this is up to you.

Here are some suggestions:

  1. You can view the unallocated space directly in Autopsy, but it is probably a better idea to extract only the unallocated space into a separate file and then work with that. In Caine, use the command blkls to do this. Alternatively you can download a zipped copy from moodle and use a Windows hex editor such as HxD.
  2. Once you have all the unallocated space extracted, you can
    1. open the unallocated space directly in a hex editor and inspect / search there and/or
    2. use the strings command to extract readable text (use the -t d option to include the byte offset where the string was found; this will allow you to search the string's context later). Also, send the output to a text file so that you don't have to redo strings for each search. You can then search the text file with grep, or inspect it.
  3. To carry out any searches, you need to think of some potentially useful strings you could search for. There are some fairly obvious ones like "http", "mail", "@", but these are not all that specific. Others you could try are "flight", "travel", or the place names that you discovered already, or look up the three letter abbreviations for the airports at these places (for example, Edinburgh has the code EDI) and search for them. Some searches may be better case sensitive, others case insensitive.
  4. You know from earlier work which search engine was used. All searches carried out with this search engine will have a common string as part of the URL. This could also be used for searches.
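Added example, not part of the tutorial: a small Python emulation of the strings -t d and grep workflow from suggestions 2 to 4, run over a constructed byte blob standing in for a blkls dump. It also shows why a search for an airport code such as EDI is better done case sensitive, and how the decimal offset leads back to the surrounding bytes in the image. All strings and URLs in it are made up.

```python
import re

# Constructed stand-in for a blkls dump of unallocated space: printable fragments
# of carved browser data separated by binary filler (not real case data).
UNALLOC = (b"\x00" * 16
           + b"http://www.example-search.test/search?q=flights+EDI+to+SAMPLE"
           + b"\xff\x00\x7f\x01" * 8
           + b"Enter your credit card number"
           + b"\x00" * 8
           + b"http://www.example-maps.test/maps?q=Edinburgh+airport"
           + b"\x00" * 16)

def extract_strings(data: bytes, min_len: int = 4):
    """Emulate `strings -t d`: (decimal byte offset, printable ASCII run) pairs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]

def parse_strings_output(text: str):
    """Read saved lines of real `strings -t d` output back into (offset, string) pairs."""
    out = []
    for line in text.splitlines():
        off, _, s = line.lstrip().partition(" ")
        if off.isdigit():
            out.append((int(off), s))
    return out

def grep_strings(entries, pattern: str, ignore_case: bool = False):
    """Like grep over the strings output; keeps the offset of every hit."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [(off, text) for off, text in entries if rx.search(text)]

def context(data: bytes, offset: int, before: int = 16, after: int = 64) -> bytes:
    """Raw bytes around a hit, to confirm it against the image itself."""
    return data[max(0, offset - before): offset + after]
```

A case-insensitive search for EDI also matches "credit" and "Edinburgh", which is the kind of noise the tutorial's remark about case sensitivity refers to.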

Using strategy 4, look through the data and identify the common search string used for all searches (do not include http:// or https:// as some searches could use either one).
Search string

Similarly, what string would be part of all map searches?
Map string


With the strategies discussed above, you should be able to find all the information to complete the questions below.

Information about people - fill in the table below. Use dd/mm/yyyy format for dates and enter everything else exactly as found.

               | traveller 0 | traveller 1 | traveller 2
first name     | Joan        | John        |
surname        |             |             |
date of birth  |             |             |
postcode       |             |             |
city           |             |             |
address        |             |             |
mobile number  |             |             |
email          |             |             |

Enter travel information (for return trips, enter each leg separately; leave empty any cells that you have no information for; enter dates in the format dd/mm/yyyy and times as hh:mm; separate flight numbers with commas but no spaces). Put the rows in date order.

date | time | mode   | company | from | to | via | flight numbers | adults | children
     |      | flight |         |      |    |     |                |        |
     |      | flight |         |      |    |     |                |        |
     |      | flight |         |      |    |     |                |        |

How do you know that these travel plans were searched for during the time in question in the internet cafe?
A - as this is deleted information there are no timestamps, so we don't know
B - cacheKey and/or lastUpdate timestamps that confirm that the websites were visited during the time in question
C - there are timestamps which confirm that the websites were not visited during the time in question


The police believe that the suspect may be planning to flee the country and not return to the UK. Does the evidence you found support this belief?

From the USB analysis alone, is there any indication that the suspect sent/received emails while in the internet cafe?


