Web Browser Forensics

/images/found_usb/USB_dd.001 is a forensic disk image of the USB stick found. Create a new case in Autopsy. Add a data source. Choose "Disk Image or VM File" and browse to /images/found_usb/USB_dd.001. Make sure that ONLY "recent activity" is checked in the Ingest modules. Click Next and Finish, and wait for the ingest to complete. This should take no more than 3 or 4 minutes.

Which browser was used by the suspect?

Google Chrome 45.0.24 Firefox 32.0.3 Firefox Portable 35.0.1 Internet Explorer 9

Where are the SQLite files stored that contain the Firefox history? Enter the full directory path as shown by Autopsy. (The answer is case sensitive, and you should use "/" to delimit directories. Do not include the filename itself nor the final slash.).
Full path:

What is the filename of the database which should contain the websites visited and bookmarks?
filename:

Autopsy does not provide dedicated support for sqlite databases, but you can see some of its contents using the ASCII Strings display option. To view the file fully, you need to open it in a suitable SQLite viewer.

First, you need to extract the file from the disk image. To do this, simply select the file in Autopsy and click "Export" from the list below the directory listing.

Open the exported file in SQLite Database Browser (Forensics Tools > Database menu) or in the FireFox SQLite plugin (instructions for how to install this can be found in moodle). The file will be in /home/caine/Downloads.

The database contains 11 tables. Which table is used to store the main browsing history?
table:

Inspect this table. Which two entries look specifically useful for this investigation? Enter the ids stored in the table, not the row numbers. (Separate entries by commas but no spaces and list in ascending order. For example, 4,18
table ids:

The entries in the above table suggest that the suspect may be planning to travel.

To which cities? (enter the city names in the order in which they appear in the history, separated by comma but no spaces)
cities:

In which country are theose cities? (Case Sensitive)
country:

From this database table alone, do we know whether the relevant websites were visited during the time in question, i.e. the evening of the 15/2/2015?

Yes No

Is there evidence that browsing history was deleted?

no yes - there are missing ID values yes - there are deleted records visible

Is there evidence that private browsing was used?

no yes - there are missing ID values yes - there are deleted records visible

Now look at the table moz_bookmarks. Which of these statements are true?

When was the Expedia search bookmarked?

Enter the timestamp value:

In which format does Firefox store timestamps?

DOS HFS Hindelbrox exchange format OLE Unix / Epoch (microseconds) Unix / Epoch (milliseconds) Windows

Now convert the timestamp to human readable format (you can use an SQL query to do this or an online converter - I like http://www.epochconverter.com/. Enter it as dd/mm/yyyy hh:mm:ss).

Human readable timestamp value:

Where is the browser cache stored?
A - In the Cache subfolder, in the same folder as the SQLite files
B - Caching must have been disabled by the user, as there is no Cache subfolder on the USB.
C - Cache is always disabled in FF Portable to decrease disk size and the number of writes to the disk
D - Cache is stored on the hard drive of the host machine rather than the USB, to decrease disk size

sessionstore.js is used by FireFox to:
A - allow a previous session to be restored after a crash
B - store security certificate settings
C - store user preference settings
D - store information for later forensic analysis

Like all JSON files, sessionstore.js can be opened in any text editor but the layout isn’t ideal for humans. In Autopsy I recommend using the "Text" tab. From there, you could copy and paste the contents into a JSON viewer such as http://jsonviewer.stack.hu/. Then click "Format" for a much nicer view.

Note: use the current sessionstore.js file (not a deleted one). A copy of the file is also available in moodle for download, which you may find more convenient.

If you get errors with the online viewer try Internet Explorer. Also in Linuxzoo we have added it to the safe pages in Firefox.

Based on your inspection of places.sqlite and sessionstore.js, fill in the table below with the potential travel plans you found. Enter all dates in the format dd/mm/yyyy. Order the entries by date and leave blank any fields that are not applicable.

We discovered earlier that some browsing history seems to have been deleted.

SQLite by default keeps deleted data, but marks it internally as deleted. It also offers a SECURE_DELETE option, where data is overwritten with zeroes when deleted.

Which of the settings is used by Firefox? (Hint: inspect places.sqlite in a hex editor or in Autopsy using the Hex display option)

Default - deleted data persists SECURE_DELETE turned on - deleted data is overwritten with zeroes

You have now pretty much exhausted the information available from files in allocated space.

Now search unallocated space to see what else you can discover. How you do this is up to you.

Here are some suggestions:

1. You can view the unallocated space directly in Autopsy, but it is probably a better idea to extract the unallocated space only into a separate file and then work with that. In Caine, use the command blkls to do this. Alternatively you can download a zipped copy from moodle and use a windows hex editor such as HxD.
2. Once you have all the unallocated space extracted, you can
   1. open the unallocated space directly in a hex editor and inspect / search there and/or
   2. use the strings command to extract readable text. (use the -t d option to include the byte offset where the string was found - this will allow you to search the string's context later. Also, send the output to a text file so that you don't have to redo strings for each search. You can then search the text file with grep, or inspect it.
3. To carry out any searches, you need to think of some potentially useful strings you could search for. There are some fairly obvious ones like "http", "mail", "@", but these are not all that specific. Others you could try are "flight", "travel", or the place names that you discovered already, or look up the three letter abbreviations for the airports at these places (for example, Edinburgh has the code EDI) and search for them. Some searches may be better case sensitive, others case insensitive.
4. You know from earlier work which search engine was used. All searches carried out with this search engine will have a common string as part of the URL. This could also be used for searches.

Using strategy 4, look through the data and identify the common search string used for all searches (do not include http:// or https:// as some searches could use either one).
Search string

Similarly, what string would be part of all map searches?
Map string

With the strategies discussed above, you should be able to find all the information to complete the questions below.

Information about people - fill in the table below. Use dd/mm/yyyy format for dates and enter everything else exactly as found.

Enter flight information (for return trips enter each leg separately. Leave empty any cells that you have no information for. Enter dates in the format dd/mm/yyyy and times hh:mm. Separate flight numbers with commas but no space). Put them in date order.

How do you know that these travel plans were searched for during the time in question in the internet cafe?
A - as this is deleted information there are no timestamps, so we don't know
B - cacheKey and/or lastUpdate timestamps that confirm that the websites were visited during the time in question
C - there are timestamps which confirm that that the websites were not visited during the time in question

The police believe that the suspect may be planning to flee the country and not return to the UK. Does the evidence you found support this belief?

From the USB analysis alone, is there any indication that the suspect sent/received emails while in the internet cafe?