Archives For Browser Forensics

It has been over six months since Edward Snowden’s unprecedented NSA leaks, and we are still a long way from being able to assess the damage. Worldwide trust in United States tech companies has undoubtedly been shaken. Cisco Systems blamed a ten percent revenue drop on fallout from the leaks. Microsoft is offering the ability for foreign customers to have their data stored outside of the United States. And Silicon Valley stalwarts from Apple to Google to Yahoo have spent considerable resources defending themselves as each new embarrassing revelation becomes public. The trickle-down effect of this is even touching the small niche of digital forensics. Personal privacy has been central to the Snowden debate, and users today are more educated than ever about how their information is stored and transmitted. Web services companies are taking notice, and we have already seen some very useful artifacts disappear. I expect the trend to continue and would like to share a few examples.

Google Chrome

On October 1, 2013, version 30 of Google Chrome was released. Absent in this release was one of the most unique browser artifacts available: History Index files. Prior to version 30, Chrome not only stored browser history, cache and cookies but also recorded a full text index of each visited page. Since page content can change, this was a wonderful forensic artifact for proving what existed on a given page when a user viewed it. Chrome version 30 not only stopped recording this information, it also deleted any existing History Index files from the user’s profile.

Google Chrome Index c2body

Figure 1: The Chrome c2body field previously held a full text index of visited pages.

Continue Reading…

Collusion for Chrome Graph

While doing some browser forensics research, I stumbled upon a Chrome extension named Collusion for Chrome.     This extension provides a visual representation of the tracking information shared with third party sites during web browsing .  While the notion of browser tracking is hardly surprising these days, Collusion provides some of the most compelling evidence I have seen for the “Do Not Track” movement.

As an example, the image above shows my browser activity during a brief period.   I selected a specific node corresponding to Wired.com and you can see the vast number of external connections a visit to Wired spawns.  Information about the various contacted sites can be identified using the following key:

  • Blue nodes:  Sites previously visited by the user
  • Gray nodes:  Third party sites receiving browser data (never visited by user)
  • Red nodes:  Known aggregators of tracking information (the slash indicates the site was blocked by Collusion)

Continue Reading…