Understanding Browser Artifacts
Geo-location artifacts demonstrate an interesting concept with regard to browser-based evidence. Among the various browser artifacts, Internet history is a fan favorite because it provides such rich information. There is no easier place to look to identify sites visited by a specific user at a specific time. Browser history is so useful that a critical shortcoming is often ignored: with today’s dynamic web pages, a vast number of web page requests go unrecorded. When a user visits a website, a multitude of requests are completed in the background to retrieve images and advertisements, populate web analytics, and load content from third parties. The content retrieved from these requests is stored within the cache, and an entry within the cache database is created. While the browser history database may only show the page visited, the cache holds most of the components retrieved to dynamically build that page.
Most browser-based geo-location artifacts are not stored within the browser history. Looking back at the HTML5 standard, this makes perfect sense. The fact that the API is JavaScript-dependent is the first clue. Also, the multiple steps and asynchronous nature of a geographical lookup indicate that a lot is going on behind the scenes when that initial web page is accessed. Luckily, data collected from the host must be passed to a geo-location service, and those interactions are often recorded within the browser cache. When content is cached, the URLs associated with the web request are also stored. It is within these requests that we can mine geo-location parameters and coordinates passed to third parties such as Google Maps.
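As an added illustration (not code from the original article), the following Python sketch mines coordinates out of URLs exported from a browser cache index. The hosts, the sample URLs and the parameter names (`center`, `lat`, `lng`, and so on) are constructed assumptions; real services use their own parameter names, so the key lists should be extended per case.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A "lat,lon" decimal pair such as "38.8977,-77.0365". The look-arounds stop
# the pattern from matching inside longer numbers or dotted version strings.
PAIR = re.compile(r'(?<![\d.])(-?\d{1,2}\.\d+)\s*,\s*(-?\d{1,3}\.\d+)(?![\d.])')
# Assumed names for split latitude/longitude parameters (extend as needed).
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}

def _valid(lat, lon):
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0

def extract_coords(url):
    """Return [(source_param, lat, lon)] candidates found in one cached URL."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    hits = []
    # Case 1: one value holds "lat,lon" (parse_qsl has already decoded %2C).
    for key, value in params:
        m = PAIR.search(value)
        if m and _valid(float(m.group(1)), float(m.group(2))):
            hits.append((key, float(m.group(1)), float(m.group(2))))
    # Case 2: latitude and longitude arrive in separate parameters.
    lower = {k.lower(): v for k, v in params}
    lat = next((lower[k] for k in LAT_KEYS if k in lower), None)
    lon = next((lower[k] for k in LON_KEYS if k in lower), None)
    try:
        if lat is not None and lon is not None and _valid(float(lat), float(lon)):
            hits.append(("lat/lon", float(lat), float(lon)))
    except ValueError:
        pass  # parameter present but not numeric
    return hits

# Constructed sample of URLs as they might appear in a cache index export.
SAMPLE_CACHE_URLS = [
    "https://maps.example.com/tile?center=38.8977%2C-77.0365&zoom=15",
    "https://geo.example.net/lookup?lat=51.5007&lng=-0.1246&fmt=json",
    "https://cdn.example.org/img/logo.png?v=1.2,3.4.5",   # version string
    "https://ads.example.com/px?id=991&ts=1700000000",    # no coordinates
]

def mine(urls):
    """Pair every URL with each coordinate candidate found in it."""
    return [(u, c) for u in urls for c in extract_coords(u)]

if __name__ == "__main__":
    for url, (src, lat, lon) in mine(SAMPLE_CACHE_URLS):
        print(f"{lat:9.4f} {lon:10.4f}  [{src}]  {url}")
```

Hits are candidates only; correlate them with the cache entry's timestamps and the requesting page before treating a coordinate as the device's location.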