While doing some browser forensics research, I stumbled upon a Chrome extension named Collusion for Chrome. This extension provides a visual representation of the tracking information shared with third-party sites during web browsing. While the notion of browser tracking is hardly surprising these days, Collusion provides some of the most compelling evidence I have seen for the “Do Not Track” movement.
As an example, the image above shows my browser activity during a brief period. I selected a specific node corresponding to Wired.com and you can see the vast number of external connections a visit to Wired spawns. Information about the various contacted sites can be identified using the following key:
- Blue nodes: Sites previously visited by the user
- Gray nodes: Third party sites receiving browser data (never visited by user)
- Red nodes: Known aggregators of tracking information (the slash indicates the site was blocked by Collusion)
Collusion gathers the displayed information by triggering on any data shared with third party sites. It tracks a wide range of shared information including HTTP and third-party cookies, locally stored objects (flash cookies), IP address data, and web bugs. In isolation, it may not seem important that a site can use your IP address to identify where you are sitting or parse a cookie revealing you have visited a specific URL seven times. But keep in mind this is just a small piece of what is actually shared. Your browser user agent, time zone, browser plugins, and in some cases even pieces of your browser history are available to these third parties. Aggregate the geo-location data with preferences and surfing habits across multiple sites sharing with the same third party and you can create shockingly accurate user profiles. Collusion does a fantastic job of showing this happening in real-time.
What does this have to do with forensics?
The simple fact is that “Web 2.0” technologies and the dynamic nature of web sites greatly complicate browser forensics. A single visit to Wired.com spawns connections to over thirty different domains, populates the browser cache with 150 entries, and creates over 60 different cookies.
It is no wonder that it is so difficult for a forensic examiner to separate user actions from the noise created by all of these unintended visits. Luckily, browser history is still a reliable means of showing the sites actually visited by the user profile (if it hasn’t been cleared). Keep in mind that browser history is much more feature-rich in Chrome and Firefox, and you may see visits to third-party sites recorded and marked as “hidden” content.
Temporal analysis can also be very helpful. If you are reviewing your timeline and see a site visited followed by a barrage of cookies and visits to additional sites, including known ad trackers, there is a high likelihood they are all related. This is another reason why our timeline tools and plugins need to report the full timestamp granularity afforded by the artifact. A lot can happen in one second and differentiating which domain cached content first can allow us to form some conclusions as to which site was actually visited by the user.
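The two points above, filtering "hidden" third-party visits out of Chrome's history and clustering the remaining artifacts by full-granularity timestamp, can be demonstrated on a constructed copy of Chrome's History database. The following is an added example, not code from the original post or from the Collusion project. It assumes the shape of Chrome's History SQLite file (a `urls` table with a `hidden` flag and a `visits` table whose `transition` column carries the page-transition type in its low byte, with times stored as microseconds since the 1601 WebKit epoch) and uses a trimmed schema and sample rows built inline; the third-party hostnames are constructed placeholders, not real trackers.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's History database stores times as microseconds since 1601-01-01 UTC
# (the WebKit epoch), so the artifact carries sub-second granularity.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Chrome page-transition encoding: the low byte is the core type and the high
# bits are qualifier flags (values taken from Chrome's PageTransition enum).
TRANSITION_CORE_MASK = 0xFF
TRANSITION_TYPED = 1             # user typed the URL in the omnibox
TRANSITION_AUTO_SUBFRAME = 3     # content loaded in a frame the user did not request
QUALIFIER_CHAIN_START = 0x10000000
QUALIFIER_CHAIN_END = 0x20000000


def webkit_to_datetime(value):
    """Convert a WebKit microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime, using integer math to keep every microsecond."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history():
    """Create an in-memory database shaped like Chrome's History file.

    The schema is trimmed to the columns used below and every row is
    constructed sample data, not a real capture: one typed visit to Wired.com,
    two third-party frame loads it spawned a few hundred milliseconds later,
    and a second typed visit 90 seconds on.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, hidden INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    t0 = datetime(2012, 5, 1, 14, 30, 0, tzinfo=timezone.utc)
    typed = TRANSITION_TYPED | QUALIFIER_CHAIN_START | QUALIFIER_CHAIN_END
    subframe = TRANSITION_AUTO_SUBFRAME | QUALIFIER_CHAIN_START | QUALIFIER_CHAIN_END
    rows = [
        # (url_id, url, hidden, visit_id, offset from t0, from_visit, transition)
        (1, "http://www.wired.com/", 0, 1, timedelta(0), 0, typed),
        (2, "http://ads.example.net/pixel", 1, 2, timedelta(milliseconds=120), 1, subframe),
        (3, "http://tracker.example/beacon", 1, 3, timedelta(milliseconds=350), 1, subframe),
        (4, "http://news.example/", 0, 4, timedelta(seconds=90), 0, typed),
    ]
    for url_id, url, hidden, visit_id, offset, from_visit, transition in rows:
        stamp = datetime_to_webkit(t0 + offset)
        conn.execute("INSERT INTO urls VALUES (?,?,?,?,?,?)",
                     (url_id, url, "", 1, hidden, stamp))
        conn.execute("INSERT INTO visits VALUES (?,?,?,?,?)",
                     (visit_id, url_id, stamp, from_visit, transition))
    conn.commit()
    return conn


def _is_user_action(transition):
    return transition & TRANSITION_CORE_MASK != TRANSITION_AUTO_SUBFRAME


def user_visits(conn):
    """Return (url, datetime) for visits that plausibly reflect user action:
    the URL is not flagged hidden and the visit is not an automatic subframe load."""
    out = []
    for url, stamp, transition in conn.execute(
            "SELECT u.url, v.visit_time, v.transition FROM visits v "
            "JOIN urls u ON v.url = u.id WHERE u.hidden = 0 ORDER BY v.visit_time"):
        if _is_user_action(transition):
            out.append((url, webkit_to_datetime(stamp)))
    return out


def cluster_by_time(conn, window=timedelta(seconds=5)):
    """Attach every visit to the most recent user-initiated visit that precedes
    it within `window`, keeping microsecond order so the examiner can see which
    domain was contacted first. Returns {anchor_url: [(url, ms_after_anchor), ...]}."""
    clusters = {}
    anchor = None
    for url, stamp, transition in conn.execute(
            "SELECT u.url, v.visit_time, v.transition FROM visits v "
            "JOIN urls u ON v.url = u.id ORDER BY v.visit_time"):
        when = webkit_to_datetime(stamp)
        if anchor is None or _is_user_action(transition) or when - anchor[1] > window:
            anchor = (url, when)          # start a new cluster (a stray hit gets its own)
            clusters[url] = []
        else:
            ms_after = (when - anchor[1]) / timedelta(milliseconds=1)
            clusters[anchor[0]].append((url, ms_after))
    return clusters


if __name__ == "__main__":
    db = build_sample_history()
    for url, when in user_visits(db):
        print(f"user visit  {when.isoformat()}  {url}")
    for anchor_url, followers in cluster_by_time(db).items():
        print(anchor_url)
        for url, ms_after in followers:
            print(f"    +{ms_after:7.1f} ms  {url}")
```

Against a real History file the only change is opening the copied database instead of building one; the two hidden subframe hits land in the Wired.com cluster 120 ms and 350 ms after the typed visit, while the typed visit 90 seconds later starts a cluster of its own. If the timeline tool had truncated these stamps to whole seconds, the three rows of the first cluster would have collapsed onto one second and the ordering information would be gone.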