Review: Digital Forensic Analyses of Web Browser Records
Emily C. Lennert
Category: Digital
Keywords: web browser, internet, search, history, cache, cookies, downloads, data recovery, URL, Software Programs, Internet Providers
Article to be reviewed:
- Akbal, E.; Günes, F.; Akbal, A. Digital forensic analyses of web browser records. Journal of Software. 2016, 11 (7), 631-637.
Disclaimer: The opinions expressed in this review are an interpretation of the research presented in the article. These opinions are those of the summation author and do not necessarily represent the position of the University of Central Florida or of the authors of the original article. The names presented herein are not an endorsement of any company or product; this is a summary of the work conducted by Akbal et al.
Summary:
Whether for physical or cyber crimes, digital evidence can provide valuable information to investigators. Web browser information is a common form of digital evidence. Criminals may use web browsers for various purposes, such as to commit cyber crimes, communicate plans to commit a crime, or search for incriminating information while planning or attempting to cover up a crime. Digital forensic analysts may recover and analyze evidence including search history, caches, cookies, downloads, URLs visited, access time, and frequency of access. The information contained in this evidence can be a valuable tool for investigators. Therefore, it is vital to understand how different browsers store information and how a digital analyst may recover that information. The authors of this article reviewed the various ways in which several browsers store information and highlighted a number of tools that may be used to recover and analyze browser data.
Figure 1 within the study presents the usage share of the most common web browsers. Internet Explorer is the most used browser, at approximately 50%, followed by Google Chrome (31.4%), Firefox (12.2%), and various other browsers. All browsers store browser data under the profile of the user who is logged in on the computer, with the exception of computers running very old operating systems, i.e. Windows 95/98, as seen in Table 2 within the study. Table 2 outlines the file path for various browsers (Internet Explorer, Firefox, Safari, Opera, Google Chrome) under several different operating systems (OS). Understanding the file path for a particular browser on each OS allows an analyst to locate browser data. Browser data is stored in several formats, which vary by browser.
Web Browser       | Data Storage Format
Internet Explorer | .dat (binary)
Safari            | .plist (binary)
Firefox           | SQLite database (.sqlite)
Opera             | .dat (binary)
Google Chrome     | Preferences file
In addition to the various data formats, each browser formats time records differently. The time formats are outlined in Table 3 within the article. Experts must consider the time format used by the browser and convert the stored value to the actual time, in the correct time zone, before placing it on a timeline. Suspects may also delete browser data, which experts may be able to recover for use in an investigation. Browser data may be deleted in two ways: 1) when the application is re-launched, existing data is overwritten, and 2) the user deletes it manually, through the browser menu or index. When data is overwritten at re-launch, recovery is more difficult than when data is manually deleted. Analysts can also access deletion records; Table 4 in the article outlines the file paths for deletion records from the various browsers.
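The following Python script is an added worked example; it is not code from the reviewed article or from any of the tools named on this page. It illustrates two points made above: reading a browser's SQLite history store (Firefox, per the table) and converting each browser's native timestamp convention to UTC and then to the time zone of the suspect's machine. The epoch conventions used here (Chrome/WebKit: microseconds since 1601-01-01 UTC; Firefox PRTime: microseconds since 1970-01-01 UTC; Internet Explorer: Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC; Safari: seconds since 2001-01-01 UTC) are general knowledge of those formats and are not reproduced from the article's Table 3. The Firefox schema is reduced to the columns needed, the table rows are constructed sample data rather than real evidence, and the -5 hour offset is an assumed local zone.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Epoch origins of the browsers' native timestamp formats (general knowledge
# of the formats; assumed here, not taken from the reviewed article).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)   # Chrome/WebKit and IE FILETIME
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=UTC)   # Firefox PRTime (Unix epoch)
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=UTC)   # Safari / Cocoa absolute time


def chrome_to_utc(webkit_us):
    """Chrome: microseconds since 1601-01-01 UTC; 0 means 'never visited'."""
    if webkit_us == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=webkit_us)


def firefox_to_utc(prtime_us):
    """Firefox places.sqlite: microseconds since 1970-01-01 UTC."""
    return EPOCH_1970 + timedelta(microseconds=prtime_us)


def ie_filetime_to_utc(filetime):
    """Internet Explorer index.dat: FILETIME, 100 ns ticks since 1601-01-01 UTC.
    Sub-microsecond precision is dropped, which is harmless for a timeline."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def safari_to_utc(cocoa_seconds):
    """Safari History.plist: floating-point seconds since 2001-01-01 UTC."""
    return EPOCH_2001 + timedelta(seconds=cocoa_seconds)


def to_local(dt_utc, offset_hours):
    """Shift a UTC datetime into the suspect machine's zone (fixed offset
    supplied by the analyst, e.g. from the OS registry or system settings)."""
    return dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))


# --- Firefox history: a minimal replica of the places.sqlite tables ----------
FIREFOX_SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
"""

# Constructed sample rows (not real evidence). Timestamps are PRTime microseconds.
SAMPLE_PLACES = [
    (1, "https://example.org/", "Example Domain", 2, 1355526400000000),
    (2, "https://example.net/download/tool.zip", "tool.zip", 1, 1355530000000000),
]
SAMPLE_VISITS = [
    (1, 1, 1355522800000000, 1),  # visit_type 1 = followed link
    (2, 1, 1355526400000000, 2),  # visit_type 2 = typed URL
    (3, 2, 1355530000000000, 1),
]


def build_sample_places_db():
    """Create an in-memory stand-in for places.sqlite populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(FIREFOX_SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", SAMPLE_PLACES)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", SAMPLE_VISITS)
    conn.commit()
    return conn


def firefox_timeline(conn, offset_hours=0):
    """Join visits to their URLs and return (local ISO time, url, visit_type),
    ordered chronologically. Works unchanged against a copied places.sqlite."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    return [(to_local(firefox_to_utc(ts), offset_hours).isoformat(), url, vt)
            for ts, url, vt in rows]


if __name__ == "__main__":
    for row in firefox_timeline(build_sample_places_db(), offset_hours=-5):
        print(row)
    # The same instant (2012-12-14T23:06:40Z) in each browser's native encoding:
    print(chrome_to_utc(13000000000000000), firefox_to_utc(1355526400000000),
          ie_filetime_to_utc(130000000000000000), safari_to_utc(377219200.0))
```

Against a real case the analyst would open a forensic copy of places.sqlite with `sqlite3.connect("file:places.sqlite?mode=ro", uri=True)` rather than the constructed in-memory database; the query and the conversion are the same. The point of the four conversion functions is that the same raw-looking integer means very different things in different browsers, so the browser must be identified before any timestamp is interpreted.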
Various software programs exist to assist analysts in the recovery of web browser records. The authors highlighted six programs that can be used in web browser data recovery and analysis. One of these programs is used for analysis of mobile devices, and the remaining programs can be used to analyze multiple browsers, as seen in the table below.
- Internet Evidence Finder (IEF) is a program that runs on computers running Windows and Mac OS. IEF is used to analyze browser information from mobile devices, such as smart phones and tablets.
- WEFA is a free program that can be used to analyze a number of browsers within a live system or from an image, i.e. a copy, of a system. Cache, cookies, internet history, download history, session data, temporary internet files, time data, and deleted data can be recovered. Data can be searched and viewed in multiple ways. User behavior can be classified and analyzed through detailed analysis of index.dat files with this program.
- NetAnalysis is a licensed program that allows for analysis of browser data including cache, cookies, internet history, and deleted data. A reporting feature in NetAnalysis allows the analyst to gather evidence based on user behaviors, and analytical tools in the software assist in decoding data.
- Browser History Examiner is a licensed program used to extract and analyze browser history. Data such as downloads, cache, and visited URLs can be extracted through this program, and activity can be traced within a specific timeline. Data can be searched, images from the browser cache can be viewed in a thumbnail gallery, visited websites stored in the browser cache can be reconstructed and analyzed, and time data can be converted to match the time zone in which the data was produced.
- FTK is intended to analyze entire systems, visualizing browser history in detail. Deleted browser data can be recovered, and a built-in feature can generate analysis result reports.
- Encase is another tool intended to analyze entire systems. Browser history, cookies, cache, and deleted browser data can be recovered and analyzed through this program.
Program                              | Browsers supported
WEFA (free program)                  | Internet Explorer, Firefox, Safari, Opera, Chromium, Google Chrome, Google Chrome Canary, Comodo Dragon, CoolNovo, Swing
NetAnalysis (licensed program)       | Internet Explorer, Firefox, Safari, Opera, Google Chrome
Browser History Examiner (licensed)  | Internet Explorer, Firefox, Google Chrome, Edge
FTK                                  | Internet Explorer, Firefox, Google Chrome, Safari, Opera
Encase                               | Internet Explorer, Firefox, Google Chrome, Chromium, Opera, Safari
WEFA, NetAnalysis, and Browser History Examiner were developed specifically to analyze browser records. FTK and Encase are general file and system forensics suites, allowing for analysis of an entire system, of which browser records are one part. To collect evidence, digital analysts need to understand how browsers store data on different operating systems and how to recover that data. The programs described above are some of the tools available for the recovery and analysis of web browser data.
Relevance: Digital forensic analysis requires an understanding of many complex computer systems. Important evidence, such as a suspect's search or download history, can be gathered from web browser records. To conduct web browser analysis, it is vital that an analyst understand the differences in how browsers store data across a variety of operating systems. Analysts must also know the tools available for the recovery and analysis of web browser data, and the capabilities and limits of the programs that may be used for these purposes.
Potential Conclusions:
- Web browser data may be stored in a number of places on a computer, depending on the computer’s operating system and the browser being used.
- Each browser stores data differently, and analysts must be able to identify the browser used to find and recover data.
- Programs are available to assist analysts in the recovery and analysis of web browser data, and analysts must understand the capabilities of the programs to ensure that the desired data can be recovered and analyzed.