DF Module 6 Part 1

Uploaded by Mik Vlogs

Module 6

Browser, Email Forensics & Forensics Investigation Reporting

Browser forensics

Browsers have become an inherent part of our virtual life, and we all use them to surf
the internet in one way or another.
Browsers are not used only for surfing; they can also be used to navigate the file system
of the OS.
You may have noticed that, by default, browsers store data such as search queries, usernames,
passwords, form data, emails, credit card data and other sensitive information.
Browsers also hold downloaded media such as images, videos, executables, documents etc.
Bookmarks and browser history give an idea of the user's surfing habits and interests.
Because the browser stores so much sensitive information about the user and their surfing
habits, browsers play a very important role in forensics due to the nature and amount of data
they store.
Why browser forensics

With the help of browser forensics and the assistance of forensic tools, one can
extract sensitive data and chosen keywords from most web browsers.
One can retrieve deleted data and keywords, check whether the history was cleared, and retrieve
artifacts like cookies, download data, history, saved passwords, websites visited etc.
Browser forensics also helps a lot in understanding how an attack on a system was
conducted, helping to find the source of malware/adware/spyware, malicious
emails, phishing websites etc.
There are many web browsers available, like Chrome, Firefox, Safari, IE, Opera etc.,
depending on the platform being used. Here, let's see how to conduct forensics for the
Google Chrome browser.
Chrome

Google Chrome is one of the most popular of all the browsers available. It runs on all
platforms and has been developed by Google.
A few salient features offered by Chrome -
1) Can be integrated with all Google services
2) Password synchronization between various devices
3) Availability of plugins and extensions
4) Incognito mode support
Google Chrome artifacts: An artifact is a remnant or trace left behind on the computer which
helps to identify the source of malicious traffic and the attack conducted on the system. A few
examples include cache data, history, downloads etc.
Chrome stores these artifacts inside specific folders in the operating system. The file location
for every browser is different but the file format remains the same. The following are the common
artifacts stored by Chrome –
1) Navigation History – This reveals the navigation history of the user. It can be used to track
whether a user has visited any malicious URL or not.
2) Autocomplete Data – This reveals data that has been entered into various forms, search terms
etc. It is used together with Navigation History for more insight.
3) Bookmarks - Self Explanatory
4) Add-ons, Extensions and Plugins - Self Explanatory
5) Cache – Contains cached data from various websites, like images, JavaScript files etc.
6) Logins - Self Explanatory
7) Form Data - Self Explanatory
8) Favicons - Self Explanatory
9) Session Data - Self Explanatory
10) Thumbnails - Self Explanatory
11) Favorites - Self Explanatory
12) Sensitive data - Self Explanatory
Various artifacts and their location
The following are the locations of the various artifacts one can look at while doing a forensic
investigation on Chrome –
1) Profile Path – This contains the majority of the artifacts and profile data of the user.
Location –
C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default
C:\Users\USER_NAME\AppData\Local\Google\Chrome\UserData\Chrome\Default\Data
2) Downloads + Navigation History + Search History – Stored in SQLite database form
Location –
C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\History
C:\Users\USER_NAME\AppData\Local\Google\Chrome\UserData\Chrome\Default\Data\History
3) Cookies – Also stored in SQLite database form
Location –
4) Cache
Location –
C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Cache
C:\Users\USER_NAME\AppData\Local\Google\Chrome\UserData\Chrome\Default\Data\Cache
5) Bookmarks – Stored in JSON format
Location –
C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
C:\Users\USER_NAME\AppData\Local\Google\Chrome\UserData\Chrome\Default\Data\Bookmarks
6) Form History - Stored in SQLite database form
Location –
C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\USER_NAME\AppData\Local\Google\Chrome\UserData\Chrome\Default\Data\Web Data
7) Favicons - Stored in SQLite database form
Location –
C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Favicons
C:\Users\USER_NAME\AppData\Local\Google\Chrome\UserData\Chrome\Default\Data\Favicons
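The artifacts listed above are plain SQLite databases (History, Web Data, Favicons) and one JSON file (Bookmarks), so they can be read with standard libraries once the files have been copied off the evidence drive. The following Python script is an added example, not part of the original slides and not Chrome's own code: it builds a small constructed History database in memory using the names of Chrome's real `urls`, `visits` and `downloads` tables (a subset of their columns), a constructed Bookmarks JSON with the real `roots`/`children`/`type`/`url`/`date_added` keys, and converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to readable UTC times. The sample rows, URLs and paths are constructed.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 00:00:00 UTC ("WebKit time").
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_iso(value):
    """Convert a WebKit timestamp (int or numeric string) to an ISO-8601 UTC string."""
    return (WEBKIT_EPOCH + timedelta(microseconds=int(value))).isoformat()


def iso_to_webkit(iso):
    """Inverse of webkit_to_iso; used here only to build the constructed sample rows."""
    return (datetime.fromisoformat(iso) - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed in-memory stand-in for the History file (subset of Chrome's real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT,
                               start_time INTEGER, total_bytes INTEGER, tab_url TEXT);
    """)
    t0 = iso_to_webkit("2024-03-01T10:00:00+00:00")
    minute = 60 * 1_000_000
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 2, t0 + 5 * minute),
        (2, "http://malicious.example.net/payload", "Download", 1, t0 + 7 * minute),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?)",
                    [(1, 1, t0), (2, 1, t0 + 5 * minute), (3, 2, t0 + 7 * minute)])
    con.execute("INSERT INTO downloads VALUES (?,?,?,?,?)",
                (1, r"C:\Users\USER_NAME\Downloads\invoice.exe", t0 + 7 * minute,
                 204800, "http://malicious.example.net/payload"))
    con.commit()
    return con


def navigation_history(con):
    """Every visit joined to its URL, oldest first: (url, title, visit time in UTC)."""
    rows = con.execute("""SELECT u.url, u.title, v.visit_time FROM visits v
                          JOIN urls u ON u.id = v.url ORDER BY v.visit_time""").fetchall()
    return [(url, title, webkit_to_iso(ts)) for url, title, ts in rows]


def download_list(con):
    """Downloads with their start time and the page (tab_url) they were fetched from."""
    rows = con.execute("SELECT target_path, start_time, total_bytes, tab_url "
                       "FROM downloads ORDER BY start_time").fetchall()
    return [(path, webkit_to_iso(ts), size, src) for path, ts, size, src in rows]


# Constructed Bookmarks file; real ones use the same roots/children/type/url/date_added keys.
SAMPLE_BOOKMARKS = json.dumps({"roots": {
    "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
        {"type": "url", "name": "Example Domain", "url": "https://example.com/",
         "date_added": str(iso_to_webkit("2024-02-01T00:00:00+00:00"))},
        {"type": "folder", "name": "Work", "children": [
            {"type": "url", "name": "Intranet", "url": "https://intranet.example.org/",
             "date_added": str(iso_to_webkit("2024-02-15T08:30:00+00:00"))}]}]},
    "other": {"type": "folder", "name": "Other bookmarks", "children": []}}})


def walk_bookmarks(node, path=()):
    """Depth-first walk yielding (folder path, name, url, date added) for every url node."""
    if node.get("type") == "url":
        yield "/".join(path), node["name"], node["url"], webkit_to_iso(node["date_added"])
    for child in node.get("children", []):
        yield from walk_bookmarks(child, path + (node.get("name", ""),))


def bookmarks(raw_json):
    roots = json.loads(raw_json)["roots"]
    return [entry for root in roots.values() for entry in walk_bookmarks(root)]


if __name__ == "__main__":
    con = build_sample_history()
    for row in navigation_history(con) + download_list(con) + bookmarks(SAMPLE_BOOKMARKS):
        print(row)
```

To run this against a real profile, replace `build_sample_history()` with `sqlite3.connect()` on a copy of the History file and pass the contents of the Bookmarks file to `bookmarks()`. Chrome keeps the live files locked while it is running, so work on the copy taken from the forensic image rather than the originals.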
Tools
Now that we know the different artifacts and their locations, let's see which tools can be used
for performing browser forensics –
● DB Browser – For opening .sqlite files.
● Nirsoft – Web Browser Tools
● BrowsingHistoryView
● ESEDatabaseView
● Sysinternals Strings
● OS Forensics
Recovery methods to recover deleted browser history:

Through cookies
Cookies stored by the browser are another way to get to the web history of the
user. We are talking about tiny text files that get stored by the browser. Use
third-party software to open them and view the history.

The method below can be used to recover deleted cookies (through System Restore).
When the stored browser data is deleted, there is still a possibility that
a periodic system restore has happened recently and a restore point is available in the
operating system to go back to. This would mean that we can get the deleted files back, but
only dating back to the date and time at which the restore point was created. This is
specific to the Windows OS.

Go to the Start menu and type System Restore to get to the Recovery window under
Control Panel; you can restore the system back to a previous restore point using the
Open System Restore option. Once the restoration is done and the computer is restarted,
you should have access to all the deleted files, of course from before the date of the
restore point.
Access deleted browsing history with log files
By using this method, you can recover the history using the log files that are stored on the user's
computer; you could use this method if you are looking to recover a file that was deleted
a while back. This is done by getting access to the hidden index.dat file stored on the local
computer, which contains the web history of the user. You can also use third-party file recovery
software to get back the deleted data. You can look to recover the following information from this:

● The web history, including information on redirects and a count of how many times the user
has visited a particular website.
● Information on bookmarks created by the user.
● One can look for files in the default “Downloads” directory or any other directory to which the
downloads may have been moved. This can be tracked using the file names in the download list.
● Cookies, which give you web history as said before.
● Cache files, which once again store web history and relevant information temporarily, on the
user's local computer.
Through Google History

This is another alternative place where the user's web history is stored together with
timestamps. The user's web history is usually stored in the browser, but if the user has chosen to
log into multiple devices using his Google ID then his surfing pattern, web history and
searches are, by default, stored by Google in the “Activity” section.
If you want to look at the web history of the user, you can access it by going to
activity.google.com. This information is available even when the user deletes the web history
from his browser(s), but there is a catch. For the user's web history to be available at
activity.google.com, he must not have paused this logging by Google, which is on by default.
If at any time a Google user does not want his history to be logged at
activity.google.com, he has the option to pause it. The Google user can also
selectively delete the web history that is available in the Activity section. One more catch is
that you have to be signed in as the user to get access to this information from the
activity.google.com website.
Through DNS Cache

This method works only when the computer is on and connected to the internet, and is
by far the fastest method to restore the web history.

Open the Command Prompt, type in ipconfig /displaydns and then hit Enter.

This will give a wall of text which will take time to finish if there are many websites to
display.

You can scroll up and check the output once the display lists everything and stops.
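The `ipconfig /displaydns` output is easier to work with as a table than as the wall of text the slide describes. The Python script below is an added example, not from the slides: it parses a constructed excerpt written in the layout an English Windows system prints (labelled lines such as `Record Name . . . . . : host`, and `No records of type AAAA` for negatively cached lookups), and `dump_live_dns_cache()` runs the same parser over the real command on a live Windows host. The labels and spacing are assumed from that English layout; other locales print different labels, and the sample hosts and addresses are constructed.

```python
import re
import subprocess

# Constructed excerpt in the layout ipconfig /displaydns prints on an English Windows system.
SAMPLE_OUTPUT = """\
Windows IP Configuration

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 292
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 93.184.216.34


    cdn.example.net
    ----------------------------------------
    Record Name . . . . . : cdn.example.net
    Record Type . . . . . : 5
    Time To Live  . . . . : 120
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : edge.example-cdn.org


    localhost
    ----------------------------------------
    No records of type AAAA
"""

RECORD_TYPES = {1: "A", 5: "CNAME", 12: "PTR", 28: "AAAA", 33: "SRV"}
FIELD = re.compile(r"^\s*(.+?)[\s.]*:\s*(.*?)\s*$")   # "Label . . . : value"


def parse_displaydns(text):
    """Turn the wall of text into a list of dicts: name, type, ttl, data, negative."""
    entries, current, last_header = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            stripped = line.strip()
            if stripped.startswith("No records of type") and last_header:
                # Negative cache entry: the host was looked up but had no such record.
                entries.append({"name": last_header, "type": stripped.rsplit(" ", 1)[1],
                                "ttl": None, "data": None, "negative": True})
                current = None
            elif stripped and not stripped.startswith("-"):
                last_header = stripped              # the indented host-name heading
            continue
        key, value = m.group(1), m.group(2)
        if key == "Record Name":
            current = {"name": value, "type": None, "ttl": None, "data": None, "negative": False}
            entries.append(current)
        elif current is None:
            continue
        elif key == "Record Type":
            current["type"] = RECORD_TYPES.get(int(value), value)
        elif key == "Time To Live":
            current["ttl"] = int(value)
        elif key.endswith("Record"):                # "A (Host) Record", "CNAME Record", ...
            current["data"] = value
    return entries


def visited_hosts(entries):
    """Distinct host names with a positive answer, sorted: a quick list of what was resolved."""
    return sorted({e["name"] for e in entries if not e["negative"]})


def dump_live_dns_cache():
    """On a running Windows host, capture and parse the real cache (the slide's manual step)."""
    out = subprocess.run(["ipconfig", "/displaydns"], capture_output=True,
                         text=True, check=True).stdout
    return parse_displaydns(out)


if __name__ == "__main__":
    for entry in parse_displaydns(SAMPLE_OUTPUT):
        print(entry)
```

The resolver cache is volatile: it is lost on reboot and entries expire with their TTL, so capture it early, and treat a name in the cache as evidence that the host was resolved (by any process), not necessarily that a user browsed to it.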
Email Forensics

E-mails have become the primary means of communication.

Email forensics is the analysis of emails and the content within them to determine legitimacy,
source, date, time, the actual sender and the actual receiver, in a forensically sound manner.

The aim is to provide admissible digital evidence for use in civil or criminal courts.

Email Authentication Techniques

● SPF
● DKIM
● DMARC
Email Forensics: Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is a protocol designed to restrict who can use an
organization's domain as the source of an email message.

SPF blocks spammers and other attackers from sending email that appears to be from a
legitimate organization.

SMTP (Simple Mail Transfer Protocol) does not place any restrictions on the source
address of emails, so SPF defines a process for domain owners to identify which IP
addresses are authorized to send email for their domains.

How does Sender Policy Framework protect against spoofing and spam?

SPF defines a format for adding a record in the Domain Name System (DNS) that
indicates valid email servers.

Receiving email servers that get email from an email service under SPF must check
the TXT records when they perform a DNS lookup on the inbound email.

The SPF policy framework is an authentication scheme and a machine-readable
language. Each participating domain declares attributes that uniquely describe its
mail, including authorized senders. This description is represented in an SPF record,
which is published in DNS.

An SPF client program performs a query searching for the correct SPF record, in
order to determine whether a message comes from an authorized source.

There are seven possible query results, including:

pass, which means that the message meets the domain's definition for legitimate
messages;

fail, which means that a message does not meet that requirement; and further
stipulations for mail that doesn't fit either category, such as messages from domains
that do not publish SPF data.

SPF and other authentication-based measures are designed to redress a vulnerability
in SMTP, the main protocol used in sending email, which does not include an
authentication mechanism.
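To make the seven-result evaluation concrete, here is an added Python example (not part of the slides) that evaluates an SPF record for a connecting IP. DNS is replaced by a constructed dictionary of TXT records so it runs offline; the mechanisms `ip4`, `ip6`, `include` and `all` with the `+`, `-`, `~` and `?` qualifiers are implemented, the DNS-dependent `a`, `mx`, `ptr` and `exists` mechanisms are deliberately treated as non-matching, and the result names are the RFC 7208 ones (none, neutral, pass, fail, softfail, temperror, permerror), of which temperror only arises from real DNS failures. The domains and address ranges are constructed.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "nospf.example": ["site-verification=placeholder"],
    "twospf.example": ["v=spf1 -all", "v=spf1 +all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns):
    """Return the domain's SPF TXT record, None if absent, 'permerror' if more than one."""
    records = [r for r in dns.get(domain, []) if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return None
    return records[0] if len(records) == 1 else "permerror"


def check_host(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate SPF for the connecting IP and the sender's domain.

    Returns one of the seven RFC 7208 results: none, neutral, pass, fail,
    softfail, temperror, permerror (temperror only arises from real DNS failures).
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    if record == "permerror":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                 # modifiers such as redirect= / exp= are not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:                        # an IPv4 address never matches an ip6 network, and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed network in the record
        elif name == "include":
            inner = check_host(ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # including a domain without SPF is a permanent error
            if inner == "temperror":
                return "temperror"
            matched = inner == "pass"
        else:
            matched = False             # a, mx, ptr, exists need more DNS queries; unsupported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term was present


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8:1::5", "203.0.113.5"):
        print(ip, "->", check_host(ip, "example.com"))
```

For forensic work the same logic can be applied to the `Received-SPF` or `Authentication-Results` header a receiving server added, and re-run against the record the domain publishes today to see whether the result would differ.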
DomainKeys Identified Mail (DKIM) protocols

SPF is not the only email authentication strategy used against spammers.

DomainKeys Identified Mail (DKIM) and the Domain-based Message Authentication (DMARC)
protocols both work with SPF to enhance email security.

DKIM defines a protocol for cryptographically claiming responsibility for email messages sent
from a domain.

Cryptographic signatures are included in DKIM protocol headers, and refer to the MAIL FROM
field in the SMTP packet header. DKIM stops the unauthorized use of that field for email sent by
spammers.
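The added Python example below (not from the slides) shows the part of a DKIM check that can be done without network access: parsing the `DKIM-Signature` header's tag list (`d=` signing domain, `s=` selector, `h=` signed headers, `bh=` body hash, `b=` signature) and recomputing the `bh=` body hash with the "simple" body canonicalization of RFC 6376. The message is constructed, so its `bh=` is computed from the same body the message carries and its `b=` value is a placeholder; verifying `b=` requires fetching the selector's public key from DNS and an RSA implementation, which this example does not include.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature tag=value list (RFC 6376) into a dict; whitespace is insignificant."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body_simple(body):
    """'simple' body canonicalization: CRLF line ends, trailing empty lines removed, one final CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body)), as the signer computes it."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def split_message(raw):
    """Separate header fields (unfolded, lower-cased names) from the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    head = re.sub(r"\n[ \t]+", " ", head)          # unfold continuation lines
    headers = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def verify_body_hash(raw_message):
    """Receiver side: does the body we received still match the signer's bh= tag?

    True/False for rsa-sha256 with simple body canonicalization; None when the
    message uses an algorithm or canonicalization this example does not implement.
    """
    headers, body = split_message(raw_message)
    sig = parse_dkim_signature(headers.get("dkim-signature", ""))
    canon = sig.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    if "bh" not in sig or sig.get("a", "rsa-sha256") != "rsa-sha256" or body_canon != "simple":
        return None
    return body_hash(body) == sig["bh"]


# Constructed message: the signer's bh= is computed from the same body the message carries.
SAMPLE_BODY = "Quarterly invoice attached.\nPlease pay within 30 days.\n\n\n"
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=mail2024;\n"
    "  h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";\n"
    "  b=SIGNATURE-PLACEHOLDER\n"
    "From: billing@example.com\n"
    "To: recipient@example.org\n"
    "Subject: Invoice 1042\n"
    "\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    print("intact body matches bh=:", verify_body_hash(SAMPLE_MESSAGE))
    print("edited body matches bh=:", verify_body_hash(SAMPLE_MESSAGE.replace("30 days", "3 days")))
```

A `bh=` mismatch on its own already tells an investigator that the body was altered after signing (or that a mailing list rewrote it), which is often the most useful DKIM fact in an email investigation even before the signature itself is checked.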
Domain-based Message Authentication (DMARC) protocols

DMARC defines a mechanism that enables email-sending organizations to
define domain-level policies for email authentication and validation. This
mechanism uses both SPF and DKIM, which are the protocols that define how
DMARC policies are implemented.

To deploy DMARC, create a DNS record for the domain you want to use in the
FROM: address.

Multiple values can be put in the record, but include the following two:

● one that directs the receiving server to implement DMARC;
● one that tells the server what to do in case authentication fails.
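The two values the slide refers to are the `v=DMARC1` tag (marking the record as a DMARC record) and the `p=` policy tag (what the receiver should do on failure: none, quarantine or reject). The Python below is an added example, not part of the slides: it parses a constructed DMARC record and combines an SPF result and a DKIM result into a DMARC verdict, including the identifier-alignment rule (`aspf`/`adkim`, strict or relaxed) and the subdomain policy `sp=`. The `organizational_domain` function is a deliberate simplification (last two labels) where real DMARC uses the Public Suffix List, and the domains and report address are constructed.

```python
# Constructed DMARC record for the domain used in the From: address.
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; "
                "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Tag=value parser; returns None unless the two required tags (v=DMARC1, p=) are present."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def organizational_domain(domain):
    """Simplification: the last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine the SPF result (with the domain SPF was checked for) and the DKIM result
    (with the d= signing domain) into a DMARC verdict plus the requested disposition."""
    policy = parse_dmarc(record)
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:                       # DMARC passes if either aligned check passes
        return {"dmarc": "pass", "disposition": "none"}
    is_subdomain = organizational_domain(from_domain) != from_domain.lower().rstrip(".")
    disposition = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return {"dmarc": "fail", "disposition": disposition}


if __name__ == "__main__":
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "pass", "example.com", "fail", "other.net"))
    print(evaluate_dmarc(DMARC_RECORD, "example.com", "pass", "bounce.example.com", "fail", "other.net"))
    print(evaluate_dmarc(DMARC_RECORD, "news.example.com", "fail", "other.net", "fail", "other.net"))
```

The second call shows why alignment matters: SPF passes for `bounce.example.com`, but with `aspf=s` that is not the From: domain, so DMARC still fails and the `p=reject` disposition applies. When reading an `Authentication-Results` header during an investigation, check both the individual SPF/DKIM results and the domains they were evaluated for.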
