Lecture 11: Case study 1: Browser Forensics

Question 1

Source of evidence

Answer 1

– History
– Cookies
– Bookmarks
– Cache

Question 2

How to obtain all the database files?

Answer 2

file * | grep SQL

Question 3

Rebuild Web History of Google Chrome

Answer 3

• urls table: information on all URLs visited. There is one entry per URL.
• visits table: each visit made by the user

Question 4

Stappenplan

Answer 4

1. Examine the schema
2. Count the number of URLs that are in the urls
   table; SELECT COUNT (url) FROM urls;

Question 5

Substring LIKE

Answer 5

• Sub string is at the beginning: LIKE ‘[Sub string]%’
• Sub string is at the end: LIKE ‘%[Sub string]’
• Sub string is at the middle: LIKE ‘%[Sub string]%’

Question 6

Display web history

Answer 6

visit_time, url

Question 7

How to convert time to Unixepoch

Answer 7

SELECT (<Time>/1000000) ‐ 11644473600 AS time FROM <table></Time>

SELECT datetime(<Time>/1000000, únixepoch', 'utc'), ..........etc</Time>

Question 8

Google Chrome session cookies

Answer 8

Transient cookie: erased when the user closes the web browser

SELECT * FROM cookies
WHERE persistent =0;

Question 9

Where does Google Chrome store downloaded files

Answer 9

In the History database, in a table called downloads

Question 10

Rebuild Web History of Firefox

Answer 10

places.sqlite database: moz_places and moz_historyvisits
- moz_places table: information on URLs encountered
– moz_historyvisits table: each visit made by the user