Windows Artifacts - Browsers Flashcards
Windows Browser Artifacts
This lesson focuses on artifacts that can be gathered from internet browsers. These can be a goldmine of information for a digital forensic investigation: which websites were visited and when they were last visited, what the user did on those sites, which files were downloaded, search and form strings, autofill usernames and passwords, and much more. We will look at the three most popular web browsers on Windows: Microsoft Edge, Google Chrome, and Mozilla Firefox. The artifacts we will be looking at are cookies, favorites, downloaded files, URLs visited, searches, cached webpages, and cached images.
For this lesson on browser forensics we are going to use three main tools, approaching the task from a live-acquisition point of view, meaning that we are investigating a powered-on system that we have access to. We will be using:
KAPE
Browser History Viewer (choose the 100% free version)
Browser History Capturer
[Screenshot: Acquisition via KAPE 1]
We have already covered KAPE in DF3) Digital Evidence Collection, but for this lesson we are going to use its browser-based modules to collect information from a running system, retrieving data from Chrome, Edge, and Firefox. Feel free to download KAPE and follow along, analyzing your own system's browser files!
To start, load up KAPE and select the target directory and the output directory. We will be analyzing our host system's C drive, with the output destination set to /Desktop/KAPE Browser Forensics.
[Screenshot: Acquisition via KAPE 2]
Next, we need to select browser-based Targets, so we can collect the files we need to perform browser forensics. We’re going to enable the Targets for Chrome, Firefox, and Edge.
[Screenshot: Acquisition via KAPE 3]
That's it. We can now run KAPE by clicking "Execute!" in the bottom right corner. KAPE took 52 seconds to gather all the information we requested. Opening our defined output folder, we can see the files that were retrieved. Note that KAPE copies the browser database files even while the browser is running and holding them open, which is exactly the situation a live acquisition puts you in.
[Screenshot: Acquisition via KAPE 4]
We can find the interesting Google Chrome files under the following path: KAPE Browser Forensics\C\Users\JBeam\AppData\Local\Google\Chrome\User Data. Inside the Default profile folder, the files you will spend most time with are History (URLs visited, visit counts, searches, and the downloads table), Cookies, Login Data (saved credentials), Web Data (autofill) and Bookmarks; all but Bookmarks are SQLite databases. The Chromium-based Edge browser stores the same files in the same layout under AppData\Local\Microsoft\Edge\User Data.
[Screenshot: Acquisition via KAPE 5]
We can also find the Firefox files under the following path (please note we haven't used Firefox much on this PC, so there is limited data to display compared to Edge/Chrome): KAPE Browser Forensics\C\Users\JBeam\AppData\Roaming\Mozilla\Firefox\Profiles. Each profile folder holds its own set of SQLite databases, chiefly places.sqlite (history and bookmarks), cookies.sqlite, and formhistory.sqlite (search and form entries).
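As an added example (not code from the course, nor from KAPE or Browser History Viewer), the script below does by hand what the viewer does in its Website History tab: it opens the Chrome/Edge History file and the Firefox places.sqlite copied by KAPE, converts each browser's own timestamp format to UTC, and merges page visits and downloads into a single timeline. The table and column names are the real ones (urls, visits, downloads and downloads_url_chains for Chromium; moz_places and moz_historyvisits for Firefox); the two sample databases built by build_sample_evidence() are constructed here for demonstration and contain only the columns the queries use.

```python
"""Merge KAPE-acquired browser history into one UTC timeline.
Added example, not course/KAPE/BHV code. Real table and column names;
the sample databases (build_sample_evidence) are constructed test data."""
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/Edge epoch
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox PRTime epoch
MICRO = timedelta(microseconds=1)


def webkit_to_utc(us):
    """Chromium stores microseconds since 1601-01-01 UTC; 0 means 'unset'."""
    return WEBKIT_EPOCH + us * MICRO if us else None


def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // MICRO


def prtime_to_utc(us):
    """Firefox stores PRTime: microseconds since the Unix epoch, in UTC."""
    return UNIX_EPOCH + us * MICRO if us else None


def utc_to_prtime(dt):
    return (dt - UNIX_EPOCH) // MICRO


def _open_ro(path):
    # Read-only URI open: analysis must never modify the evidence copy.
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def chromium_visits(path, browser):
    """One row per page load: `visits` joined to `urls` (title, URL, visit_count)."""
    with closing(_open_ro(path)) as con:
        rows = con.execute("SELECT u.url, u.title, u.visit_count, v.visit_time "
                           "FROM visits v JOIN urls u ON v.url = u.id").fetchall()
    return [{"time": webkit_to_utc(t), "browser": browser, "url": url,
             "title": title, "visit_count": n} for url, title, n, t in rows]


def chromium_downloads(path, browser):
    """`downloads` plus the last hop of `downloads_url_chains` (the URL actually
    fetched after redirects), and tab_url, the page the user was on."""
    with closing(_open_ro(path)) as con:
        rows = con.execute(
            "SELECT d.target_path, d.start_time, d.tab_url, d.received_bytes, d.total_bytes, "
            "(SELECT c.url FROM downloads_url_chains c WHERE c.id = d.id "
            " ORDER BY c.chain_index DESC LIMIT 1) FROM downloads d").fetchall()
    return [{"time": webkit_to_utc(t), "browser": browser, "url": src,
             "title": f"DOWNLOAD {target} ({got}/{total} bytes) from tab {tab}",
             "visit_count": None} for target, t, tab, got, total, src in rows]


def firefox_visits(path):
    """places.sqlite: `moz_historyvisits` joined to `moz_places`."""
    with closing(_open_ro(path)) as con:
        rows = con.execute("SELECT p.url, p.title, p.visit_count, v.visit_date FROM "
                           "moz_historyvisits v JOIN moz_places p ON v.place_id = p.id").fetchall()
    return [{"time": prtime_to_utc(t), "browser": "Firefox", "url": url,
             "title": title, "visit_count": n} for url, title, n, t in rows]


def build_timeline(chromium=(), firefox=()):
    """chromium: (History path, browser name) pairs; firefox: places.sqlite paths."""
    events = []
    for path, name in chromium:
        events += chromium_visits(path, name) + chromium_downloads(path, name)
    for path in firefox:
        events += firefox_visits(path)
    return sorted(events, key=lambda e: e["time"] or UNIX_EPOCH)


def build_sample_evidence(directory=None):
    """Constructed sample databases (subset of the real schemas) for a dry run."""
    d = Path(directory or tempfile.mkdtemp())

    def t(h, m):  # constructed timestamps, all on 2020-06-08 UTC
        return datetime(2020, 6, 8, h, m, tzinfo=timezone.utc)

    with closing(sqlite3.connect(d / "History")) as con:
        con.executescript("""
            CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                              visit_count INTEGER, last_visit_time INTEGER);
            CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
            CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                                   received_bytes INTEGER, total_bytes INTEGER, tab_url TEXT);
            CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);""")
        con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
            (1, "https://www.google.com/search?q=linkedin+security+blue+team",
             "linkedin security blue team - Google Search", 1, utc_to_webkit(t(17, 40))),
            (2, "https://example.com/training", "Training portal", 3, utc_to_webkit(t(17, 42)))])
        con.executemany("INSERT INTO visits VALUES (?,?,?)",
                        [(1, 1, utc_to_webkit(t(17, 40))), (2, 2, utc_to_webkit(t(17, 42)))])
        con.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?)",
                    (1, r"C:\Users\JBeam\Downloads\setup.exe", utc_to_webkit(t(17, 45)),
                     4096, 4096, "https://example.com/training"))
        con.execute("INSERT INTO downloads_url_chains VALUES (1, 0, 'https://example.net/files/setup.exe')")
        con.commit()
    with closing(sqlite3.connect(d / "places.sqlite")) as con:
        con.executescript("""
            CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
            CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);""")
        con.execute("INSERT INTO moz_places VALUES (1, 'https://example.org/', 'Example', 1)")
        con.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)", (utc_to_prtime(t(17, 30)),))
        con.commit()
    return {"chrome": d / "History", "firefox": d / "places.sqlite"}


if __name__ == "__main__":
    p = build_sample_evidence()  # point these at the KAPE output paths on a real case
    for e in build_timeline(chromium=[(p["chrome"], "Chrome")], firefox=[p["firefox"]]):
        print(e["time"].isoformat(), e["browser"], e["visit_count"], e["url"], e["title"])
```

Two design points matter for evidence handling: the databases are opened with SQLite's ?mode=ro URI so the tool cannot write to the copies, and every time is normalised to an aware UTC datetime before sorting, so Chrome's 1601-based clock and Firefox's 1970-based clock line up on one axis. Edge (Chromium) is handled by passing its History file with the name "Edge".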
The best way to get a feel for browser forensics is to try it on your own system (or, if you don't run Windows as your host OS, create a Windows VM, spend a day browsing the web inside it, then repeat the steps above to analyze your own browsing activity). We highly suggest that students grab their own browser files via KAPE and take some time to explore what has been retrieved.
Browser History Viewer
There is another way to retrieve browser information, using two free tools developed by Foxton Forensics: Browser History Capturer (BHC) and Browser History Viewer (BHV). BHV can be run on its own, but if you run it on the system you are investigating it will fail to retrieve the Microsoft Edge files, even when run with elevated admin privileges. That is where Browser History Capturer comes in: it forcibly copies the files needed for browser forensics, and we then import that capture into BHV. Together these tools let us view a large amount of browsing history, when sites were accessed, visit counts, cached webpages, and cached images. If you want to follow along, download the tools and analyze your own system.
First, run Browser History Capturer to collect the files we need. Select the user profile you want to collect data for. The Browsers and Data tickboxes are all enabled by default, so they can be left as they are. The destination defaults to a new directory named "Capture" inside the BHC folder; it can be changed, but for this example we leave it as it is. Now click Capture.
[Screenshot: Browser History Viewer 2]
We can now see a folder named “Capture” in our BHC directory.
[Screenshot: Browser History Viewer 3]
Next we need to import this directory into Browser History Viewer. Open BHV and go to File > Load History. Select "Load history captured using the Browser History Capturer tool", navigate to the "Capture" directory we just created with BHC, then click Load.
[Screenshot: Browser History Viewer 4]
Now that the data is imported, let's go through the different panes of Browser History Viewer. We have split the window into three regions.
Pane 1 – This is where the imported information is displayed, across three tabs: Website History, Cached Images, and Cached Web Pages. On the default Website History tab we can see the date and time of each visit, the page title if available, the full URL, the visit count, and the browser used to access the resource.
Pane 2 – Website Visit Count, a chart of how many resources were accessed per month.
Pane 3 – Filter pane, allowing us to filter by keyword (such as a website name), by date range, or by web browser.
[Screenshot: Browser History Viewer 5]
Let’s filter on web resources that have been accessed via the Chrome browser by selecting Chrome from the dropdown list in Pane 3. In the below screenshot you can see it’s mainly us slaving away on the Blue Team Level 1 course! We can see when we visited certain webpages, how many times we’ve visited them, and that this activity occurred in the Chrome browser.
[Screenshot: Browser History Viewer 6]
Next, let's look at the Cached Images tab of Pane 1. The screenshot below shows the tab after we have clicked through several pages: it lists the URL of each cached image and renders the selected image in the area Pane 2 previously occupied. Many of these images come from adverts, but they can also confirm what a user actually looked at, since an image is only cached once the browser has fetched it.
[Screenshot: Browser History Viewer 7]
Finally, let's look at the third tab of Pane 1, Cached Web Pages. This tab lets us view the copies of web pages the browser saved to disk to speed up later loads. In the screenshot below we have selected a web request on 08/06/2020 at 17:40, a Google search for "linkedin security blue team". In the bottom pane we can see a rendering of what the user saw when performing that search. Before putting a time like this into a report, check how the tool presents it: whether the display is UTC or the system's local time, and whether the date is day/month or month/day, because the browsers themselves store timestamps as UTC counters (Chrome and Edge count microseconds from 1601, Firefox from 1970) and the viewer does the conversion for you.
If you haven't already, we highly suggest you practise analyzing your own system to view browsing history, cached images, and cached web pages using KAPE, Browser History Capturer, and Browser History Viewer. In the next lesson we have designed a mock scenario in which you take part in a digital forensics and incident response investigation, analyzing the browsing history of a user who has downloaded malware. Can you work out where it came from?