
Identifying "pop-ups" in browser history ?

(@philh)
Eminent Member
Joined: 17 years ago
Posts: 28
Topic starter  

In a recent case, the suspect is claiming that indecent material had arrived on his computer as a consequence of browser pop-up windows (over which he had no direct control).

Does anyone know of a conclusive method of determining whether browser URL records, within the recovered Internet history, are a result of normal browsing activity or of automated pop-ups ?

I've already got web-based searches using indecent terms, closely followed by browsing activity to suspicious web-sites, along with web-based e-mail access using a known e-mail address (although I still need to verify if this correlates with any suspicious browser activity). I'm also planning on double-checking the TypedURLs registry key (Internet Exploder was being used), for any record of manually entered web sites.

Phil H


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

TypedURLs as you indicated is where I'd start also. And then, if the downloads were really fresh, I'd start doing code analysis of web pages in the cache to see if they have popup functionality, and see what they are linking to. Depending on whether your agency is permitted to do online engagement, you could also use a VM to confirm the suspect's claimed functionality by revisiting pages in his history.


   
harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
 

Phil

Tony has answered with the main points, just to add there is no easy way to prove a negative like this if the code in the pages is not available. It is a slog through the history entry by entry and looking at the matching pages in the cache. You need to try and find evidence of interaction by the user like finding a page that is very simple and has no code where all that can have happened is a user followed a link. There is usually a number of opportunities where you can get this detail if you have enough history.

I was just reviewing a similar case recently where a user had looked at page 1, then 2, then 3 in a forum and the pages were quite long, requiring up to a dozen page scrolls. I questioned could we show he had looked at the whole of the page and we found he had saved just one picture on his desktop that had come from quite a way down in the page. The orientation of the picture in the page was such that it was rotated by 90 degrees and the one on his desktop was in the appropriate orientation. His pictures defaulted to Windows Picture Viewer; testing showed that when you rotate a picture it creates two temporary files. The two temp files were present so we had a really good example of user interaction.

Link files are another key to showing user interaction, particularly showing access to a picture more than once through careful analysis.

H


   
(@philh)
Eminent Member
Joined: 17 years ago
Posts: 28
Topic starter  

Thanks for the responses guys :) I was hoping (in vain really) that IE might do something sensible like store pop-ups as a different type of Internet history record, that could then be checked - ah well, it looks like I'll be going back through the recovered Internet history and checking TypedURLs then … presumably timeline is useful here also, e.g. if a web page is visited one second after the preceding web page, then this may indicate that the web page is a pop-up ?

I've only ever looked at basic HTML code I'm afraid - what code would be used on a web page to force a pop-up (just in case I can recover any cached web pages of interest) ?

Cheers,

Phil


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Some pop-ups show up through flash or other plug-in, which does not interact with the browser - that is, once the flash/other interpreter is launched, the browser no longer knows about what is going on. . .

but the interpreter may . . .


   
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

> I've only ever looked at basic HTML code I'm afraid - what code would be used on a web page to force a pop-up (just in case I can recover any cached web pages of interest) ?

You will want to look for scripting languages. I know JavaScript best, but there is also VBScript, Java, etc. In JavaScript, you'll want to look for a window.open(args) method, where args will contain the decoration of the new window and more importantly the URL. With a quick bit of research, you could find the equivalent VBScript method.

You would then have to correlate that URL to the supposed pop-ups.

Hope this helps even a little.


   
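A sketch of the correlation discussed in the posts above (searching cached pages for window.open and comparing visit times), added here as an example and not written by any poster. The function names, labels, 2-second threshold and sample data are assumptions; it only sees literal URLs in script, so plug-in or dynamically built pop-ups leave no match.

```python
import re
from datetime import datetime
from urllib.parse import urljoin

# Literal first argument of window.open("url", ...); script-built URLs are not caught.
WINDOW_OPEN = re.compile(r"""window\.open\s*\(\s*(["'])(.+?)\1""", re.IGNORECASE)

def popup_targets(page_url, html):
    """Absolute URLs that a cached page passes to window.open()."""
    return {urljoin(page_url, m.group(2)) for m in WINDOW_OPEN.finditer(html)}

def classify_history(history, cache, max_gap=2.0):
    """history: [(datetime, url)]; cache: {url: recovered page source}.
    Labels each visit by whether a cached page opens it and how soon after."""
    targets = {src: popup_targets(src, html) for src, html in cache.items()}
    results = {}
    for ts, url in history:
        openers = {src for src, urls in targets.items() if url in urls}
        if not openers:
            results[url] = "no-popup-code-in-cache"   # not proof of user action
            continue
        recent = any(p_url in openers and 0 <= (ts - p_ts).total_seconds() <= max_gap
                     for p_ts, p_url in history)
        results[url] = "popup-consistent" if recent else "script-referenced"
    return results

# Constructed sample data (example.test hosts, invented timestamps).
CACHE = {
    "http://forum.example.test/index.html":
        "<body onload=\"window.open('http://ads.example.test/promo.html',"
        "'_blank','width=400,height=300')\">"
        "<a href='#' onclick='window.open(\"gallery/pic.html\")'>pic</a></body>",
    "http://forum.example.test/thread2.html": "<html><a href='p3.html'>next</a></html>",
}
HISTORY = [
    (datetime(2009, 3, 2, 10, 0, 0), "http://forum.example.test/index.html"),
    (datetime(2009, 3, 2, 10, 0, 1), "http://ads.example.test/promo.html"),
    (datetime(2009, 3, 2, 10, 3, 20), "http://forum.example.test/thread2.html"),
    (datetime(2009, 3, 2, 10, 5, 0), "http://forum.example.test/gallery/pic.html"),
]

if __name__ == "__main__":
    for url, label in classify_history(HISTORY, CACHE).items():
        print(f"{label:24} {url}")
```
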
(@philh)
Eminent Member
Joined: 17 years ago
Posts: 28
Topic starter  

> You will want to look for scripting languages. I know javascript best, but there is also vbscript, java, etc. In Javascript, you'll want to look for a window.open(args) method, where args will contain the decoration of the new window and more importantly the URL. With a quick bit of research, you could find the equivalent vbscript method.
>
> You would then have to correlate that URL to the supposed pop-ups.
>
> Hope this helps even a little.

Thanks, that gives me something to look out for - assuming I can recover any cached web pages of interest :)


   
(@chrishargreaves)
Active Member
Joined: 19 years ago
Posts: 5
 

I've got a pdf that may help. It's not on the web yet but I can e-mail it to you.

Chris


   
jekyll
(@jekyll)
Trusted Member
Joined: 17 years ago
Posts: 60
 

Just be careful with making statements regarding the TypedURLs registry key. Just because it is called TypedURLs doesn't mean the values contained in the key are necessarily the result of a user typing a URL in the address bar. In my testing, some time ago now so I can't remember all the specifics, I've seen this field updated dynamically. It is, after all, just a registry key and there aren't any hard and fast rules.

Who doesn't block pop-ups these days? Most browsers have a setting to block popups which is on by default, and/or toolbars that block popups. This is probably your best bet in showing that, at the time of acquisition, the browser was set to block them, maybe even on multiple levels if toolbars were also doing it.

Also, the way I would tackle it is to show examples of re-directs / pop-ups from within the same cache using CacheBack or NetAnalysis (or even do a keyword search to find the URLs from within other scripts) and to state, if this is the case, that the pages of note are not consistent with a pop-up.


   
(@hujarl)
Active Member
Joined: 15 years ago
Posts: 17
 

I agree with Paul; check on the pop-up settings during the time in question to counter this response.

Another piece to take a look at is the flash "cookies". Many of the indecent materials sites use this feature heavily for streaming/storing/etc on the local machine.

Hope that helps!

EDIT - Looks like Jhup already covered the flash piece, my bad.


   