Jamie McQuaid, our Forensics Consultant, recently hosted a webinar: Investigating the Most Popular Browsers You’ve Never Heard of. This session touched on some of the browsers that examiners and investigators need to know about for their investigations – outside the big few like Chrome, Internet Explorer, and Safari.
The full webinar is archived here if you want to listen in.
The webinar was popular and the in-depth look meant that there was only a little time for questions. Below Jamie looks to answer some of the more popular questions we received around incognito mode, data syncing and the Browser Activity Artifact in Magnet AXIOM.
Q1. How do examiners handle cases when the user was using private browsing mode or incognito mode? How often are these encountered? Should they be examined/handled different than normal browsing activity?A1. It might not be apparent from the onset that a user is using private browsing mode or deleting their browsing history. Some investigations will reveal no browsing history whatsoever, while other times you may encounter only partial results. It’s important to make use of the obvious records but not ignore the possibility that there may be more data if you dig a bit deeper.
When examining private browsing modes, the data may vary depending on the browser being used. For Internet Explorer, private browsing simply deletes the history after it’s been cleared so there is a possibility that this data can be recovered if your tool can carve deleted browsing history (IEF and AXIOM do this for you).
Other browsers such as Chrome and Firefox, don’t actually write anything to disk when using incognito or private browsing mode so there is nothing to carve. For these browsers, it is essential that you capture any RAM if the system is live since your only sources for this evidence will be memory and/or the pagefile. The TOR browser works the same way as it is simply a separate installation of Firefox with private browsing turned on by default.
Q2. If a user has enabled sync capabilities in their browser, how do I know which device was actually used to browse the data and which one is simply sync’ing the data from another device?
A2. This can vary depending on the browser being used. It’s really important for examiners to understand that just because there are URLs found in the browser history, it doesn’t necessarily mean that it was browsed to in that particular browser.
For Chrome, the SyncData.sqlite database will contain details about the account. The history database will contain the main browsing history along with the “visit_source” table which contains the source from which that data came. This can be very valuable and the source values for Chrome can be found here.
For Firefox, the design is similar. The places.sqlite database contains a table called moz_historyvisits which contains a column called “visit_type” the values listed here will help examiners identify the source of the URL being examined. For a listing of the visit types in Firefox, see here here.
Q3. Often I will get browsing results in IEF/AXIOM that don’t contain any timestamps, what do these mean and are there timestamps available?
A3. Both IEF and AXIOM have several browser-related artifacts, some are tied to a particular browser, while others may just group or categorize URLs that are found in the evidence. Most of the time you’ll see a timestamp affiliated to a given browser artifact, such as the Last Visit Date/Time for Chrome Web History.
Sometimes we’re able to carve out deleted or partially deleted records that may be incomplete. These records may or may not have timestamps and it will depend whether we were able to get all the data (some data might have been overwritten, other data might come from multiple sources or tables).
The Browser Activity artifact is another one that will not have a timestamp associated to it. This artifact is for any URLs we find on the system, but cannot attribute to a given browser or app. This might be a random URL found in unallocated space or elsewhere. Finding these URLs can be useful but you may not be able to attribute any additional detail from it other than it was found on the system.
If you have more questions about investigating “off the beaten path” browsers, please reach out to Jamie at jamie.mcquaid@magnetforensics.com.
