Investigating The Most Popular Browsers You’ve Never Heard Of – Webinar Q&A

Jamie McQuaid, our Forensics Consultant, recently hosted a webinar: Investigating the Most Popular Browsers You’ve Never Heard of. This session touched on some of the browsers that examiners and investigators need to know about for their investigations – outside the big few like Chrome, Internet Explorer, and Safari.

The full webinar is archived here if you want to listen in.

The webinar was popular and the in-depth look meant that there was only a little time for questions. Below Jamie looks to answer some of the more popular questions we received around incognito mode, data syncing and the Browser Activity Artifact in Magnet AXIOM.

Q1. How do examiners handle cases when the user was using private browsing mode or incognito mode? How often are these encountered? Should they be examined/handled differently than normal browsing activity?

A1. It might not be apparent from the outset that a user is using private browsing mode or deleting their browsing history. Some investigations will reveal no browsing history whatsoever, while other times you may encounter only partial results. It’s important to make use of the obvious records but not ignore the possibility that there may be more data if you dig a bit deeper.

When examining private browsing modes, the data may vary depending on the browser being used. For Internet Explorer, private browsing simply deletes the history after it’s been cleared so there is a possibility that this data can be recovered if your tool can carve deleted browsing history (IEF and AXIOM do this for you).



Other browsers, such as Chrome and Firefox, don’t actually write anything to disk when using incognito or private browsing mode, so there is nothing to carve. For these browsers, it is essential that you capture any RAM if the system is live, since your only sources for this evidence will be memory and/or the pagefile. The Tor Browser works the same way, as it is simply a separate installation of Firefox with private browsing turned on by default.

Q2. If a user has enabled sync capabilities in their browser, how do I know which device was actually used to browse the data and which one is simply sync’ing the data from another device?

A2. This can vary depending on the browser being used. It’s really important for examiners to understand that just because there are URLs found in the browser history, it doesn’t necessarily mean that it was browsed to in that particular browser.

For Chrome, the SyncData.sqlite database will contain details about the account. The history database will contain the main browsing history along with the “visit_source” table which contains the source from which that data came. This can be very valuable and the source values for Chrome can be found here.

For Firefox, the design is similar. The places.sqlite database contains a table called moz_historyvisits, which contains a column called “visit_type”. The values listed here will help examiners identify the source of the URL being examined. For a listing of the visit types in Firefox, see here.

Q3. Often I will get browsing results in IEF/AXIOM that don’t contain any timestamps, what do these mean and are there timestamps available?

A3. Both IEF and AXIOM have several browser-related artifacts: some are tied to a particular browser, while others may just group or categorize URLs that are found in the evidence. Most of the time you’ll see a timestamp associated with a given browser artifact, such as the Last Visit Date/Time for Chrome Web History.

Sometimes we’re able to carve out deleted or partially deleted records that may be incomplete. These records may or may not have timestamps, depending on whether we were able to get all the data (some data might have been overwritten, other data might come from multiple sources or tables).

The Browser Activity artifact is another one that will not have a timestamp associated with it. This artifact is for any URLs we find on the system but cannot attribute to a given browser or app. This might be a random URL found in unallocated space or elsewhere. Finding these URLs can be useful, but you may not be able to draw any additional detail from them other than that they were found on the system.

If you have more questions about investigating “off the beaten path” browsers, please reach out to Jamie at jamie.mcquaid@magnetforensics.com.
