Investigating The Most Popular Browsers You’ve Never Heard Of – Webinar Q&A

Jamie McQuaid, our Forensics Consultant, recently hosted a webinar: Investigating the Most Popular Browsers You’ve Never Heard of. This session touched on some of the browsers that examiners and investigators need to know about for their investigations – outside the big few like Chrome, Internet Explorer, and Safari.

The full webinar is archived here if you want to listen in.

The webinar was popular and the in-depth look meant that there was only a little time for questions. Below Jamie looks to answer some of the more popular questions we received around incognito mode, data syncing and the Browser Activity Artifact in Magnet AXIOM.

Q1. How do examiners handle cases when the user was using private browsing mode or incognito mode? How often are these encountered? Should they be examined/handled differently than normal browsing activity?

A1. It might not be apparent from the outset that a user is using private browsing mode or deleting their browsing history. Some investigations will reveal no browsing history whatsoever, while other times you may encounter only partial results. It’s important to make use of the obvious records but not ignore the possibility that there may be more data if you dig a bit deeper.

When examining private browsing modes, the data may vary depending on the browser being used. For Internet Explorer, private browsing simply deletes the history after it’s been cleared so there is a possibility that this data can be recovered if your tool can carve deleted browsing history (IEF and AXIOM do this for you).



Other browsers, such as Chrome and Firefox, don’t actually write anything to disk when using incognito or private browsing mode, so there is nothing to carve. For these browsers, it is essential that you capture RAM if the system is live, since your only sources for this evidence will be memory and/or the pagefile. The Tor Browser works the same way, as it is simply a separate installation of Firefox with private browsing turned on by default.

Q2. If a user has enabled sync capabilities in their browser, how do I know which device was actually used to browse the data and which one is simply sync’ing the data from another device?

A2. This can vary depending on the browser being used. It’s really important for examiners to understand that just because there are URLs found in the browser history, it doesn’t necessarily mean that it was browsed to in that particular browser.

For Chrome, the SyncData.sqlite database will contain details about the account. The history database will contain the main browsing history along with the “visit_source” table which contains the source from which that data came. This can be very valuable and the source values for Chrome can be found here.

For Firefox, the design is similar. The places.sqlite database contains a table called moz_historyvisits, which contains a column called “visit_type”. The values in this column will help examiners identify the source of the URL being examined. For a listing of the visit types in Firefox, see here.

Q3. Often I will get browsing results in IEF/AXIOM that don’t contain any timestamps, what do these mean and are there timestamps available?

A3. Both IEF and AXIOM have several browser-related artifacts. Some are tied to a particular browser, while others may just group or categorize URLs that are found in the evidence. Most of the time you’ll see a timestamp associated with a given browser artifact, such as the Last Visit Date/Time for Chrome Web History.

Sometimes we’re able to carve out deleted or partially deleted records that may be incomplete. These records may or may not have timestamps, depending on whether we were able to get all the data (some data might have been overwritten, other data might come from multiple sources or tables).

The Browser Activity artifact is another one that will not have a timestamp associated with it. This artifact is for any URLs we find on the system but cannot attribute to a given browser or app. This might be a random URL found in unallocated space or elsewhere. Finding these URLs can be useful, but you may not be able to attribute any additional detail from it other than it was found on the system.

If you have more questions about investigating “off the beaten path” browsers, please reach out to Jamie at [email protected]
