Digital Forensics

Baddam

Chapter 11

Web Forensics


Purpose of Investigation

Theft of intellectual property

Misuse of company resources

Stalking

Possession or distribution of contraband

Internet Addressing

A Uniform Resource Locator (URL) points to a specific object that is available on the Internet

Scheme identifies protocol used to access the resource (http, https, ftp, etc.)

Domain name points to the specific network

The suffix (.com, .edu, etc.) is the top-level domain

All together, they make the fully qualified domain name

Browsers

Use markup language to render web pages

Hyperlinks redirect user to specific resources

Content can be either web pages or files that are the targets of hyperlinks

Function of Browsers

An address bar (manual entry of a URL)

Forward and Back buttons

Bookmarking capabilities

Intrapage search capabilities

Configuration utilities

Artifacts of Browsing

Internet history

Cookies

Temporary Internet files

Registry entries

Deleting Temporary Files

Browser settings can be adjusted to automatically delete files upon closing the browser

Temporary files can be recovered the same as any other deleted file

Cookies may or may not be included, depending on the browser and its configuration

Internet history files and cache files are not the same

Browser History

A database of recently visited sites

Cache files are stored separately

Each operating system/browser combination has a different default location for history and cache files

Some utilities that analyze Internet usage can automatically detect browser settings

Analyzing User Activity

Cookies generally identify the website that set them

History records form a database that shows user activity (and may be purged periodically)

Temporary Internet files can be recovered by file recovery utilities even if automatically deleted

History Files

URL

File Name: as it exists on the local system

Record Type: browsed or redirected

Access Time: time the file was last accessed

Modified Time: time the file was last changed

Directory Name: local directory in which the file is stored

HTTP Headers: as originally received

Finding “Stuff” is Not Enough

The defendant had knowledge of possession of the contraband

The defendant took specific actions to obtain the contraband

The defendant had control over the contraband

If deleted, the defendant took active measures to destroy the actual materials

There was a sufficient quantity of contraband to justify prosecution

Knowledge of Possession

“Present Possession” concept: The user must know that it is there

Redirected sites will store temporary files and images without notifying the user

Any attempt to manipulate or manually delete the file suggests knowledge of possession

But what user was logged on when these actions took place?

Establishing User Actions

Repeated searches suggest intent

Innocent searches can bring up unexpected content

Popups are not under the control of the user

A meta-refresh will automatically redirect the user without any action on their part

The TypedURLs registry entry records URLs typed by hand into the address bar, which proves that the website was accessed intentionally
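The history record fields above (URL, access time, record type browsed or redirected) and the typed-versus-redirected distinction on this slide can be pulled straight out of a Chromium-style History database. The following is an added example, not part of the lecture slides: it decodes the visits table's WebKit timestamps and transition flags so each visit is labelled as typed, followed, or redirected (server- or client-side). The sample database is constructed in memory with a subset of the real schema; point load_visits at sqlite3.connect("History") to run it on a real file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium page-transition encoding: low byte is the core type, high bits are qualifiers.
CORE_TYPES = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
              4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
              7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
CLIENT_REDIRECT = 0x40000000   # e.g. JavaScript or meta-refresh, not a user action
SERVER_REDIRECT = 0x80000000   # HTTP 3xx, not a user action
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Chromium stores visit_time as microseconds since 1601-01-01 00:00:00 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def decode_transition(transition):
    """Return (core type name, 'browsed' or 'redirected (...)') for a visits.transition value."""
    core = CORE_TYPES.get(transition & 0xFF, "UNKNOWN")
    if transition & SERVER_REDIRECT:
        return core, "redirected (server)"
    if transition & CLIENT_REDIRECT:
        return core, "redirected (client)"
    return core, "browsed"

def load_visits(conn):
    """Join visits to urls and label each record; 'intentional' marks URLs typed by the user."""
    rows = conn.execute("SELECT v.id, u.url, v.visit_time, v.from_visit, v.transition "
                        "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    result = []
    for vid, url, ts, from_visit, transition in rows:
        core, kind = decode_transition(transition)
        result.append({"id": vid, "url": url, "time": webkit_to_utc(ts).isoformat(),
                       "core": core, "kind": kind, "from_visit": from_visit,
                       "intentional": core == "TYPED"})
    return result

def sample_db():
    """Constructed in-memory stand-in for a Chromium History file (schema subset, fake data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                        typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
      CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                          from_visit INTEGER, transition INTEGER);""")
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "http://example.com/", "Example", 1, 1, 13300000000000000, 0),
        (2, "http://example.com/landing", "Landing", 1, 0, 13300000005000000, 0)])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, 13300000000000000, 0, 0x30000001),          # TYPED, chain start|end
        (2, 2, 13300000005000000, 1, SERVER_REDIRECT | 0)])  # LINK core, server redirect from visit 1
    return conn
```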

Establishing Control of Material

The Trojan Horse defense (the Devil made me do it)

A malware analysis can prove or disprove this claim

But rootkits can foil the malware analysis

Accessing a file a significant time after the original create date suggests control

Manually deleting or editing a file suggests control

Determining Active Measures

Intentional deletion

Modification dates later than the create date

Moving a file from one location to another

Renaming a file

Determining Sufficient Quantity

That’s not your job – leave it to the legal team

Your job is only to ascertain the quantity

Tools for Browser Analysis

Virtually all commercial forensic suites

Pasco

Web Historian

Galleta

NetAnalysis

Investigating Web Servers

Server log files

Access logs

Error logs

Proxy Servers