Saturday, August 23, 2008

Browser Artifact Analysis

There are a number of times when an analyst needs to know something about a user's web browsing activity in order to determine what was happening on a system: was the user in violation of acceptable use policies, did the user visit a site that ended up getting the system infected, etc.? Browsing is often how a system gets infected in the first place.

There are two excellent articles from Jones and Belani (published on SecurityFocus here and here) that, while a little more than three years old, are excellent sources of information and a great way to begin understanding what is available via browser forensics and how to go about collecting it.

One of the things I tend to do when setting up an examination is to open the image in a ProDiscover project and populate the Internet History Viewer. With PDIR v5.0 this is smoother than with previous versions, and it gives me a quick overview of the browser activity on the system. However, you don't need commercial tools to do this kind of analysis; there are tools out there that you can use either against live systems or by mounting an image as a read-only file system.

At this point, what you look for is totally up to you. Many times when performing analysis, I have a timeframe in mind, based on information I received from the customer about the date and time of the incident. Other times, I may start with Registry analysis and have some key LastWrite times to work with. In several examinations, I had user profile creation dates, so I used those as my search criterion: locate anything useful that occurred prior to the profile creation date (which, by the way, I correlated with data extracted from the SAM file using RegRipper!!).

Don't forget this little tidbit about web history located under the Default User profile from Rob "van" Hensing's blog. I used to see this in the SQL injection exams, where the intruder would dump wget.exe on a system and then use it to pull down his other tools. Wget.exe would use the WinInet APIs to do its work, which would end up recorded as "browser history", and because the intruder was running with System-level privileges, the history would end up under the Default User account. More recently, I've seen write-ups for malware that use a "hidden" IE window; running at System privileges, it will leave these same artifacts.
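The two points above (filtering browser history against a profile creation date and Registry LastWrite times, and treating history under the Default User profile as a sign of System-context WinInet use) can be combined into a small timeline correlation step. The following is an added example, not code from the original post or from any of the tools listed below; the history records, Registry key and profile creation date in it are constructed sample data, and the field layout (user, timestamp, URL) is an assumption about what a history parser would hand you.

```python
"""Correlate browser history with Registry LastWrite times and a profile
creation date, and flag Default User history entries.

Added example with constructed input; not from the original post."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime      # UTC timestamp
    source: str       # "browser", "registry" or "profile"
    user: str         # profile the artifact was found under ("-" for Registry)
    detail: str       # URL, key path or note


def parse_ts(s):
    """ISO 8601 'YYYY-MM-DDTHH:MM:SSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample data (assumed parser output, not a real case).
PROFILE_CREATED = {"jdoe": "2008-08-20T14:05:00Z"}          # from SAM / profile dir
HISTORY = [                                                  # (user, timestamp, url)
    ("jdoe", "2008-08-20T14:30:00Z", "http://intranet.example/home"),
    ("Default User", "2008-08-20T13:52:10Z", "http://198.51.100.7/update.exe"),
    ("Default User", "2008-08-20T13:53:40Z", "http://198.51.100.7/svc.exe"),
]
REGISTRY = [                                                 # (key, LastWrite)
    ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\svcx", "2008-08-20T13:55:00Z"),
]


def build_timeline(history=HISTORY, registry=REGISTRY, profiles=PROFILE_CREATED):
    """Merge all three artifact sources into one chronologically sorted list."""
    events = [Event(parse_ts(ts), "browser", user, url) for user, ts, url in history]
    events += [Event(parse_ts(ts), "registry", "-", key) for key, ts in registry]
    events += [Event(parse_ts(ts), "profile", user, "profile created")
               for user, ts in profiles.items()]
    return sorted(events)


def default_user_history(events):
    """History recorded under Default User: WinInet activity from a
    System-context process (e.g. wget.exe or a hidden IE window), not a logon."""
    return [e for e in events
            if e.source == "browser" and e.user.lower() == "default user"]


def before_profile_creation(events, user, profiles=PROFILE_CREATED):
    """Everything that happened before the named user's profile was created."""
    cutoff = parse_ts(profiles[user])
    return [e for e in events if e.ts < cutoff]


if __name__ == "__main__":
    timeline = build_timeline()
    for e in timeline:
        print(e.ts.isoformat(), e.source.ljust(8), e.user.ljust(12), e.detail)
    print("Default User history entries:", len(default_user_history(timeline)))
    print("Events before jdoe's profile:", len(before_profile_creation(timeline, "jdoe")))
```

In the constructed data the two Default User entries and the service key's LastWrite all land a few minutes before the jdoe profile was created, which is exactly the ordering the post describes: System-context downloads, a persistence key, then the first interactive logon.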

Tools and Resources:
Mork file format
mork.pl - Perl script for parsing the Mork file format
NirSoft.net browser tools
Mandiant WebHistorian
FoxAnalysis - FireFox 3 browser artifact analysis
CacheBack 2.0 - Internet browser cache and history analysis (commercial)
FireFox Forensics (F3) - Forensic artifact analysis tool for FireFox
Historian - Converts browser history files to .csv...also does LNK and INFO2 files
OperaCacheView - Thanks for the link, Claus!

6 comments:

Anonymous said...

Hi Harlan!

Great post. It's been a while since I read those particular Security Focus articles, but they still stand the test of time!

Nice list of tools as well!

Cheers!

Anonymous said...

Hi,

nice post.
I would also add NetAnalysis to the list of tools you mention, although being commercial.

Nathaniel Richmond said...

Harlan, your post is timely.

I was reading the Security Focus articles earlier in the week because I am interested in examining what is left behind by common webmail clients like SquirrelMail, Horde IMP, and Outlook Web Access.

Are any of the tools listed in your post useful for actually reassembling web pages? I'd like to investigate how difficult it is to reassemble and view mailboxes and emails for particular webmail clients, or whether they're even vulnerable to that kind of snooping. Any other tool suggestions? Anyone know of existing write-ups that are related to this topic? For instance, here is one from AusCERT.

Nathaniel Richmond said...

After playing with the tools list, I see IECacheView looks like it does what I want. Great list of tools.

Anonymous said...

I am curious what tools people are using to search for internet history artifacts in unallocated space.
For example, this is possible with NetAnalysis and EnCase 6.11.
Are there any other tools or techniques people are using to do this?

Anonymous said...

Having tested quite a few, I'd argue that NetAnalysis' HstEx and XWF's Trace are state of the art. They can extract index records from a physical disk or image. Such a recovery is essential to a thorough exam of browsing and file access activity. Coupling NetAnalysis with the output of HstEx makes the duo unsurpassed in terms of completeness and ease of use. Of course, there may be equally capable tools of which I'm unaware, so please suggest others.
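The last two comments ask about recovering browser history records from unallocated space, which tools such as HstEx do by carving index records out of a raw disk or image. The following is an added example of that idea in miniature, written for this page and not taken from the post, the comments or any of the tools named; it scans a byte buffer for the "URL " signature that heads an Internet Explorer index.dat URL record, uses the record's block count to bound it, and pulls the URL string and the two FILETIME stamps out. The record-length field at offset 4 (in 128-byte blocks) and the FILETIMEs at offsets 8 and 16 follow the index.dat record layout described in the Jones article the post cites; the sample buffer, including where make_record places the URL string inside the record, is constructed here and is a simplified stand-in for real records, which is why the carver searches for the URL string rather than trusting any offset field.

```python
"""Carve index.dat-style URL records out of a raw byte buffer.

Added example; the buffer and the record builder are constructed, not real
index.dat data. Field offsets 4 (block count), 8 and 16 (FILETIMEs) follow
the IE index.dat URL record layout as documented by Jones."""
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK = 0x80                      # index.dat records are multiples of 128 bytes
MAX_BLOCKS = 64                   # sanity bound to reject false-positive signatures
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def filetime_to_dt(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """datetime -> FILETIME, using integer arithmetic to avoid float loss."""
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def make_record(url, modified, accessed):
    """Build a constructed URL record: signature, block count, two FILETIMEs,
    then the URL string at a fixed spot (0x68 is an assumption for this sample),
    padded out to whole 128-byte blocks."""
    body = bytearray(0x68)
    body += url.encode("ascii") + b"\x00"
    blocks = -(-len(body) // BLOCK)                 # ceiling division
    body += b"\x00" * (blocks * BLOCK - len(body))
    struct.pack_into("<4sI", body, 0, b"URL ", blocks)
    struct.pack_into("<QQ", body, 8, dt_to_filetime(modified), dt_to_filetime(accessed))
    return bytes(body)


def carve_url_records(buf):
    """Find 'URL ' signatures, validate the block count, and extract records.
    A signature whose length field is 0, absurdly large, or runs past the end
    of the buffer is treated as a false positive and skipped."""
    records = []
    pos = buf.find(b"URL ")
    while pos != -1:
        blocks = struct.unpack_from("<I", buf, pos + 4)[0] if pos + 8 <= len(buf) else 0
        end = pos + blocks * BLOCK
        if 0 < blocks <= MAX_BLOCKS and end <= len(buf):
            modified, accessed = struct.unpack_from("<QQ", buf, pos + 8)
            m = URL_RE.search(buf, pos + 0x18, end)   # skip the fixed header fields
            if m:
                records.append({
                    "offset": pos,
                    "modified": filetime_to_dt(modified),
                    "accessed": filetime_to_dt(accessed),
                    "url": m.group().decode("ascii"),
                })
            pos = buf.find(b"URL ", end)
        else:
            pos = buf.find(b"URL ", pos + 4)
    return records


def sample_buffer():
    """Constructed 'unallocated space': slack, a decoy 'URL ' in plain text
    that is not a record, and two real-looking records."""
    t1 = datetime(2008, 8, 20, 13, 52, 10, tzinfo=timezone.utc)
    t2 = datetime(2008, 8, 20, 14, 30, 0, tzinfo=timezone.utc)
    return (b"\x00" * 37
            + b"stray text mentioning a URL but no record"
            + make_record("http://198.51.100.7/update.exe", t1, t1)
            + b"\xff" * 19
            + make_record("http://intranet.example/home", t2, t2))


if __name__ == "__main__":
    for r in carve_url_records(sample_buffer()):
        print(f"{r['offset']:#08x} {r['accessed'].isoformat()} {r['url']}")
```

The decoy "URL " inside the plain-text run is rejected because the four bytes after it decode to an impossible block count, which is the same kind of plausibility check a production carver applies before trusting a signature hit. A real tool would also walk the hash-table index when the file header is intact and handle REDR and LEAK records; this block only shows the signature-plus-length carving step.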