Manual Browser Analysis
Manual Browser Analysis: A Deep Dive
Manual browser analysis is a crucial forensic approach that allows analysts to gain granular insights into browser artifacts. By using tools like DB Browser for SQLite and Strings, analysts can extract and interpret valuable information that might be missed by automated solutions. Below is a comprehensive overview of key browser artifacts and the methodologies employed for their analysis.
1. DB Browser for SQLite
DB Browser for SQLite is an essential tool for manually analyzing SQLite databases associated with browsers. These databases store structured data related to browsing activity, downloads, and saved user information.
Key Artifacts Analyzed
a. Web History (History Database)
Location:
Tables:
urls: Stores visited URLs and timestamps.
downloads: Stores details about downloaded files, including file paths and referrer URLs.
Forensic Value:
Reconstructs browsing activity.
Identifies potentially malicious downloads.
b. Favicon (Favicon Database)
Location:
Tables:
favicons: Maps domain names to their corresponding favicon images.
Forensic Value:
Persists even if history is deleted, offering evidence of visited websites.
c. Top Sites (Top Sites Database)
Location:
Forensic Value:
Tracks frequently visited websites, revealing user preferences.
d. Form Data (Web Data Database)
Location:
Tables:
autofill: Stores saved form data (e.g., emails, addresses).
autofill_profile_addresses: Contains detailed address entries.
credit_cards: Stores encrypted payment information.
Forensic Value:
Recovers sensitive user data such as emails, addresses, and saved credentials.
e. Extensions
Location:
Analysis:
Each extension is stored in a uniquely named folder containing metadata files.
These metadata files can reveal the extension’s purpose, permissions, and source.
Forensic Value:
Identifies malicious or risky extensions that could exfiltrate data or monitor user activity.
2. Strings Tool
The Strings utility extracts sequences of printable characters from binary files. It is particularly effective for analyzing session files, which are often stored in formats that are not human-readable.
Session Files
Location:
Command:
Forensic Value:
Extracts session data, including open URLs and tabs.
Can recover activity even if the browser history has been deleted.
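As an added example that is not part of this lesson, the following Python script puts the checks from sections 1 and 2 into code: it opens a Chrome-style History database, converts the WebKit timestamps in the urls and downloads tables to UTC, joins each download to the history entry of its referrer, and applies a strings-style scan to a session blob to pull out URLs. The database rows and session bytes are constructed here; the column names follow the Chrome schema, but no real file locations are assumed.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Chromium timestamps are microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(ts):
    """Convert a WebKit/Chrome timestamp to an ISO-8601 UTC string."""
    return (WEBKIT_EPOCH + timedelta(microseconds=ts)).isoformat()

def build_sample_history():
    """Constructed in-memory stand-in for a Chrome History file (schema subset only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, referrer TEXT, tab_url TEXT);
        INSERT INTO urls VALUES (1, 'https://intranet.example/', 'Intranet', 3, 13348540800000000);
        INSERT INTO urls VALUES (2, 'http://invoice-portal.test/verify', 'Verify', 1, 13348544400000000);
        INSERT INTO downloads VALUES (1, '/home/analyst/Downloads/invoice.exe', 13348544460000000,
                                      'http://invoice-portal.test/verify', 'http://invoice-portal.test/verify');
    """)
    return conn

def list_visits(conn):
    """urls rows with last_visit_time made human-readable, oldest first."""
    rows = conn.execute("SELECT url, title, visit_count, last_visit_time "
                        "FROM urls ORDER BY last_visit_time")
    return [{"url": u, "title": t, "visits": v, "last_visit_utc": webkit_to_utc(ts)}
            for u, t, v, ts in rows]

def list_downloads(conn):
    """Each download joined to the history entry of its referrer (the page it came from)."""
    rows = conn.execute("SELECT d.target_path, d.start_time, d.referrer, u.title FROM downloads d "
                        "LEFT JOIN urls u ON u.url = d.referrer ORDER BY d.start_time")
    return [{"path": p, "start_utc": webkit_to_utc(ts), "referrer": r, "referrer_title": t}
            for p, ts, r, t in rows]

# Same idea as running `strings` on a session file: printable runs of 4+ bytes, then keep the URLs.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
URL = re.compile(rb"https?://[^\s\"'<>]+")

def session_urls(blob):
    """Return the URLs found among the printable strings of a binary session file."""
    return [m.decode() for run in PRINTABLE_RUN.findall(blob) for m in URL.findall(run)]
```

Pointing list_visits and list_downloads at a real History copy only needs sqlite3.connect(path) on a copied file, since the live database is locked while the browser runs.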
Practical Use Cases
1. Incident Investigation
Scenario: A terminated employee is suspected of leaking sensitive company data.
Artifacts Analyzed:
History Database: Checked for visits to competitor websites or suspicious external platforms.
Web Data: Retrieved saved credentials and autofill data.
Session Files: Examined the last session to identify user activity prior to termination.
Outcome: Identified unauthorized data access and potential data transfer to external parties.
2. Identifying Malicious Downloads
Scenario: A phishing email led to the download of a malware-laden file.
Artifacts Analyzed:
Downloads Table: Verified the downloaded file and its source URL.
Web History: Correlated with visits to known phishing sites.
Outcome: Traced the malware to a phishing site, providing evidence for containment and remediation.
Key Points
Manual browser analysis using DB Browser for SQLite and Strings offers a deeper understanding of user behavior and potential security incidents. This approach enables forensic analysts to extract detailed information that complements the findings of automated tools.
In the next lesson, we will explore Hindsight, an automated browser forensic tool that simplifies and streamlines the analysis process without compromising on depth or accuracy.