anti forensics-techniques-for-browsing-artifacts

Anti-Forensics Techniques for browsing artifacts By: Gaurang Patel www.cyberworldhere.com

Upload: gaurang17

Post on 29-Nov-2014


DESCRIPTION

Anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation. Achieve security using anti-forensics. Anti-forensics includes encryption, steganography, disk cleaning and file wiping. Anti-forensics is used mainly for security purposes: for confidentiality of information or securing web transactions. Smart criminals are using it to make forensic investigation harder.

TRANSCRIPT

Page 1: Anti forensics-techniques-for-browsing-artifacts

Anti-Forensics Techniques for browsing artifacts

By: Gaurang Patel

www.cyberworldhere.com

Page 2: Anti forensics-techniques-for-browsing-artifacts


Outline

Introduction to cybercrime

What is Cyber Forensics

Branches of Digital Forensics

Why Browser Forensics ?

Test and Analysis

Proposed Research Flow

Forensics Vs. Anti-Forensics

Why Anti-Forensics ?

Anti-Forensics Test and Analysis Flow

Anti-Forensics Techniques

Analysis of Results

Conclusion

References

Copyright © http://www.cyberworldhere.com

Page 3: Anti forensics-techniques-for-browsing-artifacts

Introduction to cybercrime

Digital crime (also called cybercrime, e-crime, hi-tech crime and electronic crime) generally refers to criminal activity where a computer or network is the source, tool, target, or place of a crime. Cybercrime is a term for any illegal activity that uses a computer as its primary means of commission.

Page 4: Anti forensics-techniques-for-browsing-artifacts

What is Cyber Forensics

Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Page 5: Anti forensics-techniques-for-browsing-artifacts

Branches of Digital Forensics

1. Disk Forensics

2. Printer Forensics

3. Network Forensics

4. Mobile Device Forensics

5. Database Forensics

6. Digital Music Device Forensics

7. Scanner Forensics

8. Browser Forensics

9. Social networking Forensics

10. PDA Forensics

Page 6: Anti forensics-techniques-for-browsing-artifacts

Why Browser Forensics ?

People use web browsers to search for information, shop online, bank and invest, communicate through email or instant messaging, join online blogs or social networks, and perform many other functions.

Crimes through browsers

Losses due to crimes

Important to collect trails as evidence

Forensic investigation to get browsing-related data from the computer

Page 7: Anti forensics-techniques-for-browsing-artifacts

Test and Analysis

Tests conducted in two modes

1) Normal Browsing Mode

2) Private Browsing Mode

Tools Used:

* AccessData® FTK® Imager 3.1.3.2

* Autopsy 3.0.6

* Web browser Forensic Analyzer, version 1.2

* Cache, History and Cookie viewers by Nirsoft

* Fsutil

* Eraser Secure Deletion tool

* Any Linux Distribution Live Diskette

Browsers Used:

* Mozilla Firefox version 25.0.1

* Google Chrome version 17.0.963.12

* Internet Explorer version 9.0.8112.16421

System Used: Dell XPS 15 machine with 6 GB RAM, Windows 7 Professional and a 750 GB hard disk formatted with NTFS.

Page 8: Anti forensics-techniques-for-browsing-artifacts

Proposed Research Flow

Page 9: Anti forensics-techniques-for-browsing-artifacts

Normal Browsing Test:

Unique URLs and the keywords used during the test

| URLs | Keyword used in search and opened link |
|---|---|
| Google.com | Cyber security (opened first Wikipedia page on cyber security standards) |
| Yahoo.com | Virus attack (opened home.mcafee.com/VirusInfo) |
| msn.com | Threat (opened first Wikipedia page) |
| Youtube.com | Hacking |

Page 10: Anti forensics-techniques-for-browsing-artifacts

Cache, history and cookie places of Firefox have traces of normal browsing activities.

Page 11: Anti forensics-techniques-for-browsing-artifacts

Cache, history and cookie places of Chrome have traces of normal browsing activities

Page 12: Anti forensics-techniques-for-browsing-artifacts

Cache, history and cookie places of IE have traces of normal browsing activities.

Page 13: Anti forensics-techniques-for-browsing-artifacts

Evidence collected using WEFA (Web browser Forensic Analyzer)

All the History, Cache and cookies based artifacts found by WEFA.

Also gives some interesting evidences like

– Local File accessed by the user on the computer

– Search outline of all the browsers with URL hit status (Direct or Indirect)

Page 14: Anti forensics-techniques-for-browsing-artifacts

Forensically sound tool- WEFA

Shows URL behavior like search, blog, news, video etc.

Shows URL hit status (Direct or Indirect)

WEFA recovers the deleted web browser log files

WEFA collects the artifacts from all the browsers at single time.

Carving index.dat files

Page 15: Anti forensics-techniques-for-browsing-artifacts

Carving index.dat file shows the old History

Actual Test Performed on 4-12-2013

Page 16: Anti forensics-techniques-for-browsing-artifacts

Carved File Analysis by Autopsy

How can we say that it is the result of carving index.dat files?

To cross check we opened the carved files of WEFA in Autopsy.

It shows the same URL as shown in history.

Page 17: Anti forensics-techniques-for-browsing-artifacts

Private Browsing

Why Private Browsing ?

Page 18: Anti forensics-techniques-for-browsing-artifacts

Private Browsing

Page 19: Anti forensics-techniques-for-browsing-artifacts

Private Browsing Test:

Unique URLs and the keywords used during the test

Firefox (Private):

| URLs | Keyword used in search |
|---|---|
| Forbes.com | Security |
| Food.com | Salad |
| Timesofindia.indiatimes.com | Exploit |
| Djmaza.com | Singh saab the great |

Chrome (Incognito):

| URLs | Keyword used in search |
|---|---|
| Youtube.com | Forensics |
| Bing.com | Social networking |
| Play.google.com | Angry birds |

Internet Explorer (In-Private):

| URLs | Keyword used in search |
|---|---|
| Hotmail.com | - |
| Filehippo.com | Chat |
| Torrentz.com | Mickey virus |

Page 20: Anti forensics-techniques-for-browsing-artifacts

Searching For Artifacts

Search Was Performed

Terminating the Private Browsing Session by closing browser

Common locations of history, caches and cookies don’t leave any trails

Used several tools but did not find any trails of private browsing.

Captured the RAM (volatile memory) and swap file

Page 21: Anti forensics-techniques-for-browsing-artifacts

Private Browsing Artifacts Found From RAM

Page 22: Anti forensics-techniques-for-browsing-artifacts

Entries in RAM

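| Browser | URL entries in RAM | Keyword entries in RAM |
|---|---|---|
| Mozilla Firefox (Private) | Forbes.com: 38 entries | Security: 7 entries |
| Mozilla Firefox (Private) | Food.com: 51 entries | Salad: 47 entries |
| Mozilla Firefox (Private) | Timesofindia.indiatimes.com: 17 entries | Exploit: 8 entries |
| Mozilla Firefox (Private) | Djmaza.com: 15 entries | Singh saab the great: 9 entries |
| Google Chrome (Incognito) | Youtube.com: 13 entries | Forensics: 7 entries |
| Google Chrome (Incognito) | Bing.com: 150 entries | Social networking: 14 entries |
| Google Chrome (Incognito) | Play.google.com: 200 entries | Angry birds: 39 entries |
| Internet Explorer (In-Private) | Hotmail.com: 20 entries | - |
| Internet Explorer (In-Private) | Filehippo.com: 38 entries | Chat: 10 entries |
| Internet Explorer (In-Private) | Torrentz.com: 30 entries | Mickey virus: 25 entries |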

Page 23: Anti forensics-techniques-for-browsing-artifacts

Capture and Analysis of RAM and Paging File in Different Phases

Evidence found in the image acquired from the running machine

Quickly restarted the system and acquired the image again

Evidence still found in RAM after the quick restart

Powered off the machine for a few (4-5) minutes and powered it on again

Acquired images of RAM and the paging file again

No evidence found in the RAM dump, but some evidence found in the paging file (Pagefile.sys).
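The search behind the entry counts and the RAM/pagefile phases above, written out as an added example that is not part of the original slides or of any tool they name. It counts case-insensitive ASCII and UTF-16LE occurrences of each URL or keyword in a raw image, including strings split across read boundaries; the function names and the planted sample strings are constructed for illustration.

```python
# Added example (not from the original slides): count URL and keyword
# entries in a raw RAM dump or pagefile.sys image.
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images never sit in memory


def patterns_for(term):
    """Strings in process memory appear as ASCII/UTF-8 and as UTF-16LE."""
    low = term.lower()
    return [low.encode("utf-8"), low.encode("utf-16-le")]


def scan_image(image_path, terms):
    """Return ({term: hit count}, zero_filled) for a raw image file."""
    pats = {t: patterns_for(t) for t in terms}
    # Carry this many bytes between reads so a string split across two
    # chunks is still matched.
    keep = max((len(p) for ps in pats.values() for p in ps), default=1) - 1
    hits = dict.fromkeys(terms, 0)
    zero_filled = True
    tail = b""
    with open(image_path, "rb") as img:
        while True:
            chunk = img.read(CHUNK)
            if not chunk:
                break
            if chunk.count(0) != len(chunk):
                zero_filled = False
            # bytes.lower() changes only ASCII letters, so it is safe for both
            # encodings and makes the search case-insensitive.
            buf = tail + chunk.lower()
            for term, plist in pats.items():
                for pat in plist:
                    pos = buf.find(pat)
                    while pos != -1:
                        # Count a match only if it ends inside the new chunk;
                        # one lying wholly in the tail was counted last round.
                        if pos + len(pat) > len(tail):
                            hits[term] += 1
                        pos = buf.find(pat, pos + 1)
            tail = buf[-keep:] if keep else b""
    return hits, zero_filled


def build_sample_image(path):
    """Constructed sample image: filler plus planted strings, not real evidence."""
    with open(path, "wb") as f:
        f.write(b"\xaa" * (CHUNK - 15))  # URL below straddles the chunk boundary
        f.write(b"http://www.Forbes.com/search?q=security")
        f.write(b"\x00" * 4096)
        f.write("forbes.com".encode("utf-16-le"))  # wide-string copy
        f.write(b"\x00" * 4096)
        f.write(b"Salad recipes | salad dressing | SALAD")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        image = build_sample_image(os.path.join(d, "sample.img"))
        terms = ["forbes.com", "security", "salad", "exploit"]
        hits, zero_filled = scan_image(image, terms)
        for term, n in hits.items():
            print(f"{term}: {n} entries")
        print("image is entirely zero-filled:", zero_filled)
```

The `zero_filled` flag separates an image that simply has no hits from one that contains nothing but zero bytes.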

Page 24: Anti forensics-techniques-for-browsing-artifacts

Page File having Private Browsing Artifacts

Page 25: Anti forensics-techniques-for-browsing-artifacts

Private Browsing is not so Private

Page 26: Anti forensics-techniques-for-browsing-artifacts

Forensics Vs. Anti-Forensics

Essentially, anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation.

Achieve security using anti-forensics.

Anti-forensics includes: encryption, steganography, disk cleaning, file wiping

Page 27: Anti forensics-techniques-for-browsing-artifacts

Why Anti-Forensics ?

Anti-forensics is used mainly for security purposes.

For confidentiality of information or securing web transactions.

Smart criminals are using it to make forensic investigation harder.

Page 28: Anti forensics-techniques-for-browsing-artifacts

Anti-Forensics Test and Analysis Flow

Page 29: Anti forensics-techniques-for-browsing-artifacts

Continued..

Page 30: Anti forensics-techniques-for-browsing-artifacts

Anti-Forensics Techniques

Disable Page File

It affects computer performance and slows down computing on machines with less RAM.

Page 31: Anti forensics-techniques-for-browsing-artifacts

Encrypt Page File

We encrypted the content of the pagefile and acquired the image again to analyse it using the forensics tools.

Page 32: Anti forensics-techniques-for-browsing-artifacts

Capturing Pagefile

Page 33: Anti forensics-techniques-for-browsing-artifacts

Encrypted Page File

Page 34: Anti forensics-techniques-for-browsing-artifacts

Clear the windows page file

You can tell your computer to erase the pagefile on every shutdown. Open the Registry by typing regedit in Run and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\. There, change the DWORD value of ‘ClearPageFileAtShutdown’ from 0 to 1.

Page 35: Anti forensics-techniques-for-browsing-artifacts

Cleared Page File

No browsing evidence was found on the machine; it only shows the cleared pagefile.

Page 36: Anti forensics-techniques-for-browsing-artifacts

Using the Linux Live CD or USB to browse the Web securely

* We booted the existing machine with Linux but did not mount the CD read/write. We only booted up and directly performed the browsing activities.

* The entire Linux file system is stored in RAM; after we restarted the machine, no artifacts were found on it.

* So using a Linux distribution is one of the best ways to perform private browsing without leaving artifacts behind.

Page 37: Anti forensics-techniques-for-browsing-artifacts

Secure Wiping the browsing activities

Normal deletion: the file is not actually deleted. Only the file reference is deleted from the system table, and the data remains on the hard disk until it is overwritten by other data, so it can be recovered by several tools.

But if we securely wipe the browsing data using multiple passes, it cannot be recovered. So it is the best anti-forensics technique.

Forgot to turn on private browsing mode? Don’t worry.

Artifacts can be found in several history and cookie locations on the computer.

We used the tool named Eraser, which securely wipes the contents from the hard disk so that they cannot be recovered by any of the forensics tools.

Page 38: Anti forensics-techniques-for-browsing-artifacts

Analysis of Results

Performance hit?

* Disabling paging file: Yes. We found serious performance degradation after disabling the paging file, because this swap storage is used for faster indexing of the data. So it is not an effective anti-forensics technique if you want quick response.

* Encrypt paging file: Yes. Performance hit due to the nature of encryption (EFS). EFS uses public key encryption in conjunction with symmetric key encryption. It slows down computing, and the machine takes more time to power on and off.

* Clear page file: Little. We cleared the Windows paging file and used the computer again, and found a small performance effect, because the page file stores computing data as swap storage and gives a quick response when the same data is accessed again while it resides in swap.

* Using Linux distribution: No. To secure our browsing we used the Linux live disk to perform the web activity and then removed the CD from the Windows machine; here we do not need to clear, wipe or encrypt the paging file. So computer performance remains as it is.

* Secure wiping (using several passes): No. Here we are wiping the browsing content (history, cookies, cache, index.dat etc.) after normal browsing and not dealing with the page file. So there is no performance effect.

Page 39: Anti forensics-techniques-for-browsing-artifacts

Analysis of Results… Continued

Evidence remnant?

* Disabling paging file: No. No evidence, because we disabled page file creation. (Fig-16)

* Encrypt paging file: No (restart required). Evidence content is stored in encrypted form, so nobody can read it. (Fig-19)

* Clear page file: No (restart required). After clearing the paging file, no evidence was found in the page file. Just found ‘0’s. (Fig-20)

* Using Linux distribution: No. No browsing evidence was found on the Windows machine because we used the Linux distribution to perform the web activities.

* Secure wiping (using several passes): No. Securely wiping the evidence removes the traces from the computer by removing the entries using several passes (we used 35 passes). It removes the file from the hard disk, and the file was not recovered by any of the recovery tools. (Fig-21)

Page 40: Anti forensics-techniques-for-browsing-artifacts

Analysis of Results… Continued

Evidence remains in RAM after restart?

* Disabling paging file: Yes. RAM contains the evidence after restart. (Fig-12)

* Encrypt paging file: Yes. RAM contains the evidence after restart. (RAM stores it in unencrypted form.) (Fig-12)

* Clear page file: Yes. RAM contains the evidence after restart. (We cleared the page file, not the RAM.) (Fig-12)

* Using Linux distribution: No. RAM contains no evidence after restart because we ran Linux over Windows to browse the web.

* Secure wiping (using several passes): Yes. RAM contains the evidence after restart.

Evidence remains in RAM after power off and on (after 4-5 min.)?

* Disabling paging file: No. Power off and on (after a few minutes) completely wipes the evidence.

* Encrypt paging file: No. No unencrypted evidence found.

* Clear page file: No. No evidence found in RAM after power off and on.

* Using Linux distribution: No. No traces were found in the Windows machine's RAM.

* Secure wiping (using several passes): No. Evidence is removed from RAM, but the page file must still be handled to remove traces.

Page 41: Anti forensics-techniques-for-browsing-artifacts

Analysis of Results… Continued

| | Disabling paging file | Encrypt paging file | Clear page file | Using Linux distribution | Secure wiping (using several passes) |
|---|---|---|---|---|---|
| Evidence recovered (after private browsing)? | No | No | No | No | No |
| Best for private browsing? | Yes (recommended) | Average | Average | Yes (recommended) | No |
| Best for normal browsing? | Yes (not enough; more action required to remove other traces) | Yes (not enough; more action required to remove other traces) | Yes (not enough; more action required to remove other traces) | Yes | Yes |

Page 42: Anti forensics-techniques-for-browsing-artifacts

Recommended from Above Comparison

Here we recommend the technique “Disable page file and use private browsing”, because after private browsing we need to handle only swap storage; disabling it once means the paging storage file (size = RAM size) is not created, and we do not require the additional restarts needed for page file encryption and page file clearing. (Powering off the machine for a few minutes after private browsing is required to remove evidence completely from RAM.)

Another recommendation from the above comparison is to use a “Linux live distribution in any browsing mode (private/normal)”, which does not leave any traces behind.

Page 43: Anti forensics-techniques-for-browsing-artifacts

CONCLUSION

Before moving directly to anti-forensics, it is important to understand the forensics methodology first. This research used proper test methods and examined normal and private browsing activities on three popular web browsers to forensically collect evidence such as browsing history, caches and cookies, and then used several anti-forensics techniques to mitigate or remove the trails left after browsing activities. So if you want to achieve end-level security, don’t forget to use anti-forensics. We concluded that the latest Firefox (Private) is more secure than the other browsers. We have also proposed a proper method to achieve more security through the use of anti-forensics, tested every technique using that method to check its effectiveness, and finally concluded the best anti-forensic technique. Further research can be done on anonymity browsers like TOR to analyse what level of privacy they give us.
