Browser Stuff
Many times during an examination, we'll take a look at the user's browser activity. That might include starting by getting the contents of the TypedURLs Registry key (I see that as a first step in a lot of analysis plans) and parsing an index.dat file or two; however, one thing that I rarely see in an analysis process, in case notes, or in a report is, the first thing I did was determine the default browser, as well as any other browsers that may have been installed and used.
When exploring user activity via the browser, the analyst needs to be sure to:
1. Check to see what the default browser is...yes, there'san app a RegRipper plugin for that. But keep in mind, this value can change. If the user doesn't uncheck one box in the default browser dialog that appears, they will be asked every time if they want to make the browser their default, so the question will be asked each time and they can go back and forth.
2. Determine what other browsers may be installed; don't assume that someone's only going to use Firefox. Strike that...don't assume anything. Find out. Any easy way to do this is to check the file associations for .htm(l) and .asp(x) files, as well as just see what software is installed.
3. Other places to check (these are included in RegRipper plugins, by the way...) include the user UserAssist keys (what've they been launching), the Uninstall key (for software installations), and which MSIs have been run on the system.
Many of these are quick checks...several folks who've used RegRipper have said that the tool has reduced Registry analysis from days to minutes, and thanks to the plugins, been more comprehensive than previous processes. So adding these checks to your analysis plan doesn't correlate to a significant increase in the time it takes to conduct your analysis.
One area that I rarely see discussed in browser analysis is the bookmarks file. For Firefox, the bookmarks.html file include ADD_DATE and LAST_MODIFIED entries for folders, and ADD_DATE and LAST_VISIT entries for the URLs. For IE, you'd look for the Favorites folder, which contains InternetShortcut/.url files which also include timestamps, in addition to the file MAC times themselves.
It seems to me that including this information in a timeline...should the investigation necessitate doing so...might be a source of some valuable data. For example, let's say you found an entry of interest in the user's Internet history; would it add some additional (and perhaps significant) context to the overall investigation to know that the web site was in the user's bookmarks/Favorites?
Commercial tools like ProDiscover make it very easy to populate the IE Internet History view from an image rather than just a single user. But keep in mind that it isn't IE that populates the Internet history artifacts for the user; it's the use of the WinInet APIs. What that means is that any application or tool that uses the WinInet APIs may leave similar artifacts, which is why, during some engagements, some of us have seen an Internet history for the Default User populated. In one particular instance, wget.exe was found to have been launched using System-level privileges, and the tool was found to use the WinInet APIs so we found clear artifacts of the use in the Default User's Internet history. In that particular case, the intruder used SQL injection to gain access to the MS SQL Server, and ran commands to create an FTP script file, which was then launched via ftp.exe. The script downloaded wget.exe, which the intruder verified was on the system, and then used to download additional software.
Another aspect of browser analysis (specifically for IE) is to look for Browser Helper Objects, or "BHOs". From a forensic analysis perspective, some BHOs have been known to be spyware, or worse; Symantec identified BHOs as a common loading point for malware.
This article discusses how to prevent BHOs from loading with the Explorer process, and only loading with IE.
On Firefox, Add-ons may be of interest. Here's a Symantec article that talks about BHOs (IE) and XPCOM (Mozilla).
My point is that sometimes just looking at the user's Internet browsing history may not be enough to really get a solid picture of what's going on. The existence of a particular web site that has been bookmarked or added to the user's Favorites may add valuable context to the examination. BHOs are loaded when the user starts IE, so any action taken by the BHO will be done in the user's context, and therefore will populate the user's Internet history.
So how might you use this in a real-world investigation? Well, if the user has their browser configured to delete the history when the browser is closed, or uses another tool to do so, you may find something of value in the bookmarks. Even if the history hasn't been deleted, you will be able to associate some artifacts with specific user activity.
What about the Trojan Defense? Well, with a comprehensive and thorough malware detection process, you might also include a specific check for BHOs or addons to the browser, further closing the door on that issue.
Resources
Firefox 3 Forensics
FoxAnalysis
Firefox Forensics (Machor Software - also Windows and Google Chrome Forensics)
NirSoft Browser Tools
WBF Tool
Addendum, 8 Jan
Opera Files - global history is kept in global.dat, entries have a format that looks similar to IE Favorites .url files:
Webpage Title - Something
http(s)://www.somewebsite.com/page
(possible *nix epoch timestamp)
When exploring user activity via the browser, the analyst needs to be sure to:
1. Check to see what the default browser is...yes, there's
2. Determine what other browsers may be installed; don't assume that someone's only going to use Firefox. Strike that...don't assume anything. Find out. Any easy way to do this is to check the file associations for .htm(l) and .asp(x) files, as well as just see what software is installed.
3. Other places to check (these are included in RegRipper plugins, by the way...) include the user UserAssist keys (what've they been launching), the Uninstall key (for software installations), and which MSIs have been run on the system.
Many of these are quick checks...several folks who've used RegRipper have said that the tool has reduced Registry analysis from days to minutes, and thanks to the plugins, been more comprehensive than previous processes. So adding these checks to your analysis plan doesn't correlate to a significant increase in the time it takes to conduct your analysis.
One area that I rarely see discussed in browser analysis is the bookmarks file. For Firefox, the bookmarks.html file include ADD_DATE and LAST_MODIFIED entries for folders, and ADD_DATE and LAST_VISIT entries for the URLs. For IE, you'd look for the Favorites folder, which contains InternetShortcut/.url files which also include timestamps, in addition to the file MAC times themselves.
It seems to me that including this information in a timeline...should the investigation necessitate doing so...might be a source of some valuable data. For example, let's say you found an entry of interest in the user's Internet history; would it add some additional (and perhaps significant) context to the overall investigation to know that the web site was in the user's bookmarks/Favorites?
Commercial tools like ProDiscover make it very easy to populate the IE Internet History view from an image rather than just a single user. But keep in mind that it isn't IE that populates the Internet history artifacts for the user; it's the use of the WinInet APIs. What that means is that any application or tool that uses the WinInet APIs may leave similar artifacts, which is why, during some engagements, some of us have seen an Internet history for the Default User populated. In one particular instance, wget.exe was found to have been launched using System-level privileges, and the tool was found to use the WinInet APIs so we found clear artifacts of the use in the Default User's Internet history. In that particular case, the intruder used SQL injection to gain access to the MS SQL Server, and ran commands to create an FTP script file, which was then launched via ftp.exe. The script downloaded wget.exe, which the intruder verified was on the system, and then used to download additional software.
Another aspect of browser analysis (specifically for IE) is to look for Browser Helper Objects, or "BHOs". From a forensic analysis perspective, some BHOs have been known to be spyware, or worse; Symantec identified BHOs as a common loading point for malware.
This article discusses how to prevent BHOs from loading with the Explorer process, and only loading with IE.
On Firefox, Add-ons may be of interest. Here's a Symantec article that talks about BHOs (IE) and XPCOM (Mozilla).
My point is that sometimes just looking at the user's Internet browsing history may not be enough to really get a solid picture of what's going on. The existence of a particular web site that has been bookmarked or added to the user's Favorites may add valuable context to the examination. BHOs are loaded when the user starts IE, so any action taken by the BHO will be done in the user's context, and therefore will populate the user's Internet history.
So how might you use this in a real-world investigation? Well, if the user has their browser configured to delete the history when the browser is closed, or uses another tool to do so, you may find something of value in the bookmarks. Even if the history hasn't been deleted, you will be able to associate some artifacts with specific user activity.
What about the Trojan Defense? Well, with a comprehensive and thorough malware detection process, you might also include a specific check for BHOs or addons to the browser, further closing the door on that issue.
Resources
Firefox 3 Forensics
FoxAnalysis
Firefox Forensics (Machor Software - also Windows and Google Chrome Forensics)
NirSoft Browser Tools
WBF Tool
Addendum, 8 Jan
Opera Files - global history is kept in global.dat, entries have a format that looks similar to IE Favorites .url files:
Webpage Title - Something
http(s)://www.somewebsite.com/page
(possible *nix epoch timestamp)