Reconstructing web pages from browser cache (PowerPoint presentation)
Iwan Hoogendoorn & Edwin Schaap, University of Amsterdam, July 4, 2013


  1. Reconstructing web pages from browser cache
     Iwan Hoogendoorn & Edwin Schaap, University of Amsterdam, July 4, 2013

  2. Demo I
     - Open Safari
     - Clear Safari's cache
     - Visit www.tweakers.net

  3. Criminal research
     - planning a crime
     - committing the perfect crime
     - Internet used as a resource

  4. Evidence by a witness
     - looking at content that is against the law
     - content is removed by a suspect at a later stage
     - Internet used as a resource

  5. Forensic crime investigation
     - computer forensics
     - browser forensics
     - web cache data forensics

  6. Research question
     In what ways can one visually reconstruct websites with information retrieved from normalized browser caches that can be used by computer forensic examiners to build a case?
     - Raw caching data
     - Reconstruction methods
     - Reliability after reconstruction

  7. Current forensic web cache tools
     - Nirsoft Web Cache View
     - Digital Detective
     - Siquest
     - Foxten Software

  8. Netherlands Forensic Institute
     Tools: XIRAF, HANSKEN, Traces

  9. Popular web browsers
     Figure 1 : Browser popularity - Worldwide

  10. Web cache data structure - Google Chrome
      index file: header, hash table
      block files data_0, data_1, data_2, data_3, data_4: cache (meta)data
      Figure 2 : Chrome web cache structure

  11. Web cache data structure - Mozilla Firefox
      _CACHE_MAP_: header, 32 buckets, 256 records
      block files _CACHE_001_, _CACHE_002_, _CACHE_003_: cache (meta)data
      Figure 3 : Firefox web cache structure

  12. Web cache data structure - Apple Safari
      cfurl_cache_response (PK entry_ID): version, hash_value, storage_policy, request_key, time_stamp
      cfurl_cache_blob_data (PK, FK1 entry_ID): response_object, request_object, proto_props, user_info
      cfurl_cache_receiver_data (PK, FK1 entry_ID): receiver_data
      Figure 4 : Safari web cache structure

  13. Web cache data - before sanitization
      Field                       Chrome  Firefox  Safari
      Unique identification       ✓       ✓        ✓
      Eviction                    X       ✓        ✓
      URL request string          ✓       ✓        ✓
      Time/Date (first request)   ✓       ✓        ✓
      Time/Date (last request)    X       X        ✓
      Time/Date (expire)          X       X        ✓
      Fetch count                 X       X        ✓
      Client request headers      X       X        ✓
      Server response header      ✓       ✓        ✓
      Server response body        ✓       ✓        ✓
      Table 1 : Firefox, Chrome and Safari web cache comparison table

  14. Traces - normalised cache data
      - Unique identification
      - URL request string
      - Time/Date (first request)
      - Server response body
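The four normalised trace fields above are exactly the ones Table 1 marks as present in all three browsers. As an added example (not the presentation's own tool), the block below pulls those four fields out of a Safari-style cache database whose three tables and key relations follow Figure 4. The column types, the sample rows and the SHA-256 integrity hash are constructed assumptions, not a dump of a real Cache.db; entries whose body is missing are reported instead of silently dropped, since an evicted body is itself evidence about what can and cannot be reconstructed.

```python
"""Normalise a Safari-style cache database into the four trace fields:
unique identification, URL request string, time/date of the first request
and the server response body.

Added example. Tables and PK/FK relations follow Figure 4 of the slides;
column types, sample rows and the hashing step are constructed assumptions.
"""
import hashlib
import sqlite3
import zlib
from dataclasses import dataclass
from typing import List, Optional

SCHEMA = """
CREATE TABLE cfurl_cache_response (
    entry_ID       INTEGER PRIMARY KEY,
    version        INTEGER,
    hash_value     INTEGER,
    storage_policy INTEGER,
    request_key    TEXT,
    time_stamp     TEXT
);
CREATE TABLE cfurl_cache_blob_data (
    entry_ID        INTEGER PRIMARY KEY REFERENCES cfurl_cache_response(entry_ID),
    response_object BLOB,
    request_object  BLOB,
    proto_props     BLOB,
    user_info       BLOB
);
CREATE TABLE cfurl_cache_receiver_data (
    entry_ID      INTEGER PRIMARY KEY REFERENCES cfurl_cache_response(entry_ID),
    receiver_data BLOB
);
"""


@dataclass(frozen=True)
class Trace:
    entry_id: int                # unique identification
    url: str                     # URL request string (request_key)
    first_request: str           # time/date of first request (time_stamp)
    body: Optional[bytes]        # server response body (receiver_data); None if absent
    body_sha256: Optional[str]   # integrity hash taken at extraction time


# Constructed sample rows: (entry_ID, request_key, time_stamp, receiver_data).
# Entry 3 has metadata but no receiver_data row, like an entry whose body was evicted.
SAMPLE_ROWS = [
    (1, "http://example.test/index.html", "2013-07-04 09:00:00",
     b"<html><img src='/logo.png'></html>"),
    (2, "http://example.test/logo.png", "2013-07-04 09:00:01", b"\x89PNG constructed"),
    (3, "http://example.test/evicted.css", "2013-07-04 09:00:02", None),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the Figure 4 layout and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for entry_id, url, ts, body in SAMPLE_ROWS:
        conn.execute(
            "INSERT INTO cfurl_cache_response VALUES (?, ?, ?, ?, ?, ?)",
            (entry_id, 1, zlib.crc32(url.encode()), 0, url, ts),
        )
        conn.execute(
            "INSERT INTO cfurl_cache_blob_data VALUES (?, ?, ?, ?, ?)",
            (entry_id, b"", b"", b"", b""),
        )
        if body is not None:
            conn.execute(
                "INSERT INTO cfurl_cache_receiver_data VALUES (?, ?)", (entry_id, body)
            )
    conn.commit()
    return conn


def normalise_safari_cache(conn: sqlite3.Connection) -> List[Trace]:
    """Return one Trace per cache entry, in entry_ID order."""
    # LEFT JOIN: an entry without a body still appears, with body=None.
    rows = conn.execute(
        """
        SELECT r.entry_ID, r.request_key, r.time_stamp, d.receiver_data
        FROM cfurl_cache_response AS r
        LEFT JOIN cfurl_cache_receiver_data AS d ON d.entry_ID = r.entry_ID
        ORDER BY r.entry_ID
        """
    ).fetchall()
    traces = []
    for entry_id, url, ts, body in rows:
        digest = hashlib.sha256(body).hexdigest() if body is not None else None
        traces.append(Trace(entry_id, url, ts, body, digest))
    return traces


if __name__ == "__main__":
    for t in normalise_safari_cache(build_sample_db()):
        print(t.entry_id, t.first_request, t.url, "body" if t.body else "NO BODY")
```

Recording the hash beside each extracted body lets a later reconstruction step prove that what it rendered is byte-for-byte what was taken from the cache.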

  15. Web page reconstruction methods - I
      - pre-processing
      - post-processing

  16. Web page reconstruction methods - II
      Pre-processing
      Advantages:
        1. Requires no configuration of the rendering browser.
        2. Can even run in the browser of the user, enabling interaction.
      Disadvantages:
        1. Tampers with the evidence.
        2. Hard to parse all resource identifiers, especially if JavaScript is used.
        3. Non-parsed resource identifiers circumvent the application.

  17. Web page reconstruction methods - III
      Post-processing
      Advantages:
        1. All resource identifiers are captured by the proxy.
      Disadvantages:
        1. Requires proxy configuration of the rendering browser.
        2. SSL traffic is hard to deal with.
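The post-processing approach on slides 16 and 17 hinges on one property: because the rendering browser is pointed at a proxy, every resource identifier it resolves, including ones that JavaScript builds at runtime and that no HTML parser would find, arrives at the proxy as a plain request. The block below is an added example of such a proxy, not the presentation's proof-of-concept. It answers only from the normalised traces, never from the live Internet, records identifiers the page needed but the cache lacks, and refuses CONNECT tunnels because TLS traffic cannot be reconstructed this way. The trace table, hostnames and bodies are constructed.

```python
"""Post-processing reconstruction proxy: serve a rendering browser only from
normalised cache traces and log every identifier the cache cannot satisfy.

Added example, not the presentation's own application. TRACES and all
hostnames/bodies are constructed.
"""
import http.server
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed traces: URL request string -> (content type, server response body).
# The HTML references /logo.png statically and builds a /pixel.gif URL in script.
TRACES: Dict[str, Tuple[str, bytes]] = {
    "http://example.test/": (
        "text/html",
        b"<html><script>var i=new Image();i.src='/pixel.gif?t='+Date.now();"
        b"</script><img src='/logo.png'></html>",
    ),
    "http://example.test/logo.png": ("image/png", b"\x89PNG constructed"),
}


def cache_key(url: str) -> str:
    """Fragments never reach a server, so drop them; empty path means '/'."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def resolve(url: str, traces: Dict[str, Tuple[str, bytes]],
            missing: List[str]) -> Tuple[int, str, bytes]:
    """Look a requested URL up in the traces; record misses instead of fetching."""
    key = cache_key(url)
    hit = traces.get(key)
    if hit is None:
        missing.append(key)
        return 404, "text/plain", b"not present in cache traces"
    return 200, hit[0], hit[1]


class TraceProxy(http.server.BaseHTTPRequestHandler):
    traces = TRACES
    missing: List[str] = []   # identifiers the page needed but the cache lacks

    def do_GET(self):
        # A browser configured for a proxy sends the absolute URL as request target.
        status, ctype, body = resolve(self.path, self.traces, self.missing)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_CONNECT(self):
        # HTTPS arrives as a CONNECT tunnel the proxy cannot look into (slide 17).
        self.send_error(501, "TLS tunnels are not reconstructed by this proxy")

    def log_message(self, fmt, *args):
        pass  # keep the console quiet; misses are kept in TraceProxy.missing


def make_proxy(port: int = 0) -> http.server.ThreadingHTTPServer:
    """Bind the proxy on localhost; port 0 lets the OS pick a free port."""
    return http.server.ThreadingHTTPServer(("127.0.0.1", port), TraceProxy)


if __name__ == "__main__":
    srv = make_proxy()
    print("proxy on 127.0.0.1:%d (configure the rendering browser to use it)"
          % srv.server_address[1])
    srv.serve_forever()
```

Run the block, point a browser's HTTP proxy setting at the printed port and open http://example.test/ in it: the image loads from the traces, while the script-built pixel URL lands in `TraceProxy.missing`, which is the list of resources a pre-processing parser would have silently let through to the live site.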

  18. Proof of Concept

  19. Application design
      Components: Cache, Proxy, Traces, Rendering browser, Frontend, User's Browser
      Figure 5 : Web page reconstruction application

  20. Demo II
      - Reconstruct the web page visited at the beginning of this presentation
      - Compare before and after

  21. Result - Simple websites I (Reconstructed vs. Original)

  22. Result - Simple websites II (NetAnalysis vs. Original)

  23. Result - complex websites I (Original vs. Reconstructed)

  24. Result - complex websites II (Original vs. NetAnalysis)

  25. Analysis - Dynamic resources
      1. Browser S displays website W1 on time A.
      2. Website W1 contains resource R.
      3. Browser S displays website W2 on time B.
      (figure: timeline of W1, W2 and R at times A and B)

  26. Analysis - Runtime dependencies
      1. Browser S visits website W.
      2. Website W contains a dynamic time T.
      3. Time T is taken from the local system time.
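Both analysis slides are about what the cache can and cannot say about a page at a given moment: if W2 at time B refetched resource R, the cache may only hold R as served at B, not as W1 showed it at A; and a time T computed from the local clock is never in the cache at all. As an added example (not part of the presentation), the block below picks, for one URL, the cached version whose first-request time best fits the visit being reconstructed and labels the choice with how trustworthy it is, and flags HTML whose inline script reads the local clock. Timestamps, bodies and the clock-dependency pattern are constructed.

```python
"""Choose the cached version of a resource that fits a visit time, and flag
pages whose content depended on the local clock.

Added example, not the presentation's code; sample times, bodies and the
regular expression are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Choice:
    body: Optional[bytes]
    cached_at: Optional[datetime]
    status: str   # "at_or_before", "later_only" or "missing"


def select_version(entries: List[Tuple[datetime, bytes]], visit: datetime) -> Choice:
    """entries: (first request time, body) pairs for one URL, in any order.

    Prefer the newest copy fetched at or before the visit. If only copies
    fetched after the visit exist, return the earliest one but mark it
    "later_only": it is R as refetched for W2 at time B, not what W1 showed
    at time A, and the examiner must treat it accordingly.
    """
    if not entries:
        return Choice(None, None, "missing")
    before = [e for e in entries if e[0] <= visit]
    if before:
        t, body = max(before, key=lambda e: e[0])
        return Choice(body, t, "at_or_before")
    t, body = min(entries, key=lambda e: e[0])
    return Choice(body, t, "later_only")


# Constructed heuristic: inline script that reads the local clock (slide 26).
CLOCK_PATTERN = re.compile(rb"new\s+Date\s*\(|Date\.now\s*\(")


def clock_dependent(html: bytes) -> bool:
    """True if the page body computes something from the local system time."""
    return CLOCK_PATTERN.search(html) is not None


# Constructed sample: resource R first cached at time A, replaced at time B.
A = datetime(2013, 7, 4, 9, 0)
B = datetime(2013, 7, 4, 10, 0)
BEFORE_A = datetime(2013, 7, 4, 8, 0)
BETWEEN = datetime(2013, 7, 4, 9, 30)
R_VERSIONS = [(B, b"R as served at B"), (A, b"R as served at A")]

if __name__ == "__main__":
    for visit in (BEFORE_A, BETWEEN, B):
        c = select_version(R_VERSIONS, visit)
        print(visit.time(), c.status, c.body)
    print(clock_dependent(b"<script>document.write(new Date())</script>"))
```

The status field is what the reconstruction front end should surface next to each resource: a page built only from "at_or_before" resources is a stronger claim about what the suspect saw than one padded with "later_only" copies or rendered from a clock-dependent body.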

  27. Conclusion
      - Prefer post-processing
      - Normalized data is sufficient
      - Reliability depends on cache data

  28. Thank you ?
