Reconstructing web pages from browser cache
Iwan Hoogendoorn & Edwin Schaap, University of Amsterdam
July 4, 2013
Demo I
- Open Safari
- Clear Safari's cache
- Visit www.tweakers.net

Criminal research
- planning a crime
- committing the perfect crime
- Internet used as a resource

Evidence by a witness
- looking at content that is against the law
- content is removed by a suspect in a later stage
- Internet used as a resource

Forensic crime investigation
- computer forensics
- browser forensics
- web cache data forensics
Research question
In what ways can one visually reconstruct websites with information retrieved from normalised browser caches that can be used by computer forensic examiners to build a case?
- Raw caching data
- Reconstruction methods
- Reliability after reconstruction
Current forensic web cache tools
- Nirsoft Web Cache View
- Digital Detective
- Siquest
- Foxten Software

Netherlands Forensic Institute tools
- XIRAF
- HANSKEN
- Traces
Popular web browsers
[Figure 1: Browser popularity - Worldwide]
Web cache data structure - Google Chrome
- index file: header and hash table (cache meta data)
- block files: data_0, data_1, data_2, data_3, data_4
[Figure 2: Chrome web cache structure]

Web cache data structure - Mozilla Firefox
- _CACHE_MAP_ file: header, followed by the record buckets (256 records, 32 buckets) (cache meta data)
- block files: _CACHE_001_, _CACHE_002_, _CACHE_003_
[Figure 3: Firefox web cache structure]

Web cache data structure - Apple Safari
Three related tables:
- cfurl_cache_response: entry_ID (PK), version, hash_value, storage_policy, request_key, time_stamp
- cfurl_cache_blob_data: entry_ID (PK, FK1), response_object, request_object, proto_props, user_info
- cfurl_cache_receiver_data: entry_ID (PK, FK1), receiver_data
[Figure 4: Safari web cache structure]
Web cache data - before sanitisation

Field                       Chrome  Firefox  Safari
Unique identification       ✓       ✓        ✓
Eviction                    X       ✓        ✓
URL request string          ✓       ✓        ✓
Time/Date (first request)   ✓       ✓        ✓
Time/Date (last request)    X       X        ✓
Time/Date (expire)          X       X        ✓
Fetch count                 X       X        ✓
Client request headers      X       X        ✓
Server response header      ✓       ✓        ✓
Server response body        ✓       ✓        ✓

Table 1: Firefox, Chrome and Safari web cache comparison table (✓ = present in the cache, X = absent)
Traces - normalised cache data
- Unique identification
- URL request string
- Time/Date (first request)
- Server response body
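The mapping from the Safari tables above onto the four normalised Traces fields, as an added example (not the presenters' or NFI's code). It assumes the cache is an SQLite database with the cfurl_cache_response and cfurl_cache_receiver_data tables named on the slides (cfurl_cache_blob_data is not needed for these four fields and is left out), that time_stamp is stored as "YYYY-MM-DD HH:MM:SS" text, and it works on constructed sample rows, including an entry whose body was never stored.

```python
import sqlite3
from datetime import datetime, timezone

# Table and column names follow the Safari cache structure on the slides; the
# SQLite column types, the time_stamp text format and every row are constructed.
SCHEMA = """
CREATE TABLE cfurl_cache_response (
    entry_ID INTEGER PRIMARY KEY, version INTEGER, hash_value INTEGER,
    storage_policy INTEGER, request_key TEXT, time_stamp TEXT);
CREATE TABLE cfurl_cache_receiver_data (
    entry_ID INTEGER PRIMARY KEY REFERENCES cfurl_cache_response(entry_ID),
    receiver_data BLOB);
"""

SAMPLE_ENTRIES = [  # constructed; entry 3 has no receiver_data row (body never stored)
    (1, "http://www.tweakers.net/", "2013-07-04 10:15:00", b"<html>front page</html>"),
    (2, "http://www.tweakers.net/style.css", "2013-07-04 10:15:01", b"body{color:#333}"),
    (3, "http://www.tweakers.net/app.js", "2013-07-04 10:15:02", None),
]


def build_sample_cache() -> sqlite3.Connection:
    """Create an in-memory cache database populated with the constructed entries."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for entry_id, url, stamp, body in SAMPLE_ENTRIES:
        con.execute("INSERT INTO cfurl_cache_response VALUES (?, 0, ?, 0, ?, ?)",
                    (entry_id, hash(url) & 0xFFFFFFFF, url, stamp))
        if body is not None:
            con.execute("INSERT INTO cfurl_cache_receiver_data VALUES (?, ?)",
                        (entry_id, body))
    return con


def normalise_safari_cache(con: sqlite3.Connection) -> list:
    """Map cache rows onto the four normalised Traces fields; the LEFT JOIN keeps
    entries whose body is missing so the examiner still sees that URL was requested."""
    rows = con.execute("""
        SELECT r.entry_ID, r.request_key, r.time_stamp, d.receiver_data
        FROM cfurl_cache_response AS r
        LEFT JOIN cfurl_cache_receiver_data AS d ON d.entry_ID = r.entry_ID
        ORDER BY r.entry_ID""").fetchall()
    return [{
        "id": f"safari-{entry_id}",                     # unique identification
        "url": url,                                     # URL request string
        "first_request": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
                                 .replace(tzinfo=timezone.utc),  # time/date (first request)
        "body": body if body is not None else b"",      # server response body
    } for entry_id, url, stamp, body in rows]
```

An entry with an empty body still carries its URL and timestamp, which is exactly the kind of gap that later limits the reliability of a reconstruction.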
Web page reconstruction methods - I
- pre-processing
- post-processing

Web page reconstruction methods - II: Pre-processing
Advantages:
1. Requires no configuration of the rendering browser.
2. Can even run in the browser of the user, enabling interaction.
Disadvantages:
1. Tampers with the evidence.
2. Hard to parse all resource identifiers, especially if JavaScript is used.
3. Non-parsed resource identifiers circumvent the application.

Web page reconstruction methods - III: Post-processing
Advantages:
1. All resource identifiers are captured by the proxy.
Disadvantages:
1. Requires proxy configuration of the rendering browser.
2. SSL traffic is hard to deal with.
Proof of Concept

Application design
Components: Cache, Traces, Application, Proxy, Rendering browser, Frontend, User's Browser
[Figure 5: Web page reconstruction application]

Demo II
- Reconstruct the web page visited at the beginning of this presentation
- Compare before and after
Result - Simple websites I
[Screenshots: Reconstructed vs. Original]

Result - Simple websites II
[Screenshots: NetAnalysis vs. Original]

Result - Complex websites I
[Screenshots: Original vs. Reconstructed]

Result - Complex websites II
[Screenshots: Original vs. NetAnalysis]
Analysis - Dynamic resources
1. Browser S displays website W1 on time A.
2. Website W1 contains resource R.
3. Browser S displays website W2 on time B.
[Diagram: websites W1 and W2, resource R, times A and B]

Analysis - Runtime dependencies
1. Browser S visits website W.
2. Website W contains a dynamic time T.
3. Time T is taken from the local system time.
Conclusion
- Prefer post-processing
- Normalised data is sufficient
- Reliability depends on cache data

Thank you. Questions?