You're reading from Windows Forensics Cookbook

Published in Aug 2017, 1st Edition, ISBN-13 9781784390495

Authors (2):

Scar de Courcier

Scar de Courcier is Senior Editor at digital forensics website Forensic Focus. She also works as an independent consultant on online and offline child protection projects. In her spare time, she enjoys swimming, pretending she lives on the USS Voyager, and hanging out with her cat.

Oleg Skulkin

Oleg Skulkin is the Head of Digital Forensics and Malware Analysis Laboratory at Group-IB. Oleg has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for over a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Oleg has authored and co-authored multiple blog posts, papers, and books on related topics and holds GCFA and GCTI certifications.

Web Browser Forensics

In this chapter, we will cover the following recipes:

  • Mozilla Firefox analysis with BlackBag BlackLight
  • Google Chrome analysis with Magnet AXIOM
  • Microsoft Internet Explorer and Microsoft Edge analysis with Belkasoft Evidence Center
  • Extracting web browser data from Pagefile.sys

Introduction

It is hard to imagine a case in which web browser artifacts are useless. Child abuse material, intellectual property theft, cyber harassment, malware: browser artifacts help to solve all sorts of cases. Nowadays, a huge number of web browsers are available. Some provide their users with increased privacy options, others do not. But even if the suspect uses a privacy-focused browser, such as the notorious Tor, a computer forensic examiner is still able to extract some data, for example from the swap and hibernation files (see the last recipe in this chapter) or from a memory dump.

In this chapter, we will show you how to perform web browser forensics with some forensic tools you have already dealt with, such as Magnet AXIOM and Belkasoft Evidence Center, and some new ones, such as BlackBag's BlackLight.

Finally, you will learn how to defeat some anti-forensic techniques using swap...

Mozilla Firefox analysis with BlackBag's BlackLight

BlackBag's BlackLight is a very powerful digital forensic tool which we usually use for Mac OS X (macOS) forensics. But, of course, Mac is not the only platform it supports: you can also use it for Android, iOS, and Windows forensics. What's more, BlackLight runs on both Windows and macOS workstations, meaning that you can analyze Windows forensic images on a Mac. In this recipe, we will show you how to use BlackLight for Mozilla Firefox forensics.

Getting ready

If you are not a licensed user of BlackLight, you can request a trial licence on the BlackBag website. Use the REQUEST TRIAL button on the BlackLight page, fill in your personal information...

Google Chrome analysis with Magnet AXIOM

Google Chrome is another very popular web browser. You will find its artifacts during many forensic examinations, not only on Windows systems, but also macOS, Linux, and even mobile platforms. With the help of this recipe you will learn how to parse Google Chrome artifacts with Magnet AXIOM.

Getting ready

Of course, you can use the whole forensic image as the source, but it is much faster to extract the Google Chrome folder from the user's profile, as this greatly reduces the dataset that has to be parsed. Here is where you can find the folders you need:

Windows XP:

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome

Windows Vista and above:

C:\Users...
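Both the Firefox recipe above and this Chrome recipe rely on browser history databases that are plain SQLite files: Chrome keeps a `History` file in its profile folder, Firefox keeps `places.sqlite`. The following is an added example, not code from the book or from any of the tools it covers, showing what a tool such as AXIOM does under the hood: it reads the history tables and converts each browser's own timestamp format (Chrome stores microseconds since 1601-01-01 UTC, Firefox stores PRTime, microseconds since 1970-01-01 UTC) into one merged timeline. The in-memory sample databases, their rows and the helper names are constructed for the example; on a real case you would open a copy of the file exported from the image.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's History file stores times as microseconds since 1601-01-01 UTC (the FILETIME base);
# Firefox's places.sqlite stores PRTime, microseconds since 1970-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime; 0/NULL means 'never visited'."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def prtime_to_datetime(microseconds):
    """Convert a Firefox PRTime timestamp to an aware UTC datetime; 0/NULL means 'never visited'."""
    if not microseconds:
        return None
    return UNIX_EPOCH + timedelta(microseconds=microseconds)


def read_chrome_history(con):
    """Read the 'urls' table of a Chrome History database. Open the connection on a copy of
    the file taken from the image, never on the live profile (Chrome locks it while running)."""
    rows = con.execute("SELECT url, title, visit_count, last_visit_time FROM urls").fetchall()
    return [{"browser": "chrome", "url": url, "title": title, "visits": visits,
             "last_visit": webkit_to_datetime(ts)} for url, title, visits, ts in rows]


def read_firefox_history(con):
    """Read the 'moz_places' table of a Firefox places.sqlite database."""
    rows = con.execute("SELECT url, title, visit_count, last_visit_date FROM moz_places").fetchall()
    return [{"browser": "firefox", "url": url, "title": title, "visits": visits,
             "last_visit": prtime_to_datetime(ts)} for url, title, visits, ts in rows]


def merge_timeline(*histories):
    """Merge per-browser records into one timeline, oldest first; never-visited rows go last."""
    records = [r for h in histories for r in h]
    far_future = datetime.max.replace(tzinfo=timezone.utc)
    return sorted(records, key=lambda r: r["last_visit"] or far_future)


def build_sample_chrome_db():
    """Constructed in-memory stand-in for a Chrome History file (only the columns used above)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [
            # 13146019200000000 us after 1601-01-01 is 2017-08-01 00:00:00 UTC
            ("https://example.com/login", "Sign in", 3, 1, 13146019200000000, 0),
            # a row that was never visited (e.g. bookmark only): timestamp 0
            ("https://example.com/never", "Bookmark only", 0, 0, 0, 0),
        ],
    )
    return con


def build_sample_firefox_db():
    """Constructed in-memory stand-in for a Firefox places.sqlite file."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_date INTEGER)")
    con.executemany(
        "INSERT INTO moz_places (url, title, visit_count, last_visit_date) VALUES (?, ?, ?, ?)",
        # 1501549200000000 us after 1970-01-01 is 2017-08-01 01:00:00 UTC, one hour after the Chrome visit
        [("https://example.org/search?q=forensics", "Search", 1, 1501549200000000)],
    )
    return con


if __name__ == "__main__":
    timeline = merge_timeline(read_chrome_history(build_sample_chrome_db()),
                              read_firefox_history(build_sample_firefox_db()))
    for r in timeline:
        print(r["last_visit"], r["browser"], r["url"], r["title"])
```

The point worth remembering from the example is the epoch difference: the same calendar instant is 13146019200000000 in Chrome's table and 1501545600000000 in Firefox's, and feeding one into the other's converter silently shifts every event by 369 years, which is the kind of error a commercial parser hides from you but a hand-written one will not.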

Microsoft Internet Explorer and Microsoft Edge analysis with Belkasoft Evidence Center

Hopefully, you have already added Belkasoft Evidence Center to your Windows forensic toolkit. As you will remember, it can help you to carve data out of memory dumps. Of course, this is not the only task it can help you to solve. It has robust support for hundreds of Windows operating system forensic artifacts, including different web browsers. In this recipe, we will show you how to use it for Microsoft Internet Explorer and Microsoft Edge forensic analysis.

Getting ready

If you already have Belkasoft Evidence Center installed, just start the tool. Otherwise, use the trial download link from the See also section to obtain a trial version...

Extracting web browser data from Pagefile.sys

You already know that you can extract quite a lot of useful forensic artifacts from a memory dump. But there is more: you can perform memory forensics even without a memory dump. There are files on the drive that contain parts of what was in memory: pagefile.sys, swapfile.sys, and hiberfil.sys, all located at the system root (C:\). In this recipe, we will show you how to extract browser data from pagefile.sys with Belkasoft Evidence Center.

Getting ready

First of all, make sure you have Belkasoft Evidence Center with a valid licence (or a trial version) installed on your workstation. Then, use a tool of your choice, for example FTK Imager, to export data from...
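Because pagefile.sys has no structure of its own, tools that extract browser data from it carve for recognisable strings rather than parse a format. The following is an added example, not code from the book or from Belkasoft Evidence Center, showing the core of that technique: a streaming URL carver that scans a raw byte file for http(s) URLs in both ASCII and UTF-16LE (Windows and browser UI strings are frequently UTF-16), records the byte offset of each hit, and overlaps its read chunks so a URL straddling a chunk boundary is still recovered. The sample buffer, its URLs and the helper names are constructed for the example; `carve_file` is what you would point at a pagefile.sys exported with FTK Imager.

```python
import re

# Byte patterns for http(s) URLs as they sit in memory-backed files:
# plain ASCII (network buffers, on-disk strings) and UTF-16LE (Windows/browser UI strings).
ASCII_URL = re.compile(rb"https?://[A-Za-z0-9\-._~:/?#@!$&'()*+,;=%]{4,200}")
UTF16LE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}")

# Punctuation that commonly follows a URL in free text and is not part of it.
TRAILING_PUNCT = ".,;:'\")"


def carve_urls(data, base_offset=0):
    """Return URL hits found in a byte buffer, sorted by offset.
    Each hit: {'offset': absolute byte offset, 'encoding': 'ascii' | 'utf-16-le', 'url': str}."""
    hits = []
    for m in ASCII_URL.finditer(data):
        url = m.group(0).decode("ascii").rstrip(TRAILING_PUNCT)
        hits.append({"offset": base_offset + m.start(), "encoding": "ascii", "url": url})
    for m in UTF16LE_URL.finditer(data):
        url = m.group(0).decode("utf-16-le").rstrip(TRAILING_PUNCT)
        hits.append({"offset": base_offset + m.start(), "encoding": "utf-16-le", "url": url})
    hits.sort(key=lambda h: h["offset"])
    return hits


def carve_file(path, chunk_size=64 * 1024 * 1024, overlap=4096):
    """Stream a large file (e.g. an exported pagefile.sys) in chunks. Each chunk is prefixed with
    the tail of the previous one so a URL split across the boundary is matched whole; hits are
    keyed by absolute offset and the longest match at an offset wins (the truncated prefix seen
    at the end of the earlier chunk is replaced by the full URL seen in the overlap)."""
    found = {}
    with open(path, "rb") as f:
        offset = 0
        tail = b""
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            data = tail + block
            base = offset - len(tail)
            for hit in carve_urls(data, base):
                prev = found.get(hit["offset"])
                if prev is None or len(hit["url"]) > len(prev["url"]):
                    found[hit["offset"]] = hit
            offset += len(block)
            tail = data[-overlap:]
    return sorted(found.values(), key=lambda h: h["offset"])


def build_sample_pagefile():
    """Constructed stand-in for a slice of pagefile.sys: binary noise around one ASCII URL
    and one UTF-16LE URL, since a real page file mixes both encodings."""
    return (
        b"\x00" * 16
        + b"junk http://example.com/login?user=alice\x00"
        + b"\xff\x01"
        + "https://example.org/search?q=forensics".encode("utf-16-le")
        + b"\x00\x00not a url: ftp://x"
    )


if __name__ == "__main__":
    for hit in carve_urls(build_sample_pagefile()):
        print(f"0x{hit['offset']:08x} {hit['encoding']:9s} {hit['url']}")
    # On a real case: for hit in carve_file(r"C:\exports\pagefile.sys"): ...
```

Offsets matter in this kind of work: a hit at a given offset can be cross-referenced with other artifacts carved from the same neighbourhood of the file (cookies, form data, page titles) to reconstruct which browsing session a URL belonged to, something a bare list of unique strings cannot give you. The overlap must be at least as long as the longest match you allow (here 200 UTF-16 characters, i.e. 400 bytes), otherwise a boundary-straddling URL can still be lost.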
