1 Introduction

One of the most common ways of accessing the Internet is through a web browser, which also gives users the means to commit traditional crimes online or crimes that exist only online. Web browser forensics is a sub-field of computer forensics. The objective of computer forensics is to identify, collect, preserve and analyse data that contains evidence in a way that keeps the integrity of that evidence intact, so that it can be presented as evidence in a court of law. Web browser forensics analyses and extracts evidence about a user's Internet browsing activity. It is mostly used to examine a computer's browser history and general web activity in order to look for suspicious behaviour or unauthorised access. To obtain precise information about a targeted system, this also extends to tracking website traffic and analysing server-generated log files. Computer forensics, as a form of forensic investigation, aims to identify and analyse the digital evidence that remains stored on computers and their associated storage media.

Nearly everyone, including suspects under investigation, uses the Internet. A suspect might use a web browser to gather information, to cover up their misconduct, or to look for other ways to commit crimes. Searching for web-browsing-related data is therefore frequently an important part of a digital forensic investigation: nearly every action a suspect takes through a web browser leaves a record on the computer, and that record is useful when an investigator examines the suspect's machine. Evidence from a suspect's computer, including cookies, cache, log data and download lists, can be examined to determine which websites were visited, when and how often they were accessed, and which search terms the suspect used.

A digital forensics analyst can use either dead (hard disk) forensics or live (RAM) forensics to extract evidence of the activities carried out by the user. RAM is volatile, but while the system is running it holds important details about the programs and applications the user has recently executed; those details are lost when the machine is powered off, which is why memory must be acquired before any shutdown. In this research paper we used RAM forensics techniques to extract evidence of browser activity from Google Chrome, Mozilla Firefox and the Brave web browser.

The remainder of the paper is organised as follows: related work is reviewed in Sect. 2; the RAM forensics methodology, data modelling, laboratory set-up and results are presented in Sects. 3, 4, 5 and 6 respectively; the results are discussed in Sect. 7 and the paper is concluded in Sect. 8.

2 Literature Survey

To understand the current state of research in browser forensics, we reviewed recently published papers in this domain. Donny J. Ohan, Narasimha and Shashidhar [1] studied artefact extraction from Google Chrome, Mozilla Firefox, Apple Safari and Internet Explorer in private and portable browsing modes. Andrew and team [2] discussed the forensics of Google Chrome in both normal and private mode, recovering evidence of Internet activity from the hard disk. Junghoon Oh and team [3] considered browser log files as a source of data for artefact extraction. Huwida Said and team [4] collected evidence using RAM analysis. D. Rathod [5, 9] took a RAM dump to gather artefacts of Internet activity from Google Chrome installed on Windows. In their study "Digital Forensic Analyses of Web Browser Records", E. Akbal, Futma G. and Ayhan [6] describe how web browsers and operating systems store data. In "Forensics Investigation of Web Application Security Attacks", Amor L. and Thabet S. [7] discussed the concept of web application forensics, describing it as a subset of network forensics, and proposed a procedure to support the investigation of web application security incidents. J. Oh, S. Lee and team [8] evaluated the following web browser forensic tools: WEFA, CacheBack 3.17, EnCase 6.13, FTK 3.2 and NetAnalysis 1.52, and concluded that WEFA was the best tool for browser forensics.

Our review of the literature shows that most researchers used browser history, local files or hard disk examination as their primary sources of data for extracting material about online activity. In this paper we focus instead on extracting evidence of Google searches, Facebook, WhatsApp Web, e-commerce sites and movie sites from the Google Chrome, Mozilla Firefox and Brave web browsers, using RAM forensics techniques with Volatility 3, Belkasoft Evidence Center X, FTK Imager and Python 3.

3 Methodology

In this section we describe the methodology adopted to carry out the web browser forensics experiment.

Fig. 1. RAM Forensics Methodology

As shown in Fig. 1, when the first responder reaches the crime scene they must first check whether the system is switched on or off. If it is switched on, a RAM dump is taken with FTK Imager or another memory acquisition tool; if it is switched off, dead forensics techniques are used instead, since the contents of RAM are already lost. It is important to record the hash value of the image, which becomes part of the chain of custody and allows the integrity of the evidence to be verified later [10, 11]. The RAM dump is then analysed with Autopsy and FTK. After this analysis we use keyword search techniques to identify evidence, and this process continues until the required evidence is found. Once it is found, the digital forensic analyst prepares the report that will be produced in court.
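The hash-and-verify step of the chain of custody, as an added example (this is not code from the paper, nor from FTK Imager or Belkasoft): the image file is hashed in chunks at acquisition, the digests are stored in a custody record, and the same routine recomputes them before analysis so that any change to the image is detected. The file names, the record layout and the contents of the sample image are assumptions for illustration.

```python
"""Acquisition hash and chain-of-custody check for a memory image (added example)."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces: a RAM image is far larger than we want in memory at once


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a binary stream, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Same digests for an in-memory byte string (used to check the routine against known vectors)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_image(path, algorithms=("md5", "sha256")):
    """Digests of the image file at `path`."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def make_custody_record(path, examiner, tool, notes=""):
    """Chain-of-custody entry: who acquired what, when, with which tool, and the hashes. Layout is an assumption."""
    return {
        "evidence_file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "tool": tool,
        "hashes": hash_image(path),
        "notes": notes,
    }


def verify_image(path, record):
    """Recompute every recorded digest; True only if all of them still match."""
    current = hash_image(path, algorithms=tuple(record["hashes"]))
    return all(current[name] == digest for name, digest in record["hashes"].items())


def demo():
    """Constructed walk-through: a fake dump, a record, a verify, then a one-byte change."""
    workdir = tempfile.mkdtemp()
    dump = os.path.join(workdir, "memChrome.mem")  # file name from the paper; content is synthetic
    with open(dump, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"https://www.google.com/search?q=nature+images" + b"\x00" * 4096)

    record = make_custody_record(dump, examiner="analyst-1", tool="FTK Imager (assumed)")
    with open(os.path.join(workdir, "custody.json"), "w") as fh:
        json.dump(record, fh, indent=2)
    intact = verify_image(dump, record)

    # Flip one byte, as a bad copy or an accidental write to the image would; verification must now fail.
    with open(dump, "r+b") as fh:
        fh.seek(10)
        fh.write(b"\x01")
    tampered = verify_image(dump, record)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Record both a legacy digest and SHA-256: many court and lab templates still ask for MD5, but the SHA-256 value is the one that actually proves the copy is unchanged.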

4 Data Modeling

Table 1. Data modelling

The goal of this paper is to show what kind of artefacts can be recovered in different situations. To generate a realistic scenario, we created the data model shown in Table 1, in which various activities such as searching for keywords in the Google search engine, logging in, posting photos and chatting on Facebook and WhatsApp Web are carried out through Google, Facebook and WhatsApp Web. After these activities were carried out, we took a RAM dump and analysed it with forensic tools to identify the evidence.

5 Laboratory Set-Up

We carried out the browser forensics on a Dell Inspiron 15R laptop with 8 GB RAM, an Intel i5 processor, a 1 TB HDD and an AMD Radeon HD 8730M 2 GB GPU, running Windows 10 Home (build version 15.19042). The scenario was created with Google Chrome version 90.0.4430.93, Mozilla Firefox 86.0.1 (x64 en-US) and Brave version 90.1.24.812. We used the following additional tools for imaging and analysis:

  1. FTK Imager: used to acquire the memory dump.

  2. FTK (Forensic Toolkit): computer forensics software, used to process the memory dump and extract the evidence.

  3. Volatility 3 Framework: the most widely used open-source framework for extracting digital evidence from volatile memory (RAM).

  4. Belkasoft Evidence Center X: a digital forensics suite used to acquire, examine and analyse evidence from computers, mobile devices, cloud services and RAM.

6 Results

In this section we discuss the evidence extracted in the Google Chrome, Mozilla Firefox and Brave web browser forensics.

6.1 Google Chrome Browser Forensics

We created the scenarios listed in Table 1 and took a RAM dump with Belkasoft. The RAM dump file memChrome.mem was processed with Volatility 3, as shown in Fig. 2, and the recovered process list is shown in Fig. 3. The list gives each process with its name and creation time, which is important evidence of which programs the user recently executed.
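A script for the step this paragraph describes, added here as an example (it is not code from the paper or from the Volatility project): it parses the tab-separated table that the `windows.pslist` plugin prints, keeps only the browser processes, orders them by creation time and groups each browser's helper processes under its main process, so the analyst can read off when each browser was started, how many processes it spawned and which of them had already exited. The listing embedded below is constructed in the layout of that output; every PID, offset and timestamp in it is invented.

```python
"""Reading browser processes out of Volatility 3 `windows.pslist` output (added example)."""
from datetime import datetime

BROWSERS = {"chrome.exe", "firefox.exe", "brave.exe"}

# Constructed sample in the shape of `vol.py -f memChrome.mem windows.pslist` (tab-separated, header row).
SAMPLE_PSLIST = """Volatility 3 Framework 2.0.0
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xa10ad6a6d040\t156\t-\tN/A\tFalse\t2021-05-10 09:02:11.000000\tN/A\tDisabled
620\t4\tsmss.exe\t0xa10ad7a8d040\t2\t-\tN/A\tFalse\t2021-05-10 09:02:11.000000\tN/A\tDisabled
3180\t2520\texplorer.exe\t0xa10ad9c5e080\t71\t-\t1\tFalse\t2021-05-10 09:03:40.000000\tN/A\tDisabled
5112\t3180\tchrome.exe\t0xa10adb1a3080\t32\t-\t1\tFalse\t2021-05-10 09:15:02.000000\tN/A\tDisabled
5140\t5112\tchrome.exe\t0xa10adb21e080\t9\t-\t1\tFalse\t2021-05-10 09:15:03.000000\tN/A\tDisabled
5388\t5112\tchrome.exe\t0xa10adb3f7080\t14\t-\t1\tFalse\t2021-05-10 09:15:05.000000\tN/A\tDisabled
6312\t5112\tchrome.exe\t0xa10adc3aa080\t0\t-\t1\tFalse\t2021-05-10 09:20:41.000000\t2021-05-10 09:22:03.000000\tDisabled
6020\t3180\tfirefox.exe\t0xa10adc0c1080\t45\t-\t1\tFalse\t2021-05-10 09:31:27.000000\tN/A\tDisabled
6044\t6020\tfirefox.exe\t0xa10adc1b9080\t22\t-\t1\tFalse\t2021-05-10 09:31:29.000000\tN/A\tDisabled
"""


def _parse_time(value):
    """Volatility prints 'N/A' for the ExitTime of a running process; anything else is a timestamp."""
    value = value.strip()
    if value in ("N/A", "-", ""):
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def parse_pslist(text):
    """Turn the pslist table into a list of dicts keyed by the header names (column order does not matter)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next(i for i, ln in enumerate(lines) if ln.startswith("PID\t"))
    columns = lines[header].split("\t")
    rows = []
    for ln in lines[header + 1:]:
        fields = ln.split("\t")
        if len(fields) != len(columns):
            continue  # banner, warning or wrapped line: not a table row
        row = dict(zip(columns, (f.strip() for f in fields)))
        row["PID"], row["PPID"] = int(row["PID"]), int(row["PPID"])
        row["CreateTime"] = _parse_time(row["CreateTime"])
        row["ExitTime"] = _parse_time(row["ExitTime"])
        rows.append(row)
    return rows


def browser_processes(rows, names=BROWSERS):
    """Browser processes ordered by creation time (then PID, for a stable order)."""
    picked = [r for r in rows if r["ImageFileName"].lower() in names]
    return sorted(picked, key=lambda r: (r["CreateTime"] or datetime.min, r["PID"]))


def _root_pid(pid, by_pid, names):
    """Walk up PPID links while the parent is still a browser process; guard against PID-reuse loops."""
    seen = set()
    while pid not in seen:
        seen.add(pid)
        parent = by_pid.get(by_pid[pid]["PPID"])
        if parent is None or parent["ImageFileName"].lower() not in names:
            return pid
        pid = parent["PID"]
    return pid


def browser_sessions(rows, names=BROWSERS):
    """Group helper processes under the browser's main process: {root PID: [child PIDs in start order]}."""
    by_pid = {r["PID"]: r for r in rows}
    sessions = {}
    for r in browser_processes(rows, names):
        root = _root_pid(r["PID"], by_pid, names)
        sessions.setdefault(root, [])
        if root != r["PID"]:
            sessions[root].append(r["PID"])
    return sessions


def session_summary(rows, names=BROWSERS):
    """One tuple per browser launch: (image name, main PID, start time, process count, exited count)."""
    by_pid = {r["PID"]: r for r in rows}
    out = []
    for root, children in browser_sessions(rows, names).items():
        members = [by_pid[root]] + [by_pid[c] for c in children]
        started = by_pid[root]["CreateTime"]
        out.append((by_pid[root]["ImageFileName"], root,
                    started.isoformat(" ") if started else "N/A",
                    len(members), sum(1 for m in members if m["ExitTime"] is not None)))
    return out


if __name__ == "__main__":
    for line in session_summary(parse_pslist(SAMPLE_PSLIST)):
        print(line)
```

A renderer that has exited but still appears in the list (PID 6312 above) is worth noting in the report: its memory may already be reused, so strings attributed to that tab are less likely to survive in the image.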

Fig. 2. Image Info (Volatility 3)

Fig. 3. Process List (Volatility 3)

Fig. 4. Searched text in the Google Search Engine

Fig. 5. Visited URL by user

The extracted evidence in Fig. 4 shows that the user searched for "nature image" in the Google search engine, and Fig. 5 shows the URL of the site the user visited. Figure 6 shows the image the user downloaded; this evidence was extracted with Belkasoft.
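The keyword search that produces this kind of evidence, written out as a script (an added example, not code from the paper or from FTK, Belkasoft or Volatility): it scans the raw bytes of a RAM dump for printable strings in both ASCII and UTF-16LE (Windows browser processes keep many of their strings in the latter, so a search in one encoding alone misses artefacts), carves URLs out of them, decodes the Google search term from the `q=` parameter, and pulls out the mobile number of a WhatsApp Web session. The same approach covers the search-term, visited-URL and WhatsApp-number evidence reported in Sects. 6.1 to 6.3. The sample image is constructed; the `<number>@c.us` identifier used for the WhatsApp number is an assumption about how WhatsApp Web refers to contacts, and should be confirmed against your own dump before being relied on.

```python
"""Carving URLs, Google search terms and a WhatsApp number out of a raw memory image (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")            # like `strings -a`
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # like `strings -el`: UTF-16LE runs
URL_RE = re.compile(r"https?://[^\s\"'<>\x00]{4,}")
WA_JID_RE = re.compile(r"\b(\d{8,15})@c\.us\b")       # assumed WhatsApp Web contact id layout


def build_sample_image():
    """Constructed stand-in for a RAM dump: padding around three artefacts in two encodings."""
    ascii_part = b"https://www.google.com/search?q=nature+images&oq=nature+images"
    wide_part = "https://www.facebook.com/login/".encode("utf-16-le")
    whatsapp = b'"id":"919876543210@c.us"'
    return (b"\x00" * 64 + ascii_part + b"\x01\x02" + b"\xff" * 32
            + wide_part + b"\x00\x00" + whatsapp + b"\x00" * 16)


def extract_strings(image):
    """Yield (byte offset, decoded text, encoding) for every printable run in the image."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), m.group().decode("ascii"), "ascii"
    for m in UTF16_RUN.finditer(image):
        yield m.start(), m.group().decode("utf-16-le"), "utf-16le"


def carve_urls(image):
    """[(offset, url, encoding)] for every distinct URL, first occurrence only, in offset order."""
    seen, found = set(), []
    for off, text, enc in extract_strings(image):
        width = 2 if enc == "utf-16le" else 1
        for m in URL_RE.finditer(text):
            url = m.group().rstrip(".,;)")
            if url not in seen:
                seen.add(url)
                found.append((off + m.start() * width, url, enc))
    return sorted(found)


def google_queries(urls):
    """Search terms from Google search URLs: parse_qs decodes '+' and %xx for us."""
    terms = []
    for _, url, _ in urls:
        parts = urlsplit(url)
        if parts.netloc.endswith("google.com") and parts.path.startswith("/search"):
            terms.extend(parse_qs(parts.query).get("q", []))
    return terms


def whatsapp_numbers(image):
    """Distinct phone numbers that appear as WhatsApp Web contact ids, in order of first sighting."""
    numbers = []
    for _, text, _ in extract_strings(image):
        for m in WA_JID_RE.finditer(text):
            if m.group(1) not in numbers:
                numbers.append(m.group(1))
    return numbers


if __name__ == "__main__":
    img = build_sample_image()
    for off, url, enc in carve_urls(img):
        print(f"0x{off:08x} {enc:8s} {url}")
    print("google queries:", google_queries(img and carve_urls(img)))
    print("whatsapp numbers:", whatsapp_numbers(img))
```

Against a real image, read the file with `mmap` rather than into a bytes object, and keep the offsets: they let you go back to the surrounding bytes with Volatility (for example to attribute the string to a process) and they are what the report cites.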

Fig. 6. Image which was downloaded by the user (Belkasoft)

Evidence of the Facebook login is shown in Fig. 7, and evidence of the people searched for on Facebook is shown in Fig. 8.

Fig. 7. Facebook login page (FTK)

Fig. 8. People search details in Facebook (FTK)

We were able to extract from RAM the user's Facebook profile picture, shown in Fig. 9; the original profile picture is shown in Fig. 10.

Fig. 9. Extracted profile picture of the user in Facebook

Fig. 10. Original photo

We were unable to find artefacts relating to friend requests sent, messages sent or photos sent, but were able to find the video call attempt shown in Fig. 11 using FTK. Figure 12 shows that the user searched for "web whatsapp" in the Google search engine, and Fig. 13 shows the mobile number the user used to log in to WhatsApp Web.

Fig. 11. Video call through Facebook (FTK)

Fig. 12. WhatsApp Web search details (FTK)

Fig. 13. WhatsApp Web login number retrieved (FTK)

As far as WhatsApp Web calling and chat are concerned, we were able to recover an artefact containing the receiver's mobile number (Fig. 14) and to identify the user (mobile number) with whom the chat took place (Fig. 15). We were not able to find evidence of the content of the chat.

Fig. 14. WhatsApp Web receiver mobile number (FTK)

Fig. 15. WhatsApp Web chat receiver

6.2 Mozilla Firefox Browser Forensics

We created the scenario listed in Table 1 with Mozilla Firefox and took the RAM dump using Belkasoft. The RAM dump was processed with FTK and Belkasoft to identify evidence of the activities we performed. In this section we discuss the evidence identified for the various activities.

The RAM image was processed with Volatility 3, as shown in Fig. 16, and the process list is shown in Fig. 17, where the Mozilla Firefox processes can be identified along with their creation times.

Fig. 16. Image info (Volatility 3)

Fig. 17. Process list (Volatility 3)

The user searched for nature images in the Google search engine, and we were able to find evidence of the search term in RAM, as shown in Fig. 18. We were also able to find the URL of the site from which the nature image was downloaded, as shown in Fig. 19.

Fig. 18. Google search results (FTK)

Fig. 19. URL of the site from which the image was downloaded (FTK)

6.3 Brave Browser Forensics

The Brave browser is built on the open-source Chromium web core, and its client code is released under the Mozilla Public License 2.0 [13]. Brave is a browser that prides itself on the security and privacy it offers; it has more than 13 million active users per month [16], or 0.05% of the global desktop browser market share [17]. Given that Brave is open source and given its share of the desktop browser market, it is important to know what kind of evidence a digital forensic analyst can find when Brave has been used to commit a crime.

We carried out the activities listed in the data model of Table 1 using the Brave browser and took a RAM dump. The following evidence was obtained for those activities.

The RAM image taken for the Brave browser was processed with the Volatility 3 framework, as shown in Fig. 20, and the process list produced by Volatility 3 is shown in Fig. 21, where the Brave browser processes can be seen along with their creation times.

Fig. 20. Image info of Brave browser (Volatility 3)

Fig. 21. Process list (Volatility 3)

The user searched for nature images in the Google search engine, and we recovered evidence of this search, shown in Fig. 22. We were also able to find the URL of the website from which the user downloaded the nature images (Fig. 23).

Fig. 22. Search text in the Google search engine

Fig. 23. URL of the site from which the image was downloaded

Evidence of the keyword search "Adobe" and of the URL of the site from which Adobe was downloaded was recovered from RAM; these are shown in Fig. 24 and Fig. 25 respectively.

Fig. 24. "Adobe" keyword search in the Google search engine

Fig. 25. URL of the site from which Adobe was downloaded

Evidence of the free movie search, the URL of the site from which the movie was downloaded and the URL of the YouTube video the user watched is shown in Fig. 26, Fig. 27 and Fig. 28 respectively.

Fig. 26. Movie search in the Google search engine (FTK)

Fig. 27. URL of the site from which the movie was downloaded (FTK)

Fig. 28. YouTube URL of the video (Belkasoft)

7 Result Discussion

The results show that for Google Chrome, Mozilla Firefox and Brave we were able to extract from RAM evidence of the recent process list, Google search terms together with the URLs of recently visited sites, downloaded images together with the sites they came from, people searches on Facebook, the Facebook profile, Facebook video call information, WhatsApp Web login details including the mobile number, and the URLs of sites from which the user downloaded movies or software. Artefacts of the WhatsApp Web chat (the receiver's number, not the message content) were found in the case of Google Chrome; the Facebook ID and password were recovered from RAM in the case of Mozilla Firefox, and the Facebook ID in the case of Brave. The presence of a clear-text password in memory is notable in itself: anyone who obtains a memory image of the running machine, not only a forensic examiner, can recover that credential.

8 Conclusion

A web browser is a software application used to navigate the Internet. Many people today use web browsers to search on the Google search engine, access social media sites and email applications, watch videos on YouTube and so on. Digital forensics is the branch of forensic science that deals with the acquisition, collection, analysis and reporting of digital evidence. Criminals today use web browsers to commit offences, so it is important that the digital forensic analyst knows the techniques for recovering evidence from the browser. In this paper we focused on the well-known browsers Google Chrome, Mozilla Firefox and Brave, and showed that RAM forensics is an important technique for recovering evidence of the recent activities carried out by the user.