Sunday, 25 December 2022

Digital Forensics: Browser forensics


Browsers keep a record of visited websites, which can reveal a user's search history and potential malicious activity.

Kroll Artifact Parser And Extractor (KAPE)


KAPE gives you access to targets and modules for the most common operations required in forensic exams, helping investigators gather a wider range of artifacts.

ChromeHistoryView

ChromeHistoryView is a small utility that reads the history data file of the Google Chrome web browser and displays the list of all visited web pages.


Google Chrome's browsing data is stored in the user's AppData\Local\Google\Chrome\User Data\Default directory.


Browser forensics Lab


Instruction

We found that an attacker compromised the machine and downloaded malware. Please help find the URL used by the attacker.

Download History


Hint

Reveal download activity from Browser History.


Step 1. Collecting browser artifacts with KAPE


Step 2. Chrome History provides analysts with the following information: 

ChromeHistoryView is a free utility developed by NirSoft.

To run it, navigate to the folder where you downloaded and extracted the tool, and double-click ChromeHistoryView.exe.


When it opens, load the history from the user's data folder via the Advanced Options menu.

Then navigate to the path of the user's profile in your KAPE collection.
Click OK and it displays the Chrome history.

Chrome History

Step 3. SQLite Viewer Web App

SQLite Viewer Web is a free, web-based SQLite Explorer, inspired by DB Browser for SQLite and Airtable.

URL Table

Or SQLite Browser


Open SQLite Browser and open the Chrome History database (the file named History) stored at C:\Users\<User Name>\AppData\Local\Google\Chrome\User Data\Default.
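As an added example (not part of the original lab, ChromeHistoryView or SQLite Browser), the same lookups the lab questions ask for can be run directly in Python against the History database. The sample rows, the site names and the 25 December 2022 reference time are constructed, and only a subset of Chrome's real schema (urls, visits, downloads, downloads_url_chains) is created; Chrome stores times as microseconds since 1601-01-01 UTC, which the helper converts.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_webkit(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))

NOW = datetime(2022, 12, 25, tzinfo=timezone.utc)  # analysis reference time (constructed)

def build_sample_history():
    """Constructed in-memory stand-in for Chrome's History file (a subset of its schema)."""
    db = sqlite3.connect(":memory:")  # point this at the collected History file for real data
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER, referrer TEXT);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);""")
    t = lambda days_ago: to_webkit(NOW - timedelta(days=days_ago))
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://intranet.example/", "Intranet Home", 5, t(1)),
        (2, "https://files.example/tools", "Free Tools", 2, t(2)),
        (3, "https://old.example/", "Old Site", 9, t(40))])  # constructed; outside a 30-day window
    db.executemany("INSERT INTO visits VALUES (?,?,?,?)",
                   [(1, 1, t(1), 0), (2, 2, t(2), 1)])  # from_visit: visit 2 was reached from visit 1
    db.execute("INSERT INTO downloads VALUES (1,?,?,?)",
               (r"C:\Users\analyst\Downloads\update.exe", t(2), "https://files.example/tools"))
    db.executemany("INSERT INTO downloads_url_chains VALUES (1,?,?)",  # redirect chain; last hop is the real source
                   [(0, "https://files.example/tools/get"), (1, "https://cdn.example/dl/update.exe")])
    return db

def sites_visited_since(db, days):  # Q1: sites visited in the last N days
    cutoff = to_webkit(NOW - timedelta(days=days))
    return [r[0] for r in db.execute("SELECT url FROM urls WHERE last_visit_time >= ? ORDER BY id", (cutoff,))]

def most_visited(db):  # Q2: most frequently visited URL with its page title
    return db.execute("SELECT url, title, visit_count FROM urls ORDER BY visit_count DESC LIMIT 1").fetchone()

def downloads(db):  # Q3: downloaded file, the final URL in its redirect chain, and the referrer
    return db.execute("""SELECT d.target_path, c.url, d.referrer FROM downloads d
        JOIN downloads_url_chains c ON c.id = d.id
        WHERE c.chain_index = (SELECT MAX(chain_index) FROM downloads_url_chains WHERE id = d.id)""").fetchall()

def visits_with_referrer(db):  # Q5: URL, title and referring page (via from_visit) for each visit
    return db.execute("""SELECT u.url, u.title, r.url FROM visits v JOIN urls u ON u.id = v.url
        LEFT JOIN visits p ON p.id = v.from_visit LEFT JOIN urls r ON r.id = p.url ORDER BY v.id""").fetchall()
```

On a collected History file, copy it out of the KAPE collection first so Chrome's lock on the live file does not interfere with sqlite3.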






Step 4. Check suspicious websites


Step 5. Tracking changes over time with the Wayback Machine


Q1. What sites have been visited in the last ___ days?
Ans:

Q2. How many times was a site visited (visit-frequency information), and what were the page titles of the pages the user visited?
Ans:

Q3. What is the name of the malicious file that was downloaded?
Ans:

Hint

Reveal download activity from Browser History.

Q4. What is the profile of the user who downloaded the malicious file?
Ans:

Q5. What are the URL, page title, and referring website for the visits made by the insider threat?
Ans:

Read more: How to analyze WebCacheV01.dat

Note: The content on this website is provided for informational purposes, to share knowledge and to give interested members of the public, including pupils and students, the opportunity to research information for study purposes only.

* If any information is incorrect, we apologize here. Please notify the Admin so it can be corrected.
Thank you.

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD

