Forensics On Browsers

Dolyetyus
21 April 2020
Welcome TurkHackTeam Members,

In this topic I will walk through a forensic examination of a web browser. The walkthrough uses Google Chrome, whose history database we will examine table by table.

INSTALLATION OF REQUIRED SOFTWARE

You can download SQLite Expert Personal, the software we will use to open SQLite-format files, from the link below:

Code:
https://www.gezginler.net/indir/sqlite-expert-personal.html

VirusTotal report for the installer:

Code:
https://www.virustotal.com/gui/file/ded898ae09a138accf8983dc8f49812294d2e504ffc69f4c3d704a6bba90c31b/detection

FORENSIC EXAMINATION OF THE BROWSER

Every action the user takes in the browser (page visits, downloads, searches, and so on) is recorded. In Chrome these records live in the profile's "History" file, which can be examined in several ways; the data recovered from it can serve as forensic evidence. We will now open these records and go through the browser forensic examination step by step.

First, let's see which directory the browser history is kept in. You can reach Chrome's History file by following the path below. This file, which holds the user's browsing history, is an SQLite database with no file extension. Chrome keeps it open and locked while the browser is running, so copy the History file (and any History-journal file beside it, preferably from a forensic image rather than the live machine) to a working folder and examine the copy. The path below is for the Default profile; additional profiles are stored in sibling folders named "Profile 1", "Profile 2", and so on.

Code:
C:\Users\username\AppData\Local\Google\Chrome\User Data\Default



We now run SQLite Expert Personal to open the History file. After starting the tool, click the "Open Database" button at the top left of the File section and select the History file. The tables in the database are then listed as shown below.



First, let's take a look at the "urls" table. Each row is one distinct URL, and its columns are:
id: the id of the URL, which the other tables use to refer to it,
url: the URL address,
title: the page title recorded for the URL,
visit_count: how many times the URL has been visited,
typed_count: how many times the URL was typed manually into the address bar,
last_visit_time: when the URL was last visited, in Chrome's own time format (microseconds since 1 January 1601 UTC, not the Unix epoch),
hidden: whether the URL is suppressed from AutoComplete suggestions and therefore not shown to the user (1 = hidden, 0 = shown).



Now let's look at the "visits" table. Each row is one visit to a URL:

id: the id of the visit,
url: the id of the URL in the "urls" table described above; look the value up in "urls" to find which address the visit corresponds to,
visit_time: the time of this visit (same format as last_visit_time),
from_visit: the id of the visit that led to this one (the referring visit, 0 if there is none), which lets the navigation chain be rebuilt,
transition: how the address was reached (link click, manual URL entry, reload, form submission, and so on), stored as a bitfield: the low 8 bits hold the core transition type and the high bits carry qualifier flags such as redirects,
segment_id: the id of the corresponding entry in the "segments" table,
visit_duration: the total time spent at the address, in microseconds.
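The "urls" and "visits" tables above can be pulled together with a short script instead of being read row by row in the GUI. The following is an added example and not code from the original post: it builds an in-memory SQLite database with the urls and visits columns described above (the rows are constructed sample data), converts Chrome's timestamps (microseconds since 1 January 1601 UTC) to readable UTC times, decodes the transition bitfield using the core types and qualifier flags from Chromium's page_transition_types, and follows from_visit back to the referring URL. The open_history helper shows how to open a copied History file read-only with SQLite's immutable=1 URI option, which sidesteps the lock Chrome leaves on the live file. The URLs, titles, times, and paths are assumptions made for the demonstration.

```python
"""Walk the urls and visits tables of a Chrome History database.

Added example, not code from the original post. Column names are those of
Chrome's History schema; every row is constructed sample data loaded into an
in-memory database so the script runs without a real profile.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core transition types (low 8 bits of visits.transition), as defined in
# Chromium's page_transition_types.
CORE_TRANSITIONS = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}
# Qualifier flags carried in the high bits of the same column.
QUALIFIERS = {
    0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
    0x10000000: "CHAIN_START", 0x20000000: "CHAIN_END",
    0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT",
}

def webkit_to_utc(value):
    """WebKit microsecond timestamp -> aware UTC datetime (0 means unset)."""
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None

def utc_to_webkit(dt):
    """Inverse of webkit_to_utc; used here only to build the sample rows."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def decode_transition(value):
    """Return (core type, [qualifier flags]) for a visits.transition value."""
    core = CORE_TRANSITIONS.get(value & 0xFF, "UNKNOWN")
    return core, [name for bit, name in QUALIFIERS.items() if value & bit]

def open_history(path):
    """Open a *copied* History file read-only, ignoring any stale lock."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)

def build_sample_history():
    """Constructed in-memory database with the columns discussed above."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER,
            last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
            visit_time INTEGER, from_visit INTEGER, transition INTEGER,
            segment_id INTEGER, visit_duration INTEGER);
    """)
    t1 = utc_to_webkit(datetime(2020, 4, 21, 10, 0, 0, tzinfo=timezone.utc))
    t2 = t1 + 45 * 10**6   # 45 s later: a link clicked on the first page
    t3 = t2 + 90 * 10**6   # the first page reloaded
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://www.turkhackteam.org/", "TurkHackTeam", 2, 1, t3, 0),
        (2, "https://example.com/login", "Sign in", 1, 0, t2, 0),
    ])
    typed = 1 | 0x02000000 | 0x10000000 | 0x20000000  # TYPED, address bar
    link = 0 | 0x10000000 | 0x20000000                # LINK
    reload = 8 | 0x10000000 | 0x20000000              # RELOAD
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", [
        (1, 1, t1, 0, typed, 1, 45 * 10**6),
        (2, 2, t2, 1, link, 2, 12 * 10**6),
        (3, 1, t3, 0, reload, 1, 0),
    ])
    con.commit()
    return con

def visit_report(con):
    """Chronological visit list with the referrer resolved via from_visit."""
    rows = con.execute("""
        SELECT v.id, u.url, u.title, v.visit_time, v.transition,
               v.visit_duration, ru.url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits fv ON fv.id = v.from_visit
        LEFT JOIN urls ru ON ru.id = fv.url
        ORDER BY v.visit_time
    """)
    report = []
    for vid, url, title, when, transition, duration, referrer in rows:
        core, flags = decode_transition(transition)
        report.append({"id": vid, "url": url, "title": title,
                       "time": webkit_to_utc(when), "core": core,
                       "flags": flags, "duration_s": duration / 10**6,
                       "referrer": referrer})
    return report

if __name__ == "__main__":
    for row in visit_report(build_sample_history()):
        print(row["time"], row["core"], row["flags"], row["url"],
              "<-", row["referrer"])
```

To run this against real evidence, replace build_sample_history() with open_history("path/to/copied/History"); the immutable=1 option tells SQLite not to take locks or look for a journal, so it must only be used on a copy that is not being written to.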



When we look at the "downloads" table, we find information about the downloads made through the browser:

guid: the unique identifier of the download,
current_path: the current location of the downloaded file on disk (while the transfer is still in progress this is the temporary .crdownload file),
target_path: the final location the file is saved to,
start_time: the time the download started,
received_bytes: how many bytes have been received so far,
total_bytes: the total size of the file (compare it with received_bytes to see whether the download completed),
opened: whether the file was opened from the browser (1 = opened),
last_access_time: the last time the file was accessed,
referrer: the page from which the download was started,
last_modified: the Last-Modified value the server reported for the file.



When we look at the "keyword_search_terms" table, the searches typed into the browser's search engine (Google by default, or any search engine registered in Chrome) appear here; each row is linked by url_id to the result page's entry in the "urls" table.



The "segments" table groups the visited addresses into segments (essentially one per site), which Chrome uses to build its Most Visited list; the segment_id column in "visits" points here.



The "downloads_url_chains" table lists, for each download id, every URL in the redirect chain that led to the file, in chain_index order; the last entry is the address the bytes were actually fetched from.
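The "downloads" and "downloads_url_chains" tables are most useful read together, so that each file on disk is tied to the full chain of URLs it came from. The following is an added example and not code from the original post: it builds an in-memory database with the downloads columns listed above plus the URL chain table (constructed sample data: one finished and opened executable reached through a URL shortener, and one PDF still in progress), converts the WebKit timestamps, derives completion from received_bytes and total_bytes as described above, and produces a short triage list of opened executables. File paths, GUIDs, URLs, and times are assumptions made for the demonstration.

```python
"""Downloads in a Chrome History database joined to their redirect chains.

Added example, not code from the original post. Column names follow Chrome's
History schema; the rows are constructed sample data in an in-memory database.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome time base

def webkit_to_utc(value):
    """WebKit microsecond timestamp -> aware UTC datetime (0 means unset)."""
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None

def utc_to_webkit(dt):
    """Inverse of webkit_to_utc; used here only to build the sample rows."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_downloads():
    """Constructed sample: a finished, opened .exe behind a URL shortener and
    a PDF still in progress (Chrome writes to a .crdownload file meanwhile)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, guid TEXT,
            current_path TEXT, target_path TEXT, start_time INTEGER,
            received_bytes INTEGER, total_bytes INTEGER, opened INTEGER,
            last_access_time INTEGER, referrer TEXT, last_modified TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER,
            url TEXT, PRIMARY KEY (id, chain_index));
    """)
    t = utc_to_webkit(datetime(2020, 4, 21, 11, 30, tzinfo=timezone.utc))
    dl = r"C:\Users\user\Downloads"   # assumed download folder
    con.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?,?)", [
        (1, "3f2a9c40-6b1e-4d7c-9a11-000000000001",
         dl + r"\invoice.exe", dl + r"\invoice.exe", t, 409600, 409600, 1,
         t + 120 * 10**6, "https://mail.example.com/inbox",
         "Tue, 21 Apr 2020 09:00:00 GMT"),
        (2, "3f2a9c40-6b1e-4d7c-9a11-000000000002",
         dl + r"\report.pdf.crdownload", dl + r"\report.pdf",
         t + 600 * 10**6, 1_000_000, 5_000_000, 0, 0,
         "https://docs.example.org/", ""),
    ])
    con.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://short.example/abc"),
        (1, 1, "https://cdn.example.net/files/invoice.exe"),
        (2, 0, "https://docs.example.org/report.pdf"),
    ])
    con.commit()
    return con

def download_report(con):
    """One dict per download with its URL chain and derived status flags."""
    chains = {}
    for did, _idx, url in con.execute(
            "SELECT id, chain_index, url FROM downloads_url_chains "
            "ORDER BY id, chain_index"):
        chains.setdefault(did, []).append(url)
    report = []
    for (did, target, current, start, got, total, opened, accessed,
         referrer, modified) in con.execute(
            "SELECT id, target_path, current_path, start_time, received_bytes,"
            " total_bytes, opened, last_access_time, referrer, last_modified"
            " FROM downloads ORDER BY start_time"):
        urls = chains.get(did, [])
        report.append({
            "id": did, "target_path": target, "current_path": current,
            "started": webkit_to_utc(start),
            "last_access": webkit_to_utc(accessed),
            "complete": total > 0 and got >= total,  # byte counters match
            "in_progress_file": current != target,   # still a .crdownload
            "opened": bool(opened), "referrer": referrer,
            "server_last_modified": modified,
            "url_chain": urls, "final_url": urls[-1] if urls else None,
            "redirected": len(urls) > 1,
        })
    return report

def opened_executables(report):
    """Triage view: completed downloads with an executable extension that
    were opened from the browser."""
    exts = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta")
    return [r for r in report
            if r["complete"] and r["opened"]
            and r["target_path"].lower().endswith(exts)]

if __name__ == "__main__":
    for r in download_report(build_sample_downloads()):
        print(r["started"], r["target_path"],
              "complete" if r["complete"] else "partial",
              "<-", " -> ".join(r["url_chain"]))
```

The redirected flag and final_url matter in practice: the referrer and the first link in the chain are what the user saw, while the last URL is the host that actually served the bytes, which is the one to check against threat intelligence.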



By examining the SQLite database in this way and reading the information it holds, we can obtain forensic evidence. The browser cache could likewise be listed by entering the following address in the browser's address bar. Note that current versions of Chrome no longer provide this page (the chrome://cache listing was removed in Chrome 66), so the cache now has to be examined from the Cache folder inside the profile directory instead.

Code:
about:cache


Source: https://www.turkhackteam.org/adli-bilisim/1922997-tarayici-uzerinde-adli-inceleme.html
Translator: Dolyetyus