ELK ASIA PACIFIC JOURNAL OF COMPUTER SCIENCE AND INFORMATION SYSTEM
ISSN 2394-9392 (Online); DOI: 10.16962/EAPJSS/issn. 2394-9392/2015; Volume 3 Issue 2 (2017)
www.elkjournals.com
………………………………………………………………………………………………………
COLLECTION OF EVIDENCE THROUGH WEB BROWSER & FORENSICS DIGITAL
ANALYSIS VIA RECOVERABLE DATA
Nigam Pratap Singh
Dept. of Computer Science Engineering,
SRMSCET Bareilly, India
L S Maurya
Dept. of Computer Science Engineering,
SRMSCET Bareilly, India
ABSTRACT
Browsers are essential applications for connecting to the cyber world. Cyber-crimes are increasing day by day, and these crimes violate the integrity, confidentiality and privacy of common users. As technologies become more powerful, attackers also become more powerful, smarter and more up to date with technology. Forensic investigation of browsers can help prevent cyber-crime; for that we need advanced techniques and tools to trace criminal activity committed using browsers. This paper has two basic objectives: the first is to collect the data that remains recoverable after information has been deleted, and the second is to provide an advanced mechanism that improves the existing browser forensics tools, which could help to investigate and trace criminal activity and collect the maximum evidence to prove the crime. Recovery of deleted information covers these artifacts: login history, cache data, searched keywords, the list of visited URLs and saved passwords.
Keywords— Cyber-crime, Integrity, Confidentiality, Privacy, Browser forensics, Criminal activity searched
keywords.
INTRODUCTION
The Internet is essential for everyday work, and web browsers are used to connect to it. Users generally use a web browser for e-mail access, social networking sites, internet banking, news, entertainment, updates, e-commerce and searching for relevant information. According to 'Internet Live Stats', 40 % of the world population uses the internet, as per a report generated in 2016 [1]. This shows the very large number of internet users worldwide. While common users use the internet for their own work, attackers use it to take advantage of users' limited knowledge and perform many cyber-attacks. A suspect uses the internet to hide a crime, or to search for ideas for new crimes. Every time a suspect performs any unethical activity using the browser, he or she tries to remove the details of that activity. So collecting evidence from the web browser is typically
a crucial activity. Many open source browser forensics tools are available, but every tool has limitations, such as no support for a particular browser, no support for a particular browser version, or loss of support because browsers are updated frequently. (Refer Fig. 1)
According to a survey by Business Standard, cyber-crime in India increased by 350 % in the last 3 years. The graph shows, for every year, the increase in crime and the persons arrested because sufficient evidence was available. It shows that every year the ratio of arrested persons is decreasing even as the crime ratio is increasing; this is because of the non-availability of proper evidence. So evidence collection is the most important part of an investigation.
An investigator has to target the following information for evidence purposes; these are called the 9 children of browser forensics investigations [2] –
1-Archived History
2-Fav Icons
3-Shortcuts
4-Cookies
5-Web Data
6-Top Sites
7-History
8-Login Data
9-History Index
According to a survey in 2016, Google Chrome is the most popular browser worldwide. It is now used by more than 70 % of users as the default browser [3].
Google Chrome History / Timeline -
Google Chrome was first introduced in September 2008 as an open source browser [4]. The password sync option was first added on 8th March 2011 in version 10.0.648 [5]. Initially passwords and sessions were stored in plain text format, but version 14.0.835 in September 2011 included the 'encryption technique' to avoid session hijacking and password collection by attackers [6].
In February 2012, in version 17.0.963, Chrome improved its history database techniques. An encrypted omnibox to collect the searched keywords was added in Chrome version 25.0.1364 [7]. It added SSL to improve server-side data protection.
The auto fill and password auto fill features were available in Chrome version 26.0.1410 till April 2013. The option to store payment card details was first introduced in November 2013 in version 31.0.1650. It added the new database 'webdata.db' to Chrome's local app data, where used card details are saved in encrypted format.
A very useful feature, 'chrome crash recovery', which actually made Google Chrome more popular, was added to the browser in version 36.0.1985 in July 2014 [8]. In January 2016, Google Chrome version 48.0.2564 changed the saved password encryption algorithm [9].
LITERATURE SURVEY AND RELATED
WORK
Jones in 2003 explained the structure of Internet Explorer and how to recover deleted information using the index.dat file [10]. He introduced the Pasco tool and the web history tool to analyze Internet Explorer. At that time the Google Chrome browser had not been introduced.
Pereire in 2009 proposed the structure of the history system in Firefox and proposed techniques to recover deleted history from unallocated fields [11]. Junghoon Oh and Seungbong Lee in August 2011, in their paper 'Advanced evidence collection and analysis of web browser activity', proposed 4 methods for browser analysis: integrating all the details, using timeline analysis, recording the user activity, and collecting the URL details. That paper shows the test and implementation on Google Chrome version 13.0.782. Using open source tools, it collects the URL details, names of websites and times of access, and explains the use of the retrieved evidence for forensic investigations.
Sangeeta Lal and Ashish Sureka in 2012, in their research paper "Comparison of Seven Bug Report Types Google Chrome Browser", proposed a method to recover from a sudden crash of Google Chrome [12]. With these techniques they proposed usability of data, maintaining consistency and avoiding loss of data.
Donny Jacob Ohana and Narasimha Shashidhar in 2013, in the paper "Do Private and Portable Web Browsers Leave Incriminating Evidence" [13], implemented some tests to collect browser data for forensic investigation in Mozilla Firefox using the FTK Imager tool. It collects the memory image and recovers the deleted information from it. In this paper they show how to recover deleted history, image and video files, and the use of these data in forensic investigations.
Shinichi Matsumoto and Kouichi Sakurai in 2014 explained [14] the important data that can be used for evidence purposes: browser history, image data, account details and e-mail ID. According to them, computers now come with memory of 500 GB or a terabyte, so collecting deleted information by dumping the memory (memory dump) is a very time-consuming procedure; it works if performed by an expert investigator, but we always need to think about substitute solutions.
Narmeen Shafqat and Baber Aslam in September 2015, in "Forensic Investigation of User's Web Activity on Google Chrome using Open-source Forensic Tools" [15] (Google Chrome version 44.0.2403), explain that every word written by the user in Chrome is stored in a database. They explain that Google Chrome uses an SQLite database, which is quite different from the Mozilla Firefox browser, and that Chrome keeps updating its file structure, so many of the existing
browser forensic tools are not able to collect the data, so investigators need to design and update existing tools from time to time.
Google Chrome updates its file structure from time to time to protect against attacks and to add new features. The current version of Google Chrome, 52.0.2743, final updated in February 2016 [16], has new features such as a new database to save used credit / debit card details and a recently changed encryption algorithm for saving login passwords and searched keywords. The applications and use of this information in forensic investigation are so far untouched. As per the policy of Google Chrome, there are frequent changes in the file structure; therefore the available forensics tools need to be changed or updated accordingly.
BROWSERS FORENSICS TOOL AND
ITS COMPATIBILITY–
Pasco: A command line tool that works on Windows and UNIX. It can collect the list of URLs, modified times and access times. It was designed to work only with Internet Explorer. [17]
Web Historian: It was designed in 2009 to view the history of Internet Explorer and Firefox. [18]
Forensic Tool Kit (FTK): This tool is well recognized by corporate and law enforcement agencies. It is used to analyze browser history, sessions, cookies, etc. [19]. The problem with using FTK is the reconstruction of the index.dat file; it has been observed that analysis of data in this format is very difficult and requires an expert investigator.
Firefox Forensic 2.3: It is designed to collect the history, cookies, bookmarks and download list in Mozilla Firefox. [20]
Chrome Analysis 1.0: It was designed to support Chrome versions 1 to 48.X to collect cookies, history, sessions, bookmarks and searched keywords. But Chrome has now updated its version to 52.0.2743 and this tool no longer supports collecting all the details.
Net Analysis 1.52: It is used to collect the history; it supports all browsers.
Cache Back: It can be used to collect history, cache and cookie data from Google Chrome, IE and Firefox.
Encase 6.13: Supports only IE, Firefox, Safari, Google Chrome and Opera, to collect the details of cache, history, cookies and bookmarks. It is also well recognized and needs a forensics expert for analysis.
Chrome cookie viewer: It is used to collect cookies and sessions in the Google Chrome browser.
Chrome Password Decryptor: Used to back up login secrets, to transfer the secrets from one system to another, and to recover the
password if Chrome is not accessible. Supported versions: 3.0.193 to 44.0.2403.
Chrome Session Parser: It can collect the details of the current and last sessions and of open tabs; it supports the Chrome browser.
Nirsoft browser pass viewer: An open source browser forensics tool to display all visited URLs, and a browser history viewer. It was also used to collect saved passwords, but it does not support versions after 48.0.2564, because Chrome changed its encryption algorithm for saving passwords.
WEFA (Web Browser Forensic Analyzer): It was designed in August 2011 by Junghoon Oh and Seungbong to collect all history, session, cookie, saved password and visited URL details. It supports Chrome version 13.0.782 and earlier. (This tool no longer supports collecting the saved passwords and searched keywords of the current version of Google Chrome.)
PROPOSED METHODOLOGY
Recover information from multiple files stored in the Chrome database:
Google Chrome updated to version 36.0.1985 in July 2014 and, with crash recovery, removed bugs such as crashes. A crash is a bug which causes a machine to crash, resulting in irrecoverable loss of data. Google Chrome changed its file structure into a hierarchical file system where multiple files are created at the same time. At the time of a crash, the multiple files that have been created are useful for avoiding loss of data, but keeping multiple files in the Chrome database has a drawback: if the user removes the login details, copies in the multiple files still remain in the database. It can be called a vulnerability of the operating system which compromises Google Chrome's security.
This research work emphasizes these files; the proposed method is to collect all possible information from the multiple files, and the collected information will be used as digital evidence. (Refer Fig. 3.1.1)
User Interface: To provide the user interface we are using the Anaconda platform.
Anaconda platform: Used because the source code is written in the Python language, to execute/run the necessary packages like matplotlib, Pandas and numpy.
To recover the data for forensic investigation we target the database of Google Chrome. Google Chrome uses an SQLite database.
Searching Module:
Target the current location of the files. File location = C:\%user%\Local Settings\Application Data\Google\Chrome\User Data\Default (default location of the Google Chrome database in Windows 7/8).
Collect all the available data in the current directory and copy it all into new temporary databases: History.db, logindata.db, webdata.db.
Recovery Module:
To recover the deleted information, all the hierarchical files where duplicate files are created during the use of Google Chrome need to be checked. The home directory of these files in Windows 7/8 is: Location: \%user%\Local Settings\Application Data\Google\Chrome
Collect the list of all visited URLs, collect the used debit / credit card details, copy all the used passwords, collect all searched keywords, and create a histogram based on all the recovered data.
Integrate:
To show all the information, collect all the databases into a local database, remove the duplicate records and display the available information. To compare the actual information with the deleted information, create two separate databases and collect the list of deleted information.
Operational Model:
The most important thing is to arrange all the collected information by time. Each website follows its own standard time (UTC time), so the times need to be converted into the local time zone. Every browser uses its own URL encoding techniques, so translate the URLs into the English encoding standard. Split the URL and the URL count when a new website is encountered, find the difference between websites and searched items, classify them and save them into different databases.
For user history such as username and password related information, collect the records of the login.db database, integrate them all into a single database and convert the encrypted passwords into plain text using the decryption algorithm. For the card details, target the webdata.db file: collect the encrypted data, apply the decryption algorithm and convert it into plain text. Algorithm used: win32crypt.CryptUnprotectData.
Display module:
Display all the collected records in the following ways -
List view of all visited URLs
Histogram view of visited URLs against count
Display all collected passwords and usernames in plain text format
Display all searched keywords in a list view
Display the list of saved card details in plain text format
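The Integrate and Operational Model steps above, shown as an added Python example (it is not the authors' tool): two constructed copies of a simplified Chrome History database are merged, duplicate records dropped, timestamps converted from Chrome's 1601-based UTC microseconds to local time, and the visits missing from the default copy listed. The reduced table layout, the host names, the IST time zone and all function names are assumptions made for this illustration.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
IST = timezone(timedelta(hours=5, minutes=30))  # assumed examiner time zone

# Simplified subset of Chrome's History schema, enough for this example.
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                   visit_count INTEGER, last_visit_time INTEGER);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
CREATE TABLE keyword_search_terms (url_id INTEGER, term TEXT);
"""

def webkit_to_utc(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def utc_to_webkit(moment):
    return (moment - WEBKIT_EPOCH) // timedelta(microseconds=1)

def make_history(rows):
    """Build a constructed History database from (url, term, [UTC times]).

    A real working copy would be opened read-only instead, e.g.
    sqlite3.connect("file:History?mode=ro", uri=True).
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for url, term, times in rows:
        stamps = [utc_to_webkit(t) for t in times]
        cur = conn.execute(
            "INSERT INTO urls (url, title, visit_count, last_visit_time) "
            "VALUES (?, '', ?, ?)", (url, len(stamps), max(stamps)))
        url_id = cur.lastrowid
        conn.executemany("INSERT INTO visits (url, visit_time) VALUES (?, ?)",
                         [(url_id, s) for s in stamps])
        if term:
            conn.execute("INSERT INTO keyword_search_terms VALUES (?, ?)",
                         (url_id, term))
    return conn

def load_visits(conn):
    """Return the set of (percent-decoded URL, UTC time) in one copy."""
    sql = ("SELECT u.url, v.visit_time FROM visits v "
           "JOIN urls u ON u.id = v.url")
    return {(unquote(url), webkit_to_utc(t)) for url, t in conn.execute(sql)}

def load_terms(conn):
    sql = "SELECT term FROM keyword_search_terms"
    return {row[0] for row in conn.execute(sql)}

def integrate(*copies):
    """Merge every copy and drop duplicate (URL, time) records."""
    merged = set()
    for conn in copies:
        merged |= load_visits(conn)
    return sorted(merged, key=lambda visit: (visit[1], visit[0]))

def host_counts(visits):
    return Counter(urlsplit(url).hostname for url, _ in visits)

def deleted_visits(default_copy, all_visits):
    """Visits present in the merged set but missing from the default copy."""
    current = load_visits(default_copy)
    return [v for v in all_visits if v not in current]

def local_timeline(visits, tz=IST):
    return [(when.astimezone(tz).isoformat(), url) for url, when in visits]

# Constructed sample data: five visits to one site, two later removed.
T0 = datetime(2016, 8, 1, 9, 0, tzinfo=timezone.utc)
PAY = [T0 + timedelta(minutes=10 * i) for i in range(5)]
DEFAULT = make_history([
    ("https://shop.example/pay", None, [PAY[0], PAY[2], PAY[4]]),
    ("https://news.example/", None, [T0 + timedelta(hours=1)]),
])
OLDER_COPY = make_history([
    ("https://shop.example/pay", None, PAY),
    ("https://search.example/?q=train%20timetable", "train timetable",
     [T0 + timedelta(minutes=5)]),
])

if __name__ == "__main__":
    merged = integrate(DEFAULT, OLDER_COPY)
    print("default  :", dict(host_counts(load_visits(DEFAULT))))
    print("recovered:", dict(host_counts(merged)))
    for stamp, url in local_timeline(deleted_visits(DEFAULT, merged)):
        print("missing from default copy:", stamp, url)
    print("extra terms:", load_terms(OLDER_COPY) - load_terms(DEFAULT))
```

Comparing per-host counts between the default copy and the merged set is what exposes removed entries; the comparison works on copies of the evidence files, never on the live profile.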
Improvements / Update the features of
existing browser forensics tools:
Due to the frequent updates of Google Chrome, many existing browser forensics tools have limitations, as discussed in the literature survey.
Based on the current version of the browser, the following features are added, which support Google Chrome version 52.0.2743 (current version) –
Collect the list of all Credit / Debit Card Details:
When users use their credit / debit card for an online transaction, the card details are stored in the web database file in encrypted format, so we need to extract the information from the web.db file, decrypt it using the win32crypt.CryptUnprotectData algorithm and display the plain text.
Use: If the suspect performed any malicious activities from a cyber cafe or anywhere else, the card details will play a key role in tracing the suspected person with the help of third party details.
Collect all Search Keywords:
When a suspected person wants to perform any unethical activity, he first has to collect the prerequisite information before committing the crime. Just as every criminal leaves evidence behind, in the internet world criminals also leave evidence in the form of information collected through web browsers. In this regard, keyword searches play a very fruitful role in analyzing the case. Hence, searched keywords are very important for primary investigation purposes.
Collect the List of Used Passwords:
Passwords are stored in the Chrome database in encrypted format. It is easy to collect the passwords but very difficult to decrypt them.
Use: Once the plain text passwords of the suspect are collected, they can be used in passive monitoring of the suspect's activity. So they are very important to forensic investigation.
Create Histogram View of all visited URLs and Count:
Visited URLs and counts can be displayed in a histogram view; the plotted graph provides a graphical representation.
Use-
Comparative analysis of visited URLs
Easy to understand
A large set of data can be easily compared.
Show the list of all visited URLs (websites):
When a user visits any website, the history and all associated metadata related to the URL are also stored in the database.
Use: Visited websites and hyperlinked sites can be traced.
Count the total number of different accessed browsers:
The web history contains all accessed web browsers, so it is very easy to work out how many web browsers were opened at particular times.
Count the total visited pages:
If any website is visited multiple times, we need to collect the total number of hits.
Use: This can help to get information about the web browsers which have been accessed by the users.
RESULTS
Collect the list of passwords in decrypted format / plain text using the proposed technique –
Google Chrome saves the used passwords into its database. An attacker always wants to remove the used passwords after use, but it is possible to recover the details of saved passwords even after they have been deleted manually. (Refer Fig. 4.1.1 or 4.1.2)
Figure 4.1.1 shows the list of passwords; many of the passwords have been removed, so it shows only the currently available passwords. They are also in encrypted format, so they cannot be used for investigation purposes.
Figure 4.1.2 shows the output after recovery of the deleted passwords in decrypted format.
Observation: In figure 4.1.1 only four saved passwords are shown, but after recovery there is a list of many used passwords in decrypted format.
Compared to the output of the Chrome Analysis 1.0 open source tool [20], which is not able to decrypt the used passwords of Chrome version 52.0.2704, this implementation is able to collect the list of used passwords.
Collected list of searched keywords –
When a suspect wants to do any unethical activity, he searches for details about it; for an investigator these searched keywords (every word typed using the keyboard) suggest the primary areas. So searched words are very important for investigation purposes. (Refer Fig. 4.2.1, 4.2.2 or 4.2.3)
Figure 4.2.1 shows the list of searched keywords in the default location.
In comparison to the Chrome Analysis 1.0 tool, Encase and FTK 3.2 tools [20] [18], which are not able to collect the searched keywords, this implementation is able to collect all searched keywords.
Display the count of total visited URLs and the count of total different URLs – (Refer Fig. 4.3.1 or 4.3.2)
Observation: Figure 4.3.1 shows the count of visited URLs in the default location, but after searching all the information from the hierarchical file structure, figure 4.2.2 shows a larger number of visited URLs.
Compared to the Chrome Analysis 1.0 tool, Encase, Cashback and FTK 3.2 tools [20][18], which do not provide the total
count of visited URLs and the total count of each individual URL, this implementation provides both. (Refer Fig. 4.4.1 or 4.4.2)
Observation: In the list of URLs in Figure 4.4.1 we can see that the count for the website 'paytm.com' is 3, but after recovery of data in Figure 4.4.2 we can see that the count for 'Paytm' is 5; this means the suspect removed two entries from the history page.
In comparison to the Chrome Analysis 1.0 tool, Encase, Cashback and FTK 3.2 tools, this implementation provides an individual count of visits to each website, which helps to find deleted details easily and is not available in the above tools.
Conclusion: Deleted URL (website page) details can be collected. (Refer Fig. 4.5.1)
algorithm and display. Card details can help to trace the suspect with the help of a second party (the bank).
Compared to the Chrome Analysis 1.0 tool, Encase, Cashback and FTK 3.2 tools [20][18], none of which have this kind of feature (collecting card details), this implementation adds this new feature.
Display the Histogram View-
Visited URLs and counts can be displayed in a histogram view, plotted on a graph to provide a graphical representation. (Refer Fig. 4.6.1, 4.6.2)
Figure 4.6.1 shows the details of all visited URLs after recovering all the deleted information, compared to Figure 4.6.2, which shows the list of URLs after the user deleted some URLs to hide the details (the detail of Paytm.com is missing).
Observation: In figure 4.6.1 the marked area shows the website name "www.Paytm.com" after recovering the deleted URL, and figure 4.6.2 (default) is missing this website, which means deleted URLs can be traced using this histogram technique. (Refer Fig. 4.6.3)
Conclusion: The list of all visited URLs and the deleted URLs can be easily compared with the help of the histogram; especially if there is a large set of data, this histogram view is an effective way to find the details of all deleted websites.
Compared to the Chrome Analysis 1.0 tool, Encase, Cashback and FTK 3.2 tools [20] [18], none of which have this kind of feature, this is a new technique added in this implementation.
Comparison and result analysis of the currently existing tools with this implemented tool for web browser forensics investigation. (Refer Fig. 4.7.1)
CONCLUSION
Collecting evidence from the web browser is the most important process in computer forensics investigations. This implementation shows that it is possible to collect evidence after deletion of
the details by the suspect. After collecting and analyzing the browser forensics data it is possible to trace the criminal activity. After a crime, when an investigator examines and collects the browser information and log files from a suspect's computer, the investigator can decide the primary direction of the investigation. In most cases, all the evidence to prove the crime is present in the browser itself. This project introduced some previously untouched forensic investigation: online movements like visited browsers, searched keywords, saved passwords and used debit / credit card details can be collected using this implementation, which can help in an investigation. This project's implementation can also help to collect hidden information about user activity and recover deleted information from the browser.
FUTURE WORK
Future work can include forensic investigation of all other browsers and updating the current implementation in line with future browser changes. Future work also covers forensic investigation of portable browsers; the main challenge there is that the files saved by a portable browser are stored on the portable device, so it is a bit challenging to target the browser's database after the portable device has been removed.
REFERENCES
Anuradha P, Raj Kumar T., Sobhana N. V.,
Recovering Deleted Browsing Artefacts
from Web Browser Log Files in Linux
Environment, 2016 Symposium on
Colossal Data Analysis and Networking
(CDAN).
Apurva Nalawade, Smita Bharne, Vanita Mane, Forensic Analysis and Evidence Collection for Web Browser Activity, 2016 International Conference on Automatic Control and Dynamic Optimization Techniques (ICACDOT), International Institute of Information Technology (I²IT), Pune.
Junghoon Oh, Seungbong Lee, Sangjin Lee, Advanced evidence collection and analysis of web browser activity, Digital Investigation 8 (2011) S62–S70.
Narmeen Shafqat, Forensic Investigation of
User’s Web Activity on Google Chrome
using various Forensic Tools, IJCSNS
International Journal of Computer Science
and Network Security, VOL.16 No.9,
September 2016.
Shinichi Matsumoto, Kouichi Sakurai,
Acquisition of Evidence of Web Storage in
HTML5 Web Browsers from Memory
Image, 2014 Ninth Asia Joint Conference
on Information Security.
Donny Jacob Ohana, Narasimha Shashidhar, Do Private and Portable Web Browsers Leave Incriminating Evidence?, 2013 IEEE Security and Privacy Workshops.
Sangeeta Lal, Ashish Sureka, Comparison
of Seven Bug Report Types: A Case-Study
of Browsers, 2012 19th Asia-Pacific
Software Engineering Conference.
Murilo Tito Pereira, Forensic analysis of
the Firefox 3 Internet history and recovery
of deleted SQLite records, digital
investigation 5 (2009) 93–103, Elsevier.
Junghoon Oh, Seungbong Lee, Sangjin Lee, Advanced evidence collection and analysis of web browser activity, Digital Investigation 8 (2011) S62–S70.
Joshua J. Pauli, Patrick H. Engebretson, CookieMonster: Automated Session Hijacking Archival and Analysis, 2011 Eighth International Conference on Information Technology: New Generations.
Ranveet Kaur, Amandeep Kaur, “Digital
Forensics” International Journal of
Computer Applications pp 0975 –8887
Volume 50 –No.5, July 2012.
Junghoon Oh, Namheun Son, Sangjin Lee, and Kyungho Lee. “A Study for Classification of Web Browser Log and Timeline Visualization”, WISA-2012.
F.Aggarwal, E. Bursztein, C. Jackson, and
D. Boneh, “An analysis of private browsing
modes in modern browsers,” In Proc. of
19th Usenix Security Symposium, 2010.
Howard Chivers “Private browsing: A
window of forensic opportunity”, Digital
Investigation 20–29, 2014.
Howard Chivers, Christopher Hargreaves.
“Forensic data recovery from the Windows
Search Database”, Digital Investigation
114–26, 2011.
K. Satvat, M. Forshaw, F. Hao, and E.
Toreini, “On the privacy of private
browsing - a forensic approach,” in Data
Privacy Management and Autonomous
Spontaneous Security. Springer Berlin
Heidelberg, 2014, pp. 380–389.
S. P. Aditya Mahendrakar, James Irving, Forensic analysis of private browsing artifacts. IEEE, 2011, pp. 197–202.
Divyesh G, Nagoor A R. (2014). Forensic
Evidence Collection by Reconstruction of
Artifacts in Portable Web Browser.
International Journal of Computer
Applications. vol. 91, issue 4. (pp. 32-35)
Marrington, I Baggili, Talal Ali. (2012).
Portable Web Browser Forensics: A
forensic examination of the privacy
benefits of portable web browsers. 2012
International Conference on Computer
Systems and Industrial Informatics
(ICCSII), (pp. 1-6).
Satvat, Forshaw, Hao, Paper: On the
Privacy of Private Browsing - A Forensic
Approach. Journal of Information Security
and Applications. Volume 19, Issue 1. (pp.
88-100).
LIST OF FIGURES:
Figure 1.1: Cyber Crime case register and arrests due to proper evidences in year 2010- 2014
Flow diagram of proposed method-
Figure 3.1.1: Flow diagram of proposed method
Figure 4.1.1: List of default saved password after removing some password (Default view)
Figure 4.1.2: Recover the deleted password and print in decrypt format (program output
view)
Figure 4.2.1: List of all searched Keyword (Default)
Figure 4.2.2: List of Searched Keyword collecting from all hierarchical files
Figure 4.2.3: List of Searched Keyword collecting from all hierarchical files
Figure 4.3.1: Display the count of total visited URLs and count of total different URLs
(Default)
Figure 4.3.2: Display the count of total visited URLs and count of total different URLs (after
recovery)
Display the list of visited URL:
Figure 4.4.1: List of Visited URL before recovery of delete items
Figure 4.4.2: List of Visited URL after recovery of delete items
Collect the List of saved card detail:
Figure 4.5.1: Fetch the detail of Used Credit / Debit Card details
Figure 4.6.1: Histogram Original
Figure 4.6.2: Histogram after removing detail of some websites
Figure 4.6.3: Comparison of two Histogram
All tests performed on Google Chrome version 52.0.2743 (current version).
Functionality | Result Output | WEFA | Cache back | Encase | FTK | Nirsoft
1. Graphical Representation | Histogram view | No | No | No | No | No
2. Time line analysis | yes | yes | no | yes | no | yes
3. Recovery of Hidden Information | Hierarchical structures | memory dump | memory dump | memory dump | memory dump | Not available
4. Preview Functions | yes | yes | yes | No | yes | yes
5. Total number of different visited URL | yes | no | no | No | no | no
6. Total number Data count | yes | no | no | No | no | no
7. Processing time for recovery of History | Quick | take time | take time | take time | take time | not possible
8. Predefined algorithms for recovery of History | yes | no | no | Yes | no | no
9. Manual instructions for recovery of History | not required | required | required | required | required | not possible
10. Display Password | Yes | no | no | yes | yes | no
11. Searched Keyword | Yes | no | no | no | no | no
12. Collect Credit/debit card detail | Yes | no | no | no | no | No
Figure 4.7.1: Comparison of Implemented tool with current existing tools