Blog: SANS Digital Forensics and Incident Response Blog: Category - Browser Forensics

Digital Forensics Case Leads: Lots of oopsies

This week's edition of Case Leads covers an interview about the Onity Hotel lock oopsie, an oopsie involving overlooked artifacts in the Casey Anthony trial, the oopsie of dumping lots of confidential confetti at a parade, and the findings of the investigation into the Palmetto state oopsie. Many great tool updates (OllyDbg, bulk_extractor) and some new releases as well.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to


  • OllyDbg 2.01H has been released. One of the biggest changes is a major update to the plugin interface. Read more about it on the OllyDbg version history page.

  • Late last month Tableau quietly released an update to their free TIM software imager. It includes

Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 3)

Application Specific Geo-location

Web applications can often leave their own geo-location clues similar to those found via the mapping services. While mapping artifacts are largely consistent, geo-artifacts created by applications are more haphazard. Thus the number of available artifacts can be as numerous as the applications using geo-location services. To illustrate this, we will analyze the artifacts left by two popular location-aware applications: Flickr and Twitter.

Mobile Flickr Geo-artifacts

Flickr Location

Flickr is a photo sharing website and the mobile version has an interesting location-aware feature. A user can select the "Nearby" tab and see pictures that were geo-tagged in the general neighborhood. Of


Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 2)

Understanding Browser Artifacts

Geo-location artifacts demonstrate an interesting concept with regard to browser-based evidence. Among the various browser artifacts, Internet history is a fan favorite because it provides such rich information. There is no easier place to look to identify sites visited by a specific user at a specific time. Browser history is so useful that a critical shortcoming is often ignored: with today's dynamic web pages, a vast number of web page requests go unrecorded. When a user visits a website, a multitude of requests are completed in the background to retrieve images and advertisements, populate web analytics, and load content from third parties. The content retrieved from these requests is stored within the cache, and an entry within the cache database is created. While the browser history database may only show the page visited, the cache holds most of the components retrieved to dynamically build that ...

Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1)

[Author's Note: Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats. In the fall of 2011 I had the pleasure of writing an article for Digital Forensics Magazine focused on browser-based geo artifacts, where much of this series was originally published.]

One of the more revolutionary forensic artifacts to emerge in recent years is geo-location data. Geo-location gives us an accurate means to identify the physical location of an item on Earth. It is now possible to determine where in the world a laptop or mobile phone has been, solely using host-based forensics. In a world of increasingly mobile devices, geo-artifacts can provide a crucial extra dimension to our investigations. With it, we now have the potential to answer who,


Forensically mining new nuggets of Google Chrome

I was recently creating some slides on Chrome forensics for a class I'm teaching, when I really discovered for the first time just how popular it's actually become. As of last month, according to, Chrome is not only 50% more popular than Internet Explorer, but is actually neck and neck with Firefox (36.6% vs. 36.9%).

Despite this, and the fact that Chrome is actually open source, (or technically, I guess Chromium is the open-source project behind Google Chrome) there's significantly less documentation about associated forensic artifacts than there is for equivalent items in IE or even Firefox.

What has gone before...

I was able to find a number of Chrome forensics blog postings, but most dealt more-or-less exclusively with extraction of its web ...