SANS Digital Forensics and Incident Response Blog

How Miscreants Hide From Browser Forensics

Scammers, intruders and other miscreants often aim to conceal their actions from forensic investigators. When analyzing an IT support scam, I interacted with the person posing as the help desk technician. He brought up a web page on my lab system to present a payment form, so I'd supply my contact and credit card details. He did this in a surprising manner, designed to conceal the destination URL.

You can see the scammer bringing up the web page by watching this 17-second video of his actions. Rather than bringing up the web browser, the person launched the HTML Help application, which is built into Windows, by typing:

hh h

According to Microsoft, HTML help is "the standard help system for the Windows platform. Authors can use HTML Help to create online help for a software application or to create content for a multimedia title or Web site." To bring up the interface captured in the above video, it's sufficient to launch the application using the "hh" command and supply any string as a parameter.

Why would the miscreant launch this application? The goal is to use the "Jump to URL..." feature, which is available by clicking in the top left corner of the application:

[Screenshot: HTML Help: Jump to URL]

The "tech support" rep then pasted the desired URL from the clipboard into the window that popped up. Since the input field of the window was relatively small, I (posing as the victim) could not see the full URL.

The web page rendered within the HTML Help window, the way it would show up within a browser, though there was no URL bar to display the address of the page:
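The launch itself is visible to a defender even though the pasted address is not: hh.exe is started with an argument that is not a help file. As an added example (not code from the original post), the script below triages process-creation records, such as Windows Security event 4688 or Sysmon event 1 exported as (image path, command line) pairs, and flags hh.exe launches whose argument is missing, is a URL, or is not a .chm file. The records are constructed for illustration, and the "normal usage means a local .chm file" rule is an assumption of the example. Note the limit of this check: the address pasted into "Jump to URL..." never appears on the command line, so it can surface the odd launch but not the destination.

```python
"""Triage process-creation records for unusual launches of hh.exe.

Added example; it is not code from the original post. It assumes that
process-creation events (Windows Security event 4688 or Sysmon event 1)
have already been exported as (image path, command line) pairs; the records
below are constructed for illustration.
"""
import re

# hh.exe lives in %WINDIR%; match on the image name rather than a fixed path
HH_IMAGE = re.compile(r'(^|[\\/])hh(\.exe)?$', re.IGNORECASE)
# Windows command-line tokens: double-quoted strings or whitespace-separated runs
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample records: (image path, command line)
SAMPLE_EVENTS = [
    (r"C:\Windows\hh.exe", r'hh.exe "C:\Program Files\Tool\manual.chm"'),
    (r"C:\Windows\hh.exe", "hh h"),  # the launch seen in the scam
    (r"C:\Windows\hh.exe", "hh.exe http://pay.example.test/form"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    (r"C:\Windows\hh.exe", "hh.exe"),
]


def split_windows_cmdline(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def classify_hh_launch(image, cmdline):
    """Return a reason string if this hh.exe launch looks unusual, else None.

    Assumption of this example: normal help usage passes a local .chm file
    (possibly via switches such as -mapid, which this simple check does not
    model). Anything else, an arbitrary string, a URL, or no argument at
    all, is worth a look.
    """
    if not HH_IMAGE.search(image):
        return None
    args = split_windows_cmdline(cmdline)[1:]
    if not args:
        return "hh.exe started without a help file"
    target = args[0]
    if "://" in target:
        return "hh.exe given a URL: " + target
    if not target.lower().endswith(".chm"):
        return "hh.exe argument is not a .chm file: " + target
    return None


def triage(events):
    """Return the flagged records as (image, command line, reason) tuples."""
    flagged = []
    for image, cmdline in events:
        reason = classify_hh_launch(image, cmdline)
        if reason:
            flagged.append((image, cmdline, reason))
    return flagged


if __name__ == "__main__":
    for image, cmdline, reason in triage(SAMPLE_EVENTS):
        print(f"{reason:50s} <- {cmdline}")
```

Run against the constructed records, three of the five launches are flagged: the bare "hh h", the URL argument, and the launch with no argument; the help-file launch and the notepad record pass. In a real environment the .chm rule will need tuning for legitimate switches and for products that open help through mk:@MSITStore: paths.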

[Screenshot: ClickBank payment form]

Examining the system after this incident, I could not find a reference to the ClickBank URL in the Internet Explorer history. I used ESEDatabaseView to examine the system's WebCache file; the tool found a cookie set by ClickBank, but showed no relevant URLs. I also used Redline to pull out browser artifacts from this system using memory forensics; this tool showed some URLs belonging to the domain, but not the address of the initial web page:

[Screenshot: Redline showing ClickBank URLs]

I was able to locate the URL by extracting all strings from the system's memory image that included "clickbank" in them. The same URL was also left by the adversary on the system's clipboard.
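Carving the URL out of the memory image is the step that actually recovered the address, so here is an added example of that search (my own illustration, not code from the original post). It generalizes the "strings containing clickbank" approach in one way that matters on Windows: it decodes UTF-16LE runs as well as ASCII ones, because many Windows components keep text in UTF-16LE and a plain ASCII strings run walks straight past them. The "memory image" is a constructed byte buffer; the hostnames in it are placeholders.

```python
"""Carve URLs containing a keyword out of a raw memory image.

Added example; it is not code from the original post. It extends the
author's approach of searching memory strings for "clickbank" by also
decoding UTF-16LE strings, the encoding many Windows components use
internally. The image below is a constructed byte buffer, not a capture.
"""
import mmap
import re

MIN_LEN = 8  # shortest printable run treated as a string
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def build_sample_image():
    """Constructed stand-in for a memory dump: two URLs in different encodings plus noise."""
    noise = b"\x00\x01\x02\xff" * 8
    ascii_req = b"GET https://pay.example.test/order?vendor=clickbank&id=1234 HTTP/1.1\r\n"
    utf16_url = "https://checkout.example.test/clickbank/form".encode("utf-16le")
    other = b"https://www.example.test/unrelated"
    return noise + ascii_req + noise + utf16_url + b"\x00\x00" + noise + other + noise


def iter_strings(data):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_urls(data, keyword):
    """Return sorted (offset, encoding, url) hits whose URL contains keyword."""
    kw = keyword.lower()
    hits = set()
    for base, enc, text in iter_strings(data):
        width = 2 if enc == "utf-16le" else 1  # bytes per character in the raw image
        for m in URL.finditer(text):
            if kw in m.group().lower():
                hits.add((base + width * m.start(), enc, m.group()))
    return sorted(hits)


def scan_file(path, keyword):
    """Scan a memory image on disk without reading it all into RAM."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_urls(mm, keyword)


if __name__ == "__main__":
    for offset, enc, url in find_urls(build_sample_image(), "clickbank"):
        print(f"0x{offset:08x} {enc:9s} {url}")
```

On the constructed image the search returns both ClickBank-style URLs, one from the ASCII request line and one from the UTF-16LE run, and ignores the unrelated address. The offsets are real byte offsets into the image, which is what you want when you go back to the dump to look at the surrounding structure (in the scam this is also where you would expect to find the clipboard contents). For an actual capture, call scan_file() on the image rather than loading it with read().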

Based on this analysis, it appears the adversary used an unusual method of visiting the website from the victim's system to conceal the URL from the person's view and to make it hard for an investigator to locate the URL in the browser history. This is the first time I've seen such an approach, and wanted to share it with the community. If you've encountered similar techniques or would like to share your perspective on this situation, please leave a comment.

To learn more about this incident, take a look at my Conversation With a Tech Support Scammer article.

Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute. He is active on Twitter and writes a security blog.

Posted March 25, 2015 at 7:36 AM

Anders Thulin

This kind of approach is fairly common to 'break out' of kiosk environments or other policy limitations imposed on a particular system.
In the days where OLE embedding was common, it was often possible to insert OLE objects in documents, and that way access functionality that was locked out. (Wordpad still has 'Insert Object', but the number of objects available is much smaller now.)
And some software suites contained unexpected functionality that could be used for similar bypasses: on a system with OpenOffice, it may be possible to access Internet Explorer from Calc by the preview function.
The forensic implications of this kind of activity are very interesting; I hadn't thought of it before. Thanks for bringing it up!

Posted May 1, 2015 at 3:43 PM

I'm interested in this from a forensic perspective but have been unable to replicate your result regarding the web address not being present in IE history. I have followed the same procedure as yourself, but my entered web address always appears in my web history. I have tried Windows XP, 7 and 8 running IE 8, 9 and 11 respectively. Any thoughts?