SANS Digital Forensics and Incident Response Blog: Category - Browser Forensics

Digital Forensics Case Leads: Data Exposed, Movie Piracy Sites Shut Down and a 0day Exploit Hits More Than 10,000 Computers

This week in Case Leads we have another round of data exposed at WellPoint. The Feds shut down movie piracy sites, and Microsoft reports more than 10,000 Windows XP computers hit with a 0day exploit. Some great reads on memory analysis and pagefiles, Safari forensics and getting alternate timestamps from the $MFT. Don't forget to cast your vote for the 2010 Forensic 4Cast awards; make your vote count.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Mount raw images as VMDK virtual disks using raw2vmdk

Good Reads:

...


Digital Forensics Case Leads: ATT/Apple Rushes in The Forensics and Incident Response Team

A web application flaw was announced late Wednesday that appears to impact users of the 3G Apple iPad. According to press reports, AT&T is rushing in a forensic team in an attempt to determine the damage the flaw may have inflicted.

Gadget blog Gizmodo reports that a flaw in the web application used to sign on to an Apple/AT&T 3G iPad account allowed an attacker to get into other customers' accounts simply by incrementing the SIM card serial number (ICCID) of a 3G iPad. It is not unusual for a web development team to overlook secure practices such as deriving session identifiers from random numbers rather than from predictable, sequential values. Without a web application security team in place, flaws like this can live on in web applications and sites for years.
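The weakness described above, as an added example (this is not the AT&T/Apple application; the account store, serial numbers and request format are constructed): the vulnerable handler answers for any serial number the caller supplies, so a sequential serial is effectively the password and walking upward from one known value discloses every neighbouring account. The hardened version issues a random, server-side session token only after authentication and then answers lookups only for the serial that token was authenticated for.

```python
"""Vulnerable and hardened versions of an account-lookup endpoint keyed by a
device serial number.  Added example, not the AT&T/Apple application; the
account data, serial numbers and request format are constructed."""
import hmac
import secrets

# Constructed account store.  The key is a sequential serial number of the
# kind printed on a SIM card; adjacent customers get adjacent values.
ACCOUNTS = {
    "89014100000000000101": "alice@example.com",
    "89014100000000000102": "bob@example.com",
    "89014100000000000103": "carol@example.com",
}


def vulnerable_lookup(request):
    """Returns the account for any serial the caller supplies.  Nothing ties
    the caller to the account, so knowing (or guessing) the serial is enough."""
    return ACCOUNTS.get(request["serial"])


def enumerate_by_increment(start_serial, handler, attempts):
    """Walk serial numbers upward from a known value, as the post describes,
    and collect every account the handler discloses."""
    width = len(start_serial)
    found = {}
    for i in range(attempts):
        serial = str(int(start_serial) + i).zfill(width)
        account = handler({"serial": serial, "session": None})
        if account:
            found[serial] = account
    return found


class HardenedService:
    """Issue an unguessable session token at authentication time, then answer
    lookups only for the serial that belongs to the authenticated session."""

    def __init__(self):
        self._sessions = {}  # token -> serial the session was authenticated for

    def authenticate(self, serial, credential_ok):
        # credential_ok stands in for a real credential check (password,
        # SIM-based authentication); the point here is what happens after it.
        if not credential_ok or serial not in ACCOUNTS:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
        self._sessions[token] = serial
        return token

    def lookup(self, request):
        token = request.get("session")
        if not token:
            return None
        for issued, serial in self._sessions.items():
            # Constant-time comparison so response timing does not leak how
            # much of a guessed token was correct.
            if hmac.compare_digest(issued.encode(), token.encode()) and serial == request["serial"]:
                return ACCOUNTS[serial]
        return None


if __name__ == "__main__":
    print("vulnerable:", enumerate_by_increment("89014100000000000100", vulnerable_lookup, 10))
    svc = HardenedService()
    print("hardened, unauthenticated:", enumerate_by_increment("89014100000000000100", svc.lookup, 10))
    tok = svc.authenticate("89014100000000000102", True)
    print("hardened, own serial:", svc.lookup({"serial": "89014100000000000102", "session": tok}))
    print("hardened, neighbour's serial:", svc.lookup({"serial": "89014100000000000101", "session": tok}))
```

Two properties matter in the hardened version: the session identifier comes from a CSPRNG, so it cannot be incremented into, and the lookup checks that the requested serial belongs to the authenticated session rather than trusting the serial alone.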

AT&T claims that the team that discovered the flaw did not use responsible disclosure to alert AT&T and Apple about the flaw before going public. AT&T said that they closed this

...


Client-side Web Application Attacks

Over the past few years, attacks against web applications have become more prevalent and more sophisticated. There are several methods of attacking web applications, SQL injection being one of the best known. In this article, we are going to discuss a different class of attacks and a few examples of how an incident responder or computer forensic investigator might spot them.

All web forms contain fields that are used to collect input from a user and post it to the server for processing. Form fields are commonly used to collect information, from transaction details on e-commerce sites to authentication credentials for restricted content. While form fields are used to collect data legitimately from users, they can also be used maliciously.

An example of this is a client-side attack commonly known as form field injection. In this type of attack, malware running inside the web browser adds additional form fields to
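One way an investigator can spot injected fields, as an added example (not code from the original post): compare the form the server actually delivered, taken from a proxy log or fetched from a known-clean host, with the form as the victim's browser rendered it, taken from a saved page or a memory capture, and report any field that exists only in the rendered copy. The two HTML snippets below are constructed for the example, and the list of sensitive field-name hints is a heuristic of this example, not a rule from the post.

```python
"""Report form fields present in a rendered page but absent from the page the
server served.  Added example; the HTML snippets are constructed."""
from html.parser import HTMLParser

# Heuristic: names a login form normally has no business asking for.
SENSITIVE_HINTS = ("pin", "ssn", "social", "card", "cvv", "maiden", "passcode")


class FormFieldCollector(HTMLParser):
    """Collect the named input/select/textarea fields of every <form>,
    keyed by the form's action attribute."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
            self.forms.setdefault(self._action, [])
        elif tag in ("input", "select", "textarea") and self._action is not None:
            name = a.get("name")
            if name:  # nameless fields are never submitted, so ignore them
                self.forms[self._action].append(
                    {"name": name, "type": (a.get("type") or tag).lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def extract_forms(html):
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def injected_fields(served_html, rendered_html):
    """Fields in the rendered form that the served form never contained."""
    served = extract_forms(served_html)
    rendered = extract_forms(rendered_html)
    findings = []
    for action, fields in rendered.items():
        baseline = {f["name"] for f in served.get(action, [])}
        for f in fields:
            if f["name"] not in baseline:
                lname = f["name"].lower()
                findings.append({"form": action, "name": f["name"], "type": f["type"],
                                 "sensitive": any(h in lname for h in SENSITIVE_HINTS)})
    return findings


# Constructed sample: what the bank's server sent ...
SERVED_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
"""

# ... and what the browser on the infected host rendered.
RENDERED_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="atm_pin">
  <input type="text" name="ssn">
  <input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    for finding in injected_fields(SERVED_HTML, RENDERED_HTML):
        flag = "SENSITIVE" if finding["sensitive"] else ""
        print(f"{finding['form']}: injected field {finding['name']!r} ({finding['type']}) {flag}")
```

The baseline comparison is the reliable signal; the name heuristic only helps triage when no clean copy of the page is available, since malware can name an injected field anything it likes.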

...


Local Shared Objects, aka Flash Cookies

The Adobe Flash Player can store information about user settings to "remember" things like the preferred volume in a video player, saved game settings, whether or not the user allows Flash Player to access the webcam, and so on. With the introduction of ad-blocking software and browser privacy settings, web developers and advertisers have increasingly started to use these files to store other information as well (see the paper "Flash Cookies and Privacy"). These files are now more often used to store the same information that can be found inside traditional browser cookies. The notion of flash cookies has been discussed previously on SANS blogs, both in the Digital Forensics Blog
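To see what such a file actually holds, here is an added example (not code from the original post) that parses the header and the AMF0-encoded name/value body of a Local Shared Object (.sol) file. The sample file is constructed inline to look like a tracking object of the kind the paper describes; the object name and property names are made up for the example. Only the AMF0 types most often seen in these files (number, boolean, string, null) are decoded, and AMF3-encoded objects are reported rather than parsed.

```python
"""Parse a Flash Local Shared Object (.sol) file: 0x00BF magic, 32-bit body
length, "TCSO" signature, object name, AMF encoding flag, then repeated
(name, AMF0 value, 0x00) triples.  Added example with a constructed .sol."""
import struct

AMF0_NUMBER, AMF0_BOOLEAN, AMF0_STRING, AMF0_NULL = 0x00, 0x01, 0x02, 0x05


def _read_amf0(buf, pos):
    """Decode one AMF0 value starting at pos; return (value, new_pos)."""
    marker = buf[pos]
    pos += 1
    if marker == AMF0_NUMBER:          # IEEE-754 double, big-endian
        (num,) = struct.unpack_from(">d", buf, pos)
        return num, pos + 8
    if marker == AMF0_BOOLEAN:         # single byte, 0 = false
        return bool(buf[pos]), pos + 1
    if marker == AMF0_STRING:          # 16-bit length + UTF-8 bytes
        (n,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if marker == AMF0_NULL:
        return None, pos
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x} at offset {pos - 1}")


def parse_sol(data):
    """Return {'name': shared-object name, 'properties': {key: value}}."""
    if data[:2] != b"\x00\xbf":
        raise ValueError("not a .sol file (bad magic)")
    (body_len,) = struct.unpack_from(">I", data, 2)
    if body_len != len(data) - 6:      # length covers everything after the length field
        raise ValueError("length field does not match file size (truncated or padded)")
    if data[6:10] != b"TCSO" or data[10:16] != b"\x00\x04\x00\x00\x00\x00":
        raise ValueError("unexpected .sol signature")
    (name_len,) = struct.unpack_from(">H", data, 16)
    name = data[18:18 + name_len].decode("utf-8")
    pos = 18 + name_len
    (encoding,) = struct.unpack_from(">I", data, pos)   # 0 = AMF0, 3 = AMF3
    pos += 4
    if encoding != 0:
        raise ValueError("AMF3-encoded .sol not handled by this example")
    props = {}
    while pos < len(data):
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = data[pos:pos + n].decode("utf-8")
        pos += n
        value, pos = _read_amf0(data, pos)
        if data[pos] != 0x00:
            raise ValueError(f"missing property terminator after {key!r}")
        pos += 1
        props[key] = value
    return {"name": name, "properties": props}


def is_well_formed(data):
    try:
        parse_sol(data)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def build_sample_sol():
    """Construct a tracking-style LSO (names and values are made up)."""
    def amf0_string(s):
        b = s.encode("utf-8")
        return bytes([AMF0_STRING]) + struct.pack(">H", len(b)) + b

    def amf0_number(x):
        return bytes([AMF0_NUMBER]) + struct.pack(">d", x)

    def prop(key, encoded_value):
        kb = key.encode("utf-8")
        return struct.pack(">H", len(kb)) + kb + encoded_value + b"\x00"

    name = b"tracker"
    body = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", len(name)) + name
            + b"\x00\x00\x00\x00"                       # AMF0 encoding
            + prop("userid", amf0_string("a1b2c3d4"))
            + prop("visits", amf0_number(17))
            + prop("optout", bytes([AMF0_BOOLEAN, 0])))
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    print(parse_sol(build_sample_sol()))
```

On a real system the files live under the Flash Player profile, for example %APPDATA%\Macromedia\Flash Player\#SharedObjects\ on Windows and ~/.macromedia/Flash_Player/#SharedObjects/ on Linux, in a per-domain directory tree, which is why clearing browser cookies does not remove them.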

...


Google Chrome Forensics

Like Firefox, Google Chrome stores its browser history in a SQLite database, but the structure of the database file is quite different.

Chrome stores its files in the following locations:

  • Linux: /home/$USER/.config/google-chrome/
  • Linux: /home/$USER/.config/chromium/
  • Windows Vista (and Win 7): C:\Users\[USERNAME]\AppData\Local\Google\Chrome\
  • Windows XP: C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\Google\Chrome\

There are two different versions of Google Chrome for Linux: the official packages distributed by Google, which store their data in the google-chrome directory, and the Linux
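Two of the structural differences from Firefox that matter most to an examiner are the timestamps and the visit metadata, so here is an added example (not code from the original post) that reads the urls and visits tables of the History database found under the profile's Default directory and converts Chrome's timestamps. Chrome stores times as microseconds since 1601-01-01 UTC (the Windows FILETIME epoch), whereas Firefox's places.sqlite counts microseconds from the Unix epoch; the visits.transition column carries a core type in its low byte and qualifier flags in its high bits, with the values taken from Chromium's page_transition_types.h. The database rows below are constructed for the example.

```python
"""Walk a Chrome History database (urls + visits) and convert its timestamps.
Added example; the sample rows are constructed in an in-memory SQLite db."""
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome/WebKit time base
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)     # Firefox PRTime base

# Core transition types (low byte of visits.transition) and the qualifier
# bits most useful in an investigation (Chromium page_transition_types.h).
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
QUALIFIERS = {0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
              0x10000000: "CHAIN_START", 0x20000000: "CHAIN_END"}


def chrome_time_to_datetime(value):
    """Microseconds since 1601-01-01 UTC -> aware datetime; 0 means unset."""
    if not value:
        return None
    return CHROME_EPOCH + timedelta(microseconds=value)


def datetime_to_chrome_time(dt):
    """Inverse of chrome_time_to_datetime, handy for building time-window queries."""
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def firefox_time_to_datetime(value):
    """Firefox places.sqlite: microseconds since 1970-01-01 UTC."""
    if not value:
        return None
    return UNIX_EPOCH + timedelta(microseconds=value)


def decode_transition(value):
    core = CORE_TRANSITIONS.get(value & 0xFF, "UNKNOWN")
    quals = [name for bit, name in QUALIFIERS.items() if value & bit]
    return core, quals


def history_entries(conn):
    """One record per visit, joined to its URL row, oldest first."""
    rows = conn.execute("""
        SELECT u.url, u.title, u.visit_count, u.typed_count, v.visit_time, v.transition
          FROM visits v JOIN urls u ON u.id = v.url
         ORDER BY v.visit_time""").fetchall()
    entries = []
    for url, title, visit_count, typed_count, visit_time, transition in rows:
        core, quals = decode_transition(transition)
        entries.append({"url": url, "title": title, "visit_count": visit_count,
                        "typed_count": typed_count,
                        "visited_utc": chrome_time_to_datetime(visit_time).isoformat(),
                        "transition": core, "qualifiers": quals})
    return entries


def build_sample_history():
    """Constructed, minimal copy of the relevant Chrome History schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER,
                          last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
    """)
    t1 = 12920644800000000           # 2010-06-10 12:00:00 UTC in Chrome time
    t2 = t1 + 90 * 1_000_000         # 90 seconds later
    conn.execute("INSERT INTO urls VALUES (1, 'http://www.example.com/', 'Example', 1, 1, ?, 0)", (t1,))
    conn.execute("INSERT INTO urls VALUES (2, 'http://www.example.com/login', 'Login', 1, 0, ?, 0)", (t2,))
    # First visit typed into the address bar and starting a chain; second one
    # followed a link from the first and ends the chain.
    conn.execute("INSERT INTO visits VALUES (1, 1, ?, 0, ?)", (t1, 1 | 0x02000000 | 0x10000000))
    conn.execute("INSERT INTO visits VALUES (2, 2, ?, 1, ?)", (t2, 0 | 0x20000000))
    conn.commit()
    return conn


if __name__ == "__main__":
    for e in history_entries(build_sample_history()):
        print(e["visited_utc"], e["transition"], e["qualifiers"], e["url"])
```

To run it against a real profile, replace the in-memory connection with one opened on a copy of the History file (the live file is locked while Chrome runs); the same conversion applies to last_visit_time in urls and to the timestamps in Chrome's other SQLite files.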

...