
Forensic Science Journal 2018;17(1):1-8. fsjournal.cpu.edu.tw. DOI: 10.6593/FSJ.2018.1701.01

A Forensic Examination of Anonymous Browsing Activities

Szu-Yuan Teng 1*, M.S.; Che-Yen Wen 2, Ph.D.

1 Taipei City Field Office, Investigation Bureau, Ministry of Justice
2 Department of Forensic Science, Central Police University

Received: May 31, 2018; Accepted: August 15, 2018.

Abstract

Internet crime has become a serious problem. Cybercriminals use the Darknet to sell tools on the black market, such as DDoS attack software, ransomware, Crimeware-as-a-Service (CaaS), and other cybercrime tools. Users can use the Tor browser with incognito functions to connect to the Darknet and conduct transactions on the black market. In addition, there are anonymous browsers whose functions hide the webpage activities of users. Although these browsers cannot be used to connect to the Darknet directly, they let a criminal connect to the Internet anonymously and hide all criminal activities. Therefore, the investigation of digital evidence from the usage records of anonymous browsers is full of critical challenges. In this paper, we demonstrate how tools and programs can be used in the forensic analysis of anonymous browsers. There are six anonymous browsers in our experiments: Epic Privacy Browser, Secure Browser, Comodo Dragon, SRWare Iron, Dooble, and Maxthon. The experimental results show the capability of those tools and programs in the investigation of digital evidence.

Keywords: anonymous browser forensics, anti-forensics, digital evidence, digital forensics, webpage activity forensics

Introduction

With the growth in the awareness of personal Internet privacy protection, the concept of the secure browser attracts people's attention. Commercial web browsers (such as Chrome, IE, and others) have developed a series of security functions (such as incognito mode, URL filtering, download protection, and non-tracking) to comply with personal privacy protection requirements. To an extent, these browsers can be termed "secure" browsers [1]. From the users' point of view, the more browser anonymity functions we use, the more privacy protection we obtain. However, this causes more difficulties for criminal investigation if criminals use browsers with highly anonymous and secure functions to commit crimes.

Internet crime has become a serious problem. Criminals use the Darknet and the underground black market to provide Crimeware-as-a-Service (CaaS). Users can also use the Tor browser with incognito functions to connect to the Darknet and conduct transactions on the underground black market. There are other browsers with incognito functions, such as Epic Privacy Browser, Secure Browser, Comodo Dragon, SRWare Iron, Dooble, and Maxthon. Although these browsers cannot connect to the Darknet, they let users connect to the Internet anonymously and hide all criminal activities.

Bursztein et al. conducted automatic security measurement on the private browsing modes of four popular browsers (Chrome, Firefox, IE, and others), and found that the extensions and plugins of these browsers might damage private browsing security [2]. Mahendrakar et al. analyzed the activity records of browsers. They found some data available for tracing even under the privacy mode [3]. Said et al. investigated the effectiveness of private browsing mode features in three widely used browsers, and outlined their investigation method for criminal activities. They proposed a three-phase analysis method. The first phase is to use a special forensic tool to check the common places where browser history and cached records are stored. The second phase is to check the other locations of disk storage space on the local machine. The last phase is to capture physical memory (RAM) and analyze the artifacts of browsers [4]. Ohana and Shashidhar found residual artifacts of several popular browsers from portable and private browsing sessions. They argued that it is possible to find traces in physical memory (RAM), slack/free space, and certain areas of the file system with a specific forensic tool [5]. Ghafarian and Seno showed how to use forensic methodologies and tools to examine the artifacts left in volatile memory after a private browsing session [6]. They recovered browsing evidence related to the IE browser from the file system. Flowers et al. partially reconstructed the private browsing session evidence from physical memory (RAM), hibernation and page files, which are the key areas [7]. Shafqat used various forensic tools and techniques to reconstruct the private browsing activity of the Google Chrome browser in Windows 8 [8]. Warren et al. conducted forensic acquisition and analysis of the Browzar browser, a browser that emphasizes privacy preservation. They compared it with other popular anonymous browsers [9].

From previous work, we can see that the current research on the popular anonymous browsers is very comprehensive and complete. However, research on less-popular anonymous browsers has attracted less attention. In this paper, we focus our study on six less-popular anonymous browsers (with incognito functions): Epic Privacy Browser Version 40.0.2214.91, Secure Browser Version 57.0.441.112, Comodo Dragon Version 55.0.2883.59, SRWare Iron Version 57.0.3000.0, Dooble Version 1.56c, and Maxthon Version 5.0.2.2000.

Our experiments are based on the digital forensic procedure of evidence identification, evidence extraction and collection, evidence analysis, and reporting and presentation. Our analysis tools (e.g. file system monitor and network packet monitor) are installed on a virtual machine based on VMware Workstation. For each browser, the normal and private browsing sessions are observed and analyzed in four aspects: files and folders, system registry, network packets, and physical memory.

*Corresponding author: Szu-Yuan Teng, Taipei City Field Office, Investigation Bureau, Ministry of Justice. E-mail: [email protected]

Methods

Anonymous Browsers

In this paper, we focus on six anonymous browsers which are common in practical cases: Epic Privacy Browser, Secure Browser, Comodo Dragon, SRWare Iron, Maxthon, and Dooble. Each of them emphasizes unique anonymity and privacy protection features that allow users to hide their webpage activities. The first five browsers are based on the Chromium technology, which can eliminate usage tracking and other privacy-compromising functions that are included in the Chrome browser. These anonymous browsers have their own specific features, which differ from Chrome. The last browser, Dooble, utilizes the Qt technology, which has stronger anonymity than Chromium-based browsers.

Epic Privacy Browser is based on Chromium. It blocks every conceivable place that can cause privacy leaks, and maximizes privacy. Session data, such as cookies and tracking data, are deleted at the end of each session. All search processes are conducted through its own server, which attempts to prioritize SSL connections to the maximum extent [10]. Secure Browser provides secure browsing, private browsing, non-tracking, privacy removal, HTTPS encryption, and a series of safety and incognito functions [11]. Comodo Dragon is a free browser based on Chromium. Its browser interface is similar to Google Chrome but without functions that may potentially threaten privacy [12]. SRWare Iron is another free browser based on the Chromium framework. This browser provides similar functions to Chrome [13]. Dooble is a streamlined Chromium-based cross-platform (Windows, OS X, and others) browser that can disable non-secure interfaces such as Flash and Javascript in its default state. It blocks third-party cookies in iFrames and provides an innovative function that can use various ciphers and passphrases to encrypt all contents (bookmarks, browsing preferences, and history) [14]. Maxthon is an all-new HTML5-compatible browser. Its unique incognito mode can provide secure browsing without leaving any traces [15].

Our goal is to provide an analysis reference for criminal investigators. When they want to find criminal activities (such as online drug trafficking or cryptocurrency purchasing for money laundering) in anonymous browsers, the reference can help them choose proper forensic tools. In our experiments, we use some well-known forensic tools (in the next subsection) to identify traces of anonymous browsing activities after using the unique anonymous features provided by these browsers. We also analyze and compare the difference in the stored digital evidence between non-incognito mode operations (which can remove the browsing history) and incognito mode operations of the six anonymous browsers.

Digital Forensic Methods

We use the X-Ways Forensics software to conduct the integration analysis and record the virtual machine file systems. Data from four sources (files and folders, system registry, network packets, and memory) were used for observation and differential analysis to identify possible file paths of residual forensic information or feature items that can be useful for forensic examination. We used the following tools to collect data: SysTracer Version 2.1.0 for the comparison of relevant records (registry keys and registry location), Disk Pulse Version 8.2.16 for observing and recording changes in folders and files, Wireshark Version 2.4.6 for capturing and analyzing network packets, Process Hacker Version 2.39 for capturing browser memory, and the Capture Memory function of FTK Imager Version 3.1.0 for capturing virtual machine memory. Fig. 1 shows the digital forensic process for anonymous browsers.

Fig. 1 The digital forensic process for anonymous browsers.

Results and Discussions

From the experimental results, we can find residual digital evidence in several regions: the files and folders in the file system, system registry keys, browser execution programs and the network ports used for connection, random access memory, and browser execution memory. Although these six browsers use different incognito functions and frameworks, they still store the browsing information and records in the browser memory. Before we terminate the browser program, it is possible for us to identify and recover some browsing records and data in the incognito mode. We show some important forensic items for the six browsers with incognito functions in Table 1.

Table 1 Important forensic items for the six browsers with incognito functions.

(a) Data analysis of browser files

Epic Privacy Browser
  Important files and folders: Files: Cookies, Login Data, Preferences, Secure Preferences, Bookmarks; Folder: Local Storage
  Important storage path: \Users\User Account\AppData\Local\Epic Privacy Browser\User Data\Default

Secure Browser
  1. Files: Cookies, Web Data, Login Data, Preferences, Shortcuts, Top Sites, Network Action Predictor, Bookmarks, previews_opt_out.db; Folders: Local Storage, databases
     Path: \Users\User Account\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\
  2. Files: Safe Browsing Cookies, Safe Browsing Download; Folder: CertificateTransparency
     Path: \Users\User Account\AppData\Local\Safer Technologies\Secure Browser\User Data\

Comodo Dragon Browser
  1. Files: Cookies, Web Data, Favicons, Login Data, Preferences, Shortcuts, Top Sites, Network Action Predictor; Folders: Local Storage, Session Storage, Databases, Cache
     Path: \Users\User Account\AppData\Local\Comodo\Dragon\User Data\Default\
  2. Files: Safe Browsing Cookies, Safe Browsing Download; Folder: CertificateTransparency
     Path: \Users\User Account\AppData\Local\Comodo\Dragon\User Data\

SRWare Iron Browser
  1. Files: Cookies, Web Data, Favicons, Login Data, Preferences, Shortcuts, Top Sites, Network Action Predictor; Folders: Local Storage, databases, Cache, Session Storage, Media Cache
     Path: \Users\User Account\AppData\Local\Chromium\User Data\Default\
  2. Files: Safe Browsing Cookies; Folder: Certificate Transparency
     Path: \Users\User Account\AppData\Local\Chromium\User Data\

Dooble Browser
  Files: applications.db, cacheexceptions.db, cookies.db, downloads.db, favicons.db, history.db, preferences.db; Folders: Cache, Dooble
  Path: \Dooble\User Account\.dooble

Maxthon Browser
  1. Files: Cookies, Web Data, *.dat; Folders: Local Storage, databases, Application Cache, History, Favorite
     Path: \Users\User Account\AppData\Roaming\Maxthon5\Users\guest\
  2. Files: Cookies, Web Data; Folders: Local Storage, databases, Application Cache
     Path: \Users\User Account\AppData\Roaming\Maxthon5\Users\guest\Session\
  3. Files: *.dat; Folder: NewTab
     Path: \Users\User Account\AppData\Roaming\Maxthon5\Temp\
  4. All files
     Path: \Users\kan\AppData\Local\Temp\Maxthon3Cache\Temp\Webkit\Cache\

Forensic value (all six browsers): Identification of whether the user had installed and used this anonymous browser.

(b) Analysis of registry keys associated with browser

Epic Privacy Browser
  Important keys: DisplayName, DisplayVersion, InstallDate, InstallLocation
  Registry location: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Epic\
  Forensic value: Confirmation of whether Epic Privacy Browser is installed

Secure Browser
  Important keys: AppId, LastAccessedTime, LaunchCount
  Registry location: HKEY_USERS\S-1-5-21-3260109858-125348108-769363293-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{BBB8055F-9110-4435-8621-8D9062283332}\
  Forensic value: Confirmation of whether Secure Browser is installed

Comodo Dragon Browser
  Important keys: InstallDate, Version
  Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ComodoGroup\Dragon\
  Forensic value: Confirmation of whether Comodo Dragon Browser is installed

SRWare Iron Browser
  Important keys: DisplayName, DisplayVersion, Inno Setup: App Path, InstallDate, InstallLocation
  Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C59CF2CE-B302-4833-AA35-E0E07D8EBC52}_is1\
  Forensic value: Confirmation of whether SRWare Iron Browser is installed

Dooble Browser
  Important keys: AppId, LastAccessedTime, LaunchCount
  Registry location: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{765FD9D6-CC3D-4183-8CA7-7CC8B03AA9E0}\
  Forensic value: Confirmation of whether Dooble Browser is installed

Maxthon Browser
  Important keys: DisplayName, DisplayVersion, InstallDate, InstallLocation
  Registry location: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Maxthon5\
  Forensic value: Confirmation of whether Maxthon Browser is installed

(c) Network packet analysis

Epic Privacy Browser
  Browser program: Epic.exe
  Specific network connections: epicbrowser.net; www.epicsearch.in
  Specific ports opened: 4430, 80

Secure Browser
  Browser program: Secure.exe
  Specific network connections: client.securebrowser.com
  Specific ports opened: 443

Comodo Dragon Browser
  Browser program: Dragon.exe
  Specific network connections: download.comodo.com
  Specific ports opened: 80, 443

SRWare Iron Browser
  Browser program: chrome.exe
  Specific network connections: iron.start.me
  Specific ports opened: 80, 443

Dooble Browser
  Browser program: Dooble.exe
  Specific network connections: metager.de; alt1-safebrowsing.google.com
  Specific ports opened: 80, 443

Maxthon Browser
  Browser program: Maxthon.exe
  Specific network connections: pc-newtab.maxthon.com; l.maxthon.com
  Specific ports opened: 80, 443

Forensic value (all six browsers): Confirmation of whether this browser is used, and a benchmark for retrieving specific keywords in the memory.

(d) Analysis of random access memory and browser memory

Browser status (normal or incognito/private; whether specific websites are logged into): The browser is logged into specific websites, showing that its status is not logged out.
  Whether the account and password of a specific service can be found: The login account and passwords can be found in the browser execution program memory, and the password exists in cp950 or UTF-16 encoding.

Browser status: The browser displays that it has logged out of specific website services and the browser is not closed.
  Whether the account and password of a specific service can be found: The login account and passwords can be found in the browser execution program memory, and the password exists in cp950 or UTF-16 encoding.

Browser status: The browser is closed.
  Whether the account and password of a specific service can be found: From the random access memory data, we can find the login account for specific websites, but we are unable to obtain the clear-text password.

Forensic value (all three states): The account and clear-text password information that the user uses to log in to websites can be obtained. Data stored in specific websites can be obtained through the account and password.
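Most of the files in section (a) of Table 1 (Cookies, History, Login Data, Top Sites, Web Data) are SQLite databases with the standard Chromium schema, and they share one quirk: timestamps are microseconds since 1601-01-01 UTC, not Unix time. The script below is an added example, not the paper's own tooling or code from any of the six browsers: it opens History and Login Data read-only, converts the timestamps, and lists visits newest first. The profile directory layout and the sample rows are constructed for the demonstration; the real evidence files should be copied out of the image first, and password_value blobs are DPAPI-protected on Windows and are deliberately not decrypted here.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chromium stores times as microseconds since 1601-01-01 UTC (the WebKit/FILETIME epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    """Convert a Chromium timestamp to an aware datetime; 0 or NULL means 'never set'."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def _open_readonly(path):
    # mode=ro plus immutable=1: never create a journal or WAL file beside the evidence copy.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def read_history(profile_dir):
    """Visited URLs from <profile>/History (urls table), newest visit first."""
    con = _open_readonly(Path(profile_dir) / "History")
    try:
        rows = con.execute(
            "SELECT url, title, visit_count, last_visit_time "
            "FROM urls ORDER BY last_visit_time DESC"
        ).fetchall()
    finally:
        con.close()
    return [{"url": u, "title": t, "visits": v, "last_visit": webkit_to_datetime(lv)}
            for u, t, v, lv in rows]


def read_logins(profile_dir):
    """Saved-credential metadata from <profile>/Login Data (logins table)."""
    con = _open_readonly(Path(profile_dir) / "Login Data")
    try:
        rows = con.execute(
            "SELECT origin_url, username_value, date_created FROM logins"
        ).fetchall()
    finally:
        con.close()
    # password_value is DPAPI-encrypted on Windows and is not read here; the site and
    # account name already answer 'which service was this user logged in to'.
    return [{"origin": o, "username": u, "created": webkit_to_datetime(c)}
            for o, u, c in rows]


def build_sample_profile(profile_dir):
    """Constructed sample data (not from the paper) in the layout of a Chromium 'Default' profile."""
    profile_dir = Path(profile_dir)
    con = sqlite3.connect(profile_dir / "History")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [("https://example.com/market", "Example Market", 3, 13140000000000000),
         ("https://example.org/login", "Sign in", 1, 13140003600000000)])
    con.commit()
    con.close()
    con = sqlite3.connect(profile_dir / "Login Data")
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                "password_value BLOB, date_created INTEGER)")
    con.execute("INSERT INTO logins VALUES (?, ?, ?, ?)",
                ("https://example.org/login", "alice", b"\x01\x00\x00\x00constructed-blob",
                 13140003600000000))
    con.commit()
    con.close()


def demo():
    """Build the sample profile in a scratch directory and parse it; returns (history, logins)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return read_history(tmp), read_logins(tmp)


if __name__ == "__main__":
    history, logins = demo()
    for h in history:
        print(f"{h['last_visit']:%Y-%m-%d %H:%M:%S} UTC  {h['visits']:>3}x  {h['url']}")
    for entry in logins:
        print(f"{entry['created']:%Y-%m-%d %H:%M:%S} UTC  login '{entry['username']}' at {entry['origin']}")
```

The same reader works for the Secure Browser, Comodo Dragon and SRWare Iron paths in Table 1 because all three keep the Chromium schema; Dooble's history.db and cookies.db use Dooble's own tables and need their own queries.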
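The registry locations in section (b) of Table 1 can be checked offline against a .reg export of the relevant hives instead of on the live machine. The following Python script is an added example (not the paper's tooling): it parses the export format, decodes the string, dword and hex(b) value syntaxes, and resolves the two timestamp encodings the listed keys use, the yyyymmdd InstallDate string under Uninstall keys and the FILETIME LastAccessedTime under RecentApps. The key paths are those reported in Table 1 (HKLM abbreviations expanded; the Secure Browser key, which sits under a per-user SID in HKEY_USERS, is matched by suffix); the values in the sample export are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Registry locations reported in Table 1 (HKLM expanded). Matching is by path suffix so
# that HKEY_USERS\<SID>\... keys are found regardless of the SID of the examined profile.
BROWSER_KEYS = {
    "Epic Privacy Browser": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Epic",
    "Secure Browser": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{BBB8055F-9110-4435-8621-8D9062283332}",
    "Comodo Dragon Browser": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ComodoGroup\Dragon",
    "SRWare Iron Browser": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C59CF2CE-B302-4833-AA35-E0E07D8EBC52}_is1",
    "Dooble Browser": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{765FD9D6-CC3D-4183-8CA7-7CC8B03AA9E0}",
    "Maxthon Browser": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Maxthon5",
}


def _decode_value(raw):
    """Decode the value syntaxes of a .reg export: "string", dword:hex, hex(b):little-endian bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(b\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return int.from_bytes(data, "little") if raw.startswith("hex(b)") else data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} from a .reg export."""
    tree, key, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):              # long hex values wrap onto continuation lines
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = (line[1:-1].replace("HKLM\\", "HKEY_LOCAL_MACHINE\\")
                             .replace("HKCU\\", "HKEY_CURRENT_USER\\"))
            tree[key] = {}
            continue
        name, _, raw = line.partition("=")
        tree[key][name.strip('"')] = _decode_value(raw)
    return tree


def filetime_to_datetime(ft):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC (RecentApps\\LastAccessedTime)."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def browser_install_records(tree):
    """Match exported keys against BROWSER_KEYS and normalise the timestamps they carry."""
    found = []
    for browser, wanted in BROWSER_KEYS.items():
        for key, values in tree.items():
            if not key.lower().endswith(wanted.lower()):
                continue
            rec = {"browser": browser, "key": key}
            if "InstallDate" in values:       # Uninstall keys store yyyymmdd as a string
                rec["installed"] = datetime.strptime(str(values["InstallDate"]), "%Y%m%d").date().isoformat()
            if "LastAccessedTime" in values:  # RecentApps keys store a FILETIME in hex(b)
                rec["last_accessed"] = filetime_to_datetime(values["LastAccessedTime"]).isoformat()
            for name in ("DisplayName", "DisplayVersion", "Version", "LaunchCount", "AppId"):
                if name in values:
                    rec[name] = values[name]
            found.append(rec)
    return found


# Constructed sample export (values invented; key paths from Table 1). The FILETIME is
# 2017-06-15T00:00:00Z, written as the little-endian hex(b) bytes regedit would emit.
_LAST_ACCESS = (1497484800 + 11644473600) * 10**7
_LAST_ACCESS_HEX = ",".join(f"{b:02x}" for b in _LAST_ACCESS.to_bytes(8, "little"))
SAMPLE_EXPORT = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Maxthon5]
"DisplayName"="Maxthon"
"DisplayVersion"="5.0.2.2000"
"InstallDate"="20170615"
"InstallLocation"="C:\\\\Program Files (x86)\\\\Maxthon5"

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Search\\RecentApps\\{{765FD9D6-CC3D-4183-8CA7-7CC8B03AA9E0}}]
"AppId"="C:\\\\Dooble\\\\Dooble.exe"
"LaunchCount"=dword:00000003
"LastAccessedTime"=hex(b):{_LAST_ACCESS_HEX}
"""


def scan_sample():
    return browser_install_records(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for rec in scan_sample():
        print(rec)
```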

Except for the Epic Privacy Browser (with default settings), we can set the incognito functions on or off in the other five browsers. Table 2 presents the analysis results of the browser incognito functions, the non-incognito modes (which can remove browsing history), and the forensic methods for the incognito modes in the browsers.

Table 2 Digital evidence data of the browsers with incognito functions.

Name of browser with incognito functions
  Epic Privacy Browser; Secure Browser; Comodo Dragon Browser; SRWare Iron Browser; Dooble Browser; Maxthon Browser

Browser version and technology used for engine
  Epic Privacy Browser: Version 40.0.2214.91; based on Chromium technology; Engine: WebKit
  Secure Browser: Version 57.0.441.112; based on Chromium technology; Engine: WebKit
  Comodo Dragon Browser: Version 55.0.2883.59; based on Chromium technology; Engine: WebKit
  SRWare Iron Browser: Version 57.0.3000.0; based on Chromium technology; Engine: WebKit
  Dooble Browser: Version 1.56c; based on Qt technology; Engine: WebKit
  Maxthon Browser: Version 5.0.2.2000; based on Chromium and IE technology; Engines: WebKit and IE

Analysis of incognito functions in browser
  Epic Privacy Browser: Default incognito mode, no normal mode
  Secure Browser: 1. Normal mode; 2. Private Browsing mode; 3. Session mode
  Comodo Dragon Browser: 1. Normal mode; 2. Incognito mode
  SRWare Iron Browser: 1. Normal mode; 2. Incognito mode
  Dooble Browser: 1. Normal mode; 2. Private mode
  Maxthon Browser: 1. Normal mode; 2. Private mode

Percentage of evidence that can be collected from the memory (all six browsers)
  1. Website content (including images) of the websites browsed
  2. History, Cookie, Download, Search, and other information
  3. Account and password for logging into websites (do not exist when the browser is closed, but passwords for some cloud services can still be found in the memory and are not erased after the Maxthon browser is opened)
  4. The percentage of evidence retained differs according to the browser usage

Forensic methods for browser non-incognito mode operations (which can remove browsing history) (all six browsers)
  1. Collect browser History, Cache, and Cookie
  2. Collect database records stored by browsers in SQLite DB files such as Login Data, Shortcuts, Top Sites, and Web Data
  3. Collect search keywords and information
  4. Browser temporary storage
  5. Registry keys
  6. Memory data
  7. Unallocated space data

Forensic methods for browser incognito mode operations (all six browsers)
  1. When the browser is not opened, capture the browser memory for analysis. Epic Privacy Browser, Secure Browser, Comodo Dragon, SRWare Iron, and Maxthon anonymous browsers have a main program during browser execution, whereas Dooble has only one program. All programs should be fully captured to avoid omissions.
  2. When the browser is opened, capture random access memory, pagefile.sys, Hyberfil.sys, and unallocated space for analysis
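Table 2 states that login names survive in browser process memory and in RAM, and Table 1 that the strings appear in cp950 or UTF-16 encoding; a plain ASCII string search over the capture therefore misses part of the evidence. The following Python example is added here and is not from the paper: it scans a memory dump for a known account name under each of those encodings, reports the offset and surrounding context of every hit, keeps the context window aligned for UTF-16, and avoids double-reporting when two encodings produce identical bytes (cp950 and ASCII agree on Latin characters). The memory buffer is a constructed stand-in of a few hundred bytes, not a real capture.

```python
# Encodings in which the paper found credential strings in browser memory (Table 1).
ENCODINGS = ("ascii", "utf-16-le", "cp950")


def find_keyword(buf, keyword, context=24):
    """Locate `keyword` in `buf` under each encoding; hits are grouped by encoding, then by offset."""
    hits, seen = [], set()
    for enc in ENCODINGS:
        try:
            needle = keyword.encode(enc)
        except UnicodeEncodeError:
            continue                       # e.g. a CJK keyword has no ASCII form
        if needle in seen:
            continue                       # cp950 == ASCII for Latin text: report once
        seen.add(needle)
        start = 0
        while (idx := buf.find(needle, start)) != -1:
            lo = max(0, idx - context)
            if enc == "utf-16-le" and (idx - lo) % 2:
                lo += 1                    # keep the window on a 2-byte boundary relative to the hit
            hi = min(len(buf), idx + len(needle) + context)
            hits.append({
                "encoding": enc,
                "offset": idx,
                "context": buf[lo:hi].decode(enc, errors="replace"),
            })
            start = idx + 1
    return hits


# Constructed stand-in for a browser process memory dump (not a real capture): the same
# account name appears as an ASCII form body, as a UTF-16LE wide string, and inside cp950 page text.
SAMPLE_MEMORY = (
    b"\x00" * 8
    + b"POST /session HTTP/1.1\r\n\r\nuser=alice&remember=1"
    + b"\x00" * 4
    + "login=alice".encode("utf-16-le")
    + b"\x00" * 6
    + "帳號:alice".encode("cp950")          # "account:" in traditional Chinese, Big5/cp950 encoded
    + b"\xff" * 8
)


def scan_sample(keyword="alice"):
    return find_keyword(SAMPLE_MEMORY, keyword)


if __name__ == "__main__":
    for h in scan_sample():
        print(f"{h['encoding']:>9} @ 0x{h['offset']:04x}: {h['context']!r}")
```

On a real capture the same function is applied to the process dump taken with Process Hacker or to the FTK Imager memory image, with the account names from the Login Data or Cookies artifacts as keywords; the offsets then tell the examiner which process region held the session.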

In summary, we can find digital evidence in several regions, such as SQLite database files (History, Cache, Cookie, Login Data, Shortcuts, Top Sites, Web Data), search keyword and bookmark information, browser temporary storage files, system registry keys, random access memory, server execution memory, pagefile.sys, Hyberfil.sys, and unallocated space. The browsers with incognito functions possess anti-forensic ability and present a significant challenge for forensic analysis. However, if the browser memory content can be extracted by forensic tools expeditiously, we still have a chance to obtain and extract the Internet information and records that a user has previously browsed.

Conclusions

In this paper, we use experiments to investigate the digital evidence items in six anonymous browsers with incognito functions. We demonstrate how tools and programs can be used to analyze them and collect digital evidence. The experimental results show the capability of those tools and programs in the inspection of crimes that employ these anonymous browsers.

References

1. The best secure browsers 2018. Retrieved from http://www.techworld.com/security/best-8-secure-browsers-3246550/.
2. Gaurav A, Bursztein E, Jackson C, Boneh D. An analysis of private browsing modes in modern browsers. USENIX Security'10: Proceedings of the 19th USENIX Conference on Security, Washington, DC, 11-13 August 2010.
3. Mahendrakar A, Irving J, Patel S. Forensic analysis of private browsing mode in popular browsers. In Proceedings of the USENIX Security Symposium, 2010.
4. Said H, Mutawa NAI, Awadhi IAI, Guimaraes M. Forensic analysis of private browsing artifacts. Published in International Conference on Innovations in Information Technology, 197-202, Abu Dhabi, United Arab Emirates, 25-27 April 2011.
5. Ohana D-J, Shashidhar N. Do private and portable web browsers leave incriminating evidence? A forensic analysis of residual artifacts from private and portable web browsing sessions. EURASIP Journal on Information Security 2013; 6.
6. Ghafarian A, Seno S-A-H. Analysis of privacy of private browsing mode through memory forensics. International Journal of Applications, 2015; 132.
7. Flowers C, Mansour A, Khateeb H-M-AI. Web browser artefacts in private and portable modes: a forensic investigation. International Journal of Electronic Security and Digital Forensics, 2016; 8:99-117.
8. Shafqat N. Forensic investigation of user's web activity on Google Chrome using various forensic tools. IJCSNS, 2016; 16:123.
9. Warren C, Sheikh E-EI, Khac N-A-Le. Privacy preserving Internet browsers: forensic analysis of Browzar. In Computer and Network Security Essentials, ed: Springer, 2018:369-88.
10. Epic Privacy Browser Home (2017). Epic Privacy Browser, a secure chromium-based browser that protects your privacy and browsing history, a free VPN privacy browser. Retrieved 1 June 2017, from https://www.epicbrowser.com/.
11. Secure Browser Home (2017). Secure Browser: fast, secure, private web browser. Retrieved 15 June 2017, from https://www.securebrowser.com/.
12. Comodo Dragon Browser (2017). Secure web browser: fastest free Dragon browser from Comodo. Retrieved 15 June 2017, from https://www.comodo.com/home/browsers-toolbars/browser.php.
13. SRWare Iron Browser Home (2017). SRWare Iron: the browser of the future. Retrieved 15 June 2017, from https://www.srware.net/en/software_srware_iron.php.
14. Dooble Home (2017). Dooble Web Browser. Retrieved 15 June 2017, from http://dooble.sourceforge.net/.
15. Maxthon Browser Home (2017). Maxthon 5 all-new release, supported free entire platform download. Retrieved 15 May 2017, from http://www.maxthon.cn/.