Project Spartan Forensics
Faculty of Physics, Mathematics and Informatics
Graduate School of Informatics
System and Network Engineering MSc
Cybercrime and Forensics

James Gratchoff (james.gratchoff@os3.nl)
Guido Kroon (guido.kroon@os3.nl)
April 10, 2015

Introduction

Web browsing activity is a major source of information in forensic investigations [2]. Much open-source and proprietary software already exists to perform forensic investigations on the leading web browsers. These forensic tools depend on the architecture of the web browsers, so their code has to be adapted to new versions and new browsers. Microsoft is moving away from its traditional web browser, Internet Explorer, and is launching a new web browser codenamed Spartan, which will be shipped by default on Windows 10. The browser uses the new Edge engine, a fork of the Trident engine that Internet Explorer is based on. The purpose of this project is to gather information about new artifacts that Project Spartan leaves behind on workstations. If time permits, an open source tool to analyse these artifacts will be created as a proof of concept.

Significance and motivation

As Spartan is a newly developed browser, it is interesting to research the artifacts it leaves on workstations, especially if more and more people start using it when Windows 10 is released, which is scheduled for next summer. This new information may therefore contribute to the digital forensic community and will soon be needed for investigations, ideally in an automated way, which will be demonstrated with a tool based on the findings of this project.

Research questions

The overall discussion of the problem led to the following research question:

What and where are the artifacts Spartan leaves behind on workstations, and how can these artifacts be gathered for further analysis to serve as forensic evidence?
The above research question can be divided into the following research sub-questions:

1. As Spartan's Edge engine is forked from its predecessor's Trident engine used in Internet Explorer, how much does Spartan differ from its predecessor, and to what extent can existing forensic toolkits for browsers still gather these artifacts in the way they gather artifacts for Internet Explorer?
2. Can a tool be developed, based on the gathered results, in order to gather the artifacts of the Spartan web browser in an automated way?

Related work

No forensic research on Windows 10 or the Spartan project has been published yet. However, there is much related work about web browser forensics in general. Marrington et al. have described and researched [1] how portable browsers are used as a means to improve privacy. They found that Google Chrome Portable, for example, still leaves web browsing activity artifacts on the host system's storage. Private browsing has also become popular as a way to increase privacy while browsing. In private browsing mode, the browser will not store any browsing activity during the session. Said et al. have researched [3] Microsoft's Internet Explorer, as well as Mozilla Firefox and Google Chrome, regarding their private browsing features. Google Chrome and Mozilla Firefox do a better job of hiding their private browsing data, while Internet Explorer seems to leave evidence "all over the hard drive".
Research showed that the most used web browser forensic tools are:

| Open source | Closed source |
|---|---|
| Odessa (IE) | Encase |
| Mandiant Web historian | FTK |
| Cache view (for web caches; works with Chrome, IE, Mozilla, Netscape, Opera) | SiQuest IXTK |
| Foxanalysis (web history, Mozilla) | |
| Hindsight (web history, Chrome) | |

Table 1: Web browser forensic tools

Scope

This project will look into the Spartan web browser, running on the latest Technical Preview build 10051, and possibly also into the latest Internet Explorer that is still running the Trident engine¹, to see how the artifacts differ from each other. It should be noted that the current Spartan web browser is still in development and is therefore subject to change over time. The results of this project may therefore differ from the artifacts gathered from the final version of Spartan that is shipped with Windows 10.

¹ Internet Explorer 11 uses both Trident and Edge for backwards compatibility, which will therefore be omitted during this project.

Approach and methodology

Firstly, leading forensic tools will be investigated to see what type of browser information they gather. Secondly, the authors will try to find where these types of information reside in the Spartan browser. Moreover, the authors will try to find and analyse other types of information.

Planning

This project spans five weeks, and will be planned as follows:

| Week | Date | Description |
|---|---|---|
| Week 1 | Apr 13 - May 19 | Investigate existing tools and deploying the test environment. |
| Week 2 | Apr 20 - Apr 26 | Investigate Spartan's artifacts. |
| Week 3 | Apr 27 - May 03 | Comparing Spartan artifacts to Internet Explorer and research how current forensic toolkits handle Spartan by making use of its gathering features for Internet Explorer. |
| Week 4 | May 04 - May 10 | Create automated tool for gathering artifacts based on previous results. |
| Week 5 | May 11 - May 17 | Report |
| Week 6 | May 18 - May 24 | Report and presentation |
| Week 7 | May 25 - May 31 | Project presentation on May 29 and finalising report. Report submit deadline Sunday May 31 at midnight. |

Table 2: Planning.

Expected results

The expected results are to find all the information that other leading browser forensic tools already gather and to investigate whether new artifacts can be found. Moreover, if time permits, an open source tool to analyse the gathered data will be created.

Ethical concerns

Currently, no ethical concerns have been found for this project. However, if this does become the case, the Ethical Committee of OS3 will be informed immediately, at which point all discoveries made during the course of this project will be responsibly disclosed.

References

[1] Andrew Marrington, Ibrahim Baggili, T. Al Ismail, and A. Al Kaf. Portable web browser forensics: A forensic examination of the privacy benefits of portable web browsers. In Computer Systems and Industrial Informatics (ICCSII), 2012 International Conference on, pages 1–6. IEEE, 2012.

[2] Junghoon Oh, Seungbong Lee, and Sangjin Lee. Advanced evidence collection and analysis of web browser activity. Digital Investigation, 8:S62–S70, 2011.

[3] Huwida Said, Noora Al Mutawa, Ibtesam Al Awadhi, and Mario Guimaraes. Forensic analysis of private browsing artifacts. In Innovations in Information Technology (IIT), 2011 International Conference on, pages 197–202. IEEE, 2011.