Project Spartan Forensics

Transcription

Project Spartan Forensics
Faculty of Physics, Mathematics and Informatics
Graduate School of Informatics
System and Network Engineering MSc
Project Spartan Forensics
Cybercrime and Forensics
James Gratchoff
james.gratchoff@os3.nl
Guido Kroon
guido.kroon@os3.nl
April 10, 2015
Introduction
Web browsing activity is a major source of information in forensics investigation [2]. Many open-source
and proprietary software already exists to perform forensic investigation on the top leading web browsers.
These forensic tools depend on the architecture of the web browsers and thus need to adapt their code
to new versions or new browsers.
Microsoft is moving away from their traditional web browser, called Internet Explorer, and launches
a new web browser codenamed Spartan, which will be shipped by default on Windows 10. The web
browser is using the new Edge engine, which is a fork from their former Trident engine that Internet
Explorer is based on.
The purpose of this project is to gather information about new artifacts that project Spartan leaves
behind on workstations. If time permits an open source tool to analyse these artifacts will be created as
a proof of concept.
Significance and motivation
As Spartan is a newly developed browser, it is interesting to research its artifacts it leaves on workstations,
especially if more and more people will start using it when Windows 10 releases, which is scheduled for
release next summer. Therefore, this new information may attribute to the digital forensic community
and will soon be needed for investigations, ideally in an automated way by demonstrating this with a
tool, based on the new findings during this project.
Research questions
The overall discussion of the problem derived the following research question:
What and where are the artifacts Spartan leaves behind on workstations, and how can these artifacts be
gathered for further analysis to serve as forensic evidence?
1
The above research question can be divided into the following research sub-questions:
1. As Spartan’s Edge engine is forked from its predecessor’ Trident engine used in Internet Explorer,
how much does Spartan differ from its predecessor and to what extent can existing forensic toolkits
for browsers still gather these artifacts by the way it gathers artifacts for Internet Explorer?
2. Can a tool be developed, based on the gathered results, in order to gather the artifacts of the Spartan
web browser in an automated way?
Related work
No forensic research on Windows 10 or the Spartan project have been published yet. However, there
is much related work about web browser forensics in general. Marrington et al have described and
researched [1] how portable browsers are used as a means to improve privacy. They found that Google
Chrome Portable for example, still leaves web browsing activity artifacts on the host system’s storage.
Private browsing has also become popular to increase privacy while browsing. Using privacy browsing,
the browser will not store any browsing activity during the session. Said et al have researched [3]
Microsoft’s Internet Explorer, as well as Mozilla Firefox and Google Chrome regarding their privacy
browsing features. Google Chrome and Mozilla Firefox do a better job hiding their private browsing
data, while Internet Explorer seems to leave evidence ”all over the hard drive”.
Research showed that the most used web browser forensic tools are:
Open source
Odessa (IE)
Mandiant Web historian
Cache view (for web caches-works with Chrome, IE, Mozilla, Netscape, Opera)
Foxanalysis (Web history- Mozilla)
Hindsight (Web history - Chrome)
Closed source
Encase
FTK
SiQuest IXTK
Table 1: Web browser forensic tools
Scope
This project will look into the Spartan web browser, running on the latest Technical Preview build
10051, and possibly also on the latest Internet Explorer that is still running the Trident engine1 to see
how artifacts differ from each other. It should be noted that the current Spartan web browser is still in
development and is therefore subject to change over time. The results of this project may therefore also
differ from gathering artifacts of the final version of Spartan that is being shipped with Windows 10.
Approach and methodology
Firstly, top leading forensic tools will be investigated to see what type of browser information they gather.
Secondly, the authors will try to find where these type of information resides on the Spartan browser.
Moreover, other type of information will try to be found and analysed.
Planning
This project spans five weeks, and will be planned as follows:
1 Internet Explorer 11 uses both Trident and Edge for backwards compatibility, which will therefore be omitted during
this project.
2
Week
Week 1
Date
Apr 13 - May 19
Week 2
Week 3
Apr 20 - Apr 26
Apr 27 - May 03
Week 4
May 04 - May 10
Week 5
Week 6
Week 7
May 11 - May 17
May 18 - May 24
May 25 - May 31
Description
Investigate existing tools and deploying the
test environment.
Investigate Spartan’s artifacts
Comparing Spartan artifacts to Internet Explorer and research how current forensic toolkits handle Spartan by making use of its gathering features for Internet Explorer.
Create automated tool for gathering artifacts
based on previous results.
Report
Report and presentation
Project presentation on May 29 and finalising
report. Report submit deadline Sunday May
31 at midnight.
Table 2: Planning.
Expected results
Expected results are to find all the previous information gathered by other top browser forensic tools
and investigating if new artifacts can be found. Moreover if time permits an open source tool to analyse
the data gathered will be created.
Ethical concerns
Currently, there are no ethical concerns found for this project. However, if this does become the case,
the Ethical Committee of OS3 will be signaled immediately, at which point all discoveries during the
course of this project will be responsibly disclosed.
References
[1] Andrew Marrington, Ibrahim Baggili, T Al Ismail, and A Al Kaf. Portable web browser forensics:
A forensic examination of the privacy benefits of portable web browsers. In Computer Systems and
Industrial Informatics (ICCSII), 2012 International Conference on, pages 1–6. IEEE, 2012.
[2] Junghoon Oh, Seungbong Lee, and Sangjin Lee. Advanced evidence collection and analysis of web
browser activity. digital investigation, 8:S62–S70, 2011.
[3] Huwida Said, Noora Al Mutawa, Ibtesam Al Awadhi, and Mario Guimaraes. Forensic analysis
of private browsing artifacts. In Innovations in information technology (IIT), 2011 International
conference on, pages 197–202. IEEE, 2011.
3