Browser Forensics

Mozilla Firefox browser upgrade taken offline due to vulnerability

The latest version of Mozilla’s Firefox browser has been taken offline after a security vulnerability was discovered.  Users who had upgraded to version 16 were advised to downgrade to the previous safe release until Firefox developers released a fix.


The vulnerability allowed “a malicious site to potentially determine which websites users have visited”, Mozilla said.  The non-profit company said that only a “limited number of users are affected”.  The download had been taken offline within a day of its initial release, the organisation’s UK spokesman said.

He added that no users had been upgraded automatically to the new version.  In a blog post, Mozilla’s director of security assurance Michael Coates said a fix was being worked on and should be expected on Thursday.  “At this time we have no indication that this vulnerability is currently being exploited in the wild,” he added.  “Firefox 16 has been temporarily removed from the current installer page and users will automatically be upgraded to the new version as soon as it becomes available.


“As a precaution, users can downgrade to version 15.0.1 by following these instructions. Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability.”  Firefox was one of the three leading web browsers, with more than 450 million users worldwide, Mozilla said.


In recent months, various figures suggested Chrome had overtaken Firefox’s market share, pushing the Mozilla Foundation’s flagship product into third place in the browser race.

Firefox ‘new tab’ feature exposes users’ secured info

According to The Register, privacy-conscious users have sounded the alarm after it emerged the “New Tab” thumbnail feature in Firefox 13 is “taking snapshots of the user’s HTTPS session content”. 

The thumbnail-capturing capability was actually introduced in Firefox v12 without users being told; however, v12 provides no way to display the thumbnails. Firefox v13 displays them when a new tab is opened.

NetAnalysis v1.54 can extract Mozilla Firefox Thumbnail Images

We added the ability to extract these thumbnail images (stored in the cache) to NetAnalysis v1.54.  See the following for further information on moz-page-thumb entries.

http://kb.digital-detective.co.uk/display/NetAnalysis1/Firefox+moz-page-thumbs

NetAnalysis v1.54 Released

We are pleased to announce the release of NetAnalysis v1.54. This version brings a number of new features as well as providing some improvements to existing features. There have been many changes to the top five browsers over the past few months; NetAnalysis v1.54 supports all of the latest versions of Google Chrome, Mozilla Firefox, Opera, Microsoft Internet Explorer and Apple Safari.


Digital Detective NetAnalysis Supports Mozilla Firefox - Google Chrome - Microsoft Internet Explorer - Apple Safari - Opera

Overview

In this release we have added a number of new features and improvements. Please see the Change Log for a full list of changes, which should assist with feature testing and validation. NetAnalysis v1.54 has been tested against all the current release versions of supported browsers. Please see the following list:

The corresponding version of HstEx for this release of NetAnalysis is HstEx v3.8. HstEx v3.8 uses an updated file format which can only be opened in NetAnalysis v1.54 and above.

Mozilla Firefox

Since the release of NetAnalysis v1.53, we have seen some significant changes in the world of browser forensics. Mozilla has committed to a more aggressive release schedule for the Firefox web browser. There were nearly three years between the launch of Firefox 3 and Firefox 4; versions 5 to 12, however, were released within a matter of months. This has been a technical challenge from a support point of view, as many artefacts have changed during these releases. We are pleased to report that NetAnalysis now supports all versions of Mozilla Firefox from version 1 through to the current release, Firefox version 12.

Firefox moz-page-thumbs

Firefox v13 will bring a slightly new look to some parts of the browser. Both the New Tab and the Home Page have been redesigned. The New Tab page now has links to your most recently and frequently visited sites which looks more or less just like Opera’s Speed Dial, which Chrome also mimics.

Figure 1: Firefox Version 13 Speed Dial

Some of this functionality has been added to Firefox v12 in anticipation of the release of Firefox v13. Whilst Firefox v12 does not show the new Speed Dial page when a new tab is opened, the page thumbnails are still saved to the cache when a page is visited. The URL portion of the cache entry looks like this:

Figure 2: Mozilla Firefox moz-page-thumb cache entry

We have added additional support to HstEx to recover these entries as part of the Firefox cache recovery. NetAnalysis v1.54 also supports these cache entries, with the added bonus of being able to extract the page-thumb file (which is usually stored in PNG format). Read more about Firefox Version 13.

These thumbnails can easily be exported and reviewed by the investigator. Using the new ‘Export/Rebuild Current Filtered Cache Items’ feature added to NetAnalysis v1.54, the thumbnail entries can be filtered and then the actual PNG thumbnail files can be exported from the cache. To filter the records, search for “moz-page-thumb” across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items. The thumbnail files can then be examined from the “Extracted Files/PNG” folder.

Firefox moz_formhistory

We have added support to import data from the ‘moz_formhistory’ table. This contains artefacts relating to web form completion.

Figure 3: Digital Detective NetAnalysis Form History Example

The screen shot in Figure 3 shows an example where the browser user opened a ZIP attachment whilst viewing Google Mail; they then created a draft email using the subject line “Some research I’ve done”.

Figure 4: Digital Detective NetAnalysis Form History Example, Google Account Sign-Up

The screen shot in Figure 4 shows the user creating a new Google Mail account. It also takes the user through the question and answer fields which are required to create a new account. Although the details in this image have been redacted, you can see the field names which have been completed as part of the process. These artefacts, when viewed in context, can provide some very interesting information.


Google Chrome

We have added significant extra functionality for Google Chrome artefacts. Chrome maintains a number of SQLite databases for data storage, and NetAnalysis v1.54 now extracts data from most of the significant databases.


History Index YYYY-MM c2body

We have added support for Google Chrome Page Content (c2body). Chrome’s history system keeps a full text index for each page the user visits, making it easy to find pages based on their content, not just title and URL. The user’s history is exposed through the History page, accessible via the Tools menu, or by pressing Ctrl+H. A user may also directly search their history by typing a search query in the address bar and selecting the “See all pages in history containing [query]” item that appears if any results match the entered query.

When a user visits a page, the textual contents (those actually shown on screen) are stripped out and stored in the ‘History Index YYYY-MM’ database files (one file per month). NetAnalysis v1.54 allows the examiner to extract all of this information in one simple operation. The text files generated have been shown to contain potentially important information including Facebook and webmail data.

The text page content can be extracted by selecting Tools » Export Google Chrome c2body.

Figure 5: Digital Detective NetAnalysis Google Chrome c2body Extraction

Page Transitions

Google Chrome stores a transition value which identifies the type of transition between pages. These are stored in the history database to separate visits, and are reported by the renderer for page navigations. NetAnalysis now extracts and decodes the page transition value and displays the transitions in the ‘Status’ column. By examining the page transitions, it is possible to see how a user landed on a page. To understand the meaning of each transition, please see Page Transitions.
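As an added example (not NetAnalysis code), the following Python decodes transition values the way the ‘Status’ column described above does: the low byte of the value is the core navigation type and the upper bits are qualifier flags, using Chrome’s public PageTransition constants. The History schema is cut down to the columns needed, the visits are constructed, and `from_visit` is followed to show which page the user came from.

```python
"""Decode Google Chrome page-transition values from a History database.

Added example, not NetAnalysis code.  The core types and qualifier bits are
Chrome's public PageTransition constants; the History schema is cut down to
the columns used here and the visits are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Low 8 bits of the transition value: the core navigation type.
CORE_TYPES = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}
# Upper bits: qualifiers OR-ed onto the core type.
QUALIFIERS = {
    0x00800000: "FORWARD_BACK", 0x01000000: "FROM_ADDRESS_BAR",
    0x02000000: "HOME_PAGE", 0x04000000: "FROM_API",
    0x10000000: "CHAIN_START", 0x20000000: "CHAIN_END",
    0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT",
}
CORE_MASK = 0xFF

def decode_transition(value):
    """Return (core type name, [qualifier names]) for a raw transition value."""
    value &= 0xFFFFFFFF  # stored as a 32-bit value; drop any sign extension
    core = CORE_TYPES.get(value & CORE_MASK, "UNKNOWN(%d)" % (value & CORE_MASK))
    quals = [name for bit, name in sorted(QUALIFIERS.items()) if value & bit]
    return core, quals

# Chrome stores visit_time as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_history():
    """Constructed History: typed URL, server redirect, link click, reload."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
            visit_time INTEGER, from_visit INTEGER, transition INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "http://example.test/", "Example"),
        (2, "https://example.test/home", "Example Home"),
        (3, "https://example.test/news", "News"),
    ])
    t0 = datetime_to_webkit(datetime(2012, 5, 1, 9, 0, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        # typed into the address bar; opens a redirect chain (no CHAIN_END)
        (1, 1, t0, 0, 1 | 0x01000000 | 0x10000000),
        # server redirected to HTTPS; closes the chain
        (2, 2, t0 + 300000, 1, 1 | 0x01000000 | 0x20000000 | 0x80000000),
        # followed a link from the home page (the common value 805306368)
        (3, 3, t0 + 45000000, 2, 0 | 0x10000000 | 0x20000000),
        # reloaded the news page
        (4, 3, t0 + 90000000, 3, 8 | 0x10000000 | 0x20000000),
    ])
    return conn

def describe_visits(conn):
    """One dict per visit: decoded transition plus the page it came from."""
    rows = conn.execute("""
        SELECT v.id, u.url, v.visit_time, v.transition,
               (SELECT u2.url FROM visits v2 JOIN urls u2 ON u2.id = v2.url
                 WHERE v2.id = v.from_visit) AS referrer
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    out = []
    for vid, url, vt, trans, referrer in rows:
        core, quals = decode_transition(trans)
        out.append({"id": vid, "url": url, "core": core, "qualifiers": quals,
                    "time": webkit_to_datetime(vt).isoformat(), "from": referrer})
    return out

if __name__ == "__main__":
    for v in describe_visits(build_sample_history()):
        print(v["time"], v["core"], ",".join(v["qualifiers"]), v["url"], "<-", v["from"])
```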

Figure 6: Digital Detective NetAnalysis showing Google Chrome Page Transitions from a History Database

Downloads

We have also added support for Google Chrome download history.

Figure 7: Digital Detective NetAnalysis showing imported Mozilla Firefox Downloads

Internet Explorer Visit Count

Recent testing has exposed an issue with the accuracy of Internet Explorer hit count values stored in the Master INDEX.DAT file. Normally, the hit count is stored as a 32-bit integer at record offset 0x54 (decimal 84). In many cases, comparing the record value to the hit count returned by Internet Explorer shows a mismatch. In these cases, Internet Explorer has an additional record object which stores an additional visit count. Testing has shown this additional count object to be accurate; it is the value presented by the application. When the additional record object is present, NetAnalysis parses that block and displays that value in the Hits column. The original value stored at offset 0x54 is now displayed in the Status column, as can be seen from the figure below.
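An added example (not NetAnalysis code) that reads the primary hit count at offset 0x54 from an INDEX.DAT URL record, so an examiner can compare it with the count the application displays. Only the 0x54 offset comes from the text above; the signature, block-count, FILETIME and URL-offset fields are assumptions taken from the publicly documented URL record layout, and the record bytes are constructed.

```python
"""Read the hit count from a Microsoft Internet Explorer INDEX.DAT URL record.

Added example, not NetAnalysis code.  Only the hit count offset (0x54) comes
from the post; the signature, block count, FILETIME and URL-offset fields are
taken from the publicly documented URL record layout and are assumptions of
this example.  The record bytes are constructed.  The additional visit-count
object mentioned in the post is not parsed here.
"""
import struct
from datetime import datetime, timedelta, timezone

BLOCK_SIZE = 128          # URL records are allocated in 128-byte blocks
HIT_COUNT_OFFSET = 0x54   # 32-bit little-endian hit count (decimal 84)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_ACCESSED = datetime(2012, 4, 3, 10, 30, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_url_record(buf, offset=0):
    """Parse one 'URL ' record at offset; raise ValueError if it is malformed."""
    if buf[offset:offset + 4] != b"URL ":
        raise ValueError("no URL record signature at offset 0x%x" % offset)
    n_blocks = struct.unpack_from("<I", buf, offset + 4)[0]
    rec_len = n_blocks * BLOCK_SIZE
    # Validate sizes before trusting any offset stored inside the record.
    if rec_len < HIT_COUNT_OFFSET + 4 or offset + rec_len > len(buf):
        raise ValueError("bad record length %d" % rec_len)
    modified, accessed = struct.unpack_from("<QQ", buf, offset + 8)
    url_off = struct.unpack_from("<I", buf, offset + 0x34)[0]
    hits = struct.unpack_from("<I", buf, offset + HIT_COUNT_OFFSET)[0]
    if not 0 < url_off < rec_len:
        raise ValueError("URL offset 0x%x outside record" % url_off)
    # The URL is a NUL-terminated string relative to the record start.
    end = buf.find(b"\x00", offset + url_off, offset + rec_len)
    if end < 0:
        raise ValueError("unterminated URL string")
    url = buf[offset + url_off:end].decode("ascii", errors="replace")
    return {"url": url, "length": rec_len,
            "modified": filetime_to_datetime(modified),
            "accessed": filetime_to_datetime(accessed),
            "hits": hits}

def build_sample_record(url, hits, accessed=SAMPLE_ACCESSED, n_blocks=2):
    """Constructed URL record carrying only the fields parsed above."""
    rec = bytearray(BLOCK_SIZE * n_blocks)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 4, n_blocks)
    ft = ((accessed - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<QQ", rec, 8, ft, ft)
    url_off = 0x68  # string placed after the fixed header fields
    struct.pack_into("<I", rec, 0x34, url_off)
    struct.pack_into("<I", rec, HIT_COUNT_OFFSET, hits)
    data = url.encode("ascii") + b"\x00"
    rec[url_off:url_off + len(data)] = data
    return bytes(rec)

if __name__ == "__main__":
    record = build_sample_record("Visited: user@http://example.test/", 7)
    print(parse_url_record(record))
```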

Figure 8: Microsoft Internet Explorer Visit Hit Count Issue

Updated Query Manager

This release has an updated Query Manager with additional features. It is now possible to sort the ‘Database Field List’ and ‘SQL Query Operators’ by clicking on the corresponding column header. The ‘SQL Query Operators’ now have a ‘Description’ entry which explains the function of the Operator. The Operators have also been re-written to show the full Operator with parameters and wildcard characters. This should make it much easier to build and understand your SQL queries. The ‘Check SQL Syntax’ button has been added as a more convenient way to verify the syntax of a query. For further information, please see SQL Query Operators.

Figure 9: Digital Detective NetAnalysis v1.54 Query Manager

Rebuilding and Exporting Filtered Cached Pages (and Objects)

NetAnalysis has long had the capability to rebuild either single webpages, or the entire cache in one operation.  NetAnalysis v1.54 now allows the forensic examiner to rebuild part of the cache.  Using the various filtering techniques available, the forensic examiner can generate a targeted subset of the browser data, and then rebuild only the live webpages (or export cached objects) contained within that subset.

For example, if you wanted to export only the moz-page-thumb files, search for “moz-page-thumb” across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items.  The thumbnail files can then be examined from the “Extracted Files/PNG” folder.


Add Bookmark to Multiple Records

The bookmarking feature in NetAnalysis v1.54 has been enhanced to allow the forensic examiner to bookmark many records with the same bookmark text.  The forensic examiner can create a filtered list of specific records, and then apply the same bookmark text to all of these records in one operation.  The bookmark column can also be used for filtering, so this functionality is a powerful addition to the armoury.


Web Page Rebuilding

We have enhanced the web page rebuilding engine to make it more robust and provide better results.  We have also released v4 of QDV™, our internal web page viewing software.  This new version suppresses script errors in web pages, so the forensic investigator will no longer need to cancel multiple error messages when reviewing some rebuilt web pages.

HstEx v3.8 Released

We are pleased to announce the release of HstEx v3.8. This version brings a number of new features as well as providing some improvements to existing features. There have been many changes to the top five browsers over the past few months; HstEx v3.8 recovers artefacts from the latest versions of Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Apple Safari.

Figure 1: Digital Detective HstEx Extracting Google Chrome Cache Records from EnCase Image

In this release (Change Log v3.8) we have added some new functionality in terms of source processing and browser support. We have added support for processing data saved in Advanced Forensic Format as well as adding the ability to recover Google Chrome cache records. In addition, we have added support for Logicube Dossier E01 images.


Advanced Forensics Format (AFF®) Support

The Advanced Forensics Format (AFF®) is an extensible open format for the storage of disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology. HstEx (and Blade) now support the processing of AFF® image files (as well as other forensic formats). The following page lists the current supported file formats: Forensic Image Formats Supported by HstEx.


Recovery of Deleted Google Chrome v2 – 19 Cache Records

HstEx version 3.8 adds the ability to recover live and deleted Google Chrome Cache records from all source data types. This is a significant addition to the software, as previously it was only possible to examine live records that were still available on a suspect system. HstEx v3.8 can recover cache entries from Google Chrome browser v2 through to the current release, v19.

Figure 2: Digital Detective HstEx Recovery of Google Chrome Records

Recovery of Deleted Mozilla Firefox v1 to 12 Cache Records

Mozilla has committed to a more aggressive release schedule for the Firefox web browser. There were nearly three years between the launch of Firefox 3 and Firefox 4; versions 5 to 12, however, were released within a matter of months. This has been a technical challenge from a support point of view, as many artefacts have changed during these releases. We are pleased to announce that HstEx now supports all versions of Mozilla Firefox cache entries from version 1 through to the current release, Firefox version 12.

Figure 3: Digital Detective HstEx Recovery of Firefox Cache Records

Recovery of Firefox v12 ‘moz-page-thumb’ entries

Firefox 13 will bring a slightly new look to some parts of the browser. Both the New Tab and the Home Page have been redesigned. The New Tab page now has links to your most recently and frequently visited sites which looks more or less just like Opera’s Speed Dial, which Chrome also mimics. Some of this functionality has been added to Firefox v12 in anticipation of the release of Firefox v13.

Figure 4: Firefox v13 Speed Dial

Whilst Firefox v12 does not show the new Speed Dial page when a new tab is opened, the page thumbnails are still saved to the cache when a page is visited. The URL portion of the cache entry looks like this:

Figure 5: Firefox moz-page-thumb cache entry

We have added additional support to HstEx to recover these entries as part of the Firefox cache recovery. NetAnalysis v1.54 also supports these cache entries, with the added bonus of being able to extract the page-thumb file (which is usually stored in PNG format).

Read more about Firefox Version 13.


Logicube Forensic Dossier® E01 Support

According to Logicube:

“The sixth generation of computer forensic solutions from Logicube, the Forensic Dossier® was designed and engineered exclusively to meet forensic investigators’ requirements. Version 2.0.1 provides support for the E01 file format compression (hardware-based compression to maintain line-speed performance), and support for NTFS file format for support of 2TB and greater capacity hard drives and support of single, disk-wide dd image capture.”

With HstEx v3.8, we have added support for the E01 files produced by the Logicube Forensic Dossier. Unfortunately, earlier versions of HstEx are unable to load and read the E01 files generated by the Logicube Dossier because of an incompatibility with the metadata fields. Some of the values written to these fields are in a different format than those written by EnCase or FTK Imager. This has now been resolved.

Figure 6: Logicube Forensic Dossier

Chrome takes the lead in Browser War

Top 5 Browsers

Google Chrome is the Web’s most used browser and, according to the web traffic analysis tool Statcounter, it overtook Internet Explorer (IE) last week.

The firm’s latest illustrations show that Chrome’s usage line overtook IE’s for a full week for the first time, with Firefox, Safari and Opera completing the top five respectively.

The results give Google a double win, because its mobile browser, Android Robot, overtook Opera as the most popular option for mobile-based Web surfers in March.

Although measuring the Web is not a precise science, and is very often based on scaling up small-scale measurement surveys, Statcounter’s data over the last year indicates that Chrome use is rising at the expense of IE and Firefox.

Internet Watch Foundation report highlights new abuse of online technology

Criminals intent on distributing images of children being sexually abused are finding new ways of exploiting legitimate online technology, according to the Internet Watch Foundation’s (IWF) 2011 Annual Report launched today (26 March 2012).

Criminals are ‘disguising’ websites to appear as if they host only legal content. However, if an internet user follows a predetermined digital path which leads them to the website, they will see images and videos of children being sexually abused.

This trend has been identified by analysts at the IWF who are experts at tracking and tracing child sexual abuse content. During 2011 this technique was seen nearly 600 times.

Chief Executive Susie Hargreaves said:

“We received reports to our Hotline by online users who have stumbled across these sites. They pose challenges because when the website is accessed directly, only legal content appears.”

“However, the reports we receive by the public can be quite detailed and these reporters were sure of what they had seen. Our analysts investigated further and discovered a legitimate web development technique was being used to disguise the website from all those who had not followed a particular digital path to access it.”

“Clearly, ordinary online users had still found this content and we’ve been working with analysts in our sister Hotlines and with our Members to tackle this issue.”

This legitimate web development technique is commonly used, for example, on shopping websites. There are several reasons why this method is used. Firstly, it masks the criminal website from those who have not followed the correct digital path. Secondly, it means that a commercial child sexual abuse business may be able to acquire legitimate business services if the website appears to host legal content when accessed directly – essentially tricking companies into providing their services for what is actually a criminal enterprise.

These disguised websites have not yet been encountered on UK servers, but the IWF is working with its Members – the online industry – and other Hotlines around the world to effectively tackle this trend.

Quicker removal times

As criminals exploit new ways of hosting this content, the online industry is getting quicker at removing it from its networks. Very little of this content is hosted on UK networks and when it is, it’s removed typically within 60 minutes. None of the disguised websites were found hosted within the UK.

Ms Hargreaves continued:

“The IWF can, for the second year running, report successes with its work to speed up the time it takes to remove images and videos of online child sexual abuse.

“In particular, those companies and organisations which make up our membership are 40% quicker at removing this criminal content when it’s hosted outside of the UK than non-Members. However, our work continues with all those involved with the aim of eliminating online child sexual abuse content.”

During 2010 the IWF challenged itself to speed up the removal of child sexual abuse content hosted outside of the UK. This content is more likely to feature younger children, and more likely to show sexual activity between adults and children, rape and sexual torture.[i]

Around half of all child sexual abuse images and videos hosted outside of the UK are removed in 10 days. In 2008 they typically stayed available for more than one month.

IWF Members are able to remove child sexual abuse content around 40% quicker than non-members. When child sexual abuse content is hosted by one of our Members, most (85%) is removed within 10 days and almost all (95%) is removed within 13 days. This is due to the simultaneous alert service we are able to provide to Members.

Identifying new victims

IWF analysts are able to identify new images of sexual abuse and subsequently alert police to children who may not be known to them but are potentially at immediate risk. Three children who were being sexually abused were rescued during 2011 as a result of sharing intelligence with the Child Exploitation and Online Protection (CEOP) Centre.

One child was traced to Sweden – she was being abused by a relative who then put the images online.

Another two were traced within the UK. Both were rescued from their abusers.

Ms Hargreaves said:

“Since we began working with CEOP to help identify new victims in 2010, we’ve aided the rescue of seven children in total. For the analysts who do this work, there is no better result.

“The IWF is now in its 16th year and has shared some incredible successes with the online industry in tackling some of the worst content on the internet. However, we will not get complacent. We will remain dedicated to the expeditious removal of child sexual abuse content wherever it is hosted.”

The 2011 Annual Report can be downloaded from Monday 26 March at www.iwf.org.uk or, for a low resolution version, email media@iwf.org.uk to request a copy.

UK Web Owners Face Cookie Crunch

There are on average 14 tracking tools per webpage on the UK’s most popular sites, according to a recent study.  Privacy solutions provider Truste suggests that means a user typically encounters up to 140 cookies and other trackers while browsing a single site.

The research was published less than 40 days before strict rules come into effect governing cookie use.  The study was carried out in March and covered the UK’s 50 most visited organisations.  The firm said that 68% of the trackers analysed belonged to third-parties, usually advertisers, rather than the site’s owner.

“The high level of third-party tracking that is taking place is certainly an area of question and scrutiny,” said Dave Deasy, Truste’s vice president of marketing.  “It’s not illegal to do the tracking – the question is whether you are giving consumers enough awareness that it is happening and what you are doing with the data.”

Deadline

On 26 May the UK’s Information Commissioner’s Office (ICO) imposes an EU directive designed to protect internet users’ privacy.

The law says that sites must provide “clear and comprehensive” information about the use of cookies – small files which allow a site to recognise a visitor’s device.

It says website managers must:

  • Tell people that the cookies are there
  • Explain what the cookies are doing
  • Obtain visitors’ consent to store a cookie on their device

“The information needs to be upfront – without information people can’t give consent,” said the ICO’s principal policy adviser for technology, Simon Rice.

The ICO says the rules cover cookies used to provide information to advertisers, count the number of unique visitors to a page and recognise when a user has returned to a site to adjust the content that is subsequently displayed.

However, it says exceptions are likely to be made if the cookie is only being used to ensure a page loads quickly by distributing the workload over several servers, or is employed to track a user as they add goods to a shopping basket.

Many sites have yet to add a feature asking for users’ consent.

95% of 55 major UK-based organisations surveyed on behalf of KPMG were still not compliant with the cookie law at the end of last month, the accountancy firm reported.

Truste acknowledges that the vast majority of those who took part in its study had published a privacy policy – but adds that only 16% had a summary section that was “easily digestible”, and 80% did not disclose how long data about visitors was retained.


Drive-by Download Risks

More than ten million people were exposed to drive-by download risks in February.

Research from Barracuda Labs into the world’s top 25,000 websites discovered that one popular site will serve malicious content every day, statistically.  Its report found that the top-ranked domains served malicious content on all but six days in February, while the top-ranked domains that served malicious content were from 18 different countries.

More than half (54 per cent) of the sites were more than five years old, while 43 per cent were between one and five years old.

Paul Judge, chief research officer at Barracuda Networks, said: “Web security has shifted. If you are a popular website or company, the attackers want access to your users. Good sites gone bad is a serious problem. Users must be careful when visiting even long-time trusted sites; also, more than ever legitimate websites must take steps to protect their websites from compromise.”

NetAnalysis Training Announcement

As we are entering a new financial year in the UK, many of you will be starting to plan your budgets and training schedules for 2012/13.

We are pleased to announce the dates for the following NetAnalysis Foundation Courses.  This is an ideal opportunity for you or your staff to gain valuable training and certification in the use of NetAnalysis / HstEx within a forensic environment. 

This course will teach you how to get the most out of our software. 

Feedback from Previous Courses

  • The time zone lesson was excellent and really made me think.  I wish I had known that before I came on the course.  It is such an important subject to cover.
  • Really good all round course, not mundanely product specific…  Good teaching style.
  • This is one of the best courses I have attended.  I will certainly recommend it to everyone.
  • Practical exercises helped a lot to instil the content…  The whole course was very relevant to my daily tasks within HTCU…  I will definitely be back for the advanced course.

Course Availability

Places are limited, allocated on a first-come, first-served basis, and are filling up fast; so contact us now to avoid disappointment.

There are a number of seats still available on the following courses which are being held at Learning Tree International in London:

  • 26th – 27th April 2012 – NetAnalysis Foundation Level Course
  • 30th – 31st May 2012 – NetAnalysis Foundation Level Course
  • 21st – 22nd June 2012 – NetAnalysis Foundation Level Course

For our many users outside of the UK, we are planning to run a number of courses in US and Canada later this year and will publish details on our web site.

Booking a Course

To book your place on a course or to obtain further information, please contact us on 0845 224 8892, or drop us an email at our sales address.

Further Information

For further information regarding our training courses, please visit the following links:

Google Chrome v18 Released

Google has updated its Chrome browser to version 18 on the stable channel.  The major new improvement in this release is the addition of hardware acceleration for graphics in Canvas2D and WebGL.

John “More CPU in Your GPU” Bauman and Brian “FPS” Salomon penned in the Chromium blog:
We’ve enabled GPU-accelerated Canvas2D on capable Windows and Mac computers, which should make web applications like games perform even better than a pure software implementation. GPU-accelerated Canvas2D has previously been enabled in the Beta channel for quite some time, so hopefully developers have had a chance to try it out. We’re continuing to make improvements and tweaks to our Canvas2D implementation, so please file a bug in our public issue tracker if you encounter problems.

WebGL enables compelling 3D content on the web, so we want to ensure that as many users as possible have access to this technology. That’s why we’ve enabled SwiftShader, a software rasterizer licensed from our friends at TransGaming, for users with older configurations. Keep in mind that a software-backed WebGL implementation is never going to perform as well as one running on a real GPU, but now more users will have access to basic 3D content on the web. See our previous blog post for more details on SwiftShader and how to try it out.
