
Research: Forensic analysis of six anonymous internet browsers

Cybercrime has become an increasingly challenging problem over the past few years. Cybercriminals rely on the dark web to sell hacking and malicious tools on darknet marketplaces, including ransomware, DDoS attack tools, Crimeware-as-a-Service (CaaS), and others. Users can currently use the Tor browser bundle, with its incognito properties, to access the dark web and conduct transactions in darknet marketplaces. There is also other anonymous browsing software that can conceal users’ online browsing activities. Even though these internet browsers cannot be used to access the dark web directly, they enable users to browse the internet anonymously and conceal any illegal activities they might engage in. Accordingly, analyzing digital evidence obtained from the records of users’ anonymous browsers represents a critical challenge, especially for law enforcement agencies.

A recently published research paper analyzed how programs and tools can be used in the forensic analysis of different anonymous internet browsers. The paper analyzed six anonymous internet browsers: Secure Browser, Epic Privacy Browser, SRWare Iron, Comodo Dragon, Maxthon, and Dooble. This article gives an overview of some of the interesting results presented in the paper.

The Epic Privacy Browser:

The Epic Privacy Browser is based on Chromium. It is designed to block every link that can lead to privacy leaks, thus maximizing privacy. Session data, including tracking data and cookies, is deleted when each browsing session ends. All search queries are routed through the browser’s own server, which prioritizes SSL connections whenever possible.

Secure Browser:

Secure Browser offers users private browsing, secure browsing, privacy removal, non-tracking, HTTPS-based encryption, and a group of other incognito and safety features.

Comodo Dragon:

Comodo Dragon is a totally free internet browsing software that is based on Chromium. Its user interface is similar to that of Google Chrome but without features that can undermine users’ privacy.

SRWare Iron:

SRWare Iron is also a totally free internet browsing software that is based on Chromium. SRWare Iron offers functions that are very similar to those of Chrome.

Dooble:

Dooble is a cross-platform (Linux, Windows, OS X) internet browser based on Chromium that is designed to disable insecure interfaces, including JavaScript and Flash, by default. The browser blocks third-party cookies in iframes and features a function that uses passphrases and ciphers to encrypt all forms of content, including history, browsing preferences, and bookmarks.

Maxthon:

Maxthon is a brand new HTML5 compatible internet browser. Its innovative incognito mode offers secure browsing capabilities without leaving any potential traces.

Digital forensic methods used to analyze the six browsers:

The researchers used the X-Ways Forensics software to perform integration analysis and save the file systems of the virtual machine. Data obtained from four sources (system registry, files and folders, network packets, and memory) were used in differential analysis and observation to detect potential file paths in residual forensic data, or forensic feature items that can be helpful in forensic examination.

The following tools were used to collect data:

– SysTracer Version 2.1.0 to compare relevant records (registry location and registry keys)

– Disk Pulse Version 8.2.16 in order to observe and record changes in the files and folders

– Wireshark Version 2.4.6 in order to capture and analyze network packets

– Process Hacker Version 2.39 in order to capture browser’s memory

– Capture Memory function within FTK Imager in order to record the memory of the virtual machines

Figure (1) shows the forensic process used to analyze the anonymous browsers.


Figure (1): The forensic process used to analyze the anonymous browsers

Results of forensic analysis of the six anonymous browsers:

The forensic analysis revealed residual evidence in multiple regions, including the file system’s files and folders, random access memory, the network port used for the connection, system registry keys, and browser execution memory.

Even though the six anonymous browsers studied use different incognito features and frameworks, they still record browsing data and records in the browser’s memory. Table (1) shows some essential forensic items for the six browsers with incognito functions enabled.

| Browser | Name of important folder or file | Important storage path | Forensic value |
|---|---|---|---|
| Epic Privacy Browser | Files: Cookies, Login Data, Preferences, Secure Preferences, Bookmarks; Folder: Local Storage | 1. \Users\User Account\AppData\Local\Epic Privacy Browser\User Data\Default | Identify whether or not a user has installed and used this anonymous browser |
| Secure Browser (1) | Files: Cookies, Web Data, Favicons, Login Data, Preferences, Shortcuts, Top Sites, Network Action Predictor, Bookmarks, previews_opt_out.db; Folders: Local Storage, databases, Cache | 1. \Users\User Account\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\ | Identify whether or not a user has installed and used this anonymous browser |
| Secure Browser (2) | Files: Safe Browsing Cookies, Safe Browsing Download; Folder: CertificateTransparency | 2. \Users\User Account\AppData\Local\Safer Technologies\Secure Browser\User Data\ | |
| Comodo Dragon Browser (1) | Files: Cookies, Web Data, Favicons, Login Data, Preferences, Shortcuts, Top Sites, Network Action Predictor; Folders: Local Storage, Session Storage, Databases, Cache | 1. \Users\User Account\AppData\Local\Comodo\Dragon\User Data\Default\ | Identify whether or not a user has installed and used this anonymous browser |
| Comodo Dragon Browser (2) | Files: Safe Browsing Cookies, Safe Browsing Download; Folder: CertificateTransparency | 2. \Users\User Account\AppData\Local\Comodo\Dragon\User Data\ | |
| SRWare Iron Browser (1) | Files: Cookies, Web Data, Favicons, Login Data, Preferences, Shortcuts, Top Sites, Network Action Predictor; Folders: Local Storage, databases, Cache, Session Storage, Media Cache | 1. \Users\User Account\AppData\Local\Chromium\User Data\Default\ | Identify whether or not a user has installed and used this anonymous browser |
| SRWare Iron Browser (2) | Files: Safe Browsing Cookies; Folder: CertificateTransparency | 2. \Users\User Account\AppData\Local\Chromium\User Data\ | |
| Dooble | Files: applications.db, cacheexceptions.db, cookies.db, downloads.db, favicons.db, history.db, preferences.db; Folder: Cache, Dooble | \Dooble\User Account\.dooble | Identify whether or not a user has installed and used this anonymous browser |
| Maxthon (1) | Files: Cookies, Web Data, *.dat; Folders: Local Storage, databases, Application Cache, History, Favorite | 1. \Users\User Account\AppData\Roaming\Maxthon5\Users\guest\ | Identify whether or not a user has installed and used this anonymous browser |
| Maxthon (2) | Files: Cookies, Web Data; Folders: Local Storage, databases, Application Cache | 2. \Users\User Account\AppData\Roaming\Maxthon5\Users\guest\Session\ | |
| Maxthon (3) | Files: *.dat; Folder: NewTab | 3. \Users\User Account\AppData\Roaming\Maxthon5\Temp\ | |
| Maxthon (4) | All files | 4. \Users\kan\AppData\Local\Temp\Maxthon3Cache\Temp\Webkit\Cache\ | |

Table (1): Essential forensic items for the six anonymous internet browsers with incognito mode enabled
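The storage paths in Table (1) can be turned into a quick triage check over a mounted evidence volume. The script below is an added example, not code from the paper or from any of the tools it used; the `scan` and `resolve_ci` helpers and the sample directory tree are assumptions made for illustration, and only the first storage path listed for each browser is checked.

```python
import tempfile
from pathlib import Path

# Names and first storage path per browser, from Table (1), relative to the
# root of a read-only mounted volume. Wildcard entries (*.dat) are left out.
CHROMIUM = ["Cookies", "Web Data", "Favicons", "Login Data", "Preferences", "Shortcuts",
            "Top Sites", "Network Action Predictor", "Local Storage", "Cache"]
LOCAL = "Users/{account}/AppData/Local/"
ARTIFACTS = {
    "Epic Privacy Browser": (LOCAL + "Epic Privacy Browser/User Data/Default",
        ["Cookies", "Login Data", "Preferences", "Secure Preferences", "Bookmarks", "Local Storage"]),
    "Secure Browser": (LOCAL + "Safer Technologies/Secure Browser/User Data/Default",
        CHROMIUM + ["Bookmarks", "previews_opt_out.db", "databases"]),
    "Comodo Dragon": (LOCAL + "Comodo/Dragon/User Data/Default",
        CHROMIUM + ["Session Storage", "Databases"]),
    "SRWare Iron": (LOCAL + "Chromium/User Data/Default",
        CHROMIUM + ["databases", "Session Storage", "Media Cache"]),
    "Dooble": ("Dooble/{account}/.dooble",
        ["applications.db", "cacheexceptions.db", "cookies.db", "downloads.db",
         "favicons.db", "history.db", "preferences.db", "Cache", "Dooble"]),
    "Maxthon": ("Users/{account}/AppData/Roaming/Maxthon5/Users/guest",
        ["Cookies", "Web Data", "Local Storage", "databases", "Application Cache", "History", "Favorite"]),
}

def resolve_ci(root, rel):
    """Follow rel under root, matching each component case-insensitively
    (a Windows volume mounted on a Linux workstation is case-sensitive)."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((e for e in cur.iterdir() if e.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur if cur.is_dir() else None

def scan(volume_root, account):
    """Return {browser: [artifact names present]} for each profile folder found."""
    findings = {}
    for browser, (rel, names) in ARTIFACTS.items():
        profile = resolve_ci(volume_root, rel.format(account=account))
        if profile is not None:
            present = {e.name.lower() for e in profile.iterdir()}
            findings[browser] = [n for n in names if n.lower() in present]
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as vol:  # constructed stand-in for an evidence volume
        Path(vol, "users/kan/appdata/local/comodo/dragon/user data/default/cookies").mkdir(parents=True)
        print(scan(vol, "kan"))
```

A browser that appears in the result with an empty list still has its profile folder on disk, which by itself answers the installed-and-used question in the table's last column.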

In summary, forensic analysis of the six anonymous browsers revealed digital evidence in multiple regions, including SQLite database files (cache, history, shortcuts, cookies, login data, web data, and top sites), bookmark and search keyword information, system registry keys, temporary browser storage files, pagefile.sys, server execution memory, unallocated space, and hiberfil.sys. When the browsers’ incognito mode is turned on, forensic analysis is almost impossible to conduct. Nevertheless, if the content of the browsers’ memory can be extracted with forensic tools, it is still possible to recover the user’s browsing records.

 

One comment

  1. I Love you cats :::)
