Parsing Internet Information from a USB Thumb Drive

James Habben The EnCase® Evidence Processor has some great features, but did you know that it can also parse Internet history and bookmarks from a USB thumb drive? Today we will look at forensic artifacts from the use of Mozilla Firefox and Google Chrome web browsers used from the PortableApps.com framework.

First, let’s have a quick intro on the framework. The project was originally created to make a version of Firefox that was able to run solely from a USB thumb drive. It required a computer that was running Windows®, but it did not need Firefox. The thumb drive carried the application and stored all the history, bookmarks, and settings back onto the thumb drive. This setup allows privacy, secrecy, and convenience. Today, the PortableApps.com framework allows for a ton more applications to be run in a portable configuration.

To use the framework, you simply download the installer from the PortableApps.com website. Run the installer and point it to your thumb drive. This installs the framework, but no applications. Here is what the application launcher looks like.


In some Windows versions, this can be set as an autorun application, but Windows 7 has disabled the ability to autorun from a USB device.



To get Firefox and Chrome, you need to download and install them through the Apps button > Get More Apps… option. Scroll down to the Internet section, and you will find the two applications.

Click Next to start the download. You may have to check the typical “agree” boxes. When finished, the browsers will show in the menu.



Now it is time to have some fun. Use these browsers to explore the “interwebs.” Dare yourself to go to sites that you have never seen before. You might find a new hobby!

Once you have tired yourself out, shut down the browsers, and let’s see what kind of mess we made. If you decided not to be adventurous with your own portable browsers, you can download my sample here.

Open EnCase® v7. Firefox has been supported since EnCase® v6 dot-something, but if you want to see the Chrome stuff, you will need a minimum version of EnCase v7.3. Create a new case using the #1 Basic template. Fill in the information and choose a location that works for you.



Add a preview of the drive that has the portable apps. There is no need to disconnect and use a write blocker since this isn’t a forensic case, but feel free if you like. Click on the device name to have EnCase parse the file system.

The structure of the framework places the application and its settings inside a folder under the [root]:\PortableApps folder. In this drive we only have the FirefoxPortable and GoogleChromePortable folders added. You will also notice that they each have a consistent list of folders under them: App, Data, and Other.



The App folder holds settings that are related to the PortableApps.com framework. It contains icons, executables, and other files related to launching the application.

Once the application is running, the settings for the user actions are stored inside the Data folder. If you are familiar with the Firefox storage structure and artifacts, you will be at home inside the [root]:\PortableApps\FirefoxPortable\Data\PROFILE folder. In there, you will find files, such as cookies.sqlite or places.sqlite, which are used to store the artifacts we are after. One storage area that you will not find in the portable version is the web cache.



If you are interested in the full range of forensic artifacts available, we offer a course titled EnCase® Advanced Internet Examinations. What we are after in this posting, is the fact that the EnCase Evidence Processor can recognize the forensic artifacts of both Firefox and Chrome when used in the PortableApps.com framework.

Use the Add Evidence drop-down menu and choose the Process Evidence… option. For the purpose of this posting, deselect everything except the Find internet artifacts option. Then click OK.



The results show in the Records tab. There will be an Internet folder with an item inside labeled “Internet” as a hyperlink. Click on the name to open the data.



Once inside, you will see three main folders. The Chrome (Windows) and Mozilla 3 (Windows/Mac) are the folders of interest. The Mozilla (Windows/Mac) is created because there is a file created by PortableApps.com that resembles the Firefox v2 and lower bookmark storage, though it isn’t used as such.



Take a look in the History folder of the Mozilla 3 artifacts, and you will see all the sites that have been browsed on this portable version of Firefox. You will have to scroll to the right to find the Url Name column to see the URL that was browsed.



You will also see the bookmarks that have been made using the portable version.



Take a look inside the Chrome folder and you will see all of the same types of artifacts.



Hope this helps you in your cases!

No comments :

Post a Comment