History About Youtube Hacking Yahoo

Published Date: 02 Nov 2017

- During the CansecWest Conference, some IT professionals tested the security of the IE web browser; they found a weak point in the codes of Internet Explorer 10. Microsoft took steps to fix the bugs; however, had the IT professionals had been unscrupulous hacker, they would have been able to effectively send malicious codes to all IE’s version still on the market and operating on all Windows’ operating systems.

If the authorities have a hacker in custody, how could we get the proof that he actually committed the crime? We would conduct a digital forensic investigation. But, how easy or effective is it to look for evidence in a web browser activity?

One size does not fit all! According to Oh, Lee, and Lee, there are two main reasons why web browsing forensic investigation is not perfect. First, there are many different web browsers and the investigation tools available to us only cover some web browsers, but not all. For example, Encase covers IE, Firefox, Safari, Opera, but not Chrome (Oh, Lee, & Lee, 2011). Second, the tools do not allow us to obtain important information (parsing) such as search words and user activity (Oh, Lee, & Lee, 2011.) Oh, Lee, and Lee also talk about the need to be able to extract from web browser important information such as search words and user activity, to be able to decode words in an URL due to a change of language and to be able to retrieve web information that was tampered with. We will discuss these last three topics in our "Evidence Analysis Process" section

In order to better understand Web Browsing evidence investigation, we asked the point of view of an expert. Dr. Curtis A. Carver Jr., is the Vice Chancellor and CIO for the Board of Regents of University System of Georgia Policy. We asked him the following questions:

What are the main limitations of forensics tools such as EnCase and NetAnalysis?

Is it likely that in the near future we will have digital forensics tools that will allow us to perform 1) integrated analysis of Web browsers, 2) timeline analysis, 3) extraction of significant information related to digital forensics, such as search words and user activity, 4) decoding encoded words at a particular URL, and recovery of deleted Web browser information because a suspect can delete web browser log information to destroy evidence.

How do you see the future of the tools related to the investigation of web browser log files?

Dr. Carver answered: "This is a difficult question to answer. Increasingly, organized crime or nation states are involved in attacks and advanced forensics play an important role in responding to these complex attacks. There is no question that penetration will take place. The question is how will the institution respond to the penetration. Due to the complexity of the attacks, forensics are a necessary, but not sufficient component of responding to an attack."

Then, we asked him "What would you say are other important components to responding to an attack? Proper Incident Response Policies?" to which he answered: "Policy as well as response teams that can be stood up if necessary or contracts in place with services such as Dell SecureWorks."

The methods that can be used to destroy information or evidence located on the web browser’s log files depend on the browsers used by a suspect and the types of files that are subject to destruction (history, cache, download, etc.... Based on these differences, Oh, Lee, & Lee, identified 2 types of methods to delete evidence: re-initialization or overwrite and deletion. To illustrate, in Firefox the cache must be initialized to erase evidence; however, in Chrome, the cache deletion is better to erase information.

Below is an example of deletion with Internet Explorer.

Not so fast! Even if we press "Delete…" in the Browsing history as shown on the page above, all the events in the web browsing log data will not be deleted. To delete all events of the web browser, the index.dat files must be deleted. Below are screenshots of where the index.dat file should be located. (Screenshots taken on school computer with index.dat file locations found on Acesoft.

According to Oh, Lee, & Lee, it is almost impossible to recover a file that was initialized; however, a file that was deleted can be recuperated much easily.

Web Browser forensic analysis tools are, like other digital tools, in a constant state of development as end-user web activity platforms and associated end-user privacy features multiply. The are several commercial and open source tools that perform a variety of functions, on a variety of web browsers, and operate in various relevant environments: Windows, Mac OS, Linux, and Ubuntu. As Windows has signifiacnt market share, especially in corporate environments, we will examine those tools. Specific commercial tools whose features we will compare here​ are EnCase, NetAnalysis, FTK, and InternetExaminer.

This is a link to a copied and edited list of open source tools and descriptions found at <http://forensiccontrol.com/resources/free-software/> with a simple Google search. Forensic Control is a privately held UK computer fornsics firm. This list was updated in March 2013. You can infer two key issues from the sheer number of tools and their descriptions: (1) Web activity is multi-faceted and therefore forensically very complex and (2) The criminals have a lot of free tools available to help hide their activity. As with programs used by law enforcement or intelligence instiutions that hackers use for criminal data collection (Jones, 2012) and tools lays people use for privacy (Yasin, 2013), these forensic tools can be modified by the bad guys to provide privacy features beyond what lay people may use to evade being tracked and stalked or commoditized.

The way web forensic analysis tools work vary naturally, according to the operating environment and browsers and other applications analyzed. The diagram below is from the article by Oh, Lee, and Lee that served as the spring board for this wiki. This diagram pertains to a specific tool, WEFA, which was developed based on their research.

"From the recovery module and the collection module, recovered or collected Web browser log files are parsed in the analysis module. Then information such as the cache, history, cookies, and the download list is extracted. This extracted information is used as input to each submodule​" (Oh, 2011).

After data has been collected and processed, different modules display the various types of web browser information for analysis and reporting. Below are some examples of the NetAnalysis user interface looks like (Digital Detective Group Ltd).

Our initial research article is not two years old (Oh 2011), as it was published in August 2011. Yet, since that time the major forensic suites have all advanced in their capabilities to collect, process, analyze, and report internet artifacts from e-mail, instant messaging, and file sharing sites around the globe. Either the core package or configurable add-ons for each of these tools provide the features listed below as well as audit logs of the evidence file actions like recovering and rebuilding internet pages or storyboarding found or recovered and rebuilt video files. All have flexible reporting templates that enable investigators to compile bookmared evidence of different natures in a format that is viewable and understable (i.e. rebuilding web pages instead of listing lines of html).

Including the vendor and third party sales sites, a variety of reviews from industry websites were used to discover and compare features specific to web brower forensic analysis. The following chart should make the bogies think twice!

Web browsers are the central application used to conduct activities over the internet. E-mail, Messaging, File Sharing, Research, Social Media, Publishing, and Shopping are popular activities for people with access around the world. As such, it is expected that criminals will do these same things, but with ill intent. Although the internet was created as an open forum, modern usage has created a need or desire for security (and other data analytics uses) features to counter the anonymity.

Fortunately, things like browser bookmarks, histories, and cache files which allow regular people to forget their passowords and favorite sites also leave a trace for investigators seeking to discover evidence of a crime. Currently, there are web browser forensic analysis applications that allow investigators to discover addresses and content (including mulitude of file format attachments) of e-mails, surfing, and messaging activites by time and date, regardless of geography in the five most used browsers: IE, Firefox, Opera, Safari, and Chrome. They can dig into the system files and disk slack space to uncover the hidden. These tools also provide excellent audit logs of evidence file manipulations like recovering and rebuilding deleted images, and excellent reporting suites so that the carefully acquired and analyzed evidence can be used in legal action.

However, there are a growing number of web applications which strive to return anonymity to end-users activities. Though promoted to hinder web stalking or consumer data tracking, they can also help criminals elude convictions. Additionally, forensic tools can be manipulated by skilled criminals to elude those same forensic tools from catching them. As with cyberintelligence, there is an ever escalating game of cat-and-mouse where the mice can get faster from playing with the cat's toys.