Hello TurkHackTeam members.
Today I will walk through a forensic investigation of browser artefacts. We will do this on Google Chrome.
Installing the Needed Software
We need a way to open SQLite files, so we will download the SQLite Expert Personal software. You can download it from this link;
Code:
https://www.gezginler.net/indir/sqlite-expert-personal.html
VirusTotal
Code:
https://www.virustotal.com/gui/file/ded898ae09a138accf8983dc8f49812294d2e504ffc69f4c3d704a6bba90c31b/detection
Forensic Investigation on the Browser
Everything the user does in the browser (downloads, page accesses) is recorded. It is stored in the "History" file. We can perform various investigations on it, obtain critical information from those investigations, and sometimes that information can serve as forensic evidence. Now we will access it.
First, we will look at the history directory. The user history is hidden in this file, which is in SQLite format. You can reach your history file by following this path;
Code:
C:\Users\kullaniciadi\AppData\Local\Google\Chrome\User Data\Default
Now open SQLite Expert Personal. Then click the "File" menu and choose "Open Database". As you can see, the tables are now listed.
First, look at the "urls" table. Here;
"id" column: the id value belonging to the url.
"url" column: the url value itself.
"title" column: the title information belonging to the url.
"visit_count": how many times the related url was visited.
"typed_count": how many times the url address was typed into the browser manually.
"last_visit_time": the date the related url was last accessed (in browser time format).
"hidden": whether the url address is used by the AutoComplete feature and whether the url is shown to the user or not (if it is 1, it is not shown; if it is 0, it is shown).
Now look at the "visits" table.
You can see the IP addresses belonging to visits in the "id" column.
You can see the url's id value in the "url" column. This way, you can see which id corresponds to which url.
You can see the last visit date in the "visit_time" column.
You can see the referral numbers in the "from_visit" column.
You can see how the visited address was reached in the "transition" column (clicking a link, manually typed URL, etc.).
You can see the id information of the segments table in the "segment_id" column.
You can see how long the user stayed on the address in the "visit_duration" column.
You can see download information in the "downloads" table.
You can see the file's identity information in the "guid" column.
You can see the downloaded file's current location in the "current_path" column.
You can see the download location of the file being downloaded in the "target_path" column.
You can see the download start time in the "start_time" column.
You can see how much of the download was received in the "received_bytes" column.
You can see the total size in bytes of the downloaded file in the "total_bytes" column.
You can see whether the file was opened in the "opened" column.
You can see the file's last access date in the "last_access_time" column.
You can see the referring page's information in the "referrer" column.
You can see the file's modification information in the "last_modified" column.
You can see the words searched in search engines in the "keyword_search_terms" table.
You can see the websites that were viewed in the browser in the "segments" table.
You can see download addresses in the "download_url_chains" table.
We can obtain forensic evidence by analysing these SQLite files.
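As an added example (not code from the original post), the script below does the same walk through the "urls", "visits" and "downloads" tables programmatically, on a constructed in-memory copy of the History database: it converts the browser time format (microseconds since 1601-01-01 UTC) to readable UTC dates, joins each visit to its url and referring visit, decodes the low byte of "transition" into Chrome's core transition type, and lists downloads whose received_bytes never reached total_bytes. The table layout and the sample rows are constructed to match the columns described above, not taken from a real profile.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
# Chrome stores every timestamp in History as microseconds since 1601-01-01 UTC
# (the "browser time format" mentioned above), not as a Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us):
    """Convert a Chrome/WebKit microsecond timestamp to an aware UTC datetime (None if unset)."""
    return None if not us else WEBKIT_EPOCH + timedelta(microseconds=us)

def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

# Low byte of visits.transition is the core transition type (Chrome's PAGE_TRANSITION_CORE_MASK).
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 5: "GENERATED", 7: "FORM_SUBMIT", 8: "RELOAD"}

def build_sample_history():
    """Constructed in-memory stand-in for a real History file, limited to the columns described above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER,
                            transition INTEGER, segment_id INTEGER, visit_duration INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, guid TEXT, current_path TEXT, target_path TEXT,
                               start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER, opened INTEGER);
    """)
    t0 = datetime_to_webkit(datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc))  # constructed visit time
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 1, 1, t0, 0),
        (2, "https://example.com/files/report.pdf", "Report", 1, 0, t0 + 30_000_000, 0)])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", [
        (1, 1, t0, 0, 0x10000001, 1, 30_000_000),       # URL typed manually, 30 s on the page
        (2, 2, t0 + 30_000_000, 1, 0x10000000, 1, 0)])  # reached by clicking a link from visit 1
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?)",
                 (1, "00000000-0000-0000-0000-000000000001", r"C:\Users\user\Downloads\report.pdf.crdownload",
                  r"C:\Users\user\Downloads\report.pdf", t0 + 31_000_000, 4096, 1_000_000, 0))
    return conn

def visit_timeline(conn):
    """One dict per visit, oldest first: readable time, url, referring visit and decoded transition."""
    rows = conn.execute("""SELECT v.visit_time, u.url, v.from_visit, v.transition, v.visit_duration
                           FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time""")
    return [{"time": webkit_to_datetime(t), "url": url, "from_visit": fv,
             "transition": CORE_TRANSITIONS.get(tr & 0xFF, "OTHER(%d)" % (tr & 0xFF)),
             "seconds_on_page": dur / 1_000_000} for t, url, fv, tr, dur in rows]

def unfinished_downloads(conn):
    """Downloads where received_bytes stayed below total_bytes: the file never fully arrived."""
    return list(conn.execute("""SELECT guid, target_path, received_bytes, total_bytes
                                FROM downloads WHERE received_bytes < total_bytes"""))
```

To run the same queries against a real profile, copy the History file out of the profile directory first (Chrome keeps it locked while it is running) and pass the copy's path to sqlite3.connect instead of ":memory:".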
You can also view the browser's cache. For this, type the following in the browser's address bar:
Code:
about:cache
Source: https://www.turkhackteam.org/adli-bilisim/1922997-tarayici-uzerinde-adli-inceleme.html#post9101662 'blackcoder
If you found this article helpful, you can press the thank button.