Law enforcement agencies have long been aware of the value of the web browser in criminal investigations, pulling information from a suspect's browsing history to reconstruct their activities, build a dossier and uncover vital evidence.
Web browsers are the primary way that end users access a variety of popular applications, both business and personal, and they store an incredible amount of important information about an individual’s personal and professional activities.
So, when a user has been detected conducting suspicious activities, or their device has potentially been compromised by an external hacker to gain access to systems, going through the information stored in their browser can help quantify the nature, scale and scope of any potential threat.
The web browser – a rich source of information
Within the enterprise, insider threats are both insidious and difficult to detect. But initiating a browser investigation after a user has crossed a predefined risk threshold – becoming a ‘notable user’ – or after a system has been flagged as suspicious or potentially compromised can be the vital first step to reconstructing a user’s activities.
Web browsers contain features that are designed to make life easier for users: remembering recently viewed web pages, recording web form data, saving passwords, sending geolocation information and syncing browser history across devices. This means they offer the insights investigators need to determine whether a cybercrime has been committed, as well as vital evidence on a user's activities and motivations.
Understanding a user's web browsing activities can help identify whether the user was in violation of enterprise policies. It can show whether the user visited a site or clicked on a phishing link that redirected them elsewhere, where a malware payload was delivered that infected their device, opening a door into the enterprise.
The prevalence of HTTPS and other privacy measures means it's difficult for cyber security analysts to rely on network traffic alone. So, any deep-dive investigation should involve looking at browser artefacts on a user's laptop and mobile devices. When conducting a digital investigation on a system, a cyber security analyst is able to gather evidence from the artefacts left by a browser after a session; typically, these forensic artefacts will include the cache, history, cookies and file download lists.
Primary investigation areas
A detailed forensic investigation of browser artefacts will reveal timestamps, dates, downloads, sites visited, whether data was entered on websites and more. At a basic level, viewing a user's browsing history will enable construction of a timeline of URLs visited and help identify whether a user has engaged in any perilous behaviours, such as downloading or opening a risky file or logging in to non-authorised file-sharing websites.
Similarly, investigating a user’s search history and queries will provide context and background around a user’s motivations and their recent online behaviours. Meanwhile, autofill artefacts can provide a rich source of valuable information that helps build out what happened and when – for example, identifying if a user has multiple other email accounts they haven’t informed the team about.
Creating a ‘word cloud’ visualisation can help speed up the evaluation of a user's areas of interest and other behaviours. Even if a user has deleted their search history, artefact data may well have been synced to the cloud or be retained elsewhere on the device.
An escalating challenge
Pulling as much information as possible out of a user’s browsing history is the key to reconstructing a user’s activities. For cyber security analysts responding to a potential data breach, this may involve reviewing multiple devices in a limited amount of time, so the ability to perform browser investigations as efficiently as possible is becoming a top priority.
That said, today’s security analysts face an increasing number of alerts, with a limited amount of time or resources to respond. A recent Exabeam survey of digital forensics and incident response professionals found that they typically have to examine between five and 20 devices a month – and some had to evaluate 40 devices or more.
Reviewing processed browser data takes up a significant amount of time: most investigators took over an hour per device. All of which highlights the growing need for tools and automation to extract data and glean threat intelligence as quickly as possible.
Today’s advanced automated intelligence tools can help telescope vital investigation timeframes, delivering the top-level summary of key information that gives analysts the answers they need fast. Automatically parsing actions from the web history investigation, these tools generate easy-to-read reports and dashboards that deliver insights on everything from a user’s search engine queries and accounts on websites, to autofill data, historical geolocation, activity per domain and even activity trends based on the time and day of the week.
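As an added illustration of the kind of parsing described above (this is example code written for this article, not Exabeam's tooling or any vendor product), the script below loads a constructed, Chrome-style `History` database into memory, converts the WebKit microsecond timestamps to UTC, and derives the artefacts an analyst would want first: a visit timeline, search engine queries, activity per domain and a count of off-hours visits. The table layout is a simplified version of Chrome's `urls`/`visits` schema and the sample rows are invented.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chrome stores visit_time as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_webkit(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))

def from_webkit(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

UTC = timezone.utc
SAMPLE = [  # constructed sample visits: (url, title, visit time); hostnames use the reserved .invalid TLD
    ("https://www.google.com/search?q=upload+large+files+free", "search", datetime(2018, 3, 5, 9, 15, tzinfo=UTC)),
    ("https://fileshare.invalid/upload", "Upload", datetime(2018, 3, 5, 9, 20, tzinfo=UTC)),
    ("https://intranet.corp.invalid/hr/salaries.xlsx", "salaries", datetime(2018, 3, 5, 22, 40, tzinfo=UTC)),
    ("https://www.bing.com/search?q=resignation+letter+template", "search", datetime(2018, 3, 6, 8, 5, tzinfo=UTC)),
    ("https://fileshare.invalid/upload", "Upload", datetime(2018, 3, 6, 23, 30, tzinfo=UTC)),
]

def build_history_db():
    """Create an in-memory SQLite DB shaped like a simplified Chrome History file."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    db.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER)")
    for i, (url, title, dt) in enumerate(SAMPLE, 1):
        db.execute("INSERT INTO urls VALUES (?, ?, ?)", (i, url, title))
        db.execute("INSERT INTO visits VALUES (?, ?, ?)", (i, i, to_webkit(dt)))
    return db

def summarise(db):
    """Timeline, search queries, per-domain counts and off-hours visits (20:00-06:00 UTC or weekends)."""
    rows = db.execute("SELECT u.url, v.visit_time FROM visits v JOIN urls u ON u.id = v.url "
                      "ORDER BY v.visit_time").fetchall()
    timeline, queries, per_domain, off_hours = [], [], Counter(), 0
    for url, us in rows:
        ts = from_webkit(us)
        parts = urlparse(url)
        timeline.append((ts.isoformat(), url))
        per_domain[parts.hostname] += 1
        q = parse_qs(parts.query).get("q")  # common search engines put the query in ?q=
        if q and "search" in parts.path:
            queries.append(q[0])
        if ts.hour >= 20 or ts.hour < 6 or ts.weekday() >= 5:
            off_hours += 1
    return {"timeline": timeline, "queries": queries, "per_domain": per_domain, "off_hours": off_hours}

if __name__ == "__main__":
    for key, value in summarise(build_history_db()).items():
        print(key, value)
```

Against a real system the same logic runs on a copy of the browser's History file; open the copy, not the live database, since the browser holds a lock on it and will keep writing to it.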
Web browsers may be overlooked during investigations, but they have the potential to help cyber security analysts to respond to security incidents more quickly and effectively.
Written by Barry Shteiman, VP, Research and Innovation at Exabeam