SANS Secure Singapore 2012 - Core Windows Forensics Part IV - Web Browser Forensics

Forensics 408

6 Day Course

For GIAC Certification

If you register for the full course, you may register to seek your GCFE Certification.

Students who attend a live SANS Training Event will receive access to the GIAC certification attempt approximately 7-10 business days after the last day of the event.

Additional information:
GCFE Information
GIAC FAQ
Fee Information

COSEINC, our Singapore Course Provider will be marketing this program locally. Note that Singapore Citizens and PRs must register via COSEINC for CITREP eligibility

FORENSICS 408 - Day 5

Core Windows Forensics Part IV - Web Browser Forensics

Friday, March 16, 2012 : 9am - 5pm
Chad Tilbury, SANS Certified Instructor
6 CPE/CMU Credits

Laptop RequiredFree

Focus: Internet Explorer and Firefox Browser Digital Forensics. Learn how to examine exactly what an individual did while surfing via their web-browser. The results will give you pause the next time you use the web.

With the increasing use of the web and the shift toward cloud computing using web-based applications, it is essential that browser forensic analysis is key to the investigator's skills. The investigator will explore comprehensive web browser evidence created during the use of Internet Explorer and Firefox. The analyst will learn how to examine cookies, history, and Internet cache files of the suspect's system. We will show you where you can examine these files and the common mistakes amateur investigators make when looking at browser artifacts.

Throughout the day, the investigator will utilize their skills in real hands-on cases, exploring evidence created by Firefox and Internet Explorer and Windows OS artifacts.

Day 5 topics include:

Browser Forensics
- History
- Cache
- Searches
- Downloads
- Understanding of Browser Timestamps
- Internet Explorer 6, 7, 8, and 9
IE Key Forensic File Locations
History Index.dat (Master, Daily, Weekly) Timestamps
Cache Index.dat Timestamps
InPrivate Browsing
IE8/IE9 Recovery Folder Analysis
- Firefox 2-5
FF2 and FF3-5 Key Forensic File Locations
Mork format and .sqlite files
Download History
Cache Examinations
Typed URLs
FF3+ Recovery Data Analysis
Private Browsing
Session Recovery
- Examination of Browser Artifacts
Flash Cookie Files
DOM Objects
Super Cookies
- Tools Used
MANDIANT Inc.'s Web Historian
Access Data's FTK
FoxAnalysis

Day 5 exercises

Track a suspect's activity in browser history and cache files
Examine which files a suspect downloaded
Determine URLs a suspect type, click on, bookmark, or merely pop-up while they were browsing

This track and the Hacker Refresher course by Skoudis really opened my eyes to the amount of vulnerabilities that we face today.
-Stephen De Jong, Equity Office Properties