The Daily Caveat is written by Michael Thomas, a recovering corporate investigator in the Washington, DC-area.

9/02/2005
Investigators Face Challenges From New Web Browsers
Via ZDNet.com:
Alternative browsers pose challenge for cybersleuths

By Joris Evers

MONTEREY, Calif.--The advent of Firefox and other alternatives to Internet Explorer means cybercops have to learn new tricks for their investigations. Internet Explorer hides nothing from police and other investigators who examine PCs to discover which sites the user has visited, according to a class held Wednesday at the annual training meeting of the High Tech Crime Investigation Association. Investigators know the location of the IE browser cache, cookie files and history, and they know how to read those files. Also, popular forensics tools can help out.

But that story changes when it comes to alternative Web browsers such as Firefox and Opera, instructor Glenn Lewis said at the well-attended session. These programs use different structures, files and naming conventions for the data that investigators are after. And files are in a different location on the hard drive, which can cause trouble for examiners. Furthermore, forensics software may not support the Web browsers, he said.

Though Microsoft's IE remains the most widely used browser, these alternatives are gaining in popularity. The open-source Firefox browser in particular has been able to nibble at Microsoft's dominant share of the market. Web browser data can be important in criminal investigations because browsers keep track of a suspect's online activity.

One specific challenge with Firefox and Opera is identifying which Web addresses have been entered manually as opposed to having been clicked on in a hyperlink, Lewis told the class. The distinction may be important in a case where a suspect claims he did not intend to visit a Web site, but accidentally clicked on a link or was sent to a site automatically. It is hard to make that argument if an address was physically typed into the Web browser. Firefox and Opera store information on typed URLs in a different file than IE does, and the files are somewhat tough to decipher, Lewis said. He showed his students--mostly law enforcement agents and private investigators--how to do it.

Lewis, who works for risk consulting company Kroll, gave attendees more tips on how to read the cache, history and cookie files that Firefox and Opera generate. He recommended some free tools for investigators, including Opera 4 File Explorer, which displays Opera cache files, and Web Historian from Red Cliff, which exports history information for IE, Opera and Firefox into an easily readable Excel spreadsheet.

Private investigator Mark Carlsson felt Lewis provided useful information. "Each browser has its intricacies," he said. "You can find some details online, but often it is difficult." Carlsson does computer forensics investigations for private clients, such as corporations that need evidence on a rogue employee, he said. The session was also valuable because Lewis provided tools that investigators can use to back up findings from major forensics tools, said Carlsson, who works for Digital Bytes in Lyndora, Pa.

The original article appears here.

-- MDT



all content © Michael D. Thomas 2010