As defensive tooling and hardening have matured, intruders have looked for other ways into an organisation, and they frequently pick the people inside it as the entry point.
Many attacks succeed because employees are not aware of the threats they face; even high-profile intrusions such as Stuxnet and SolarWinds had a human element somewhere in their chain. The intruder's aim is to single out a vulnerable person and trick them into carrying out the action the attacker needs. Common weaknesses that get exploited include:
- Malicious websites
- Weak password
- Excessive privileges
Browser-based intrusion has become more common: attackers host malicious or compromised websites, lure the victim into visiting them, and use the resulting foothold to get into the network. This is known as the WATERING HOLE TECHNIQUE.
WATERING HOLE TECHNIQUE
The attack follows a fixed sequence:
- Attacker compromises a website the targets are known to visit
- Trick the user into visiting the website
- Malware/backdoor dropped on the victim's system
- Attacker successfully intrudes into the organisation
Because these chains are complex, analysis of browser artifacts is essential to prevention and investigation. The main artifact locations per browser and operating system are listed below.
Google Chrome
Windows XP
- C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\Default
- C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache
Windows Vista, 7, 8, 10
- C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default
- C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Cache
Mac OS X
- /Users/<username>/Library/Application Support/Google/Chrome/Default
Mozilla Firefox
Windows XP
- C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\<profile folder>
- C:\Documents and Settings\<username>\Local Settings\Application Data\Mozilla\Firefox\Profiles\<profile folder>\cache2
Windows Vista, 7, 8, 10
- C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>
- C:\Users\<username>\AppData\Local\Mozilla\Firefox\Profiles\<profile folder>\cache2
Mac OS X
- /Users/<username>/Library/Application Support/Firefox/Profiles/<profile folder>
- /Users/<username>/Library/Caches/Firefox/Profiles/<profile folder>/cache2
Linux
- /home/<username>/.mozilla/firefox/<profile folder>
- /home/<username>/.cache/mozilla/firefox/<profile folder>/cache2
- Up to Firefox 31 the cache files were stored in a folder named 'Cache'; from version 32 onwards they are stored in a folder named 'cache2'.
Internet Explorer
Windows 7, 8, 10
- C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Recovery
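The watering hole sequence above leaves a referrer chain in the browser's history: the page the user typed, the compromised site they clicked through to, the hidden frame that pulled in the attacker's host, and the download that followed. The example below, added here and not part of the original article or of any of the tools named on this page, reconstructs that chain from the `History` SQLite database found in the Chrome profile directories listed above. It walks `visits.from_visit` backwards, decodes the Chrome/WebKit timestamp (microseconds since 1601-01-01 UTC) and the core transition type in the low byte of `visits.transition`, and lists downloads with the tab and referrer URLs Chrome records for them. The sample database it builds is constructed for the demonstration (a reduced subset of Chrome's real schema, with made-up hosts); point `analyse()` at a copied `History` file to run it on real evidence.

```python
"""Added example: rebuild a watering-hole visit chain from a Chrome History DB.
Sample data is constructed; not the article's or Hindsight's code."""
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlparse

# Chrome/WebKit timestamps: microseconds since 1601-01-01 00:00:00 UTC.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Core page-transition types live in the low 8 bits of visits.transition;
# higher bits are qualifiers such as CHAIN_START (0x10000000).
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}

def chrome_time_to_utc(webkit_us: int) -> datetime:
    return CHROME_EPOCH + timedelta(microseconds=webkit_us)

def utc_to_chrome_time(dt: datetime) -> int:
    # floor division keeps exact integer microseconds (float would lose precision)
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)

def transition_name(transition: int) -> str:
    core = transition & 0xFF
    return CORE_TRANSITIONS.get(core, f"UNKNOWN({core})")

def open_history(history_path: str) -> sqlite3.Connection:
    """Work on a copy, opened read-only: a running Chrome locks the live file,
    and the original evidence file should never be opened for writing."""
    tmp = tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False)
    tmp.close()
    shutil.copy2(history_path, tmp.name)
    return sqlite3.connect(Path(tmp.name).as_uri() + "?mode=ro", uri=True)

def visit_chain(con: sqlite3.Connection, visit_id: int) -> list:
    """Follow visits.from_visit back to the first page of the chain and return
    [(utc_time, url, transition_name), ...] oldest first."""
    chain, seen = [], set()
    while visit_id and visit_id not in seen:  # guard against cyclic from_visit
        seen.add(visit_id)
        row = con.execute(
            "SELECT v.visit_time, u.url, v.transition, v.from_visit "
            "FROM visits v JOIN urls u ON u.id = v.url WHERE v.id = ?",
            (visit_id,)).fetchone()
        if row is None:
            break
        chain.append((chrome_time_to_utc(row[0]), row[1], transition_name(row[2])))
        visit_id = row[3]
    chain.reverse()
    return chain

def chains_to_host(con: sqlite3.Connection, host: str) -> list:
    """Every visit to `host`, each expanded into its full referrer chain."""
    rows = con.execute("SELECT v.id, u.url FROM visits v JOIN urls u ON u.id = v.url "
                       "ORDER BY v.visit_time").fetchall()
    return [visit_chain(con, vid) for vid, url in rows if urlparse(url).hostname == host]

def downloads(con: sqlite3.Connection) -> list:
    """(utc_time, target_path, tab_url, tab_referrer_url) for each download."""
    rows = con.execute("SELECT start_time, target_path, tab_url, tab_referrer_url "
                       "FROM downloads ORDER BY start_time").fetchall()
    return [(chrome_time_to_utc(t), p, tab, ref) for t, p, tab, ref in rows]

def analyse(history_path: str, suspect_host: str) -> dict:
    con = open_history(history_path)
    try:
        return {"chains": chains_to_host(con, suspect_host), "downloads": downloads(con)}
    finally:
        con.close()

def build_sample_history(path: str) -> None:
    """Constructed sample (reduced Chrome schema, fictitious hosts): typed intranet
    visit -> link to compromised partner site -> hidden subframe from attacker
    host -> executable download. Not a real capture."""
    t0 = utc_to_chrome_time(datetime(2024, 3, 5, 9, 15, tzinfo=timezone.utc))
    s = 1_000_000  # one second in Chrome time units
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                               received_bytes INTEGER, total_bytes INTEGER,
                               tab_url TEXT, tab_referrer_url TEXT);""")
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://intranet.example.com/", "Intranet", 1, 1, t0, 0),
        (2, "https://news.partner-example.org/industry-update", "Industry update", 1, 0, t0 + 40 * s, 0),
        (3, "http://cdn-assets-example.net/loader.html", "", 1, 0, t0 + 41 * s, 1),
        (4, "http://cdn-assets-example.net/update.exe", "", 1, 0, t0 + 55 * s, 1)])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0x10000001),           # TYPED, chain start
        (2, 2, t0 + 40 * s, 1, 0x10000000),  # LINK clicked on the intranet page
        (3, 3, t0 + 41 * s, 2, 0x10000003),  # AUTO_SUBFRAME injected by partner page
        (4, 4, t0 + 55 * s, 3, 0x10000000)]) # LINK from the loader frame
    con.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?)",
                (1, r"C:\Users\victim\Downloads\update.exe", t0 + 55 * s, 204800, 204800,
                 "http://cdn-assets-example.net/update.exe",
                 "https://news.partner-example.org/industry-update"))
    con.commit()
    con.close()

def run_demo() -> dict:
    tmp = tempfile.NamedTemporaryFile(suffix="History", delete=False)
    tmp.close()
    build_sample_history(tmp.name)
    return analyse(tmp.name, "cdn-assets-example.net")

if __name__ == "__main__":
    result = run_demo()
    for chain in result["chains"]:
        print("visit chain:")
        for when, url, kind in chain:
            print(f"  {when:%Y-%m-%d %H:%M:%S} UTC  {kind:14} {url}")
    for when, path, tab, ref in result["downloads"]:
        print(f"download {when:%H:%M:%S} UTC -> {path} from {tab} (referrer {ref})")
```

The referrer chain is what distinguishes a watering hole from a user who typed the malicious URL themselves: the `AUTO_SUBFRAME` hop shows the attacker's host was loaded by the partner site without a click, and the download's `tab_referrer_url` ties the dropped file back to that page. The `hidden` flag on the subframe URLs is why such visits rarely appear in the user-facing history view.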
Browser forensics is the process of determining the root cause of a browser-based intrusion. Most of the analysis consists of correlating the browsing activity around the intrusion to establish where the attack originated.
Other Web Forensics Tools
Commonly used browser forensic tools include:
- DB Browser for SQLite – for opening .sqlite files.
- Nirsoft – Web Browser Tools.
- Sysinternals Strings.
- OS Forensics.
- Magnet IEF (Internet Evidence Finder)
- Browser History Viewer
Hindsight is an open-source tool for analysing web artifacts and correlating them to find the root cause or origin of an intrusion.
Hindsight is also popular for its easy deployment and configuration: it only requires a "Profile Path", the location of the Chrome profile you want to analyse.
Two commands are enough to install HINDSIGHT:
- pip install pyhindsight
- curl -sSL https://raw.githubusercontent.com/obsidianforensics/hindsight/master/install-js.sh | sh
HINDSIGHT can then be run in either of two ways:
- Command line (hindsight.py)
- Web UI (hindsight_gui.py)
Working of Hindsight
Like supply chain compromise, browser-based exploitation is evasive and a favoured route for many attacks; the DARKHOTEL APT is one example. To make things more secure, browser-based monitoring therefore needs as much attention as the rest of the environment, since it is what allows the root cause of an intrusion to be analysed and determined.