Evaluation of Firefox Browser Forensics Tools
Sweta Mahaju
University of Alabama
P.O. Box 870290
Tuscaloosa, Alabama 35487
smahaju@crimson.ua.edu
Travis Atkison∗
University of Alabama
P.O. Box 870290
Tuscaloosa, Alabama 35487
atkison@cs.ua.edu
ABSTRACT
Web browsers store web surfing data and history to facilitate the user's ease of operation, such as instant website recommendations or quicker access to previously visited sites. Since cyber-criminals or suspects, in general, may use the browser to search for any number of crime methods or visit different websites to collect information, this data is a good source of electronic evidence for lawsuits and other crime-related investigations. For this reason, web browser forensics is an important field of Digital Forensics. It is crucial to know about the different web browsing analysis tools that are available and to have a clear understanding of which tool would be more productive and suitable for which cases and situations. Therefore, this paper presents a survey of web browser forensics analysis tools for Firefox, and evaluates the performance of the tools and of the system while each tool is being run. These tools are tested against different criteria such as time constraints, memory consumption, and availability. The evaluation results vary with respect to the different sets of criteria. Each of the tools in this survey had its own strengths and weaknesses. However, if one is to be chosen which could be suitable enough for all the jobs, then FoxAnalysis would be the choice.
KEYWORDS
Digital Forensics, Web Browsers, Survey
ACM Reference format: Sweta Mahaju and Travis Atkison. 2017. Evaluation of Firefox Browser Forensics Tools. In Proceedings of ACM SE ’17, Kennesaw, GA, USA, April 13-15, 2017, 8 pages.
DOI: http://dx.doi.org/10.1145/3077286.3077310
1 INTRODUCTION
The Internet is used by almost everyone today: around 3.5 billion people, as of the most recent report according to Statista [16]. Among those billions of Internet users are a number of suspects who will use the Internet for any help or information to assist with their criminal activities. These could be activities they either intend to commit or have already committed in the past, whether it be web searching, visiting different websites, deleting the browsing history of the web browser, accessing emails or online storage, downloading files, and so on. Therefore, considering web browsers for evidence searching could be a crucial part of a digital forensic investigation, as critical electronic evidence is usually found in a suspect’s web browsing history in the form of the above-mentioned logs.
∗Corresponding author.
ACM SE ’17, April 13-15, 2017, Kennesaw, GA, USA
© 2017 ACM. ISBN 978-1-4503-5024-2/17/04...$15.00 DOI: http://dx.doi.org/10.1145/3077286.3077310
There are several web browsers that a user can use to access the Internet. Among them, Mozilla Firefox, Google Chrome, Internet Explorer, Safari and Opera are known as the web browsing giants of today’s age. Each of them has its own significance. However, this paper will focus on the Firefox web browser as it is OS independent, i.e., it is compatible with several operating systems like Mac, Windows, Linux, etc. [17]. Moreover, it is highly customizable, with a simple layout, and easier to use, which could be one of the reasons making it many users’ first choice [17]. Web browsers save traces and logs, such as cache, history, cookies, login credentials, and a download list. Similarly, Firefox stores browsing logs in an SQLite database from which data can be extracted during an investigation. The Firefox browser and its log data files and formats are described in detail in the upcoming section.
Web browsing evidence recognition is one of the most significant parts of a digital forensic investigation [13]. However, a forensic investigation is not limited to collecting logs and evidence. After gathering evidence, the next step is the analysis phase, in which the forensic investigators begin by reconstructing the web browsing events and activities. As the process is quite complicated, it calls for different forensics analysis tools. There are several browser-specific and browser-independent analysis tools available. However, not every tool exhibits all the features that a particular investigation scenario may require. Hence an evaluation of the analysis tools with respect to the set of features they provide would be beneficial, especially for forensics investigation. Therefore, this paper includes a section which evaluates different web browser forensic tools for the Firefox browser on the basis of the features they provide which may be helpful during forensics investigations.
Additionally, the performance of a tool is one of the key factors to be considered. Speed, ease of use, availability, memory utilization, CPU consumption, etc., are some of the performance metrics against which the tools could be tested, so that forensic investigation could get a