Hindsight – Browser Forensic Analyzer for Web Artifacts


OVERVIEW

As defensive approaches and hardening measures have improved, intruders have started looking for other ways to compromise an organization, and they often target vulnerable employees as the intrusion point.

Many attacks succeed because of a lack of awareness among an organization's employees; attacks such as Stuxnet and SolarWinds happened because internal employees were not aware of these cyber threats. An intruder's main focus is to target a vulnerable person and trick them into carrying out the intruder's intended actions. Common weak points include:

  1. Malicious websites
  2. Weak password
  3. Excessive privileges
  4. Phishing

Browser-based intrusion has recently become more common: attackers publicly host malicious websites, trick victims into visiting the infected sites, and use that foothold to get into the network. These attacks are known as the WATERING HOLE TECHNIQUE.


WATERING HOLE TECHNIQUE

This attack follows a specific path:

  1. Attacker compromises a website
  2. User is tricked into visiting the website
  3. Malware/backdoor is dropped on the victim's system
  4. Attacker successfully intrudes into the organisation

Because of this level of complexity, browser-based analysis is all the more important for prevention.

Important Locations

CHROME

Windows XP

  • C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\Default
  • C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache

Windows Vista, 7, 8, 10

  • C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default
  • C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Cache

Mac OS X

  • /Users/<username>/Library/Application Support/Google/Chrome/Default
  • /Users/<username>/Library/Caches/Google/Chrome/Default/Cache

Linux/Unix

  • /home/<username>/.config/google-chrome/Default
  • /home/<username>/.cache/google-chrome/Default/Cache

Firefox

Windows XP

  • C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\<profile folder>
  • C:\Documents and Settings\<username>\Local Settings\Application Data\Mozilla\Firefox\Profiles\<profile folder>\cache2

Windows Vista, 7, 8, 10

  • C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>
  • C:\Users\<username>\AppData\Local\Mozilla\Firefox\Profiles\<profile folder>\cache2

Mac OS X

  • /Users/<username>/Library/Application Support/Firefox/Profiles/<profile folder>
  • /Users/<username>/Library/Caches/Firefox/Profiles/<profile folder>/cache2

Linux/Unix

  • /home/<username>/.mozilla/firefox/<profile folder>
  • /home/<username>/.cache/mozilla/firefox/<profile folder>/cache2
  • Up to version 31 the cache files were stored in a folder named ‘Cache’. Starting with version 32 the cache files are stored in a folder named ‘cache2’.


Internet Explorer

Windows 7, 8, 10

  • C:\Users\<username>\Favorites
  • C:\Users\<username>\AppData\Local\Microsoft\Windows\WebCache
  • C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Recovery

BROWSER FORENSICS

Browser forensics is the process or technique of determining the root cause of a browser-based intrusion; most of the analysis consists of correlating the activity of the intrusion to determine the origin of the attack.

Other Web Forensics Tools

The following are commonly used browser forensic tools:

  • DB Browser – for opening .sqlite files.
  • Nirsoft – Web Browser Tools.
  • BrowsingHistoryView.
  • ESEDatabaseView.
  • Sysinternals Strings.
  • OS Forensics.
  • Magnet IEF (Internet Evidence Finder)
  • Browser History Viewer
  • Hindsight

HINDSIGHT

Hindsight is an open-source tool used to analyze and investigate web artifacts and to correlate the root cause or origin of an intrusion.

In addition, Hindsight is popular for its easy deployment and configuration; it just requires a “Profile Path”, the location of the Chrome profile you want to analyze.
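The Chrome profile given as the Profile Path contains a `History` SQLite database. The added example below (my own code, not Hindsight's) builds a constructed two-visit copy of that database in memory, converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to UTC, and resolves each visit's `from_visit` referrer, which is how a download is traced back to the page that led the user to it. The hostnames are hypothetical and the schema is trimmed to the real `urls`/`visits` columns that are queried.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Low byte of visits.transition is the core transition type (Chrome PAGE_TRANSITION_*).
CORE_TRANSITION = {0: "LINK", 1: "TYPED", 5: "GENERATED", 7: "FORM_SUBMIT", 8: "RELOAD"}

def webkit_to_utc(webkit_us: int) -> datetime:
    """Convert a WebKit microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)

def utc_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_utc; used here only to build the sample data."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_history() -> sqlite3.Connection:
    """Constructed sample History DB (hypothetical hosts). Column names match
    Chrome's urls/visits tables; the schema is trimmed to what is queried below."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, from_visit INTEGER, transition INTEGER);""")
    con.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "https://intranet.example.test/news", "Intranet news"),
        (2, "https://cdn.example.test/update.exe", "update.exe")])
    t0 = utc_to_webkit(datetime(2023, 5, 2, 9, 15, tzinfo=timezone.utc))
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 1),               # typed into the address bar
        (2, 2, t0 + 4_000_000, 1, 0)])  # link clicked 4 s later, from visit 1
    con.commit()
    return con

def visit_chain(con: sqlite3.Connection) -> list:
    """Visits in time order with the referring visit resolved: this is how a
    download is traced back to the page that led the user to it."""
    rows = con.execute("""
        SELECT v.id, u.url, v.visit_time, v.from_visit, v.transition
        FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time""").fetchall()
    url_of = {vid: url for vid, url, *_ in rows}
    return [{"time": webkit_to_utc(t).isoformat(), "url": url,
             "transition": CORE_TRANSITION.get(tr & 0xFF, str(tr & 0xFF)),
             "referrer": url_of.get(frm)}          # None when from_visit == 0
            for _, url, t, frm, tr in rows]

if __name__ == "__main__":
    for row in visit_chain(build_sample_history()):
        print(row)
```

To run this against a real profile, replace `":memory:"` with a copy of the profile's `History` file (copy it first; Chrome keeps the live file locked).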


Deployment

Two commands are enough to install HINDSIGHT completely:

  • pip install pyhindsight
  • curl -sSL https://raw.githubusercontent.com/obsidianforensics/hindsight/master/install-js.sh | sh

Hindsight can then be run in two modes:

  1. Command line
  2. GUI

Working of Hindsight

Conclusion

Like supply chain compromise, browser-based exploitation often evades defenses and is heavily used by many attackers, for example the DARKHOTEL APT. To make things more secure we need to focus on browser-based monitoring as well; it helps to analyze and determine the root cause of an intrusion.

Harisuthan
A Cyber Security Aspirant Security Researcher | Red-Teamer |

LEAVE A REPLY

Please enter your comment!
Please enter your name here