Various technical and legal issues hinder direct investigation on cloud services, which facilitates an alternative approach of investigating services through artifacts left by web browsers. Among diverse web browser artifacts, client-side storages such as IndexedDB have been a focus for retrieving contextual information about user behavior. However, analyzing such client-side storages has been difficult in private mode environments, as they were only kept in memory or not supported at all, depending on the browser. Recently, Firefox has started to support IndexedDB storage in private mode by storing encrypted files on disk during private sessions since July 2023. Since then, Gecko-based browsers' effort to support client-side storages through encrypted files on disk has continued, with Tor Browser also beginning to support IndexedDB in the same way since October 2023. Meanwhile, the research to utilize those encrypted files in investigations has not progressed much yet. This paper shows how to decrypt client-side storages generated in Gecko-based browsers’ private mode by extracting cipherkeys in memory. Experimental results indicate that when a private session is running, our proof-of-concept tool successfully decrypts all encrypted files. Additionally, there is a possibility of recovering data even in an inactive state by utilizing the hibernation file on disk.
While the COVID‐19 virus remolded the routines of the establishments, remote collaboration and distant communication gained more popularity. As the way electronic communications are handled changes drastically, new applications and storage mechanisms are introduced. Microsoft Teams is an application offered within the scope of Microsoft Office 365 that offers services for hosting virtual meetings, team communication, and comprehensive team resource management. It is prevalently used by organizations and indicates a great potential to be a source of digital forensic investigations. This paper scrutinizes the artifacts created by Microsoft Teams in IndexedDB persistent storage. IndexedDB is a fast‐growing client‐side storage technology that is relatively new as a source for digital forensic investigations. A single‐case pretest–posttest quasi experiment was conducted to produce artifacts in Microsoft Teams IndexedDB storage. The artifacts were extracted without user credentials indicating security flaws in the application. Extracted artifacts were processed based on signature patterns and evaluated for their significance. Traditional database queries were utilized to link and present the information clustered according to their relevancy. A time‐frame analysis was constructed to display information in a suitable format for investigators. The results indicate that Microsoft Teams IndexedDB storage artifacts contain significant potential for digital investigations with extraction of complete contents of private chat messages, voice mails, and team extensions with efficient time‐frame analysis.
As the Internet and World Wide Web have rapidly evolved and revolutionized the applications in everyday life, it is a demanding challenge for investigators to keep up with the emerging technologies for forensic analyses. Investigating web browser usages for criminal activities, also known as web browser forensics, is a significant part of digital forensics as crucial browsing information of the suspect can be discovered. Particularly, in this study, an emerging web storage technology, called IndexedDB, is examined. Characteristics of IndexedDB technology in five major web browsers under three major operating systems are scrutinized. Also, top 15 US websites ranked by Alexa are investigated for their data storage in IndexedDB. User screen names, ids, and records of conversations, permissions, and image locations are some of the data found in IndexedDB. Furthermore, BrowStEx, a proof‐of‐concept tool previously developed, is extended and cultivated into BrowStExPlus, with which aggregating IndexedDB artifacts is demonstrated.
As the usage of the Web increases, so do the threats an everyday user faces. One of the most pervasive threats a Web user faces is tracking, which enables an entity to gain unauthorized access to the user's personal data. Through the years, many client storage technologies, such as cookies, have been used for this purpose and have been extensively studied in the literature. The focus of this paper is on three newer client storage mechanisms, namely, Web Storage, Web SQL Database, and Indexed Database API. Initially, a large-scale analysis of their usage on the Web is conducted to appraise their usage in the wild. Then, this paper examines the extent that they are used for tracking purposes. The results suggest that Web Storage is the most used among the three technologies. More importantly, to the best of our knowledge, this paper is the first to suggest Web tracking as the main use case of these technologies. Motivated by these results, this paper examines whether popular desktop and mobile browsers protect their users from tracking mechanisms that use Web Storage, Web SQL Database, and Indexed Database. Our results uncover many cases where the relevant security controls are ineffective, thus making it virtually impossible for certain users to avoid tracking.