Conference: International conference on security management

Digital Forensic Analysis of Web-Browser Based Attacks


Abstract

In recent years, attacks that target browser vulnerabilities have increased significantly. An innocent user may be lured into accessing an untrusted website, where malicious content is passively downloaded and executed by his/her web browser; this attack vector is known as a Drive-by-Download attack. Systems and security researchers have addressed this attack from different perspectives. Several techniques and tools have been introduced to detect and prevent Drive-by-Download attacks; however, little research addresses the browser forensics perspective, namely to (1) identify traces and (2) reconstruct the executed events of downloaded malicious content, to assist the digital forensic investigation process. In this paper, a digital forensic method is introduced to investigate a web browser subjected to a Drive-by-Download attack. A Proof-of-Concept implementation based on a Firefox browser extension was developed to inspect and analyze malicious URLs that host malicious executables. The developed system was tested using 55 malicious web pages and successfully identified the digital evidence of the attack. 77% of the identified evidence were artifacts that we believe could assist a forensic investigator in determining whether a web browser or a system under examination is compromised, and in identifying the indications of compromise.