Geunyeong Choi , Jewan Bang , Sangjin Lee , Jungheum Park
{"title":"基于chrome浏览器的内存分析","authors":"Geunyeong Choi , Jewan Bang , Sangjin Lee , Jungheum Park","doi":"10.1016/j.fsidi.2023.301613","DOIUrl":null,"url":null,"abstract":"<div><p>The web browsing activities of a user provide useful evidence for digital forensic investigations. However, existing analysis techniques that aim to analyze local artifacts (e.g., history and cache) cannot find useful data (e.g., visited URLs) if a user accesses the web using private or secret mode. Hence, string-searching and pattern-matching techniques have been proposed and used to examine user activities from a memory dump. These simple techniques are useful for identifying individual URLs visited in both normal and private modes. However, since a piece of individually detected data does not have context on how it is created, additional analysis efforts are required to properly interpret the meaning of the data. This paper proposes <em>Chracer</em>, a practical methodology for extracting forensically meaningful information from the virtual memory of a Chromium-based browser by systematically discovering objects of web browsing-related classes. Moreover, a proof-of-concept tool developed based on the proposed methodology demonstrates that users’ web browsing-related artifacts can be extracted effectively from the virtual memory of any Chromium-based browser, such as Google Chrome, Microsoft Edge and Brave.</p></div>","PeriodicalId":48481,"journal":{"name":"Forensic Science International-Digital Investigation","volume":null,"pages":null},"PeriodicalIF":2.0000,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Chracer: Memory analysis of Chromium-based browsers\",\"authors\":\"Geunyeong Choi , Jewan Bang , Sangjin Lee , Jungheum Park\",\"doi\":\"10.1016/j.fsidi.2023.301613\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>The web browsing activities of a user provide useful evidence for digital forensic investigations. However, existing analysis techniques that aim to analyze local artifacts (e.g., history and cache) cannot find useful data (e.g., visited URLs) if a user accesses the web using private or secret mode. Hence, string-searching and pattern-matching techniques have been proposed and used to examine user activities from a memory dump. These simple techniques are useful for identifying individual URLs visited in both normal and private modes. However, since a piece of individually detected data does not have context on how it is created, additional analysis efforts are required to properly interpret the meaning of the data. This paper proposes <em>Chracer</em>, a practical methodology for extracting forensically meaningful information from the virtual memory of a Chromium-based browser by systematically discovering objects of web browsing-related classes. Moreover, a proof-of-concept tool developed based on the proposed methodology demonstrates that users’ web browsing-related artifacts can be extracted effectively from the virtual memory of any Chromium-based browser, such as Google Chrome, Microsoft Edge and Brave.</p></div>\",\"PeriodicalId\":48481,\"journal\":{\"name\":\"Forensic Science International-Digital Investigation\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":2.0000,\"publicationDate\":\"2023-10-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Forensic Science International-Digital Investigation\",\"FirstCategoryId\":\"3\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2666281723001257\",\"RegionNum\":4,\"RegionCategory\":\"医学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Forensic Science International-Digital Investigation","FirstCategoryId":"3","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2666281723001257","RegionNum":4,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
摘要
用户的网络浏览活动为数字取证调查提供了有用的证据。然而,现有的分析技术,旨在分析本地工件(例如,历史和缓存)不能找到有用的数据(例如,访问的url),如果用户访问web使用私有或秘密模式。因此,提出了字符串搜索和模式匹配技术,并将其用于检查内存转储中的用户活动。这些简单的技术对于识别在正常和私有模式下访问的单个url都很有用。然而,由于单独检测到的数据片段没有关于如何创建的上下文,因此需要额外的分析工作来正确解释数据的含义。本文提出了一种实用的方法,通过系统地发现web浏览相关类的对象,从基于chrome的浏览器的虚拟内存中提取有法律意义的信息。此外,基于所提出的方法开发的概念验证工具表明,用户的网络浏览相关工件可以有效地从任何基于Chrome的浏览器的虚拟内存中提取,如谷歌Chrome, Microsoft Edge和Brave。
Chracer: Memory analysis of Chromium-based browsers
The web browsing activities of a user provide useful evidence for digital forensic investigations. However, existing analysis techniques that aim to analyze local artifacts (e.g., history and cache) cannot find useful data (e.g., visited URLs) if a user accesses the web using private or secret mode. Hence, string-searching and pattern-matching techniques have been proposed and used to examine user activities from a memory dump. These simple techniques are useful for identifying individual URLs visited in both normal and private modes. However, since a piece of individually detected data does not have context on how it is created, additional analysis efforts are required to properly interpret the meaning of the data. This paper proposes Chracer, a practical methodology for extracting forensically meaningful information from the virtual memory of a Chromium-based browser by systematically discovering objects of web browsing-related classes. Moreover, a proof-of-concept tool developed based on the proposed methodology demonstrates that users’ web browsing-related artifacts can be extracted effectively from the virtual memory of any Chromium-based browser, such as Google Chrome, Microsoft Edge and Brave.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
