August 31, 2005 8:45 PM PDT
Alternative browsers pose challenge for cybersleuths
Internet Explorer hides nothing from police and other investigators who examine PCs to discover which sites the user has visited, according to a class held Wednesday at the annual training meeting of the High Tech Crime Investigation Association. Investigators know the location of the IE browser cache, cookie files and history, and they know how to read those files. Also, popular forensics tools can help out.
But that story changes when it comes to alternative Web browsers such as Firefox and Opera, instructor Glenn Lewis said at the well-attended session. These programs use different structures, files and naming conventions for the data that investigators are after. And files are in a different location on the hard drive, which can cause trouble for examiners. Furthermore, forensics software may not support the Web browsers, he said.
Though Microsoft's IE remains the most widely used browser, these alternatives are gaining in popularity. The open-source Firefox browser in particular has been able to nibble at Microsoft's dominant share of the market. Web browser data can be important in criminal investigations because browsers keep track of a suspect's online activity.
One specific challenge with Firefox and Opera is identifying which Web addresses have been entered manually as opposed to having been clicked on in a hyperlink, Lewis told the class.
The distinction may be important in a case where a suspect claims he did not intend to visit a Web site, but accidentally clicked on a link or was sent to a site automatically. It is hard to make that argument if an address was physically typed into the Web browser.
Firefox and Opera store information on typed URLs in a different file than IE does, and the files are somewhat tough to decipher, Lewis said. He showed his students--mostly law enforcement agents and private investigators--how to do it.
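The typed-versus-clicked distinction the class covered is worth seeing in code. The example below is added here and is not from the article or from the instructor's class; it assumes the places.sqlite layout that Firefox adopted with version 3 (moz_places and moz_historyvisits, with a visit_type column recording how each visit was reached), not the history.dat format Firefox used in 2005. The database contents are constructed inline so the script runs offline; the only real artifacts it relies on are the table and column names and the visit_type codes 1 (link), 2 (typed) and 5 (permanent redirect).

```python
import sqlite3
from datetime import datetime, timezone

# Firefox (3.0 and later) records one row per visit in moz_historyvisits.
# visit_type encodes the transition that produced the visit; 1 and 2 are the
# two an examiner cares about most for the "I only clicked a link" argument.
TRANSITION_NAMES = {
    1: "link",                # followed a hyperlink on another page
    2: "typed",               # address typed (or picked from typed entries) in the address bar
    3: "bookmark",
    4: "embed",
    5: "redirect_permanent",  # HTTP 301 from the previous visit
    6: "redirect_temporary",  # HTTP 302/307 from the previous visit
    7: "download",
    8: "framed_link",
    9: "reload",
}


def build_sample_db():
    """Constructed in-memory stand-in for places.sqlite (only the columns used here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, typed INTEGER DEFAULT 0);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    # visit_date is PRTime: microseconds since the Unix epoch, UTC.
    base = int(datetime(2005, 8, 31, 20, 45, tzinfo=timezone.utc).timestamp() * 1_000_000)
    places = [  # constructed sample URLs
        (1, "http://example.com/", "Example", 1),
        (2, "http://example.com/page2", "Page 2", 0),
        (3, "http://example.org/", "Example Org", 0),
        (4, "http://example.org/landing", "Landing", 0),
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", places)
    visits = [  # (id, from_visit, place_id, visit_date, visit_type)
        (1, 0, 1, base, 2),                 # user typed example.com
        (2, 1, 2, base + 60_000_000, 1),    # clicked a link on example.com one minute later
        (3, 0, 3, base + 120_000_000, 2),   # user typed example.org
        (4, 3, 4, base + 121_000_000, 5),   # server redirected example.org to /landing
    ]
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", visits)
    conn.commit()
    return conn


def classify_visits(conn):
    """Return every visit, oldest first, with its transition decoded to a name."""
    rows = conn.execute("""
        SELECT v.id, p.url, v.visit_date, v.visit_type, v.from_visit
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [
        {
            "visit_id": vid,
            "url": url,
            "time_utc": datetime.fromtimestamp(when_us / 1_000_000, tz=timezone.utc).isoformat(),
            "transition": TRANSITION_NAMES.get(vtype, f"unknown({vtype})"),
            "from_visit": from_visit or None,
        }
        for vid, url, when_us, vtype, from_visit in rows
    ]


def typed_urls(conn):
    """URLs the user entered by hand, in the order they were typed."""
    return [v["url"] for v in classify_visits(conn) if v["transition"] == "typed"]


def referrer_chain(conn, visit_id):
    """Walk from_visit back to the origin of a visit.

    Returns (transition, url) pairs oldest first, so an examiner can see whether
    a page was reached by typing, by a click, or by a redirect the user never chose.
    """
    chain, seen = [], set()
    while visit_id and visit_id not in seen:  # seen guards against cyclic data
        seen.add(visit_id)
        row = conn.execute("""
            SELECT v.from_visit, v.visit_type, p.url
            FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
            WHERE v.id = ?""", (visit_id,)).fetchone()
        if row is None:
            break
        visit_id, vtype, url = row
        chain.append((TRANSITION_NAMES.get(vtype, f"unknown({vtype})"), url))
    return list(reversed(chain))


if __name__ == "__main__":
    db = build_sample_db()
    for visit in classify_visits(db):
        print(visit)
    print("typed:", typed_urls(db))
    print("how /landing was reached:", referrer_chain(db, 4))
```

Run against a real profile by replacing the in-memory connection with `sqlite3.connect("places.sqlite")` on a copy of the file (Firefox holds a lock on the live one). The referrer chain is the useful part for the scenario in the article: visit 4 was a redirect, but the chain shows it began with a typed address, which is exactly the fact a suspect's "I was sent there automatically" claim turns on.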
Lewis, who works for risk consulting company Kroll, gave attendees more tips on how to read the cache, history and cookie files that Firefox and Opera generate. He recommended some free tools for investigators, including Opera 4 File Explorer, which displays Opera cache files, and Web Historian from Red Cliff, which exports history information for IE, Opera and Firefox into an easily readable Excel spreadsheet.
Private investigator Mark Carlsson felt Lewis provided useful information.
"Each browser has its intricacies," he said. "You can find some details online, but often it is difficult." Carlsson does computer forensics investigations for private clients, such as corporations that need evidence on a rogue employee, he said.
The session was also valuable because Lewis provided tools that investigators can use to back up findings from major forensics tools, said Carlsson, who works for Digital Bytes in Lyndora, Pa.
78 comments
I've defended C/NET in the past. But this IS a non-story. Different software solutions store data in different places. That's a 40+ year old story.
Or is it complaining that the public is obstructing justice, by not laying themselves bare for the authorities? One day, the cops/feds will actually have the same technological acumen of a 12-year old geek - maybe.
I suppose you could say it's another good reason not to use IE, but they can still find that information in Firefox they just have to learn to do it and maybe work a little harder.
And these guys pass themselves off as investigators??? That alone cracks me up.
experts" aren't up to speed. Law enforcement rarely means cutting edge technologists. It is obvious to anyone that's been using computers for any length of time that different applications do things differently -- especially where they keep stuff.
This shouldn't be a surprise to the cops. Heck -- what if someone alters the application to store the information elsewhere (or not log it at all)? Does it not seem silly that a law enforcement officer wouldn't expect that a reasonably intelligent criminal (there must be a few) would change the rules?
If that's the best they can do, what happens when the criminal uses a live-cd and, possibly, uses an encrypted USB key for their nefarious ditties? No trace on the PC, and good luck finding something on the key -- if you can find the key at all (not only small, but often built into other things like lighters, belt buckles, and rubber duckies)...
This story is about computer illiterate investigators who do not seem to know that ALL programs are created differently and lack the skills to compensate or REALLY investigate.
It shows that I can get away with things simply by using a file format they don't understand and create my own encryption because they cannot snoop well beyond the capabilities of the pre-canned software they can run.
If anything this story emphasizes the need for law enforcement to "get a clue" when investigating computers. Personally if a loved one was hurt and evidence is on a bad guy's PC, I would feel frustrated because some idiot cops really lack the ability to uncover evidence simply because their programs don't know about a new program the bad guy was using.
So, to anyone who has a clue about how computer programs work ... this story serves only to poke fun of non computer literate sucker police investigators.
"investigators" would be completely flummoxed if someone changed where IE stores its information. If someone can't easily figure out where a given browser stores its data then they shouldn't be allowed anywhere near an investigation. What we have here is a classic case of confusion when someone discovers that they might have to actually think about what they're doing.
This is one of my pet peeves with local police departments trying to fight "cyber-crime." Instead of out trying to solve real crimes (murders, rapes, kidnappings, frauds) local police put a bunch of time, money and energy into cyber-crime, which devolves into chasing after old geezers looking at kiddie-porn.
Ok, kiddie porn is bad, and should be eradicated from the face of the earth (no disrespect intended to the hundred or so legal jurisdictions where it is not illegal). That said, it is so much easier for law enforcement to go mano a mano with a 70 year old guy looking at pictures of 18 year old anorexic girls in nothing but panties than it is with a 20-something YWM/YBM hopped up on crystal meth carrying a MAC-10 and holding a hostage. I get that.
But we hired them to solve just that kind of violent crime and to bring in just those types of criminals. Leave the cyber-crime to the experts and finding how millions of dollars moved out the LAN pipe, or how a market got manipulated or whatever.
this could be a great advertisement to lure in paedophiles to the fox.
"got any child porn you don't want the authorities to find? use firefox!"
It's fascinating that authorities would have an easier time decoding a proprietary software's intricacies than an open source one. I mean the code is freely available. If they don't know how to interpret it, they could hire someone who can. Really, where is the challenge? Now, Opera is also proprietary software, and I can see why it would be difficult in their case, but FireFox is open source. No excuses there.
Files stored in different paths? Fine, look for the different paths, it shouldn't be that hard. Traditional tools don't work? Write new ones! Honestly, there should be no challenge in this respect for the authorities, who have access to more technology than the average user.
Effectively, they're professional script kiddies working for the common good instead of against it.
The lesson? Training. You wouldn't put a detective in the morgue and hand him a scalpel, and you wouldn't drop him in front of a science lab. You'd hire a coroner, you'd hire someone trained in forensic science. If you're going to search someone's computer for evidence, hire an expert or train someone to *become* an expert.
And when they have to dissect a computer with linux on it, they peel a banana to the ancient gods of knowledge to help them understand ***
'Welcome to gentoo. EvilD00d login:' means ?
*sigh*
Jesus. Is this story some kind of way late april fools joke?
If people think that anything by IE is an "Alternative" browser, then this fact just strengthens the case for Microsoft's blatant anti trust exploits.
Microsoft Wins! I just go goo goo for MS!