Abstract

Live forensics is the process of collecting forensically sound evidence from a running computer system. In cyber forensics, live forensics is very important because it is how volatile information is collected. It is performed when the computer is found running at the scene of the crime, because this information will be lost forever once the system is switched off. It is also the preferred option for forensically analyzing mission-critical dedicated servers. During live forensics, it should be ensured that only relevant data is acquired from the suspect's hard disk, in order to minimize tampering with the original evidence. Browser files contain important information about a suspect's Internet activities, and hence their analysis is indispensable in both offline and live forensic analysis. Here, a framework that performs both the acquisition and the analysis of browser files is discussed. The acquisition tool in the framework is capable of forensically retrieving the browser files from the suspect's machine. The analysis tool analyzes the acquired browser files to find forensically relevant information related to Internet activities. Browser forensics of commonly used web browsers is described in the paper. This framework enables investigators to find crucial hints regarding the crime. This may help in proving whether the Internet activities related to the reported cybercrime took place on the suspect's machine.
