Showing posts from October, 2022

Recovering Cleared Browser History - Chrome Forensics

Hello naughty sysadmin... I've been watching your search history this Summer O_o How do you detect when a user deletes their Chrome history, and is there a way to forensically recover it? The answer is… it depends. 😈

A good indicator for recovering what a user was doing when they deleted their Chrome browser history is to check inside the C:\Users\<name>\AppData\Local\Google\Chrome\User Data\Default\Sessions folder. The two files you need to look at are named:

- Session_<Webkit/Chrome date>
- Tabs_<Webkit/Chrome date>

The Session file stores session information and the Tabs file stores what tabs they had open. In certain situations, when a user CLEARS their Chrome history, what they were browsing can persist within these files.

There are a few potential cases that could have occurred, and we will go through all of them:

- A user cleared their history and did not use Chrome since
- A user clears their history and re-opened ONE new session
- A user clears their histor

How to Investigate Insider Threats (Forensic Methodology)

Insider threats are unfortunately a real and active threat. The forensic investigation of a suspected insider follows a different methodology than the classic approach for investigating external threat actors. The main difference between insider jobs and other jobs is that clients usually want a timeline of both the activity around the “malicious action” and the “legitimate” activity leading up to, during and after the malicious actions, to remove reasonable doubt that it was somebody else. During an insider job, artefacts that show system wake/hibernation, or artefacts proving a user opened something from their taskbar, are just as important as the malicious activity itself, depending on the client's needs.

For these cases, analysts should *consider* creating TWO timelines, depending on the client's needs and the nature of the incident:

- One timeline for malicious activity
- One timeline capturing ALL relevant activity showing what the user was actively doing since being ide