TY - GEN
T1 - Acquisition of evidence of web storage in HTML5 web browsers from memory image
AU - Matsumoto, Shinichi
AU - Sakurai, Kouichi
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2014/1/26
Y1 - 2014/1/26
N2 - Web browser is a growing platform for the execution of various applications. There are large fractions of smartphone platforms that support the execution of web technology based application, especially one such as HTML 5. However there are also some emerging smartphone platforms that only support web technology based applications. Taking into the considerations of these situations may lead to a higher importance of forensic investigations on artifacts within the web browser bringing about the usefulness of the HTML5 specific attributes as evidences in mobile forensics. Through this paper, we explore the results of experiments that acquire the main memory image within terminal and extract the webStorage data as an evidence of the browsing activity. The memory forensics of web browsing activity is highly concerned. The evidences gathered from the HTML5 web Storage contents acquired from the main memory image are examined and the results of the observations indicate the ability to retrieve web Storage from the memory image is certain. Therefore, we proclaimed formats of evidences that are retrievable from the main memory. The formats were different depending on the type of web browser accessed. Three most utilized web browsers are experimented in this paper namely, Google Chrome, Mozilla Firefox and Microsoft Internet Explorer. The results showed that the acquisition of web Storage content on the browsers were possible and elucidated its formats. Values of web Storage is contained in the residuals that left by all of three web browsers. Therefore, if the investigator has the knowledge of values, he will be able to find the location of the evidence to hint values. If the investigator does not have the knowledge about the value, then he can explore the evidence based on the knowledge of the origin or key. Because the format of the evidence depends on Web browser, investigator must use different search techniques according to the Web browser.
AB - Web browser is a growing platform for the execution of various applications. There are large fractions of smartphone platforms that support the execution of web technology based application, especially one such as HTML 5. However there are also some emerging smartphone platforms that only support web technology based applications. Taking into the considerations of these situations may lead to a higher importance of forensic investigations on artifacts within the web browser bringing about the usefulness of the HTML5 specific attributes as evidences in mobile forensics. Through this paper, we explore the results of experiments that acquire the main memory image within terminal and extract the webStorage data as an evidence of the browsing activity. The memory forensics of web browsing activity is highly concerned. The evidences gathered from the HTML5 web Storage contents acquired from the main memory image are examined and the results of the observations indicate the ability to retrieve web Storage from the memory image is certain. Therefore, we proclaimed formats of evidences that are retrievable from the main memory. The formats were different depending on the type of web browser accessed. Three most utilized web browsers are experimented in this paper namely, Google Chrome, Mozilla Firefox and Microsoft Internet Explorer. The results showed that the acquisition of web Storage content on the browsers were possible and elucidated its formats. Values of web Storage is contained in the residuals that left by all of three web browsers. Therefore, if the investigator has the knowledge of values, he will be able to find the location of the evidence to hint values. If the investigator does not have the knowledge about the value, then he can explore the evidence based on the knowledge of the origin or key. Because the format of the evidence depends on Web browser, investigator must use different search techniques according to the Web browser.
UR - http://www.scopus.com/inward/record.url?scp=84946690124&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84946690124&partnerID=8YFLogxK
U2 - 10.1109/AsiaJCIS.2014.30
DO - 10.1109/AsiaJCIS.2014.30
M3 - Conference contribution
AN - SCOPUS:84946690124
T3 - Proceedings - 2014 9th Asia Joint Conference on Information Security, AsiaJCIS 2014
SP - 148
EP - 155
BT - Proceedings - 2014 9th Asia Joint Conference on Information Security, AsiaJCIS 2014
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2014 9th Asia Joint Conference on Information Security, AsiaJCIS 2014
Y2 - 4 September 2014 through 5 September 2014
ER -