Finding Pirate’s Bounty with IEF

After the long process of generating data through each VM, we used Magnet Forensics’ Internet Evidence Finder (IEF) to view each browser’s artifacts. For this part of the project, we were able to see how PirateBrowser borrows its features from Firefox Portable and Firefox 23.


For Firefox Portable, we tested two images: one of the VM with the USB drive plugged in, and another of just the USB drive itself. There was no Firefox history stored on the VM because the browser was run directly from the USB drive. However, there was data from Internet Explorer on the VM even though it was not opened. IEF found artifacts for Adobe’s Flash download page in Internet Explorer, but it is not apparent why this was recorded in IE’s logs when our team never actually opened IE. In comparison, when IEF was run on the flash drive image, we were able to find data that was generated from activity in the browser.

 

With PirateBrowser itself, we were able to find Firefox data from random advertisements, as well as the sites which we visited. As with Mozilla Firefox 23, we were able to find all user activity from the browser, including email usernames and ad sites that were loaded onto each page visited. This data revealed that PirateBrowser’s artifacts are stored in the same way Firefox 23’s are. IEF was easily able to find data for both browsers. We concluded that PirateBrowser only really borrows Firefox Portable’s ability to be run from a flash drive.
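As an added illustration (not part of the original post and not how IEF works internally): Firefox keeps browsing history in a SQLite file named `places.sqlite` inside the profile folder, so a Firefox-format profile can be read with the same query whether it sits on a USB drive or on disk. The rows, timestamps and `example.test` URLs below are constructed sample data.

```python
import sqlite3
from datetime import datetime, timezone

# Firefox visit_type codes (nsINavHistoryService TRANSITION_* constants).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download", 8: "framed_link"}

def open_readonly(path):
    """Open a working copy of places.sqlite read-only so it is not altered."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample_places(conn):
    """Constructed sample rows in the moz_places / moz_historyvisits layout."""
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        (1, "https://mail.example.test/inbox", "Inbox"),
        (2, "https://ads.example.test/banner?id=7", None),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, 1380000000000000, 2),  # typed URL
        (2, 1, 1, 1380000060000000, 1),  # followed link
        (3, 2, 2, 1380000061000000, 6),  # temporary redirect to an ad host
    ])

def read_history(conn):
    """Return (UTC time, visit type, URL, title) for every visit, oldest first."""
    rows = conn.execute("""
        SELECT v.visit_date, v.visit_type, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    out = []
    for visit_date, vtype, url, title in rows:
        # visit_date is PRTime: microseconds since the Unix epoch, UTC.
        ts = datetime.fromtimestamp(visit_date / 1_000_000, tz=timezone.utc)
        label = VISIT_TYPES.get(vtype, f"type_{vtype}")
        out.append((ts.isoformat(), label, url, title or ""))
    return out

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    build_sample_places(conn)
    for row in read_history(conn):
        print(" | ".join(row))
```

To run it against real evidence, pass the result of `open_readonly()` on a copy of the profile's `places.sqlite` to `read_history()` instead of the in-memory sample.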

 

Next, we are comparing the data found in IEF to what we found using Bulk Extractor from Manta Ray.

 

Christopher Antonovich

 
