We’ve made some significant progress in the last few weeks as we approach the final stages of our Incognito Mode analysis. Since completing the refined data generation sessions, we have acquired new images to analyze and immediately began artifact retrieval with FTK v5.5 from there.
A roadblock we encountered within the past weeks was finding a solid method to analyze the RAM of our virtual machines. Our original intent was to export the .RAW file from FTK 5.5, then open up the file in an analysis tool such as Volatility or Memoryze. Due to the size of the .RAW RAM dump file (about 6 GB on average), FTK would not allow us to export the file to the local machine and utilize these resources.
Our revised method involves the use of Internet Evidence Finder (IEF), a tool that we initially opted not to use in favor of FTK. Opening up our .E01 images in IEF yields more findings than we expected it to. Many of the files for items such as search histories were found within the RAM dump (confirmed by authenticating the source destination of the acquired data). We were pleasantly surprised by how seamlessly IEF was able to analyze and open the SQL databases located within the dump, as well as its in-depth look inside the .RAW file that contained all of the RAM information we were hoping to analyze. IEF has been a great help with streamlining and organizing our research. Screen captures of key browsing artifacts are being documented within our personal folders in preparation for use in the final report.
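To show why a browser's SQLite databases can turn up inside a raw memory dump at all, here is an added example of the underlying technique: signature carving. It is not IEF's code and makes no claim about how IEF works internally; it builds a small constructed "dump" (filler bytes with a throwaway SQLite history database embedded in it), scans for the `SQLite format 3\0` file-header magic, reads the page size and page count from the SQLite header to find the database's extent, and then opens the carved bytes read-only to pull the URLs back out. The table name `urls` and the sample URLs are constructed for the example.

```python
import os
import sqlite3
import tempfile

# Every SQLite 3 database file begins with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_dump() -> bytes:
    """Construct a synthetic RAM dump (constructed sample data, not an image from
    the project): zero/heap-like filler with a small SQLite database embedded."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "history.db")
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA page_size = 1024")  # small pages keep the sample tiny
        conn.execute("CREATE TABLE urls (url TEXT, title TEXT)")
        conn.executemany(
            "INSERT INTO urls VALUES (?, ?)",
            [
                ("https://example.org/search?q=forensics", "search"),
                ("https://example.org/private", "private page"),
            ],
        )
        conn.commit()
        conn.close()
        with open(path, "rb") as f:
            db_bytes = f.read()
    filler_before = b"\x00" * 4096 + b"unrelated heap data " * 50
    filler_after = b"\xff" * 2048
    return filler_before + db_bytes + filler_after


def carve_sqlite(dump: bytes):
    """Return a list of (offset, database_bytes) for each SQLite header found.

    SQLite header layout used here (offsets are from the file format spec):
      16-17  page size, big-endian; the value 1 means 65536
      24-27  file change counter
      28-31  database size in pages (valid only when bytes 24-27 == bytes 92-95)
      92-95  change counter at the time the size field was last updated
    """
    results = []
    pos = dump.find(SQLITE_MAGIC)
    while pos != -1:
        header = dump[pos:pos + 100]
        if len(header) < 100:
            break
        page_size = int.from_bytes(header[16:18], "big")
        if page_size == 1:
            page_size = 65536
        valid_page_size = 512 <= page_size <= 65536 and (page_size & (page_size - 1)) == 0
        n_pages = int.from_bytes(header[28:32], "big")
        size_trusted = header[24:28] == header[92:96] and n_pages > 0
        if valid_page_size:
            if size_trusted:
                end = pos + page_size * n_pages
            else:
                # Older writers leave the size field stale; fall back to carving
                # to the end of the dump and let SQLite sort out the trailing bytes.
                end = len(dump)
            blob = dump[pos:end]
            if size_trusted and len(blob) != page_size * n_pages:
                blob = None  # database is truncated in the dump; skip it
            if blob is not None:
                results.append((pos, blob))
        pos = dump.find(SQLITE_MAGIC, pos + 1)
    return results


def read_carved_urls(blob: bytes):
    """Write the carved bytes to a temporary file and query it read-only."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "carved.db")
        with open(path, "wb") as f:
            f.write(blob)
        conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            return [row[0] for row in conn.execute("SELECT url FROM urls ORDER BY rowid")]
        finally:
            conn.close()


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, blob in carve_sqlite(dump):
        print(f"SQLite database at offset {offset} ({len(blob)} bytes)")
        for url in read_carved_urls(blob):
            print("  ", url)
```

The size-field check matters on real dumps: a database page-cached in memory may be only partially resident, so a carver that trusts the header's page count without checking that many bytes are actually present will hand you a truncated file. Opening carved output in read-only mode keeps SQLite from writing a journal or recovery data back into what should be a preserved artifact.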
The new results are much more consistent with our expectations for the private browsers’ functions based on our original research. Now, with retrieval nearly complete, our next step is to organize our findings in a way that will be presentable for our culminating report.
We will be sharing our progress and findings in future blog posts throughout the coming months. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at firstname.lastname@example.org.