Mobile Forensic aspects of Web browser: from HTML4 to HTML5

 

Prof Kouichi SAKURAI

       Depertment of Informatics, Kyushu University,  And

       Information Security Laboratory,  

       Institute of Systems, Information Technologies and Nanotechnologies (ISIT)

 

Abstract—Web browser is a growing platform for the execution of various applications. There are large fractions of smartphone platforms that support the execution of web technology based application, especially one such as HTML 5. However there are also some emerging smartphone platforms that only support web technology based applications.

Taking into the considerations of these situations may lead to a higher importance of forensic investigations on artifacts within the web browser bringing about the usefulness of the HTML5 specific attributes as evidences in mobile forensics. Through this paper, we explore the results of experiments that acquire the main memory image within terminal and extract the webStorage data as an evidence of the browsing activity.

This talk discusses two mechanisms of HTML5 forensic aspects, one is on memory and the other is on file system.

• The memory forensics of web browsing activity is highly concerned. The evidences gathered from the HTML5 web Storage contents acquired from the main memory image are examined and the results of the observations indicate the ability to retrieve web Storage from the memory image is certain. Therefore, we proclaimed formats of evidences that are retrievable from the main memory. The formats were different depending on the type of web browser accessed.

• We carried out the experiment to acquire the artifact left by Web Storage that is a part of HTML5 standard. This acquisition is performed via file system and not from Web user interface and/or APIs of Web framework. Reading the data handled by HTML via Web user interface and/or Web framework API means reading the data via Web browser framework. In this case, it is difficult to ensure the admissibility of evidence. In order to ensure the admissibility, it is necessary to retrieve the evidence via side channel. In this research, we try to retrieve it via file system.

 

Note: Most part of this work is jointed with Shinichi Matsumoto of ISIT

 

Keywords: Computer Forensics, Mobile Forensics, Web browser, Privacy

 

Bio-data:

Kouichi Sakurai received the B.S. degree in mathematics from the Faculty of Science, Kyushu University in 1986. He received the M.S. degree in applied science in 1988, and the Doctorate in engineering in 1993 from the Faculty of Engineering, Kyushu University. He was engaged in research and development on cryptography and information security at the Computer and Information Systems Laboratory at Mitsubishi Electric Corporation from 1988 to 1994. From 1994, he worked for the Dept. of Computer Science of Kyushu University in the capacity of associate professor, and became a full professor there in 2002. He is concurrently working also with the Institute of Systems & Information Technologies and Nanotechnologies, as the chief of Information Security laboratory, for promoting research co-oporations among the industry, university and government under the theme "Enhancing IT-security in social systems". He has been successful in generating such co-operation between Japan, China and Korea for security technologies as the leader of a Cooperative International Research Project supported by the National Institute of Information and Communications Technology (NICT) during 2005-2006. Moreover, in March 2006, he established research co-oporations under a Memorandum of Understanding in the field of information security with Professor Bimal Kumar Roy, the first time Japan has partnered with The Cryptology Research Society of India (CRSI). Professor Sakurai has published more than 260 academic papers around cryptography and information security (See:http://www.informatik.uni-trier.de/~ley/db/indices/a-tree/s/Sakurai:Kouichi.html)