Network and Browser History
Last updated
Techniques that can be used to discover evidence in support of an asset's physical location, network connectivity and web browser history post-breach. These are most useful in investigations relating to insider threat or, more commonly since the COVID pandemic, to attacks originating from employees working away from the office.
Identifying the system's time zone yields information that can indicate an asset's physical locale.
WIN: XP+ SRV: 2003+
Windows event logs and other internal date-time group (DTG) stamps are interpreted against the time zone settings saved under the current control set in the registry.
Logs sourced from network devices will need to be correlated for any time difference or clock skew against the host.
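Added example, not from the original page: it decodes the time zone values Windows keeps in the registry and uses them to line host-local timestamps up with UTC and with a network device's clock. It assumes the values come from the well-known key SYSTEM\CurrentControlSet\Control\TimeZoneInformation (the page does not name the key); the sample values and log timestamps are constructed, not taken from a real host.

```python
# Added example (not page code): decode Windows TimeZoneInformation values and
# convert host-local DTG stamps to UTC for correlation with network logs.
# Assumed source key: SYSTEM\CurrentControlSet\Control\TimeZoneInformation.
from datetime import datetime, timedelta

# Constructed sample: REG_DWORD values as dumped by `reg query`, for a host set to
# Eastern Time while daylight saving is in effect (not from a real system).
# Windows convention: UTC = local + bias (minutes); a negative bias is east of UTC.
SAMPLE_TZ_INFO = {
    "Bias": 0x0000012C,            # 300 min  -> standard time is UTC-5
    "StandardBias": 0x00000000,
    "DaylightBias": 0xFFFFFFC4,    # -60 min stored as an unsigned DWORD
    "ActiveTimeBias": 0x000000F0,  # 240 min  -> UTC-4 currently in force
    "TimeZoneKeyName": "Eastern Standard Time",
}

LOG_FMT = "%Y-%m-%d %H:%M:%S"


def signed_dword(value: int) -> int:
    """Bias values are two's-complement but exported as unsigned 32-bit DWORDs."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def active_utc_offset_minutes(tz_info: dict) -> int:
    """Offset such that local = UTC + offset, derived from ActiveTimeBias."""
    return -signed_dword(tz_info["ActiveTimeBias"])


def local_log_time_to_utc(local_ts: str, tz_info: dict) -> str:
    """Convert a host-local DTG (e.g. from an application log) to a UTC string.

    Note: .evtx records already store UTC; Event Viewer merely displays them in
    the local zone, so only apply this to logs that genuinely write local time.
    """
    local = datetime.strptime(local_ts, LOG_FMT)
    utc = local - timedelta(minutes=active_utc_offset_minutes(tz_info))
    return utc.strftime(LOG_FMT) + "Z"


def clock_skew_seconds(host_utc: str, network_utc: str) -> int:
    """Skew between the host clock and a network device that saw the same event.

    Positive means the host clock runs ahead; subtract it from host timestamps
    before merging the two timelines.
    """
    host = datetime.strptime(host_utc.rstrip("Z"), LOG_FMT)
    network = datetime.strptime(network_utc.rstrip("Z"), LOG_FMT)
    return int((host - network).total_seconds())


if __name__ == "__main__":
    print(active_utc_offset_minutes(SAMPLE_TZ_INFO))                            # -240
    print(local_log_time_to_utc("2021-06-01 09:30:00", SAMPLE_TZ_INFO))         # 2021-06-01 13:30:00Z
    print(clock_skew_seconds("2021-06-01 13:30:00Z", "2021-06-01 13:29:15"))    # 45
```

The sign handling is the part worth getting right: a host east of UTC stores its bias as a large unsigned DWORD, and reading it as positive minutes silently shifts every correlated timestamp by many hours.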
Cookies give insight into which sites have been visited and the activities that occurred on the site.
WIN: XP+ SRV: 2003+
Google Analytics (GA) has developed an extremely sophisticated methodology for tracking site visits, user activity, and paid search. Since GA is largely free, it has a commanding share of the market, estimated at over 80% of sites using traffic analysis and over 50% of all sites.
__utma (Unique Visitors)
Domain Hash
Visitor ID
Cookie Creation Time
Time of 2nd most recent visit
Time of most recent visit
Number of visits
__utmb (Session Tracking)
Domain Hash
Page views in current session
Outbound link clicks
Time current session started
__utmz (Traffic Sources)
Domain Hash
Last update time
Number of visits
Number of different types of visits
Source used to access site
Google AdWords campaign name
Access Method (organic, referral, cpc, email, direct)
Keyword used to find site (non-SSL only)
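Added example, not from the original page: it decodes the classic GA cookies (__utma, __utmb, __utmz) from a browser Cookie header into the fields listed above, rendering the epoch timestamps as UTC. The cookie values are constructed for illustration, not captured from a real site.

```python
# Added example (not page code): parse classic Google Analytics cookies.
# Field order follows the layout above; the sample header below is constructed.
from datetime import datetime, timezone
from urllib.parse import unquote

SAMPLE_COOKIE_HEADER = (
    "__utma=173272373.1051283291.1612345678.1612400000.1612450000.3; "
    "__utmb=173272373.4.10.1612450000; "
    "__utmc=173272373; "
    "__utmz=173272373.1612450000.3.2."
    "utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=forensic%20timeline"
)


def _utc(epoch: str) -> str:
    """GA stores Unix epoch seconds; render as UTC to line up with other logs."""
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_utma(value: str) -> dict:
    """domain hash . visitor id . first visit . previous visit . last visit . visits"""
    h, visitor, first, prev, last, visits = value.split(".")
    return {"domain_hash": h, "visitor_id": visitor, "first_visit": _utc(first),
            "previous_visit": _utc(prev), "last_visit": _utc(last),
            "visits": int(visits)}


def parse_utmb(value: str) -> dict:
    """domain hash . page views this session . outbound clicks . session start"""
    h, pageviews, outbound, start = value.split(".")
    return {"domain_hash": h, "pageviews": int(pageviews),
            "outbound_clicks": int(outbound), "session_start": _utc(start)}


def parse_utmz(value: str) -> dict:
    """domain hash . last update . visits . source count . campaign data

    The campaign data (utmcsr=source|utmccn=campaign|utmcmd=medium|utmctr=term)
    may itself contain dots (e.g. a referrer hostname), so split at most 4 times.
    """
    h, updated, visits, sources, campaign = value.split(".", 4)
    fields = dict(item.split("=", 1) for item in campaign.split("|") if "=" in item)
    return {"domain_hash": h, "last_update": _utc(updated), "visits": int(visits),
            "source_count": int(sources), "source": fields.get("utmcsr"),
            "campaign": fields.get("utmccn"), "medium": fields.get("utmcmd"),
            "keyword": unquote(fields["utmctr"]) if "utmctr" in fields else None}


# __utmc carries only the domain hash (session marker), so it is not decoded.
PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}


def parse_ga_cookies(header: str) -> dict:
    """Decode every recognised GA cookie in a Cookie header; keep raw values on error."""
    decoded = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name in PARSERS and value:
            try:
                decoded[name] = PARSERS[name](value)
            except ValueError:
                decoded[name] = {"raw": value, "error": "unexpected field count"}
    return decoded


if __name__ == "__main__":
    for name, fields in parse_ga_cookies(SAMPLE_COOKIE_HEADER).items():
        print(name, fields)
```

The visitor ID in __utma persists across sessions, so the same value found in cookie stores for two different local accounts or two images is a strong link between them; the __utmz keyword field is only populated when the search referrer was not over SSL, as noted above.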
Determines which wireless networks the system has connected to; the events record the SSID.
WIN: 7+ SRV: Not Tested
Event IDs
11000: Wireless network association started
8001: Successful connection to wireless network
8002: Failed connection to wireless network
8003: Disconnect from wireless network
6100: Network diagnostics (System.evtx)
Native Event Viewer
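Added example, not from the original page: it turns the event IDs listed above into a per-SSID connection timeline with session durations and failed attempts. It assumes events 11000, 8001, 8002 and 8003 are read from the Microsoft-Windows-WLAN-AutoConfig/Operational log (6100 is in System.evtx) and that timestamps have already been exported as UTC; the records are constructed and reduced to the fields the timeline needs.

```python
# Added example (not page code): Wi-Fi connection timeline from WLAN-AutoConfig
# event IDs. Records are constructed samples with only the needed fields.
from datetime import datetime

WLAN_EVENTS = {
    11000: "association started",
    8001: "connected",
    8002: "connection failed",
    8003: "disconnected",
}
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (not real log data); TimeCreated assumed UTC.
SAMPLE_RECORDS = [
    {"EventID": 11000, "TimeCreated": "2021-03-15 08:02:10", "SSID": "CorpWiFi"},
    {"EventID": 8001,  "TimeCreated": "2021-03-15 08:02:14", "SSID": "CorpWiFi"},
    {"EventID": 8003,  "TimeCreated": "2021-03-15 12:30:00", "SSID": "CorpWiFi"},
    {"EventID": 11000, "TimeCreated": "2021-03-15 18:45:01", "SSID": "HomeNet-5G"},
    {"EventID": 8002,  "TimeCreated": "2021-03-15 18:45:05", "SSID": "HomeNet-5G"},
    {"EventID": 11000, "TimeCreated": "2021-03-15 18:45:20", "SSID": "HomeNet-5G"},
    {"EventID": 8001,  "TimeCreated": "2021-03-15 18:45:24", "SSID": "HomeNet-5G"},
]


def _seconds_between(start: str, end: str) -> int:
    delta = datetime.strptime(end, TS_FMT) - datetime.strptime(start, TS_FMT)
    return int(delta.total_seconds())


def build_wifi_sessions(records: list) -> list:
    """Pair each 8001 (connected) with the next 8003 (disconnected) for the same SSID.

    A session with no 8003 is still open at the end of the log (or the log was
    cleared/rolled), which is itself worth noting in an investigation.
    """
    sessions, open_sessions = [], {}
    for rec in sorted(records, key=lambda r: r["TimeCreated"]):
        eid, ssid, ts = rec["EventID"], rec["SSID"], rec["TimeCreated"]
        if eid == 8001:
            open_sessions[ssid] = ts
        elif eid == 8003 and ssid in open_sessions:
            start = open_sessions.pop(ssid)
            sessions.append({"ssid": ssid, "connected": start, "disconnected": ts,
                             "seconds": _seconds_between(start, ts)})
    for ssid, start in open_sessions.items():
        sessions.append({"ssid": ssid, "connected": start,
                         "disconnected": None, "seconds": None})
    return sessions


def failed_connections(records: list) -> list:
    """(time, SSID) for every 8002: networks the user tried but could not join."""
    return [(r["TimeCreated"], r["SSID"]) for r in records if r["EventID"] == 8002]


def ssids_seen(records: list) -> list:
    """Every SSID the host attempted to associate with, successful or not."""
    return sorted({r["SSID"] for r in records})


def describe(records: list) -> list:
    """Human-readable timeline lines for quick review."""
    return [f'{r["TimeCreated"]}  {r["SSID"]:<12} {WLAN_EVENTS.get(r["EventID"], r["EventID"])}'
            for r in sorted(records, key=lambda r: r["TimeCreated"])]


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_RECORDS)))
    for s in build_wifi_sessions(SAMPLE_RECORDS):
        print(s)
    print("failed:", failed_connections(SAMPLE_RECORDS))
```

Pairing on SSID rather than on raw event order matters because a failed attempt (8002) sits between two 11000 association starts for the same network; without the pairing the second association would look like a fresh session with no start.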
Records websites visited by date and time. Details are stored for each local user account. Records the number of times each site was visited (frequency) and also tracks access to local system files opened through the browser. Includes the history of search terms entered into search engines.
WIN: XP+ SRV: Not Tested
Records roughly 30 to 60 days of historical system resource usage: applications run, the user account responsible for each, and network bytes sent/received per application per hour.
WIN: 8+ SRV: Not Tested
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
Windows Network Data Usage Monitor
{973F5D5C-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
Windows Network Connectivity Usage Monitor
{DD6636C4-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
The Browser cache is where web page components can be stored locally to speed up subsequent visits. It can be used to glean further information on what a user was actively looking at online. Providing the following information:
Websites visited
Files viewed on a website visited (cached files are linked to specific local accounts)
Timestamps indicate when site was first saved and last accessed.
WIN: XP+ SRV: Not Tested
Local Shared Objects (LSOs), or Flash cookies, became ubiquitous on most systems due to the extremely high penetration of Flash applications across the internet. They tend to be much more persistent because they do not expire, and there is no built-in mechanism within the browser to remove them. Many sites used LSOs for their tracking mechanisms because they rarely got cleared like traditional cookies. Adobe ended support for Flash Player at the end of 2020, so on current systems this artifact is mainly of historical value, but it persists on older images.
Provides the following information:
Websites visited
User account used to visit the site
When cookie was created and last accessed
WIN: 7+ SRV: Not Tested
Automatic crash recovery (session restore) features built into the browser.
WIN: 7+ SRV: Not Tested
Historical websites viewed in each tab
Referring websites
Time session ended (modified time of the .dat files in the LastActive folder)
Time each tab opened, only when a crash occurred (creation time of the .dat files in the Active folder)