Extracting Browser History artifacts using Memory Forensics: Volatility

Tools used in this demo.

      • Firefox
      • Volatility
      • Notepad++
      • CMD
      • PowerShell
      • strings (Sysinternals)

Browser artifacts can contain valuable information that helps the analyst correlate evidence and build a timeline of the incident during an investigation; they can also reveal details such as visited URLs and downloaded attachments.

In this demo, we will cover different ways to extract browser artifacts using the memory forensics tool Volatility.

For this demo, we use the Firefox browser to visit “https://eyehatemalwares.com” as the sample URL.

Next, we run the Volatility pstree plugin to identify the parent/child relationships between processes.

Command: volatility.exe -f browserhistory.mem --profile=Win7SP1x64 pstree

In this case, we identify firefox.exe:532 as the parent process of all the other firefox.exe processes.

Now we can use the Volatility yarascan plugin to search for all URL instances inside the browser process.

In this case, we use this regex pattern: “/(https?:\/\/)?([\w\.-]+)([\/\w \.-]*)/”

Command: volatility.exe -f browserhistory.vmem --profile=Win7SP1x64 yarascan -Y "/(https?:\/\/)?([\w\.-]+)([\/\w \.-]*)/" -p 532 > firefox_yaraURLscan.txt

Now, let us check “firefox_yaraURLscan.txt”.

In this case, we use Notepad++ as the text editor to view the result.

By performing a few searches, we can see our target URL “https://eyehatemalwares.com”.

Now, let’s jump to the next section.

The next option is to use the Volatility memdump plugin. To do this, we first need to identify our target browser’s process ID.

Again, we run the Volatility pstree plugin to identify the parent/child relationships between processes.

Command: volatility.exe -f browsinghistory.mem --profile=Win7SP1x64 pstree

In this case, we see firefox.exe:532 as the parent process of all the other firefox.exe processes.

Next, we run the Volatility memdump plugin to dump the memory of the Firefox process.

Command: volatility.exe -f browsinghistory.mem --profile=Win7SP1x64 memdump -p 532 -D .

In this case, we have successfully dumped firefox.exe:532 to the current working directory.

Now, let us extract all strings from this exported process memory.

To do this, we can use strings.exe from the Sysinternals suite.

Command: strings.exe -a 532.dmp > demo_urlextract.txt

In this case, using Notepad++ we can see all the strings extracted from our firefox.exe process.

In the next section, we will filter this output.

In this section, we will do the filtering using the PowerShell Select-String cmdlet.

To do this, open powershell.exe.

Next, run the following Select-String command.

PowerShell: Select-String -Path .\demo_urlextract.txt -Pattern 'https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)' | findstr -i eyehatemalwares

Regex Pattern Used: “https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)”

In this case, we see our target URL “https://eyehatemalwares.com”.
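The strings-then-filter step above, as an added Python example that is not part of the original post: it scans a raw process dump for printable runs (ASCII and UTF-16LE, since Windows applications commonly keep in-memory text as UTF-16LE, which an ASCII-only strings pass or an ASCII-only regex would miss), applies the page's URL regex to each run, and filters the hits by keyword like the findstr -i call. The sample dump bytes and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

# URL pattern from the walkthrough, compiled for decoded text.
URL_RE = re.compile(
    r"https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b"
    r"([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
)
# Printable runs of 4+ characters, the way a strings tool finds them:
# plain ASCII, and UTF-16LE where every ASCII byte is followed by a NUL.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_urls(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (byte offset, encoding, url) for every URL in a memory blob."""
    found = []
    for enc, run_re, width in (("ascii", ASCII_RUN, 1), ("utf-16le", UTF16_RUN, 2)):
        for run in run_re.finditer(data):
            text = run.group().decode(enc)
            for m in URL_RE.finditer(text):
                # Map the match position in the decoded text back to a byte offset.
                found.append((run.start() + m.start() * width, enc, m.group()))
    return sorted(found)


def filter_urls(urls: List[Tuple[int, str, str]], keyword: str) -> List[Tuple[int, str, str]]:
    """Keep only hits whose URL contains keyword, case-insensitively (findstr -i)."""
    k = keyword.lower()
    return [u for u in urls if k in u[2].lower()]


# Constructed sample "process dump": the target URL stored once as ASCII and
# once as UTF-16LE, an unrelated UTF-16LE URL, and some non-printable padding.
SAMPLE_DUMP = (
    b"\x00\x01MOZ\x00"
    + b"https://eyehatemalwares.com/" + b"\x00\x00"
    + "https://example.org/index.html".encode("utf-16le") + b"\x00\x00"
    + "https://eyehatemalwares.com/about".encode("utf-16le") + b"\xff\xfe"
)

if __name__ == "__main__":
    for off, enc, url in filter_urls(extract_urls(SAMPLE_DUMP), "eyehatemalwares"):
        print(f"0x{off:08x} {enc:8} {url}")
```

On a real 532.dmp, read the file with open(path, "rb").read() and pass the bytes to extract_urls; the offsets it reports are positions inside the dump file, not virtual addresses.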