In the past it has been possible to recover artefacts for various online services such as Facebook and Gmail from the browser cache on disk. This was most likely due to different browser behaviour, incorrect use of HTTP headers in responses and a lack of consideration over data privacy. It should be noted that Chrome, Firefox and Internet Explorer all use an opt-out policy where HTTPS content will be cached to disk unless the appropriate HTTP headers, such as Cache-Control: no-store, are returned. Firefox was the last to implement this policy in 2011. A great article on this topic can be found at https://securityevaluators.com/knowledge/case_studies/caching/.

I recently carried out some tests to explore whether any of the major services were still caching information to disk which might prove useful to an investigator. As expected the amount of information being cached to disk was limited with most services. However, I did identify some interesting artefacts created while accessing the new Skype web client (https://web.skype.com) which is also integrated into Outlook.com (and possibly other Microsoft services). I was able to find the details of all of my contacts cached to disk. These contact details included some useful information such as names, telephone numbers, locations, usernames and avatar URLs. I carried out these tests using Chrome v47, Firefox v43 and IE 11 on Windows 8.1 and found the contact data was cached by both Firefox and IE, highlighting clear differences between how browsers handle HTTP cache headers.

The contact details are generated from a request to the following URL, where ‘username’ represents the Skype user currently logged in:

https://contacts.skype.com/contacts/v1/users/username/contacts...

The screenshot below shows how this cached request appears within Browser History Examiner (BHE).



As with most AJAX requests the contact details are returned in JSON format. An example of a contact is shown below:

{"authorized":true,"avatar_url":"https://api.skype.com/users/bloggs123/profile/avatar?auth_key=1663526397","blocked":false,"display_name":"Joe Bloggs","id":"test456","name": {"first":"Joe","surname":"Bloggs","nickname":"jbloggs"},"phones":[{"number":"+449876543210","type":2}],"type":"skype"}

To make it easier to analyse such artefacts we have recently added a JSON viewer to BHE. This can be accessed by right-clicking on the record and selecting ‘Inspect JSON’.



The JSON data can be viewed in a typical tree structure but more importantly the viewer will also group common objects within JSON and display them within a table. An example of this can be seen below where all of the ‘contact’ objects are automatically displayed together in a tabular format.



This allows us to analyse the structure of JSON data much more quickly. For example, we can instantly view all phone numbers:



The JSON viewer is designed to work with any unknown JSON structure, so it can be used with any other JSON artefact found in the browser cache. It is also possible to load external JSON files into the viewer.
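The same kind of grouping can be reproduced in a script when working on an exported cache entry. The following is an added example, not BHE's own code: it walks any JSON structure, groups objects that sit at the same path and flattens each group into a table. The `contacts` envelope, the second contact and all function names are assumptions, since only a single contact object is shown above.

```python
import json
from collections import defaultdict

# Constructed sample: the contact shown above plus a made-up second contact,
# wrapped in an assumed {"contacts": [...]} envelope.
SAMPLE = """{"contacts": [
{"authorized":true,"avatar_url":"https://api.skype.com/users/bloggs123/profile/avatar?auth_key=1663526397","blocked":false,"display_name":"Joe Bloggs","id":"test456","name":{"first":"Joe","surname":"Bloggs","nickname":"jbloggs"},"phones":[{"number":"+449876543210","type":2}],"type":"skype"},
{"authorized":true,"blocked":false,"display_name":"Jane Doe","id":"example789","name":{"first":"Jane","surname":"Doe"},"phones":[{"number":"+440000000001","type":1},{"number":"+440000000002","type":2}],"type":"skype"}
]}"""


def load_cached_json(raw):
    """Parse an exported cache body; return None if it is not valid JSON
    (for example a truncated entry or one that is still compressed)."""
    try:
        return json.loads(raw)
    except (ValueError, TypeError):
        return None


def group_objects(node, path="$", groups=None):
    """Collect every JSON object by its path, with list indices collapsed
    to [] so that all elements of one array land in the same group."""
    if groups is None:
        groups = defaultdict(list)
    if isinstance(node, dict):
        groups[path].append(node)
        for key, value in node.items():
            group_objects(value, f"{path}.{key}", groups)
    elif isinstance(node, list):
        for item in node:
            group_objects(item, path + "[]", groups)
    return groups


def to_table(rows):
    """Flatten one group into (columns, rows) using scalar fields only.
    Columns are the union of keys, so a missing field becomes None."""
    columns = []
    for row in rows:
        for key, value in row.items():
            if not isinstance(value, (dict, list)) and key not in columns:
                columns.append(key)
    return columns, [[row.get(c) for c in columns] for row in rows]


if __name__ == "__main__":
    for path, rows in group_objects(load_cached_json(SAMPLE)).items():
        if len(rows) > 1:  # only repeated objects are worth tabulating
            columns, table = to_table(rows)
            print(path, columns, *table, sep="\n  ")
```

Grouping by path rather than by exact key set keeps contacts in one table even when a field such as `avatar_url` is absent from some of them.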

In a future release of BHE we will also be adding the ability to perform keyword searches across all cached JSON content. It is already possible to search the text content of cached HTML files.

We will continue to test and report on any other useful browser artefacts we find that are cached to disk. In the meantime we would love to hear your thoughts on our new JSON viewer and any improvements you would like to see.