COURSE IS SELF-PACED, AVAILABLE ON DEMAND

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points.

The course starts on the 15th of December.


The course aims to teach investigators the inner workings of the most used and well-known browsers from a digital forensics perspective. Nowadays, everything is done using the web. Most applications are web-based, which makes browser forensics important to any digital forensic case. The interesting thing about browser forensics is the amount of information that you can extract and draw on for a case.

Why THIS course? 

Web browser data can be critical to a digital investigation since browsers serve as a user’s window and access point to the web. They can reveal a significant amount of information about a user’s internet activities. Although this course focuses on Windows browser artifacts, an understanding of Windows browser forensics will simplify understanding browser forensics on any OS, as you will find everything the same except the file architecture.

Why NOW? 

I think you will never find a clear case of browsing activity that may reveal a lot of information. Therefore, you need to learn browser forensics now rather than tomorrow.

Browsers update frequently, so students who have not kept up with the changes will struggle when facing a case with a more recent browser version than they know. The good news is that the concepts remain the same, which is why now is better than tomorrow.

Who is this course for?

  • Information Security Practitioners
  • Incident Responders
  • Digital Forensic analysts

Course benefits:

What skills will you gain?

  • Analyzing web browsing activity.
  • Parsing SQLite and ESE databases, with knowledge of some SQLite queries for extracting important artifacts.
  • Using browser forensics tools to extract web browser artifacts.

What will you learn about? 

  • Understand how browsers work from a digital forensics perspective.
  • The different artifacts that browsers produce and their importance, such as:
    • Browser Cookies
    • Browser History
    • Browser Cache files

What tools will you use?

  • Nirsoft
    • ESEDatabaseView
    • BrowsingHistoryView
    • WebBrowserPassView
    • FavoritesView
    • MZHistoryView
    • MZCacheView
    • MozillaCookiesView
    • ChromeCacheView
  • Velociraptor
  • Hindsight Chrome Forensics
  • CMD tools
    • dejsonlz4.exe
    • strings.exe
    • ParseRS.py
    • Windows esentutl
  • Foxton Forensics Tools
    • Browser History View
    • SQLite Examiner
  • SQLiteBrowser
  • GA Cookie Cruncher by Mari DeGrazia
  • StructuredStorageViewer
  • Registry Explorer by Eric Zimmerman

COURSE PREREQUISITES

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

What should you know before you join?

  • Basic understanding of HTTP protocol
  • Understanding of basic Windows internals such as Registry, File System
  • Cybersecurity Fundamentals

What will you need?

Windows 10 Operating System

Your instructor: Mahmoud Soheem

Dissecting is my passion. Learning the inner workings of Operating Systems is what makes me happy. I like learning new technologies, new programming languages, learning anything related to computers. This endless field of knowledge, where you find new technology emerging every day, helps me to satisfy my curiosity to learn new things. Currently I want to empower my knowledge with hands-on experience in the field of Digital Forensics and Incident Response.

 


COURSE SYLLABUS


Module 0: Introduction to browsers

  • Basic browser concepts. 
  • Well known rendering engines.
  • Statistics for most used browsers (Browser Market Share Worldwide).

Module 1: Google Chrome

Google Chrome is the most used browser in the market. Understanding Chrome artifacts will give the student the practical knowledge required to work on any case, as the probability of Chrome being in use is high. Understanding Chrome will also pave the way for the analyst to understand and work with other browsers such as Edge and other Chrome-based browsers.

Main artifacts that need to be collected and analyzed from Chrome browser:

  • History analysis
  • Cache analysis
  • Cookies analysis
  • Some other artifacts

For this module, the student will be given a triage image containing evidence of browser activity from an ex-employee of a company who exfiltrated important documents. The student will need to check the browser artifacts covered in the module and know where to search. The exercise will be a set of multiple-choice questions.

Module Workload Suggested Module Time: 4 hours


Module 2: Mozilla Firefox

Firefox is one of the well-known browsers in the market, so we will work on understanding the browser artifacts that are important for profiling user browsing activity.

  • Firefox History analysis
  • Firefox Cache analysis
  • Firefox Cookies analysis
  • Other Firefox artifacts

For this module, the student will be given a triage image containing evidence of browser activity from an ex-employee of a company who exfiltrated important documents. The student will need to check the browser artifacts covered in the module and know where to search. The exercise will be a set of multiple-choice questions.

Module Workload Suggested Module Time: 3 hours


Module 3: Microsoft IE & Edge

Internet Explorer is one of the most used browsers in enterprise environments because of its tight coupling with the Windows operating system, and many systems still use it. We will also explore Edge, the new default browser for Microsoft Windows. Microsoft Edge recently went through a huge update from EdgeHTML, which utilized IE databases, to a Chromium-based browser, which led to its popularity in the market. IE has been retired, but you still need to explore its artifacts: the IE database is used by other applications in Windows, so it may provide you with important evidence.

  • IE & Edge History analysis
  • IE & Edge Cache analysis
  • IE & Edge Cookies analysis
  • Other IE & Edge artifacts

For this module, the student will be given a triage image containing evidence of browser activity from an ex-employee of a company who exfiltrated important documents. The student will need to check the browser artifacts covered in the module and know where to search. The exercise will be a set of multiple-choice questions.

Module Workload Suggested Module Time: 3 hours


Module 4: Live Response Tools for Browser Forensics

Using the Velociraptor IR tool with other browser forensics tools for large-scale incident response and analysis activities.

We will cover new techniques for browser forensics at scale for incident response, where you will be doing analysis during the collection and acquisition phase for rapid response in a large enterprise environment.

The student will be asked to collect evidence of browser activity remotely using Velociraptor and Nirsoft tools from multiple devices, simulating the work of a security practitioner at an enterprise.

Module Workload Suggested Module Time: 1 hour


Final exam:

The final exam will test the technical and theoretical details regarding browser artifacts.

 


Contact:

If you have any questions, please contact us at [email protected].

 


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023