”How can we do browser forensics better?” This is a question CCL’s R&D team have been pondering lately and in this blog, we start to look at one possible answer.
CCL is pleased to introduce a new, free, open-source tool for digital forensics practitioners and researchers: ‘Mister Skinnylegs’ – a tool and open plugin framework for parsing website/web app artefacts in browser data. It is available right now on our GitHub page.
For some time, CCL’s Research and Development team has advocated for an approach to browser forensics which better takes into account the complexity of modern websites/web apps. This could be done by bringing together the wide range of data sources stored by the browser related to a single website, and processing them in a manner specific to that site or service, in much the same way that an app on a smart phone is treated in a way that is tailored to that app.
‘Mister Skinnylegs’ has been built to streamline the ability to treat browser artefacts in this way. For developers and researchers this means a simplified interface to the data that lets you focus only on the meaning of the data and not how you go about getting at it. For users this means an expanding range of plugins that can grab useful artefacts relating to website usage from the browser’s data.
In this initial release we have included plugins for recovering potential evidence related to Google searches, Google Drive, Dropbox, Discord and Microsoft SharePoint/365. Full details can be found on the GitHub repository. Currently the tool is designed to be used with Chrome and Chromium-based browsers (no Safari or Firefox yet, but support is planned for future releases).
Principal Analyst Alex Caithness says: “As web browsers are one of the primary ways that users interact with their digital world, websites and web applications have reached the richness of features and levels of complexity and interactivity that we once associated with standalone desktop and mobile applications. With this come huge opportunities to recover information about a user’s activities in the context of an investigation. With Mister Skinnylegs we hope to make getting at these important insights easier and collaborate within the DFIR community to expand the scope of what web browser forensics can do.”
As this is an early version of the tool, we very much welcome feature requests, suggestions and bug reports via our GitHub page as well as code contributions from the community for plugins as pull requests.
If you’re looking for tooling to help you research data stored in the browser, you might be interested to check out another of our open-source tools which was instrumental in the development of the plugins in this release: https://github.com/cclgroupltd/chrome-profile-view.
As always, CCL remains committed to contributing to the DFIR open-source community – and to adding to the capabilities of digital forensic science.
Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.
Get in touch