Chracer: Memory analysis of Chromium-based browsers

Geunyeong Choi, Jewan Bang, Sangjin Lee, Jungheum Park

Research output: Contribution to journal › Article › peer-review

Abstract

The web browsing activities of a user provide useful evidence for digital forensic investigations. However, existing analysis techniques that aim to analyze local artifacts (e.g., history and cache) cannot find useful data (e.g., visited URLs) if a user accesses the web using private or secret mode. Hence, string-searching and pattern-matching techniques have been proposed and used to examine user activities from a memory dump. These simple techniques are useful for identifying individual URLs visited in both normal and private modes. However, since a piece of individually detected data does not have context on how it is created, additional analysis efforts are required to properly interpret the meaning of the data. This paper proposes Chracer, a practical methodology for extracting forensically meaningful information from the virtual memory of a Chromium-based browser by systematically discovering objects of web browsing-related classes. Moreover, a proof-of-concept tool developed based on the proposed methodology demonstrates that users’ web browsing-related artifacts can be extracted effectively from the virtual memory of any Chromium-based browser, such as Google Chrome, Microsoft Edge and Brave.

Original language: English
Article number: 301613
Journal: Forensic Science International: Digital Investigation
Volume: 46
Publication status: Published - 2023 Oct

Bibliographical note

Publisher Copyright:
© 2023 The Author(s)

Keywords

  • Counter anti-forensics
  • Digital forensics
  • Memory forensics
  • User activity
  • Volatile data
  • Web browser

ASJC Scopus subject areas

  • Pathology and Forensic Medicine
  • Information Systems
  • Computer Science Applications
  • Medical Laboratory Technology
  • Law
