
All right, please give a hand for Lorena and Reuben Jonathan. [Applause]

So we're gonna do a forensic analysis. Well, that's time. Let me start with: my name is Lorena Karthi and this is Vanassa, and we are students; we study data forensics nora, and our other part of the team is in the United States and she couldn't come today. So we're gonna go quite fast through all of these things, but the most important thing is actually to give you our aim of the research and a very quick disclaimer. So what we wanted to do is to be able to show if there are any forensic elements in the, in forensic focus browsers, and, I'm sorry, in
privacy-focused browsers on mobile devices. But we decided to actually do a quick, kind of a quick research to see if it was actually possible to go into an actual research paper, so this is preliminary research. I would like to start to explain why we did this, and it's because we are in the age of surveillance; everybody knows that. So we decided to look at first the States, it just is a line of the freedom, where 91 percent of adults believed will really have any power, any control over what companies have, like the private information have. So that's a very high number. But what about somewhere closer? So here in Europe we have in the UK 1.5
million CCTV cameras all around us, and at some point it has been said that there are at least 14 cameras per citizen, which is very scary. But then again, yeah, but this is not Norway. Oh well, Norway: the NSA helped Norway at some point; it was only two years ago, three years ago, that we have information about how they have set up antennas to spy on us. So it's kind of like, there's an entire research paper about that; it's really interesting, very scary as well. But as a consumer, I obviously don't want the government or law enforcement to have any information, any spies on my own phone. You know, I google a bunch of your
things, so I don't want them to be spying on me, and I'm pretty sure nobody wants that. But from the other side, as future forensic investigators, we want to be able to still get some information, especially if a crime has been committed, and now with mobile phones everything pretty much goes through it. So we found ourselves in this paradox where you don't want to find out information but you also do, so it was actually quite easy to be objective. And the three browsers that we decided to focus on are browsers that I'm pretty sure you guys have heard about. So we focus on DuckDuckGo, which is like, they really said, we give you the
essentials for privacy, which is like, you have to do the other part. Then we have Firefox Focus, which is constantly asking you to delete your browser history, constantly asking you if you have used it, you know it. And Brave is about that they have inbuilt browser security for trackers, so they really are like, we are all against trackers. So that's the point when we were like, is it really? From a forensic point of view, do we really get to find zero information about a user based on the browsers that they're using? So I'm gonna go into that in a minute, but our process for this research: we started with setting up emulators and physical devices, because Android can be
complicated for mobile forensics; you really need to be able to rule them file a phone. So we wanted to be able to have both versions of the emulator and a physical device. Then we had a list of websites that we visit, so we can have at least information across the three browsers, and then we acquired the data as if, let's say, a suspect is found with the phone in their hand and we can just extract it on site. Then we clean all the browsers and we acquire the data one more time, and that's it. Both data sets have been reviewed, and today we're presenting our findings. So we start with Brave. Oh
well, that moved. In Brave, once you acquire the data on site you still get all the information, which is very common to find. So we have the cache and we have a history database, and it is very okay to find it. The problem is that you do get it kind of plain text, so it's just a database and everything that you have searched, it's right there, and yeah, and even straight strings. And we also had a lot of leftover timestamps: after we cleaned, or like, we used the in-app cleaning option, we were able to find still-remaining cache files, which is a little complicated, because if you're cleaning your app and you're erasing
your information, it should really erase it. But at the end, at some point, we had a lot of information from places like eBay, and I believe it was also Yahoo, but we never really visited those sites, so it was quite complicated to figure out, and it was actually a success response code. So we would really like to be able to look into that; that's kind of like our next step. And with Brave, finally, we realized that when you download a file, they still stay in your data. So from the pure forensic point of view this is great, because we were able to go back to it
and see what you downloaded; in a way it can actually be taken as a hit during review.

Then we have Focus. Okay, so, oh, my logos have moved. For Focus, some websites stopped working because they really block all the trackers that you have, so to be able to make websites work, such as Wikipedia, you still need to remove the block from the trackers. So that's okay, it's fine. But once you go in to check the evidence, because this is before using the clean button, you get it in an XML file. So it's like, okay, that's fine, you haven't cleaned the app yet. And once again we have databases and cookies all around; it's like all the
pages that you have visited. Once we clear the history, then a very interesting database just appeared out of nowhere; it wasn't in the first one but it appeared on the second one. So we couldn't, we didn't run these searches, like, to be able to use autofill options, but if there's a database then there's going to be data at some point, which is, I mean, Focus was supposed to be the best of the three. Then, oh, I went too fast. Oh yeah, and we also got that file that just appeared with the word password. I mean, at some point I did use the word password as a password, but it wasn't supposed to, it was supposed to appear in the first
part of it, before cleaning it, not right after. So then again, however, I can actually tell you that Focus does clean your data; we weren't able to get any history or cache or cookies. But it does remember there were places where you said, oh, I don't mind about the trackers on this page, which once again can be used as history; it can be evidence of you visiting a site.

Okay, yeah. Building upon the experiences we gathered from the tests we did on the two first browsers, we continued on with the DuckDuckGo browser, and the idea was to find artifacts that we could later identify if found present on the device. So we started with
app.db; that's where all of the visited websites were stored. We found the cookies as well, with all the timestamps and corresponding data, and then we thought it was a good idea to include thumbnails, because later on you will see that we were able to extract those as well, even after clearing the history using the fire button, or fire function, built into the browser. So yeah, after using the inbuilt function, all of these same websites are found in the database, so it's not getting cleaned in any way, and that's, yeah, quite interesting; we didn't expect it beforehand. So continuing on, we tried to look at the application database and
see where the cookies might have gone. And then, okay, the cookies from the cookies file itself were cleared: by doing a hex comparison of the before and after the cleaning of the file, which you see there, we found no remnants of the same artifacts of the websites that we found before. However, after digging a little bit more, the cookies journal file still contained remnants of the same websites that we had been visiting, which indicates that yes, the hex file itself does clear, or gets cleared, but the journal file, which is easily obtainable, still has the remnants available. And then even the website thumbnails were found to be present even after the clean.
So all in all, I'm quite disappointed in the DuckDuckGo browser in terms of actually cleaning the browsing history of the device, because our findings here indicate that they're not doing a very good job, apparently.

So we have some recommendations here at the end. I'm not sure if we're running over time here, but, oh good. Yeah, so we basically ended up thinking end users should not blindly trust the products' advertisements. So in the case of these three browsers, which lean heavily towards being privacy-centered and stuff, yeah, they might not be too good at those aspects. Trackers can never be blocked, or you can't block all trackers, so you have to be aware of them.
Encrypting your phone and keeping everything updated and stuff, it's kind of given. And then, yeah, at the end here, if you have any questions regarding the process or the findings or anything, we do intend to keep on growing stuff out with this, so feel free to ask us questions later or

Very simple question: which Android version is that?

Which Android version is that? For the physical device we used a six point four, and for the emulators we used seven point one. It's because we wanted to make it as realistic as possible, because if we use Android - nobody is using Android - and Android eight wasn't available on our physical device, so we can stay on
what's commonly used right now.

Thank you. Thank you very much for the talk. I was wondering what kind of review your research has to go through before someone could use this as evidence, let's say, in a court of law?

Definitely nothing. The problem is that one of the physical devices, we have to root it, and the emulators cannot be really proven because they are also automatically rooted, so it wouldn't, unless we want to go and actually work on a research paper for this. So for that we are actually gonna be able to base it on forensic standards and make it actually forensically sound.

So you're expecting in the future someone could extract the files that you were showing
and use it?

Yeah, absolutely. The thing is, we also wanted to do it more open source because we are students, so we wanted to be able to focus on that point, but if you use Cellebrite you can actually extract all that data.

I think we got another question over here. I'm gonna go to this guy.

So have you reported your findings to the actual developers of these browsers, and if yes, did you get any feedback from them?

As of right now we haven't, no. We just finished our tests a couple of days ago and we tried to figure out how to present it in the best possible way, so if these are mistakes that
developers may have made, then of course we should try to notify them in the best possible way.

So a quick question: you said, like, sometimes they delete the database files, but did you recover things from sort of unallocated? If you search for the websites that you visited, did you find them in free space?

Yeah, or we had some strange cases when we did the testing where in one instance the database, or app.db itself, didn't contain much data at all, but the temporary database file, the db-wal I believe it's called, still contained the same data that you found in the main application database, and that was
readily available; it's not easy nor, and not hard to find at all.

All right, one more before lunch. Last question.

So bottom line, how big is the difference for an end user using those privacy browsers or using any Android browser? Is there any big difference, or is it just in the marketing?

It's hard to say without testing all the different browsers that are available, but I mean, if you're aware of the limitations of these browsers then of course you can use them and still be fairly safe, I guess. But you have to make sure that everything's, yeah, being cleared correctly; maybe not just rely on the inbuilt function of the applications themselves, maybe go a step
further, but yeah, without checking the different browsers that are out there we can't say for sure.

Yeah, really great job, guys. It's good to know that people are actually doing something in school these days, unlike when I was there. Yeah, fantastic having you guys here today. Thank you so much.