A Study of Web Usage Forensics

Michael James
School of Computer and Security Science
Edith Cowan University, Western Australia

Abstract

The internet has been in existence in one form or another since 1969. With the introduction of TCP/IP in 1970, the internet matured. Internet browsers first became available in 1993 with the release of Mosaic, quickly followed by the Netscape browser, before Microsoft released Internet Explorer (Howe, 2016). When a person uses a browser to “surf” the internet, they leave a history of their searches, the pages visited and the items downloaded. These are contained within the computer’s registry, history and cookies, all of which are rich sources of evidence. Further, the host server records client interaction in its log files. Web forensics has matured with the ever expanding array of browsers and platforms that now exist. This paper seeks to detail the various types of web usage forensics in use today. Browser forensics has many applications, from law enforcement investigation of crimes such as child exploitation or the sale of illicit substances, to intrusion detection analysis, to commercial applications such as retailers monitoring the habits of online shoppers for activities, trends and popularity.

Keywords Browser, digital forensics, retail forensics, Internet of Things, BitTorrent

Introduction

Accessing the internet is conducted through a web application, typically a browser. This software comes in many different forms, for use on all operating system (OS) platforms. The web browser is capable of much more than displaying pages. Browsers hold artefacts that show where on the internet a user has been, and they also allow retailers to collect information relating to which products interest their customers. Other aspects of the web service allow for the collection of statistics from those that access a particular site, e.g. IP address, referrer and user dwell time (Sen, Dacin, & Pattichis, 2006). Today, the forensic analyst can be presented with a multitude of browsers; Sitepoint browser trends for March 2016 showed seven common browsers in use worldwide (Buckler, 2016). These are:

- Microsoft Internet Explorer (all versions)
- Microsoft Edge
- Google Chrome
- Mozilla Firefox
- Apple Safari
- iPad Safari (Apple)
- Opera

The Sitepoint browser trends article detailed which browser was used by what percentage of web users; with a user percentage of 55.47%, Google Chrome was listed as the most widely used browser. All computer based activity leaves some form of trace or artefact, and accessing the internet is no exception. Advancements in mobile communication hardware have led to an expanded array of devices that are used for browser activity, e.g. tablets, smartphones and phablets. These items are not only mobile, but able to take photos and videos that could contain geo-tagged data in their metadata, which may allow a forensic analyst to track the device user. The internet is used by many people for many different reasons. The average user may want to read the news, catch up on social media or access online gaming. And there are criminals who want to separate that unsuspecting user from their money. As at 18 September 2016 the total number of internet users exceeded 3.459 billion, browsing through over 1 billion active websites (Internet_Live_Stats, 2016). Among these there will be numerous criminals, hackers, hacktivists and people or entities with nefarious intent; they are out there!

Law Enforcement Applications

Simply put, cybercrime is any criminal act committed through the use of any form of computer technology, e.g. online fraud, identity theft etc., or a criminal act directed at computers or devices, e.g. hacking (ACORN, 2016). The Computer Society of India listed three types of cyber criminals (Vijith & Pramod, 2016):

- those that are out for some type of recognition, e.g. terrorists;
- those that do it for the intellectual excursion (without the recognition), e.g. psychological perverts; and
- those that are out for revenge / the trusted insider, e.g. an ex-employee.

Law enforcement first used internet forensics to investigate communication within early message boards and chat rooms (Goodison, Davis, & Jackson, 2015). The first investigation that spanned multiple jurisdictions was in 1996, when United States and British law enforcement agencies began an investigation into the members of the ‘Orchid Club’, an international child pornography ring that utilised the internet to transfer their images. British police conducted an operation that resulted in the seizure of a computer which, when forensically examined, revealed the existence of the ‘Wonderland Club’ (Graham, 2000). Investigations into this club spanned 13 countries and resulted in the largest international police operation at the time, to find and arrest the members.

Although 20 years have passed since the Wonderland Club investigation, and law enforcement has learnt a lot through the years thanks to the advancement of technology, analysts still miss important and key pieces of evidence. For example, the case of Casey Anthony in the United States of America. In 2011 Anthony was tried for the death of her daughter, and it was noted years later that digital forensic analysts had missed key browser artefacts. The analysts searched through Anthony’s computer and found 84 internet searches on “chloroform”, but made the mistake of relying on tools that were designed to work only with Microsoft Internet Explorer. As Anthony’s preferred browser was Mozilla Firefox, the analysts missed approximately 98% of the suspect’s browsing history, which included a search for “foolproof suffocation” (Goodison et al., 2015).

With instances of child pornography becoming more prevalent, investigators are required to spend more and more time looking at the child exploitation material that is collected, which can have a psychological effect on the investigators who need to look at and assess each image (Follette, Polusny, & Milbeck, 1994). For this reason, the National Institute of Standards and Technology (NIST) began collecting the references and hash sets for files that relate to child exploitation (NIST, 2013). The hashes stored in a NIST list can be imported into a commercial forensic application, e.g. NUIX or EnCase, and used to locate all files whose hash matches one stored in the NIST list, thus saving the investigator from having to view the actual files.

Other types of cybercrime include hacking and attacks on computer systems, cyberbullying, identity theft, email spam and phishing, and online scams (ACORN, 2016). Each requires different investigation methods, as the artefacts that are gathered can differ.

Internet Browsing Privacy - law enforcement issues/concerns

Most mainstream web browsers have a “private mode” designed to hide browsing activity. Although the browsing is supposed to be “private”, it is possible to retrieve browsing history artefacts from a private session. In these instances, the forensic analyst must capture an active memory dump, as proven by Ghafarian and Seno in 2015. Their research looked at the forensic artefacts available within a physical memory dump while four mainstream browsers were in “open” mode and in “private” mode. The four browsers used were Firefox, Internet Explorer, Chrome and Safari. Their results showed that it was possible to retrieve almost all forensic artefacts from memory both before and after the private mode browser was closed (Ghafarian & Seno, 2015). The only data that was not retrievable from within private sessions was the browser process across all platforms, with only Firefox and Chrome providing protection for email passwords. All other data within both the private and open sessions was retrieved, including browser history, email ID, videos and search history (Ghafarian & Seno, 2015).

While in a private browsing session in Internet Explorer 11, .dat files are added to a Recovery folder, and a LowContent.IE5 folder is used to cache files in case there is a system failure. Log files are not cleaned up after each session until a new session is instigated, which overwrites the older log files. On the other hand, Firefox uses a tiny amount of the hard disk drive whilst in private browsing mode. Hard disk drive activity in Google Chrome was interaction with various plug-in applications that made changes to files which could, under intensive analysis, be extracted and analysed (Bradley, 2016). It is possible to configure a portable private browser application onto a USB thumb drive, e.g. TOR Tails. These revealed no artefacts left by a browser session for most browsers, as all files are cleaned from the USB thumb drive used to instigate a session, except for Internet Explorer, where cached artefacts can still be located (Bradley, 2016). A much better option is to create a bootable USB drive that contains an OS and a secure browser, e.g. TOR Tails. In this way, all browser activity is stored in volatile memory, which is wiped when the computer is restarted (Tails, 2016).

The Onion Router (TOR)

The deep web has been promoted as a place where a user can find anything. The Onion Router Project (TOR) advertises its ability to protect a user’s online anonymity and privacy (TOR, 2016). Akhil and George conducted forensic analysis of TOR browser usage and found that while the registry and state file contained details of the activation of the TOR browser, there were no other forensic artefacts located. However, using a hex editor to analyse a memory dump revealed details of the websites visited, the Gmail sign-in username, Gmail mail messages and images that had been opened (Akhil & George, 2015). Built on the Firefox platform, the TOR system operates by routing all browser requests through a relay of hidden servers. TOR’s anti-surveillance abilities are inbuilt and anonymise a user’s internet presence. Some of the features that make TOR so secure are the blocking of all plug-ins by default and forcing all internet activity to use HTTPS connections. A further aspect is the set of instructions provided to all TOR users, to ensure not only that browsing history is kept private, but also that user locations are not discoverable (TOR, 2016). Another method for securing the user’s browsing history is to use the Tails operating system. The OS is installed onto two USB thumb drives, which are then used to boot the user's system for secure browsing. Two thumb drives are used because the first installation is completed through the user’s own OS, which leaves traces that can compromise the session. Creating a second bootable USB with the TOR OS will ensure online anonymity (Tails, 2016). The OS contains a number of privacy related tools such as TOR, and will even detect if it has been installed onto a virtual environment (Buchanan, 2016).
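The Casey Anthony case described earlier turned on tooling that understood only Internet Explorer's history store. The Python below is an added example (not part of this paper, and not code from any tool it mentions) of reading two other browsers' history stores directly: Firefox's places.sqlite (table moz_places, with last_visit_date in microseconds since the Unix epoch) and Chrome's History file (table urls, with last_visit_time in microseconds since 1601-01-01 UTC). It normalises the two timestamp epochs, merges both into one timeline and searches it by keyword. The sample databases, URLs, titles and visit times are constructed here for illustration; against a real profile the analyst works from a copy of the files (they are typically held open by the running browser), copying any accompanying -wal or -journal files with them.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chrome's timestamp origin
UNIX_TO_WEBKIT = 11644473600                              # seconds between the two epochs


def firefox_time(microseconds):
    """moz_places.last_visit_date counts microseconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(microseconds=microseconds)


def chrome_time(microseconds):
    """urls.last_visit_time counts microseconds since 1601-01-01 UTC (FILETIME epoch)."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def read_firefox_history(path):
    """Records of (browser, url, title, visit_count, visited_at) from places.sqlite."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute(
            "SELECT url, title, visit_count, last_visit_date FROM moz_places "
            "WHERE last_visit_date IS NOT NULL").fetchall()
    finally:
        con.close()
    return [("firefox", url, title, n, firefox_time(ts)) for url, title, n, ts in rows]


def read_chrome_history(path):
    """Same record shape from Chrome's History database."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls").fetchall()
    finally:
        con.close()
    return [("chrome", url, title, n, chrome_time(ts)) for url, title, n, ts in rows]


def merge_timeline(*record_lists):
    """One timeline across browsers, ordered by the normalised visit time."""
    return sorted((r for lst in record_lists for r in lst), key=lambda r: r[4])


def search_timeline(records, keyword):
    """Case-insensitive keyword match on URL or page title."""
    kw = keyword.lower()
    return [r for r in records if kw in r[1].lower() or kw in (r[2] or "").lower()]


# Constructed sample data: two visits per browser from 2016-09-08 10:00 UTC onwards.
T0 = 1473328800   # 2016-09-08T10:00:00Z as Unix seconds


def build_sample_databases(directory):
    """Create minimal databases using the real table and column names of each browser."""
    firefox_db = os.path.join(directory, "places.sqlite")
    chrome_db = os.path.join(directory, "History")

    con = sqlite3.connect(firefox_db)
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_date INTEGER)")
    con.executemany(
        "INSERT INTO moz_places (url, title, visit_count, last_visit_date) VALUES (?, ?, ?, ?)",
        [("https://www.example.org/search?q=web+forensics", "web forensics - search", 2,
          T0 * 10**6),
         ("https://www.example.org/article/memory-dumps", "Analysing memory dumps", 1,
          (T0 + 3600) * 10**6)])
    con.commit()
    con.close()

    con = sqlite3.connect(chrome_db)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [("https://www.example.net/search?q=private+browsing", "private browsing - search", 1,
          (T0 + 1800 + UNIX_TO_WEBKIT) * 10**6),
         ("https://www.example.net/forensics/tools", "Forensics tools", 4,
          (T0 + 7200 + UNIX_TO_WEBKIT) * 10**6)])
    con.commit()
    con.close()
    return firefox_db, chrome_db


def demo():
    """Build the constructed databases, parse both, and return the merged timeline."""
    with tempfile.TemporaryDirectory() as workdir:
        firefox_db, chrome_db = build_sample_databases(workdir)
        return merge_timeline(read_firefox_history(firefox_db),
                              read_chrome_history(chrome_db))


if __name__ == "__main__":
    for browser, url, title, count, when in demo():
        print(when.isoformat(), browser, count, url)
```

The point of the merged timeline is that a keyword search run over it covers every browser present on the machine; a tool that only knew the Chrome epoch would silently misdate Firefox visits by 369 years, and one that only opened one database would miss the other browser's history entirely.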
The TOR and Tails examples above highlight the need for the forensic analyst to secure an active computer/laptop before any attempt is made to power the system down.

Cloud

Cloud computing is a relatively new frontier covering how users store, access and interact with large volumes of data (Pallis, 2010). Cloud forensics is a subset of both digital and network forensics: digital forensics because of the capture, verification and chain of custody required for any digital evidence that is seized for analysis, and network forensics because of the very nature of the Cloud, in that an internet or network interface is required to access the environment (Cruz, 2012). Popular free cloud services include Dropbox, Google Drive and Microsoft OneDrive. Due to separations between services, mobile devices are being used more and more to share data across storage platforms. Collecting evidence of cloud storage services such as these usually involves traditional acquisition methods, which result in a seizure that may not be complete. Relying on acquisition of data from the user device could result in incomplete evidence, as the device will not contain any file revisions or other “cloud-native” artefacts (Roussev, Barreto, & Ahme, 2016). Roussev, Barreto and Ahme developed an API to perform a cloud based acquisition of a storage container, ensuring that a complete acquisition is conducted in a forensically sound manner. The artefacts contained in this evidence are typical of the particular cloud service that has been accessed. They suggested that further research into the acquisition API was required to encompass all providers, including a deeper look into the acquisition and storage of "file history" artefacts (Roussev et al., 2016).

The Cloud environment adds a number of elements that could change the admissibility of the evidence that has been collected. For example, the jurisdictional boundaries that exist within the cloud environment are an element that may need to be taken into consideration. Data that is placed in a cloud environment in Australia, e.g. the Microsoft Azure datacentre in Sydney, could be backed up to the data centres in Melbourne and Singapore (Microsoft, 2015). This multi-tenanted approach has created legal challenges that require more interaction between law makers, law enforcement agencies and cloud providers. Another element is the nature of the multi-tenanted environment, where there is a sharing of resources that digital forensics traditionally finds on a single user/server system. Memory, cache etc. are shared in the cloud and are not designed to segregate usage between users.

File Sharing Sites

The common way to share files is through a peer to peer (P2P) system, e.g. Gnutella or BitTorrent. Sharing files in this manner is completed by downloading small amounts of each file from many different locations on the internet, all at the same time (P. Gill, n.d.). Two of the most common protocols are BitTorrent and Gnutella, and they work in different ways, as described below (Liberatore, Erdely, Kerle, Levine, & Shields, 2010):



- Gnutella works as an unstructured topology, where peers join together in a set of point to point (TCP) connections to some other peers, forming a neighbourhood of peers. Searches are completed by users sending queries to peers within the neighbourhood. These queries, in string form, are matched with file names across the network. All query responses are routed back to the originator along the original outgoing path. Sites include LimeWire, Shareaza and Phex; and
- BitTorrent requires ancillary support and global components to allow users to search across the swarm for a particular file to download. A user searches for a file and the peer then queries the BitTorrent tracker for the list of other peers that have that file available for download. Sites include BitTorrent, Vuze and The Pirate Bay.

In the 2009 paper “Tracking Contraband Files Transmitted using Bittorrent”, Schrader, Mullins, Peterson and Mills detailed two methods to identify illegal file shares (Schrader, Mullins, Peterson, & Mills, 2009):

a) Honeypots: a trap for the detection and tracking of illegal sharing activities.
   a. Typically, the honeypot will contain a number of illegal files and then connect to the internet. If an attempt to download these files is made, the honeypot will track the files to their eventual destination.
   b. Flaw: file sharers have to be able to locate the shared content, and there are applications that can protect the illegal shares from these types of traps, e.g. Peer Guardian.
b) BitTorrent Monitoring System (BTM): a system designed to detect and track illegal file downloaders.
   a. The BTM is designed to search the torrent site for content it determines is illegal; it will then attempt to download the content, which allows it to track information relating to the computers and user accounts of those who have the file shared.
   b. Flaw: due to the large number of torrent files on any one site, this method of detection is quite slow.

Schrader, Mullins, Peterson and Mills postulated the development of a Field Programmable Gate Array (FPGA) forensic tool for the detection and matching of BitTorrent packets. Once a packet is detected, its info hash is compared to the hashes in a list of files. If the comparison matches, the data is recorded for later tracking and analysis (Schrader et al., 2009).

In 2009 the Oak Ridge National Laboratory, in partnership with various law enforcement agencies, created a suite of tools used to locate and identify offenders who are sharing child pornography. The RoundUp suite is a group of tools to investigate file sharing networks such as Gnutella, eMule, Ares and BitTorrent. This suite of tools is available to law enforcement agencies at no cost. Almost no public knowledge exists about the RoundUp tool set, as there is speculation that the Federal Bureau of Investigation (FBI) released a directive to all RoundUp users not to disclose the existence of the tool (Hartman, 2016).

In Australia, under the Commonwealth Crimes Act 1914, when conducting evidence searches, e.g. in a peer to peer environment, the search terms included on the search warrant have to be given prominence (Commonwealth, Amended 2015). An interesting legal point in the United States of America is the difference between direct evidence and hearsay. When an analyst is connected to a computer over a network, e.g. a TCP connection, any evidence collected is considered “direct evidence” and admissible in court. If, however, the data is gathered through a relay of computers across the network connection, any evidence that is “relayed” from a remote computer through the computer with which the analyst has a direct connection is considered “hearsay” evidence and not admissible in court. To avoid this situation the analyst would need to use the information gathered about the remote computer and connect to it directly prior to downloading the evidence (Hartman, 2016).
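The FPGA tool proposed by Schrader et al. works by extracting the info hash from each BitTorrent packet and comparing it with a list of known hashes. The Python below is an added example of that matching step in software; it is not the authors' tool and not code from this paper. It derives an info hash the way BitTorrent clients do (the SHA-1 of the bencoded 'info' dictionary), then parses the fixed-format protocol handshake (a 1-byte length, the 19-byte string "BitTorrent protocol", 8 reserved bytes, the 20-byte info hash and a 20-byte peer id) out of captured payloads and reports any whose info hash is on a watch list. The torrent metadata, payloads and peer ids are constructed for the example; a deployment would feed it reassembled TCP payloads and a hash list supplied by the investigating agency.

```python
import hashlib

PSTR = b"BitTorrent protocol"                 # fixed protocol string of the handshake
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # 68 bytes in total


def bencode(value):
    """Minimal bencode encoder, the serialisation used by .torrent metainfo."""
    if isinstance(value, bool):
        value = int(value)
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        # Keys are byte strings emitted in sorted raw-byte order; without that
        # rule two clients would hash the same dictionary differently.
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %s" % type(value).__name__)


def info_hash(info):
    """info_hash = SHA-1 of the bencoded 'info' dictionary of the torrent."""
    return hashlib.sha1(bencode(info)).digest()


def build_handshake(ih, peer_id):
    """Assemble <pstrlen><pstr><8 reserved bytes><info_hash><peer_id>."""
    assert len(ih) == 20 and len(peer_id) == 20
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + ih + peer_id


def parse_handshake(payload):
    """Return (info_hash, peer_id) if payload starts with a handshake, else None."""
    if len(payload) < HANDSHAKE_LEN or payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    return payload[28:48], payload[48:68]


def match_handshakes(payloads, watch_list):
    """Report every handshake whose info hash appears in the watch list."""
    hits = []
    for payload in payloads:
        parsed = parse_handshake(payload)
        if parsed is not None and parsed[0] in watch_list:
            hits.append({"info_hash": parsed[0].hex(), "peer_id": parsed[1]})
    return hits


# Constructed sample metainfo; 'pieces' would normally hold the SHA-1 of every piece.
FLAGGED_INFO = {"name": "flagged-sample.bin", "piece length": 16384, "length": 16384,
                "pieces": hashlib.sha1(b"constructed piece 0").digest()}
BENIGN_INFO = {"name": "benign-sample.bin", "piece length": 16384, "length": 16384,
               "pieces": hashlib.sha1(b"constructed piece 1").digest()}
WATCH_LIST = {info_hash(FLAGGED_INFO)}   # the hashes the investigator is looking for


def demo():
    """Three captured payloads: a benign handshake, unrelated HTTP, a flagged handshake."""
    payloads = [
        build_handshake(info_hash(BENIGN_INFO), b"-CS0001-" + b"0" * 12),
        b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
        build_handshake(info_hash(FLAGGED_INFO), b"-CS0002-" + b"1" * 12),
    ]
    return match_handshakes(payloads, WATCH_LIST)


if __name__ == "__main__":
    for hit in demo():
        print("watch-list hit: info_hash=%s peer_id=%r" % (hit["info_hash"], hit["peer_id"]))
```

Matching on the info hash rather than on file names is what makes the approach robust to renamed files: the hash covers the piece hashes and lengths of the content, so the same content announces the same 20-byte value in every swarm that carries it.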

Internet of Things

The Internet of Things (IoT) is any object that can be assigned an IP address and access to the internet for the transmission of data (Rouse, 2016). Gartner predicted that by 2020, 20.8 million “connected things” will be plugged into the internet (Gartner, 2015). Indeed, these devices are already in use and have been exploited, e.g. the hack of a Chrysler Jeep whilst it was in motion (Greenberg, 2015).

The IoT will present the analyst with an array of challenges regarding the treatment of the item. Should the analyst leave the item powered on to preserve the current metadata of the stored information, or should it be powered off to avoid evidence being overwritten? What format is the data stored in, is it proprietary, what interfaces exist to interact with the device for data extraction, and can it be done in a forensically sound manner? These are just a fraction of the questions an analyst will have. Despite the benign gathering of data that is designed to improve how the item interacts with and for the user, do regular users have the knowledge to ensure that their IoT systems are configured in a way that ensures, or lifts, the level of privacy? At Enfuse 2016 Jonathan Rajewski showed how some innocuous household items could be compromised. Two examples are Hatch Baby and Android Nest (Rajewski, 2016):

- Hatch Baby is a smart change pad for the home, designed to track a baby’s growth, feedings, sleep patterns and nappy changes. The system works by downloading the Hatch Baby app to a smartphone and setting up an account. The pad itself connects to the home Wi-Fi modem over 802.11, as it requires internet access to operate (Hatch_Baby, 2016).
  o Rajewski was able to extract the Wi-Fi SSID, account information and biometric data from the device.
- Android Nest is an integrated system to assist home owners to monitor a number of in-home appliances, including the thermostat, outdoor and indoor cams and a smoke/CO2 alarm (Nest, 2016).
  o Rajewski was able to extract the Nest account information, use ffmpeg to convert video files located in the cache and access the Nest Protect cache for the smoke alarm.

To further highlight the opportunities that IoT devices offer to hackers, Gill, Archibald and Gallo from KPMG reported that the 2015 RSA Conference featured a demonstration of how to use IoT devices to hack into a power plant. The hackers used social engineering and some software to gain access to a “smart oven” that was networked to a Wi-Fi router. Using this path, the hackers accessed a workstation and were able to steal passwords and confidential data from an employee of the power plant. These passwords gave the hackers admin rights to power plant infrastructure (G. Gill, Archibald, & Gallo, 2016).

Security Analysts

Cyber intrusion is a problem that affects pretty much anyone on the internet, from terrorists to hacktivists to industrial spies and trusted insiders. Terrorist based cyberattacks are on the rise according to FBI Director James Comey, who stated that there were signs of increased interest from known organisations, e.g. ISIL (Paletta, 2015). Research shows that the main targets of a cyber intrusion attempt are not large corporations or Government agencies. Symantec reported in the Internet Security Threat Report 2016 that 43% of attacks were targeted at small business, with larger corporations making up 35% (Symantec, 2016).

Security analysts use browser analytics to track malware distributed through web page interaction. This could be the automatic installation of the malware, or a drive-by download (Provos, McNamee, Mavrommatis, Wang, & Modadugu, 2007), where exploits within the browser are used to perform an automatic install of the malware code (Mendoza & Varol, 2012). Another tool used by the analyst is the server log file. Server log files are extremely valuable in recording the events and actions that have taken place on the server. Being able to see who has accessed a server and when will lead to the how, and an eventual revelation of the chain of events that have occurred.

Insider attacks are a very real threat to any organisation. Being able to use a variety of tools, and thinking “outside the box”, can save not only time in completing an investigation, but could ensure that the investigation has exhausted every avenue of enquiry. In some cases, the insider may be using the techniques of hacktivist groups to mask their own agenda. One case reported by CSO Online detailed an instance of a web page defacement that was initially reported as coming from a known hacktivist group. With this information, management approved a complete rebuild of the web server, which destroyed all forensic evidence. When an independent forensic examination was conducted, a number of unusual factors were observed. Among these were suspicious, intensive and recent scans of the web application firewall. The application used to complete the scans was an expensive one that hacktivists are not likely to be able to afford to purchase, yet the affected company owned several licenses for this product. This led to a discussion with a web administrator, who admitted to the activity as he was stealing company secrets to sell (Kolochenko, 2016).
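The server log files described above answer the “who and when” question, and the CSO Online case shows that the identity of the tool behind a set of scans, as recorded in the User-Agent field, can be as telling as the scans themselves. The Python below is an added example, not from this paper or from any product named in it: it parses Apache/nginx “combined” format access log lines, summarises each client address by request count, error count, distinct paths and user agents, and flags addresses that fit a scanning pattern (many requests, mostly error responses, inside a short window). The log lines, addresses and the “ExampleScanner” agent string are constructed for the example, and the thresholds are starting points an analyst would tune to the site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format:
# client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample: one ordinary visitor, one address probing for directories
# with a commercial-looking scanner agent string, and one malformed line.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Sep/2016:10:15:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed browser)"
203.0.113.10 - - [08/Sep/2016:10:15:09 +0000] "GET /products HTTP/1.1" 200 8890 "https://www.example.org/" "Mozilla/5.0 (constructed browser)"
203.0.113.10 - - [08/Sep/2016:10:17:44 +0000] "POST /cart HTTP/1.1" 302 0 "https://www.example.org/products" "Mozilla/5.0 (constructed browser)"
198.51.100.7 - - [08/Sep/2016:10:20:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "ExampleScanner/4.2 (constructed)"
198.51.100.7 - - [08/Sep/2016:10:20:01 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "ExampleScanner/4.2 (constructed)"
198.51.100.7 - - [08/Sep/2016:10:20:01 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "ExampleScanner/4.2 (constructed)"
198.51.100.7 - - [08/Sep/2016:10:20:02 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "ExampleScanner/4.2 (constructed)"
198.51.100.7 - - [08/Sep/2016:10:20:03 +0000] "GET /config/ HTTP/1.1" 403 210 "-" "ExampleScanner/4.2 (constructed)"
198.51.100.7 - - [08/Sep/2016:10:20:03 +0000] "GET /login HTTP/1.1" 200 1337 "-" "ExampleScanner/4.2 (constructed)"
this line is not in combined log format
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def summarise(log_text):
    """Aggregate parsed lines per client address; unparsable lines are counted, not dropped silently."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set(),
                                  "agents": set(), "first": None, "last": None})
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
        s["paths"].add(rec["path"])
        s["agents"].add(rec["agent"] or "-")
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
    return dict(per_ip), unparsed


def flag_scanners(per_ip, min_requests=5, min_error_ratio=0.5, max_window_seconds=60):
    """Flag addresses that made many, mostly erroring, requests inside a short window."""
    flagged = []
    for ip, s in per_ip.items():
        window = (s["last"] - s["first"]).total_seconds()
        if (s["requests"] >= min_requests
                and s["errors"] / s["requests"] >= min_error_ratio
                and window <= max_window_seconds):
            flagged.append({"ip": ip, "requests": s["requests"], "errors": s["errors"],
                            "window_seconds": window, "agents": sorted(s["agents"]),
                            "paths": sorted(s["paths"]), "first": s["first"], "last": s["last"]})
    return sorted(flagged, key=lambda f: f["ip"])


if __name__ == "__main__":
    per_ip, unparsed = summarise(SAMPLE_LOG)
    print("%d unparsable line(s)" % unparsed)
    for hit in flag_scanners(per_ip):
        print(hit["ip"], hit["requests"], "requests,", hit["errors"], "errors in",
              hit["window_seconds"], "s; agents:", ", ".join(hit["agents"]))
```

Reporting the user agents alongside the flagged address is deliberate: in the insider case the product that produced the scans, and who held licences for it, was the lead that pointed away from the hacktivist story. Counting unparsable lines rather than discarding them matters for the same reason, since a gap in the record is itself something the analyst needs to explain.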

Retail Providers

In “Current Trends in Web Data Analysis” Sen, Dacin and Pattichis developed the Web forensic pyramid to show the importance of the value of data and analysis to business (Sen et al., 2006). The pyramid is made up of the following layers:

- Level 0 – Basic metric reporting. Used to analyse click records and report on web and marketing metrics;
- Level 1 – Web data warehousing. Storing large data sets and interfacing with enterprise data support for cross channel traffic analysis; and
- Level 2 – Visit behaviour tracing. Understanding the entirety of the visitor’s interaction with the web site.

The current trend for the monitoring of user interaction with a web site is Real User Monitoring (RUM). RUM is the passive monitoring of web site interaction for every user that visits the site. There are two forms of RUM: “bottom-up”, where server side data is captured so that the end user experience can be reconstructed, and “top-down”, which operates on the client side of the user interaction and records details of how users interact with the web site. RUM tools are invaluable to a retail entity in their ability to show clickstream detail of when and how a user interacted with the site, what products the user has looked at and added to their cart, and whether the user completes the transaction or leaves the site (Huston, 2014). With a market share of approximately 83%, Google Analytics is considered to be the most widely used web traffic analysis tool in use today (W3Techs, 2016). Google Analytics uses a high level dashboard style data display and an in-depth report set. Analytics can highlight pages that are not performing optimally, showing where visitors are being referred from, how long they remain on the site and their geographical location. Google Analytics also has a feature that allows for the gathering of user data from iOS and Android apps, and uses its Measurement Protocol to allow for the collection of data from all digital platforms, including when offline (Google, 2016a).

Mobile Devices

Mobile devices use solid state storage for all memory, to store data, run applications and “remember” user settings. Unlike a computer HDD, this memory is not volatile and will not be wiped when the device is restarted. To quote Clarke Walton, “if a cell phone used only ‘volatile’ memory, your iTunes library would be wiped out every time you powered down your phone” (Walton, 2014). Because the memory is not volatile, every interaction with the device will update the information in memory. For example, in the process for acquiring digital evidence, a hash value is taken of the item just prior to imaging, and then again after imaging, to ensure the continuity of the evidence. With a mobile phone, the hash value will be different every time, because each interaction changes what is in memory. Lessard and Kessler advised in their 2010 paper that a write blocker needed to be connected to a device, in this case an Android device, prior to taking a hash value. They failed to take into consideration that the device they connected to showed a message “you have connected your phone to a computer…” (Lessard & Kessler, 2010). This in itself changed just a small aspect of the device’s memory and will affect the hash. The web based artefacts recovered in this study included social media and email accounts and passwords (in plain text), images and emails.

Geo-artefacts, similar to those used in mapping tools, can be left by the mobile device as well as by web applications. Two such applications are Mobile Flickr and Twitter. Chad Tilbury detailed how these two applications sourced geo-artefacts in his article Big Brother Forensics: Device Tracking Using Browser-Based Artefacts (Tilbury, 2012). Being a photo sharing application, Flickr mobile has an added feature known as “nearby”, where a user can access pictures that have already been tagged for that location. To do this, Flickr needs the user’s current location, which is confirmed through Yahoo! Geo Services. The device’s browser cache will store an artefact relating to this activity. Twitter, on the other hand, allows users to tag tweets to a location. It uses a feature of HTML5 browsers to gather latitude and longitude coordinates to plot a geo-artefact. If this particular feature is not available, then the device’s IP address is used to plot a location. Twitter stores the device IP address of the last post within a cookie, even if this was not authorised by the account holder.

Consider the increase in user interaction with the internet through mobile devices. A 2015 report completed by comScore showed that as of March 2015 the number of American mobile-only adult users exceeded desktop-only users (Lella, 2015). Figures also indicate a downturn in the number of Americans only using a desktop computer from March 2014 to March 2015 [see Figure 1]. Interestingly, the number of mobile-only users has remained fairly static (Lella, 2015).

Figure 1 – Graph data from comScore.com (Lella, 2015)

The Google “Connected consumer survey 2016” shows that while Australian users conduct most of their online interactions on a desktop computer or tablet (32%), users who predominantly use a smartphone are not that far behind (20%) (Google, 2016b) [refer to Figure 2].

Figure 2 - Graph data from Google Barometer (Google, 2016)

One interesting case that involved the forensic examination of a mobile device was that of Pedro Bravo, who was convicted of first degree murder in the US state of Florida in 2014 (Awford, 2014). Forensic analysts examined Bravo’s mobile phone and found a Siri search that read “I need to hide my roommate.” Bravo’s device did not have the Siri application installed and this search was made through Facebook, with the artefact being located in the device cache for the Facebook app. The analyst was also able to determine that the torch application of the device was active for over an hour just after the disappearance of the victim (Goodison et al., 2015).

Discussion

There are so many different ways to access the internet, and as technology constantly evolves more are being developed every day. From traditional web browsers to The Onion Router, users are being given the tools they need to interact with the web in the manner that they prefer, and are able to access content that is both benign and illegal. Access to information is expanding exponentially. Consider these statistics from Gwava, published on 8 September 2016 (Team_Gwava, 2016):

- 4 million hours of video content uploaded to YouTube every day;
- 4.3 billion Facebook messages posted daily; and
- 205 billion emails sent each day (predicted to grow to 246 billion by 2019).

Law enforcement will forever be a step behind the criminal as they get smarter. Dr Simon Walsh, Australian Federal Police (AFP) Specialist Operations Manager, at the opening of the AFP’s new Forensic Labs in Canberra, stated that the time critical aspect of saving lives required members to work faster, which is something that gets harder to achieve as criminals get smarter (Doresett, 2016). The FBI’s decision to hide the contents of the RoundUp tool is a very big step towards limiting a criminal’s ability to change their techniques to beat the tool. Australian law enforcement agencies are investing in technology to catch criminals, but as new techniques are developed cyber criminals are developing ways to circumvent them. Cyber criminals must be investing in the technology they require to meet their needs and with Government cuts to budgets, it may be that the cybercriminal is that much more ahead. The Veda 2015 Cybercrime and Fraud Report states that cyber criminals are now using systems designed to make life easier for the average consumer. In 2015, there were more fraudulent credit applications made online that in branches and as there is a tightening of the identity verification rule, cyber criminals are turning more and more toward identity theft (Veda, 2015). To further exacerbate this particular issue, how much data is available to facilitate the theft of a person’s identity? That question is quite easy to answer, when considering the types of remnant data that is available on second hand devices sold through online auction sites (Robins, Williams, & Sansurooah, 2015). The Cloud is everywhere, and very hard to avoid. Gmail, Hotmail or any other web based email service are on the cloud and commonly used by many people.

Dropbox, OneDrive and iCloud are some of the services that allow both the average user and Corporations to store their data. Tools need to be developed that not only extract the data that is readily available, but revision histories and other meta data that is hidden from view. This will require developers, forensic analysts and cloud providers to collaborate. The legal profession needs to be involved to consider the aspect of multi-tenanting in regards to the available evidence that can be gathered from the cloud and the jurisdictional issues with world wide access to storage and where the systems are backed up to. Cyber Incident Response Teams (CIRT) have a great responsibility within their portfolios and require experience covering not just networks and servers, but also knowledge of network and digital forensic techniques, especially if there is to be any hope of prosecution. As with Law Enforcement agencies, CIRTs require current technology to counter the advanced attacks that criminals/hackers now use. The FBI has tried to recruit hackers to their Cyber Division, in an effort to stay ahead of the game (Boyd, 2015). The internet of things will expand the world's digital footprint, and could leave us vulnerable to an intrusion. It comes down to the analyst, who needs to learn how to gather and interpret the data that could potentially hold evidence of a breach. However, no person cannot hope to learn everything - gathering infinite knowledge will take infinite time. For this reason, Companies and Government agencies that rely on some form of digital forensic services are best advised to ensure their team have a diverse level of knowledge. For the CIRTs, IoTs will present a challenge as they continue their efforts in protecting the office space from outside threats. IoTs will become a part of the office environment and manufacturers must integrate security features into their products or risk the possibility of very bad publicity, or worse litigation. 
Long regarded as a way to send targeted advertising to consumers, loyalty programs have tracked buying habits for years. Retailers now use internet shopping habits to deliver targeted advertising, and they do not need an email address to do so. Retail forensics is used by nearly every online shopping site. Sign up to an auction site like eBay or to any of the world's retailers and buying habits are recorded, and the individual's screen fills with advertising tailored to the account holder. In 2016, mobile search engine advertising accounted for "53% of paid-search clicks", with Google responsible for 95% of all smartphone-based paid advertising clicks in the United States of America (Lister, 2016).
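The tracking described above leaves the same kind of trace the paper earlier attributes to the host server: every product view is recorded in the web server log, and a first-party cookie ties those views to one visitor without any email address. The following Python example, added here and not taken from the paper or any vendor tool, reconstructs per-visitor product browsing from a handful of constructed log lines. It assumes an Apache-style combined log format with the request's Cookie header appended as a final quoted field, a cookie named visitor, and the hostnames shop.example.test and example-search.test; all of these are illustrative assumptions.

```python
"""Reconstruct per-visitor product browsing from web server access logs,
keyed on a first-party tracking cookie. Added example; the log format,
cookie name and hostnames are assumptions, not taken from any real site."""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines (Apache combined format plus a trailing
# quoted Cookie field, which is a custom LogFormat and an assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2016:10:01:02 +0800] "GET /product?id=4411 HTTP/1.1" 200 5120 "https://www.example-search.test/?q=running+shoes" "Mozilla/5.0" "visitor=a1b2c3"
203.0.113.7 - - [12/Sep/2016:10:02:40 +0800] "GET /product?id=4412 HTTP/1.1" 200 4980 "https://shop.example.test/product?id=4411" "Mozilla/5.0" "visitor=a1b2c3"
198.51.100.9 - - [12/Sep/2016:10:03:15 +0800] "GET /product?id=9001 HTTP/1.1" 200 6100 "-" "Mozilla/5.0" "visitor=f00d99"
203.0.113.7 - - [12/Sep/2016:10:05:55 +0800] "POST /cart/add?id=4412 HTTP/1.1" 302 0 "https://shop.example.test/product?id=4412" "Mozilla/5.0" "visitor=a1b2c3"
198.51.100.9 - - [12/Sep/2016:10:06:00 +0800] "GET /static/logo.png HTTP/1.1" 200 800 "-" "Mozilla/5.0" "visitor=f00d99"
192.0.2.33 - - [12/Sep/2016:11:20:00 +0800] "GET /product?id=4412 HTTP/1.1" 200 4980 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    cookies = {}
    if rec["cookie"] != "-":
        for part in rec["cookie"].split(";"):
            if "=" in part:
                k, v = part.strip().split("=", 1)
                cookies[k] = v
    # The tracking identifier is a plain first-party cookie; no login or
    # email address is involved, which is the point made in the text above.
    rec["visitor"] = cookies.get("visitor")
    return rec


def product_id(path):
    """Return the product id for product-view and add-to-cart requests, else None."""
    u = urlparse(path)
    if u.path not in ("/product", "/cart/add"):
        return None
    ids = parse_qs(u.query).get("id")
    return ids[0] if ids else None


def reconstruct_sessions(log_text):
    """Return {visitor_key: [(timestamp, action, product_id, referer), ...]}.

    Requests without the cookie fall back to the client IP as a weaker key,
    so the analyst can see which activity is and is not reliably attributable.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pid = product_id(rec["path"])
        if pid is None:
            continue  # static assets carry no shopping signal
        action = "cart" if rec["path"].startswith("/cart/add") else "view"
        key = rec["visitor"] or f"nocookie:{rec['ip']}"
        sessions[key].append((rec["ts"], action, pid, rec["referer"]))
    return dict(sessions)


def search_terms(sessions):
    """Recover the search query a visitor arrived with from an external referer."""
    terms = {}
    for visitor, events in sessions.items():
        for _, _, _, ref in events:
            if ref in ("-", ""):
                continue
            u = urlparse(ref)
            if u.netloc == "shop.example.test":
                continue  # internal navigation, not a landing page
            q = parse_qs(u.query).get("q")
            if q:
                terms.setdefault(visitor, []).append(q[0])
    return terms


if __name__ == "__main__":
    sessions = reconstruct_sessions(SAMPLE_LOG)
    for visitor, events in sessions.items():
        print(visitor, [(action, pid) for _, action, pid, _ in events])
    print(search_terms(sessions))
```

Run as a script it prints one line per visitor key, showing that visitor a1b2c3 viewed two products and added one to the cart after arriving from a search for "running shoes", while the request with no cookie can only be tied to an IP address. The same cookie value reappearing from a different IP is exactly how a retailer, or an analyst with the server logs, follows a user across networks without ever learning who they are.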

Conclusion

This paper offers only a glimpse of what a comprehensive treatment of web usage forensics would require, since there are too many ways to interact with the internet to cover them all here. It highlights the need for further research into two emerging areas:

- how the IoT can be secured to protect the home and office from exploitation; and
- building tools to forensically collect data from the cloud.

References

ACORN. (2016). Learn about cybercrime. Australian Cybercrime Online Reporting Network. Retrieved from https://www.acorn.gov.au/learn-about-cybercrime
Akhil, M., & George, G. (2015). TOR Browser Forensics – Introduction to Darknet. Data Forensics.
Awford, J. (2014). College student accused of killing his friend in love triangle 'asked his phone where to put the body' the day the man went missing. Daily Mail. Retrieved from http://www.dailymail.co.uk/news/article-2723786/College-student-accused-murder-asked-Siri-hide-body.html
Boyd, A. (2015). FBI tries to recruit hackers as cyber special agents. Federal Times. Retrieved from http://www.federaltimes.com/story/government/cybersecurity/2015/08/18/fbi-recruits-hackers/31867247/
Bradley, D. (2016). How private is your browser's privacy mode? International Journal of Electronic Security and Digital Forensics.
Buchanan, W. (2016, 23 March). The 3T challenge for digital forensics: Tails, Telegram and Tor. Retrieved from https://www.linkedin.com/pulse/3t-challenge-digital-forensics-tails-telegram-tor-william-buchanan
Buckler, C. (2016). Browser Trends March 2016: Operating System Surprises. Retrieved from https://www.sitepoint.com/browser-trends-march-2016-operating-system-surprises/
Crimes Act 1914 (Cth), as amended 2015.
Cruz, X. (2012). The Basics of Cloud Forensics. Cloud Times.
Doresett, J. (2016, 21 August). Australian Federal Police's new digital forensics lab helps fight crime before it occurs. ABC News. Retrieved from http://www.abc.net.au/news/2016-08-21/afp-digital-forensics-lab-helping-fight-crime-before-it-occurs/7769330
Follette, V. M., Polusny, M. M., & Milbeck, K. (1994). Mental health and law enforcement professionals: Trauma history, psychological symptoms, and impact of providing services to child sexual abuse survivors. Professional Psychology: Research and Practice, 25(3).
Gartner. (2015). Gartner Says 6.4 Billion Connected "Things" Will Be in Use in 2016, Up 30 Percent From 2015 [Press release]. Retrieved from http://www.gartner.com/newsroom/id/3165317
Ghafarian, A., & Seno, S. A. H. (2015). Analysis of Privacy of Private Browsing Mode through Memory Forensics. International Journal of Computer Applications, 132(16).
Gill, G., Archibald, G., & Gallo, S. (2016). Internet of Things: Threat and opportunity in one. KPMG Insights.
Gill, P. (n.d.). Torrents 101: How Torrent Downloading Works. About Tech, Internet Basics.
Goodison, S. E., Davis, R. C., & Jackson, B. A. (2015). Digital Evidence and the U.S. Criminal Justice System.
Google. (2016a). Google Analytics - Features. Retrieved from https://www.google.com.au/analytics/standard/features/
Google. (2016b). With which connected devices do people most often go online? Consumer Barometer with Google. Retrieved from https://www.consumerbarometer.com/en/graph-builder/?question=W4&filter=country:australia
Graham, W. R. (2000). Uncovering and Eliminating Child Pornography Rings on the Internet: Issues Regarding and Avenues Facilitating Law Enforcement's Access to 'Wonderland'.
Greenberg, A. (2015, 21 July). Hackers Remotely Kill a Jeep on the Highway—With Me in It. Wired. Retrieved from https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Hartman, K. G. (2016, 27 March). BitTorrent & Digital Contraband. SANS InfoSec Reading Room.
Hatch Baby. (2016). Hatch Baby. Retrieved from http://www.hatchbaby.com/#specifications
Howe, W. (2016). A Brief History of the Internet. Retrieved from http://www.walthowe.com/navnet/history.html
Huston, T. (2014). What is Real-User Monitoring? SmartBear.
Internet Live Stats. (2016). Internet Users. Retrieved from http://www.internetlivestats.com/internet-users/
Kolochenko, I. (2016). Fake attacks by insiders to fool companies. CSO Online.
Lella, A. (2015). Number of Mobile-Only Internet Users Now Exceeds Desktop-Only in the U.S. comScore Insights.
Lessard, J., & Kessler, G. C. (2010). Android Forensics: Simplifying Cell Phone Examinations. Small Scale Digital Device Forensics Journal, 4(1).
Liberatore, M., Erdely, R., Kerle, T., Levine, B. N., & Shields, C. (2010). Forensic Investigation of Peer-to-Peer File Sharing Networks.
Lister, M. (2016, 20 September). Mobile Advertising Statistics & Trends. Retrieved from http://www.wordstream.com/blog/ws/2016/09/15/mobile-advertising-statistics
Mendoza, A., & Varol, C. (2012). Tracking Malware using Internet Activity Data. Paper presented at the World Congress on Engineering and Computer Science, San Francisco, USA.
Microsoft. (2015). Office 365 Trust Centre. Retrieved from https://products.office.com/en-us/business/office-365-trust-center-cloud-computing-security
Nest. (2016). Your Home in your hand. Retrieved from https://nest.com/app/
NIST. (2013). Forensic Database Tech Digital Evidence Table. Technology/Digital Evidence. Retrieved from https://www.nist.gov/pba/forensic-database-tech-digital-evidence-table
Paletta, D. (2015). FBI Director Sees Increasing Terrorist Interest in Cyberattacks Against U.S. The Wall Street Journal. Retrieved from http://www.wsj.com/articles/fbi-director-sees-increasing-terrorist-interest-in-cyberattacks-against-u-s-1437619297
Pallis, G. (2010). Cloud Computing - The New Frontier of Internet Computing. IEEE Computer Society.
Provos, N., McNamee, D., Mavrommatis, P., Wang, K., & Modadugu, N. (2007). The Ghost In The Browser: Analysis of Web-based Malware. Paper presented at HotBots '07. https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/provos/provos.pdf
Rajewski, J. T. (2016). Internet of Things Forensics. Paper presented at Enfuse 2016, Las Vegas, United States of America. https://www.jonrajewski.com/data/Presentations/EnFuse2016/Enfuse_2016_Internet_of%20Things_Rajewski.pdf
Robins, N., Williams, P. A. H., & Sansurooah, K. (2015). I know what you did last summer… An Investigation into Remnant Data on USB Storage Devices Sold in Australia in 2015. Paper presented at the Australasian Computer Science Week Multiconference, Canberra, Australia.
Rouse, M. (2016). Internet of Things (IoT). TechTarget, Internet of Things.
Roussev, V., Barreto, A., & Ahmed, I. (2016). Forensic Acquisition of Cloud Drives.
Schrader, K., Mullins, B., Peterson, G., & Mills, R. (2009). Tracking Contraband Files Transmitted Using BitTorrent. In G. Peterson & S. Shenoi (Eds.), Advances in Digital Forensics V: Fifth IFIP WG 11.9 International Conference. Springer.
Sen, A., Dacin, P. A., & Pattichis, C. (2006). Current Trends in Web Data Analysis. Communications of the ACM, 49.
Symantec. (2016). Internet Security Threat Report, Volume 21. Retrieved from https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
Tails. (2016). Tails Installation Assistant. Retrieved from https://tails.boum.org/install/win/index.en.html
Team GWAVA. (2016). How Much Data is Created on the Internet Each Day? Retrieved from https://www.gwava.com/blog/internet-data-created-daily
Tilbury, C. (2012). Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 3). Retrieved from https://digital-forensics.sans.org/blog/2012/04/13/big-brother-forensics-device-tracking-using-browser-based-artifacts-part-3
Tor Project. (2016). Tor: Overview. Retrieved from https://www.torproject.org/about/overview.html.en
Veda. (2015). Veda 2015 Cybercrime and Fraud Report. Retrieved from http://www.veda.com.au/sites/default/files/docs/ved464_fa_identity-fraud-report_hr.pdf
Vijith, T. K., & Pramod, K. V. (2016). The Role of Cyber Forensics in Legal and Ethical Aspects of Cyberspace. Computer Society of India Communications, 39(12), 14-17.
W3Techs. (2016). Usage of traffic analysis tools for websites. Retrieved from https://w3techs.com/technologies/overview/traffic_analysis/all
Walton, C. (2014). Mobile Device Forensics: Pulling Back the Digital Curtain. Retrieved from http://www.alexanderricks.com/mobile-device-forensics-pulling-back-the-digital-curtain/