browser forensics adblocker extensions
play

Browser forensics: Adblocker extensions Willem Rens (UvA MSc SNE - PowerPoint PPT Presentation

Oct 06, 2023 •332 likes •786 views

Browser forensics: Adblocker extensions Willem Rens (UvA MSc SNE student) Supervisor: Johannes de Vries (Fox-IT) Why traditional browser forensics may not work Cleared Cookies Cache History Sometimes recoverable, Jeon et

  1. Browser forensics: Adblocker extensions Willem Rens (UvA MSc SNE student) Supervisor: Johannes de Vries (Fox-IT)

  2. Why traditional browser forensics may not work ● Cleared ○ Cookies ○ Cache ○ History Sometimes recoverable, Jeon et al(2012). Modern SSD’s make it impossible.

  3. Why traditional browser forensics may not work ● Cleared ○ Cookies ○ Cache ○ History Sometimes recoverable, Jeon et al(2012). Modern SSD’s make it impossible. ● Private browsing ○ Incognito (Chrome) ○ InPrivate (Ie&edge) ○ Private browsing (Firefox)

  4. Why traditional browser forensics may not work ● Cleared ○ Cookies ○ Cache ○ History Sometimes recoverable, Jeon et al(2012). Modern SSD’s make it impossible. ● Private browsing ○ Incognito (Chrome) ○ InPrivate (Ie&edge) ○ Private browsing (Firefox) Claims to maintain complete user privacy by not storing traces of web browsing sessions. Flowers et al. (2016) studied the validity of this claim. IE11 still left traces, Chrome and Firefox did not.

  5. Adblocker extension usage estimates Usage estimates vary widely

  6. Adblocker extension usage estimates Usage estimates vary widely ● 20% ? ( Metadata analysis within a large European ISP, 2015, Metwalley, et al. )

  7. Adblocker extension usage estimates Usage estimates vary widely ● 20% ? ( Metadata analysis within a large European ISP, 2015, Metwalley, et al. ) ● 62% ? ( Undergraduate business students, 2011, Sandvig, et al. )

  8. Adblocker extension usage estimates Usage estimates vary widely ● 20% ? ( Metadata analysis within a large European ISP, 2015, Metwalley, et al . ) ● 62% ? ( Undergraduate business students, 2011, Sandvig, et al. ) 41% increase year by year(Adobe and Pagefair, 2015)

  9. Research questions ● RQ1 - What artifacts are stored by the tested ad-blocking extensions during normal and private browsing?

  10. Research questions ● RQ1 - What artifacts are stored the tested ad-blocking extensions during normal and private browsing? ● RQ2 - If artifacts are found, what is their usefulness in browser forensics?

  11. Tested browsers & their most popular Adblocker extension. Browser Adblocker extension Mozilla Firefox 46.0 Adblock Plus 2.8.2 Google Chrome/55.0.2883.87 AdBlock 3.8.4 Internet Explorer 11 Adblock Plus 1.6 Microsoft Edge/14.14393 AdBlock 1.9.0.0 AdBlock & Adblock Plus are not related. Source most popular adblocking extensions = amount of downloads and reviews as stated by respective webstore. Other adblocking extensions have significant smaller market shares < 10%.

  12. Approach ● Automated sample gathering. ○ Control Sample. ○ Adblock Sample. ○ Private browsing sample. ○ Browsing session entails the visitation of top 50 NL websites as per alexa.com. ○ Python + selenium + save timestamps on url request. ○ Chrome & Firefox have the concept of user profiles, create a new one and extract the user data directory. ○ Ie & Edge more difficult to automate due to limited control with selenium, such as for adding an extension and it does not have the concept of user profiles.

  13. Approach ● Automated sample gathering. ○ Control Sample. ○ Adblock Sample. ○ Private browsing sample. ○ Browsing session entails the visitation of top 50 NL websites as per alexa.com. ○ Python + selenium + save timestamps on url request. ○ Chrome & Firefox have the concept of user profiles, create a new one and extract the user data directory. ○ Ie & Edge more difficult to automate due to limited control with selenium, such as for adding an extension and it does not have the concept of user profiles. ● OSForensics (trialware) ○ Also used by Flowers et al. (2016). ○ Snapshots of the file system, compare them pre and after sample gathering.

  14. Approach ● Automated sample gathering. ○ Control Sample. ○ Adblock Sample. ○ Private browsing sample. ○ Browsing session entails the visitation of top 50 NL websites as per alexa.com. ○ Python + selenium + save timestamps on url request. ○ Chrome & Firefox have the concept of user profiles, create a new one and extract the user data directory. ○ Ie & Edge more difficult to automate due to limited control with selenium, such as for adding an extension and it does not have the concept of user profiles. ● OSForensics (trialware) ○ Also used by Flowers et al. (2016). ○ Snapshots of the file system, compare them pre and after sample gathering. ● W10 Home 64-bit.

  15. Approach ● Automated sample gathering. ○ Control Sample. ○ Adblock Sample. ○ Private browsing sample. ○ Browsing session entails the visitation of top 50 NL websites as per alexa.com. ○ Python + selenium + save timestamps on url request. ○ Chrome & Firefox have the concept of user profiles, create a new one and extract the user data directory. ○ Ie & Edge more difficult to automate due to limited control with selenium, such as for adding an extension and it does not have the concept of user profiles. ● OSForensics (trialware) ○ Also used by Flowers et al. (2016). ○ Snapshots of the file system, compare them pre and after sample gathering. ● W10 Home 64-bit. ● Research indicates 80% of software is used in its default setting, Wills et al. (2016) confirms this for the use of Adblock Plus.

  16. Approach ● Automated sample gathering. ○ Control Sample. ○ Adblock Sample. ○ Private browsing sample. ○ Browsing session entails the visitation of top 50 NL websites as per alexa.com. ○ Python + selenium + save timestamps on url request. ○ Chrome & Firefox have the concept of user profiles, create a new one and extract the user data directory. ○ Ie & Edge more difficult to automate due to limited control with selenium, such as for adding an extension and it does not have the concept of user profiles. ● OSForensics (trialware) ○ Also used by Flowers et al. (2016). ○ Snapshots of the file system, compare them pre and after sample gathering. ● W10 Home 64-bit. ● Research indicates 80% of software is used in its default setting, Wills et al. (2016) confirms this for the use of Adblock Plus. But first explore the mechanisms used by ad blocking extensions and study its source code.

  17. Adblocker mechanics ● Filter lists ○ By far most popular is EasyList ○ Whitelist filters overrule

  18. Adblocker mechanics ● Filter lists ○ By far most popular is EasyList ○ Whitelist filters overrule ● Blocking requests ○ Extensions can register content policies , they get called whenever the browser needs to load something. ○ If there is a filter hit do not request the resource.

  19. Adblocker mechanics ● Filter lists ○ By far most popular is EasyList ○ Whitelist filters overrule ● Blocking requests ○ Extensions can register content policies , they get called whenever the browser needs to load something. ○ If there is a filter hit do not request the resource. ● Hiding elements ○ Some elements can not be blocked otherwise page won’t load. ○ Update user style sheet (overrides other styling) with styling > display: none !important

  20. AdBlock Plus 3.8.4 - Firefox addUserCSS(subject, selectors.map( selector => selector + "{ display: none !important; }" ).join("\n"));

  21. AdBlock Plus 3.8.4 - Firefox addUserCSS(subject, selectors.map( selector => selector + "{ display: none !important; }" ).join("\n")); if (! isPrivate (subject)) port.emit("addHits", filters);

  22. Extensions storing capabilities ● SessionStorage - stores data for one session (data is lost when the browser tab is closed).

  23. Extensions storing capabilities ● SessionStorage - stores data for one session (data is lost when the browser tab is closed). ● LocalStorage - stores data with no expiration date.

  24. Extensions storing capabilities ● SessionStorage - stores data for one session (data is lost when the browser tab is closed). ● LocalStorage - stores data with no expiration date. This concept is used in all the tested browsers.

  25. Comparing samples

  26. Comparing file change differences of samples.

  27. Results Google Chrome/55.0.2883.87 + AdBlock Chrome local storage for extensions -> LevelDB ( key-value store written by Google ) Key Value (contents) blockage_stats Epoch installation time file:pattern.ini Filter list + subscription next_ping_time Sends user data to https://ping.getadblock.com/stats/ on given epoch time pref:blocked_total Total amount of filter hits since installation pref:currentVersion Version number pref:notificationdata Stats about the subscriptions, including when to check for updates. pref:settings Some settings pref:total_pings Total amount of pings userid Unique user ID

  28. Results Google Chrome/55.0.2883.87 + AdBlock Chrome local storage for extensions -> LevelDB ( key-value store written by Google ) Key Value (contents) blockage_stats Epoch installation time file:pattern.ini Filter list + subsciption next_ping_time Sends user data to https://ping.getadblock.com/stats/ on given epoch time pref:blocked_total Total amount of filter hits since installation pref:currentVersion Version number pref:notificationdata Stats about the subscriptions, including when to check for updates. pref:settings Some settings pref:total_pings Total amount of pings userid Unique user ID

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Writing Browser Extensions in Kotlin Kirill Rakhman (@Cypressious) busradar.com KotlinJS No

Writing Browser Extensions in Kotlin Kirill Rakhman (@Cypressious) busradar.com KotlinJS No

Writing Browser Extensions in Kotlin Kirill Rakhman (@Cypressious) busradar.com KotlinJS No longer expiremental since 1.1.0 Can run anywhere where JS runs Websites NodeJS Browser Extensions Can call JS the

250 views • 24 slides
CSN11121 System Administration and Forensics Web Browser Forensic r.ludwiniak@napier.ac.uk

CSN11121 System Administration and Forensics Web Browser Forensic r.ludwiniak@napier.ac.uk

CSN11121 System Administration and Forensics Web Browser Forensic r.ludwiniak@napier.ac.uk Overview Forensics on Internet Explorer and Firefox Structure Information storage Access to the Information storage Tools used to

1.04k views • 40 slides
TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA

TOR BROWSER FORENSICS ON WINDOWS OS MATTIA EPIFANI, FRANCESCO PICASSO, MARCO SCARITO, CLAUDIA MEDA DFRWS 2015 DUBLIN, 24 MARCH 2015 REAL CASE Management salaries of a private company were published on a Blog Through an analysis of the

228 views • 21 slides
Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj Singh Gaur 1 , Vijay Laxmi 1 , Tushar Singhal 1 , Mauro Conti 2 1 Malaviya National Institute of Technology, Jaipur, India 2 University of Padua, Italy

882 views • 58 slides
Awesome Chrome Extensions Checker PLUS Gmail/Calendar Vimium The Hacker's Browser. Vimium

Awesome Chrome Extensions Checker PLUS Gmail/Calendar Vimium The Hacker's Browser. Vimium

Awesome Chrome Extensions Checker PLUS Gmail/Calendar Vimium The Hacker's Browser. Vimium provides keyboard shortcuts for navigation and control in the spirit of Vim. Context Menus WhatFont ColorZilla LastPass Dark

383 views • 15 slides
Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami , Panagiotis Ilia, Konstantinos Solomos, Jason Polakis University of Illinois at Chicago, USA skaram5@uic.edu February 24, 2020 Browser extensions

886 views • 30 slides
Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami , Panagiotis Ilia, Konstantinos Solomos, Jason Polakis University of Illinois at Chicago, USA skaram5@uic.edu February 24, 2020 Browser extensions

492 views • 28 slides
Post Message Vulnerabilities in Chrome By Alfred Zhong, Trevor Hornung Why use extensions?

Post Message Vulnerabilities in Chrome By Alfred Zhong, Trevor Hornung Why use extensions?

Post Message Vulnerabilities in Chrome By Alfred Zhong, Trevor Hornung Why use extensions? Extensions extend the functionality of the web browser. They usually serve a single purpose that is narrowly defined and easy to understand. Some of

732 views • 20 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background singers: Jay and Fabian 1 Agenda Questions and Critique of Timezones paper Extensions Network Monitoring (recap) Post-Mortem Analysis

666 views • 40 slides
CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Forensics for Graphics Files Types of graphics file formats Type of data compression How to locate

362 views • 25 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Overview of Mobile Forensics Originated in Europe and focused on the GSM SIM card. Roaming of Devices

694 views • 17 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics &amp; Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
Beach Parasol Don't get burned at the Seaside Kris Gybels 2Rivers maandag 9 september 13

Beach Parasol Don't get burned at the Seaside Kris Gybels 2Rivers maandag 9 september 13

Beach Parasol Don't get burned at the Seaside Kris Gybels 2Rivers maandag 9 september 13 maandag 9 september 13 maandag 9 september 13 maandag 9 september 13 GUI-Testing Smalltalk-AJAX/SJAX web applications with Selenium Carsten Hrle @

397 views • 17 slides
Xerography DI MICCO, MATTHEW ESPINOZA, LEO FLEMING, STEPHEN HERRMANN, ERIK Xerography

Xerography DI MICCO, MATTHEW ESPINOZA, LEO FLEMING, STEPHEN HERRMANN, ERIK Xerography

Xerography DI MICCO, MATTHEW ESPINOZA, LEO FLEMING, STEPHEN HERRMANN, ERIK Xerography Background/History Also known as Electrophotography or Electrostatic Imaging From greek radicals xeros and graphos Developed by Chester Carlson in

328 views • 10 slides
Selenium IDE Is Making a Comeback - Can Codeless Testing Scale?

Selenium IDE Is Making a Comeback - Can Codeless Testing Scale?

T8 Test Automation Thursday, October 3rd, 2019 11:15 AM Selenium IDE Is Making a Comeback - Can Codeless Testing Scale? Presented by: Moshe Milman

615 views • 60 slides
Fundamentals! Tusha Pavuluri August 16, 2017 About Tusha Tusha leads the QA department at

Fundamentals! Tusha Pavuluri August 16, 2017 About Tusha Tusha leads the QA department at

Software Quality Assurance - Foundations and Fundamentals! Tusha Pavuluri August 16, 2017 About Tusha Tusha leads the QA department at HelloSign.com, one of the major key players in the field of electronic signatures. Along with a Masters in

487 views • 48 slides
Magento Performance Toolkit William Harvey Principal Product Manager Magento What does it mean

Magento Performance Toolkit William Harvey Principal Product Manager Magento What does it mean

Magento Performance Toolkit William Harvey Principal Product Manager Magento What does it mean to me? Solution Architect, Network Architect Hosting Provider Database Admin, System Admin, Magento Admin Developer Front-end

272 views • 13 slides
AN INTRODUCTION TO ANGLO AMERICAN Robert Craike, Peace River Coal Operations, General Manager

AN INTRODUCTION TO ANGLO AMERICAN Robert Craike, Peace River Coal Operations, General Manager

AN INTRODUCTION TO ANGLO AMERICAN Robert Craike, Peace River Coal Operations, General Manager Presentation to the 2013 Northeast British Columbia Community Coal and Energy Forum ANGLO AMERICAN Anglo American is a global diversified miner with a

351 views • 18 slides
eggPlant Performance An introduction in 40 minutes Gordon McKeown Director, Performance

eggPlant Performance An introduction in 40 minutes Gordon McKeown Director, Performance

eggPlant Performance An introduction in 40 minutes Gordon McKeown Director, Performance Solutions @TestPlant Development Centers Sales Offices Accolades Product landscape eggPlant range eggPlant Performance Studio Create virtual user

224 views • 9 slides
Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start

Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start

Appium Studio Appium testing made easy at any scale 1 Appium Studio by Experitest Easily start with Appium testing, and scale according to need Easily write stable Appium tests, or run your existing Appium scripts Set up within minutes,

386 views • 14 slides

More recommend