Authors: Dohun Kim, Sangjin Lee, Jungheum Park
DFRWS USA 2024
Abstract
Various technical and legal issues hinder direct investigation on cloud services, which facilitates alternative approach to investigate services through artifacts left by web browsers. Among diverse web browser artifacts, client-side storages such as IndexedDB have been focused to retrieve contextual information about user behavior. However, analyzing such client-side storages has been difficult in private mode environments, as they were only kept in memory or not supported at all, depending on the browser. Recently, Firefox has started to support IndexedDB storage in private mode by storing encrypted files on disk during private sessions since July 2023. Since then, Gecko-based browsers’ effort to support client-side storages through encrypted files on disk has been continued with Tor Browser also began supporting IndexedDB in the same way since October 2023. Meanwhile, the research to utilize those encrypted files on investigation has not progressed much yet. This paper shows how to decrypt client-side storages generated on Gecko-based browsers’ private mode by extracting cipherkeys in memory. Experimental results indicate that when private session is running, our proof-of-concept tool successfully decrypts all encrypted files. Additionally, there is a possibility of recovering data even in an inactive state by utilizing hibernation file on disk.