Conference paper
WebCapsule: Towards a lightweight forensic engine for web browsers
Abstract
Performing detailed forensic analysis of real-world web security incidents targeting users, such as social engineering and phishing attacks, is a notoriously challenging and time-consuming task. To reconstruct web-based attacks, forensic analysts typically rely on browser cache files and system logs. However, cache files and logs provide only sparse information often lacking adequate detail to reconstruct a precise view of the incident. To address this problem, we need an always-on and lightweight (i.e., low overhead) forensic data collection system that can be easily integrated with a variety of popular browsers, and that allows for recording enough detailed information to enable a full reconstruction of web security incidents, including phishing attacks. To this end, we propose WebCapsule, a novel record and replay forensic engine for web browsers. WebCapsule functions as an always-on system that aims to record all non-deterministic inputs to the core web rendering engine embedded in popular browsers, including all user interactions with the rendered web content, web traffic, and non-deterministic signals and events received from the runtime environment. At the same time, WebCapsule aims to be lightweight and introduce low overhead. In addition, given a previously recorded trace, WebCapsule allows a forensic analyst to fully replay and analyze past web browsing sessions in a controlled isolated environment. We design WebCapsule to also be portable, so that it can be integrated with minimal or no changes into a variety of popular web-rendering applications and platforms. To achieve this goal, we build WebCapsule as a self-contained instrumented version of Google's Blink rendering engine and its tightly coupled V8 JavaScript engine. We evaluate WebCapsule on numerous real-world phishing attack instances, and demonstrate that such attacks can be recorded and fully replayed. In addition, we show that WebCapsule can record complex browsing sessions on popular websites and different platforms (e.g., Linux and Android) while imposing reasonable overhead, thus making always-on recording practical.