TY  - BOOK
AU  - Sally Mosaad Mohamed
TI  - A Postmortem Forensic Analysis for a JavaScript Based Attack / 
U1  - 610 
PY  - 2017///
KW  - Informatics-IFM
KW  - NULIB
KW  - Dissertation, Academic
N1  - Thesis (M.A.)—Nile University, Egypt, 2017; "Includes bibliographical references"; Contents:
1 AnOverviewofWebBrowsersandTheirPossibleAttacks 1
1.1 InternetBrowsers . ........................... 1
1.2 Webbasedattacks . .......................... 4
1.2.1 Drive-by-Download . ...................... 6
2 DrivebyDownloadAttackandWebBrowserForensics 13
2.1 BrowserForensics . ........................... 16
2.1.1 BrowserForensicTool(BFT): . ................ 19
2.1.2 NETANALYSIS: . ....................... 19
2.1.3 Nirsoft: . ............................ 21
2.1.4 InternetEvidenceFinder(IEF): . ............... 22
2.1.5 CacheBack: . .......................... 22
3 ProposedSystemDescription 27
3.0.6 DataGathering: . ........................ 30
3.0.7 DataAnalysis . ......................... 32
3.0.8 DataClassication . ...................... 35
4 ExperimentandFindings 39
5 ConclusionandFutureWork 45
A FirefoxExtensionSourceCode 47
B AnalyzerSourceCode
C AnalyzerOutputData 54
Bibliography
N2  - Abstract:
In recentyears,attacksthattargetbrowsers'vulnerabilitieshaveincreasedsignif-
icantly.Aninnocentusermaybeluredtoaccessuntrustedwebsiteandmalicious
contentpassivelydownloadedandexecutedbyher/hiswebbrowser.Thisattack
vectorisknownas,Drive-by-Downloadattack.Systemsandsecurityresearchers
haveaddressedthisattackfromdierentperspectives.Severaltechniquesandtools
wereintroducedtodetectandpreventDrive-by-Downloadattack.However,few
researcheshaveaddressesthebrowserforensicsperspectivesto(1)identifytraces
(2) reconstructtheexecutedeventsofadownloadedmaliciouscontent,toassist
the digitalforensicinvestigationprocess.Inthisstudy,adigitalforensicmethodis
introducedtoinvestigateawebbrowsersubjecttoDrive-by-Downloadattack.We
developedaProof-of-ConceptimplementationbasedonFirefoxbrowser-extension
to inspectandanalyzemaliciousURLsthathostmaliciousexecutables.The
developedsystemistestedusinganumberofmaliciouswebpagesandsuccess-
fully identiedthedigitalevidenceoftheattack.81%oftheidentiedevidence
wereartifactsthatwebelievecouldassistforensicinvestigatorstodetermineif
a web-browserorasystemsubjecttoexaminationiscompromisedornot,and
the indicationsofcompromises.Theindicationforcompromisecouldbeadown-
loaded maliciouscode,acreatedtemporaryleand/oralinktomaliciousserver
that downloadedmalwareintothesystem
ER  -