DBling: Identifying extensions installed on encrypted web thin clients

Mike Mabey, Adam Doupe, Ziming Zhao, Gail Joon Ahn

Research output: Contribution to conference › Paper

Abstract

Researchers have developed forensic analysis techniques for so many types of digital media that there is a procedure for almost every digital media that a law enforcement officer may encounter at a crime scene. However, a new type of device has started to gain momentum in the consumer market: web thin clients. These web thin clients are characterized by native support for basic web browsing, yet other functionality relies on a combination of web applications and web storage. In fact, these devices are so different from other types of computing and storage devices that virtually all of the techniques forensic examiners and researchers typically use do not apply. The most popular web thin client, Chrome OS, has additional forensic challenges: (1) all data associated with users is encrypted, (2) Chrome OS correctly uses TPM and Secure Boot, and (3) user data is stored on the device and in the cloud. In this work, we present a novel approach to extract residual evidence stored on Chrome OS devices that successfully bypasses these challenges. Specifically, we are able to determine which extensions and apps are installed on an encrypted Chrome OS device, without breaking or otherwise extracting the encryption keys. Our framework, called dbling, generates signatures or fingerprints of extension and app code that persist after encryption, and we are able to use these fingerprints to identify the installed extensions and apps. We create fingerprints of 160,025 extensions for Chrome OS, we measure the uniqueness of these fingerprints, and we perform a case study by installing 14 extensions on a Chrome OS device and attempt to find their fingerprints.

Original language: English (US)
Pages: S55-S65
DOI: https://doi.org/10.1016/j.diin.2016.04.007
State: Published - Jan 1 2016
Externally published: Yes
Event: 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA - Seattle, United States
Duration: Aug 7 2016 to Aug 10 2016

Conference

Conference: 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA
Country: United States
City: Seattle
Period: 8/7/16 to 8/10/16

Fingerprint

Application programs
Digital storage
Cryptography
Crime
Law enforcement
Momentum

Keywords

  • Chrome OS
  • Digital forensics
  • Forensics on encrypted data
  • Web thin clients

ASJC Scopus subject areas

  • Information Systems

Cite this

Mabey, M., Doupe, A., Zhao, Z., & Ahn, G. J. (2016). DBling: Identifying extensions installed on encrypted web thin clients. S55-S65. Paper presented at 16th Annual USA Digital Forensics Research Conference, DFRWS 2016 USA, Seattle, United States. https://doi.org/10.1016/j.diin.2016.04.007
