Because of privacy concerns, Flash cookies have become a hot topic in security. Seen from the other side, however, Flash cookies (local shared objects, LSOs) are a good source of court evidence: whatever is a problem for personal privacy is useful in a forensic investigation. This article first covers the basics of Flash cookies, then their use in forensic analysis, and finally a small tool for inspecting and managing them.
I. Basic Flash cookie knowledge
First, some basic facts about Flash cookies:
◆ Flash is widely used on the Internet. It delivers streaming video as well as rich client-side experiences, and many popular websites depend on it, so the Flash plug-in is installed on a very high proportion of Internet users' machines.
◆ Flash standard local shared objects: the Flash Player instance on a user's computer can store local shared objects on the local disk.
◆ Local shared objects are stored as separate files with the extension .sol. By default they are limited to a per-domain storage quota (100 KB in the default Flash Player settings) and they never expire, unlike a traditional HTTP cookie.
◆ I have found .sol files in two locations on the local system: %USERPROFILE%\Application Data\Macromedia\Flash Player\ and %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects\. Here %USERPROFILE% is the user's profile directory, normally C:\Documents and Settings\<username>\ on Windows XP. On Vista, also check the Roaming folder under %USERPROFILE% (AppData\Roaming\Macromedia\Flash Player\).
◆ Local shared objects are not managed by the browser, so clearing the browser's cookies does not remove them, and an ordinary user cannot delete them easily: to delete these files you first have to know where they are. As a result, local shared objects tend to persist on the local system for a long time.
II. Forensic Analysis
In computer investigations it is fair to describe local shared objects as Flash cookies, because they yield the same kinds of information as traditional HTTP cookies. In general, Flash cookies provide the following:
Visited websites
Flash stores local shared objects in a directory hierarchy organized by domain name; this is how it enforces the per-domain storage quota. From the investigator's point of view, this layout gives a convenient way to quickly list the sites that were visited.
Figure 1 shows the directory listing of local shared objects by domain.
Note that Flash-based advertisements also store local shared objects, so in some cases we have to consider whether the user deliberately visited the site in question. The origin of a local shared object is usually obvious (see Figure 2), but whether the user actually chose to visit that site may have to be inferred from further testing or additional evidence.
Figure 2: local shared object from a Flash advertisement
Local user account that visited the website
Because the .sol file lives under a specific %USERPROFILE% folder, it tells us which local user account was logged on when the file was saved.
Start and end times of site access
Because each .sol file is stored separately, we can use the file system timestamps to determine when the file was created and last modified. On Windows XP we can also use the last-access time to determine when the file was last read, which gives us an approximation of the last visit to the site. We must be careful, though: there is no rule that requires a site to read its local shared object on every visit. In most cases a site will read the objects it has stored on the client when it is visited, but if for some reason it does not, the access time will not change. Note also that last-access updates can be switched off in NTFS (NtfsDisableLastAccessUpdate) and are off by default on Vista, in which case the access time says nothing about later visits.
The creation time of the .sol file may tell us when the site was visited for the first time. Again, there is no guarantee that the local shared object was created on the very first visit, so this is hard to establish; the safest statement is that it is the earliest known access time. Other evidence on the system may confirm that this was indeed the first visit, or show an earlier one.
Returning to Figure 1, we can see that the earliest known access to mg3.mail.yahoo.com was on the morning of 11/27/2008; the last known access time is also shown in the figure. The times shown are the local time of the examined computer.
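The timeline reasoning above (domain from the directory layout, user from the profile path, first and last activity from the file timestamps, with the caveats about creation and access times) can be turned into a small script. The following is an added example, not code from the original article: it walks a #SharedObjects tree laid out as <random id>\<domain>\...\<name>.sol, collects the three timestamps per file, and brackets each domain's activity. The sample tree it builds in a temporary directory is constructed for the demonstration and is not real evidence; the timestamps in it are arbitrary values chosen for the example.

```python
import datetime as dt
import os
import tempfile
from pathlib import Path

# Added example. Assumed layout (as described in the text):
#   <Flash Player>\#SharedObjects\<random id>\<domain>\<optional path>\<name>.sol
# The fixture built by build_sample_tree() is constructed, not real evidence.


def domain_of(sol_path, shared_root):
    """Domain component of a .sol path, or None if the path is too short to be an LSO."""
    parts = Path(sol_path).relative_to(shared_root).parts
    # parts = (random id, domain, ..., file.sol)
    return parts[1] if len(parts) >= 3 else None


def lso_timeline(shared_root):
    """One row per .sol file with its file-system timestamps in epoch seconds."""
    shared_root = Path(shared_root)
    rows = []
    for p in shared_root.rglob("*.sol"):
        st = p.stat()
        rows.append({
            "domain": domain_of(p, shared_root),
            "path": str(p),
            "size": st.st_size,
            # st_birthtime where the platform exposes it; otherwise st_ctime, which is
            # the creation time on Windows but the inode-change time on POSIX.
            "created": getattr(st, "st_birthtime", st.st_ctime),
            "modified": st.st_mtime,
            "accessed": st.st_atime,
        })
    return sorted(rows, key=lambda r: r["created"])


def per_domain_summary(rows):
    """Bracket each domain's activity across all of its .sol files."""
    summary = {}
    for r in rows:
        d = summary.setdefault(r["domain"], {"files": 0, "first_seen": r["modified"], "last_seen": r["modified"]})
        d["files"] += 1
        # Earliest of the three is the safest lower bound (a copied file keeps its mtime,
        # so "created" alone can be later than the content). Only mtime/atime serve as the
        # upper bound: POSIX ctime moves on any metadata change and says nothing about visits.
        d["first_seen"] = min(d["first_seen"], r["created"], r["modified"], r["accessed"])
        d["last_seen"] = max(d["last_seen"], r["modified"], r["accessed"])
    return summary


def build_sample_tree(root):
    """Constructed fixture: two domains, one of them an ad network, with chosen timestamps."""
    profile = Path(root) / "#SharedObjects" / "ABCD1234"
    samples = {
        ("mg3.mail.yahoo.com", "mail.sol"): (1227783600, 1228000000),        # (atime, mtime)
        ("ad.doubleclick.net", "ads", "track.sol"): (1227000000, 1227000000),
    }
    for parts, (atime, mtime) in samples.items():
        p = profile.joinpath(*parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00\xbf")  # placeholder content; only the metadata matters here
        os.utime(p, (atime, mtime))
    return profile.parent


def demo():
    """Build the fixture in a temp directory and return (rows, per-domain summary)."""
    root = build_sample_tree(tempfile.mkdtemp())
    rows = lso_timeline(root)
    return rows, per_domain_summary(rows)


def fmt(epoch):
    """Render an epoch value as ISO-8601 UTC so times from different machines compare."""
    return dt.datetime.fromtimestamp(epoch, tz=dt.timezone.utc).isoformat()


if __name__ == "__main__":
    rows, summary = demo()
    for domain, d in sorted(summary.items()):
        print(f"{domain:22} files={d['files']} first={fmt(d['first_seen'])} last={fmt(d['last_seen'])}")
```

On a real image, point lso_timeline() at the mounted profile's #SharedObjects directory rather than at demo()'s fixture, and treat the printed bounds as "earliest known" and "last known" in the sense discussed above, not as proof of first or last visit.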
Data stored by the website
Flash makes local shared object data somewhat opaque by controlling the format and serializing everything into a binary stream (AMF, Action Message Format). That does not mean the data area can be ignored when you find a relevant file: string values are stored as plain text inside the binary, and I have found interesting plaintext in them, such as the text-based location information a weather website had saved.
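To show what that binary stream actually looks like, here is an added example that is not part of the original article: a minimal reader and writer for a .sol file whose payload is AMF0, the serialization used by Flash Player versions of this era. It also carves the printable strings, which is the quick first pass an examiner makes on the data area. The sample file is constructed here to resemble a weather site's saved location preferences; the key names in it are invented for the example, and AMF3 payloads (version field 3) are deliberately rejected rather than decoded.

```python
import re
import struct

# Added example (not the article's code): reader and writer for a .sol file with an
# AMF0 payload. Layout: 00 BF | u32 length | "TCSO" | 6 pad bytes | u16-prefixed name |
# u32 AMF version | repeated (u16-prefixed key, AMF0 value, 00 trailer). Sample data is constructed.
SOL_MAGIC, SOL_TAG, SOL_PAD = b"\x00\xbf", b"TCSO", b"\x00\x04\x00\x00\x00\x00"

class AMF0Reader:
    """Cursor over bytes decoding the AMF0 types that .sol files commonly contain."""
    def __init__(self, buf, pos=0):
        self.buf, self.pos = buf, pos

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError(f"truncated data at offset {self.pos}")
        chunk, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        return chunk

    def num(self, fmt):                    # big-endian integer or double per struct format
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def utf8(self):                        # u16 length + UTF-8 bytes (readable in a hex dump)
        return self.take(self.num(">H")).decode("utf-8")

    def value(self):
        t = self.num(">B")
        if t == 0x00:                      # number: IEEE-754 double
            return self.num(">d")
        if t == 0x01:                      # boolean
            return bool(self.num(">B"))
        if t == 0x02:                      # string
            return self.utf8()
        if t == 0x03:                      # object: members until "" key + 0x09 end marker
            return self.members()
        if t in (0x05, 0x06):              # null / undefined
            return None
        if t == 0x08:                      # ECMA array: u32 count, then members like an object
            self.num(">I")
            return self.members()
        if t == 0x0A:                      # strict array: u32 count + values
            return [self.value() for _ in range(self.num(">I"))]
        raise ValueError(f"unsupported AMF0 type 0x{t:02x} at offset {self.pos - 1}")

    def members(self):
        obj = {}
        while True:
            key = self.utf8()
            if key == "":
                if self.num(">B") != 0x09:
                    raise ValueError("missing object-end marker")
                return obj
            obj[key] = self.value()

def parse_sol(data):
    """Return {'name': ..., 'values': {...}} from an AMF0 .sol file; raise on malformed input."""
    if data[:2] != SOL_MAGIC or data[6:10] != SOL_TAG:
        raise ValueError("not a SOL file (bad magic or missing TCSO tag)")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field does not match file size (truncated or padded)")
    r = AMF0Reader(data, 16)               # skip 2 magic + 4 length + 4 tag + 6 pad bytes
    name, version = r.utf8(), r.num(">I")
    if version != 0:
        raise ValueError(f"AMF{version} payload; this example handles AMF0 only")
    values = {}
    while r.pos < len(data):
        key = r.utf8()
        values[key] = r.value()
        if r.num(">B") != 0x00:            # every top-level pair ends with a 0x00 byte
            raise ValueError(f"missing trailer byte after key {key!r}")
    return {"name": name, "values": values}

def amf0_value(v):
    """Encode a Python value as AMF0 (just enough to build the sample file)."""
    if isinstance(v, bool):
        return b"\x01" + bytes([int(v)])
    if isinstance(v, (int, float)):
        return b"\x00" + struct.pack(">d", float(v))
    if isinstance(v, str):
        return b"\x02" + struct.pack(">H", len(v.encode())) + v.encode()
    if v is None:
        return b"\x05"
    if isinstance(v, dict):
        members = b"".join(struct.pack(">H", len(k.encode())) + k.encode() + amf0_value(x) for k, x in v.items())
        return b"\x03" + members + b"\x00\x00\x09"
    if isinstance(v, list):
        return b"\x0a" + struct.pack(">I", len(v)) + b"".join(amf0_value(x) for x in v)
    raise TypeError(f"cannot encode {type(v).__name__}")

def build_sol(name, values):
    """Assemble a complete AMF0 .sol file around the given top-level key/value pairs."""
    body = SOL_TAG + SOL_PAD + struct.pack(">H", len(name.encode())) + name.encode() + struct.pack(">I", 0)
    for k, v in values.items():
        body += struct.pack(">H", len(k.encode())) + k.encode() + amf0_value(v) + b"\x00"
    return SOL_MAGIC + struct.pack(">I", len(body)) + body

def plaintext_strings(data, min_len=4):
    """Carve printable ASCII runs: the quick first look an examiner gives the data area."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed sample resembling a weather site's saved location preferences (invented keys).
SAMPLE_SOL = build_sol("weatherPrefs", {
    "zip": "10001", "units": "F", "visits": 3,
    "lastCity": {"name": "New York", "lat": 40.71},
    "recent": ["10001", "10002"],
})
```

Running plaintext_strings(SAMPLE_SOL) already surfaces "New York" and the ZIP codes without any decoding, which is the point of the paragraph above; parse_sol(SAMPLE_SOL) then recovers the full key/value structure. The length check matters in practice: a .sol recovered from unallocated space or a partial copy fails it, and the parser refuses rather than silently returning a half-decoded object.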
III. Flash cookie Tool
BetterPrivacy, a Firefox extension, finds and removes local shared objects on the local system. It is not recommended as a forensic tool, since it has to be installed and run on a live system, but one of the best ways to understand this kind of evidence is to examine a system whose behaviour you already know, such as your own. BetterPrivacy lets you easily view and manage the local shared objects on a running system.
Figure 3: screenshot of the BetterPrivacy extension
IV. Summary
Flash cookies are a privacy problem and, for exactly the same reasons, good forensic evidence: the .sol files persist independently of the browser's cookie store, are organized by domain, sit under a specific user profile, carry file-system timestamps that bracket the user's visits (with the caveats noted above), and often hold readable data the site saved. Knowing where they live and how to read them is most of the work.