Skip to main content

Reconstructing Tabbed Browser Sessions Using Metadata Associations

Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT,volume 484)


Internet browsers support multiple browser tabs, each browser tab capable of initiating and maintaining a separate web session, accessing multiple uniform resource identifiers (URIs) simultaneously. As a consequence, network traffic generated as part of a web request becomes indistinguishable across tabbed sessions. However, it is possible to find the specificity of attribution in the session-related context information recorded as metadata in log files (in servers and clients) and as network traffic related logs in routers and firewalls, along with their metadata. The forensic questions of “who,” “what” and “how” are easily answered using the metadata-based approach presented in this chapter. The same questions can help systems administrators decide on monitoring and prevention strategies. Metadata, by definition, records context information related to a session; such metadata recordings transcend sources.

This chapter presents an algorithm for reconstructing multiple simultaneous browser sessions on browser applications with multi-threaded implementations. Two relationships, coherency and concurrency, are identified based on metadata associations across artifacts from browser history logs and network packets recorded during active browser sessions. These relationships are used to develop the algorithm that identifies the number of simultaneous browser sessions that are deployed and then reconstructs the sessions. Specially-designed experiments that leverage timing information alongside the browser and session contexts are used to demonstrate the processes for eliciting intelligence and separating and reconstructing tabbed browser sessions.


  • Tabbed browser sessions
  • Metadata association
  • Session reconstruction


  1. Chromium Projects, Multi-Process Architecture (2016).

  2. Cohen, M.: PyFlag - An advanced network forensic framework. Digital Investigation 5(S), S112–S120 (2008)

    CrossRef  Google Scholar 

  3. Combs, G.: Wireshark (2016).

  4. Grosskurth, A., Godfrey, M.: A reference architecture for web browsers. In: Proceedings of the Twenty-First IEEE International Conference on Software Maintenance, pp. 661–664 (2005)

    Google Scholar 

  5. Lwin, N.: Agent based web browser. In: Proceedings of the Fifth International Conference on Autonomic and Autonomous Systems, pp. 106–110 (2009)

    Google Scholar 

  6. Mozilla, Mozilla Browser Architecture, Mountain View, California (2014)

    Google Scholar 

  7. Neasbitt, C., Perdisci, R., Li, K.: ClickMiner: towards forensic reconstruction of user-browser interactions from network traces. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 1244–1255 (2014)

    Google Scholar 

  8. Oh, J., Lee, S., Lee, S.: Advanced evidence collection and analysis of web browser activity. Digital Investigation 8(S), S62–S70 (2011)

    CrossRef  Google Scholar 

  9. Raghavan, S., Raghavan, S.: AssocGEN: engine for analyzing metadata-based associations in digital evidence. In: Proceedings of the Eighth International Workshop on Systematic Approaches to Digital Forensic Engineering (2013)

    Google Scholar 

  10. Raghavan, S., Raghavan, S.: Determining the origin of downloaded files using metadata associations. Journal of Communications 8(12), 902–910 (2013)

    MathSciNet  CrossRef  Google Scholar 

  11. Xie, G., Iliofotou, M., Karagiannis, T., Faloutsos, M., Jin, Y.: ReSurf: reconstructing web-surfing activity from network traffic. In: Proceedings of the IFIP Networking Conference (2013)

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Sriram Raghavan .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 IFIP International Federation for Information Processing

About this paper

Cite this paper

Raghavan, S., Raghavan, S.V. (2016). Reconstructing Tabbed Browser Sessions Using Metadata Associations. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XII. DigitalForensics 2016. IFIP Advances in Information and Communication Technology, vol 484. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46278-3

  • Online ISBN: 978-3-319-46279-0

  • eBook Packages: Computer ScienceComputer Science (R0)