A Postmortem Forensic Analysis for a JavaScript Based Attack

  • Sally MosaadEmail author
  • Nashwa Abdelbaki
  • Ahmed F. Shosha


Nowadays, users and corporates are more and more connected to the web. User accesses her/his sensitive business/non-business applications using a web browser. There are numerous browsers’ based attacks and many of them are implemented using JavaScript. One of these attacks is Drive-by-Download. Security researchers introduced several tools and techniques to detect and/or prevent this serious attack. Few address the browser forensics to identify the attack traces/evidences and reconstruct the executed events of a downloaded malicious content. In this study, we introduce a postmortem forensic methodology that investigates a web browser subjected to Drive-by-Download attack. We develop a Firefox browser extension (FEPFA) to delve into the malicious URLs. The developed system is tested on malicious web pages and successfully identifies the digital evidences of the attack. The majority of the collected evidences were non-volatile evidences that could assist forensic investigator in the postmortem analysis.


  1. 1.
    Afonso, V. M., Grgio, A. R. A., Fernandes Filho, D. S., & de Geus, P. L. (2011). A hybrid system for analysis and detection of web-based client-side malicious code. In Proceedings of the IADIS international conference www/internet (Vol. 2011).Google Scholar
  2. 2.
    Canali, D., Cova, M., Vigna, G., & Kruegel, C. (2011, March). Prophiler: a fast filter for the large-scale detection of malicious web pages. In Proceedings of the 20th international conference on world wide web (pp. 197–206). ACM.Google Scholar
  3. 3.
    Catakoglu, O., Balduzzi, M., & Balzarotti, D. (2016, April). Automatic extraction of indicators of compromise for web applications. In Proceedings of the 25th international conference on WorldWideWeb (pp. 333–343). InternationalWorldWideWeb Conferences Steering Committee.Google Scholar
  4. 4.
    Choi, J. H., Lee, K. G., Park, J., Lee, C., & Lee, S. (2012). Analysis framework to detect artifacts of portable web browser. In Information technology convergence, secure and trust computing, and data management (pp. 207–214). Netherlands: Springer.Google Scholar
  5. 5.
    Cova, M., Kruegel, C., & Vigna, G. (2010, April). Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of the 19th international conference on world wide web (pp. 281–290). ACM.Google Scholar
  6. 6.
    Curtsinger, C., Livshits, B., Zorn, B. G., & Seifert, C. (2011, August). ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection. In USENIX security symposium (pp. 33–48).Google Scholar
  7. 7.
    De Maio, G., Kapravelos, A., Shoshitaishvili, Y., Kruegel, C., & Vigna, G. (2014, July). Pexy: The other side of exploit kits. In International conference on detection of intrusions and malware, and vulnerability assessment (pp. 132–151). Cham: Springer.Google Scholar
  8. 8.
    Fratantonio, Y., Kruegel, C., & Vigna, G. (2011, September). Shellzer: a tool for the dynamic analysis of malicious shellcode. In International workshop on recent advances in intrusion detection (pp. 61–80). Berlin Heidelberg: Springer.Google Scholar
  9. 9.
    Gu, B., Zhang, W., Bai, X., Champion, A. C., Qin, F., & Xuan, D. (2012, September). Jsguard: shellcode detection in JavaScript. In International conference on security and privacy in communication systems (pp. 112–130). Berlin Heidelberg: Springer.Google Scholar
  10. 10.
    Invernizzi, L., & Comparetti, P. M. (2012, May). Evilseed: A guided approach to finding malicious web pages. In 2012 IEEE symposium on security and privacy (SP), (pp. 428–442). IEEE.Google Scholar
  11. 11.
    Jayasinghe, G. K., Culpepper, J. S., & Bertok, P. (2014). Efficient and effective realtime prediction of drive-by download attacks. Journal of Network and Computer Applications, 38, 135–149.CrossRefGoogle Scholar
  12. 12.
    Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., & Vigna, G. (2013, August). Revolver: An automated approach to the detection of evasive web-based malware. In USENIX security (pp. 637–652).Google Scholar
  13. 13.
    Kolbitsch, C., Livshits, B., Zorn, B., & Seifert, C. (2012, May). Rozzle: De-cloaking internet malware. In 2012 IEEE symposium on security and privacy (SP), (pp. 443–457). IEEE.Google Scholar
  14. 14.
    Kotov, V., & Massacci, F. (2013, February). Anatomy of exploit kits. In International symposium on engineering secure software and systems (pp. 181–196). Berlin Heidelberg: Springer.Google Scholar
  15. 15.
    Laskov, P., & Šrndić, N. (2011, December). Static detection of malicious JavaScript-bearing PDF documents. In Proceedings of the 27th annual computer security applications conference (pp. 373–382). ACM.Google Scholar
  16. 16.
    Ligh, M., Adair, S., Hartstein, B., & Richard, M. (2010). Malware analyst’s cookbook and DVD: Tools and techniques for fighting malicious code. Hoboken, NJ: Wiley.Google Scholar
  17. 17.
    Lu, L., Yegneswaran, V., Porras, P., & Lee, W. (2010, October). Blade: An attack-agnostic approach for preventing drive-by malware infections. In Proceedings of the 17th ACM conference on computer and communications security (pp. 440–450). ACM.Google Scholar
  18. 18.
    Mohamed, S. M., Abdelbaki, N., & Shosha, A. F. (2016, January). Digital forensic analysis of web-browser based attacks. In Proceedings of the international conference on security and management (SAM) (p. 237). The Steering Committee of the World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp).Google Scholar
  19. 19.
    Oh, J., Lee, S., & Lee, S. (2011). Advanced evidence collection and analysis of web browser activity. Digital Investigation, 8, S62–S70.CrossRefGoogle Scholar
  20. 20.
    Ohana, D. J., & Shashidhar, N. (2013). Do private and portable web browsers leave incriminating evidence?: A forensic analysis of residual artifacts from private and portable web browsing sessions. EURASIP Journal on Information Security, 2013(1), 6.CrossRefGoogle Scholar
  21. 21.
    Ratanaworabhan, P., Livshits, V. B., & Zorn, B. G. (2009, August). NOZZLE: A defense against heap-spraying code injection attacks. In USENIX security symposium (pp. 169–186).Google Scholar
  22. 22.
    Van Overveldt, T., Kruegel, C., & Vigna, G. (2012, September). FlashDetect: ActionScript 3 malware detection. In International workshop on recent advances in intrusion detection (pp. 274–293). Berlin Heidelberg: Springer.Google Scholar
  23. 23.
    Virvilis, N., Mylonas, A., Tsalis, N., & Gritzalis, D. (2015). Security busters: Web browser security vs. rogue sites. Computers & Security, 52, 90–105.CrossRefGoogle Scholar
  24. 24.
    Xing, X., Meng, W., Lee, B., Weinsberg, U., Sheth, A., Perdisci, R., & Lee, W. (2015, May). Understanding malvertising through ad-injecting browser extensions. In Proceedings of the 24th international conference on world wide web (pp. 1286–1295). ACM.Google Scholar
  25. 25.
    Zhang, J., Seifert, C., Stokes, J. W., & Lee, W. (2011, March). Arrow: Generating signatures to detect drive-by downloads. In Proceedings of the 20th international conference on world wide web (pp. 187–196). ACM.Google Scholar

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Sally Mosaad
    • 1
    Email author
  • Nashwa Abdelbaki
    • 1
  • Ahmed F. Shosha
    • 1
  1. 1.Nile UniversityCairoEgypt

Personalised recommendations