Browser search analysis plugin

Notes on how to use the browser_search analysis plugin.

Running the analysis plugin

First run log2timeline to extract events:

log2timeline.py --storage-file timeline.plaso image.raw

Note that the browser search analysis plugin analyzes URLS in web history data such as events with data type:

• chrome:autofill:entry

• chrome:cache:entry

• chrome:cookie:entry

• chrome:extension_activity:activity_log

• chrome:history:file_downloaded

• chrome:history:page_visited

• cookie:google:analytics:utma

• cookie:google:analytics:utmb

• cookie:google:analytics:utmt

• cookie:google:analytics:utmz

• firefox:cache:record

• firefox:cookie:entry

• firefox:downloads:download

• firefox:places:bookmark

• firefox:places:bookmark_annotation

• firefox:places:bookmark_folder

• firefox:places:page_visited

• msiecf:leak

• msiecf:redirected

• msiecf:url

• msie:webcache:container

• msie:webcache:containers

• msie:webcache:leak_file

• msie:webcache:partitions

• opera:history:entry

• opera:history:typed_entry

• safari:cookie:entry

• safari:history:visit

• safari:history:visit_sqlite

Next run psort to determine the browser searches:

psort.py --analysis browser_search -o null timeline.plaso

This will:

• extract information of searches performed in a browser, such as search engine, search term and number of queries

• tag corresponding events with the browser_search label

The analysis results can be reviewed with pinfo:

pinfo.py --report browser_search timeline.plaso