Law enforcement uses anti-virus software to recover suspect's web history

Let's mainstream the idea that privacy is almost impossible in the face of digital forensics. Avast's anti-virus leaving behind a database of browsing history, private-browsing sessions included, is a stark illustration of this.


There are two kinds of people: those who believe in digital privacy, and those who are familiar with forensics.

You see, when we interact with operating systems, applications or websites, we leave behind an incredible variety of forensic residue in local storage, referred to as "artifacts." Like most forensic artifacts, the SQLite file that Avast's anti-virus leaves behind has profound privacy implications. This unencrypted database records browsing history under a surprising number of conditions, and it has now been used by law enforcement as evidence against a suspect.

Consumer and privacy advocates might feel outrage at seeing personal details left in the open. Forensics practitioners do not. Most applications leave a long digital trail. When programmers write operating systems, applications or client-side web code, their software inadvertently retains information about users and their activities. These bits of information end up in RAM, system files, cookies or database files. Forensic residue is not easily preventable; it is almost a natural phenomenon. This is why law enforcement takes forensic images of suspects' local storage and RAM and then pulls out known artifacts to reconstruct activity.

How the Naval Criminal Investigative Service (NCIS) found Avast's database

Technology vendors never intended for anyone to look inside their software's innards. Forensic artifacts are certainly not documented, they're reverse engineered. Forensic technology is built by this community of researchers mapping out these artifacts. To tell this story about the evidence left behind by anti-virus software from Avast, meet Justin Bartshe. Justin is a notable forensic practitioner. I first met Justin when he took top prize in the Forensic Research Awards held last year by Guidance Software, the makers of EnCase. Justin Bartshe works at NCIS under the Cyber Operations Field Office (CFBO).

Mr. Bartshe wouldn't disclose the details of the criminal case that used the Avast artifact. But digital investigations often deal with some of the darkest aspects of criminality, like sex crimes, child abuse and pedophilia. Examiners often encounter information in unstructured data that has not been mapped out as a known artifact. As Justin recounts, “I wasn’t targeting any specific database or file. Basic search routines were performed to view user data and in one particular case, I noted gaps in the user’s browsing history. Several relevant entries were identified in the Avast URL.db that filled those gaps.”

Forensics is a science and reverse engineering is its tradecraft

Like his counterparts, Justin is part security researcher, part law enforcement officer, and part scientist. Yes, forensics is considered a science: findings submitted to a court must be reproducible by others. To complete his case, Justin did what examiners do when they encounter a new artifact: he worked out the reproducible conditions under which Avast records web browsing.

“The real surprise came when noting that even files downloaded using 'InPrivate' and 'Incognito' browsing modes were also tracked by this database.” On today's internet, where nearly every page pulls in multimedia and JavaScript files, a database that tracks downloaded files could end up recording pretty much every site one visits.

Mr. Bartshe further elaborates, “The conditions that led to the user’s history being stored appear largely dependent on the type of browser. In Avast Free Antivirus (version 17.5.2302 during testing), history artifacts were found more often when using Internet Explorer or Microsoft’s new Edge browser. Some items could be found relative to Chrome and Firefox (pre-Quantum), but on a much smaller scale.”
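The triage Justin describes, comparing a browser's own history against an undocumented anti-virus database and keeping whatever fills the gaps, can be scripted. The example below is added here and is not Justin's code or Avast's; the page does not document URL.db's schema, so the scanner walks every table and column rather than assuming names, and the sample database it builds (table `scanned_items`, a `blobs` table, the URLs in them) is constructed for illustration only.

```python
import re
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Matches http(s) URLs and stops at whitespace, quotes, angle brackets or
# control bytes, so a NUL-terminated string carved out of a BLOB is trimmed.
URL_RE = re.compile(r"""https?://[^\x00-\x20'"<>]+""", re.IGNORECASE)


def harvest_urls(db_path: str) -> Dict[str, List[str]]:
    """Schema-agnostic scan of a SQLite artifact: read every table, inspect
    every TEXT or BLOB cell and collect anything that looks like a URL.
    Returns {table_name: [urls...]} for tables that yielded hits."""
    found: Dict[str, List[str]] = {}
    # Open read-only so the evidence file is never modified by the examiner.
    uri = f"{Path(db_path).resolve().as_uri()}?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            hits: List[str] = []
            quoted = '"' + table.replace('"', '""') + '"'
            for row in con.execute(f"SELECT * FROM {quoted}"):
                for cell in row:
                    if isinstance(cell, bytes):
                        cell = cell.decode("utf-8", "ignore")
                    if isinstance(cell, str):
                        hits.extend(URL_RE.findall(cell))
            if hits:
                found[table] = hits
    finally:
        con.close()
    return found


def fill_gaps(browser_history: Set[str], harvested: Dict[str, List[str]]) -> Set[str]:
    """URLs present in the AV artifact but absent from the browser's own
    history: the entries that 'fill the gaps' in the user's timeline."""
    av_urls = {url for urls in harvested.values() for url in urls}
    return av_urls - browser_history


def build_sample_db(path: str) -> None:
    """Constructed sample, NOT a real Avast URL.db: table names, columns and
    rows are invented so the scan can be demonstrated offline."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE scanned_items (id INTEGER PRIMARY KEY, origin TEXT,
                                    verdict TEXT, ts INTEGER);
        INSERT INTO scanned_items VALUES
            (1, 'https://example.com/downloads/setup.exe', 'clean', 1500000000),
            (2, 'https://private.example.net/photo.jpg', 'clean', 1500000100),
            (3, 'not a url at all', 'clean', 1500000200);
        CREATE TABLE blobs (id INTEGER PRIMARY KEY, data BLOB);
        -- 'https://cdn.example.org/page' followed by a NUL terminator
        INSERT INTO blobs VALUES
            (1, X'68747470733a2f2f63646e2e6578616d706c652e6f72672f7061676500');
    """)
    con.commit()
    con.close()


def demo() -> Set[str]:
    """Build the sample artifact, scan it and diff it against a constructed
    browser history that only knows about the installer download."""
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "URL.db")
        build_sample_db(db)
        harvested = harvest_urls(db)
        history = {"https://example.com/downloads/setup.exe"}
        return fill_gaps(history, harvested)


if __name__ == "__main__":
    for url in sorted(demo()):
        print("gap filled by AV artifact:", url)
```

Run against a real artifact, `harvest_urls` is only a first pass: it reads live rows through the SQLite engine, so deleted records still sitting in free pages need a separate carving step, and URL normalisation (trailing slashes, case of the host) should be applied before diffing against browser history.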

Time to destroy the illusion of digital privacy

I wanted to write this article because forensic researchers have a fascinating habit of operating under the radar. They share artifact discoveries within their law enforcement or Digital Forensics and Incident Response (DFIR) communities, yet you typically don't see them publicize findings. You won't see them grab headlines the way traditional security researchers do when they announce exploits of cars, airplanes or IoT devices. Perhaps this culture of discretion evolves from overexposure to secrets. On a given day, a forensic practitioner might review their CEO's browsing history, read sensitive intellectual property, or witness images of unspeakable crimes.

Anti-virus providers should put more work into protecting, or simply not retaining, records of web activity, but that's not the point. They're just a fascinating example with which to tell the story of people like Justin Bartshe. Had the trail not been in Avast's database, a seasoned forensic examiner would have found the same digital trail elsewhere. It's time to mainstream the idea that, right or wrong, there is no digital privacy once a forensic examiner possesses your storage device.

I'll always remember my first forensics class; my instructor was a veteran of law enforcement. He commented that one's web browsing history was “a window into the soul.” He explained that “everyone has a dark side or different personality on the Internet,” even the most mundane humans. I'll leave you with the great conundrum that digital citizens face in modern times. If your hard drive falls into the wrong hands, do you want your dark side exposed to the world?

Copyright © 2018 IDG Communications, Inc.
