Flash cookies have been a hot topic lately with the release of an excellent research paper titled Flash Cookies and Privacy. Flash Cookies, or local Shared Objects in Macromedia parlance, are a great example of a forensic artifact that has existed for a long time but was virtually ignored until someone decided to shine some light on it. Whenever I see new research about problematic privacy controls, I immediately get out my notepad, because I know that I am going to find some great artifacts that can help in my forensic investigations.First some basics:
- Macromedia Flash has become ubiquitous on the web, providing features such as streaming video and a "rich client" experience. Many of the most popular sites on the web are dependent on Flash, and thus a high percentage of Internet users have installed the Flash plug-in.
- The Flash standard incorporates local Shared Objects (LSOs), which allow data (such as preferences) to be stored in the local Flash instance on a user's machine.
- LSOs are stored as individual files with a .SOL file extension. By default they are less than 100 kB in size and have no expiration (unlike traditional HTTP cookies).
- I have found .SOL files in two locations on the local system: %user profile%\Application Data\Macromedia\Flash Player and %user profile%\Application Data\Macromedia\Flash Player\#SharedObjects\<random profile id>\ (%user profile% is shorthand for where the user folders reside - typically C:\Documents and Settings\<account name>\ on a XP system). For Vista analysis, you will need to look in the Roaming folder within %user profile%.
- LSOs are not browser based, so there is currently no easy way for the average user to remove them (simply deleting the files does the job, but a user would need to know where they are located). This makes LSOs very persistent on the local system.
Analysis
For our purposes, the term Flash Cookies is an apt descriptor for LSOs since they give very similar information to what we find in traditional HTTP cookies. Those of you that have taken the SANS SEC 408 Computer Forensic Essentials course will recall that HTTP cookies can give us the following information:
Websites that were visited
Macromedia Flash requires that LSOs be stored hierarchically by domain. This is one way it is able to enforce the rule that each domain may only store up to 100k on the local system. From our perspective, this gives us a very handy means for quickly reviewing the sites visited.
Figure 1: Directory listing displaying LSO domains
One thing to note is that Flash based advertisements also have the ability to save LSOs. This is important because in some cases we can't necessarily conclude that it was the user's intent to access the domain. The origin of the LSO is often obvious (see Figure 2), but further testing or additional artifacts may be necessary to make any definitive conclusions.
Figure 2: LSO saved from a Flash advertisement
Local user account that visited the site
Recall that the .SOL files are located within the %user profile% folder, indicating the account that was logged in when the LSO was saved.
When the site was first and last visited
Since the .SOL files are saved individually, we have a nice set of file system timestamps to utilize. On Windows XP (which has Access time stamping on by default) we can use the Access Time to tell us when the LSO was last read. This can potentially tell us when the site was last visited, but we have to be careful since I am not aware of any standard that requires an issuing site to read the LSO. It is certainly in their best interests and in my testing all appear to be doing so, but if the site does not read the LSO for some reason, the Access time will not be updated.
The .SOL file Creation Time can potentially tell us when the site was first visited. Again, we are not assured that the LSO was created on the first visit to the site, so it is difficult to be conclusive. A better way of looking at this would be the "first known visit to the site". Other artifacts on the system may be able to corroborate this time or indicate an even earlier visit time.
So looking again at Figure 1, we can see that the first known visit to mg3.mail.yahoo.com was 11/27/2008 at 1:38am and the last known visit was 8/17/2009 at 5:27pm (local machine time).
Data stored by the website
Flash specifically attempts to obfuscate data within each LSO by controlling the format and forcing a binary serialization of any stored data. That being said, if you find a relevant file, don't overlook this data area. I have found interesting tidbits such as text-based location information stored by a weather website.
Tools
While not recommended as a forensic tool (primarily because it requires installation / execution on a live system), the Better Privacy Firefox extension is a great tool for identifying (and removing) LSOs on your local system. One of the best ways to learn about forensic artifacts is by reviewing them on a system with known behavior (i.e. your own system). The Better Privacy plug-in allows you to easily review (and manage) LSOs on a live system.
Figure 3: Better Privacy Firefox Plug-in Screenshot
This is just a first look at Flash Cookies — I encourage our readers to post any links or information they have discovered in the blog comments.
Chad Tilbury, GCFA, has spent over ten years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. He teaches FOR408 Windows Forensics and FOR508 Advanced Computer Forensic Analysis and Incident Response for the SANS Institute. Find him on Twitter @chadtilbury or at http://ForensicMethods.com.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
