Chapter 7: Spying on Web Browsing – Cyber Spying Tracking Your Family's (Sometimes) Secret Online Lives

Chapter 7

Spying on Web Browsing

The printing press is either the greatest blessing or the greatest curse of modern times, sometimes one forgets which it is. — E. F. Schumacher


Like the printing press, radio, and television, Web browsers have revolutionized the way people obtain information. The World Wide Web (WWW) has become the premier information source for most of the world. It offers a faster, more expansive view of the news and other events than most traditional media. In some government-controlled states where all media is “approved,” people use the Web to learn about events in the outside world as reported by relatively unbiased sources. Everywhere else it has been embraced as a quick and convenient method of finding information.

To fully appreciate just how powerful and pervasive the Internet has become, ponder these figures from the U.S. Department of Commerce: it took radio 38 years to reach an audience of 50 million, it took television 13 years, and it took the Internet only four. This rapid growth demonstrates just how much this network of computers has become a part of people’s lives.

What Is Web Browsing?

To many people, Web browsing is the Internet. The advent of the WWW revolutionized how people used and viewed the Internet. It is one of the major factors responsible for the popularity of the Internet. Web browsing has created an easy way for people to publish and view all types of information and has allowed many to share their views and perspectives. Web browsing involves two separate entities: a server that contains the Web pages and a browser that displays them.

A Web page itself consists of two main components: its core information that is to be presented and directions on how to display the information. When you use a Web browser to read a page, your browser starts by sending a “request” to the remote server. The server reads the request and sends the browser a copy of the Web page. This copy is then stored on your machine and displayed by your browser. The Web browser interprets the instructions in the page to display the images, text, and multimedia elements as the designer intended. By having the browser actually interpret the instructions, the amount of information that must be passed between the Web server and your computer is significantly reduced.

Web pages are written in Hypertext Markup Language (HTML), which is a simple text-based representation of the core information and the instructions to display it. As a result, raw Web pages can be viewed in any text editor, such as Notepad or Microsoft Word. At first glance, raw HTML may look odd, as most of it will be the markup commands used to tell the browser how to format and display the contents. If you look carefully, you will find the core or main information that the page is trying to convey.

The first Web pages were completely text based with little markup and no graphics. Over time, capabilities have been added to improve the Web-surfing experience. Modern Web pages can embed Java applications, Flash animations, media, and images. Flash animations are embedded in Web pages in such a manner that when the page is retrieved from the server, the animation is shown. The advent of rich multimedia and fast connectivity has allowed the Web to flourish. It has gotten so popular and content rich that it rivals traditional media outlets such as television and newspapers. In fact, many people no longer subscribe to newspapers because they read the content via the Web.

What Can You Get from Web Browsing?

Because Web browsers are the main entrance to the Internet for most people, it is important to know what kind of information you can find when exploiting one. For most people, the online experience starts and ends with a Web browser, which they may use to read Web mail online, shop, bank, pay bills, and search for topics of interest. Being able to monitor a Web browser offers an opportunity to skim vital intelligence from these activities. Several important areas you can collect information from are Web mail, online accounts, sites visited (histories), and multimedia. Using the information from these areas, you can reconstruct a good deal of your target’s online activity.

Web Mail

Web mail is currently the trendy way for sending and viewing e-mail. E-mail in its pure form has been around since the dawn of the Internet. In the older days, it was viewed and composed with text-based programs on the servers that people logged into. By the mid-90s, some programs such as America Online’s (AOL’s) email software, Eudora, and Microsoft Outlook allowed people to download their e-mail from the servers to view and store on their personal computers. Using these same programs, people could write and respond to the downloaded messages and transmit the new mail back through their mail servers. These mail programs had many advantages; people no longer had to log in to difficult mail servers and struggle with UNIX commands to view their e-mail. However, there were also several disadvantages posed by these tools. Because mail was downloaded to a specific application, management became much more difficult. Viewing e-mail couldn’t be done without a computer that had e-mail software. If you wanted to view e-mail from multiple computers, there were coordination problems between the different clients on the different machines.

In the mid to late 90s, Web mail began to appear. Realizing the increasing role of Web browsers in the Internet experience, clever programmers began to develop a Web interface to traditional e-mail. Users could log on to a Web site and view a Web representation of their e-mail box. While initially rather crude and plain, Web mail has improved over the last few years. Current implementations have more advanced features and closely resemble more advanced client-side e-mail programs. Web mail allows people to read and write e-mail with only a Web browser as their client program. Now, you can view e-mail from any machine that has a Web browser. This is great for people who travel or rarely sit at the same computer.

Because e-mail is now combined into the ubiquitous WWW, collection strategies that work against browsers have the opportunity to provide you with your target’s e-mail.

Online Accounts

With the rise in the use of Web mail, several other types of online transactions have also risen in popularity. It is not unusual for people to do banking, bill paying, and shopping online. In most of those cases, a person would have an account with the respective institution. There are also other situations where a person would have a virtual online account. They may be a member of different hobby clubs that have their own respective Web sites and message forums. These online accounts are often accessed through Web browsers.

Being able to monitor these activities can be extremely useful. By combining most of a person’s economic transactions (shopping, bills, banking) with some of his or her leisure transactions (online forums, and so on), you can build a fairly complete picture of what a person has going on in his or her life. By focusing on and exploiting the common ground of Web browsers, you can collect a lot of information from one location.

Sites Visited

Most browsers keep a history of the sites they have been to. A history can also be obtained from the network by recording all of the HTTP requests for different Uniform Resource Locators (URLs). Although seemingly useless by itself, a list of visited sites can help shine light on people’s interests and happenings. Are they visiting the same Web mail site daily? Hourly? If so, they are probably expecting important e-mail. Do they go to the same Personals site continually? Once again, this gives you more information about what a person is doing.


Multimedia

Multimedia can be valuable for a number of reasons. First, in itself it can be directly incriminating. For example, pornography on your family computer, while not necessarily illegal, shows that there is a member of the family with an interest in it. Multimedia content such as images and Flash movies can also lead to clues about different sites. Are the images cars, computers, or single eligible women? Do the Flash animations advertise for technology companies, promote the virtues of the new Ford Mustang, or tell a naughty story? Close examination of the multimedia material that comes with Web sites can help lead you to an idea of intent without ever having to examine the Web site.

Typical Web Browsers

A browser is used to access Web pages on the Internet. It is an application program on your computer that handles Web content. The Web browser will request, download, and display Web pages as you “surf” the Internet. There are many different Web browsers, with some of the most popular being Internet Explorer; Mozilla and its light version, Mozilla Firefox; and Netscape. There are many other Web browsers available; some are free, and some are available for a small price. Each has its own features, shortcomings, and eccentricities.

Currently, Internet Explorer is the most popular Web browser used; however, Mozilla Firefox is making gains. Regardless of all the bells and whistles that each Web browser advertises, they all have the same basic functionality: bookmarks, a history file, and a cache. These three commonalities are critical locations that can be examined for clues of different activities. As demonstrated in the previous chapter, some Web browsers even have the capability to remember user names and passwords. This feature was designed to enable faster surfing because you don’t need to constantly log into a Web site, but it can also be a large security risk that you can take full advantage of.

All Web browsers have the capability to bookmark favorite Web sites that a user visits regularly. By selecting a drop-down menu with a list of bookmarked pages, the user can be taken directly to that page without having to remember the site’s Web address. Depending on the browser, bookmarks are sometimes referred to as “favorites.” Bookmarks are a good indication of what sites a person regularly visits, or more importantly, has deemed essential enough to remember. Most Web browsers include some of their own bookmarks, but these are generally sites that would not be cause for alarm. Similarly, Web browsers maintain a history. In the previous chapter, we showed you how this history can be used to determine the recent Web activity of a machine.

The cache contains the very sites that the Web browser has recently displayed to the user. When a user browses to the Web site, the Web page is downloaded to the computer and stored in the cache. The browser then displays a copy of the Web page that it has downloaded. After the user has surfed to another page, that copy of the Web page remains in the cache. This is maintained for efficiency in the event that the user returns to the page within a short period of time. The Web browser determines if the Web page on the Web server is newer than the one in the cache, and if it is, the Web page is downloaded. Otherwise, the cached copy is displayed. Most Web browsers can be configured to check for a new version of a saved page every time, never, or only when the browser is restarted. By using a cache, the Web browser attempts to minimize the amount of data that needs to be sent. A cache has a set amount of size that it can utilize. Once this space has been filled up, older Web pages are deleted. Users can also clear out their cache to hide their tracks. A cache is a wonderful part of a Web browser that enables it to serve up Web pages faster and more efficiently, yet can be used to gain an insight into the activities on the computer.

Cookies are small files that are used in Web surfing for a variety of reasons. Many sites configure the Web server to send a cookie, in addition to the requested page, that is stored on your local machine. The next time you go to the Web site, the server will ask if you have a cookie; if you do, that cookie is sent to the Web server. The most common use of a cookie is to save information about you such as your IP address or an assigned ID so that the server can quickly determine who you are. Many Web sites offer an option at sign-in to have the server remember your information; that information is stored in a cookie. There are many other useful aspects to cookies; however, in the past they have gotten a bad name because some Web sites have taken advantage of them and used them maliciously. As a result of nefarious cookies, most Web browsers allow their users to forbid cookies from being saved on their machine. This option can help prevent some nefarious activities, but most people allow cookies because many legitimate sites use them.
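As an added illustration (not code from the book), the following Python acts out the two mechanisms just described: a browser cache that asks the server whether a page has changed before downloading it again, and a cookie that the server sets once and the browser returns on every later request. The host name, page contents, timestamps and session IDs are all constructed.

```python
# Added example, not code from the book: a toy server and a toy browser that
# act out the cache check and the cookie exchange described above.
# Host name, page contents, timestamps and session IDs are all constructed.
import email.utils
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


class ToyServer:
    """Serves one page, reports its Last-Modified time, and hands out a cookie."""

    def __init__(self, page: bytes, last_modified: float):
        self.page = page
        self.last_modified = last_modified
        self.next_session = 1000   # constructed session counter
        self.requests = []         # headers of every request seen

    def handle(self, headers: dict) -> Response:
        self.requests.append(dict(headers))
        out = {"Last-Modified": email.utils.formatdate(self.last_modified, usegmt=True)}
        if "Cookie" not in headers:
            # First contact: assign an ID the browser will present from now on.
            self.next_session += 1
            out["Set-Cookie"] = f"session={self.next_session}"
        ims = headers.get("If-Modified-Since")
        if ims and email.utils.parsedate_to_datetime(ims).timestamp() >= self.last_modified:
            return Response(304, out, b"")        # unchanged: send no body
        return Response(200, out, self.page)      # new or changed: full page


class ToyBrowser:
    """Keeps a page cache and a cookie jar, as the chapter describes."""

    def __init__(self, server: ToyServer):
        self.server = server
        self.cache = {}    # url -> (Last-Modified header, body)
        self.cookies = {}  # cookie name -> value
        self.log = []      # where each fetch was satisfied from

    def fetch(self, url: str) -> bytes:
        headers = {"Host": "example.test"}   # constructed host name
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        if url in self.cache:
            # Ask whether the server copy is newer than the cached one.
            headers["If-Modified-Since"] = self.cache[url][0]
        resp = self.server.handle(headers)
        if "Set-Cookie" in resp.headers:
            name, value = resp.headers["Set-Cookie"].split("=", 1)
            self.cookies[name] = value
        if resp.status == 304:
            self.log.append("cache")
            return self.cache[url][1]
        self.cache[url] = (resp.headers["Last-Modified"], resp.body)
        self.log.append("network")
        return resp.body

    def clear_cache(self) -> None:
        """The 'clear cache' button: pages go, cookies stay (a separate store)."""
        self.cache.clear()


def demo() -> dict:
    t0 = 1_100_000_000   # constructed epoch time
    server = ToyServer(b"<html>v1</html>", t0)
    browser = ToyBrowser(server)
    browser.fetch("/index.html")   # first visit: full download, cookie assigned
    browser.fetch("/index.html")   # unchanged: 304, served from cache
    server.page, server.last_modified = b"<html>v2</html>", t0 + 3600
    body = browser.fetch("/index.html")   # changed on server: downloaded again
    browser.clear_cache()
    browser.fetch("/index.html")   # cache empty, so full download, cookie still sent
    return {
        "log": browser.log,
        "final_body": body,
        "cookies": browser.cookies,
        "cookie_seen_by_server": ["Cookie" in r for r in server.requests],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last step is the point worth noticing: clearing the cache removes the pages but not the cookie, which is why a cookie directory can still identify a site after the cache is gone.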

Using the Internet has become an increasingly greater multimedia experience. Web browsers have become more complex, and many have integrated plugins to run flash and Java applications. When viewing Web pages, the application files are often embedded directly in the page. The browser automatically loads the correct environment and runs the application. Most Web browsers also contain limited File Transfer Protocol (FTP) capability, which allows a Web server to offer up a file for download. In Chapter 5, we downloaded installation executables; the browser manages the downloading of these files.

Web Browsers

We will now analyze some of the most popular Web browsers and many of the features they implement. Special attention is paid to the information that can be used for exploiting them and making them into effective means of collecting information from your target.

Internet Explorer

Internet Explorer is far and away the most popular Web browser on Microsoft Windows-based computers. A copy of Internet Explorer comes bundled with every version of Microsoft Windows, so convenience plays a big part in its popularity. It is also the most targeted browser by hackers and other nefarious individuals. Before Windows XP Service Pack 2, Internet Explorer came with some default security settings that were absolutely worthless. With more attention being drawn to Internet Explorer’s security flaws, Microsoft has made an effective and concerted effort to improve the browser’s security profile.

Lucky for you, most of the information that you want is not affected by the new heightened security posture. Most of the information you are interested in is stored on the computer the browser is run from. In Chapter 6, we discussed finding most of this information using the browser. This is a good method, but most of this information can also be found on the file system. This method is also useful for collecting the browser’s information. By knowing where it is stored on the file system, you can copy it remotely or copy it to removable media for later examination, all without having to worry about launching the browser and affecting settings. For example, bookmarks are saved under the “Favorites” folder, and come with a number of default sites. They can be collected as an aggregate from C:/Documents and Settings/<User Name>/Favorites, where <User Name> refers to the account name you are looking for information on. Copy that folder and you have a copy of that user’s bookmarks for Internet Explorer. Internet Explorer history is set to remember Web sites for 20 days. You can view Internet Explorer’s history at C:/Documents and Settings/<User Name>/Local Settings/History. Unlike Favorites, this folder is not as agreeable to copying, so it must be viewed on the disk. If you do copy it, there are certain tools that can decode it that can be found on our Web site,

Cache files are stored in C:/Documents and Settings/<UserName>/Local Settings/Temporary Internet Files. You can also discover the person’s cookies in a similar location, C:/Documents and Settings/<User Name>/Cookies. This directory has most of the cookie files that Internet Explorer has collected during its time browsing. Figure 7.1 shows the cookie directory for a typical user.

Figure 7.1 Cookie Directory for a Typical User

Internet Explorer is the most popular Web browser, and as a result, it is the first place you should look for clues as to what a person is doing online. Now you know where to find a person’s history, his or her bookmarks, and the location of the cookies and cache from both the browser (Chapter 6) and the file system.

Notes from the Underground

Super Hidden Files

So far we’ve taught you how to find Internet Explorer’s cache. Clever users, however, probably frequently clear their caches either to save space or to ensure that their caches are not browsed through. Microsoft, however, has a super secret cache that is not cleared out by the browsers’ “clear cache” feature. This directory and all of its related files are considered to be “super hidden,” meaning that in addition to the built-in hidden attributes they possess, they are also hidden with some additional steps so that they remain invisible even if Internet Explorer is configured to view all hidden files.

For an example of this hidden directory, browse to the cache directory C:/Documents and Settings/<Current User>/Local Settings/Temporary Internet Files for your current user with Internet Explorer. Now in the address bar, after the path listed, add the directory Content.IE5 so that the new path is C:/Documents and Settings/<Current User>/Local Settings/Temporary Internet Files/Content.IE5. You should see something like the screen in Figure 7.2.

Figure 7.2 Content.IE5 Folder

This is a “super hidden” folder that has extra cache information. It’s very likely that your target doesn’t know it is there and has not cleared it. Although not as complete as the normal cache, it should offer you a significant window into that person’s Web-browsing habits.

Mozilla Firefox

The Mozilla Foundation is determined to provide a choice for Internet applications. It produces and distributes a Web browser, Mozilla, along with a stripped-down version, Firefox, and an e-mail application, Thunderbird. As hackers and virus creators target Internet Explorer, Mozilla gains in popularity. A vulnerability in one Web browser does not necessarily indicate an identical vulnerability in another. Mozilla endeavors to provide all of the functionality of Internet Explorer and then add some features to make Mozilla more secure and user-friendly. Mozilla has tabbed browsing enabled and thus allows multiple Web pages to be loaded within the same browser window. A user can switch between the tabs to look at the different pages. This is an alternative to having multiple instances of the browser being open. Another feature of Mozilla is the ability to remember usernames and passwords; this capability is different from using cookies to remember logins. The Mozilla browser allows the user to set the username and password for Web pages that need to be logged into. It even allows for multiple username and password combinations. Mozilla also has other extensions that can be downloaded to personalize and increase the browser’s functionality.

Like Internet Explorer, Mozilla has a cache, history file, and bookmarks that can be looked at to determine a person’s activities. Mozilla’s application information is kept in the Mozilla folder. For instance, data for a person with the username Sarah is found in C:/Documents and Settings/Sarah/Application Data/Mozilla/Firefox/Profiles/cv4uivs.default. The last folder may be named differently, as it appears to have a random name for each installation, but it will be under the Profiles folder. As can be seen in Figure 7.3, this folder contains a sub-folder titled Cache, which keeps all of the temporary Internet files.

Figure 7.3 Mozilla Firefox Application Folder

The bookmarks file is stored as an HTML document inside the Profiles folder. If you look closely at Figure 7.3, you will notice a bookmarks.html file. This can be double-clicked on and viewed like a normal Web page. There is also a cookies file, which contains the cookies for Mozilla. Mozilla Firefox continues to gain in popularity, and its features easily rival those of Internet Explorer. Once you have determined where Mozilla stores its application data, you can retrieve and look at that data.
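As an added example (not code from the book or from Mozilla), here is a small Python reader for the Netscape-style bookmarks.html that Firefox keeps in the profile folder, run over a constructed sample file. It shows that the file records not only each URL but its folder path and, where present, the ADD_DATE and LAST_VISIT timestamps (Unix epoch seconds).

```python
# Added example, not code from the book or from Mozilla: a reader for the
# Netscape-style bookmarks.html file that Firefox keeps in the profile folder.
# The sample file below is constructed; the URLs and dates are not real.
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Optional

SAMPLE_BOOKMARKS = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DL><p>
    <DT><A HREF="http://news.example/" ADD_DATE="1100000000">Daily News</A>
    <DT><H3 ADD_DATE="1100000000">Banking</H3>
    <DL><p>
        <DT><A HREF="http://bank.example/login" ADD_DATE="1100003600" LAST_VISIT="1100090000">My Bank</A>
    </DL><p>
    <DT><H3 ADD_DATE="1100000000">Hobbies</H3>
    <DL><p>
        <DT><H3 ADD_DATE="1100000000">Cars</H3>
        <DL><p>
            <DT><A HREF="http://mustang.example/forum" ADD_DATE="1100007200">Mustang forum</A>
        </DL><p>
    </DL><p>
</DL><p>
"""


def _iso(epoch: Optional[str]) -> Optional[str]:
    """ADD_DATE / LAST_VISIT hold Unix epoch seconds; render them readably."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(int(epoch), timezone.utc).isoformat()


class BookmarkParser(HTMLParser):
    """Walks the nested <DL> lists, tracking the folder path of each <A>."""

    def __init__(self) -> None:
        super().__init__()
        self.entries = []
        self._folders = []          # one slot per open <DL>; None for the root list
        self._pending_folder = None # name from the <H3> that precedes a <DL>
        self._link = None
        self._text = None           # "folder" or "link" while collecting text
        self._buf = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # HTMLParser lower-cases tag and attribute names
        if tag == "dl":
            self._folders.append(self._pending_folder)
            self._pending_folder = None
        elif tag == "h3":
            self._text, self._buf = "folder", ""
        elif tag == "a" and "href" in a:
            self._link = {"url": a["href"], "added": _iso(a.get("add_date")),
                          "last_visit": _iso(a.get("last_visit"))}
            self._text, self._buf = "link", ""

    def handle_data(self, data):
        if self._text:
            self._buf += data

    def handle_endtag(self, tag):
        if tag == "dl" and self._folders:
            self._folders.pop()
        elif tag == "h3" and self._text == "folder":
            self._pending_folder, self._text = self._buf.strip(), None
        elif tag == "a" and self._link is not None:
            self._link["title"] = self._buf.strip()
            self._link["folder"] = "/".join(f for f in self._folders if f)
            self.entries.append(self._link)
            self._link, self._text = None, None


def parse_bookmarks(text: str) -> list:
    """Return one dict per bookmark: url, title, folder, added, last_visit."""
    parser = BookmarkParser()
    parser.feed(text)
    parser.close()
    return parser.entries


if __name__ == "__main__":
    for e in parse_bookmarks(SAMPLE_BOOKMARKS):
        print(f"{e['folder'] or '(root)':15} {e['title']:15} {e['url']}  added {e['added']}")
```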

AOL Explorer

In the past, AOL has used all types of Web browsers as its standard method of browsing. At one time, it designed its own proprietary browser. Netscape Navigator was the default choice for a while, and finally AOL settled on using Internet Explorer. Currently, AOL users are provided with a slightly customized version of Internet Explorer. This browser is integrated into the AOL application, but for the most part, acts and works like traditional Internet Explorer. From this point on we treat the AOL browser as if it is a standard installation of Internet Explorer.


When this book was written AOL’s browser was based on Microsoft Internet Explorer. However, during the editing, they announced that they are in the process of converting their browser engine to Mozilla Firefox. While they will continue to support the ability to switch to Internet Explorer as the rendering engine, don’t be surprised if in the future the look-and-feel of the AOL browser closely resembles Firefox.

Other Browsers

Many people have used the prevalent Web browsers and found them lacking. Some of these people have even gone so far as to create their own Web browser and distribute it. Features such as tabbing and pop-up blocking are included in many of these browsers. Some of these are free, such as Netscape Navigator, and others like Opera are available for free or for a small price. Advant ( is another Web browser that is gaining popularity. These browsers do not have a significant market share, but they are still popular with some users. Many of the innovations in these browsers are replicated in the more popular browsers. Most of these browsers have a history, cache, and bookmarks, all of which can be discovered.

Our Focus

Our focus is on Microsoft’s Internet Explorer. Because this is the world’s most popular Web browser, learning how to exploit it is a must. The other browser that we focus on is Mozilla’s Firefox. This browser is currently gaining in popularity, as many online viruses and spyware applications take advantage of holes in Internet Explorer. A solution to the security flaws of Internet Explorer is to use a different browser. Mozilla Firefox is rapidly gaining market share, so learning how to find its secrets is important. By learning how to find the information from these two Web browsers, using any other Web browser should be an application of the same techniques.

Basic Skills

To succeed at spying on your target’s Web browsing, you need to master some basic skills.

Running Programs from Explorer

To maintain a low profile and prevent your target from accidentally learning of your activities, we showed you how to remove a program from the Start menu. This helps prevent your target from discovering your software on his or her machine. However, now you need to use the software. Luckily, there is an easy way to do this using Explorer.

The first step is to start an Internet Explorer window and then browse to the location where the software was installed. This will most likely be in C:/Program Files/<software vendor>/<Software application> or C:/<software application>. As shown in Figure 7.4, you must browse to C:/Program Files/Winspy in order to run WinSpy.

Figure 7.4 Starting WinSpy Using Explorer

You then start the application by double-clicking on it. This enables you to run the application without having to access it from the Start menu. This is necessary because to covertly install software you should try to minimize all traces of it.

Collecting Information from Your Target’s Computer

We now discuss some utilities that are useful in collecting information about a person’s computer activities.


WinSpy is a very useful utility that is used to analyze what people are doing on a computer. It aggregates data that reports what URLs have been visited and the addresses in the address bar. It displays the cookies on the machine and reports what documents have recently been opened. It will read the index.dat files and display the address contained.


WinSpy is available from There is also a link to this site from Download file wssetup.exe.


WinSpy is installed like most normal programs.

1. Using Internet Explorer, double-click on the wssetup.exe file. This will begin the installation process. As usual, the Security Warning will pop up; click Run to continue.

2. As the Installation Process continues, the official @WinSpy installation window will be displayed. Select Next to continue.

3. As the installation proceeds, WinSpy will ask where to place the files. Using the default is acceptable, so click Next to continue.

4. The setup program will ask where to place the Start menu folder. Again, click Next to continue.

5. Figure 7.5 shows the next window. In this window, uncheck the box next to Create A Desktop icon. This stops an icon from being placed on the desktop. Select Next to continue.

Figure 7.5 Removing WinSpy’s Desktop Icon

6. The WinSpy setup program now has all of its options. Select Install to complete the installation.

7. A final pop-up window will be displayed. Select Finish to end the installation program.

WinSpy is now installed and almost ready for use. However, before you continue, there are still a few more steps necessary to decrease your profile. The first is to remove it from the Start menu (discussed in Chapter 5). If you have forgotten how to remove it, go to Start | All Programs | @WinSpy. Right-click and select Delete. This will remove it from the Start menu, but you can still start it using Internet Explorer. Next, if you want WinSpy to remain on your target’s machine, you should remove it from the “Remove Software” list and also ensure that it does not show up on the “Recently Used Programs” list on the Start menu (discussed in Chapter 5).


WinSpy is very easy to use; however, there is a limitation: WinSpy must be run from the account where the files you wish to analyze are located. The easiest way to do this is to obtain the user’s password (if there is one), log on to his or her machine, and start WinSpy using the Internet Explorer window. The main WinSpy window (see Figure 7.6) is displayed. The different buttons at the top cause WinSpy to display the differing information.

Figure 7.6 WinSpy Reveals Recent URLs

Figure 7.6 shows the URL History tab. This window displays the visited URLs and the Web pages’ titles. For example, there was a Google search for anorexia. This information could be cause for concern, especially when combined with the Anorexia Nervosa page.

Figure 7.7 shows the Address Bar page. This is similar to the URL History tab, but is a record of all the addresses typed into the address bar. Again, you can see that the user visited the anorexia Web site.

Figure 7.7 WinSpy Reveals Typed-in Addresses

The Cookie tab displays all of the cookie files associated with the user. Sometimes, the cookie resides on the machine even if a user has deleted his or her cache. Next is the Recent Documents tab, which shows all of the files that the user has accessed recently (see Figure 7.8).

Figure 7.8 WinSpy Reveals the Recent Documents

By utilizing the Run History tab, all of the programs started from the run bar can be shown. This information is useful in showing programs that the user started without using Internet Explorer. The Open/Save tab displays all of the recently opened or saved pictures, bitmaps, and text files. This data can be especially useful for finding out what the user has been looking at. Finally, the index.dat tab is where Internet Explorer stores its information. This tab displays all of the Web pages that have been visited. This information is very useful because the Web pages that were just accessed by clicking links from other pages will be displayed. This tab should be explored, because it offers some of the most complete information.

Collecting Information about Your Target from the Network

Now that you have searched the person’s Web browser for evidence of his or her past activities, you must determine what your target is doing now. One effective way to do this is to sniff the network and capture all of your target’s Web traffic. Once you have the traffic, you can analyze the files to determine what your target has been doing and looking at. Although you probably can get most of the information from the computer and the Web browser, collecting off of the network offers the following advantages:

• Depending on your network’s configuration, the location of your listening post, or some advanced attack (see Chapter 10), you can eavesdrop and collect Web traffic from a completely independent computer other than your target’s. Thus, you would significantly reduce your footprint on your target’s machine and lower your chances of being discovered.

• Most of the information stored on the target is temporary, meaning it is stored in caches or history files. Caches by their very nature are temporary, and the data in them is fleeting. You can never guarantee that the data relevant to you is in the cache. By sniffing, however, you collect all the data as it happens. Nothing can be done to clear this data once you’ve obtained it. You are guaranteed to have the latest data.

• Information collected on the network can show a temporal relation. When you look at cache and histories, you can get a somewhat good idea of when different sites were viewed. Collecting off of the network can give you a real-time view of events that happen. Watching URLs on the network can show how frequently things happen and give you a more granular view of events. For example, the granularity of most browsers’ history is down to one day. A network dump can show you at what time and how many times in a day a certain site was visited.

Collecting by Sniffing

To collect information by sniffing, you need to use two tools. In Chapter 5, we discussed using Snort and OWNS as sniffers. In this chapter, we show you how to use them in conjunction with each other to sniff traffic and then analyze it.

The first step is to set up Snort as a service. This will log all of the Internet activity from a machine. If you know that you can sniff the entire network, as is the case with a hub, you can run Snort on your personal machine; otherwise, you must install Snort on the target’s machine. Once you have the activity, you can examine it in file snort.log.xxxxxxxx. There may be several log files in the directory, and you may need to examine them one by one to ensure that all of the collected traffic is examined.

Now that you have the Snort log file, you must examine it. Fortunately, OWNS is very useful in analyzing a capture file. You only need to set it up to read from a capture file instead of the sniffer. Figure 7.9 shows how to configure OWNS for reading from a file.

Figure 7.9 OWNS Configured to Read from a File

There are a couple of other changes you must make to OWNS before you are ready to begin. First, you need to set the parameters so that OWNS knows to break out the captured traffic by IP address (see Figure 7.10). This way, if you track multiple computers communicating with the network, you can easily narrow down and focus on traffic related to the computer of interest. The other noteworthy thing is the Output directory. In this case, it is ./files, which means that a files directory will be created where the sniffer log is located. This is where OWNS places its output.

Figure 7.10 Setting OWNS Output Directory

Next, you must select the HTTP Filter tab, where you select what type of files to save. In this case, you select everything. It is easier to disregard extra files, than to miss something important that might have transpired. Once you have set the files, you are ready to run OWNS. Switching to the Stats tab gives you an easy way to see how much data is broken out. Select Start Capture to begin breaking out the files using OWNS. This may take some time, but the Stats tab will update everything.

Once this has finished, you can examine the output of OWNS by going into the directory. Figure 7.11 shows that under the entry for our machine’s address, OWNS has created several directories: .cab, .gif, .html, .js, .jpg, and .swf.

Figure 7.11 OWNS Output Directory

Now you can go into each directory and look to see what you have collected. Some of the directories will be more interesting than others. The .swf directory contains all of the Shockwave Flash objects that were downloaded. Similarly, the .js directory is where all of the JavaScript files are found. The .cab directory has all of the cabinet files, which are a Microsoft-specific type of archive. The .gif folder contains all of the .gif files that were downloaded. This will give a clue as to what types of Web pages the user is looking at. A quick glance into the .jpg directory can reveal what your target has been doing.

The final directory is the .html directory where all of the downloaded HTML files are put. This directory may be very large, but will have all of the Web pages that were looked at. Examining these pages will shed some light onto what your target was doing.

Now that you have seen what the person has been doing on the Internet, you can decide what to do next. A good first step is to cover your tracks by deleting all of the contents that OWNS gave you. The Snort log should also be deleted. Using Snort and OWNS together, you can examine your network’s traffic and have the contents easily broken out.
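The breakout described above, as an added example that is neither the book’s nor Snort’s or OWNS’s own code: it reads the libpcap file Snort writes with only the Python standard library and lists, per client IP, every HTTP request that crossed the wire in the clear, which is exactly what any other host on a hub could have reconstructed. The two-packet capture, the addresses and the host name are constructed for the example.

```python
# Added example (not code from the book, Snort or OWNS): parse a libpcap file
# such as snort.log.xxxxxxxx and index plaintext HTTP requests by client IP.
# Everything it lists was readable by every host on the same hub.
import struct
from collections import defaultdict


def index_http_requests(pcap: bytes) -> dict:
    """Return {client_ip: [(host, path), ...]} for each plaintext HTTP request."""
    magic = struct.unpack("<I", pcap[:4])[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"       # byte order of the writer
    found, off = defaultdict(list), 24             # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # Ethernet + IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 6:                                       # TCP only
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):  # TLS stays opaque
            continue
        lines = payload.split(b"\r\n")
        path = lines[0].split(b" ")[1].decode("ascii", "replace")
        host = next((l[5:].strip().decode("ascii", "replace")
                     for l in lines if l.lower().startswith(b"host:")), "?")
        found[".".join(str(b) for b in ip[12:16])].append((host, path))
    return dict(found)


def _frame(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture: one plaintext GET and one TLS record."""
    frames = [_frame("192.168.1.10", "203.0.113.5", 80,
                     b"GET /mail/inbox.html HTTP/1.1\r\nHost: webmail.example\r\n\r\n"),
              _frame("192.168.1.11", "203.0.113.6", 443, b"\x16\x03\x01\x00\x05hello")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Only the host that used plain HTTP appears in the result; the TLS session from the second host is skipped, which is the exposure difference a network owner should care about.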

Case Study: Browsing for Trouble

Most Web browsers such as Internet Explorer and Mozilla Firefox leave traces of the Web sites they have visited. It is possible to search through the log files and determine exactly what sites the person using the computer has been visiting.


Robbie was a relatively successful information technology manager in a medium-sized health-care company. He had been married to Beth, a wonderful woman whom he met at church, for the past seven years. Robbie and Beth had two young daughters, Isabella, 3, and Michelle, 5. They lived in a comfortable house in the suburbs of Washington, D.C. Beth stayed at home with the kids during the day, while Robbie went to work. They found that this was the best arrangement for the kids, even if it stressed the finances of the family. They had to share a car, which Robbie commuted in every day. From the outside, they looked like a happy family.

Unbeknownst to Beth, the marriage was not as strong as she thought. Robbie was not the devoted husband that she believed he was, despite his assurances to the contrary. Beth was busy taking care of their two young children full-time, while Robbie concentrated on his job. Beth had given up her promising career to take care of their children, and had not held a full-time job since she was pregnant with Michelle. Robbie had become less interested in the marriage as time progressed.

Robbie had begun to spend more time at work and spent his free time socializing with his work friends. He had begun to drop hints that everything was not right in the marriage. Robbie’s coworkers were aware that he was not being the attentive husband that Beth deserved, but declined to intervene.

As the marriage slowly fell apart, Beth continued to be kept in the dark about Robbie’s feelings. Robbie finally decided that he wanted to leave Beth and informed his coworkers of his decision. He told them that he was going to leave his wife and kids because the marriage was not working out. He wanted to be alone.

When Robbie took a step back, he realized that he was not ready to leave the marriage. Although he wanted out, he came to the conclusion that he needed to save up money and get prepared before he left Beth. Robbie wanted to be able to have his own car and apartment when he left the marriage.

Robbie began to save money and began his preparations while keeping Beth in the dark. He even began to ask out coworkers and other women on dates, despite still being married. Robbie, for all intents and purposes, was single, despite not telling Beth. Robbie was going to leave the marriage when he was ready, and not before then.

Eventually, Beth began to get suspicious of Robbie’s activities. Although nobody had told her what was going on, her suspicions began to grow as Robbie became more distant. She confronted him with her suspicions, and they had several long talks in an effort to get the marriage back on track. However, Robbie’s efforts did not match Beth’s, and her suspicions grew to the point where she felt she had to take action. Robbie spent more and more time at work, and when he was home, spent an excessive amount of time on the Internet. Despite her continuous questioning, Robbie never came clean about his actions.

Finally, Beth decided that she had to take action. She spent hours debating what to do about her situation. She considered hiring a detective, but did not want to pay for one, or anger Robbie if he found out. Beth decided that going through his computer and figuring out what he was doing online would give her a clue, without taking any action that was irreversible. After searching his Internet cache, she determined that he was visiting an online bank, among other places. This piqued Beth’s curiosity, as they had only one shared bank account. After this, Beth grew more suspicious of her husband’s actions.

Over the next couple of months, Beth continued to monitor her husband’s actions and tracked his Web activity. She noted that he continued to access the bank’s Web site, along with looking at rental property Web sites. There were also links to several used car dealerships in the area. Finally, Beth confronted Robbie with her knowledge of the activities. Boxed into a corner, Robbie finally came clean to Beth, filling her in on the intentions he had voiced to his coworkers months before. They are currently still living together and the situation is unresolved.


Beth managed to potentially dodge a life-altering event. Although she was not happy about violating Robbie’s privacy, she realized that something had to be done when talking about the situation was not alleviating her suspicions. Beth was still in love with Robbie and did not want to hurt him in any way. She decided to take the least intrusive method available to determine what was happening to her relationship. Beth felt that she had a responsibility to protect herself and her daughters.

The technology that Beth used was not on the cutting edge. By utilizing the Web browser’s history, she determined what sites Robbie was visiting. Because he failed to clear his cache and history after he surfed the Web, Robbie unknowingly left a trail that could be followed. Beth did not have to be technologically competent in order to gain the information that she needed to protect herself. There were more invasive methods that Beth could have used, but she relied on the least intrusive. In this case, the technology Robbie used to help plan his future without his wife ultimately led to the discovery of his activities.

If Beth had not decided to snoop on Robbie’s activities, the outcome could have been vastly different. Robbie had planned on leaving her and their children. Beth would have been left unemployed, responsible for two young children and a mortgage, without any safety net.


The Web browser is the portal to the Internet. As your quarry browses the Internet, he or she leaves tracks that can be examined. The Web browser saves vital information that can be used to your advantage. This chapter addressed the following key points about Web browsers:

• Web browsing has defined the Internet experience for many users. A browser is the only portal and interface to the Internet for most people.

• Exploiting Web browsing can yield a wealth of information, including Web mail, online accounts, lists of visited sites, and other multimedia information.

• Internet Explorer is currently the most popular browser for Microsoft Windows users. It leaves lots of information on the disk about where it has been and what it has been used for.

• Like Internet Explorer, most other browsers have the same few fundamental components, bookmarks, cookies, and caches, all of which give valuable clues to what your target does online.

• Tools like WinSpy allow for easy aggregation of Web browsing information that is left behind on the computer.

• OWNS and Snort combined make an effective system for monitoring and analyzing Web traffic.

The information that you collect from Web browsers, both on the computer and from the network, is an important piece of the puzzle to obtaining total information awareness of your target. If you applied proper tradecraft, followed SLEUTH, and were careful how you approached your tasks, you are now holding a significant amount of information on your target with them being none the wiser. It is now time to proceed and look for more information to round out your collection and fill in the gaps not covered by Web browsers.