DEAD FORENSIC ANALYSIS OF QUTEBROWSER AND LIBREWOLF BROWSERS USING THE NIST 800-86 METHOD

A browser is software used to access web pages to obtain clear and readable information. Information resources are identified by a Uniform Resource Identifier (URI) and can be web pages, images, videos, or other content. When browser users engage in online activities, they usually leave traces on the device such as history, cookies, cache files, and even emails and passwords. Such traces can usually help users access a website or input something, such as emails and passwords. The purpose of this research is to obtain digital evidence in the form of cache on the hard disk from the LibreWolf and Qutebrowser browsers. In this study, the researchers used the National Institute of Standards and Technology (NIST) 800-86 method, which consists of four stages, namely collection, examination, analysis, and reporting, applied to the Qutebrowser and LibreWolf browsers. The results obtained from this study were 21 Cache, 2 Sessions, 6 Cookies, 8 Network Persistent State, 9 QuotaManager, 11 IndexedDB, 24 LevelDB, 48 Cache Storage, 14 Favicons, 3 History, 6 Database, 3 StartupCache, 4 Alternate Services, 6 Content-Pref, 1 Notification, 7 Permission, 6 Service Worker, 7 SiteSecurityServiceState, 8 Webappstore, 5 Sessionstore-Backups, and 47 Storage. The NIST 800-86 method can be properly used in the acquisition of digital evidence, and the most crucial data was obtained in the LibreWolf browser on the Telegram and WhatsApp sites.


INTRODUCTION
In the era of rapid development of information technology, browsers are now applications that must be installed on desktop and mobile devices; even TVs and refrigerators are now integrated with browsers. A browser is software used to access web pages to obtain clear and easy-to-read information. Information resources are identified by a Uniform Resource Identifier (URI) and can be web pages, images, videos, or other content [1]. The activity of using a browser is called browsing; users usually use the browser to access web pages for purposes such as shopping online, interacting with people on social media, accessing email, or uploading and downloading files [2].
Qutebrowser and LibreWolf are two examples of existing browsers. Qutebrowser is an open-source browser that focuses on keyboard use [3], while LibreWolf is a browser produced by the open-source software community that focuses on security and privacy [4].
When browser users perform activities in cyberspace, they usually leave traces on the device such as history, cookies, cache files, and even email addresses and passwords [5]. Traces like this can usually help users access a website or input something, such as an email address and password [6]. If information such as emails or passwords is too open or can be easily accessed by others, there is a possibility of misuse of personal data, such as copying information on ATM cards (skimming), where the perpetrators of email and password abuse can withdraw funds elsewhere [7]. This leads to cybercrime, which is a crime committed using computer networks or digitally by misusing digital technology as the main crime tool [8].
These traces can serve as digital evidence, an important part of digital forensics. In general, digital forensics is a scientific process to collect, analyze and present evidence to assist the law enforcement process in solving digital crime cases [9]. Digital forensics is a branch of forensic science that focuses on evidence derived from computers or digital sources such as photo files, flash drives, hard disks, emails, passwords, log files, and data packets in computer networks [10]. One example of a digital forensic technique is dead forensics, a technique in which digital evidence is acquired from an operating system where the evidence is permanently stored in storage such as a solid state drive or hard disk [11].
Given the problem described above, the researchers decided to perform a dead forensic analysis of browsers with the NIST 800-86 method, focusing on the Qutebrowser and LibreWolf browsers. This research can therefore be used as a benchmark to determine the level of security and to find out what crucial data can be obtained through the Qutebrowser and LibreWolf browsers.

Problem Identification
At this stage, the existing problem is identified, namely how to perform dead forensic analysis on the LibreWolf and Qutebrowser browsers to obtain digital evidence.

Literature Review
This research stage collects data related to the problem in question. The literature study is carried out after the identification process, using related research and journals as references to assist the researchers in completing the research.

Case Scenario
The scenario in this study was created by the researchers to carry out the research process. The scenario begins with the acquisition of a user's computer that has been used to access the browser. After that, the data from the computer user's flash disk is acquired and cloned. Once the acquisition process is complete, the data analysis process is carried out on the acquired flash disk [12].

Dead Forensic Analysis
Dead forensics is a digital evidence acquisition technique that requires data that is permanently stored on a storage hardware device such as a hard disk. Dead forensic techniques allow investigators to recover deleted or corrupted files from disk drives and other storage media [13]. After performing data acquisition using the dead forensic method, the next step is data analysis using the National Institute of Standards and Technology (NIST) 800-86 method. The first NIST 800-86 stage is collection, which is the activity of collecting digital evidence. In this scenario, digital evidence in the form of cached data comes from the browser used to access social media sites [14]. Next is the examination stage, which processes the data that has been obtained. At this stage the data that has been found is examined using Autopsy. After getting the file results obtained through Autopsy [15], at the analysis stage a detailed analysis is carried out to obtain information in accordance with the scenario that has been made [16]. The last stage is reporting, which reports the results of the analysis and examination from the previous stages. These results are used to report what evidence was obtained from this research [17].

Collection
At the collection stage, the researchers collect tools and materials such as the Qutebrowser and LibreWolf browsers and Autopsy as the forensic tool. The forensic tool is used to search for digital evidence stored on a flash drive. After that, the researchers clone the data contained on the flash disk in a dead forensic manner. The digital evidence obtained is then identified using the forensic tool with predetermined parameters. Below is a further description of the tools used for digital evidence collection:

Examination
At the examination stage, an investigation and data search is carried out using the Autopsy tool. With this tool, the data stored in the flash disk clone made by the researchers is searched by analyzing each browser that has been determined.

Analysis
At the analysis stage, we analyze the evidence that has been obtained in the previous stages. This research uses Autopsy as the digital forensic analysis tool and the Artix Linux rolling release as the operating system. The following are the results of the data analysis that has been obtained.

Reporting
Reporting is done by explaining the digital evidence that has been obtained previously. The digital evidence can be presented as follows.

DISCUSSION
Using the digital evidence acquisition technique with the NIST 800-86 method on the Qutebrowser and LibreWolf browsers, digital evidence can be found in the form of telephone numbers, user IDs, important messages, etc.
The NIST 800-86 method has four stages, namely Collection, Examination, Analysis, and Reporting. At the collection stage, we collect cache data from the LibreWolf and Qutebrowser browsers. After the collection stage, the examination stage is carried out, in which the data that has been obtained is searched and processed using the Autopsy tool. Autopsy is used to search the data that has been cloned from a flash disk. The data search using the Autopsy tool is carried out by opening each folder and subfolder in the specified browser folder.
After searching for digital evidence data, digital evidence such as usernames, URLs, phone numbers, and cache can be found. For example, in the folder /home/vengenz/.cache/qutebrowser/webengine/Cache/ there is a file called 035316b882ed2ccc_0, which contains a link to an image on the Twitter site.
Next is the analysis stage, which analyzes the digital evidence that has been obtained in the previous process. The last stage is the reporting stage, which reports the digital evidence found in this study, such as the digital evidence found for the Qutebrowser browser at /home/vengenz/.cache/qutebrowser/webengine/Cache/08a47460b3eac7ba_0, and for the LibreWolf browser at /home/vengenz/.cache/librewolf/k41e26jp.default-release/startupCache/ScriptCachechildcurrent.bin.
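
The folder-by-folder examination described above can also be scripted against a read-only mount of the clone. The following is an added example, not the authors' tooling (they used Autopsy): it tallies files by a subset of the artifact names in the paper's result list and records a SHA-256 per file for the report. The matching rule and all function names are assumptions of this example.

```python
import hashlib
import os
import re
from collections import Counter

# Artifact names from the paper's result list (subset), longest first so that
# "StartupCache" is tried before "Cache". The subset is this example's choice.
CATEGORIES = sorted(
    ["Cache", "Sessions", "Cookies", "Network Persistent State", "QuotaManager",
     "IndexedDB", "Service Worker", "StartupCache", "SiteSecurityServiceState",
     "Sessionstore-Backups", "Storage", "History", "Favicons"],
    key=len, reverse=True)

def _norm(name):
    """Lower-case and drop punctuation so 'startupCache' equals 'StartupCache'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def classify(rel_path):
    """Map a path relative to the browser directory to an artifact category."""
    *dirs, filename = rel_path.replace("\\", "/").split("/")
    for d in reversed(dirs):                  # deepest matching directory wins
        for cat in CATEGORIES:
            if _norm(d) == _norm(cat):
                return cat
    stem = _norm(os.path.splitext(filename)[0])
    for cat in CATEGORIES:                    # loose files, e.g. cookies.sqlite
        if stem.startswith(_norm(cat)):
            return cat
    return "Other"

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large cache files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(browser_dir):
    """Walk one browser directory on the mounted clone; never writes to it."""
    rows = []
    for base, _dirs, files in os.walk(browser_dir):
        for name in sorted(files):
            full = os.path.join(base, name)
            rel = os.path.relpath(full, browser_dir)
            rows.append((classify(rel), rel, os.path.getsize(full), sha256_file(full)))
    return rows, Counter(row[0] for row in rows)
```

Call `inventory()` once per browser directory (for example the `qutebrowser` and `librewolf` folders under `.cache`) rather than on the whole home directory, so that the `.cache` parent itself is not counted as a Cache artifact.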

CONCLUSION
Carrying out the stages of digital evidence analysis with the NIST 800-86 method resulted in a large number of examined cache files. After the examined data from the two browsers was compared, a difference was found in the amount of crucial data exposed. The results were Cache totaling 21, Sessions totaling 2, Cookies totaling 6, Network Persistent State totaling 8, QuotaManager totaling 9, IndexedDB totaling 11, LevelDB totaling 24, Cache Storage totaling 48, Favicons totaling 14, History totaling 3, Database totaling 6, StartupCache totaling 3, Alternate Services totaling 4, Content-Pref totaling 6, Notification totaling 1, Permission totaling 7, Service Worker totaling 6, SiteSecurityServiceState totaling 7, Webappstore totaling 8, Sessionstore-Backups totaling 5, and Storage totaling 47. The most crucial data was obtained in the LibreWolf browser on the Telegram and WhatsApp sites. The use of Autopsy as a forensic tool has proven able to acquire digital evidence well. This research shows that the NIST 800-86 method can be used properly in the acquisition of digital evidence. It is recommended to delete browser data and cache, or to use the auto-delete cookies and data feature, to prevent leakage of data such as cookies, which contain usernames, emails, passwords, and other important data that may be misused.

Figure 3. The process of cloning data from the hard drive