Identifying suspects through browser language

Swedish keyboard by Håkan Nylén

A new feature in version 1.1 of NetworkMiner aids the task of identifying a suspect user by extracting information about browser language and screen resolution sent to Google Analytics.

Google Analytics is the most popular website statistics service and is used by roughly half of all websites on the Internet. This means that a user surfing the Internet will most likely send data to Google Analytics. The data being sent to Google's servers include Flash version, screen resolution, color depth and browser language. This data isn't very intrusive on the privacy of Internet users, but can still provide some value to an investigator who wants to gain more information about a computer with a particular IP address as well as the user of that computer.

The browser language can, for example, be used to gain more information about the nationality of a particular user. In the screenshot below we can see that the user was running a web browser with Swedish language (look at “Browser Language” under “Host Details” and you'll see “sv” for “svenska”).

Observant blog readers might also notice the odd screen resolution used by this particular user, namely “971x779”. The most common reason for having such an odd resolutions is that the web browser is run in a virtual machine (likely VMware with VMware tools installed). This assumption is in this case enforced by the fact that the MAC address starts with 000c29, which is a VMware OUI. The MAC address will, however, not be visible as soon as the network traffic from the suspect's computer passes the first router hop. The screen resolution parameter sent to Google will, on the other hand, be visible all the way from the suspect's computer to google-analytics.com.

Information like this about the screen resolution can be used as evidence for an investigator in order to better prove that a particular computer was being used from a particular IP address at some specific point in time.

More information about Google Analytics can be found here: http://www.christopher-parsons.com/blog/privacy/google-analytics-privacy-and-legalese/

More... Share  |  Facebook   Twitter   Reddit   Hacker News Short URL: http://netres.ec/?b=11ADE66

Posted by Erik Hjelmvik on Monday, 03 October 2011 21:54:00 (UTC/GMT)

twitter

NETRESEC on Twitter

Follow @netresec on twitter:
» twitter.com/netresec


book

Recommended Books

» The Practice of Network Security Monitoring, Richard Bejtlich (2013)

» Applied Network Security Monitoring, Chris Sanders and Jason Smith (2013)

» Network Forensics, Sherri Davidoff and Jonathan Ham (2012)

» The Tao of Network Security Monitoring, Richard Bejtlich (2004)

» Practical Packet Analysis, Chris Sanders (2017)

» Windows Forensic Analysis, Harlan Carvey (2009)

» TCP/IP Illustrated, Volume 1, Kevin Fall and Richard Stevens (2011)

» Industrial Network Security, Eric D. Knapp and Joel Langill (2014)