Erik Hjelmvik
Monday, 03 October 2011 21:54:00 (UTC/GMT)

Identifying suspects through browser language

Swedish keyboard by Håkan Nylén

A new feature in version 1.1 of NetworkMiner aids the task of identifying a suspect user by extracting information about browser language and screen resolution sent to Google Analytics.

Google Analytics is the most popular website statistics service and is used by roughly half of all websites on the Internet. This means that a user surfing the Internet will most likely send data to Google Analytics. The data being sent to Google's servers include Flash version, screen resolution, color depth and browser language. This data isn't very intrusive on the privacy of Internet users, but can still provide some value to an investigator who wants to gain more information about a computer with a particular IP address as well as the user of that computer.

The browser language can, for example, be used to gain more information about the nationality of a particular user. In the screenshot below we can see that the user was running a web browser with Swedish language (look at “Browser Language” under “Host Details” and you'll see “sv” for “svenska”).

Observant blog readers might also notice the odd screen resolution used by this particular user, namely “971x779”. The most common reason for having such an odd resolutions is that the web browser is run in a virtual machine (likely VMware with VMware tools installed). This assumption is in this case enforced by the fact that the MAC address starts with 000c29, which is a VMware OUI. The MAC address will, however, not be visible as soon as the network traffic from the suspect's computer passes the first router hop. The screen resolution parameter sent to Google will, on the other hand, be visible all the way from the suspect's computer to google-analytics.com.

Information like this about the screen resolution can be used as evidence for an investigator in order to better prove that a particular computer was being used from a particular IP address at some specific point in time.

More information about Google Analytics can be found here: http://www.christopher-parsons.com/blog/privacy/google-analytics-privacy-and-legalese/

Posted by Erik Hjelmvik on Monday, 03 October 2011 21:54:00 (UTC/GMT)

Tags:

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=11ADE66

Recent Posts

» Network Forensics training at x33fcon

» Hunting for Cobalt Strike in PCAP

» Network Forensics Training - Spring 2024

» CapLoader 1.9.6 Released

» Forensic Timeline of an IcedID Infection

Blog Archive

» 2024 Blog Posts

» 2023 Blog Posts

» 2022 Blog Posts

» 2021 Blog Posts

» 2020 Blog Posts

» 2019 Blog Posts

» 2018 Blog Posts

» 2017 Blog Posts

» 2016 Blog Posts

» 2015 Blog Posts

» 2014 Blog Posts

» 2013 Blog Posts

» 2012 Blog Posts

» 2011 Blog Posts

List all blog posts

Video blog posts

News Feeds

» Google News

» FeedBurner

» RSS Feed

X / twitter

NETRESEC on X / Twitter: @netresec

Mastodon

NETRESEC on Mastodon: @netresec@infosec.exchange