DocumentCode :
1642631
Title :
An Automated User Transparent Approach to log Web URLs for Forensic Analysis
Author :
Ahmed, Muhammad Kamran ; Hussain, Mukhtar ; Raza, Asad
Author_Institution :
Coll. of Signals, Dept. of Inf. Security, Nat. Univ. of Sci. & Technol., Rawalpindi, Pakistan
fYear :
2009
Firstpage :
120
Lastpage :
127
Abstract :
This paper presents an automated approach to record Web activity as the user connects to the Internet. It includes monitoring and logging of Web URLs visited by the user. The distinctive features of this approach are a) it starts automatically, b) it is transparent to users, c) it is robust against intentional or unintentional process kill, and d) it is robust against intentional or unintentional corruption or deletion of the log file. The first feature is achieved as the program/application will run with the svchost.exe service, which is initiated automatically. Transparency is achieved by storing the log file in a default hidden location defined by system variables as well as at a third location (logging server) on the network. Process killing is prevented through dependencies of this application on an essential service required to connect to the network and thus the World Wide Web. The last feature ensures that log activity is also stored on the logging server (not accessible to users) even if a user deletes or corrupts it on his local system. The log file contains important information about the client, username, date and time of activity, and URLs visited. The approach can give vital and potentially evidential information for corporate Web policy violations, employee monitoring, and law enforcement agencies (digital forensics investigators). This paper also carries out a comparative analysis of the performance and security of the proposed scheme against some existing Web forensic and antiforensic tools.
Keywords :
Internet; computer crime; online front-ends; Internet forensic analysis; Web URL logging; Web URL monitoring; Web activity recording; Web browser forensics; World Wide Web; antiforensic tool; automated user transparent approach; computer crime; corporate Web policy violation; digital forensics investigator; employee monitoring; intentional log file corruption; intentional log file deletion; intentional process killing; law enforcement agency; potential evidential information; svchost.exe service; unintentional log file corruption; unintentional log file deletion; unintentional process killing; File servers; Forensics; Internet; Law enforcement; Monitoring; Network servers; Robustness; Uniform resource locators; Web server; Web sites;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
IT Security Incident Management and IT Forensics, 2009. IMF '09. Fifth International Conference on
Conference_Location :
Stuttgart
Print_ISBN :
978-0-7695-3807-5
Type :
conf
DOI :
10.1109/IMF.2009.12
Filename :
5277871