Joint Writing project: February 2011



Assessing Privacy Risks from Flash Cookies
STI Joint Writing Project
Authors: Stacy Jordan and Kevin Fuller
Advisor: Stephen Northcutt
February 21, 2011

Abstract

It is no longer “taboo” to purchase goods and services from the Internet. In addition, the Internet has become the new way to obtain entertainment for many people. Retailers have increased their presence on-line and offer discounts to consumers that are not available in-store. Television networks, record companies and other media outlets have placed their content on-line for people to view via their computer as well. The best websites employ a variety of audio-visual and Adobe Flash elements to attract people to their sites. One method of providing a good on-line experience, whether it is shopping or viewing a movie, is the use of browser and flash cookies. These cookies provide retailers and content providers with the opportunity to deliver specific advertisements (ads) and store site preference information for the user. Even though cookies help retailers and content providers tailor the on-line experience, their use has raised privacy concerns. This comes from the fact that not all cookies can be deleted using tools on the marketplace today and consumers are not given a chance to “opt-out” of having their information stored for later retrieval. So the question is whether or not flash cookies pose a significant privacy risk for anyone who uses the Internet.

Executive Summary

The purpose of this paper is to provide guidance that organizations could use to assess the privacy risk and data spillage as it pertains to the use of flash cookies.
Several areas will be addressed in the paper, including:

- Analysis of flash cookies
- Description of risk of using flash cookies
- How to identify the use of flash cookies
- How to verify the storage of flash cookies on a computer
- Use of DOS command (DIR) to find cookies stored on a computer
- Technical approaches for detection and management of flash cookies
- Survey of tools and techniques to detect flash cookies
- Survey of tools and techniques to manage or detect flash cookies
- Survey of forensic tools that can be used to examine the contents of flash cookies
- Forensic analysis of private browsing mode

Finally, the appendix sections of the paper will provide additional information on tools and websites that used flash cookies.

Introduction

Shopping for goods and services is no longer exclusive to traditional brick and mortar retail stores. Today, the Internet plays a great role in how individuals get their entertainment via online games, streaming audio and video and music downloads. Besides entertainment, on-line shopping via a computer or mobile phone has allowed consumers to purchase almost anything without leaving the comforts of home. Because of the growth in online shopping, traditional and electronic-only retailers (E-tailers) have employed a variety of different methods to ensure that your on-line shopping experience is seamless and tailored to your specific requirements. This customization of the on-line shopping experience is done through the use of cookies that are delivered or “dropped” to your computer from the browser. A special type of cookie called a local shared object (LSO), also known as a flash cookie, provides retailers with extra functionality that has raised privacy concerns from the Federal Trade Commission and the Electronic Privacy Information Center (EPIC), to name a few.
As content providers and retailers utilize cookies for tracking on-line activities, what can users do to protect themselves and have a good on-line experience as well?

Overview of Flash Cookies

Before discussing flash cookies, some terms need to be defined. What is a cookie? A cookie is a piece of information in the form of a very small text file that is placed on an internet user's hard drive. It is generated by a web page server, which is basically the computer that operates a web site. The information the cookie contains is set by the server and it can be used by that server whenever the user visits the site. A cookie can be thought of as an internet user's identification card, which tells a web site when the user has returned. In most cases, not only does the storage of personal information in a cookie go unnoticed, so does access to it. Web servers automatically gain access to relevant cookies whenever the user establishes a connection to them, usually in the form of Web requests.

Cookies are based on a two-stage process. First, the cookie is stored in the user's computer without their consent or knowledge. For example, with customizable Web search engines like My Yahoo!, a user selects categories of interest from the Web page. The Web server then creates a specific cookie, which is essentially a tagged string of text containing the user's preferences, and it transmits this cookie to the user's computer. The user's Web browser, if cookie-savvy, receives the cookie and stores it in a special file called a cookie list. This happens without any notification or user consent. As a result, personal information (in this case the user's category preferences) is formatted by the Web server, transmitted, and saved by the user's computer. During the second stage, the cookie is clandestinely and automatically transferred from the user's machine to a Web server.
Whenever a user directs her Web browser to display a certain Web page from the server, the browser will, without the user's knowledge, transmit the cookie containing personal information to the Web server.

Figure 1: Example of http cookie

An HTTP cookie is a text file that is easily viewable and does not require any special software. The HTTP or browser cookie came into use in the early 1990s as the result of electronic commerce (E-commerce), specifically the addition of a “shopping cart” feature to company websites by Netscape.

In order to provide a new visual experience for surfing the Internet, Macromedia created a program called Flash. Flash is used to create multimedia applications, including interactive content and animations embedded into web pages. Flash Player is not natively built into web browsers, but rather is a plugin that works across multiple operating systems and all of the most popular web browsers. An estimated 99% of desktop web browsers have the free Flash Player plugin. Java makes up the next highest installation rate at 80%. Apple’s Quicktime is installed on 57% while Adobe Shockwave and RealNetwork’s RealPlayer round out the list.

Now that we have defined cookie and flash, what is a flash cookie? A flash cookie is a special type of browser cookie that can store up to 100k of data. Local shared objects, sometimes referred to as "Flash cookies," are data files that can be created on your computer by the sites you visit. Shared objects are most often used to enhance your web-browsing experience.

Figure 2: Example of flash cookie

By assigning a unique identifier to a computer and preserving it in the space for the local shared object, a website can recognize that someone has already visited the site, and advertisers can use the information to determine that a visitor has previously viewed an ad.
Websites that require users to fill out personal information can also associate that data with the identifier.

Technical differences between HTTP cookies and local shared objects (LSOs)

A recent paper by Dr. Lorrie Cranor and Ms. Aleecia McDonald provides a summary of the technical differences between HTTP cookies and LSOs. Other internet technologies use local storage for similar purposes (e.g. Microsoft Silverlight, Java and HTML5). Aside from technical differences, HTTP cookies and LSOs are often used to perform the same functions. However, users interact with HTTP cookies and LSOs in different ways. Even though HTTP cookies and LSOs perform the same function(s), there are specific advantages to using flash cookies in addition to HTTP cookies.

Why are flash cookies used?

Flash cookies provide the only method by which a flash movie can store information on a user's computer. Intended uses of the object include storing a user's name, a favorite color or the progress in a game. The actual information is stored in a .SOL file in a special directory on the user's computer. Flash cookies offer several advantages that lead to more persistence than standard HTTP cookies. Flash cookies do not have expiration dates by default, whereas HTTP cookies expire at the end of a session unless programmed to live longer by the domain setting the cookie.

Another advantage of flash cookies is the concept of “re-spawning”. What is re-spawning? When a website sets an HTTP cookie with an identifier it also sets a flash cookie with the same value. If the user deletes the HTTP cookie and then revisits the website, the value previously set and now stored in the flash cookie is transferred to the HTTP cookie. In a paper by Soltani et al, researchers documented at least four instances of “respawning,” where users deleted their HTTP cookies only to have them recreated based on LSO data.
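The re-spawning sequence described above can be tested for by comparing snapshots taken around a cookie clear. The check below is an added example, not code from this paper or from Soltani et al.; the snapshot format, the `classify_cookies` name, the sample values and the 8-character identifier threshold are all assumptions.

```python
MIN_ID_LENGTH = 8   # assumption: shorter values (flags, locale codes) are not identifiers


def classify_cookies(before, after, lso_strings):
    """Classify each HTTP cookie seen after 'clear cookies, then revisit the site'.

    before, after: {cookie_name: value} for one site, captured before the user
                   cleared HTTP cookies and after the next visit.
    lso_strings:   {"<domain>/<object>.sol:<key>": string value} read from the
                   LSOs that stayed on disk while the cookies were cleared.
    """
    findings = {}
    for name, value in after.items():
        if name not in before:
            findings[name] = ("new", [])
        elif before[name] != value:
            findings[name] = ("reissued", [])            # site handed out a fresh value
        elif len(value) < MIN_ID_LENGTH:
            findings[name] = ("same-short-value", [])    # e.g. "en": not evidence of tracking
        else:
            # The same identifier is back although the cookie was deleted:
            # look for a surviving copy of it inside an LSO.
            sources = sorted(k for k, v in lso_strings.items() if value in v)
            verdict = "respawned-from-lso" if sources else "restored-other-source"
            findings[name] = (verdict, sources)
    return findings


def demo():
    """Run the check on constructed snapshots (every value here is made up)."""
    before = {"uid": "a81f3c9e27d44b10", "lang": "en",
              "session": "s-1111111111", "ab": "bucket-0007-xyz"}
    after = {"uid": "a81f3c9e27d44b10", "lang": "en",
             "session": "s-2222222222", "ab": "bucket-0007-xyz", "promo": "spring"}
    lso_strings = {"ads.example/track.sol:userId": "a81f3c9e27d44b10",
                   "ads.example/track.sol:volume": "80"}
    return classify_cookies(before, after, lso_strings)


if __name__ == "__main__":
    for cookie, (verdict, sources) in sorted(demo().items()):
        print(f"{cookie:8} {verdict:22} {', '.join(sources)}")
```

A `restored-other-source` verdict means the identifier survived the clear somewhere other than an LSO, which is where the other local storage technologies mentioned above (Silverlight, Java, HTML5) would need to be checked.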
Using LSOs to respawn HTTP cookies sounds like the “best practices” description put forward in a W3C document on mobile web use:

    Cookies may play an essential role in application design. However since they may be lost, applications should be prepared to recover the cookie-based information when necessary. If possible, the recovery should use automated means, so the user does not have to re-enter information.

But a major reason for the use of flash cookies is that these cookies are very difficult to remove from an end-user computer. Because flash cookies are stored in a different location than HTTP cookies, users may not know what files to delete in order to eliminate them. Additionally, they are stored so that different browsers and stand-alone Flash widgets installed on a given computer access the same persistent Flash cookies. Flash cookies are not controlled by the browser. Thus erasing HTTP cookies, clearing history, erasing the cache or choosing a delete private data option within the browser does not affect Flash cookies.

It is important to differentiate between the varying uses of flash cookies. These files (and local storage in general) provide the benefit of allowing a given application to ‘save state’ on the user’s computer and provide better functionality to the user.

Have you ever wondered how or why your favorite internet website saved your preferences or showed advertisements (ads) tailored to your buying habits? This is no accident, as merchants utilize many different tactics to ensure what you see from their website is what the consumer wants to buy. One of the tactics used by on-line retailers is behavioral targeting. According to Wikipedia, behavioral targeting (or behavioural targeting) is a technique used by online publishers and advertisers to increase the effectiveness of their campaigns.
Behavioral targeting uses information collected on an individual's web-browsing behavior, such as the pages they have visited or the searches they have made, to select which advertisements to display to that individual. Practitioners believe this helps them deliver their online advertisements to the users who are most likely to be interested. Behavioral marketing can be used on its own or in conjunction with other forms of targeting based on factors like geography, demographics or the surrounding content. Behavioral targeting allows site owners or ad networks to display content more relevant to the interests of the individual viewing the page. On the theory that properly targeted ads will fetch more consumer interest, the seller may ask for a premium for these over random advertising or ads based on the context of a site.

This so-called behavioral targeting is coming under scrutiny, in part since Google bought one of the largest practitioners, DoubleClick, and recently announced it would start using its troves of user data to deliver targeted ads. Its main money makers, the small text ads next to search results and on websites across the net, simply rely on the words in a search or on a webpage to place ads, a tactic known as contextual ads.

As a result, computer users have demanded specialized software to lessen the ability of advertisers to engage them. Later in the paper, a listing of specialized software will be provided to detect, manage and delete flash cookies. Most behavioral advertising still relies on cookies, but that doesn't mean cookies are the only tool advertisers can use to track Internet users' behavior. More and more of what you see on a single Web page is being delivered from multiple sources. Images, scripts of Web code, and "Flash cookies" may all be delivered by third parties, just as ads and cookies have been delivered by third parties for years.
If these other kinds of objects are designed to be unique to an individual - that is, if the same object can uniquely identify a person across multiple Web sites - that opens up the possibility for them to be used for behavioral advertising.

Structure of flash cookies

In a blog posting on SANS Computer Forensics and Incident Response, Kristinn Gudjonsson provided the structure of flash cookies (LSOs). The LSO is stored as a binary file in a network or big-endian style. The file is structured in three sections:

- The first 16 bytes are the file's header.
- The object's name in ASCII
- A series of data objects that contain the actual values of the LSO

In addition, Eric Huber in his presentation at CEIC 2010 stated that flash cookies have a common structure but come in three versions:

- Settings Cookie
- Content Cookie
- Master Settings Cookie

A generic flash settings cookie shows information on how flash cookies are handled for a particular website. The cookie would have the name of the website along with information on whether or not flash cookies are allowed for a particular website.

Figure 3: Example of settings cookie

A content flash cookie will contain data from a specific website. The data in the cookie is pretty random; it is dependent on what was done when the cookie was saved.

Figure 4: Example of content cookie

Finally, the master settings flash cookie shows complete information about how flash is configured on the local computer along with a listing of all domains visited as well.

Figure 5: Example of master settings cookie

Both master and settings cookies are stored in the same general location while a content cookie for a specific website is stored in its “domain” directory.

How do flash objects work?

A local shared object can be read only by the website domain that created the object. For example, if you asked [siteA].com to store your login name, it might use Flash Player to write a local shared object that contains the login name information.
That local shared object can only be read by [siteA].com; it cannot be read by [siteB].com, or even a different address location2. [siteA].com.

How to identify the use and storage of flash cookies on a computer

Almost all websites generate a browser cookie that is stored in a specific directory based on the operating system. Browser cookies are easily located and deleted through the various third-party tools and browser plug-ins. Windows XP stores browser cookies in:

C:\Documents and Settings\[username]\Cookies\

Windows Vista and Windows 7 store browser cookies in two folders:

C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Cookies\Low

Below is the location of flash cookies based on operating systems:

Windows XP:
%APPDATA%\Macromedia\Flash Player\#SharedObjects\<random code>\<domain>\<path - maybe°>\<object name>.sol
%APPDATA%\Macromedia\Flash Player\\support\flashplayer\sys
C:\WINDOWS\system32\Macromed\[subdirectories]\filename.sol
For AIR Applications: %APPDATA%\<AIR Application Reverse Domain Name>\Local Store\#SharedObjects\<flash filename>.swf\<object name>.sol

Windows Vista and later:
For Web sites: %APPDATA%\Roaming\Macromedia\Flash Player\#SharedObjects\<random code>\<domain>\<path - maybe°>\<object name>.sol
And also: %APPDATA%\Roaming\Macromedia\Flash Player\\support\flashplayer\sys
For AIR Applications: Users\%USER%\AppData\Roaming\

Mac OS X:
For Web sites: ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/<random code>/<domain>/<path - maybe°>/<object name>.sol and ~/Library/Preferences/Macromedia/Flash Player/support/flashplayer/sys/<object name>.sol
For AIR Applications: ~/Library/Preferences/<AIR Application Name>/Local store/#SharedObjects/<flash filename>.swf/<object name>.sol

Linux/Unix:
~/.macromedia/Flash_Player/#SharedObjects/<random id>/<domain>/<path - maybe°>/<flash filename>.swf/<object name>.sol

Additionally, flash player can save the file (cookie) in any path
specified by the Shockwave Flash (SWF) developer, relative to the current domain. As a result, this is one way to enforce the rule that each domain may only store up to 100k on the local system.

Figure 6: Listing showing LSO domains

To start the search for websites that use flash cookies, the list of the top 100 popular websites maintained by Quantcast was used, along with a few specific sites (, , , , and ). Sometimes the directory that stores flash cookies will show the “Read Only” attribute in Windows Explorer, and this will need to be “unchecked” in order for flash cookies to save properly. To verify whether or not a website utilizes flash cookies, a search for *.sol on the local hard drives was conducted. Individual websites that use flash cookies have separate directories that store their specific flash cookies.

Figure 7: Listing of flash cookies

Another method to detect whether or not a flash cookie has been installed is through the use of Adobe’s Flash Player settings manager utility located at: .

Figure 8: Adobe flash player settings manager

When the tool is initially run, it provides informational text stating that the results shown are from the actual tool. Most importantly, Adobe has a “disclaimer” statement which notifies the user that the company does not have access to the list. Note: To see a complete listing of sites, the use of the scroll bar is required.

Figure 9: Website Storage Settings

Privacy Choice

The final method used to verify the use of flash cookies is by employing a tool distributed by . PrivacyChoice offers tools to help you understand and make choices about your online privacy. You can see how online tracking works (TrackerScan), see your tracking profile, decide whether companies can collect information about what you do across websites (TrackerBlock), or opt-out of seeing targeted ads (PrivacyMark).
Their tool is for the Mozilla Firefox browser and generates a separate page that shows the results of the tool.

Figure #10 shows the results of the tool when the site does not utilize flash cookies for tracking on its primary domain:

Figure 10: No tracking cookies used

Figure #11 shows the result of the tool when a site does utilize flash cookies for tracking on its primary domain but not from a secondary domain:

Figure 11: Primary domain cookies

Figure #12 shows the result of the tool when a site not only utilizes flash cookies itself but also has secondary domains from other companies using flash cookies:

Figure 12: Primary and Secondary domain cookies

Figure #13 shows information about the policies provided by the company in reference to their tracking cookies:

Figure 13: Company Policies

One thing to note is that Flash-based advertisements also have the ability to save LSOs. This is important because in some cases we can't necessarily conclude that it was the user's intent to access the domain. The origin of the LSO is often obvious, but further testing or additional artifacts may be necessary to make any definitive conclusions.

Figure 14: Example of flash-based advertising LSO

Analysis of flash cookies

In this section of the paper, flash cookies that were created in Action Message Format 0 (AMF0) were parsed using Kristinn Gudjonsson’s SOLCAT tool. Action Message Format (AMF) is a compact binary format that is used to serialize ActionScript object graphs. Once serialized, an AMF encoded object graph may be used to persist and retrieve the public state of an application across sessions or allow two endpoints to communicate through the exchange of strongly typed data. AMF was introduced in Flash Player 6 in 2001 and remained unchanged with the introduction of ActionScript 2.0 in Flash Player 7.
The version header of this format was set to 0 and thus this version of the format is referred to as AMF 0.

NOTE: In Flash Player 9 a new version of AMF was introduced to coincide with the release of ActionScript 3.0 and a new ActionScript Virtual Machine (AVM+), namely AMF 3. AMF 0, however, continues to be supported in all versions of the Flash Player from Flash Player 6 onwards.

The SOLCAT tool uses Perl to parse the contents of a flash cookie. The version of Perl installed on test machine two is ActivePerl version 5.12.2 build 1203 (64-bit). The tool was unable to parse AMF3 flash cookies and produced the following error message when run against this type of cookie:

Figure 15: Results of parsing AMF 3 file via SOLCAT

When SOLCAT can successfully parse a flash cookie, the output is shown below:

Figure 16: Results of parsing a flash cookie via SOLCAT

A future revision of the tool will include support for AMF 3.0 flash cookies.

Another tool used to parse raw flash cookies was the Edit Plus text editor by ES-Computing. Edit Plus converted the flash cookie into hexadecimal (Hex) format. Most flash cookies that are stored on the computer provide information on settings applicable to the multi-media component of flash (audio, video or game settings) and do not present a privacy concern. A sample of a settings flash cookie is below:

Figure 17: Settings flash cookie

However, in the course of research there were several cookies from different companies that could raise privacy or system integrity concerns. One of the flash cookies traced the geographic location of the Internet protocol (IP) address used to visit the site and customized news articles based on that particular location.

Figure 18: Cookie that details geographical information

Another flash cookie stored the actual computer IP address and some random numbers.
Upon further research on the Internet, this particular flash cookie was found to relate to an online banking phishing scam related to MBNA, which was sold to Bank of America in 2005.

Figure 19: Flash cookie with computer IP address

Another set of interesting flash cookies came from MSN and SpicyNodes. These websites had extensive data that provide information on how their specific sites interact with flash.

Figure 20: Spicy Nodes flash cookies
Figure 21: MSN flash cookies

By far the most interesting cookies came from two on-line radio services: Pandora and Rhapsody. These companies have different flash cookies that provide a variety of information about the individual who is using their service. Information other than volume includes the station listened to, total time on the service, the password expiration setting and whether or not the computer or individual has an active or valid account.

Figure 22: Pandora’s flash cookie #1
Figure 23: Pandora’s flash cookie #2
Figure 24: Rhapsody flash cookie

Like on-line (streaming) radio stations, video sites that use flash cookies have interesting information as well. The screenshot below is from -a company that creates video for personal and professional use:

Figure 25: Contents of flash cookie

Their flash cookie provides information about the user's birthday, stream status, whether or not the video is played in full screen and whether autopopup has been enabled.

These tools can provide some basic analysis of flash cookies that can start a more in-depth forensic analysis. In Section 8, more advanced tools will be provided to help with forensic analysis of flash cookies. With all the information that can be stored in flash cookies, what are the issues of that data being exposed and released to unauthorized parties without permission?

Risk and privacy concerns of using flash cookies

The use in recent years of cookies by advertising firms and E-tailers is well known and well documented. The result has been heightened concern for the risk that they presented.
This concern has been amplified by the lengths that these firms have gone to in gathering information and their willingness to share this information with others in the name of profit. As awareness grew, so did interest in preventing or mitigating the use of cookies. Browser vendors have added or upgraded features to better control cookies, and third-party software appeared that supplemented browser controls and/or simplified the process of removing cookies.

In addition, advertisers have since turned to the Local Stored Object feature of the Adobe Flash Player as a way to get around existing privacy controls. Since flash cookies are not stored in the same location as http cookies, few tools could find and control them. They could hold more information and a wider variety of information. Ever wonder why, when playing a flash movie, the volume on your PC is louder than what you had set it at? How about when you log in to your favorite online game and your current player configuration and status are readily available? Flash cookies store that information on the local machine.

In 2009 a research group at the University of Berkeley headed by Ashkan Soltani performed a first-of-its-kind study of flash cookies. After evaluating the top 100 websites, the group found extensive use of flash cookies for identifying and tracking users' browsing. One particularly disturbing trend that was discovered was the use of flash cookies to “re-spawn” HTTP cookies. There are significant privacy concerns with regard to Flash cookies. They can store more information than an HTTP cookie. The default size limit is 100K but can be changed to hold more data. What kind of data?
One company, Disney, has been accused of using flash cookies to obtain information on visitors to its website, largely children, such as viewing choices, gender, age, race, number of children, educational level, geographic location, household income, what the user looked at, what the user bought, the materials the user read, details about financial situation, sexual preference, name, home address, email address, telephone number, health conditions etc. Another company, RapLeaf, openly admits to collecting information in 400 different categories such as household income range, age range, political leaning, and gender and age of children in the household, as well as interests in topics including religion, the Bible, gambling, tobacco, adult entertainment and "get rich quick". They also admit to retaining user names in their databases. While the company insists that it does not hand out those names, only related, generic “ID numbers”, it is known that the customers of several users of RapLeaf’s services were singled out by name for targeted marketing and online advertising.

Another issue deals with how retailers protect the collected personal information. Advertising companies have to store the data somewhere for easy access. This means a computer database is somewhere on their network. What protections are in place? Is the network secure? How about the database? How are they transmitting the data securely to their customers? Are they auditing their security? Are they complying with security requirements or standards like PCI for credit card data or HIPAA if the data is medical related? With a couple of exceptions, it is not generally known what information is being stored by advertising companies.

This leads to the question: have any of these companies been breached by hackers? If they are reluctant to share information on what they are routinely doing, would they share information if they were hacked and lost personal information?
After all, many of the various categories of information that are known to be collected might not be covered by the various breach laws. So, if a breach occurred, the company might try to justify not disclosing it.

The concerns about privacy and information extend to the user's system and the information stored in the flash cookies used by advertising companies. Since flash cookies have no expiration date, the data they contain can reside indefinitely on the user’s computer unbeknownst to the user. But a hacker with knowledge of where they are stored can access them and retrieve the information. There are also the risks that flash cookies can be used maliciously. Some flash cookies can record keystrokes according to research supported by the Wall Street Journal.

Another researcher has shown that http session cloning is possible when user session information is included in a flash cookie. Another researcher, Billy Rios, demonstrated how to bypass the Flash Player’s sandbox feature to transfer stolen information to another system. In his research he discovered that Adobe uses protocol handler blacklists to prevent network access. By finding a protocol handler that is not blacklisted (e.g. MHTML:), information can be passed in a flash cookie across the network to the attacker’s server.

The ability to invoke commands in flash cookies that can change the settings and behavior of operating system components borders on Trojan-like. The behavior of flash cookies and the way companies are using them to gather information on users is at the center of a number of lawsuits filed against online advertising companies and websites like Quantcast, Clearspring and Disney. The Disney suit in particular detailed significant and specific information and referred to the cookies as “Zombie” cookies. In response, several companies defended their use of flash cookies and the information they collected, claiming that users wanted the enhanced browsing experience.
One of the advertising companies named in the lawsuits, Quantcast, immediately stopped using flash cookies and “re-spawning.”

Privacy groups have applauded the suits. The Federal Trade Commission, currently the primary Federal government enforcement agency for privacy, recently released a draft report calling for a privacy framework to be implemented. Amongst the various recommendations is the ability of users to opt out of online tracking, much like the Do Not Call registry for telemarketing. While the framework offers some significant progress towards offering privacy protection, it is still not mandated and is offered as a voluntary option. It is generally felt that as long as self-regulation is the norm it will be difficult to rein in online collection of Internet users' information.

However, there are signs of change. One advertising industry group is the Network Advertising Initiative (NAI). Their goal is to promote consumer privacy education; to that end they have developed an Opt Out tool that gives users the ability to opt out of tracking by member advertising networks. While the tool was not reviewed for this paper, its main limitation is that it only works with NAI member companies. Public backlash over flash cookies appears to have had an effect in other ways. Research released this February by researchers at Carnegie Mellon revisited the original work by the University of Berkeley. The team evaluated the same top 100 websites and included randomly selected websites from an additional group of 500. They evaluated routine flash cookies and also focused on flash cookie re-spawning. While their methodology was different from that of the Berkeley team, they showed a marked reduction in the number of sites using flash cookies and a general reduction in the number of sites using re-spawning.

Private browsing mode

Even though the practice of flash cookie “respawning” has decreased, privacy advocates' and Internet users’ complaints have grown over the use of tracking cookies.
In the past two years, each major browser has added a private browsing mode to its user interface. This feature is called InPrivate (Internet Explorer), Private Browsing (Firefox and Safari) and Incognito (Chrome). Support for the private browsing feature is in Internet Explorer version 8.0 or higher, Firefox 3.5, Safari version 4 and Google Chrome 5 or later.

Loosely speaking, private browsing mode has two goals. First and foremost, sites visited while browsing in private mode should leave no trace on the user’s computer. Second, users may want to hide their identity from web sites they visit by, for example, making it difficult for web sites to link the user’s activities in private mode to the user’s activities in public mode. While all major browsers support private browsing, there is a great deal of inconsistency in the type of privacy provided by the different browsers. Firefox and Chrome, for example, attempt to protect against a local attacker and take some steps to protect against a web attacker, while the Safari browser only protects against a local attacker. In addition, each browser has varying support for plugins (add-ons) and extensions that could break the security provided in private browsing mode. Later in the paper, browser plug-ins and the results of forensic analysis of Microsoft’s InPrivate Browsing will be provided.

Use of DOS commands to find and delete cookies

Microsoft has by default hidden the browser cookie directory location. Internet Explorer stores browser cookies as text files which have the file extension *.txt.
In order to view the presence of browser cookies on your computer without needing local administrator rights, an individual can execute the following command from a DOS (command) prompt:

Figure 26: Listing of http cookies

Results can be piped to a file by executing the following command:

Figure 27: Piping command example

Because cookies are linked to each individual who logs in to a particular computer, you can further refine the command in this manner:

Figure 28: Results of refined search

On Windows computers, the Macromedia folder which stores flash cookies may not be marked hidden by default. Flash cookies are files that have the *.sol file extension. To view all flash cookies on your computer, run the following command:

dir *.sol /A:H /A:S /A-H /A-S /S

Figure 29: Listing of LSO files outside “regular” location

Figure 30: Listing of LSO files in “traditional” location

As you can see from the above screenshots, flash cookies are not just stored in the traditional location but can be located elsewhere. In this case, Wild Tangent stores their flash cookies in separate directories for each on-line game the user downloads to their computer.
In response to the fact that flash cookies are not easily deleted, several individuals who responded to Bruce Schneier’s blog post on flash cookies documented ways to automate the process of deleting flash cookies in a variety of situations.

Post by Angus S-F at August 17, 2009 3:24 PM

In Windows XP, the following lines saved to a batch file will kill Flash Cookies:

======================
:: nuke any existing cookies and subdirectories
rd /q/s "%APPDATA%\Macromedia\Flash Player\#SharedObjects\"
md "%APPDATA%\Macromedia\Flash Player\#SharedObjects\"
rd /q/s "%APPDATA%\Macromedia\Flash Player\\support\flashplayer\sys"
md "%APPDATA%\Macromedia\Flash Player\\support\flashplayer\sys"
======================

After creating the file "KillFlashCookies.cmd," go into Windows and create a “scheduled task” to delete flash cookies on a regular basis.

Posted by: Psuedo at August 17, 2009 9:23 AM

Under Linux, something akin to the following and run at login can be used as a partial solution (at your own risk, etc.):

#!/bin/bash
# DEBUG prefixes each command with echo (dry run); switch to the empty
# value on the commented line to really shred and remove the files.
DEBUG="/bin/echo "
#DEBUG=""
RM="/bin/rm"
SHRED="/usr/bin/shred"
FIND="/usr/bin/find"

# Overwrite every file under the directory, then remove the directory tree.
function shred_dir {
    DIR="${1}"
    nice ${FIND} "${DIR}" -type f -exec ${DEBUG}${SHRED} -n3 -fzu {} +
    nice ${DEBUG} ${RM} -rf "${DIR}"
}

shred_dir "${HOME}/.macromedia"
shred_dir "${HOME}/.adobe"

To illustrate that flash cookies can be deleted from a DOS prompt, the following command was run:

del *.sol /S

Figure 31: Results of delete command on LSO

To verify that flash cookies were deleted from the system, the following command was run:

dir *.sol /s

Figure 32: Results of search after LSO files were deleted

Tools to Address Flash Cookies

As the issue of flash cookies has become more commonplace, more and more software tools have been created, and existing ones modified, to address detecting and managing flash cookies. For the purpose of this paper we have grouped these tools into three general categories: detection, management and evaluation. This list is by no means all-inclusive.
Due to time constraints, the most popular tools in these categories were selected for review. Appendix A provides a listing of tools that were discovered during the research phase and are available to delete, manage and analyze flash cookies.

Testing Methodology

The first test bed system is an AMD X2 laptop with 4 GB of memory. A fresh install of Windows 7 and Office 2007 was done and the only added software was Microsoft Security Essentials Antivirus and Mobile Stream’s EasyTether Lite software to facilitate Internet connectivity through an Android cell phone. Additionally, the latest versions of Mozilla Firefox and Google Chrome were installed to support testing browser add-ons and plugins.

The second test bed system is a Windows 7 Professional system running a full suite of applications and using Windows Internet Explorer as the primary browser. Additional testing was performed using Microsoft Virtual PC (running XP Mode) with the Google Chrome and Firefox browsers. These systems were geographically located on opposite sides of the country, so it was decided to review the flash cookies that were presented by the websites to see if there were any differences due to geographic location.

A system restore point was set in Windows prior to the installation or, in the case of standalone software, use of each software package. If a virtual machine was utilized, a snapshot was created. As the software was installed and/or used on test system #1, Microsoft Sysinternals Process Monitor was run to monitor background activity. Of particular interest was what, if any, attempts were made by websites to place flash cookies or other content in areas other than the known and designated ones, or to make changes to the registry.

Depending on the tool category, the methodology for collecting flash cookies varied. While browsing websites, HTTP Analyzer by IE Inspector was run. HTTP Analyzer functions as an HTTP/HTTPS sniffer, parsing and displaying only HTTP/HTTPS packets.
The packet capture was saved for later review after each tool was tested. Once testing with a product was complete, the product was uninstalled, the HTTP and flash cookies were removed and the system was reset to a pristine state by invoking the system restore point or the snapshot previously set. The packet capture and files generated by the Sysinternals tools were saved for later review after each tool was tested.

In the case of the detection tools, most were detect and delete. The goal was to see if they could effectively find and remove all flash cookies. A random set of websites was browsed by the researchers and no fewer than 5 pages were accessed from each site. After the browsing was completed, a randomly selected Flash Player domain in C:\Documents and Settings\%User%\Application Data\Macromedia\Flash Player\#SharedObjects was copied, with its flash cookies and settings cookie, to the user’s My Documents folder and the Windows\System folder. An additional copy was placed on the D: drive of test bed system 1.

The detection tool was then run to see if it could first find all the cookie files that were located on the system drive and, when applicable, the D: drive. If the delete ability was available, the tool was tested to see if it could completely delete all discovered cookies. If the ability to manually delete was available, it was also tested.

For the second test machine, two new directories called httpcooies2 and sol2 were created to hold copies of the http and flash cookies respectively. On both machines, http cookies were saved by the operating system in a hidden directory (cookies) that only became visible after changing the attribute on the main (primary) user profile within Microsoft Windows. These directories were then copied over to the host operating system for analysis. To ensure “clean” results, cookies were deleted by using one specific tool, Piriform’s CCleaner.
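The relocated-copy test described above, like the earlier dir *.sol /S search, comes down to walking the whole drive instead of only the default Flash Player folders. The following Python script is an added example, not part of the original paper or of any tool reviewed in it; the directory names, example.com and the vendor-dir placeholder are constructed, and the #SharedObjects/<random dir>/<domain> and flashplayer/sys/#<domain> layouts are assumptions about the default store.

```python
"""Find Flash LSO (*.sol) files anywhere under a root and flag non-default locations."""
import os
import tempfile
from pathlib import Path


def looks_like_sol(path):
    """Check the file header (00 BF, 4-byte length, 'TCSO'), not just the name."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(10)
    except OSError:
        return False
    return head[:2] == b"\x00\xbf" and head[6:10] == b"TCSO"


def classify(path):
    """Return (location, domain) from the directory layout (assumed layouts):

    default:  ...#SharedObjects/<random dir>/<domain>/.../<name>.sol
    settings: ...flashplayer/sys/#<domain>/settings.sol
    """
    parts = Path(path).parts
    low = [p.lower() for p in parts]
    if "#sharedobjects" in low:
        i = low.index("#sharedobjects")
        domain = parts[i + 2] if len(parts) > i + 3 else None
        return "default", domain
    for i in range(len(low) - 2):
        if low[i] == "flashplayer" and low[i + 1] == "sys":
            nxt = parts[i + 2]
            return "settings", (nxt.lstrip("#") if nxt.startswith("#") else None)
    return "non-default", None


def scan(root):
    """Walk the whole tree, as `dir *.sol /S` does from the starting folder."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            location, domain = classify(rel)
            findings.append({
                "path": rel.replace(os.sep, "/"),
                "location": location,
                "domain": domain,
                "valid_header": looks_like_sol(full),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed test bed: default store, settings store and relocated copies."""
    name = b"player"
    body = (b"TCSO\x00\x04\x00\x00\x00\x00"
            + len(name).to_bytes(2, "big") + name + b"\x00" * 4)
    sol = b"\x00\xbf" + len(body).to_bytes(4, "big") + body
    flash = "AppData/Macromedia/Flash Player"
    files = {
        flash + "/#SharedObjects/QX7L2K9A/example.com/player.sol": sol,
        # vendor-dir is a placeholder for the path component the paper's listing omits
        flash + "/vendor-dir/support/flashplayer/sys/#example.com/settings.sol": sol,
        "My Documents/example.com/player.sol": sol,       # relocated copy
        "Games/ExampleGame/save.sol": sol,                # vendor-specific folder
        "Notes/readme.sol": b"plain text, not an LSO",    # matches on extension only
    }
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Build the constructed tree in a temporary folder and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for f in demo():
        print(f["location"], f["valid_header"], f["domain"], f["path"], sep="\t")
```

A tool that only looks in the default store would report two of the four genuine LSO files in this tree; the header check separates those four from the file that merely carries the .sol extension.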
Detection tools

Tools in this category are designed to detect the presence of flash cookies. Most include the ability to arbitrarily delete discovered cookies. Our paper documents the use of the following tools: Flash Cookie Cleaner, Cookienator, FlashCookiesView and Clear All History.

Flash Cookie Cleaner

Flash Cookie Cleaner is a flash cookie utility created in 2009 by ConsumerSoft. The company builds utility applications for PCs and mobile devices. The program is simple and easy to use and is a good option for an average user. The software is a self-contained executable and does not need to be installed in Windows. It detects and will delete flash cookies, persistent internet cookies (PIE) and other local shared objects (DOM, Silverlight, etc.). When the program is executed, it does an initial scan and lets you know how many cookies and domains were found.

Figure 33: Main Screen

When started it displays its main screen, which has three buttons. The Scan button, when clicked, will scan for flash cookies. Because the software scans the hard drive and lists its findings when it starts up, the button is only useful for re-scanning.

Selecting the View Cookies button will open a Windows Explorer window on the #SharedObjects folder containing the content cookies. The user can view and delete individual flash cookie folders from this window.

Figure 34: #SharedObjects Folder

Selecting the Delete Cookies button will produce a popup asking to confirm the deletion and then, when the Yes button is pushed, delete all flash cookies from the #SharedObjects folder and the flash cookies from the ...flashplayer\sys folder.

Figure 35: Delete popup window

The software cannot find cookies in folders other than the default folders.

Cookienator

As the name implies, it will detect cookies stored on your local computer. The original program was created in 2007 and the current version is 2.6.41.
Cookienator is lightweight; it's a single executable that you install on your computer. When run, it will tell you how many cookies it would like to remove. The program not only detects cookies but cleans them as well. It is not limited to flash cookies: it can also detect and delete http cookies for specific browsers. Cookienator will only locate cookies in the default storage location and does not provide the option to change it. The initial screen provides the menu of items that can be done with the tool: 1) show details of the cookie search, 2) clean now without reviewing, 3) Options, which lists the cookies that you would like to detect and then delete from the system.

Figure 36:
Figure 37: Discovered cookies
Figure 38: Configuration page

Cookienator also provides the option to delete cookies automatically. This can be done on a daily, weekly or monthly basis, and the longest time between deletions is 30 weeks.

Figure 39

FlashCookiesView

This tool was created as freeware by Nir Sofer. The program is a small utility that displays the list of cookie files created by the Flash component (Local Shared Object) in your Web browser. For each cookie file, the lower pane of FlashCookiesView displays the content of the file in readable format or as a hex dump. You can also select one or more cookie files, and then copy them to the clipboard, save them to a text/html/xml file or delete them.

FlashCookiesView also provides a way to change the base directory for flash cookies. This way, the program is able to find flash cookies in non-traditional locations. The figures below show how to change the flash cookie location and the results after it was changed.

Figure 40
Figure 41
Figure 42
Figure 43

Clear All History

This program was created by and it can be downloaded separately or as a part of their Privacy Suite. The Privacy Suite's other application is Delete Files Permanently.
Clear All History has the ability to detect and clean cookies along with other Internet artifacts. The program runs on 32-bit and 64-bit operating systems starting with Windows 98 and also supports Windows 7. Browser support includes Firefox, Chrome, AOL Explorer and Internet Explorer, among others. According to its website, Clear All History completely clears all history traces of your Internet activity including browsing history, cache, cookies, form AutoComplete, Address Bar history, search history and index.dat files. It supports Internet Explorer, MSN Explorer, Firefox, Safari, AOL Explorer (AOL browser), Maxthon (MyIE2), Opera, Netscape, Mozilla and Google Chrome.

Management tools

Tools in this category can detect flash cookies but also include functions to manage them, such as blocking and allowing cookie placement on the user’s system or selectively deleting them.

Adobe Flash Player Settings Manager

Created by Adobe, the Flash Player Settings Manager provides an easy interface through which the end user can manage what the Flash Player is able to do.

The Settings Manager has an unusual configuration. While the utility is installed locally, access to the interface can only be achieved while on the Internet. While on a website flash object, a user can right click and access the Adobe webpage containing the Settings Manager interface. The user can also access the Adobe interface webpage directly.

Figure 44: Opening Page

The interface tabs are shown below; there are a total of eight tabs in the interface. They cover a wide variety of settings that control how Flash Player operates; four are considered Global settings.

Figure 45: Global Privacy Settings
Figure 46: Global Storage Settings

The Global Privacy Settings affect how flash objects can interface with and control your camera and microphone. The Global Storage Settings are where the setting of flash cookies by websites is controlled.
Setting the slider to 0 KB is the same as blocking website flash cookies from being written to the local system.

Figure 47: Global Security Settings
Figure 48: Global Notification Settings

The Global Security Settings address the cross-domain policy. A cookie normally can only be accessed by the website domain that created it. However, the policy can be set to allow other domains to access cookies that they did not create.

Figure 49: Website Privacy Settings
Figure 50: Website Storage Settings

These two tabs (above) appear to duplicate the settings of the first two tabs and can confuse users trying to manage their privacy. The settings here are on a per-website basis and are where the user can set the camera and microphone settings and create a blacklist or whitelist for website caching.

Figure 51: Peer Assisted Networking Settings
Figure 52: Protect Content Playback

While the Adobe Flash Player Settings Manager has a comprehensive group of privacy settings, it tends to be confusing to an average user. Even the online instructions are a little vague. With this in mind, Adobe recently announced plans to upgrade the interface to make it easier to understand and to integrate it into the Flash Player client rather than using a web page to access it.

MAXA Cookie Manager

The tool was developed in 2007 by Maxa Research International, Inc., which maintains it, to address flash cookies and HTTP cookies. Additionally, it can manage DOM and Silverlight “super cookies”. The utility can manage the cookies, history and browser cache for a wide variety of popular browsers. It looks for cookies in their default locations and cannot change the search directories.
After the software is installed, the user is presented with a first-time setup wizard that walks through an initial setup.

Figure 53: Websites
Figure 54: Browsers
Figure 55: Additional Settings

On the first screen the user selects from the displayed websites those that they access regularly. On the second screen Cookie Manager determines which browsers are installed and configures itself to manage their cookies. On the third screen it prompts the user about using sounds and running automatically. When running automatically is selected, the software creates a registry entry so that it can start up as a terminate and stay resident (TSR) program. This enables it to monitor cookie activity in the background on the user’s system. This feature will periodically generate popups when Cookie Manager discovers new cookies and web bugs.

Figure 56: Initial Findings
Figure 57: Web bug domains

After the setup, Cookie Manager goes through an initial scan for cookies and displays the results. Clicking on Show web bug domains opens up a window in the popup allowing the user to review installed cookie domains. The user can then use the Delete, Delete and Block, and Ignore and investigate manually buttons to take action on their web bugs.

After making the selection, the user is presented with the main screen of Cookie Manager.

Figure 58: Main Screen

Working from this screen the user can manage and evaluate all cookies discovered by Cookie Manager. The Online Privacy Test and the Cookie diagnostics buttons connect back to the Maxa website to evaluate the user’s system. The Online Privacy Test evaluates the data that can be extracted from the system.

The Cookie diagnostics will connect to the website, which will attempt to set various cookies on the user’s system. The cookies will then show up in the main screen of Cookie Manager.
This feature is useful for confirming the functionality of Cookie Manager and testing its ability to block and allow specific cookies.

Figure 59: Cookie Diagnostics

The blocking function is accessed through the block website icon on the main page. This brings up the configuration window where specific websites can be blocked and the different cookies can be configured to be denied or allowed, including browser-specific cookies. In testing, the configured block lists effectively prevented the setting of cookies from the configured websites and of the configured cookie types when Cookie Manager was running.

Using the Evaluate button on the main page, Cookie Manager will rate the cookies based on their privacy risk. This gives the user an easy way to identify which cookies to be concerned with.

Figure 60: Blocked Sites
Figure 61: Cookie Evaluation Results

Individual cookies can be selected from the main window. Doing so will highlight the View Details and Delete buttons. Selecting the View Details button brings up a popup window showing detailed information on and in the cookie. The Delete button is used to delete the selected cookies.

The Clean history and cache button opens an interface for the browsing history of all installed browsers and Flash Player. The Settings button brings up a settings popup window which includes a tab for configuring automatic deletion.

Figure 62: Cookie Details

CCleaner

This tool is the “Swiss army knife” of the computer management world. CCleaner not only detects all types of cookies, it will manage them as well. The user can configure the program to delete all cookies or specify which flash cookies to keep on the system. As one of the most popular tools used today, it not only detects and cleans flash cookies but has the capability to manage the operating system as well (e.g. repair issues with the computer registry and manage Windows start-up programs).
CCleaner is a product from Piriform and has been detecting flash cookies since version 2.19.901 (May 2009).

Unfortunately, the program cannot be configured to detect flash cookies outside the standard location.

When the program is started, it has default options that will be run when the Analyze button is selected. If you want the program to run other options, those options will need to be checked. For the purpose of checking for flash cookies, the default program options are sufficient.

Figure 63: Main Screen

Once the Analyze button is pressed, the program performs a scan for all data that meets the criteria selected, but it does not delete the items until the “Run Cleaner” button is pressed. The figures below show the complete results, although by default the program is set to show a summary.

Figure 64:
Figure 65:

After the Run Cleaner button has been selected, the system will show that cleaning has been completed along with details of the files deleted.

Figure 66:

CCleaner provides the ability to select which cookies the system saves or deletes. By default, CCleaner will delete all cookies found on the system.

Figure 67:

Forensic analysis of flash cookies

There are not many tools that are geared specifically towards performing forensic analysis on flash cookies. Research has found that forensic analysis tools are geared towards http cookies instead of flash cookies. Forensic specialists use cookies as an important artifact to determine the websites visited from the computer. The majority of the tools are geared towards examining Internet history files (index.dat) or recovering deleted temporary internet files. Depending on the tool, information can be exported into commercial forensic software (EnCase). To perform advanced analysis of flash cookies, a mixture of tools created for other purposes was utilized to determine their usefulness on flash cookies: SOLCAT, Galleta, SoLve and NetAnalysis.
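To show what an examiner is looking at inside a flash cookie, the following Python reader is an added example, not code from the paper or from any of the tools named above. It assumes the commonly documented .sol layout (00 BF magic, 4-byte length, "TCSO", object name, AMF version) and handles AMF0 bodies only; the sample file and its uid value are constructed.

```python
"""Minimal reader for AMF0-encoded Flash .sol files: header plus simple value types."""
import struct


class SolError(ValueError):
    """Raised when the bytes do not follow the SOL/AMF0 layout."""


class Reader:
    """Bounds-checked cursor over the file bytes (all integers are big-endian)."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise SolError("truncated at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def utf(self):
        (length,) = struct.unpack(">H", self.take(2))
        return self.take(length).decode("utf-8", "replace")


def read_pairs(r):
    """Read name/value pairs until the empty name + 0x09 object-end marker."""
    out = {}
    while True:
        key = r.utf()
        if key == "":
            if r.u8() != 0x09:
                raise SolError("missing object-end marker")
            return out
        out[key] = read_value(r)


def read_value(r):
    marker = r.u8()
    if marker == 0x00:                       # Number: IEEE-754 double
        return struct.unpack(">d", r.take(8))[0]
    if marker == 0x01:                       # Boolean
        return r.u8() != 0
    if marker == 0x02:                       # String
        return r.utf()
    if marker in (0x03, 0x08):               # Object / Array (ECMA)
        if marker == 0x08:
            r.take(4)                        # declared element count, not trusted
        return read_pairs(r)
    if marker in (0x05, 0x06):               # Null / Undefined
        return None
    raise SolError("unsupported AMF0 type 0x%02x" % marker)


def parse_sol(data):
    """Return the object name, a length-field check and the decoded variables."""
    r = Reader(data)
    if r.take(2) != b"\x00\xbf":
        raise SolError("bad magic bytes")
    declared = struct.unpack(">I", r.take(4))[0]
    if r.take(4) != b"TCSO":
        raise SolError("missing TCSO signature")
    r.take(6)                                # fixed bytes 00 04 00 00 00 00
    name = r.utf()                           # shared object name
    r.take(3)                                # padding
    amf = r.u8()                             # 0 = AMF0, 3 = AMF3
    if amf != 0:
        raise SolError("AMF%d body not handled by this example" % amf)
    values = {}
    while r.pos < len(data):
        key = r.utf()
        values[key] = read_value(r)
        r.take(1)                            # one 0x00 byte ends each variable
    return {"name": name, "length_ok": declared == len(data) - 6, "values": values}


def _s(text):
    """Encode a length-prefixed UTF-8 string as used throughout the format."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_sample():
    """Constructed sample: a 'settings' object that carries a tracking-style ID."""
    body = b"TCSO\x00\x04\x00\x00\x00\x00" + _s("settings") + b"\x00\x00\x00\x00"
    body += _s("volume") + b"\x00" + struct.pack(">d", 0.8) + b"\x00"
    body += _s("muted") + b"\x01\x00" + b"\x00"
    body += _s("uid") + b"\x02" + _s("constructed-id-0001") + b"\x00"
    body += _s("prefs") + b"\x03" + _s("lang") + b"\x02" + _s("en") + b"\x00\x00\x09\x00"
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body
```

Calling parse_sol(build_sample()) returns the object name and a dictionary of its variables; a persistent identifier such as the constructed uid string is the kind of value that makes a flash cookie relevant to tracking and to an examiner reconstructing activity.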
Tools in this category are designed to convert the binary format of the different Adobe Action Message Format versions into a readable format, using specific fields within the file to parse the data into a graphical user interface (GUI).

Galleta

Keith Jones, while an employee at Foundstone (now owned by McAfee), created Galleta, a tool for cookie analysis. The tool was created to give computer crime investigators the ability to recreate a subject's Internet Explorer cookie files. Because this analysis technique is executed regularly, we researched the structure of the data found in the cookie files. Galleta, the Spanish word meaning "cookie", was developed to examine the contents of a cookie file. Galleta will parse the information in a cookie file and output the results in a field-delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Because the analysis machine is Windows-based, the Galleta tool was used under Cygwin. Cygwin is a collection of tools which provides a Linux look-and-feel environment for Windows. The program’s dynamic link library (DLL) acts as a Linux API layer providing substantial Linux API functionality. The Cygwin DLL (cygwin1.dll) currently works with all recent, commercially released 32-bit and 64-bit versions of Windows except Windows CE.

Galleta was created to parse http cookies but it is useful for flash cookies as well. The program is run under a DOS-like command prompt and uses Linux commands. If you are unsure how the program is run, type ./galleta and usage instructions are provided.
Figure 68: Galleta command

Since the tool was not created for analysis of flash cookies, below is a screenshot of the tool when it is not able to analyze the flash cookie file:

Figure 69: Galleta unable to run flash cookie

When the tool is able to successfully parse a cookie, the information is displayed on the screen in this manner:

Figure 70: Galleta success

Galleta provides the ability to send its results to a text file, and the data can be viewed in a text editor.

Figure 71: Galleta sending results to text file

Adding the -d switch allows the data to be imported into Microsoft Excel as comma separated values (CSV). Below are the results of Galleta when the -d switch has been used.

Figure 72: Results of using -d command

SoLve

Another tool that is helpful in performing forensic analysis on a flash cookie is SoLve. The tool was created in 2004 by Darron Schall and is an open-source executable that uses Java. Outside of having Java on the computer, no additional software besides the executable is required. The only limitation of the tool is that it will only open flash cookies that have the following data types: Number, Boolean, String, Object, Null, Undefined and Array.

When a file cannot be opened, the following error message is generated on the screen:

Figure 73:

The figures below show the information that can be obtained from the program:

Figure 74:
Figure 75:

NetAnalysis version 1.5

The final tool in this section is from Digital Detective and is called NetAnalysis. According to their website, NetAnalysis has become the industry standard software for the recovery and analysis of Internet browser artifacts. It was developed in 2001 by a digital forensics practitioner working for a police Digital Forensics Unit in the United Kingdom. This tool has many different functions, including Internet history extraction and cookie analysis. Additionally, a separate tool called HstEx3 (history extractor) can be used to extract deleted data.
Figure 76: NetAnalysis cookie viewer

This window shows the Cookie Viewer activated, with the examiner selecting a cookie record in the main grid. If the cookie records are exported from your main forensic tool, along with the index files, NetAnalysis will be able to show the content of those files as well.

Forensic Analysis of Microsoft Internet In-Private Browsing

As mentioned earlier in the paper, all major browsers (Internet Explorer, Firefox, Chrome and Safari) have some type of private browsing mode. This feature was added recently to address the privacy concerns that surround the use of flash cookies. Microsoft’s implementation is called In-Private Browsing, and it was selected to find out how “private” the browsing session was for the user. Several websites were visited to determine what files, if any, ended up on the local computer. Sites that were visited are: , , , , , , and .

In some respects, Microsoft’s version of private browsing did offer some level of privacy, as flash cookies (*.sol) from the websites visited did not get saved to the local computer. However, that does not mean that no other files are saved on the computer that can be used by forensic investigators to reconstruct Internet activity. Files that are saved while using Internet Explorer In-Private browsing include the following file extensions: *.gif, *.png, *.jpg, *.js, *.swf, *.css, *.xml, *.aspx, and *.htm. Two tools were used to verify that files were saved to the local computer while using In-Private Browsing mode: CCleaner and NetAnalysis v1.52.
CCleaner showed that files had been saved and could be deleted from the system.

The figure below shows a snapshot of the files that CCleaner would be able to clean if the “Run cleaner” option was executed.

Figure 77: CCleaner Scan Results

NetAnalysis was used to see if the local computer had the necessary files to reconstruct Internet history while using In-Private Browsing.

There were enough files present on the local computer that the program was able to recreate Internet activity for the specific timeframe in which In-Private browsing was conducted.

Figure 78: NetAnalysis Results

Special note: Besides the files from the primary website visited, data from third-party sites was saved on the computer as well.

Browser based plugin tools

This was considered a separate category since browser add-ons cannot function without the associated browser.

ClearSiteData Plugin API

For a long time most browsers have supported additional third-party functionality through the use of plugins. This was particularly true of Netscape-based browsers that took advantage of plugin functionality provided by the Netscape Application Programming Interface (NPAPI). Even Internet Explorer up to version 5.5 supported NPAPI. NPAPI works by receiving declared content types from the plugin and requiring the browser to set aside content space for the plugin to work in. This API functionality has allowed developers to contribute additional features to the browser without actually having to program the feature into the browser’s code. Also, the Mozilla browser community in particular has embraced the capability provided by NPAPI to add a wide variety of “features” to the default Firefox browser.

In January of 2011 Adobe, Mozilla, and Google announced the release of a new browser API, NPAPI ClearSiteData. With it comes the ability for browsers to natively delete flash cookies and clear local storage objects from the system.
The API consists of a series of methods that function once an associated plugin is initialized; the methods support detection and clearing of data.

Firefox BetterPrivacy Plugin

Better Privacy was developed by NettiCat and the first version was introduced in 2008. The current version is 1.48.3 and was released on July 29, 2010. It was developed specifically to address Local Storage Objects like flash cookies.

The plugin installs as an add-on to Firefox and adds a Better Privacy menu item to the Tools menu in Firefox. Clicking on the Better Privacy link brings up the interface below.

Figure 79: Better Privacy LSO Manager tab

One immediate and unique feature is the Flash-Data Directory form field on the LSO Manager tab. This gives the plugin the ability to scan directories other than the flash default directories for flash objects and other types of LSOs. When set to the root of the C: drive, Better Privacy scanned and located every flash object on the drive, including the flash objects relocated to the My Documents folder for testing.

Figure 80: Cookie discovered in user Documents folder

At the bottom of the LSO Manager tab, four buttons control deletion of LSOs, including setting a protected LSO list.

The Options and Help tab has additional settings for managing the deletion of Flash LSOs, DOM objects

Figure 81: Options and Help tab

When testing, the following options were set in addition to the defaults:

Also delete Flashplayer default cookie.
On cookie deletion also delete empty cookie folders

Figure 81: Popup 1
Figure 82: Popup 2

Several websites were browsed in Firefox to establish a repository of flash cookies and then Firefox was closed. Upon exiting, the two popups occurred sequentially, the first announcing that Better Privacy was reviewing LSOs and the second advising the user of Better Privacy’s intent to delete LSOs. After restart the Better Privacy LSO list was checked and showed that all LSOs were deleted.
Cross-checking the default Flash folders confirmed that all settings, content, and the Master LSO cookies were deleted. Since the default Flash-Data folder in Better Privacy was set to the C: drive, the LSOs placed in the My Documents folder were checked, and the content LSOs had been deleted.

9. Conclusion

The Internet has become a way of life for many people around the world. From shopping to entertainment, very few people do not have access and conduct some business activity on-line. With the rise in the number of retailers going on-line, a company's web-site has to offer a good experience to entice customers to return. One way to improve the browsing experience is by using cookies. Http cookies allow companies to track your activity while on their site and, when you return, provide that information back to the user. HTTP cookies contain up to 4K of data and can be easily deleted from the computer if a person is worried about data privacy.

Another way to improve the overall Internet browsing experience is through the use of animation, specifically flash movies. The use of flash generates a new cookie called a local storage object (LSO) or flash cookie. This type of cookie can hold up to 100k of data and is not as easy to delete from the computer as a regular http cookie. From a privacy perspective, flash cookies have been known to regenerate data themselves through the concept of re-spawning. Also, no one is sure how the data from LSOs is stored or protected from harm. As a result, several companies have been sued over their use of cookies for tracking purposes.

In the past couple of years, tools have been developed to analyze, detect, and manage cookies on the computer. These tools have incorporated the ability to manage flash cookies as well. If a user has a strong DOS background and appropriate rights, flash cookies can be viewed and deleted from a command prompt.
Further, the major browsers have created browser plug-ins and incorporated a private browsing mode into their programs to alleviate privacy concerns. Even with the private browsing feature, a forensic analyst with the right tools can recreate the Internet history on the computer. For individuals or businesses who are concerned about privacy, restricting the use of the Internet may be the best course of action. If that is not an option, an alternative is to use the private browsing feature offered by your favorite browser and to set up a schedule for automatic cleaning of cookies (http and flash).

10. Acknowledgements

Thanks go out to fellow researchers in the area of flash cookies: Eric Huber, Kristinn Gudjonsson and Aleecia McDonald. They each graciously made time to answer our questions, which helped us in terms of focus, direction and clarification. In addition, Rob Lee of Mandiant was nice enough to answer forensics-related questions, and Jens Mueller, CTO of Maxa, was also willing to answer general questions regarding their company’s product. Finally, Bob Dooling and Matt Deter responded to a discussion board inquiry and pointed us to additional information that they were aware of.

Appendix A: List of Discovered Tools For Use with Flash Cookies

During the course of researching tools for use with flash cookies we came across many free, open source and commercial products. The scope of the project prevented us from evaluating all of these products, so the list below encompasses the tools that were found during the course of our research for our paper.
This list is not all-inclusive and other tools are available.

Detection Tools for Flash Cookies

Clear All History: Developer: Clear All Available at
and Clean: Developer: Available at
Cookie Remover: Developer: Mischel Internet Security Available at Internet Security Ltd
Cookienator: Developer: Marton Anka Available at
Cookie Cleaner: Developer: Consumersoft Available at
Cookies Cleaner: Developer: Mixisoft Available at
’s Cookie Viewer: Developer: Karen Kenworthy Available at

Tools for Flash Cookies

Maxa Cookie Manager: Developer: Maxa Tools Available at
: Developer: Piriform Available at
Clean: Developer: White Canyon Software Available at

to perform analysis activities on flash cookies

Edit Plus Text Editor: Developer: Edit+ Available at:
: Developer: Kristinn Gudjonsson Not currently available to the public
log2timeline: Developer: Kristinn Gudjonsson Available at
: Developer: Darron Schall Available at
: Developer: Keith Jones Available at:
: Developer: Digital Detective Available at:

based plugin tools

Google Chrome

Click and Clean: Developer:
My Opt-Outs: Developer: Google Available at

Mozilla Firefox

Better Privacy: Developer: Netticat Available at
Not Track Header: Developer: Available at
Suite: Developer: Abine Available at
: Developer: Abine Available at
Block: Developer: Lorenzo Coletti Available at
and Clean: Developer: Available at

Appendix B: Websites that use flash cookies

The list below contains websites that have been confirmed through research to utilize flash cookies. This listing is not all-inclusive and is partly based on Quantcast rankings of the top 100 US sites for 2010.

Appendix C: Using Process Monitor and HTTP Analyzer

Process Monitor is a tool created by Sysinternals, which became a Microsoft division after Microsoft purchased the parent company, Winternals, in 2006.
The Sysinternals tools were open source tools that complemented the built-in Microsoft Windows utility tools and extended the ability to analyze and manage Windows.

Process Monitor encompasses two previously standalone tools, Regmon and Filemon, includes additional thread and DLL monitoring, and features some robust filtering capability.

When starting up the utility you are presented with the opening screen, and the utility immediately begins capturing file and registry information. Selecting the Stop (1) and Clear (2) icons halts the information capture. This sets up the interface to begin monitoring.

When monitoring an application while installing and using it, the critical events to look for are object creation, deletion or changes to objects. It is these changes that have an effect on how the system will behave when dealing with a new piece of code. Process Monitor by default captures all registry, file and process events. Parsing through this immense amount of data to locate the specific events related to the application in question can be tedious. Luckily, Process Monitor includes a granular ability to filter the output.

The pre-run filtering can be accessed by selecting Filter from the Menu toolbar and then Filter from the menu. The filter configuration screen opens up. By selecting the dropdown to the left (1), a number of categories are displayed that can be selected from. The conditional dropdown (2) displays a number of conditions to select from. In the event window (3) the specific category event to be filtered can be input, and the option dropdown (4) will present the option to Include or Exclude the event in the filter. The screenshot above shows the include filters that should be set for the file system, registry and processes for the purposes of this project.
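The review described above (finding creation, change and deletion events for flash cookie files in a large capture) can also be done outside the GUI on a capture saved as CSV. The following is an added example, not part of the original paper; it assumes Process Monitor's default CSV columns, and the sample rows, paths and the function names `classify` and `lso_changes` are constructed for illustration.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export; every process, PID and
# path below is made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","iexplore.exe","3120","CreateFile","C:\Users\test\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\AB12\example.test\player.sol","SUCCESS","Disposition: OverwriteIf, OpenResult: Created"
"10:01:02","iexplore.exe","3120","WriteFile","C:\Users\test\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\AB12\example.test\player.sol","SUCCESS","Offset: 0, Length: 84"
"10:01:03","iexplore.exe","3120","CreateFile","C:\Users\test\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\AB12\example.test\player.sol","SUCCESS","Disposition: Open, OpenResult: Opened"
"10:01:04","WlanCU.exe","880","RegSetValue","HKLM\SOFTWARE\Example\Scan","SUCCESS","Type: REG_DWORD, Length: 4"
"10:01:05","WlanCU.exe","880","WriteFile","C:\Temp\cache.sol","SUCCESS","Offset: 0, Length: 10"
"10:02:10","firefox.exe","4011","SetDispositionInformationFile","C:\Users\test\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\AB12\example.test\player.sol","SUCCESS","Delete: True"
"10:02:11","firefox.exe","4011","CreateFile","C:\Users\test\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\AB12\tracker.test\id.sol","ACCESS DENIED","Disposition: Create"
'''


def classify(operation, detail):
    """Name the kind of change an event represents, or None for reads/opens."""
    if operation == "CreateFile" and "OpenResult: Created" in detail:
        return "created"
    if operation == "WriteFile":
        return "modified"
    if operation == "SetDispositionInformationFile" and "Delete: True" in detail:
        return "deleted"
    return None


def lso_changes(csv_text, exclude=()):
    """Return (time, process, action, path) for successful changes to .sol
    files, skipping processes listed in `exclude` (like an Exclude filter)."""
    skip = {name.lower() for name in exclude}
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS" or row["Process Name"].lower() in skip:
            continue
        if not row["Path"].lower().endswith(".sol"):
            continue
        action = classify(row["Operation"], row["Detail"])
        if action:
            events.append((row["Time of Day"], row["Process Name"], action, row["Path"]))
    return events


if __name__ == "__main__":
    for event in lso_changes(SAMPLE_CSV, exclude=("WlanCU.exe",)):
        print(*event, sep="  ")
```
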
Additional events generated by other applications and processes could be pre-filtered, but some could likely be tied to the software being evaluated.

There is also an option for post-run filtering that can be used on the capture. First the application is installed or run and the capture stopped. When run with a filter, all events for the file system, process and registry activities will be captured. Only the unfiltered and the included, filtered events are displayed in the capture window. As the capture is reviewed, the events displayed can be evaluated for need or relevance. By right-clicking on a highlighted event in the relevant column an additional menu will be displayed, and the included menu selections provide additional filtering. For the screenshot above the goal was to exclude all events related to WlanCU.exe so right clicking on one highlighted instance in the Process Name column brought up the menu and the Exclude “WlanCU.exe”

HTTP Analyzer

HTTP Analyzer is put out by IEInspector Software. They specialize in software tools for Microsoft web development and analysis. It is a packet sniffer for capturing and analyzing HTTP and HTTPS traffic. The current version is Version 6, and we elected to work with Version 5 when Version 6 proved to be unstable with some flash-enabled websites.

Clicking on the executable opens up the main interface. The summary window (1) shows each packet in the data stream. The windows in the lower pane include the request and response detail (2) as well as the process summary information (3).

The start and stop icons control the capture, while the clear icon can clear the current capture. Because HTTP Analyzer captures only web-based packets (HTTP/HTTPS), it won’t appear to immediately capture packets unless the user is using their browser.
The tabs in the Request and Response windows allow the user to view a high-level breakdown of each packet.

Like Process Monitor, HTTP Analyzer has a fairly granular filtering capability. By selecting the Filter menu item the user is presented with a menu of preconfigured filters in addition to options to manage filters. Selecting Customize Current Filter brings up a popup window where a custom filter can be configured.

Dropdowns on the Subject and Action fields provide point-and-click options to set them up. The value field is filled in with the target value that will allow the filter to work. In the case of cookies, using an equal in the Action field and a wildcard in the value field for the Cookie and Set Cookie subject fields will yield packets where cookies were set and accessed during the session.

The filtering feature was not used to track flash cookies in testing. In an independent test the cookie filter displayed packets that had an ID that was also in the content flash cookie that was set.
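The observation at the end of Appendix C, an ID in the Cookie and Set-Cookie packets that also appears inside a content flash cookie, is the overlap a reviewer looks for when checking a site for re-spawning. The following is an added example, not part of the original paper; it assumes the captured header lines have been copied out as text and the LSO files read as raw bytes, and the sample data and the function names `cookie_values` and `shared_ids` are constructed for illustration. It matches byte substrings and does not parse the LSO format.

```python
from urllib.parse import unquote

# Constructed header lines, as copied from an HTTP capture of one session.
CAPTURED_HEADERS = [
    "Set-Cookie: uid=a1b2c3d4e5f60718; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
    "Cookie: uid=a1b2c3d4e5f60718; session=9f8e7d6c5b4a3921",
]
# Constructed bytes loosely shaped like .sol files (not valid LSOs).
LSO_FILES = {
    "example.test/player.sol": b"\x00\xbf\x00\x00\x00\x31TCSO\x00\x04\x00\x06player"
                               b"\x00\x03uid\x02\x00\x10a1b2c3d4e5f60718\x00",
    "example.test/settings.sol": b"\x00\xbf\x00\x00\x00\x20TCSO\x00\x04\x00\x08settings"
                                 b"\x00\x04lang\x02\x00\x02en\x00",
}


def cookie_values(header_lines):
    """Map each cookie value seen in Cookie / Set-Cookie lines to its name."""
    values = {}
    for line in header_lines:
        field, _, body = line.partition(":")
        kind = field.strip().lower()
        if kind not in ("cookie", "set-cookie"):
            continue
        pairs = body.split(";")
        if kind == "set-cookie":
            pairs = pairs[:1]  # later parts are attributes (Path, Expires, ...)
        for pair in pairs:
            name, sep, value = pair.strip().partition("=")
            if sep and value:
                values[unquote(value.strip('"'))] = name
    return values


def shared_ids(header_lines, lso_files, min_len=8):
    """Return sorted (cookie_name, value, lso_name) for every HTTP cookie value
    of at least min_len characters that also occurs in an LSO's raw bytes."""
    hits = []
    for value, name in cookie_values(header_lines).items():
        if len(value) < min_len:
            continue  # short values such as "en" would match by chance
        needle = value.encode("utf-8")
        hits += [(name, value, lso) for lso, blob in lso_files.items() if needle in blob]
    return sorted(hits)


if __name__ == "__main__":
    for hit in shared_ids(CAPTURED_HEADERS, LSO_FILES):
        print("HTTP cookie %s=%s also stored in %s" % hit)
```

A match only shows that the same value is held in both stores; whether the site uses it to restore a deleted HTTP cookie still has to be confirmed by deleting the cookie and revisiting.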