Re-engineering simultaneous Internet sessions process-separated browsers

Analysis of contemporary web browser sessions for forensic purposes has one major challenge-that of distinguishing Internet events and sessions across multiple tabs. While some information is contained inside the log files, identifying the coherency and concurrency is necessary to generate "specificity of attribution". In this work, we focus on isolating multiple simultaneous browser sessions using network and browser-related metadata on browsers that deploy a separate process for each browser session, which we term process-separated browser implementation. In a previous work, it was shown that network artifacts can be associated with browser artifacts to relate network stream with browser sessions on multi-threaded browser implementations. However, in process-separated browser implementations, where each session has its own network stream, the ability to track all network streams via a single process is not available. Therefore, there is a need to associate each network stream with its corresponding process for reconstruction. In this paper, we propose an algorithm to reconstruct multiple simultaneous browser sessions on browser applications that use a separate process for each browser session. We achieve this by developing a representation for the information associated with a browser session. Further, we define two relationships, viz., 'stream coherency' and 'session concurrency' based on the associations discovered among the network and browser artifacts. Finally, we develop an algorithm called "Samhita" to identify number of simultaneous browser sessions that are deployed and associate them with the respective processes and network streams. We take the reader through specially designed experiments to elicit browser-session intelligence and the process to separate out the tabbed sessions using the timing information present in the browser context and session context.