The Duck Hunters Guide - Blog #1 - DuckDuckGo Privacy Browser Research Project

One of my passions in Digital Forensics is ripping apart applications and trying to figure out how they work and how they store data. Over the past 5 years as part of my job, I have had what some may call an "unhealthy" obsession with Dark Web applications. I have looked into Tor, I2P, Hyphanet (formerly Freenet) and ZeroNet on multiple platforms, examining the features as new updates come out, in an attempt to uncover usage artifacts.

So, for a new research project (in my personal time) and for my first blog series I will be following a similar methodology to track down user artifacts associated with the DuckDuckGo privacy browser. This project has been on my research list for some time, and what sparked my interest was a blog I read in early 2024 that compares the application decoding capabilities of forensics tools. 

Link: iOS 15 Image Forensics Analysis and Tools Comparison - Browsers, Mail Clients, and Productivity apps

I wasn't entirely shocked about the differences between the tools and, really, in general the parsed data for DuckDuckGo, as it is designed to not store usage outside a current session. That being said, from the research I have done so far, there is far more that exists that perhaps our tools might not be parsing, such as the IndexedDBs, or maybe they just don't have the capabilities to dig deep enough into the data. An example is pulling out an embedded serialized bplist that is stored in a data object inside of a bplist. This is where open tab information is stored in the iOS version of the browser, and none of the commercial tools that I use can parse it out.
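The nested layout described above, a binary plist stored as a data object inside another binary plist, can be unpacked with Python's standard `plistlib`. This is an added example, not the author's code or a DuckDuckGo parser; the key names and sample values are constructed for illustration and are not the browser's actual structure.

```python
import plistlib

BPLIST_MAGIC = b"bplist00"  # header of every binary property list


def find_embedded_plists(obj, path="root"):
    """Yield (path, decoded) for each data value that is itself a binary plist."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from find_embedded_plists(value, f"{path}/{key}")
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            yield from find_embedded_plists(value, f"{path}[{index}]")
    elif isinstance(obj, (bytes, bytearray)) and bytes(obj[:8]) == BPLIST_MAGIC:
        try:
            inner = plistlib.loads(bytes(obj), fmt=plistlib.FMT_BINARY)
        except plistlib.InvalidFileException:
            return  # magic matched but the blob is truncated or corrupt
        yield path, inner
        # An embedded plist can carry further embedded plists, so keep walking.
        yield from find_embedded_plists(inner, path + "!")


def scan(raw):
    """Parse an outer plist from bytes and list every embedded plist found."""
    return list(find_embedded_plists(plistlib.loads(raw)))


def build_sample():
    """Constructed sample: all key names and values here are hypothetical."""
    deepest = plistlib.dumps({"scroll": 120}, fmt=plistlib.FMT_BINARY)
    tabs = {
        "tabs": [{"title": "Example", "url": "https://example.com/"}],
        "extra": deepest,
    }
    outer = {
        "version": 1,
        "state": plistlib.dumps(tabs, fmt=plistlib.FMT_BINARY),
        "thumb": b"\x89PNG not a plist",   # ordinary data, must be ignored
        "broken": b"bplist00\x00\x00",     # right magic, truncated body
    }
    return plistlib.dumps(outer, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for where, decoded in scan(build_sample()):
        print(where, "->", decoded)
```

The `!` in a reported path marks the point where the walk crossed from a data object into the plist decoded from it.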


I did do some Google searches to see what research was out there already, but I didn't find much that digs into the applications themselves, especially papers and such that aren't behind a paywall. Hopefully this project will prove fruitful, and this blog can be a central repository for all things DuckDuckGo.

Goal for the Project

Beyond satisfying my obsession with understanding how apps work, the ultimate goal is to educate DFIR professionals, so if they encounter DuckDuckGo during an examination they know where to look and how to extract and interpret the data.

I will probably end up writing some code to parse some of the artifacts, which I will make available for those who want to use it or want to incorporate it into their open-source tools.

My Plan 

My plan is to rip apart the browser on iOS, Android and Windows and see what is there. It won't be one long blog post for each OS as when I do research, I really do research, and you could be waiting months for it. My approach will be a series of mini posts that cover a browser feature or artifact for a specific OS. I will get everything labeled as Duck Hunters Guide along with the OS so you can find it all amongst the other posts I plan to do here.

The questions I want to answer as part of the project are: 
  • What session data is stored?
  • Does session data persist when the application closes?
  • What persists after the Fire button is used?
  • Where is fireproofed site information stored?
  • Where is Bookmark information stored?
  • Are there usage artifacts associated with using the built-in Duck Player?

Note: This list is subject to change if more features are added to the browser

Whilst I will be using my own test devices for the research, if the artifacts are in Josh Hickman's public datasets, I will use those in my posts so you can validate my findings for yourselves.


I will try to get a post up later this weekend regarding the Android version of the browser.

Here's to the Duck Hunt 🍻
