Amazon Kindle and its Experimental Browser: the Start of a Forensic Analysis

This Christmas, I received a Kindle as a gift.

As usual, I started exploring the device content and... surprise! There’s an experimental browser and I wasn’t expecting it!

My enthusiasm lasted until I found out it’s not a new feature: it’s called experimental but it has been around for 10 years! I didn’t give up and decided to take a look by myself anyway.

SPOILER #1: it’s very simple.
SPOILER #2: I didn’t limit myself to the browser.

The Device

This model is a Kindle (10th Generation).
The model number, found on the back, is J9G29R.

Reading the “Device Info” section you can also retrieve:
• MAC Address
• Serial Number
• Network Capability
• Firmware
• Space Available

It supports different document formats such as: AZW3, AZW, TXT, PDF, HTML, DOC, DOCX, JPEG, GIF, PNG.

The Web Browser

Your Kindle includes an experimental web browser that enables you to surf the web and view most Amazon web pages. The Experimental Web Browser supports JavaScript, SSL, and cookies, but does not support media plug-ins. You must have a Wi-Fi connection to access most websites.

Kindle User Guide – HTML

First: which kind of web browser are we talking about? It’s hard to find official information about it, but it looks like it’s called experimental because they haven’t decided to perfect it yet.

According to Wikipedia, it uses NetFront (the same used for Wii U, PlayStation 3, Nintendo 3DS, and many others) based on WebKit.

To find out more, I tried to visit thismachine.info:

and did a second check with user agent string:

At least we now know the version.

Acquisition and Analysis

I used FTK Imager (4.5.0.3) to perform a physical acquisition of the Kindle Internal Storage USB Device [6GB USB] drive and Autopsy (4.17.0) to analyze it.

According to the only research I found about the Kindle, Kindle Forensics & Analysis (which is from 2011), and assuming the partitioning hasn’t changed since then, this should be the “user file system”.

Once the image has been extracted and imported into Autopsy, this is what you see:

The most interesting folders are:
• /.active_content_sandbox
• /audible [that I won’t examine since I don’t have audiobooks yet]
• /documents
• /system

  • /.active_content_sandbox

It contains information about the web browser and the store.

BROWSER:

First, I analyzed the file__0.localstorage located at /.active_content_sandbox/browser/resource/LocalStorage/.

To take a better look at its content, I exported the file as CSV.

As you can see, it’s made up of 4 rows, each containing a key and a value in JSON format.
I exported the JSONs to make them more readable with indentation. Let’s examine them one by one:

bookmarks

Each JSON object corresponds to a bookmark and is composed only of a name and a URL.

settings

Regarding the settings, I found a correspondence with just 2 of them: JavaScript and Images. There is no trace of the orientation, not even in the general settings.


lastUrl

As the name suggests, this is the last URL visited by the user. In fact, it matches my browser history:

history

Once again, each JSON object corresponds to a visited URL and this time there’s also a timestamp, a Unix timestamp.

Converting the timestamp with Epoch Converter, I noticed a discrepancy: my timezone is GMT+1 and the Kindle is synchronized with it, but in the history page the timestamp (in GMT) is not converted.

I did a quick test to validate it: I changed the Kindle’s time to send it back 6 hours (you have to do it manually) to set EST time and used the browser. When I opened the history, I again found the GMT time.
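The key/value export and the timestamp check described above can be reproduced offline. This is an added example, not part of the original analysis: it assumes the file follows the standard WebKit LocalStorage layout (an SQLite table named ItemTable whose values are UTF-16LE blobs), the JSON field names `url` and `time` are hypothetical, and the sample database is constructed rather than taken from a device.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

def build_sample_db():
    """Constructed stand-in for file__0.localstorage (not real device data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ItemTable (key TEXT UNIQUE, value BLOB NOT NULL)")
    rows = {
        "lastUrl": json.dumps("https://example.org/"),
        "history": json.dumps([  # field names are assumptions
            {"url": "https://example.org/", "time": 1609322400},
            {"url": "https://example.com/a", "time": 1609326000000},
        ]),
    }
    for key, value in rows.items():
        con.execute("INSERT INTO ItemTable VALUES (?, ?)", (key, value.encode("utf-16-le")))
    return con

def read_items(con):
    """Return {key: parsed JSON}; WebKit stores the values as UTF-16LE blobs."""
    items = {}
    for key, blob in con.execute("SELECT key, value FROM ItemTable"):
        text = blob.decode("utf-16-le") if isinstance(blob, bytes) else blob
        try:
            items[key] = json.loads(text)
        except ValueError:
            items[key] = text  # keep non-JSON values verbatim
    return items

def history_timeline(items, utc_offset_hours):
    """Render each history entry in UTC and in the device's configured offset."""
    device_tz = timezone(timedelta(hours=utc_offset_hours))
    timeline = []
    for entry in items.get("history", []):
        ts = entry["time"]
        if ts > 10**11:  # too large for epoch seconds: treat as milliseconds
            ts /= 1000
        utc = datetime.fromtimestamp(ts, tz=timezone.utc)
        timeline.append((entry["url"], utc.isoformat(), utc.astimezone(device_tz).isoformat()))
    return sorted(timeline, key=lambda row: row[1])

if __name__ == "__main__":
    for row in history_timeline(read_items(build_sample_db()), utc_offset_hours=1):
        print(*row, sep="  ")
```

Reporting both columns side by side makes it explicit which offset each time in a report refers to, which is exactly the GMT versus GMT+1 discrepancy noted above.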

STORE:

Located at /.active_content_sandbox/store/resource/LocalStorage there’s a file named https_www.amazon.it_0.localstorage [the name varies based on the user location] which refers to the Kindle’s store.

It’s very similar to the previous one but it’s denser, even though I only made a few searches and one purchase using the Kindle.

As I did before, I exported to CSV.

The first thing that you encounter is the user ID related to the Amazon account:

Then, there is an entry (both index and cache) for every single character written in the search bar, because of keyword suggestions:

Regarding the purchase, you can find the following information:
• date and time of the purchase
• price and currency
• book title
• transaction mode
• user’s first name

You can find it by looking at its index entry…

… and its cache entry

  • /documents

This is the folder that contains downloaded items (both stored in the Kindle Library and deleted).

One interesting thing that you can see here is when an ebook was downloaded (which may differ from the time of purchase: once you buy the book you have to download it to put it in your library, and sometimes users don’t do it immediately).

To do it, open the AssetDownloadMetadata.meta file contained in every item’s folder and look for the value of “Last-Downloaded”.
For example, this is the timestamp of the book I purchased and downloaded immediately:

I bought the book at 11:03:48 (GMT+1) and downloaded it at 11:03:59 (GMT+1).

  • /system

I found 3 of its subfolders interesting:
– documents/startactions/images
– documents/thumbnails
– documents/vocabulary


startactions/images and thumbnails

“startactions/images” contains all the preview images of the books shown on the homepage, that is, the recommended books and the ones you’re reading or have just finished.

“thumbnails” is very similar (in my case identical) but it contains only images of the books in the Library.

vocabulary

The table WORDS of the database vocab.db stores all the words whose meaning the user searched for, with a timestamp.

Conclusions

I’m aware this is a limited analysis, and I’m sure this could be the start of something more in-depth. The information retrieved is however interesting:
• browser history and bookmarks;
• store searches;
• store purchases (price, title, date and time);
• use of the vocabulary (what and when);
• books read.

In its simplicity, I hope it arouses your curiosity.
