Understand Web Applications Architecture in Forensic Investigation

Understand Web Applications Architecture in Forensic Investigation in this all web applications are executed via a support client, i.e. a web browser. Web applications use a group of client-side scripts, such as HTML, JavaScript, etc., which presents the information, and the server-side scripts, such as ASP, PHP, etc., which handles the hardware tasks such as storing and gathering of the required data, are used by the web application for its execution.

In the web application architecture mentioned above, the clients use different web browsers, devices, and external web services with the Internet for execution of the application through different scripting languages. The data access is handled by the database layer using cloud server and the database server. It is important to note that the web server, application server, and database server may either run on independent servers/machines or the same one.

The web application architecture comprises of four Layers:
  • Clients or Users Layer
  • Web Server Layer
  • Business Layer
  • Database Layer

The client layer includes all the web appliances, such as smartphones and PCs, using which a user interacts with a web application deployed on a web server. The user requests for a website by entering a URL in the web browser and the request traverses to the web server. The web server responds to the request and the web browser displays the response in the form of a website.

The Web server layer contains components that parse the request (HTTP Request Parser) coming from the clients and forwards the response to them. It holds all the business logics and databases that are responsible for building websites and store data in them. Example; IIS Web Server, Apache Web Server, etc. In some cases, the users access the application through the presentation layer, which serves as an intermediary between the user and the Web Server, This layer includes the user interface components. The presentation layer is not an absolute requirement and the client layer can interact directly with the service layer.

The Business Layer is responsible for the core functioning of the system and includes business logic and applications, such as .NET that is used by the developers to build websites according to the client’s requirements. This layer also holds a legacy application, an older system integrated as an internal or external component.

The Database Layer comprises of cloud services, BB layer that holds all the commercial transactions and a Database Server that supplies an organization’s production data in a structured form. Example: MS SQL Server, MySQL server, etc.

Related Product : Computer Hacking Forensic Investigator | CHFI

Challenges in Web Application Forensics

Web applications serve a wide range of services and can support various types of servers like IIS, Apache, etc. Therefore, the forensic investigators must have good knowledge of various servers in order to examine the logs and understand them when an incident occurs.

Web applications are often business-critical, thus making it difficult for the investigators to create their forensic image that requires the site to be down for some time for completing the process. This makes it difficult for the investigators to capture volatile data including processes, port/network connections, logs of memory dumps, and user logs during the time of the incident analysis.

The investigators must have a good understanding of all kinds of web and applications servers in order to understand, analyze and correlate various formats of logs collected from their respective sources.

As the websites’ traffic increases, the log files recorded in the database keeps on increasing. So, it becomes difficult for the investigators to collect and analyze these logs.

When a website attack occurs, the investigators need to gather the digital fingerprints left by the attacker. Then, they need to collect the following data fields associated with each HTTP request made to the website in order to get an insight of the attack performed.

  • Date and time at which the request was sent
  • IP Address from where the request has initiated
  • HTTP method used (GET/POST)
  • URI
  • HTTP Query
  • A full set of HTTP headers
  • The Full HTTP Request body
  • Event Logs (non-volatile data)
  • File listings and timestarnps (non-volatile data)

Most of the web applications restrict access to HTTP information, such as the full set of HTTP headers and the request body without which all the HTTP headers will look alike. This makes it impossible for the investigators to differentiate valid HTTP requests from the malicious ones.

Also Read : Introduction to Web Application Forensics

Questions related to this topic

  1. What are client/server applications?
  2. How client and server are involved in web application?
  3. How database server is used for database applications?
  4. Which server is best for Web application?
  5. how to Understand Web Applications Architecture in Forensic Investigation?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com


Leave a Comment