Add to collection(s) Add to saved
  1. Social Science
  2. Political Science
  3. Media

Internet Artifacts

advertisement 
Computer Forensics
INTERNET ARTIFACTS
BROWSERS

Leave behind:
 Caches
 Cookies
 Browser
settings (favorites, history)
 Erasing
history does not always erase the entries
created, only changes what browser displays
INTERNET EXPLORER

Index.dat
 Located
in
 c:\documents
and settings\user\local
settings\temporary internet files\
 c:\Users\user\AppDataLocal\Microsoft\Windows\Tempo
rary Internet Files\
 In
MS IE Cache File (MSIECF)
INTERNET EXPLORER

Investigate IE index.dat with
 Pasco
from foundstone
 Metz: libmsiecf project at sourceforge
 Ishigaki Win32::URLCache perl module
Keith J. Jones
Foundstone
http://www.foundstone.com/pdf/wp_index_dat.pdf
INDEX.DAT ANALYSIS
INDEX.DAT FILE HEADER
Null terminated version string.
 Followed by file size.

0x 00 80 00 00 0x 00 00 80 00 (little endian conversion)
 32768
INDEX.DAT FILE HEADER

Bytes 0x20 – 0x23: Location of hash table.
 Hash
table is used to store the actual entries.
Go to byte 0x 00 00 40 00
INDEX.DAT FILE HEADER

Beginning of hash table
INDEX.DAT FILE HEADER: HISTORY
INDEX.DAT FILE HEADER: HISTORY
Size: 0x00394000 3751936
Hash Table: 0x00005000
Directories: (null-terminated, 0x50)
INDEX.DAT FILE

Hash Table:
INDEX.DAT FILE

Hash Table:
 There
can be several hash tables. Each one
contains a pointer to the next one.

Fields in Hash Table:
 Magic
Marker “HASH”
 4B Number of Entries in Hash table.
 Multiply
 Pointer
this number by 128B
to next hash table
INDEX.DAT FILE

Hash Table:
20 entries  Total size of
hash table is 32*128B = 4KB
Next hash table at
0x 00 01 80 00
INDEX.DAT FILE HEADER
Activity flag 40 03 6C DA
Activity record pointer:
00 03 48 00
Go to 00 03 48 00
INDEX.DAT FILE HEADER
Go to that location:
INDEX.DAT FILE HEADER

Activity Record
 Type
field 4B:
 REDR
 URL
 LEAK
 Length
Field 4B:
 Multiply
 Data
with 0x80
Field
INDEX.DAT FILE HEADER

URL Activity Record
 Represents
website visited
 Record Length (4B)
 Time stamps
 8B

 8B

starting at offset +8 in the activity record:
Last Modified
starting at offset +16 in the activity record:
Last accessed
 Organized
like file MAC times.
INDEX.DAT FILE HEADER

REDR Activity Record
 Subject’s
browser redirected to another site
 Same Type, length, data format
 Followed by URL at offset 16 in activity record
INDEX.DAT FILE HEADER

LEAK activity record
 Same
as URL
INDEX.DAT FILE HEADER

Deleted Records:
 Will
not show up when consulting IE history.
 But often still there.
 “Delete history” is not rewriting the history file.
Computer Forensics, 2013
INTERNET EXPLORER ARTIFACTS
(CONTINUED)
INDEX.DAT ARTIFACTS
IE artifacts created by the WinInet API
 Often, malware uses same API

 If
at administrator level:
 Entries
in index.dat for “Default User” or “LocalService”
account
IE FAVORITES

Located in
 %USERPROFILE%\Favorites

Is a file with MAC times
COOKIES

Cookie files generated in
 Documents
and Settings\%username%\cookies
 Users\%username%\AppData\Roaming\Microsoft\
Windows\Cookies
Can be inspected directly or by using galleta
 Time stamps:

 Can
be from issuing site
 More likely, created by java-script (giving local time)
CACHES

Stored in system-type specific directories
Computer Forensics 2013
FIREFOX
FIREFOX

Stores data in SQLite 3 databases

Open tools to access them
Firefox stores in a user-specific profile directory
 Folder contains profiles.ini

Profiles.ini contains various folders
 Important:

 Formhistory.sqlite
 Downloads.sqlite
 Cookies.sqlite
 Places.sqlite
FIREFOX

Cache
 Cache
directory contains numbered files in binary
format
 NirSoft, Woanware
FIREFOX

sessionstore.js
 If
firefox is not terminated properly
 Used to restore browsing session
 Content: JSON objects (use JSON viewer)
Computer Forensics 2013
CHROME
CHROME
Uses system-type dependent directory location
 Uses SQLite

Cookies
 History: tables downloads, urls, visits

 Time
values stored in seconds since Jan 1, 1601 UTC
Login Data
 Web Data (autofill)
 Thumbnails (of websites visited)


Chrome bookmarks

File with JSON objects
CHROME

Cache
 index
file
 four number files data_0, .., data_3
 f_(six hex digits) files
 Creation
time of f_files can be correlated with data from
history data base
 No open source tools
Computer Forensics, 2013
SAFARI
SAFARI

History in History.plist
 times
stored as MacAbsoluteTime
 (Seconds
since January 1, 2001 GMT)
 Use Safari Forensics Tools (SFT) for scanning
Downloads.plist
 Bookmarks.plist
 Cookies.plist

SAFARI

Cache information in Cache.db SQLite3
database
 cfurl_cache_response
(URL)
 cfurl_cache_blob_data (actual cached data)

LastSession.plist
Computer Forensics 2013
OUTLOOK ARTIFACTS
OUTLOOK

Storage format is PST
 OST

for offline storage of email
PST format information at
msdn.microsoft.com/enus/library/ff385210.aspx
Related documents
Electron-Phonon Coupling and Electron Heat Capacity in Metals at
Electron-Phonon Coupling and Electron Heat Capacity in Metals at
Bekijk een voorbeeldtoets voor writing
Bekijk een voorbeeldtoets voor writing
Pdf information about the book
Pdf information about the book
academic performance
academic performance
Direct Antiglobulin Test
Direct Antiglobulin Test
File - Pre-Dental Club at MSU
File - Pre-Dental Club at MSU
Formatting APA Research Paper
Formatting APA Research Paper
Lecture 2 - Health Computing: Pitt CPATH Project
Lecture 2 - Health Computing: Pitt CPATH Project
table
table
R Basics 2 exercise answers (64 KB pptx)
R Basics 2 exercise answers (64 KB pptx)
Guide for Preparation to Dental School - Pre
Guide for Preparation to Dental School - Pre
Table text formatted for Microsoft Word (separate file)
Table text formatted for Microsoft Word (separate file)
Download
advertisement