Computer Forensics
Dr. Randy M. Kaplan
Browser Forensics
A Source of Evidence
Critical evidence can often be found in a subject’s browsing history
Emails
Sites visited
Internet searches
Browsers
Two are dominant
IE
Mozilla (and its derivatives and variants)
IE
Activity stored in –
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5
Contains
Cached pages
Images
Two other files of interest
History without locally cached content
C:\Documents and Settings\user\History\History.IE5
Cookies
C:\Documents and Settings\user\Cookies
Index.dat
In each of these directories there is a file named index.dat
The relationship between cached web content and URLs is maintained in this file
Mozilla
Web activity maintained in a file named history.dat
File located in –
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat
C:\Documents and Settings\user\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat
Mozilla
history.dat differs from IE
Does not link web site activity to cached web pages
More difficult to reconstruct the activity
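As an added example (not part of the original slides or of either tool discussed here): a small Python helper that walks a mounted working copy of the evidence drive and lists the index.dat and history.dat files described above, so the right directory can be handed to a viewer. The function names, the profile directory `abcd1234.default` and the empty sample files are constructed for illustration.

```python
import os
import tempfile

# File names and store directories taken from the slides (compared case-insensitively).
ARTIFACTS = {"index.dat": "IE", "history.dat": "Mozilla"}
IE_STORES = {"content.ie5": "cache", "history.ie5": "history", "cookies": "cookies"}

def classify(rel_parts):
    """Label a path given relative to 'Documents and Settings' as (browser, kind)."""
    parts = [p.lower() for p in rel_parts]
    browser = ARTIFACTS.get(parts[-1])
    if browser == "IE":
        # The nearest enclosing store directory decides which index.dat this is.
        for p in reversed(parts[1:-1]):
            if p in IE_STORES:
                return ("IE", IE_STORES[p])
        return ("IE", "unknown")
    if browser == "Mozilla" and "profiles" in parts[1:-1]:
        return ("Mozilla", "history")  # history.dat only counts inside a profile
    return None

def find_artifacts(evidence_root):
    """Walk a mounted working copy; return sorted (user, browser, kind, path) rows."""
    base = os.path.join(evidence_root, "Documents and Settings")
    found = []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, base).split(os.sep)
            label = classify(rel) if len(rel) > 1 else None
            if label:
                found.append((rel[0], label[0], label[1], full))
    return sorted(found)

def build_sample_tree(root):
    """Constructed sample: empty files laid out like the paths on the slides."""
    user = os.path.join(root, "Documents and Settings", "user")
    for sub in (("Local Settings", "Temporary Internet Files", "Content.IE5"),
                ("History", "History.IE5"), ("Cookies",),
                ("Application Data", "Mozilla", "Firefox", "Profiles", "abcd1234.default")):
        name = "history.dat" if "Profiles" in sub else "index.dat"
        os.makedirs(os.path.join(user, *sub))
        open(os.path.join(user, *sub, name), "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for row in find_artifacts(tmp):
            print(row)
```

Because the walk matches file names rather than fixed paths, it also picks up index.dat files in subdirectories of a store and profiles for every user on the drive.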
Tools
Web Historian
A tool used to reconstruct web activity
Applicable to –
IE
Mozilla
Firefox
Netscape
Safari
Opera
Downloading Web Historian
Web Historian can be downloaded from –
http://www.download.com/Red-Cliff-Web-Historian/3000-2653_4-10373157.html
Web Historian
Lots and lots of information produced by Web Historian
Suppose my wife wanted to know what I have been doing on the Internet
(Maybe she wants to make sure I am not spending the kid’s college fund)
What evidence in the generated file would give her the kinds of information she is looking for?
Web Historian
Scan the URL addresses
Trying Firefox
Set WH to Firefox directory
What are the results?
Web Historian
Not really clear why WH does not work with Firefox
Very odd because this is my default browser
Try alternative
Cache View
Cache View can be downloaded from –
http://progsoc.org/~timj/cv/
Cache View
Download and install
Cache View
Need to point Cache View to the proper directory
Cache View
Point to the proper directory
How To Use?
Clearly, having a record of someone’s web activities can be used to determine what they have been doing
For example, if a subject was interested in learning how to hack a particular system, then accessing web sites to learn how to do this would substantiate this theory
How To Use?
If a subject uses a web interface for email, then we can tell if he accessed it, and we can also see what the status of the access was at that time