INTERNET ARTIFACTS
Computer Forensics
BROWSERS
Leave behind: caches, cookies, browser settings (favorites, history)
Erasing history does not always erase the entries created; it only changes what the browser displays.
INTERNET EXPLORER
index.dat is located in:
c:\documents and settings\user\local settings\temporary internet files\
c:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Stored in the MS IE Cache File (MSIECF) format
INTERNET EXPLORER
Investigate the IE index.dat with:
Pasco, from Foundstone
Metz: libmsiecf project at SourceForge
Ishigaki: Win32::URLCache Perl module
INDEX.DAT ANALYSIS
Keith J. Jones, Foundstone
http://www.foundstone.com/pdf/wp_index_dat.pdf
INDEX.DAT FILE HEADER
Null-terminated version string, followed by the file size.
Bytes on disk: 0x 00 80 00 00; little-endian conversion gives 0x 00 00 80 00 = 32768
INDEX.DAT FILE HEADER
Bytes 0x20 – 0x23: location of the hash table. The hash table is used to store the actual entries.
Go to byte 0x 00 00 40 00
INDEX.DAT FILE HEADER
Beginning of hash table
INDEX.DAT FILE HEADER: HISTORY
INDEX.DAT FILE HEADER: HISTORY
Size: 0x00394000 = 3751936 bytes
Hash table: 0x00005000
Directories: (null-terminated, 0x50)
INDEX.DAT FILE
Hash Table:
INDEX.DAT FILE
Hash table: there can be several hash tables; each one contains a pointer to the next one.
Fields in a hash table:
Magic marker “HASH” (4B)
Number of entries in the hash table; multiply this number by 128B
Pointer to the next hash table
INDEX.DAT FILE
Hash table: 0x20 (= 32) entries; total size of the hash table is 32*128B = 4KB
Next hash table at 0x 00 01 80 00
INDEX.DAT FILE HEADER
Activity flag: 40 03 6C DA
Activity record pointer: 00 03 48 00
Go to 00 03 48 00
INDEX.DAT FILE HEADER
Go to that location:
INDEX.DAT FILE HEADER
Activity record type field (4B): REDR, URL or LEAK
Length field (4B): multiply by 0x80
Data field
INDEX.DAT FILE HEADER
URL activity record: represents a website visited
Record length (4B)
Time stamps:
8B starting at offset +8 in the activity record: last modified
8B starting at offset +16 in the activity record: last accessed
Organized like file MAC times.
INDEX.DAT FILE HEADER
REDR activity record: the subject’s browser was redirected to another site.
Same type, length and data format; followed by the URL at offset 16 in the activity record.
INDEX.DAT FILE HEADER
LEAK activity record: same format as the URL record
INDEX.DAT FILE HEADER
Deleted records: will not show up when consulting IE history, but are often still there. “Delete history” does not rewrite the history file.
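The header, hash-table chain and activity-record layout described on the slides above, walked end to end by an added Python example; this is not code from the slide deck, nor from Pasco or libmsiecf. It constructs a 4 KB index.dat image (not a real capture) holding a version string, one HASH table and URL, REDR and LEAK records, then parses it. Everything the slides state (size after the version string, hash-table pointer at 0x20, HASH magic with a block count and next pointer, type and length fields, timestamps at +8 and +16, REDR URL at +16) is used as given; the 28-byte "Client UrlCache MMF Ver 5.2" version string and the URL-offset field at +0x34 inside URL and LEAK records are assumptions taken from the 5.2 record layout, not from the slides.

```python
"""Walk a constructed IE index.dat (MSIECF) image: header, HASH chain, activity records."""
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80  # hash tables and activity records are both sized in 128-byte blocks
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """FILETIME: 100-ns ticks since 1601-01-01 UTC, the same clock as NTFS MAC times."""
    return None if ticks == 0 else WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def parse_header(data):
    """Null-terminated version string, then the file size; hash-table location at 0x20-0x23."""
    end = data.index(b"\x00")
    (size,) = struct.unpack_from("<I", data, end + 1)
    (hash_table,) = struct.unpack_from("<I", data, 0x20)
    return {"version": data[:end].decode("ascii"), "size": size, "hash_table": hash_table}


def walk_hash_tables(data, offset):
    """Follow the HASH chain: magic, size in 128-byte blocks, pointer to the next table (0 = last)."""
    tables = []
    while offset:
        if data[offset:offset + 4] != b"HASH":
            raise ValueError("no HASH magic at 0x%x" % offset)
        blocks, nxt = struct.unpack_from("<II", data, offset + 4)
        tables.append({"offset": offset, "bytes": blocks * BLOCK, "next": nxt})
        offset = nxt
    return tables


def parse_record(data, offset):
    """Type (4B) and length in 128-byte blocks (4B) are common to URL, REDR and LEAK records."""
    rtype = data[offset:offset + 4]
    (blocks,) = struct.unpack_from("<I", data, offset + 4)
    rec = {"offset": offset, "type": rtype.decode("ascii").strip(), "bytes": blocks * BLOCK}
    if rtype == b"REDR":
        end = data.index(b"\x00", offset + 16)  # redirect target: string at +16
        rec["url"] = data[offset + 16:end].decode("ascii")
    else:  # URL and LEAK share one layout: last modified at +8, last accessed at +16
        modified, accessed = struct.unpack_from("<QQ", data, offset + 8)
        rec["last_modified"] = filetime_to_utc(modified)
        rec["last_accessed"] = filetime_to_utc(accessed)
        # ASSUMPTION (5.2 record layout, not on the slides): the 4-byte field at +0x34 is the
        # record-relative offset of the null-terminated URL string
        (url_rel,) = struct.unpack_from("<I", data, offset + 0x34)
        end = data.index(b"\x00", offset + url_rel)
        rec["url"] = data[offset + url_rel:end].decode("ascii")
    return rec


def scan_records(data, start):
    """Scan block by block for record signatures instead of trusting hash entries, so
    records that 'Delete history' merely unlinked are recovered as well."""
    records, offset = [], start
    while offset + 8 <= len(data):
        sig = data[offset:offset + 4]
        if sig == b"HASH":
            offset += struct.unpack_from("<I", data, offset + 4)[0] * BLOCK
        elif sig in (b"URL ", b"REDR", b"LEAK"):
            rec = parse_record(data, offset)
            records.append(rec)
            offset += rec["bytes"] or BLOCK
        else:
            offset += BLOCK
    return records


def to_filetime(dt):
    """Integer arithmetic on purpose: 2013-era FILETIME values exceed float precision."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_sample():
    """Constructed 4 KB image (not a real capture): header, one HASH table, URL + REDR + LEAK."""
    buf = bytearray(0x1000)
    version = b"Client UrlCache MMF Ver 5.2\x00"       # 28 bytes, so the size field sits at 0x1C
    buf[:len(version)] = version
    struct.pack_into("<I", buf, len(version), len(buf))  # file size
    struct.pack_into("<I", buf, 0x20, 0x100)             # hash table location
    buf[0x100:0x104] = b"HASH"
    struct.pack_into("<II", buf, 0x104, 2, 0)            # 2 blocks = 256 bytes, no next table
    ts = to_filetime(datetime(2013, 3, 4, 5, 6, 7, tzinfo=timezone.utc))
    for off, sig, url in ((0x200, b"URL ", b"http://example.com/login"),
                          (0x300, b"LEAK", b"http://example.net/old")):
        buf[off:off + 4] = sig
        struct.pack_into("<IQQ", buf, off + 4, 1, ts - 600 * 10_000_000, ts)  # 1 block, times
        struct.pack_into("<I", buf, off + 0x34, 0x60)                          # URL offset
        buf[off + 0x60:off + 0x60 + len(url)] = url
    redirect = b"http://example.org/landing"
    buf[0x280:0x284] = b"REDR"
    struct.pack_into("<I", buf, 0x284, 1)
    buf[0x290:0x290 + len(redirect)] = redirect
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample()
    header = parse_header(image)
    print(header, walk_hash_tables(image, header["hash_table"]))
    for rec in scan_records(image, header["hash_table"]):
        print(rec)
```

On a real file, run this against a copy of index.dat; the block scan will also turn up record types the slides do not cover, and any record whose block count is zero or whose strings run past the record should be treated as slack rather than as an entry.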
INTERNET EXPLORER ARTIFACTS (CONTINUED)
Computer Forensics, 2013
INDEX.DAT ARTIFACTS
IE artifacts are created by the WinInet API; often, malware uses the same API.
If running at administrator level: entries show up in the index.dat of the “Default User” or “LocalService” account.
IE FAVORITES
Located in %USERPROFILE%\Favorites
Each favorite is a file with MAC times
COOKIES
Cookie files are generated in:
Documents and Settings\%username%\Cookies
Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
Can be inspected directly or by using Galleta.
Time stamps: can be from the issuing site; more likely, created by JavaScript (giving local time)
CACHES
Stored in system-type specific directories
FIREFOX
FIREFOX
Stores data in SQLite 3 databases; open tools exist to access them.
Firefox stores in a user-specific profile directory.
The folder contains profiles.ini; profiles.ini points to the various profile folders.
Important files: formhistory.sqlite, downloads.sqlite, cookies.sqlite, places.sqlite
FIREFOX
Cache: the cache directory contains numbered files in binary format.
Tools: NirSoft, Woanware
FIREFOX
sessionstore.js: used to restore the browsing session if Firefox is not terminated properly.
Content: JSON objects (use a JSON viewer)
CHROME
CHROME
Uses a system-type dependent directory location; uses SQLite.
Cookies
History: tables downloads, urls, visits; time values stored in seconds since Jan 1, 1601 UTC
Login Data
Web Data (autofill)
Thumbnails (of websites visited)
Chrome bookmarks: file with JSON objects
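Both Firefox (places.sqlite, in the Firefox slides above) and Chrome (the History database with its urls and visits tables) keep history in SQLite, so one read-only script can merge them into a single UTC timeline. This is an added Python example, not from the slides or from either browser project. It assumes the real column names of those tables (moz_places/moz_historyvisits with visit_date in microseconds since 1970; urls/visits with visit_time counted from the slide's 1601 epoch, stored at microsecond resolution) and constructs two in-memory databases as sample input, so it runs offline.

```python
"""Merge Firefox places.sqlite and Chrome History into one UTC timeline (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)     # Firefox PRTime base
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome time base


def open_readonly(path):
    """Open an evidence copy without creating a journal or taking write locks."""
    return sqlite3.connect("file:%s?mode=ro&immutable=1" % path, uri=True)


def firefox_history(conn):
    """moz_historyvisits.visit_date: microseconds since 1970-01-01 UTC (assumed real schema)."""
    rows = conn.execute(
        "SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date")
    return [{"browser": "firefox",
             "time": (UNIX_EPOCH + timedelta(microseconds=t)).isoformat(),
             "url": url, "title": title} for t, url, title in rows]


def chrome_history(conn):
    """visits.visit_time: microseconds since 1601-01-01 UTC (assumed real schema)."""
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v "
        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [{"browser": "chrome",
             "time": (WINDOWS_EPOCH + timedelta(microseconds=t)).isoformat(),
             "url": url, "title": title} for t, url, title in rows]


def merged_timeline(firefox_conn, chrome_conn):
    """Interleave both browsers; isoformat strings in UTC sort correctly as text."""
    events = firefox_history(firefox_conn) + chrome_history(chrome_conn)
    return sorted(events, key=lambda e: e["time"])


def build_firefox_sample():
    """Constructed in-memory places.sqlite with only the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
                                       place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.com/', 'Example', 1, 1356998400000000);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1356998400000000, 1);
    """)  # 1356998400 s = 2013-01-01T00:00:00Z
    return conn


def build_chrome_sample():
    """Constructed in-memory Chrome History: one visit one second after the Firefox one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.org/', 'Example Org', 1, 13001472001000000);
        INSERT INTO visits VALUES (1, 1, 13001472001000000, 0, 0);
    """)  # 13001472001 s since 1601 = 2013-01-01T00:00:01Z
    return conn


if __name__ == "__main__":
    for event in merged_timeline(build_firefox_sample(), build_chrome_sample()):
        print(event["time"], event["browser"], event["url"], event["title"])
```

For real evidence, replace the two sample builders with open_readonly() on copies of places.sqlite and History; the ORDER BY inside each query is only for readability, the merge sorts again.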
CHROME
Cache: an index file, four numbered files data_0, .., data_3, and f_(six hex digits) files
Creation time of the f_ files can be correlated with data from the History database
No open source tools
SAFARI
SAFARI
History in History.plist; times stored as MacAbsoluteTime (seconds since January 1, 2001 GMT)
Use Safari Forensics Tools (SFT) for scanning
Downloads.plist, Bookmarks.plist, Cookies.plist
SAFARI
Cache information in Cache.db, an SQLite3 database: cfurl_cache_response (URL), cfurl_cache_blob_data (actual cached data)
LastSession.plist
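Almost every artifact above carries a different clock: FILETIME in index.dat records ("organized like file MAC times"), the 1601 epoch in Chrome, local JavaScript time in IE cookies, MacAbsoluteTime in Safari's plists. The following added Python example (not from the slides or from any tool named on them) collects those conversions and adds a helper that tries every epoch on an integer whose encoding is not yet known. Assumptions beyond the slides: Chrome's History database stores its 1601-epoch counts in microseconds, so the Chrome helper takes a unit argument; Firefox's SQLite files count microseconds since 1970; IE cookie .txt files write each FILETIME as two decimal 32-bit halves; all sample values are constructed.

```python
"""Epoch conversions for browser artifacts (added example; constructed values)."""
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)       # FILETIME, Chrome
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)          # Firefox PRTime, JavaScript
MAC_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Safari MacAbsoluteTime


def filetime_to_utc(ticks):
    """index.dat activity records: 100-ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_from_parts(low, high):
    """ASSUMPTION beyond the slides: IE cookie .txt files store each FILETIME as two
    decimal 32-bit halves, low word first."""
    return filetime_to_utc((high << 32) | low)


def chrome_time_to_utc(value, unit="us"):
    """Chrome History/Cookies: count since 1601-01-01 UTC. The database holds microseconds;
    pass unit="s" for a value already reduced to seconds as the slide describes it."""
    micros = value if unit == "us" else value * 1_000_000
    return WINDOWS_EPOCH + timedelta(microseconds=micros)


def firefox_prtime_to_utc(micros):
    """Firefox SQLite databases: microseconds since 1970-01-01 UTC (not stated on the slides)."""
    return UNIX_EPOCH + timedelta(microseconds=micros)


def mac_absolute_to_utc(seconds):
    """Safari plists: seconds since 2001-01-01 UTC (the slide's GMT)."""
    return MAC_ABSOLUTE_EPOCH + timedelta(seconds=seconds)


def js_cookie_local_to_utc(local_dt, tz_offset_hours):
    """Cookie times set by JavaScript are local to the subject's clock (slide); the examiner
    has to establish the machine's UTC offset separately and apply it here."""
    return (local_dt - timedelta(hours=tz_offset_hours)).replace(tzinfo=timezone.utc)


def plausible_readings(value, year_range=(1995, 2035)):
    """Try each epoch/unit on a raw integer and keep the readings that land in year_range.
    Magnitude alone usually identifies the encoding: FILETIME ~1e17, Chrome microseconds
    ~1e16, PRTime ~1e15, Unix seconds ~1e9, MacAbsoluteTime ~1e8."""
    candidates = {
        "filetime": filetime_to_utc,
        "chrome_us": chrome_time_to_utc,
        "prtime_us": firefox_prtime_to_utc,
        "unix_s": lambda v: UNIX_EPOCH + timedelta(seconds=v),
        "mac_absolute_s": mac_absolute_to_utc,
    }
    readings = {}
    for name, convert in candidates.items():
        try:
            dt = convert(value)
        except OverflowError:  # timedelta or datetime range exceeded: not this encoding
            continue
        if year_range[0] <= dt.year <= year_range[1]:
            readings[name] = dt.isoformat()
    return readings


if __name__ == "__main__":
    for raw in (130014720000000000, 13001472000000000, 1356998400000000, 1356998400, 378691200):
        print(raw, plausible_readings(raw))
```

All five constructed sample values decode to 2013-01-01T00:00:00Z in exactly one encoding each, which is what makes the magnitude test reliable in practice.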
OUTLOOK ARTIFACTS
OUTLOOK
Storage format is PST; OST is used for offline storage of email.
PST format information at msdn.microsoft.com/en-us/library/ff385210.aspx