INTERNET ARTIFACTS
Computer Forensics
BROWSERS
Leave behind: caches, cookies, browser settings (favorites, history)
Erasing history does not always erase the entries created; it may only change what the browser displays
INTERNET EXPLORER
Index.dat located in:
c:\documents and settings\user\local settings\temporary internet files\
c:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Format: MS IE Cache File (MSIECF)
INTERNET EXPLORER
Investigate IE index.dat with: Pasco from Foundstone; Metz's libmsiecf project at SourceForge; Ishigaki's Win32::URLCache Perl module
Keith J. Jones, Foundstone:
http://www.foundstone.com/pdf/wp_index_dat.pdf
INDEX.DAT ANALYSIS
INDEX.DAT FILE HEADER
Null-terminated version string, followed by the file size.
Bytes on disk: 0x 00 80 00 00; little-endian conversion: 0x 00 00 80 00 = 32768
INDEX.DAT FILE HEADER
Bytes 0x20 – 0x23: location of the hash table. The hash table is used to store the actual entries.
Go to byte 0x 00 00 40 00
INDEX.DAT FILE HEADER
Beginning of hash table
INDEX.DAT FILE HEADER: HISTORY
INDEX.DAT FILE HEADER: HISTORY
Size: 0x00394000 = 3751936 bytes
Hash Table: 0x00005000
Directories: (null-terminated, 0x50)
INDEX.DAT FILE
Hash Table:
INDEX.DAT FILE
Hash table: there can be several hash tables, each containing a pointer to the next one. Fields in a hash table:
Magic marker "HASH" (4B)
Number of entries in the hash table (multiply this number by 128B to get the table size)
Pointer to the next hash table
INDEX.DAT FILE
Hash table: 0x20 = 32 entries; total size of the hash table is 32*128B = 4KB
Next hash table at 0x 00 01 80 00
INDEX.DAT FILE HEADER
Activity flag 40 03 6C DA
Activity record pointer:
00 03 48 00
Go to 00 03 48 00
INDEX.DAT FILE HEADER
Go to that location:
INDEX.DAT FILE HEADER
Activity record type field (4B): REDR, URL or LEAK
Length field (4B): multiply by 0x80 to get the record length in bytes
Data field
INDEX.DAT FILE HEADER
URL activity record: represents a website visited. Record length (4B). Time stamps:
8B starting at offset +8 in the activity record: last modified
8B starting at offset +16 in the activity record: last accessed
Organized like file MAC times.
INDEX.DAT FILE HEADER
REDR activity record: the subject's browser was redirected to another site. Same type, length and data format as a URL record, followed by the URL at offset 16 in the activity record.
INDEX.DAT FILE HEADER
LEAK activity record: same layout as a URL record
INDEX.DAT FILE HEADER
Deleted records: will not show up when consulting IE history, but are often still there. "Delete history" does not rewrite the history file.
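The header, hash-table chain and activity-record layout described on the preceding slides, as an added example (not the slide author's code, and not Pasco or libmsiecf). It builds a constructed 32 KB index.dat-like image, reads the version string, file size and hash-table offset from the header, follows the "HASH" chain, and then carves URL, REDR and LEAK records block by block, which is how entries that "Delete history" left in place are recovered. Two details are assumptions beyond the slides: the header version string "Client UrlCache MMF Ver 5.2", and the 4-byte field at record offset +0x34 giving where the URL string starts inside a URL/LEAK record (a version 5.2 layout detail).

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80  # index.dat lengths are counted in 128-byte blocks (the "multiply by 0x80" rule)
RECORD_TYPES = (b"URL ", b"REDR", b"LEAK")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """FILETIME: 100-nanosecond ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def parse_header(buf):
    """Header: null-terminated version string, file size at 0x1C, first hash table at 0x20."""
    version = buf[: buf.index(b"\x00")].decode("ascii")
    size, hash_off = struct.unpack_from("<II", buf, 0x1C)
    return {"version": version, "size": size, "hash_table": hash_off}


def walk_hash_tables(buf, first):
    """Follow the chain: 'HASH' magic, entry/block count (x128B), pointer to the next table."""
    tables, off = [], first
    while off and off < len(buf) and buf[off:off + 4] == b"HASH":
        blocks, nxt = struct.unpack_from("<II", buf, off + 4)
        tables.append({"offset": off, "bytes": blocks * BLOCK, "next": nxt})
        off = nxt
    return tables


def parse_record(buf, off):
    """Activity record: 4B type, 4B length in blocks, last-modified at +8, last-accessed at +16."""
    rtype = buf[off:off + 4]
    blocks, = struct.unpack_from("<I", buf, off + 4)
    rec = {"offset": off, "type": rtype.decode("ascii").strip(), "length": blocks * BLOCK}
    if rtype == b"REDR":
        # REDR: the redirect target URL string follows at offset 16 of the record
        rec["url"] = buf[off + 16: buf.index(b"\x00", off + 16)].decode("ascii", "replace")
    else:
        # URL and LEAK: two FILETIMEs, then (assumption, v5.2 layout) a 4B value at +0x34
        # holding the offset of the URL string relative to the record start
        modified, accessed = struct.unpack_from("<QQ", buf, off + 8)
        rec["last_modified"] = filetime_to_utc(modified)
        rec["last_accessed"] = filetime_to_utc(accessed)
        url_rel, = struct.unpack_from("<I", buf, off + 0x34)
        start = off + url_rel
        rec["url"] = buf[start: buf.index(b"\x00", start)].decode("ascii", "replace")
    return rec


def carve_records(buf):
    """Scan every 128-byte block boundary for a record signature, ignoring the hash tables.
    Records no longer referenced from a hash table (deleted history) are still found this way."""
    return [parse_record(buf, off) for off in range(0, len(buf) - 8, BLOCK)
            if buf[off:off + 4] in RECORD_TYPES]


def build_sample():
    """Constructed 32 KB image following the slide layout; not a real index.dat."""
    buf = bytearray(0x8000)
    buf[0:0x1C] = b"Client UrlCache MMF Ver 5.2\x00"        # assumed version string
    struct.pack_into("<II", buf, 0x1C, len(buf), 0x4000)    # file size, first hash table
    buf[0x4000:0x4004] = b"HASH"                            # one table: 32 x 128B = 4 KB
    struct.pack_into("<II", buf, 0x4004, 32, 0)             # no successor table
    # URL record, 2 blocks, at 0x5000
    visited = datetime(2013, 3, 4, 9, 30, tzinfo=timezone.utc)
    url = b"http://example.test/login\x00"
    buf[0x5000:0x5004] = b"URL "
    struct.pack_into("<I", buf, 0x5004, 2)
    struct.pack_into("<QQ", buf, 0x5008,
                     utc_to_filetime(visited - timedelta(days=1)), utc_to_filetime(visited))
    struct.pack_into("<I", buf, 0x5034, 0x68)               # URL string lives at record+0x68
    buf[0x5068:0x5068 + len(url)] = url
    # REDR record, 1 block, at 0x5100 with its URL at +16
    target = b"http://example.test/landing\x00"
    buf[0x5100:0x5104] = b"REDR"
    struct.pack_into("<I", buf, 0x5104, 1)
    buf[0x5110:0x5110 + len(target)] = target
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample()
    print(parse_header(image), walk_hash_tables(image, parse_header(image)["hash_table"]))
    for rec in carve_records(image):
        print(rec)
```

On a real file, read it from a forensic copy and compare the carved record count with what the hash tables reference: the difference is the set of entries the browser no longer shows.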
Computer Forensics, 2013
INTERNET EXPLORER ARTIFACTS (CONTINUED)
INDEX.DAT ARTIFACTS
IE artifacts are created by the WinInet API. Often, malware uses the same API.
If running at administrator level: entries appear in index.dat for the "Default User" or "LocalService" account.
IE FAVORITES
Located in %USERPROFILE%\Favorites
Each favorite is a file with MAC times
COOKIES
Cookie files are generated in Documents and Settings\%username%\Cookies or Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
Can be inspected directly or by using Galleta
Time stamps: can be from the issuing site; more likely, created by JavaScript (giving local time)
CACHES
Stored in system-type specific directories
FIREFOX
FIREFOX
Stores data in SQLite 3 databases; open tools exist to access them
Firefox stores data in a user-specific profile directory
The folder contains profiles.ini, which lists the profile folders. Important files:
formhistory.sqlite, downloads.sqlite, cookies.sqlite, places.sqlite
FIREFOX
Cache: the cache directory contains numbered files in binary format. Tools: NirSoft, Woanware
FIREFOX
sessionstore.js: used to restore the browsing session if Firefox is not terminated properly. Content: JSON objects (use a JSON viewer)
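The places.sqlite database named above, queried with Python's built-in sqlite3 module, as an added example (not the slide author's or Mozilla's code). It constructs a stand-in database with the two history tables an examiner joins most often, moz_places and moz_historyvisits, and returns every visit in time order together with the page that led to it. Assumed beyond the slide: the column names used here, and that visit_date is PRTime, i.e. microseconds since 1970-01-01 UTC.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_utc(microseconds):
    """places.sqlite stores visit_date as PRTime: microseconds since 1970-01-01 UTC
    (assumption for this example; the slide only names the database)."""
    return UNIX_EPOCH + timedelta(microseconds=microseconds)


def utc_to_prtime(dt):
    return (dt - UNIX_EPOCH) // timedelta(microseconds=1)


def build_sample_places(path=":memory:"):
    """Constructed stand-in for places.sqlite: only the columns the query below needs,
    with two visits where the second was reached from the first (from_visit)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    t0 = datetime(2013, 3, 4, 9, 30, tzinfo=timezone.utc)
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", [
        (1, "http://example.test/", "Example front page", 1),
        (2, "http://example.test/files/update.exe", None, 1),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", [
        (1, 0, 1, utc_to_prtime(t0), 1),                          # no recorded origin
        (2, 1, 2, utc_to_prtime(t0 + timedelta(seconds=42)), 1),  # reached from visit 1
    ])
    con.commit()
    return con


def history_timeline(con):
    """Each visit in time order: UTC timestamp, URL, title and the URL of the page
    that led to it (None when the visit had no recorded origin)."""
    rows = con.execute("""
        SELECT v.visit_date, p.url, p.title, src.url
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits fv ON fv.id = v.from_visit
        LEFT JOIN moz_places src ON src.id = fv.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(prtime_to_utc(ts).isoformat(), url, title, origin)
            for ts, url, title, origin in rows]


if __name__ == "__main__":
    for row in history_timeline(build_sample_places()):
        print(*row, sep="\t")
```

For a real profile, work on a copy of places.sqlite taken from the profile folder listed in profiles.ini and open it read-only, `sqlite3.connect("file:places-copy.sqlite?mode=ro", uri=True)`, so the examination never writes to the evidence.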
CHROME
CHROME
Uses a system-type dependent directory location. Uses SQLite.
Cookies
History: tables downloads, urls, visits
Time values stored in seconds since Jan 1, 1601 UTC
Login Data
Web Data (autofill)
Thumbnails (of websites visited)
Chrome bookmarks: file with JSON objects
CHROME
Cache: index file; four number files data_0, .., data_3; f_(six hex digits) files
Creation time of the f_ files can be correlated with data from the history database
No open source tools
SAFARI
SAFARI
History in History.plist; times stored as MacAbsoluteTime (seconds since January 1, 2001 GMT). Use Safari Forensics Tools (SFT) for scanning.
Downloads.plist, Bookmarks.plist, Cookies.plist
SAFARI
Cache information in Cache.db (SQLite3 database): cfurl_cache_response (URL), cfurl_cache_blob_data (actual cached data)
LastSession.plist
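The Chrome and Safari slides each give a different epoch (January 1, 1601 and January 1, 2001), so raw values from the two browsers cannot be sorted against each other. The added example below (not the slide author's code) converts both to UTC and merges them into one ordered timeline, using constructed sample events. Assumed beyond the slides: Chrome's History database stores its count in microseconds rather than seconds, so the Chrome converter takes the unit as an explicit parameter instead of guessing it.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome time base (since Jan 1, 1601 UTC)
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Safari MacAbsoluteTime base
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)  # what most other tooling expects


def chrome_time_to_utc(value, unit="us"):
    """Chrome counts from 1601-01-01 UTC. The slide states the epoch in seconds; the
    History database's visit_time column holds microseconds (assumption for this
    example), so the caller names the unit explicitly."""
    scale = {"s": 1_000_000, "us": 1}[unit]
    return EPOCH_1601 + timedelta(microseconds=value * scale)


def mac_absolute_to_utc(seconds):
    """Safari History.plist: seconds (possibly fractional) since 2001-01-01 GMT."""
    return EPOCH_2001 + timedelta(seconds=seconds)


def chrome_to_unix_seconds(value_us):
    """Shortcut many scripts use: subtract the 1601-to-1970 offset (11644473600 s)."""
    offset = (EPOCH_1970 - EPOCH_1601).total_seconds()
    return value_us / 1_000_000 - offset


def utc_to_chrome_us(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1)


def utc_to_mac_absolute(dt):
    return (dt - EPOCH_2001).total_seconds()


CONVERTERS = {
    "chrome": lambda raw: chrome_time_to_utc(raw, "us"),
    "safari": mac_absolute_to_utc,
}


def normalize(events):
    """Convert each event's raw browser timestamp to UTC and return one ordered timeline.
    Event shape: {"source": "chrome" | "safari", "raw": <stored value>, "url": ...}."""
    rows = [(CONVERTERS[e["source"]](e["raw"]), e["source"], e["url"]) for e in events]
    return [(ts.isoformat(), src, url) for ts, src, url in sorted(rows)]


def sample_events():
    """Constructed values: the Chrome visit happens 5 s before the Safari one, yet the raw
    integers sort the other way round because a 1601-based microsecond count is always
    far larger than a 2001-based second count."""
    t = datetime(2013, 3, 4, 9, 30, tzinfo=timezone.utc)
    return [
        {"source": "safari", "raw": utc_to_mac_absolute(t + timedelta(seconds=5)),
         "url": "http://example.test/"},
        {"source": "chrome", "raw": utc_to_chrome_us(t),
         "url": "http://example.test/checkout"},
    ]


if __name__ == "__main__":
    for row in normalize(sample_events()):
        print(*row, sep="\t")
```

Keeping the epoch and the unit in one converter per browser, rather than in the query that pulls the rows, is what makes a merged timeline trustworthy when a third source (index.dat FILETIMEs, Firefox PRTime) is added later.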
OUTLOOK ARTIFACTS
OUTLOOK
Storage format is PST; OST is used for offline storage of email
PST format information at msdn.microsoft.com/en-us/library/ff385210.aspx
Recommended