Computer Forensics. Leave behind: Caches Cookies Browser settings (favorites, history) Erasing history does not always erase the entries created, only

INTERNET ARTIFACTSComputer Forensics

BROWSERS

Leave behind: Caches Cookies Browser settings (favorites, history)

Erasing history does not always erase the entries created, only changes what browser displays

INTERNET EXPLORER

Index.dat Located in

c:\documents and settings\user\local settings\temporary internet files\

c:\Users\user\AppDataLocal\Microsoft\Windows\Temporary Internet Files\

In MS IE Cache File (MSIECF)

INTERNET EXPLORER

Investigate IE index.dat with Pasco from foundstone Metz: libmsiecf project at sourceforge Ishigaki Win32::URLCache perl module

Keith J. JonesFoundstone

http://www.foundstone.com/pdf/wp_index_dat.pdf

INDEX.DAT ANALYSIS

http://www.foundstone.com/pdf/wp_index_dat.pdf

INDEX.DAT FILE HEADER

Null terminated version string. Followed by file size.

0x 00 80 00 00 0x 00 00 80 00 (little endian conversion)

32768


Bytes 0x20 – 0x23: Location of hash table. Hash table is used to store the actual

entries.

Go to byte 0x 00 00 40 00


Beginning of hash table

INDEX.DAT FILE HEADER: HISTORY

INDEX.DAT FILE HEADER: HISTORY

Size: 0x00394000 3751936

Hash Table: 0x00005000

Directories: (null-terminated, 0x50)

INDEX.DAT FILE

Hash Table:

INDEX.DAT FILE

Hash Table: There can be several hash tables. Each

one contains a pointer to the next one. Fields in Hash Table:

Magic Marker “HASH” 4B Number of Entries in Hash table.

Multiply this number by 128B Pointer to next hash table

INDEX.DAT FILE

Hash Table: 20 entries Total size of hash table is 32*128B = 4KB

Next hash table at

0x 00 01 80 00


Activity flag 40 03 6C DA

Activity record pointer:

00 03 48 00

Go to 00 03 48 00


Go to that location:


Activity Record Type field 4B:

REDR URL LEAK

Length Field 4B: Multiply with 0x80

Data Field


URL Activity Record Represents website visited Record Length (4B) Time stamps

8B starting at offset +8 in the activity record: Last Modified

8B starting at offset +16 in the activity record: Last accessed

Organized like file MAC times.


REDR Activity Record Subject’s browser redirected to another

site Same Type, length, data format Followed by URL at offset 16 in activity

record


LEAK activity record Same as URL


Deleted Records: Will not show up when consulting IE

history. But often still there. “Delete history” is not rewriting the history

file.

Computer Forensics, 2013

INTERNET EXPLORER ARTIFACTS(CONTINUED)

INDEX.DAT ARTIFACTS

IE artifacts created by the WinInet API Often, malware uses same API

If at administrator level: Entries in index.dat for “Default User” or

“LocalService” account

IE FAVORITES

Located in %USERPROFILE%\Favorites

Is a file with MAC times

COOKIES

Cookie files generated in Documents and Settings\%username%\cookies Users\%username%\AppData\Roaming\

Microsoft\Windows\Cookies Can be inspected directly or by using

galleta Time stamps:

Can be from issuing site More likely, created by java-script (giving local

time)

CACHES

Stored in system-type specific directories

Computer Forensics 2013

FIREFOX

FIREFOX

Stores data in SQLite 3 databases Open tools to access them

Firefox stores in a user-specific profile directory

Folder contains profiles.ini Profiles.ini contains various folders Important:

Formhistory.sqlite Downloads.sqlite Cookies.sqlite Places.sqlite

FIREFOX

Cache Cache directory contains numbered files in

binary format NirSoft, Woanware

FIREFOX

sessionstore.js If firefox is not terminated properly Used to restore browsing session Content: JSON objects (use JSON viewer)


CHROME

CHROME

Uses system-type dependent directory location Uses SQLite

Cookies History: tables downloads, urls, visits

Time values stored in seconds since Jan 1, 1601 UTC Login Data Web Data (autofill) Thumbnails (of websites visited)

Chrome bookmarks File with JSON objects

CHROME

Cache index file four number files data_0, .., data_3 f_(six hex digits) files

Creation time of f_files can be correlated with data from history data base

No open source tools

Computer Forensics, 2013

SAFARI

SAFARI

History in History.plist times stored as MacAbsoluteTime

(Seconds since January 1, 2001 GMT) Use Safari Forensics Tools (SFT) for scanning

Downloads.plist Bookmarks.plist Cookies.plist

SAFARI

Cache information in Cache.db SQLite3 database cfurl_cache_response (URL) cfurl_cache_blob_data (actual cached data)

LastSession.plist


OUTLOOK ARTIFACTS

OUTLOOK

Storage format is PST OST for offline storage of email

PST format information at msdn.microsoft.com/en-us/library/ff385210.aspx