1

Computer ForensicsDr. Randy M. Kaplan

2

Browser Forensics

A Source of Evidence

Critical Evidence can often be found in a subject’s browsing historyEmailsSites visited Internet searches

Computer Forensics

3

Browsers

Two are dominant IEMozilla (and its derivatives and variants)

Computer Forensics

4

IE

Activity stored in –C:\Documents and Settings\user\Local Settings\

Temporary Internet Files\Content.IE5

ContainsCached pagesImages

Two other files of interestHistory without locally cached content

C:\Documents and Settings\user\History\History.IE5Cookies

C:\Documents and Settings\user\Cookies

Computer Forensics

5

Index.dat

In each of these directories there is a file named index.dat

The relationship between cached web content and URLs is maintained in this file

Computer Forensics

6

Mozilla

Web activity maintained in a file named history.dat

File located in –C:\Documents and Settings\user\Application Data\

Mozilla\Firefox\Profiles\<random text>\history.datC:\Documents and Settings\user\Application Data\

Mozilla\Profiles\<profile name>\<random text>\history.dat

Computer Forensics

7

Mozilla

history.dat differs from IE

Does not link web site activity to cached web pages

More difficult to reconstruct the activity

Computer Forensics

8

Tools

Web HistorianA tool used to reconstruct web activityApplicable to –

IE Mozilla Firefox Netscape Safari Opera

Computer Forensics

9

Downloading Web Historian

Web Historian can be downloaded from –http://www.download.com/Red-Cliff-Web-Historian/

3000-2653_4-10373157.html

Computer Forensics

10

Web Historian

Computer Forensics

11

Web Historian

Computer Forensics

12

Web Historian

Computer Forensics

13

Lots and lost of information produced by Web Historian

Web Historian

Suppose my wife wanted to know what I have been doing on the Internet

(Maybe she wants to make sure I am not spending the kid’s college fund)

What evidence in the generated file would give her the kinds of information she is looking for?

Computer Forensics

14

Web Historian

Scan the URL addresses

Computer Forensics

15

Web Historian

Scan the URL addresses

Computer Forensics

16

Trying Firefox

Set WH to Firefox directory

What are the results?

Computer Forensics

17

Trying Firefox

Computer Forensics

18

Trying Firefox

Computer Forensics

19

Very odd because this is mydefault browser

Web Historian

Not really clear why WH does not work with Firefox

Try alternative

Computer Forensics

20

Cache View

Cache View can be downloaded from –http://progsoc.org/~timj/cv/

Computer Forensics

21

Cache View

Download and install

Computer Forensics

22

Cache View

Need to point Cache View to the proper directory

Computer Forensics

23

Cache View

Point to the proper directory

Computer Forensics

24

Cache View

Computer Forensics

25

Cache View

Computer Forensics

26

Cache View

Computer Forensics

27

How To Use?

Clearly having a record of someone’s web activities can be used to determine what they have doing

For example if a subject was interested in learning how to hack a particular system then accessing web sites to learn how to do this would substantiate this theory

Computer Forensics

28

How To Use?

If a subject uses a web interface for email then we can tell if he accessed it and we can also see what the status of the access was at that time

Computer Forensics

29