Computer Forensics INTERNET ARTIFACTS
BROWSERS
- Leave behind:
  - Caches
  - Cookies
  - Browser settings (favorites, history)
- Erasing history does not always erase the entries created; it only changes what the browser displays.
INTERNET EXPLORER
- Index.dat
- Located in:
  - C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files
  - C:\Users\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files
- Stored in the MS IE Cache File (MSIECF) format
INTERNET EXPLORER
- Investigate index.dat with:
  - Pasco, from Foundstone
  - Metz: libmsiecf project at SourceForge
  - Ishigaki: Win32::URLCache Perl module
INDEX.DAT ANALYSIS
Keith J. Jones, Foundstone: http://www.foundstone.com/pdf/wp_index_dat.pdf
INDEX.DAT FILE HEADER
- Null-terminated version string.
- Followed by the file size: the bytes 00 80 00 00 read little-endian as 0x00008000 = 32768.
INDEX.DAT FILE HEADER
- Bytes 0x20–0x23: location of the hash table.
- The hash table is used to store the actual entries.
- Go to byte 0x00004000: beginning of the hash table.
INDEX.DAT FILE HEADER: HISTORY
- Size: 0x00394000 = 3751936
- Hash table: 0x00005000
- Directories (null-terminated), starting at 0x50
INDEX.DAT FILE: HASH TABLE
- There can be several hash tables. Each one contains a pointer to the next one.
- Fields in a hash table:
  - Magic marker "HASH"
  - 4 B: number of entries in the hash table. Multiply this number by 128 B to get the table size.
  - Pointer to the next hash table
INDEX.DAT FILE: HASH TABLE
- 0x20 = 32 entries
- Total size of the hash table is 32 * 128 B = 4 KB
- Next hash table at 0x00018000
INDEX.DAT FILE HEADER
- Activity flag: 40 03 6C DA
- Activity record pointer: 00 03 48 00
- Go to that location, 00 03 48 00:
INDEX.DAT FILE HEADER
- Activity record:
  - Type field, 4 B: REDR, URL, or LEAK
  - Length field, 4 B: multiply by 0x80
  - Data field
INDEX.DAT FILE HEADER
- URL activity record
  - Represents a website visited
  - Record length (4 B)
  - Time stamps:
    - 8 B starting at offset +8 in the activity record: last modified
    - 8 B starting at offset +16 in the activity record: last accessed
    - Organized like file MAC times.
INDEX.DAT FILE HEADER
- REDR activity record
  - Subject's browser was redirected to another site
  - Same type, length, and data format
  - Followed by the URL at offset 16 in the activity record
INDEX.DAT FILE HEADER
- LEAK activity record
  - Same as URL
INDEX.DAT FILE HEADER
- Deleted records:
  - Will not show up when consulting IE history.
  - But are often still there.
  - "Delete history" does not rewrite the history file.
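As an added example (not from these slides or from the Foundstone paper), a Python parser for the index.dat layout described above: the null-terminated version string and file size in the header, the hash-table chain, URL/REDR/LEAK activity records with their FILETIME stamps, and a final scan of every 0x80 block that recovers records no hash table references any more, which is where "deleted" history survives. Assumed, because the slides do not give them: a 4-byte sequence number between the next-table pointer and the first (flag, pointer) entry, and the constructed 32 KB sample image.

```python
import struct
from datetime import datetime, timedelta, timezone
BLOCK = 0x80                                       # tables and records are allocated in 128-byte blocks
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch; stamps are 100-ns ticks since then
filetime = lambda ft: EPOCH + timedelta(microseconds=ft // 10)

def parse_record(data, off):
    # Returns the activity record at off, or None unless a known 4-byte type marker is there.
    sig = data[off:off + 4]
    if sig not in (b"URL ", b"REDR", b"LEAK"):
        return None
    rec = {"offset": off, "type": sig.decode().strip(),
           "length": struct.unpack_from("<I", data, off + 4)[0] * BLOCK}   # length counts 0x80 blocks
    if sig == b"REDR":                                    # redirect: target URL is NUL-terminated at +16
        rec["url"] = data[off + 16:data.index(b"\x00", off + 16)].decode("ascii", "replace")
    else:                                                 # URL/LEAK: +8 last modified, +16 last accessed
        rec["last_modified"], rec["last_accessed"] = map(filetime, struct.unpack_from("<QQ", data, off + 8))
    return rec

def parse_index_dat(data):
    """Walk the header and hash-table chain, then carve records the tables no longer reference."""
    version = data[:data.index(b"\x00")].decode("ascii")
    file_size, table_off = struct.unpack_from("<II", data, 0x1C)   # file size, then table pointer at 0x20
    linked, seen = [], set()
    while table_off and table_off < file_size and table_off not in seen:   # stop on loops or garbage
        seen.add(table_off)
        assert data[table_off:table_off + 4] == b"HASH"
        n_blocks, next_off = struct.unpack_from("<II", data, table_off + 4)
        # 8-byte entries (hash/flags, record pointer) start at +0x10, after an assumed 4-byte sequence number
        for e in range(table_off + 0x10, table_off + n_blocks * BLOCK, 8):
            ptr = struct.unpack_from("<I", data, e + 4)[0]
            if ptr and ptr % BLOCK == 0 and ptr < file_size and (rec := parse_record(data, ptr)):
                linked.append(rec)
        table_off = next_off
    known = {r["offset"] for r in linked}
    # "Delete history" unlinks records rather than rewriting the file: carve every block for leftovers
    unlinked = [r for off in range(0, file_size, BLOCK)
                if off not in known and (r := parse_record(data, off))]
    return {"version": version, "file_size": file_size, "linked": linked, "unlinked": unlinked}

def build_sample():
    """Constructed 32 KB image (not a real capture): one hash table, two linked records, one deleted."""
    img = bytearray(b"Client UrlCache MMF Ver 5.2\x00" + struct.pack("<II", 0x8000, 0x4000)).ljust(0x8000, b"\x00")
    img[0x4000:0x4020] = b"HASH" + struct.pack("<7I", 0x20, 0, 1, 0xA1, 0x5000, 0xA2, 0x5800)  # 32 blocks
    ft = (datetime(2013, 1, 15, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10
    for off in (0x5000, 0x6000):                  # 0x6000 is "deleted": no table entry points at it
        img[off:off + 24] = b"URL " + struct.pack("<IQQ", 1, ft, ft + 36_000_000_000)  # accessed 1 h later
    img[0x5800:0x5808], img[0x5810:0x5823] = b"REDR" + struct.pack("<I", 1), b"http://example.com/"
    return bytes(img)
```

Running `parse_index_dat(build_sample())` lists the two records reachable through the hash table and, separately, the URL record at 0x6000 that only the block scan finds.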
Computer Forensics, 2013: INTERNET EXPLORER ARTIFACTS (CONTINUED)
INDEX.DAT ARTIFACTS
- IE artifacts are created by the WinInet API
- Often, malware uses the same API
- If running at administrator level:
  - Entries in the index.dat of the "Default User" or "LocalService" account
IE FAVORITES
- Located in %USERPROFILE%\Favorites
- Each favorite is a file with MAC times
COOKIES
- Cookie files are generated in:
  - Documents and Settings\%username%\Cookies
  - Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
- Can be inspected directly or by using Galleta
- Time stamps:
  - Can be from the issuing site
  - More likely, created by JavaScript (giving local time)
CACHES
- Stored in system-type specific directories
FIREFOX
- Stores data in SQLite 3 databases
- Open tools are available to access them
- Firefox stores data in a user-specific profile directory
  - The folder contains profiles.ini
  - profiles.ini lists the various profile folders
- Important files:
  - formhistory.sqlite
  - downloads.sqlite
  - cookies.sqlite
  - places.sqlite
FIREFOX
- The cache directory contains numbered files in binary format
- Tools: NirSoft, Woanware
FIREFOX
- sessionstore.js
  - Used to restore the browsing session if Firefox is not terminated properly
  - Content: JSON objects (use a JSON viewer)
CHROME
- Uses a system-type dependent directory location
- Uses SQLite
- Cookies
- History:
  - Tables downloads, urls, visits
  - Time values stored in seconds since Jan 1, 1601 UTC
- Login Data
- Web Data (autofill)
- Thumbnails (of websites visited)
- Bookmarks: a file with JSON objects
CHROME
- Cache:
  - index file
  - Four numbered files data_0, ..., data_3
  - f_(six hex digits) files
  - Creation time of the f_ files can be correlated with data from the History database
  - No open source tools
SAFARI
- History
  - Times in History.plist are stored as MacAbsoluteTime (seconds since January 1, 2001 GMT)
  - Use Safari Forensics Tools (SFT) for scanning
- Downloads.plist
- Bookmarks.plist
- Cookies.plist
SAFARI
- Cache information in the Cache.db SQLite 3 database
  - cfurl_cache_response (URL)
  - cfurl_cache_blob_data (actual cached data)
- LastSession.plist
OUTLOOK ARTIFACTS
- Storage format is PST
- OST is the PST format for offline storage of email
- Format information at msdn.microsoft.com/en-us/library/ff385210.aspx