Forensic Analysis of Internet Explorer Activity Files
Based on the article by Keith J. Jones, Foundstone: http://www.foundstone.com/pdf/wp_index_dat.pdf

Basics
- Internet Explorer market share:
  - 2002: 92.9% (WebSideStory)
  - 2004: 81.4% (www.w3schools.com/browsersstats.app; the sample is biased towards users of alternative browsers)
  - 2007: 58.6% (same source)

Basics: where the files live
- Win 9x / ME:
  - Windows\Temporary Internet Files\Content.IE5
  - Windows\Cookies
  - Windows\History\History.IE5
- Win NT:
  - Winnt\Profiles\<user>\Local Settings\Temporary Internet Files\Content.IE5
  - Winnt\Profiles\<user>\Cookies
  - Winnt\Profiles\<user>\Local Settings\History\History.IE5
- Win 2K / Win XP:
  - Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5
  - Documents and Settings\<user>\Cookies
  - Documents and Settings\<user>\Local Settings\History\History.IE5

index.dat
- File header: contains basic information on the file.

index.dat file header
- Null-terminated version string.
- Followed by the file size.
  - Bytes on disk: 0x00 80 00 00 -> 0x00008000 after little-endian conversion = 32768

index.dat file header
- Bytes 0x20 - 0x23: location of the hash table.
  - The hash table is used to store the actual entries. Go to byte 0x00004000.

index.dat file header
- Beginning of the hash table.

index.dat file header: History
- Size: 0x00394000 = 3751936
- Hash table: 0x00005000
- Directories: null-terminated, at 0x50

index.dat file
- Hash table:
  - There can be several hash tables. Each one contains a pointer to the next one.
- Fields in the hash table:
  - Magic marker "HASH"
  - 4 B: number of entries in the hash table. Multiply this number by 128 B.
  - Pointer to the next hash table

index.dat file
- Hash table example:
  - Length field: 0x20 (32 entries)
  - Total size of the hash table is 32 * 128 B = 4 KB
  - Next hash table at 0x00018000

index.dat file: hash table layout

Field                     Offset   Size   Description
Hash Table Length         4        4      Length of the hash table in 0x80-byte blocks
Next Hash Table           8        4      Offset of the next hash table. A zero value shows that this is the last hash table.
Hash Table Entries (n = 0, 1, ...):
  Activity Record Flags   16+8n    4      First byte 0x01: record deleted. First byte 0x03: ... Else: ...
  Activity Record Pointer 20+8n    4      Offset of the activity record

index.dat file header
- Activity flag: 40 03 6C DA
- Activity record pointer: 00 03 48 00
- Go to 00 03 48 00 and look at that location.

index.dat file header
- Activity record:
  - Type field (4 B): REDR, URL or LEAK
  - Length field (4 B): multiply by 0x80
  - Data field

index.dat file header
- URL activity record:
  - Represents a website visited
  - Record length (4 B)
  - Time stamps, organized like file MAC times:
    - 8 B starting at offset +8 in the activity record: last modified
    - 8 B starting at offset +16 in the activity record: last accessed

index.dat file header
- REDR activity record:
  - The subject's browser was redirected to another site
  - Same type, length and data format
  - Followed by the URL at offset 16 in the activity record

index.dat file header
- LEAK activity record:
  - Same layout as URL

index.dat file header
- Deleted records:
  - Will not show up when consulting the IE history.
  - But they are often still there.
  - "Delete history" does not rewrite the history file.

index.dat file header
- Tools to sort things out:
  - Pasco for index.dat
  - Galleta for cookies
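
The header -> hash table -> activity record walk described on the preceding slides, as an added Python example (not code from the slides, from Jones's paper or from Pasco). It builds a constructed miniature index.dat and parses it back, deleted records included; the file-size field at 0x1C, the FILETIME encoding of the +8/+16 time stamps, the 0x03 "live" flag byte and the sample URL and dates are assumptions for the example.

```python
import struct
from datetime import datetime, timedelta

FILESIZE_FIELD, BLOCK = 0x1C, 0x80  # assumed: size right after the version string, hash-table pointer at 0x20
EPOCH_1601, RECORD_TYPES = datetime(1601, 1, 1), (b"URL ", b"REDR", b"LEAK")
VISIT_FT = 127_238_274_000_000_000  # constructed FILETIME for 2004-03-15 12:30:00 UTC

def from_filetime(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> naive UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_record(data, off):  # type (4 B), length (4 B, x 0x80), then type-specific data
    if off + 8 > len(data) or data[off:off + 4] not in RECORD_TYPES:
        return None  # unused hash slot or garbage pointer
    rtype, blocks = struct.unpack_from("<4sI", data, off)
    rec = {"offset": off, "type": rtype.decode().strip(), "length": blocks * BLOCK}
    if rec["type"] in ("URL", "LEAK"):  # FILETIMEs at +8 (last modified) and +16 (last accessed)
        rec["last_modified"], rec["last_accessed"] = map(from_filetime, struct.unpack_from("<QQ", data, off + 8))
    else:  # REDR: null-terminated URL at +16
        rec["url"] = data[off + 16:data.index(b"\x00", off + 16)].decode()
    return rec

def parse_index_dat(data):  # header -> chain of HASH tables -> activity records, deleted ones included
    version = data[:data.index(b"\x00")].decode()
    file_size, table_off = struct.unpack_from("<II", data, FILESIZE_FIELD)
    records = []
    while table_off:  # a zero next-pointer marks the last hash table
        if data[table_off:table_off + 4] != b"HASH":
            raise ValueError(f"no HASH marker at {table_off:#x}")
        blocks, next_off = struct.unpack_from("<II", data, table_off + 4)
        for n in range((blocks * BLOCK - 16) // 8):  # (flags, pointer) pairs from offset 16
            flags, ptr = struct.unpack_from("<II", data, table_off + 16 + 8 * n)
            if rec := parse_record(data, ptr):
                rec["deleted"] = (flags & 0xFF) == 0x01  # first flag byte 0x01 = deleted record
                records.append(rec)
        table_off = next_off
    return {"version": version, "file_size": file_size, "records": records}

def build_sample():  # constructed miniature index.dat (not a real capture): header, one table, three records
    buf = bytearray(0x380)
    buf[0:0x1C] = b"Client UrlCache MMF Ver 5.2\x00"
    struct.pack_into("<II", buf, FILESIZE_FIELD, len(buf), 0x100)  # file size, first hash table
    struct.pack_into("<4sII", buf, 0x100, b"HASH", 1, 0)  # one 128 B block, no next table
    struct.pack_into("<6I", buf, 0x110, 0x03, 0x200, 0x01, 0x280, 0x03, 0x300)  # live, deleted, live
    for off, modified in ((0x200, VISIT_FT), (0x280, VISIT_FT - 36_000_000_000)):  # 2nd modified 1 h earlier
        struct.pack_into("<4sIQQ", buf, off, b"URL ", 1, modified, VISIT_FT)
    url = b"http://example.test/redirect\x00"
    struct.pack_into("<4sI", buf, 0x300, b"REDR", 1)
    buf[0x310:0x310 + len(url)] = url
    return bytes(buf)
```

Running `parse_index_dat(build_sample())` returns the deleted URL record alongside the live ones, which is exactly why a raw parse of index.dat shows more than the browser's own history view.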