
Computer Forensics

INTERNET ARTIFACTS
BROWSERS

 Leave behind:
 Caches

 Cookies

 Browser settings (favorites, history)


 Erasing history does not always erase the entries that were created; it often only changes what the browser displays
INTERNET EXPLORER

 Index.dat
 Located in
 c:\documents and settings\user\local settings\temporary internet files\
 c:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
 Stored in the MS IE Cache File format (MSIECF)
INTERNET EXPLORER

 Investigate IE index.dat with
 Pasco from Foundstone
 Joachim Metz's libmsiecf project (at SourceForge)
 Kenichi Ishigaki's Win32::URLCache Perl module


Reference: Keith J. Jones, Foundstone, http://www.foundstone.com/pdf/wp_index_dat.pdf

INDEX.DAT ANALYSIS
INDEX.DAT FILE HEADER
 Starts with a null-terminated version string (e.g. "Client UrlCache MMF Ver 5.2").
 Followed by the file size: 4 bytes, little endian, at offset 0x1C.
 Bytes on disk 00 80 00 00 = value 0x00008000 after little-endian conversion
 = 32768 bytes
INDEX.DAT FILE HEADER

 Bytes 0x20 – 0x23: offset of the (first) hash table.
 The hash table holds the pointers to the actual entries (activity records).
 Example: bytes 00 40 00 00 give 0x00004000, so go to byte 0x4000.
INDEX.DAT FILE HEADER

 Beginning of hash table


INDEX.DAT FILE HEADER: HISTORY
 Header values of a History index.dat:
 Size: 0x00394000 = 3751936 bytes
 Hash table: 0x00005000
 Directories: null-terminated directory names, starting at offset 0x50
INDEX.DAT FILE
 Hash Table:
 There can be several hash tables; each one contains a pointer to the next one.
 Fields in the hash table header:
 Magic marker "HASH"
 4B number of 128-byte blocks the table occupies (multiply by 128B to get its size)
 4B pointer to the next hash table (0 if there is none)
 After the header: 8-byte slots, each a 4B hash/flag value followed by a 4B pointer to an activity record
INDEX.DAT FILE
 Hash Table: block count 0x20 = 32, so the total size of the hash table is 32*128B = 4KB
 Next hash table at 0x00018000
INDEX.DAT FILE: HASH TABLE ENTRY
 Hash/activity flag: 40 03 6C DA
 Activity record pointer: 00 03 48 00, i.e. offset 0x00034800
 Go to that location: the activity record starts there
INDEX.DAT FILE: ACTIVITY RECORD

 Activity Record
 Type field, 4B:
 REDR
 URL (followed by a space)
 LEAK
 Length field, 4B: number of 128-byte blocks; multiply by 0x80 to get the record size
 Data field
INDEX.DAT FILE: URL ACTIVITY RECORD
 URL Activity Record
 Represents a website visited (in the cache index.dat, a cached item)
 Record length (4B, in 128-byte blocks)
 Time stamps: 64-bit Windows FILETIME values (100-ns ticks since 1601-01-01 UTC), the same encoding as NTFS file MAC times
 8B starting at offset +8 in the activity record: last modified
 8B starting at offset +16 in the activity record: last accessed
INDEX.DAT FILE: REDR ACTIVITY RECORD
 REDR Activity Record
 Subject's browser was redirected to another site
 Same type, length, data format
 Followed by the target URL (null-terminated) at offset +16 in the activity record

INDEX.DAT FILE: LEAK ACTIVITY RECORD
 LEAK activity record
 Same layout as the URL record
INDEX.DAT FILE: DELETED RECORDS
 Deleted Records:
 Will not show up when consulting IE history.
 But are often still there in the file.
 "Delete history" does not rewrite the history file; it only stops the browser from displaying the entries.
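The header, hash-table chain and activity-record layout described on the slides above, walked by an added example that is not part of the slides or of any of the tools they mention. It builds a small constructed index.dat in memory (not a real capture), lists the records the browser would still show by following the hash tables, and then scans every 128-byte block for a record signature to recover the entry whose hash slot was cleared. Assumptions beyond what the slides state: the version string "Client UrlCache MMF Ver 5.2", the file size at 0x1C and first hash-table offset at 0x20, the filler values in unused hash slots, and, for version 5.2 URL/LEAK records, the URL string's offset stored at +52 relative to the record (per the libmsiecf format notes).

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                                    # records and hash tables are 128-byte blocks
RECORD_TYPES = (b"URL ", b"REDR", b"LEAK")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILLER = {0, 0xDEADBEEF, 0x0BADF00D}            # assumption: pointer values of unused hash slots


def filetime_to_dt(ticks):
    """64-bit FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'no timestamp'."""
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def cstr(buf, off):
    """Null-terminated ASCII string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("ascii", "replace")


def parse_header(buf):
    version = cstr(buf, 0)                                   # null-terminated version string
    size, hash_off = struct.unpack_from("<II", buf, 0x1C)    # file size, first hash table
    return version, size, hash_off


def parse_record(buf, off):
    rtype = buf[off:off + 4]
    nblocks = struct.unpack_from("<I", buf, off + 4)[0]      # length field, in 0x80 blocks
    rec = {"offset": off, "type": rtype.decode().strip(), "length": nblocks * BLOCK}
    if rtype in (b"URL ", b"LEAK"):                          # LEAK shares the URL layout
        modified, accessed = struct.unpack_from("<QQ", buf, off + 8)
        rec["modified"] = filetime_to_dt(modified)           # FILETIME at +8
        rec["accessed"] = filetime_to_dt(accessed)           # FILETIME at +16
        url_rel = struct.unpack_from("<I", buf, off + 52)[0]  # assumption: v5.2 URL offset field
        rec["url"] = cstr(buf, off + url_rel)
    else:                                                    # REDR: target URL directly at +16
        rec["url"] = cstr(buf, off + 16)
    return rec


def walk_hash_tables(buf, hash_off):
    """What the browser would show: records reachable through live hash slots."""
    seen = set()
    while hash_off and hash_off not in seen:
        seen.add(hash_off)
        assert buf[hash_off:hash_off + 4] == b"HASH"
        nblocks, next_off = struct.unpack_from("<II", buf, hash_off + 4)
        for slot in range(hash_off + 16, hash_off + nblocks * BLOCK, 8):
            _hash, rec_off = struct.unpack_from("<II", buf, slot)  # 4B hash/flag, 4B pointer
            if rec_off in FILLER or rec_off + 4 > len(buf):
                continue
            if buf[rec_off:rec_off + 4] in RECORD_TYPES:
                yield parse_record(buf, rec_off)
        hash_off = next_off                                  # 0 terminates the chain


def carve_records(buf):
    """What the examiner sees: every block boundary that still carries a record signature."""
    for off in range(0, len(buf), BLOCK):
        if buf[off:off + 4] in RECORD_TYPES:
            yield parse_record(buf, off)


def summarize(buf):
    live = list(walk_hash_tables(buf, parse_header(buf)[2]))
    live_offsets = {r["offset"] for r in live}
    orphaned = [r for r in carve_records(buf) if r["offset"] not in live_offsets]
    return live, orphaned


def build_sample():
    """Constructed file, not a real capture: header, one 2-block hash table, three records."""
    buf = bytearray(0x20 * BLOCK)                            # 32 blocks = 0x1000 bytes
    struct.pack_into("28s", buf, 0, b"Client UrlCache MMF Ver 5.2")
    hash_off = 0x100
    struct.pack_into("<III", buf, 0x1C, len(buf), hash_off, 0x20)
    struct.pack_into("<4sIII", buf, hash_off, b"HASH", 2, 0, 1)   # 2 blocks, no next table
    t_mod = dt_to_filetime(datetime(2013, 3, 15, 12, 0, tzinfo=timezone.utc))
    t_acc = dt_to_filetime(datetime(2013, 3, 16, 8, 30, tzinfo=timezone.utc))

    def url_record(off, url):
        nblocks = -(-(0x68 + len(url) + 1) // BLOCK)         # whole 128-byte blocks needed
        struct.pack_into("<4sIQQ", buf, off, b"URL ", nblocks, t_mod, t_acc)
        struct.pack_into("<I", buf, off + 52, 0x68)          # URL string stored at +0x68
        struct.pack_into(f"{len(url) + 1}s", buf, off + 0x68, url)

    url_record(0x200, b"Visited: alice@http://example.com/")  # 2 blocks: 0x200-0x300
    struct.pack_into("<4sI", buf, 0x300, b"REDR", 1)
    struct.pack_into("32s", buf, 0x300 + 16, b"http://redirect.example/landing")
    url_record(0x380, b"http://deleted.example/")
    # Hash slots: the third record was "deleted", but only its slot was overwritten.
    struct.pack_into("<IIIIII", buf, hash_off + 16,
                     0x40036CDA, 0x200, 0x7A11B2C4, 0x300, 0x03, 0xDEADBEEF)
    return bytes(buf)


if __name__ == "__main__":
    live, orphaned = summarize(build_sample())
    for r in live:
        print("live     ", r["type"], r.get("accessed"), r["url"])
    for r in orphaned:
        print("orphaned ", r["type"], r.get("accessed"), r["url"])
```

Running the block prints two live records and one orphaned URL record: the hash-table walk is what "Delete history" affects, while the block scan is what a carving tool does to recover the entry that is still sitting in the file.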


Computer Forensics, 2013

INTERNET EXPLORER ARTIFACTS (CONTINUED)
INDEX.DAT ARTIFACTS
 IE artifacts are created by the WinInet API
 Malware often uses the same API
 If it runs at administrator or system level:
 entries appear in the index.dat of the "Default User" or "LocalService" account
IE FAVORITES
 Located in
 %USERPROFILE%\Favorites
 Each favorite is a file (a .url shortcut) with its own MAC times


COOKIES
 Cookie files are generated in
 Documents and Settings\%username%\Cookies
 Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
 Can be inspected directly (plain text files) or by using Galleta
 Time stamps:
 Can be set by the issuing site
 More likely, created by JavaScript (giving local time)
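An added example, not from the slides and not Galleta's code, of inspecting an IE cookie file directly as the slide suggests. The nine-line record layout assumed here is the one Galleta parses: name, value, host/path, flags, expiry low and high 32-bit halves, creation low and high halves, then a "*" separator, with each pair of halves forming a 64-bit Windows FILETIME. The cookie text is constructed inside the block, not taken from a real system.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ticks):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC (0 = no timestamp)."""
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)


def split_filetime(dt):
    """Inverse of the on-disk layout: FILETIME -> (low 32 bits, high 32 bits), both decimal."""
    ticks = ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
    return ticks & 0xFFFFFFFF, ticks >> 32


def parse_ie_cookie_file(text):
    """Parse the assumed nine-line-per-cookie text layout; rejoin the split timestamps."""
    records, fields = [], []
    for line in text.splitlines():
        if line != "*":
            fields.append(line)
            continue
        if len(fields) != 8:
            raise ValueError(f"malformed cookie record: {fields!r}")
        name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = fields
        records.append({
            "name": name, "value": value, "site": site, "flags": int(flags),
            "expires": filetime_to_dt((int(exp_hi) << 32) | int(exp_lo)),
            "created": filetime_to_dt((int(cre_hi) << 32) | int(cre_lo)),
        })
        fields = []
    return records


def build_sample():
    """Constructed cookie file text (two cookies), not a real capture."""
    created = datetime(2013, 4, 2, 9, 15, 30, tzinfo=timezone.utc)
    expires = created + timedelta(days=365)
    lines = []
    for name, value, site in [("sessionid", "8f2c1d", "example.com/"),
                              ("pref", "lang=en", "example.com/account/")]:
        lines += [name, value, site, "1536",
                  *map(str, split_filetime(expires)),
                  *map(str, split_filetime(created)), "*"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for c in parse_ie_cookie_file(build_sample()):
        print(c["site"], c["name"], "created", c["created"], "expires", c["expires"])
```

The creation time is the one worth correlating with index.dat and file-system timestamps; the expiry is whatever the site (or its JavaScript) asked for and says nothing about when the user was there.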
CACHES

 Stored in system-type specific directories



FIREFOX
 Stores data in SQLite 3 databases
 Open tools are available to access them
 Firefox stores them in a user-specific profile directory
 The Firefox application-data folder contains profiles.ini
 profiles.ini lists the profile folders
 Important:
 formhistory.sqlite
 downloads.sqlite
 cookies.sqlite
 places.sqlite (history and bookmarks)
FIREFOX
 Cache
 The cache directory contains numbered files in a binary format
 Tools: NirSoft, Woanware
FIREFOX
 sessionstore.js
 Used to restore the browsing session if Firefox is not terminated properly
 Content: JSON objects (use a JSON viewer)



CHROME
 Uses a system-type dependent directory location
 Uses SQLite
 Cookies
 History: tables downloads, urls, visits
 Time values stored as microseconds since Jan 1, 1601 UTC (WebKit time)
 Login Data
 Web Data (autofill)
 Thumbnails (of websites visited)
 Chrome bookmarks
 Bookmarks file with JSON objects
CHROME
 Cache
 index file
 four block files data_0, .., data_3
 f_ files (f_ followed by six hex digits) holding the larger entries
 Creation time of the f_ files can be correlated with data from the History database
 No open source tools

SAFARI
 History in History.plist
 Times stored as Mac Absolute Time (seconds since January 1, 2001 UTC)
 Use Safari Forensic Tools (SFT) for scanning
 Downloads.plist
 Bookmarks.plist
 Cookies.plist
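The three epochs mentioned on the Chrome and Safari slides (plus the FILETIME used by IE and the Firefox PRTime used in places.sqlite), normalised to UTC in one added example that is not part of the slides. The Chrome History database it queries is constructed in memory with only the urls/visits columns the query touches, not a real profile; the SQL path converts the WebKit microseconds with the well-known 11644473600-second offset between 1601 and 1970 and is cross-checked against the Python conversion.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)
SECONDS_1601_TO_1970 = 11644473600               # offset used by the SQL conversion below


def chrome_time(us):
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC (0 = unset)."""
    return None if not us else EPOCH_1601 + timedelta(microseconds=us)


def to_chrome_time(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1)


def firefox_time(us):
    """Firefox PRTime (places.sqlite visit_date): microseconds since 1970-01-01 UTC."""
    return None if not us else EPOCH_1970 + timedelta(microseconds=us)


def safari_time(seconds):
    """Safari Mac Absolute Time: seconds since 2001-01-01 UTC."""
    return None if seconds is None else EPOCH_2001 + timedelta(seconds=seconds)


def filetime(ticks):
    """IE / Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return None if not ticks else EPOCH_1601 + timedelta(microseconds=ticks // 10)


def build_chrome_history():
    """Constructed History database (in memory) with only the columns the query needs."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
    """)
    t1 = to_chrome_time(datetime(2013, 4, 2, 9, 15, 30, tzinfo=timezone.utc))
    t2 = t1 + 90 * 1_000_000                      # second visit 90 seconds later
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "http://example.com/", "Example", 1, t1),
        (2, "http://example.com/login", "Login", 1, t2),
    ])
    # transition: core type only (0 = link, 1 = typed); qualifier bits omitted here
    db.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t1, 0, 1),
        (2, 2, t2, 1, 0),
    ])
    return db


def visits_utc(db):
    """Join visits to urls; convert the time in SQL and in Python and require agreement."""
    rows = db.execute("""
        SELECT u.url, v.visit_time, v.from_visit,
               datetime(v.visit_time / 1000000 - ?, 'unixepoch') AS sql_utc
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """, (SECONDS_1601_TO_1970,)).fetchall()
    out = []
    for url, t, from_visit, sql_utc in rows:
        py_utc = chrome_time(t).strftime("%Y-%m-%d %H:%M:%S")
        assert py_utc == sql_utc, "SQL and Python conversions disagree"
        out.append((py_utc, url, from_visit))
    return out


if __name__ == "__main__":
    for when, url, from_visit in visits_utc(build_chrome_history()):
        print(when, url, "(from visit %d)" % from_visit)
```

Keeping every browser's timestamp in UTC before building a timeline is the point: a Safari value and a Chrome value for the same instant differ by a factor of a million and by 400 years of epoch, and mixing them up silently produces a plausible-looking but wrong sequence of events.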
SAFARI
 Cache information in Cache.db, an SQLite 3 database
 cfurl_cache_response (URL of the request)
 cfurl_cache_blob_data (actual cached data)
 LastSession.plist

OUTLOOK ARTIFACTS
OUTLOOK
 Storage format is PST
 OST for offline storage of email
 PST format information at
 msdn.microsoft.com/en-us/library/ff385210.aspx
