CSN09105 Security and Forensic Computing


CSN11121
System Administration and Forensics
Web Browser Forensic
Overview
• Forensics on Internet Explorer and Firefox
– Structure
– Information storage
– Access to the Information storage
– Tools used to analyze IE’s history, cached files,
cookies and stored credentials
Forensics on Windows
Web Browsers – The “Market”
• The major browsers (most to least-used):
– Internet Explorer – 61.58%
– Mozilla Firefox – 24.23%
– Everything else! – 14.19%
Hitslink.com – February 2010
Internet Explorer - storage
Stores files used in displaying web pages (cache), tracking pages
visited (history) and automatic identification / authentication
(cookies, credentials)
• Pages already viewed retrieve their page code and embedded files (such as
graphics) from the hard drive rather than from the server, so the page loads
faster (cache)
• The user can see a record of recently visited pages (history)
• No need to sign in again at sites that require it, or to specify preferences
again (cookies and credentials). Cookies are also used by the visited site and
by other sites to track web browsing, which is a privacy discussion in its
own right.
Internet Explorer – History Menu
• The easiest way to access the browsing history in Internet
Explorer: History menu!
• Click on the icon (clock with a green arrow running down
the left side in IE6, orange star on the left in IE7 & 8) or
hit <Ctrl>-<h>
• Brings up a sidebar with the history nicely arranged,
including Windows documents viewed
• Use the View menu to arrange the pages visited by date,
by site, by most visited, and by order visited today
Internet Explorer – File Locations
• Windows 2000, XP, and 2003
– Stores the evidence of pages visited in
index.dat in 4 locations, pertaining to the
cache, history and cookies
– These files may be difficult to find, as Windows
persists in “hiding” them from Windows Explorer,
Search, and even command-line browsing
• Windows Vista, 7 and 2008 changed the
locations!
Internet Explorer – Browsing History
With Cache Files
• For the subject's browsing history (index.dat and the cache files
themselves, in subdirectories), use Windows Explorer to look in
C:\Documents and Settings\<subject User’s ID>\Local Settings\Temporary Internet Files\Content.IE5\ (Windows 2000, XP and 2003)
C:\Users\<subject User’s ID>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 (Windows Vista, 7 and 2008)
Internet Explorer – Browsing History
Without Cache Files
• For the subject's browsing history (index.dat without the cache files),
use a browser (NOT Windows Explorer) or a command prompt to look in
C:\Documents and Settings\<subject User’s ID>\Local Settings\History\History.IE5\
Daily history: MSHist01(start)YYYYMMDD(end)YYYYMMDD
Weekly history: MSHist01(start)YYYYMMDD(end)YYYYMMDD
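Added example (not from the original slides): a small parser for the History.IE5 container folder names described above. It assumes that a daily container spans one day and a weekly one spans seven, and classifies each folder by the span between its two dates.

```python
import re
from datetime import datetime

# Folder names under History.IE5: "MSHist01" + start date + end date,
# both YYYYMMDD. Daily vs. weekly is inferred here from the span covered
# (assumption: one day for daily containers, seven days for weekly ones).
MSHIST_RE = re.compile(r"^MSHist01(\d{8})(\d{8})$")


def parse_mshist_folder(name):
    """Return (start_date, end_date, kind) for an MSHist01 folder name,
    or None when the name is not a history container (e.g. index.dat)."""
    m = MSHIST_RE.match(name)
    if not m:
        return None
    start = datetime.strptime(m.group(1), "%Y%m%d")
    end = datetime.strptime(m.group(2), "%Y%m%d")
    if end <= start:
        raise ValueError(f"end date does not follow start date in {name}")
    span = (end - start).days
    kind = {1: "daily", 7: "weekly"}.get(span, f"{span}-day")
    return start.date(), end.date(), kind


# Constructed directory listing standing in for a subject's History.IE5.
SAMPLE_LISTING = [
    "index.dat",
    "MSHist012010020120100202",   # 1 Feb 2010 to 2 Feb 2010: daily
    "MSHist012010012520100201",   # 25 Jan 2010 to 1 Feb 2010: weekly
    "desktop.ini",
]


def catalogue(listing):
    """List every history container in the directory, oldest first, as
    (folder name, start, end, kind); non-container entries are skipped."""
    out = []
    for name in sorted(listing):
        parsed = parse_mshist_folder(name)
        if parsed:
            out.append((name,) + parsed)
    return out


if __name__ == "__main__":
    for entry in catalogue(SAMPLE_LISTING):
        print(*entry, sep="\t")
```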
Internet Explorer – Index.dat In Depth - Header
[Slide figure: annotated hex dump of an index.dat file, marking the start of the header and the start of the cache folder listing]
Internet Explorer – Index.dat In Depth - Activity Record
[Slide figure: annotated hex dump of one index.dat activity record, marking the start of the record, the last modified timestamp, the last accessed timestamp, the start of the URL, the cached file name, the start of the HTTP header and the start of the user name]
IE – What If The subject Clears The
Cache?
• In IE6, when you select Delete Files, the cache
files are deleted from the hard drive, but the
entries in index.dat are marked “free” and
NOT removed!
• IE7 & 8 are more thorough – selecting Delete
Files removes both the files and the entries in
index.dat (although you can still restore the
files themselves, as they are not overwritten)
IE8 – What If The subject uses
“InPrivate Browsing”?
Internet Explorer – Cookies
• For cookies saved on the subject's hard drive
(individual cookie text files), use Windows
Explorer to look in
C:\Documents and Settings\<subject User’s ID>\Cookies\
Internet Explorer 6 and Before –
Identification / Authentication
• Stores encrypted userIDs and passwords (AutoComplete) in
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW, and web addresses in
HKLM\Software\Microsoft\Protected Storage System Provider\<subject’s user ID>
Internet Explorer 7 & 8 – Identification
/ Authentication
• Stores encrypted userIDs and passwords (AutoComplete) in
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
• Encryption has been improved
Mandiant Web Historian - Overview
• A tool that allows you to take a given
index.dat file and parse it into a readable /
exportable format
• Available at
http://www.mandiant.com/webhistorian.htm
• The best part: It’s FREE!
Mandiant Web Historian – Running
• When you run the program, you are presented with two ways
of obtaining an index.dat file
• Note that only certain approaches work for certain files, and
using the wrong approach may lock the Web Historian program!
Mandiant Web Historian – History
Report
Pasco
• Pasco is another tool for analysis of the
index.dat files, but this one also runs on
Unix, which is another environment where
you may be running other forensics tools
• Does basically the same operation as Web
Historian, outputting to delimited text files
that can be imported elsewhere
Pasco - History with Cache
Galleta - Cookie analysis
• From the command line (Unix or Windows):
galleta <option> (filename)
• Option: -t (column delimiter – defaults to tab)
• Use > to redirect output into a file
IE PassView - Stored Credentials
• IE PassView reads the stored Internet Explorer
credentials from the Windows Registry and returns
the website, userID and password in columnar
format
• Note that this will obtain the user credentials, but
not other autocomplete information such as form
fields
• You will have to run it on the subject's computer –
not a very good idea, so create a (forensic) working
copy and run it from there
Firefox – What We Will Cover
• Where Firefox stores files used in displaying web pages
(cache), tracking pages visited (history) and automatic
identification / authentication (cookies, credentials)
• How to access the information using just the browser
• Tools used to analyze Firefox’s history, cached files,
cookies and stored credentials
• Tools used to override protection of the stored
credentials
Firefox - Overview
• Open source web browser
• Evolved from the Netscape Navigator web
browser
• Support for images, frames, SSL and JavaScript
• Full disk cache support
Firefox – File Locations
• Firefox stores its history, downloads, form fields, cookies,
and Identification / Authentication files in the same location:
C:\Documents and Settings\<subject User’s ID>\Application Data\Mozilla\Firefox\Profiles\<seemingly random characters>.default\ (Windows XP) or
C:\Users\<subject User’s ID>\AppData\Local\Mozilla\Firefox\Profiles\<seemingly random characters>.default\ (Windows Vista, 7 and 2008)
Firefox – File Locations (2)
• Firefox stores its cache files in a different location:
C:\Documents and Settings\<subject User’s ID>\Local Settings\Application Data\Mozilla\Firefox\Profiles\<seemingly random characters>.default\Cache\ (Windows XP) or
C:\Users\<subject User’s ID>\AppData\Local\Mozilla\Firefox\Profiles\<seemingly random characters>.default\Cache\ (Windows Vista)
SQLite Library
• Software library that implements a
transactional SQL Database Engine
• Used by Firefox to store information in the
files we discussed before
• Unlike with earlier Firefox versions, the text in
SQLite format can be read easily within Firefox
Firefox Data Files – In Depth
• places.sqlite: Stores information regarding the
places where the user has browsed.
– moz_places: records each URL visited and
related information
– moz_historyvisits: records all visits to URLs
recorded in the moz_places table
– moz_inputhistory: records information
typed into text boxes on web pages
– moz_favicons: records information for the
page’s favorite icon.
Firefox Data Files – In Depth (2)
• formhistory.sqlite: Stores the values entered into form
fields on web pages, together with the corresponding field names.
– moz_formhistory: Records information typed
on HTML forms
• cookies.sqlite: Stores cookies obtained from
URLs
– moz_cookies: Records places, values and
expiration of obtained cookies
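Added example, not part of the original slides: reconstructing a visit timeline from the two places.sqlite tables described above (moz_places and moz_historyvisits). The schema used here is an assumed, simplified subset of the real one; visit_date is stored as PRTime, microseconds since the Unix epoch, which the code converts to readable UTC timestamps.

```python
import sqlite3
from datetime import datetime, timezone

# Simplified subset of the Firefox places.sqlite schema (assumed here; the
# real file carries many more columns). visit_date is PRTime: microseconds
# since the Unix epoch, in UTC.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
"""

# Constructed sample rows standing in for a subject's profile.
SAMPLE_PLACES = [
    (1, "http://www.example.com/", "Example Domain", 2),
    (2, "http://www.example.org/login", "Login", 1),
]
SAMPLE_VISITS = [
    (1, 1, 1265000000000000),   # 2010-02-01 04:53:20 UTC
    (2, 2, 1265000360000000),   # six minutes later
    (3, 1, 1265003600000000),   # one hour after the first visit
]


def load_sample_profile():
    """Build an in-memory places.sqlite look-alike from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", SAMPLE_PLACES)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?)", SAMPLE_VISITS)
    return conn


def prtime_to_iso(us):
    """Convert a PRTime value (microseconds since epoch) to a UTC string."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def history_timeline(conn):
    """Join every visit back to its URL and title, ordered by time: one row
    per visit rather than one row per URL, which is what moz_places holds."""
    rows = conn.execute(
        "SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date"
    ).fetchall()
    return [(prtime_to_iso(d), url, title) for d, url, title in rows]


def open_profile_copy(path):
    """For a real case: open a working copy of places.sqlite read-only."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for line in history_timeline(load_sample_profile()):
        print(*line, sep="\t")
```

The same join works against a forensic copy of the file via open_profile_copy(); never open the live profile, since Firefox locks it and may write to it.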
Firefox – Viewing Without Tools
• View the History menu, or display in a sidebar
with <Ctrl>-<h>
• Type “about:cache” in the address bar to view
cache files
• Tools / Options / Privacy / Cookies / Show
Cookies
Firefox – Viewing (Almost) Without Tools
Mandiant Web Historian – Firefox
Firefox Cache – Inside The Files
• On Firefox, the cache information is stored
across 3 types of files: one (1) cache map
file, three (3) cache block files, and as many
additional cache data files as required to
store additional cache data
Firefox – What If The subject Clears
The Cache?
• In Firefox, the situation is skewed much more
in favor of the subject. Going to Tools and
selecting Clear Private Data deletes not only
the cache files, but handily removes the cache
map and cache block files, so tying the files
(assuming you could recover them) to the
cache map and blocks becomes quite a bit
more difficult
Cache View - Overview
• Fortunately, we’re going to forgo the math
and utilize the Cache View tool, a shareware
program that can be fully registered for all of
US $25
• This program extracts the cache data,
organizes it and displays it in columnar
format, and allows export to comma-separated files
Cache View - Firefox
MozillaCookiesView - Firefox
FireMaster – Stored Credentials
• Firefox gives you the option to save your often-used
userIDs and passwords that you utilize to access
websites
• Unfortunately for the forensic investigator, the
subject may specify a Master password, which
prevents access to all the other passwords
• FireMaster cracks this master password, allowing you
to access the password list in the browser or via
FirePassword
FirePassword – Stored Credentials
• Used with or without the Master Password
(depending on if it’s been set) to see the
websites your subject visited and the
userIDs and passwords s/he used to get in
• Much quicker than FireMaster, as you either
don’t have a Master Password or have
already specified it!
Dump AutoComplete – Stored Form Fields
• Information in formhistory.sqlite can be
viewed with any sqlite-compatible program, but
must be extracted to be the most useful to the
investigator
• Use the Dump Auto Complete program to bring out
the form field name and what was entered
• Even though these aren’t credentials, a lot of
information about the subject can be gleaned