Internet Artifacts
Computer Forensics
INTERNET ARTIFACTS
BROWSERS
Browsers leave behind:
- Caches
- Cookies
- Browser settings (favorites, history)
Erasing history does not always erase the entries created; it only changes what the browser displays.
INTERNET EXPLORER
Index.dat
Located in:
- c:\documents and settings\user\local settings\temporary internet files\
- c:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
In MS IE Cache File (MSIECF) format.
INTERNET EXPLORER
Investigate IE index.dat with:
- Pasco, from Foundstone
- Metz: libmsiecf project at SourceForge
- Ishigaki: Win32::URLCache Perl module
- Keith J. Jones (Foundstone): http://www.foundstone.com/pdf/wp_index_dat.pdf
INDEX.DAT ANALYSIS

INDEX.DAT FILE HEADER
- Null-terminated version string.
- Followed by the file size:
  0x 00 80 00 00 -> 0x 00 00 80 00 (little-endian conversion) = 32768
- Bytes 0x20 - 0x23: location of the hash table. The hash table is used to store the actual entries.
  Go to byte 0x 00 00 40 00: beginning of the hash table.

INDEX.DAT FILE HEADER: HISTORY
- Size: 0x00394000 = 3751936
- Hash table: 0x00005000
- Directories: (null-terminated, 0x50)
INDEX.DAT FILE: HASH TABLE
- There can be several hash tables. Each one contains a pointer to the next one.
- Fields in the hash table:
  - Magic marker "HASH"
  - 4B: number of entries in the hash table. Multiply this number by 128B to get the table size.
  - Pointer to the next hash table.
- Example: 0x20 = 32 entries, so the total size of the hash table is 32*128B = 4KB.
  Next hash table at 0x 00 01 80 00.
INDEX.DAT FILE HEADER
- Activity flag: 40 03 6C DA
- Activity record pointer: 00 03 48 00
- Go to that location (00 03 48 00).

INDEX.DAT FILE: ACTIVITY RECORD
- Type field (4B): REDR, URL, or LEAK
- Length field (4B): multiply with 0x80
- Data field
INDEX.DAT FILE: URL ACTIVITY RECORD
- Represents a website visited
- Record length (4B)
- Time stamps (8B each):
  - starting at offset +8 in the activity record: last modified
  - starting at offset +16 in the activity record: last accessed
- Organized like file MAC times.

INDEX.DAT FILE: REDR ACTIVITY RECORD
- Subject's browser redirected to another site
- Same type, length, and data format
- Followed by the URL at offset 16 in the activity record

INDEX.DAT FILE: LEAK ACTIVITY RECORD
- Same as URL

INDEX.DAT FILE: DELETED RECORDS
- Will not show up when consulting IE history, but are often still there.
- "Delete history" does not rewrite the history file.
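The header, hash table and activity record layout described on the slides above, put together as a small walker. This is an added example, not code from the course or from any of the tools listed; the sample file it builds is constructed (offsets, hash values, URLs and timestamps are invented). One field goes beyond the slides and is an assumption: that a v5.2 URL record stores the offset of its URL string, relative to the record start, in a 4-byte field at +0x34. The final step scans every 128-byte boundary for record markers and compares the result with what the hash tables reference, which is how a record that "Delete history" dropped from the hash table but never overwrote shows up.

```python
"""Minimal index.dat (MSIECF) walker following the fields the slides describe.
Sample file is constructed; the +0x34 URL-offset field is an assumption."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK = 0x80                       # hash tables and records are sized in 128-byte blocks
RECORD_TYPES = (b"URL ", b"REDR", b"LEAK")


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def cstring(buf, off):
    """Null-terminated ASCII string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("ascii")


def parse_header(buf):
    """Version string, then file size (at 0x1C) and hash table location (bytes 0x20-0x23)."""
    size, hash_off = struct.unpack_from("<II", buf, 0x1C)
    return {"version": cstring(buf, 0), "size": size, "hash_table": hash_off}


def hash_table_record_offsets(buf, first_table):
    """Follow the chain of HASH tables and yield every record offset they point to."""
    off, seen = first_table, set()
    while off and off not in seen:                 # 0 = no next table; 'seen' stops loops
        seen.add(off)
        if buf[off:off + 4] != b"HASH":
            raise ValueError(f"expected HASH marker at {off:#x}")
        nblocks, next_table = struct.unpack_from("<II", buf, off + 4)
        # (hash, record offset) pairs follow the 16-byte table header
        for entry in range(off + 16, off + nblocks * BLOCK, 8):
            _, rec_off = struct.unpack_from("<II", buf, entry)
            if rec_off:                            # constructed convention: 0 = unused slot
                yield rec_off
        off = next_table


def parse_record(buf, off):
    """Type (4B), length in 0x80 blocks (4B), then the type-specific layout."""
    rtype = buf[off:off + 4]
    nblocks = struct.unpack_from("<I", buf, off + 4)[0]
    rec = {"offset": off, "type": rtype.decode().strip(), "length": nblocks * BLOCK}
    if rtype in (b"URL ", b"LEAK"):               # LEAK uses the same layout as URL
        last_mod, last_acc = struct.unpack_from("<QQ", buf, off + 8)   # at +8 and +16
        rec["last_modified"] = filetime_to_datetime(last_mod)
        rec["last_accessed"] = filetime_to_datetime(last_acc)
        url_off = struct.unpack_from("<I", buf, off + 0x34)[0]        # assumed field
        rec["url"] = cstring(buf, off + url_off)
    elif rtype == b"REDR":
        rec["url"] = cstring(buf, off + 16)       # URL at offset 16 of the record
    return rec


def carve_records(buf):
    """Scan every block boundary for a record marker: finds records that no hash
    table references any more, i.e. history that was 'deleted' but not overwritten."""
    return [off for off in range(0, len(buf), BLOCK) if buf[off:off + 4] in RECORD_TYPES]


def analyze(buf):
    hdr = parse_header(buf)
    live = [parse_record(buf, o) for o in hash_table_record_offsets(buf, hdr["hash_table"])]
    referenced = {r["offset"] for r in live}
    orphaned = [parse_record(buf, o) for o in carve_records(buf) if o not in referenced]
    return hdr, live, orphaned


def build_sample():
    """Constructed 4 KiB index.dat: one hash table referencing a URL and a REDR record,
    plus one URL record that nothing references (a deleted entry)."""
    buf = bytearray(0x1000)
    buf[0:28] = b"Client UrlCache MMF Ver 5.2\x00"
    struct.pack_into("<II", buf, 0x1C, len(buf), 0x400)
    buf[0x400:0x404] = b"HASH"
    struct.pack_into("<II", buf, 0x404, 2, 0)      # 2 blocks = 256 bytes, no next table
    struct.pack_into("<IIII", buf, 0x410, 0x1111, 0x800, 0x2222, 0x900)
    ts = datetime_to_filetime(datetime(2013, 1, 15, 12, 0, tzinfo=timezone.utc))

    def url_record(off, url):
        buf[off:off + 4] = b"URL "
        struct.pack_into("<IQQ", buf, off + 4, 2, ts, ts + 10_000_000)  # accessed 1 s later
        struct.pack_into("<I", buf, off + 0x34, 0x68)
        buf[off + 0x68:off + 0x68 + len(url) + 1] = url.encode() + b"\x00"

    url_record(0x800, "http://example.test/index.html")
    buf[0x900:0x904] = b"REDR"
    struct.pack_into("<I", buf, 0x904, 1)
    redirect = b"http://example.test/login\x00"
    buf[0x910:0x910 + len(redirect)] = redirect
    url_record(0xA00, "http://deleted.example.test/")      # not in the hash table
    return bytes(buf)


if __name__ == "__main__":
    header, live, orphaned = analyze(build_sample())
    print(header)
    for rec in live + orphaned:
        print("live" if rec in live else "orphaned", rec)
```

On a real file the same walk applies to the Temporary Internet Files and History copies of index.dat; the difference between `live` and `orphaned` is the set of entries the browser's own history view will not show.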
Computer Forensics, 2013
INTERNET EXPLORER ARTIFACTS (CONTINUED)

INDEX.DAT ARTIFACTS
- IE artifacts are created by the WinInet API.
- Often, malware uses the same API.
- If it runs at administrator level: entries in index.dat for the "Default User" or "LocalService" account.

IE FAVORITES
- Located in %USERPROFILE%\Favorites
- Each favorite is a file with MAC times.

COOKIES
- Cookie files generated in:
  - Documents and Settings\%username%\cookies
  - Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
- Can be inspected directly or by using Galleta.
- Time stamps: can be from the issuing site; more likely created by JavaScript (giving local time).

CACHES
- Stored in system-type-specific directories.
FIREFOX
- Stores data in SQLite 3 databases; open tools exist to access them.
- Firefox stores data in a user-specific profile directory. The folder contains profiles.ini, which lists the various profile folders.
- Important files:
  - formhistory.sqlite
  - downloads.sqlite
  - cookies.sqlite
  - places.sqlite

FIREFOX: CACHE
- The cache directory contains numbered files in binary format.
- Tools: NirSoft, Woanware

FIREFOX: SESSIONSTORE.JS
- If Firefox is not terminated properly, it is used to restore the browsing session.
- Content: JSON objects (use a JSON viewer).
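A JSON viewer shows the structure; what an examiner usually wants from sessionstore.js is the flat list of pages each tab had loaded and which one was on screen. This added example (not code from the course) does that walk. The sample document is constructed: the windows -> tabs -> entries nesting and the url, title, index, _closedTabs and session.lastUpdate keys follow Firefox's session format as I know it, which the slide does not spell out, and the values are invented.

```python
"""Flatten a Firefox sessionstore.js into per-tab history entries.
Sample document constructed; key names assumed from Firefox's session format."""
import json
from datetime import datetime, timedelta, timezone

SAMPLE_SESSIONSTORE = json.dumps({
    "windows": [{
        "tabs": [
            {"index": 2, "entries": [                 # index is 1-based: entry 2 is on screen
                {"url": "http://example.test/", "title": "Example"},
                {"url": "http://example.test/login", "title": "Login"}]},
            {"index": 1, "entries": [
                {"url": "http://mail.example.test/inbox", "title": "Inbox"}]},
        ],
        "_closedTabs": [{"state": {"index": 1, "entries": [
            {"url": "http://files.example.test/share", "title": "Share"}]}}],
        "selected": 1,
    }],
    "session": {"state": "running", "lastUpdate": 1362389400000},   # ms since 1970 UTC
})


def _tab_entries(window_no, tab_no, tab, closed):
    entries = tab.get("entries", [])
    current = tab.get("index", len(entries)) - 1          # position the tab was showing
    return [{"window": window_no, "tab": tab_no, "pos": i, "url": e.get("url"),
             "title": e.get("title"), "current": i == current, "closed": closed}
            for i, e in enumerate(entries)]


def session_urls(text):
    """Every URL in every open or recently closed tab, with its back/forward position."""
    state = json.loads(text)
    rows = []
    for w, window in enumerate(state.get("windows", [])):
        for t, tab in enumerate(window.get("tabs", [])):
            rows.extend(_tab_entries(w, t, tab, closed=False))
        for t, closed in enumerate(window.get("_closedTabs", [])):
            rows.extend(_tab_entries(w, t, closed.get("state", {}), closed=True))
    return rows


def displayed_urls(text):
    """Only the pages that were on screen in open tabs: what the user was looking at
    when the session was last written."""
    return [r["url"] for r in session_urls(text) if r["current"] and not r["closed"]]


def last_update(text):
    """When Firefox last wrote the session, as a UTC datetime (None if absent)."""
    ms = json.loads(text).get("session", {}).get("lastUpdate")
    if ms is None:
        return None
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


if __name__ == "__main__":
    print("last written:", last_update(SAMPLE_SESSIONSTORE))
    for row in session_urls(SAMPLE_SESSIONSTORE):
        print(row)
```

The back/forward entries behind the current page are the part a plain viewer makes easy to overlook: they record pages the user navigated away from, and closed tabs keep their entries until the list is pruned.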
CHROME
- Uses a system-type-dependent directory location.
- Uses SQLite:
  - Cookies
  - History: tables downloads, urls, visits. Time values stored in seconds since Jan 1, 1601 UTC.
  - Login Data
  - Web Data (autofill)
  - Thumbnails (of websites visited)
- Chrome bookmarks: file with JSON objects.

CHROME: CACHE
- index file
- four number files data_0, .., data_3
- f_(six hex digits) files
- Creation time of the f_ files can be correlated with data from the history database.
- No open-source tools.
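The urls/visits/downloads tables and the 1601 epoch from the CHROME slide, worked through on a constructed History database. This is an added example, not code from the course: the schema is a reduced subset of Chrome's real tables and every row is invented. The slide gives the epoch; the tick unit is a parameter because the History database actually stores microsecond counts since 1601-01-01 UTC (a detail of the real schema, not from the slide), while the slide quotes seconds. The join of visits to urls gives the timeline, and the download query is the "correlate file creation time with the history database" step from the cache slide, done against the downloads table.

```python
"""Walk a Chrome History database and convert its 1601-epoch times.
Schema is a constructed subset of Chrome's tables; rows are invented."""
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_datetime(raw, unit="us"):
    """raw ticks since 1601-01-01 UTC; unit 'us' (History database) or 's' (slide)."""
    micros = raw if unit == "us" else raw * 1_000_000
    return CHROME_EPOCH + timedelta(microseconds=micros)


def datetime_to_chrome_time(dt):
    """Inverse for the microsecond unit, done in integers to avoid float rounding."""
    d = dt - CHROME_EPOCH
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def build_sample_history():
    """Constructed in-memory History database with three visits and one download."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, received_bytes INTEGER);
    """)
    t0 = datetime_to_chrome_time(datetime(2013, 3, 4, 9, 30, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "http://example.test/", "Example", 2, t0 + 60_000_000),
        (2, "http://example.test/download", "Download", 1, t0 + 30_000_000),
    ])
    con.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [
        (1, 1, t0, 0),                    # landing page
        (2, 2, t0 + 30_000_000, 1),       # reached from visit 1, 30 s later
        (3, 1, t0 + 60_000_000, 2),       # back to the landing page
    ])
    con.execute("INSERT INTO downloads VALUES (?, ?, ?, ?)",
                (1, r"C:\Users\user\Downloads\setup.exe", t0 + 35_000_000, 1024))
    return con


def visit_timeline(con):
    """Every visit in time order, joined to its URL and title, with UTC timestamps."""
    rows = con.execute("""
        SELECT v.visit_time, u.url, u.title, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time""").fetchall()
    return [(chrome_time_to_datetime(t).isoformat(), url, title, from_visit)
            for t, url, title, from_visit in rows]


def downloads_in_window(con, start, end):
    """Downloads started in [start, end), to tie a file on disk back to the visits
    around it. start and end are timezone-aware datetimes."""
    rows = con.execute(
        "SELECT target_path, start_time, received_bytes FROM downloads "
        "WHERE start_time >= ? AND start_time < ? ORDER BY start_time",
        (datetime_to_chrome_time(start), datetime_to_chrome_time(end))).fetchall()
    return [(path, chrome_time_to_datetime(t).isoformat(), n) for path, t, n in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for row in visit_timeline(db):
        print(*row)
    print(downloads_in_window(db, CHROME_EPOCH, datetime.now(timezone.utc)))
```

On a live profile the History file is locked while Chrome runs, so the query is run against a copy; the from_visit column is what lets the timeline show which page led to the download.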
SAFARI
- History in History.plist; times stored as MacAbsoluteTime (seconds since January 1, 2001 GMT).
- Use Safari Forensics Tools (SFT) for scanning.
- Downloads.plist
- Bookmarks.plist
- Cookies.plist

SAFARI: CACHE
- Cache information in the Cache.db SQLite3 database:
  - cfurl_cache_response (URL)
  - cfurl_cache_blob_data (actual cached data)
- LastSession.plist
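The MacAbsoluteTime conversion from the SAFARI slide, applied to a History.plist read with the standard library's plistlib. This is an added example, not code from the course or from SFT. The plist it builds is constructed: the WebHistoryDates array of dictionaries, the empty-string key for the URL and the lastVisitedDate string are assumptions about the History.plist layout that the slide does not give, and the values are invented.

```python
"""Read a Safari History.plist and convert MacAbsoluteTime to UTC datetimes.
Sample plist constructed; its key layout is assumed, not taken from the slides."""
import plistlib
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # MacAbsoluteTime zero point


def mac_absolute_to_datetime(seconds):
    """Seconds since 2001-01-01 UTC (stored as a string in the plist) to a datetime."""
    return MAC_EPOCH + timedelta(seconds=float(seconds))


def datetime_to_mac_absolute(dt):
    return (dt - MAC_EPOCH).total_seconds()


def build_sample_history_plist():
    """Constructed History.plist as XML bytes, two visited pages."""
    return plistlib.dumps({
        "WebHistoryFileVersion": 1,
        "WebHistoryDates": [
            {"": "http://example.test/", "title": "Example",
             "lastVisitedDate": "384168600", "visitCount": 3},
            {"": "http://example.test/login", "title": "Login",
             "lastVisitedDate": "384165000.25", "visitCount": 1},
        ],
    })


def history_entries(blob):
    """Entries newest first, with the visit time converted to UTC."""
    data = plistlib.loads(blob)
    entries = []
    for item in data.get("WebHistoryDates", []):
        entries.append({
            "url": item.get(""),                      # assumed: URL is under the empty key
            "title": item.get("title"),
            "visit_count": item.get("visitCount", 0),
            "last_visited": mac_absolute_to_datetime(item.get("lastVisitedDate", 0)),
        })
    return sorted(entries, key=lambda e: e["last_visited"], reverse=True)


if __name__ == "__main__":
    for entry in history_entries(build_sample_history_plist()):
        print(entry["last_visited"].isoformat(), entry["visit_count"], entry["url"])
```

The same epoch applies to the other .plist artifacts on the slide; a value that looks about 978 million seconds too small when read as Unix time is the usual sign that it is MacAbsoluteTime.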
OUTLOOK ARTIFACTS

OUTLOOK
- Storage format is PST; OST is used for offline storage of email.
- PST format information at msdn.microsoft.com/en-us/library/ff385210.aspx