Internet Artifacts Dr. John Abraham Professor UTPA
Linux and Mac • Linux and Mac artifacts are given in chapters 6 and 7 • Students are encouraged to read these chapters.
Introduction • The bulk of user interaction now happens through the Internet • Application-specific artifacts created by web browsers provide important evidence
Internet Explorer (IE) • The index.dat file is a database file. • It is a repository of information such as web URLs, search queries and recently opened files. • Its purpose is to enable quick access to data used by Internet Explorer. • For example, every web address visited is stored in the index.dat file, allowing Internet Explorer to quickly find Autocomplete matches as the user types a web address. • The index.dat file is user-specific and is open as long as a user is logged on in Windows. • Separate index.dat files exist for the Internet Explorer history, cache, and cookies. • The index.dat file is never resized or deleted. A large index.dat file can impair performance. • Pasco can be used to view index.dat files. • Malware can make use of the WinInet API to infect computers. Entries are then made in the index.dat files for the default user or LocalService accounts.
Favorites • A user's favorites can provide information about the user's movement across the Internet.
Cookies • Cookies are saved as plain text files. • Galleta can display them in a formatted view. • A cookie has a creation time and expiration time, site name and other useful information.
Cache • The cache is created as a result of a user's browsing activities. Cached files are stored in Temporary Internet Files. • Cache records contain the URL location, times and file name.
Firefox • Mozilla's Firefox is the second most widely used browser. • Stores history in SQLite 3 databases in Firefox profiles. • Files of interest: formhistory.sqlite (contains data filled out to submit forms and webmail subject lines), downloads.sqlite, cookies.sqlite and places.sqlite (the user's browsing activity).
Firefox (2) • Cache • Saved session data – if Firefox is not terminated properly, a file named sessionstore.js is created. It is used to recover from a crash. • Bookmarks and backups
Mail artifacts • Personal storage table (PST) • Use Outlook to open it, or use one of the other tools available, such as http://www.nucleustechnologies.com/pst-viewer.html • Mbox and maildir • Local mail storage formats used by Linux. Both formats are plaintext. Mairix is a searching utility.