
Internet Artifacts


Presentation Transcript


  1. Computer Forensics: Internet Artifacts

  2. Browsers
  Browsers leave behind:
  • Caches
  • Cookies
  • Browser settings (favorites, history)
  • Erasing history does not always erase the entries created; it only changes what the browser displays.

  3. Internet Explorer: index.dat
  • Located in:
    • c:\documents and settings\user\local settings\temporary internet files\
    • c:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
  • Stored in the MS IE Cache File (MSIECF) format

  4. Internet Explorer: tools
  Investigate IE index.dat with:
  • Pasco, from Foundstone
  • Metz: the libmsiecf project at SourceForge
  • Ishigaki: the Win32::URLCache Perl module

  5. Index.dat Analysis
  Keith J. Jones, Foundstone: http://www.foundstone.com/pdf/wp_index_dat.pdf

  6. index.dat file header
  • Null-terminated version string.
  • Followed by the file size: the bytes 0x 00 80 00 00 on disk are read little-endian as 0x 00 00 80 00, i.e. 32768.

  7. index.dat file header
  • Bytes 0x20 – 0x23: location of the hash table.
  • The hash table is used to store the actual entries.
  • Go to byte 0x 00 00 40 00.

  8. index.dat file header
  • Beginning of the hash table

  9. index.dat file header: History

  10. index.dat file header: History
  • Size: 0x00394000 = 3751936
  • Hash table: 0x00005000
  • Directories: (null-terminated, 0x50)

  11. index.dat file: Hash table

  12. index.dat file: Hash table
  • There can be several hash tables; each one contains a pointer to the next one.
  • Fields in a hash table:
    • Magic marker "HASH"
    • 4B number of entries in the hash table; multiply this number by 128B to get the table size
    • Pointer to the next hash table

  13. index.dat file: Hash table
  • 0x20 = 32 entries, so the total size of the hash table is 32*128B = 4KB
  • Next hash table at 0x 00 01 80 00

  14. index.dat file header
  • Activity flag: 40 03 6C DA
  • Activity record pointer: 00 03 48 00
  • Go to 00 03 48 00

  15. index.dat file header
  Go to that location:

  16. index.dat file header: Activity record
  • Type field (4B): REDR, URL, or LEAK
  • Length field (4B): multiply by 0x80
  • Data field

  17. index.dat file header: URL activity record
  • Represents a website visited
  • Record length (4B)
  • Time stamps:
    • 8B starting at offset +8 in the activity record: last modified
    • 8B starting at offset +16 in the activity record: last accessed
    • Organized like file MAC times.

  18. index.dat file header: REDR activity record
  • The subject's browser was redirected to another site
  • Same type, length, and data format
  • Followed by the URL at offset 16 in the activity record

  19. index.dat file header: LEAK activity record
  • Same as URL

  20. index.dat file header: Deleted records
  • Will not show up when consulting IE history.
  • But often still there.
  • "Delete history" does not rewrite the history file.
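As an added example (not code from the slides or from any of the tools they name), the following Python walks an index.dat-style file the way slides 6 to 20 describe it: it reads the hash-table pointer at 0x20, follows the HASH chain to the referenced activity records, decodes the URL/LEAK FILETIMEs at +8 and +16, and then carves every block-aligned record to list those no hash table references any more, which is why entries survive "Delete history". It assumes the file size sits at 0x1C and that hash entries are 8-byte (flag, record pointer) pairs starting 16 bytes into the table; the image it parses is constructed in memory, not a real index.dat.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                                        # records and hash tables are sized in 128B blocks
TYPES = (b"URL ", b"REDR", b"LEAK")                 # activity record type markers (slide 16)
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME epoch, 100 ns ticks

def filetime_to_dt(ft):
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)
def parse_record(data, off):
    """4B type, 4B length in blocks; URL/LEAK carry FILETIMEs at +8 (modified) and +16 (accessed)."""
    rtype, nblocks = struct.unpack_from("<4sI", data, off)
    rec = {"offset": off, "type": rtype.decode().strip(), "length": nblocks * BLOCK}
    if rtype in (b"URL ", b"LEAK"):
        modified, accessed = struct.unpack_from("<QQ", data, off + 8)
        rec["modified"], rec["accessed"] = filetime_to_dt(modified), filetime_to_dt(accessed)
    return rec

def walk_hash_tables(data):
    """Follow the HASH chain from the header pointer at 0x20 and yield every referenced record offset."""
    (hash_off,) = struct.unpack_from("<I", data, 0x20)
    seen = set()                                    # guards against a corrupt, cyclic chain
    while hash_off and hash_off not in seen:
        seen.add(hash_off)
        magic, nblocks, next_off = struct.unpack_from("<4sII", data, hash_off)
        if magic != b"HASH":
            raise ValueError(f"no HASH marker at {hash_off:#x}")
        # assumption: 8-byte (flag, record pointer) pairs start 16 bytes into the table
        for pos in range(hash_off + 16, hash_off + nblocks * BLOCK, 8):
            (ptr,) = struct.unpack_from("<4xI", data, pos)
            if ptr and data[ptr:ptr + 4] in TYPES:
                yield ptr
        hash_off = next_off

def carve_records(data):                            # block-aligned signature scan, hash table ignored
    return [parse_record(data, off) for off in range(0, len(data) - 8, BLOCK) if data[off:off + 4] in TYPES]
def find_deleted(data):                             # present on disk, unreferenced by any hash table (slide 20)
    live = set(walk_hash_tables(data))
    return [r for r in carve_records(data) if r["offset"] not in live]

def build_sample():
    """Constructed image: header, one hash table, two live URL records, one orphaned LEAK record."""
    data = bytearray(0x800)
    data[0:0x1C] = b"Client UrlCache MMF Ver 5.2\x00"                # null-terminated version string
    struct.pack_into("<II", data, 0x1C, len(data), 0x100)          # assumption: size at 0x1C, hash ptr at 0x20
    struct.pack_into("<4sII", data, 0x100, b"HASH", 1, 0)          # one 128B table, no next table
    struct.pack_into("<IIII", data, 0x110, 1, 0x200, 1, 0x300)     # two entries pointing at live records
    t = int((datetime(2013, 1, 1, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10_000_000
    for off, rtype in ((0x200, b"URL "), (0x300, b"URL "), (0x400, b"LEAK")):
        struct.pack_into("<4sIQQ", data, off, rtype, 1, t, t + 36_000_000_000)  # accessed 1 h later
    return bytes(data)
```

Running `find_deleted(build_sample())` returns only the LEAK record at 0x400, the one the hash table no longer points to.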

  21. Computer Forensics, 2013: Internet Explorer Artifacts (continued)

  22. Index.dat artifacts
  • IE artifacts are created by the WinInet API
  • Often, malware uses the same API
  • If it runs at administrator level: entries appear in the index.dat for the "Default User" or "LocalService" account

  23. IE Favorites
  • Located in %USERPROFILE%\Favorites
  • Each favorite is a file with MAC times

  24. Cookies
  • Cookie files are generated in:
    • Documents and Settings\%username%\Cookies
    • Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
  • Can be inspected directly or by using Galleta
  • Time stamps:
    • Can be from the issuing site
    • More likely, created by JavaScript (giving local time)

  25. Caches
  • Stored in system-type-specific directories

  26. Computer Forensics 2013: Firefox

  27. Firefox
  • Stores data in SQLite 3 databases
  • Open tools are available to access them
  • Firefox stores them in a user-specific profile directory
  • That folder contains profiles.ini
  • profiles.ini lists the various profile folders
  • Important files:
    • formhistory.sqlite
    • downloads.sqlite
    • cookies.sqlite
    • places.sqlite

  28. Firefox: Cache
  • The cache directory contains numbered files in binary format
  • Tools: NirSoft, Woanware

  29. Firefox: sessionstore.js
  • Written if Firefox is not terminated properly
  • Used to restore the browsing session
  • Content: JSON objects (use a JSON viewer)

  30. Computer Forensics 2013: Chrome

  31. Chrome
  • Uses a system-type-dependent directory location
  • Uses SQLite:
    • Cookies
    • History: tables downloads, urls, visits
      • Time values stored in seconds since Jan 1, 1601 UTC
    • Login Data
    • Web Data (autofill)
  • Thumbnails (of websites visited)
  • Chrome bookmarks: a file with JSON objects

  32. Chrome: Cache
  • index file
  • four numbered files data_0, .., data_3
  • f_(six hex digits) files
  • Creation time of the f_ files can be correlated with data from the history database
  • No open source tools

  33. Computer Forensics, 2013: Safari

  34. Safari
  • History in History.plist
    • Times stored as MacAbsoluteTime (seconds since January 1, 2001 GMT)
    • Use Safari Forensics Tools (SFT) for scanning
  • Downloads.plist
  • Bookmarks.plist
  • Cookies.plist

  35. Safari
  • Cache information in Cache.db, a SQLite3 database:
    • cfurl_cache_response (URL)
    • cfurl_cache_blob_data (actual cached data)
  • LastSession.plist

  36. Computer Forensics 2013: Outlook Artifacts

  37. Outlook
  • Storage format is PST
  • OST for offline storage of email
  • PST format information at msdn.microsoft.com/en-us/library/ff385210.aspx
