Web Forensics Matthew M. Kimball
Overview
• Purpose
• Where & How Data Is Stored
• Private Browsing
• Where Else to Look
Purpose
• Reconstruct suspect’s browsing
  • Cyberstalking
  • Cyberterrorism
  • Child Pornography
  • Fraud
  • IP Theft
  • Cracks, Patches, Torrents
Where
• Obvious
  • Cache / Temporary Internet Files
  • Cookies
  • Favorites
  • History
• Less Obvious
  • DNS Cache
  • Plug-ins
  • More to come…
Profiles
• Profiles can be moved.
• Profile ‘owner’ doesn’t indicate guilt.
• Share passwords?
Internet Explorer
• index.dat files
  • Cookies, History, & Temp
• Stores:
  • Timestamps
  • Headers
  • Visited URLs
  • Cached pages
  • …in a binary format
• View cache…see what they saw
Firefox
• *.sqlite
• about:cache
  • Memory
  • Disk
  • Offline
• “Deleted” favorites are recoverable
  • Firefox automatically backs up favorites
  • Backups are not deleted when clearing data
Firefox
• about:cache
• browser.cache.disk.enable = false disables disk caching.
Firefox
• about:cache
• disk cache
Firefox
• MozillaCacheView
Firefox
• MozillaHistoryView
• High visit count = intent = guilty
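MozillaHistoryView reads the visit counts from Firefox’s places.sqlite. The following is an added example, not code from the slides or from NirSoft: it builds a constructed in-memory stand-in for places.sqlite (a reduced subset of the real moz_places and moz_historyvisits tables, with made-up rows) and reports each URL’s visit count together with a breakdown by Firefox transition type, so that a count inflated by embeds or redirects can be told apart from visits the user typed.

```python
import sqlite3
from datetime import datetime, timezone

# Firefox Places transition types stored in moz_historyvisits.visit_type.
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_perm", 6: "redirect_temp", 7: "download",
               8: "framed_link", 9: "reload"}

def prtime_to_iso(prtime):
    """Firefox stores PRTime: microseconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).isoformat()

def build_sample_db():
    """Constructed stand-in for places.sqlite (schema subset, made-up data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
    """)
    base = 1_700_000_000_000_000  # constructed PRTime: 2023-11-14T22:13:20Z
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://example.org/", "Example", 3, base + 2_000_000),
        (2, "https://ads.example.net/pixel", "", 40, base + 3_000_000),
    ])
    # Place 1: two typed visits and one link click. Place 2: forty embeds
    # (tracking pixel loaded by other pages), never navigated to directly.
    visits = [(1, base, 2), (1, base + 1_000_000, 1), (1, base + 2_000_000, 2)]
    visits += [(2, base + i * 10, 4) for i in range(40)]
    conn.executemany("INSERT INTO moz_historyvisits (place_id, visit_date, visit_type)"
                     " VALUES (?,?,?)", visits)
    return conn

def history_report(conn):
    """Per-URL visit count, last visit (ISO 8601 UTC) and visits by type,
    ordered by visit_count descending."""
    rows = conn.execute("""
        SELECT p.url, p.visit_count, p.last_visit_date, v.visit_type, COUNT(*)
        FROM moz_places p JOIN moz_historyvisits v ON v.place_id = p.id
        GROUP BY p.id, v.visit_type ORDER BY p.visit_count DESC, p.id
    """).fetchall()
    report = {}
    for url, count, last, vtype, n in rows:
        entry = report.setdefault(url, {"visit_count": count,
                                        "last_visit": prtime_to_iso(last),
                                        "by_type": {}})
        entry["by_type"][VISIT_TYPES.get(vtype, f"unknown({vtype})")] = n
    return report
```

Against a real profile, replace build_sample_db() with sqlite3.connect() on a copy of places.sqlite; the report shows the pixel URL with the highest count but only embed visits, while the lower-count URL is the one actually typed.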
Opera
• cookies4.dat
• dcache4.url
  • Binary index of cache
• opr*.*
  • Cached files in same format as originals but missing extension
Opera
• opera:cache
What Is Really Meant By Private?
• "Incognito is designed to hide your browsing from your computer, not hide it from the Web," says Google engineer Sundar Pichai.
Incognito & InPrivate
• Still stores on HDD
• PC Inspector File Recovery
  • Recovered a lot but not Incognito or InPrivate data.
• Since it’s written to the drive…it’s recoverable
  • Maybe not with free software but likely with FTK.
Where Else To Look
• Downloads
  • Not deleted after using Incognito & InPrivate
  • Opera manages torrents
    • Mostly illegal…
• Clipboard
  • clipbrd.exe
• Extensions (Firefox)
Where Else To Look
• SharedObjects / Plug-ins
  • Tested & failed a break.com visit.
  • Must disable on Macromedia’s website.
  • Requires more work to delete.
DNS Cache
• Windows
  • ipconfig /displaydns
    • Lists websites even after clearing info stored by browsers.
  • ipconfig /flushdns
    • Clears DNS listings
• Mac
  • dscacheutil -cachedump -entries Host
  • dscacheutil -flushcache
HOSTS
• Maps host names to IP addresses.
• Redirect www.csus.edu to site containing illegal images
• Favorites addresses may be altered
• Compare with HOSTS files, caches, and current content on site.
DNS Cache
• Windows
  • Lists entries while using InPrivate & Incognito
RAM Disk
• Allows RAM to act like a hard drive
• Simply relocate where cache is stored
• Erased just like RAM
• Much more difficult to recover, if possible at all!
  • Unless it’s in swap or slack space
Still Can’t Find Anything?
• Recover deleted files
• Page files
• Opera: Group Project
• Slack space
• ISP logs
• Network & router logs
Tools
• Web Historian
• Pasco
• IE Historian
• FTK
• EnCase
Summary
• Prevents average users using the same computer from revealing your tracks…
• If it wasn’t bleached/shredded…they will find it on the hard drive…