Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics Internet Artifacts.

Similar presentations

Presentation on theme: "Computer Forensics Internet Artifacts."— Presentation transcript:

1 Computer Forensics Internet Artifacts

2 Browsers Leave behind: Caches Cookies
Browser settings (favorites, history) Erasing history does not always erase the entries created, only changes what browser displays

3 Internet Explorer Index.dat Located in In MS IE Cache File (MSIECF)
c:\documents and settings\user\local settings\temporary internet files\ c:\Users\user\AppDataLocal\Microsoft\Windows\Temporary Internet Files\ In MS IE Cache File (MSIECF)

4 Internet Explorer Investigate IE index.dat with Pasco from foundstone
Metz: libmsiecf project at sourceforge Ishigaki Win32::URLCache perl module

5 Index.dat Analysis Keith J. Jones Foundstone
Index.dat Analysis

6 index.dat file header Null terminated version string.
Followed by file size. 0x 0x (little endian conversion)  32768

7 index.dat file header Bytes 0x20 – 0x23: Location of hash table.
Hash table is used to store the actual entries. Go to byte 0x

8 index.dat file header Beginning of hash table

9 index.dat file header: History

10 index.dat file header: History
Size: 0x Hash Table: 0x Directories: (null-terminated, 0x50)

11 index.dat file Hash Table:

12 index.dat file Hash Table: Fields in Hash Table:
There can be several hash tables. Each one contains a pointer to the next one. Fields in Hash Table: Magic Marker “HASH” 4B Number of Entries in Hash table. Multiply this number by 128B Pointer to next hash table

13 index.dat file Hash Table:
20 entries  Total size of hash table is 32*128B = 4KB Next hash table at 0x

14 index.dat file header Activity flag 40 03 6C DA
Activity record pointer: Go to

15 index.dat file header Go to that location:

16 index.dat file header Activity Record Type field 4B: Length Field 4B:
REDR URL LEAK Length Field 4B: Multiply with 0x80 Data Field

17 index.dat file header URL Activity Record Represents website visited
Record Length (4B) Time stamps 8B starting at offset +8 in the activity record: Last Modified 8B starting at offset +16 in the activity record: Last accessed Organized like file MAC times.

18 index.dat file header REDR Activity Record
Subject’s browser redirected to another site Same Type, length, data format Followed by URL at offset 16 in activity record

19 index.dat file header LEAK activity record Same as URL

20 index.dat file header Deleted Records:
Will not show up when consulting IE history. But often still there. “Delete history” is not rewriting the history file.

21 Internet Explorer Artifacts (continued)
Computer Forensics, 2013 Internet Explorer Artifacts (continued)

22 Index.dat artifacts IE artifacts created by the WinInet API
Often, malware uses same API If at administrator level: Entries in index.dat for “Default User” or “LocalService” account

23 IE Favorites Located in Is a file with MAC times
%USERPROFILE%\Favorites Is a file with MAC times

24 Cookies Cookie files generated in
Documents and Settings\%username%\cookies Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies Can be inspected directly or by using galleta Time stamps: Can be from issuing site More likely, created by java-script (giving local time)

25 Caches Stored in system-type specific directories

26 Computer Forensics 2013 Firefox

27 FireFox Stores data in SQLite 3 databases
Open tools to access them Firefox stores in a user-specific profile directory Folder contains profiles.ini Profiles.ini contains various folders Important: Formhistory.sqlite Downloads.sqlite Cookies.sqlite Places.sqlite

28 Firefox Cache Cache directory contains numbered files in binary format
NirSoft, Woanware

29 Firefox sessionstore.js If firefox is not terminated properly
Used to restore browsing session Content: JSON objects (use JSON viewer)

30 Computer Forensics 2013 Chrome

31 Chrome Uses system-type dependent directory location Uses SQLite
Cookies History: tables downloads, urls, visits Time values stored in seconds since Jan 1, 1601 UTC Login Data Web Data (autofill) Thumbnails (of websites visited) Chrome bookmarks File with JSON objects

32 Chrome Cache index file four number files data_0, .., data_3
f_(six hex digits) files Creation time of f_files can be correlated with data from history data base No open source tools

33 Computer Forensics, 2013 Safari

34 SAFARI History in History.plist Downloads.plist Bookmarks.plist
times stored as MacAbsoluteTime (Seconds since January 1, 2001 GMT) Use Safari Forensics Tools (SFT) for scanning Downloads.plist Bookmarks.plist Cookies.plist

35 Safari Cache information in Cache.db SQLite3 database
cfurl_cache_response (URL) cfurl_cache_blob_data (actual cached data) LastSession.plist

36 Computer Forensics 2013 Outlook Artifacts

37 Outlook Storage format is PST
OST for offline storage of PST format information at aspx

Download ppt "Computer Forensics Internet Artifacts."

Similar presentations

Ads by Google