
Presentation transcript:

1 Computer Forensics

2 Leave behind:
- Caches
- Cookies
- Browser settings (favorites, history)
Erasing history does not always erase the entries created; it only changes what the browser displays

3 Index.dat
Located in:
- c:\documents and settings\user\local settings\temporary internet files\
- c:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Stored in the MS IE Cache File (MSIECF) format

4 Investigate IE index.dat with:
- Pasco, from Foundstone
- Metz: libmsiecf project at SourceForge
- Ishigaki: Win32::URLCache Perl module

5 Keith J. Jones Foundstone

6 Null-terminated version string, followed by the file size: 0x x (little-endian conversion) = 32768

7 Bytes 0x20–0x23: location of the hash table. The hash table stores the actual entries. Go to byte 0x

8 Beginning of hash table


10 Size: 0x
Hash Table: 0x
Directories: (null-terminated, 0x50)

11 Hash Table:

12 There can be several hash tables; each one contains a pointer to the next one.
Fields in a hash table:
- Magic marker "HASH" (4B)
- Number of entries in the hash table (4B); multiply this number by 128B
- Pointer to the next hash table

13 Hash Table: 20 entries
Total size of hash table is 32*128B = 4KB
Next hash table at 0x

14 Activity flag C DA
Activity record pointer: Go to

15 Go to that location:

16 Activity Record
- Type field (4B): REDR, URL, LEAK
- Length field (4B): multiply by 0x80
- Data field

17 URL Activity Record: represents a website visited
- Record length (4B)
- Time stamps: 8B starting at offset +8 in the activity record: last modified; 8B starting at offset +16 in the activity record: last accessed
- Organized like file MAC times

18 REDR Activity Record: the subject's browser was redirected to another site
- Same type, length and data format
- Followed by the URL at offset 16 in the activity record

19 LEAK activity record: same as URL

20 Deleted Records: will not show up when consulting IE history, but are often still there.
Deleting history does not rewrite the history file.

21 Computer Forensics, 2013

22 IE artifacts are created by the WinInet API
- Often, malware uses the same API
- If at administrator level: entries in index.dat for the Default User or LocalService account

23 Located in %USERPROFILE%\Favorites
Each favorite is a file with MAC times

24 Cookie files generated in:
- Documents and Settings\%username%\cookies
- Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
Can be inspected directly or by using Galleta
Time stamps: can be from the issuing site; more likely, created by JavaScript (giving local time)

25 Stored in system-type-specific directories


27 Stores data in SQLite 3 databases; open tools exist to access them
Firefox stores them in a user-specific profile directory
- The folder contains profiles.ini
- profiles.ini lists the various profile folders
Important:
- formhistory.sqlite
- downloads.sqlite
- cookies.sqlite
- places.sqlite

28 Cache: the cache directory contains numbered files in binary format
Tools: NirSoft, Woanware

29 sessionstore.js
- Written if Firefox is not terminated properly
- Used to restore the browsing session
- Content: JSON objects (use a JSON viewer)


31 Uses a system-type-dependent directory location
Uses SQLite:
- Cookies
- History: tables downloads, urls, visits; time values stored in seconds since Jan 1, 1601 UTC
- Login Data
- Web Data (autofill)
Thumbnails (of websites visited)
Chrome bookmarks: file with JSON objects

32 Cache:
- index file
- four number files data_0, .., data_3
- f_(six hex digits) files
Creation time of the f_ files can be correlated with data from the History database
No open source tools


34 History in History.plist; times stored as MacAbsoluteTime (seconds since January 1, 2001 GMT)
Use Safari Forensics Tools (SFT) for scanning
- Downloads.plist
- Bookmarks.plist
- Cookies.plist

35 Cache information in Cache.db (SQLite3 database):
- cfurl_cache_response (URL)
- cfurl_cache_blob_data (actual cached data)
LastSession.plist


37 Storage format is PST; OST is used for offline storage
PST format information at msdn.microsoft.com/en-us/library/ff aspx
