Published by Άμωσις Σπανού. Modified over 6 years ago.
Browsers and
"Of course, the best way to get accurate information on the Internet is to post something wrong and wait for corrections."
In This Lecture
Browser artifacts: Internet Explorer, Firefox, Chrome
Investigation: Outlook
Internet and Host Forensics
Most users make extensive use of internet-connected software and services, and tricking users into clicking malicious links remains one of the most widely used initial-access vectors. Analyzing the internet history on a suspect's machine helps reconstruct their actions and intentions from the websites they visited and the files they downloaded.
Internet Explorer
Default browser in Microsoft Windows (Windows 10 ships Edge as the default, but IE11 remains installed). Currently on version 11; many older versions persist in the wild. The exact storage locations, on-disk structures and types of artifacts vary with the combination of MSIE version and Windows version, so establish both before looking for artifacts.
Internet Explorer
Accounts for roughly 7-8% of browser use (figures from when this lecture was written). MSIE has enough market share that it is worth an examiner's time to understand, even though most people know it as "the program that downloads Chrome". Personal observation: the people who prefer MSIE are the people most likely to generate forensic artifacts for you to examine.
MSIE History
Allows an investigator to profile system users and track their activities. Windows defaults to keeping 20 days of history. The configured value is the "DaysToKeep" value in the Software registry hive under \Microsoft\Windows\CurrentVersion\Internet Settings\Url. Comparing it against the oldest entry found can indicate that the user cleared their browsing history, or that the history recovered is the maximum retained. From IE10 / Windows 8 onward, history is stored in the ESE database <SystemPartition>\Users\<Username>\AppData\Local\Microsoft\Windows\WebCache\WebCacheV#.dat
MSIE Cache
Contains files cached locally on the system as a result of a user's web browsing; local copies of web pages are stored to speed up browsing. Beginning with IE10 (Windows 8) the cache index (the old index.dat) moved into the WebCacheV#.dat file, and the old index location holds a 0-byte file. Cached content is still stored under:
<SystemPartition>\Users\<Username>\AppData\Local\Microsoft\Windows\INetCache\IE
<SystemPartition>\Users\<Username>\AppData\Local\Microsoft\Windows\Low\INetCache\IE
The "Low" tree is used when browsing runs at low integrity (Protected Mode) for security reasons.
MSIE WebCacheV#.dat
Newer format introduced with MSIE 10 alongside Windows 8. The # is a two-digit number that varies from system to system (commonly 01), but there will only ever be one file with this name on a system. Replaces the old cache and history index.dat files. Location: <SystemPartition>\Users\<Username>\AppData\Local\Microsoft\Windows\WebCache\
MSIE WebCacheV#.dat
This file is an Extensible Storage Engine (ESE) database, also called an EDB file. ESE is a common database engine used by many Microsoft applications such as Windows Search, Active Directory and Windows Mail. The libesedb project (esedbinfo, esedbexport) parses these files cross-platform; several Windows GUI viewers also exist. Caveat: a WebCacheV#.dat copied from a live system is usually in a "dirty shutdown" state, so copy the transaction logs (V01*.log) from the same directory and replay or repair the database (esentutl /r or /p, on a working copy) before expecting every record to be visible.
MSIE Favorites and Session Restore
Favorites: websites stored by the user for future use. Assist with identifying and profiling user activities. <SystemPartition>\Users\<Username>\Favorites
MSIE Favorites and Session Restore
Session restore: recovery mode to reopen tabs following a crash. Each open tab has a file describing the pages opened in that tab. Each file is OLE-structured (Microsoft's proprietary compound file format for storing structured data in a single file) and starts with the signature 0xD0CF11E0A1B11AE1. Location on Windows Vista, 7, 8 and 8.1: <SystemPartition>\Users\<Username>\AppData\Local\Microsoft\Internet Explorer\Recovery
Incognito Mode
Privacy modes are common to most modern browsers. Browsing data from a private session is kept in memory and not written to the browser's profile on disk, so it can still be recovered using memory forensics (and may leak into the pagefile or hibernation file). Some recovery files are written to disk but deleted when the session closes, so they can sometimes be carved from unallocated space. Files the user downloads and bookmarks the user creates during a private session persist normally.
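As an added example (not from the slides), here is a minimal signature-based carver for the OLE / Compound File header used by the IE recovery files. It scans a byte buffer for 0xD0CF11E0A1B11AE1 and keeps only hits whose header fields are internally consistent (byte-order mark 0xFFFE, version 3 with 512-byte sectors or version 4 with 4096-byte sectors), which filters out the stray signature matches that raw carving over unallocated space produces. The disk image it scans is constructed inside the code; the header offsets are those of the Compound File Binary format.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def parse_ole_header(buf, off):
    """Validate a Compound File Binary header at buf[off:]; return its fields or None."""
    hdr = buf[off:off + 512]
    if len(hdr) < 512 or hdr[:8] != OLE_MAGIC:
        return None
    # 0x18 minor version, 0x1A major version, 0x1C byte order, 0x1E sector shift,
    # 0x20 mini sector shift
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", hdr, 0x18)
    if byte_order != 0xFFFE:
        return None                      # not little-endian marker: false positive
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        return None                      # version/sector size pair is not one CFB allows
    # 0x2C number of FAT sectors, 0x30 first directory sector
    num_fat, first_dir = struct.unpack_from("<II", hdr, 0x2C)
    return {
        "offset": off,
        "version": major,
        "sector_size": 1 << sector_shift,
        "fat_sectors": num_fat,
        "first_dir_sector": first_dir,
    }


def carve_ole(buf):
    """Return the validated OLE headers found anywhere in buf."""
    hits = []
    start = 0
    while True:
        i = buf.find(OLE_MAGIC, start)
        if i < 0:
            break
        h = parse_ole_header(buf, i)
        if h:
            hits.append(h)
        start = i + 1
    return hits


def make_header(major=3, sector_shift=9, byte_order=0xFFFE):
    """Build a synthetic (constructed) CFB header for the sample image."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, major, byte_order, sector_shift, 6)
    struct.pack_into("<II", hdr, 0x2C, 1, 0)   # one FAT sector, directory at sector 0
    return bytes(hdr)


def sample_image():
    """Constructed 'unallocated space': two real headers and one bare decoy signature."""
    return (b"\x00" * 100 + make_header()             # valid v3 header at offset 100
            + b"\xAA" * 300 + OLE_MAGIC + b"\x00" * 600   # magic with garbage header: rejected
            + make_header(4, 12) + b"\xFF" * 50)      # valid v4 header at offset 1520


if __name__ == "__main__":
    for hit in carve_ole(sample_image()):
        print(hit)
```

On a real image, read the unallocated blocks in chunks that overlap by at least 512 bytes so a header straddling a chunk boundary is not missed.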
Mozilla Firefox
Open source browser from the Mozilla Foundation; the common default browser in Linux distributions such as Ubuntu. Accounts for roughly 9% of browser use (at the time of this lecture). Stores profile data in SQLite 3 databases under <SystemPartition>\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>. The Firefox directory contains profiles.ini and a Profiles subdirectory with one or more profiles. The cache is kept separately under <SystemPartition>\Users\<Username>\AppData\Local\Mozilla\Firefox\Profiles\<profile folder> (cache2 subdirectory in current versions).
Firefox profiles.ini
When Firefox starts it uses this file to determine which profile directory to read from. StartWithLastProfile=1 in the [General] section loads the last used profile; the [ProfileN] blocks that follow describe each profile (Name, Path, IsRelative, Default). Each profile directory has numerous subdirectories and files. SQLite 3 databases are denoted with the .sqlite extension.
SQLite: sqlite3
To open a SQLite 3 database: sqlite3 <database file> on the command line. Opens a sqlite> prompt. Useful dot-commands:
.headers on: add column headers to output
.tables: display all tables in the database
.schema <tablename>: display all fields in the table
.output <filename>: write output to the named file instead of the screen
Open evidence copies with sqlite3 -readonly <database file>, and copy any -wal and -journal files that sit next to the database, since the most recent writes may exist only there.
SQLite: sqliteman
Graphical program for interacting with SQLite databases and displaying results. Install: apt install sqliteman. Note: this and other standard tools can write to the database as well as read it, so always work with a hash-validated copy, never the original evidence.
Firefox Databases
formhistory.sqlite: stores data about form submission inputs such as search boxes and usernames. Includes names, addresses, phone numbers, webmail subject lines, search queries and usernames entered into forums.
downloads.sqlite: stores data about files handled by the Firefox Download Manager; allows the investigator to correlate items found on the file system with the URLs they originated from. Multimedia files handled by browser plug-ins and other items that only end up in the browser cache will not appear in this database. Newer Firefox versions no longer keep downloads.sqlite; download records live in places.sqlite (moz_annos).
Firefox Databases
cookies.sqlite: stores data about cookies. Lets you deduce the last time a user visited a site that set or requested a specific cookie, and whether the user was logged into a particular site. Stores: remote website (host), cookie name, creation time, last access time, connection type (secure or not), and the data stored by the website.
Firefox Databases
places.sqlite: stores the bulk of "Internet history" data and most data related to user activity. Usually of most interest are the URLs visited and the time of each visit.
Firefox places.sqlite
Contains: URL, first visit date/time, last visit date/time, visit count, referrer (from_visit in moz_historyvisits), title of the visited page.
Firefox places.sqlite
Contains the visit type (moz_historyvisits.visit_type), including: clicked link, typed URL, redirected, opened from bookmarks.
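As an added example (not from the slides), the following Python reconstructs the browsing timeline from places.sqlite by joining moz_historyvisits to moz_places and resolving each visit's referrer through from_visit. Firefox stores visit_date as PRTime (microseconds since the Unix epoch, UTC), and visit_type uses the TRANSITION_* codes mapped below. So that it runs offline, the code builds a constructed in-memory database with the same table and column names; the URLs and timestamps are invented.

```python
import sqlite3
from datetime import datetime, timezone

# moz_historyvisits.visit_type values (Firefox nsINavHistoryService TRANSITION_* constants)
VISIT_TYPES = {
    1: "LINK", 2: "TYPED", 3: "BOOKMARK", 4: "EMBED",
    5: "REDIRECT_PERMANENT", 6: "REDIRECT_TEMPORARY", 7: "DOWNLOAD",
    8: "FRAMED_LINK", 9: "RELOAD",
}


def prtime_to_iso(us):
    """Firefox PRTime: microseconds since 1970-01-01 UTC. NULL stays None."""
    if us is None:
        return None
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat()


# Subset of the real places.sqlite schema (only the columns the query uses).
SAMPLE_SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
    place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
"""


def build_sample_db():
    """Constructed sample: a typed URL, a clicked link, then a permanent redirect."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    t0 = 1_500_000_000_000_000  # 2017-07-14T02:40:00Z in PRTime
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://example.org/", "Example", 1, t0),
        (2, "https://example.org/files/tool.zip", "tool.zip", 1, t0 + 60_000_000),
        (3, "https://cdn.example.net/tool.zip", None, 1, t0 + 61_000_000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (10, 0, 1, t0, 2),                 # TYPED, no referrer (from_visit = 0)
        (11, 10, 2, t0 + 60_000_000, 1),   # LINK clicked from visit 10
        (12, 11, 3, t0 + 61_000_000, 5),   # REDIRECT_PERMANENT from visit 11
    ])
    conn.commit()
    return conn


# Self-join on from_visit turns the referring visit id into the referring URL.
QUERY = """
SELECT v.id, p.url, p.title, v.visit_date, v.visit_type, r.url AS referrer
FROM moz_historyvisits v
JOIN moz_places p ON p.id = v.place_id
LEFT JOIN moz_historyvisits rv ON rv.id = v.from_visit
LEFT JOIN moz_places r ON r.id = rv.place_id
ORDER BY v.visit_date
"""


def history_report(conn):
    """One dict per visit, oldest first, with decoded time, type and referrer."""
    rows = []
    for vid, url, title, visit_date, vtype, referrer in conn.execute(QUERY):
        rows.append({
            "visit_id": vid, "url": url, "title": title,
            "visited": prtime_to_iso(visit_date),
            "type": VISIT_TYPES.get(vtype, f"UNKNOWN({vtype})"),
            "referrer": referrer,
        })
    return rows


def open_readonly(path):
    """Open a working copy of places.sqlite so the tool cannot modify it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for row in history_report(build_sample_db()):
        print(row)
```

To run it against evidence, replace build_sample_db() with open_readonly("copy/of/places.sqlite") after copying places.sqlite together with any places.sqlite-wal file beside it.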
Firefox Saved Session Data and Extensions
If Firefox is not terminated properly, a "sessionstore.js" file will be present in the user's profile directory; Firefox uses it to restore the windows and tabs open before the shutdown. Content is stored as JSON, viewable in any text editor and easier to read in a dedicated JSON viewer. Current Firefox versions store this data as sessionstore-backups\recovery.jsonlz4 (and sessionstore.jsonlz4 after a clean exit), compressed with mozlz4 (an LZ4 block behind the "mozLz40\0" header), which must be decompressed before the JSON is readable.
Firefox Saved Session Data and Extensions
A manifest of installed extensions is in the user's profile directory in the "extensions.rdf" file, an XML document. Current versions use extensions.json instead.
Firefox Cache
Contains the following information about cached files: name, type, source URL, size, timestamps (last modified, last request, expiration time), and a count of how many times the file was served from cache.
Google Chrome
Browser developed by Google, built on the open-source Chromium project (Chrome itself is proprietary). Accounts for roughly 58% of browser share (at the time of this lecture); you probably know what Chrome is because you use it. Uses SQLite databases to store user data. Data is usually found under C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default (additional profiles appear as "Profile 1", "Profile 2", ... next to Default).
Chrome Cookies
SQLite database used to store all cookies: creation time, last access time, and the host the cookie is issued for. On Windows the cookie value itself sits in the encrypted_value column, protected with DPAPI (older versions) or with an AES key that is itself DPAPI-protected and stored in the Local State file (os_crypt.encrypted_key), so decryption needs the user's DPAPI master key.
Chrome History
Contains the majority of the user activity of interest.
Downloads table: tracks downloaded files, including the local path of the saved file (target_path), the remote URL (kept in the downloads_url_chains table in current versions, one row per redirect hop), and the time the download was initiated (start_time).
Chrome History
urls table and visits table: together they construct a view of user browsing activity. The id field of the urls table maps to the url field of the visits table (visits.url is a foreign key, not a string). To generate a report of browsing activity, join the two on that key and order by visits.visit_time. Note that Chrome timestamps are not Unix time: they are microseconds since 1601-01-01 00:00:00 UTC (WebKit/Chrome time), so divide by 1,000,000 and subtract 11644473600 seconds to get Unix time.
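As an added example (not from the slides), this Python builds the browsing and download reports from a Chrome History database: it joins visits to urls, converts WebKit timestamps, decodes the transition field (core type in the low byte, qualifier bits such as FROM_ADDRESS_BAR and SERVER_REDIRECT in the high bits), and resolves each download's final URL from downloads_url_chains. The table and column names are Chrome's; the database contents are constructed in the code so it runs offline.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_OFFSET_S = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01


def webkit_to_iso(us):
    """Convert a Chrome timestamp to ISO-8601 UTC; 0 or NULL means 'never'."""
    if not us:
        return None
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()


def unix_to_webkit(seconds):
    """Inverse conversion, used here only to build the constructed sample."""
    return (seconds + UNIX_EPOCH_OFFSET_S) * 1_000_000


# visits.transition: low byte = core type, high bits = qualifiers (Chromium PageTransition)
CORE_TRANSITIONS = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL", 7: "FORM_SUBMIT",
    8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}
QUALIFIERS = {
    0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR", 0x04000000: "HOME_PAGE",
    0x10000000: "CHAIN_START", 0x20000000: "CHAIN_END",
    0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT",
}


def decode_transition(value):
    core = CORE_TRANSITIONS.get(value & 0xFF, f"UNKNOWN({value & 0xFF})")
    quals = [name for bit, name in QUALIFIERS.items() if value & bit]
    return core, quals


SAMPLE_SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
    typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
    from_visit INTEGER, transition INTEGER, segment_id INTEGER, visit_duration INTEGER);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
    start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
"""


def build_sample_db():
    """Constructed sample: typed URL, link click, server redirect, one download."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    t0 = unix_to_webkit(1_500_000_000)  # 2017-07-14T02:40:00Z
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.org/", "Example", 1, 1, t0, 0),
        (2, "https://example.org/dl", "Download", 1, 0, t0 + 30_000_000, 0),
        (3, "https://cdn.example.net/tool.zip", "", 1, 0, t0 + 31_000_000, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", [
        (10, 1, t0, 0, 0x32000001, 0, 0),               # TYPED|FROM_ADDRESS_BAR|CHAIN_START|CHAIN_END
        (11, 2, t0 + 30_000_000, 10, 0x30000000, 0, 0),  # LINK, referrer = visit 10
        (12, 3, t0 + 31_000_000, 11, 0xA0000000, 0, 0),  # LINK|SERVER_REDIRECT|CHAIN_END
    ])
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?)",
                 (1, r"C:\Users\bob\Downloads\tool.zip", r"C:\Users\bob\Downloads\tool.zip",
                  t0 + 32_000_000, 4096, 4096))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://example.org/dl"), (1, 1, "https://cdn.example.net/tool.zip"),
    ])
    conn.commit()
    return conn


HISTORY_QUERY = """
SELECT v.id, u.url, u.title, v.visit_time, v.transition, r.url
FROM visits v
JOIN urls u ON u.id = v.url
LEFT JOIN visits rv ON rv.id = v.from_visit
LEFT JOIN urls r ON r.id = rv.url
ORDER BY v.visit_time
"""


def history_report(conn):
    out = []
    for vid, url, title, ts, transition, referrer in conn.execute(HISTORY_QUERY):
        core, quals = decode_transition(transition)
        out.append({"visit_id": vid, "url": url, "title": title,
                    "visited": webkit_to_iso(ts), "transition": core,
                    "qualifiers": quals, "referrer": referrer})
    return out


# Highest chain_index is the URL the bytes actually came from.
DOWNLOADS_QUERY = """
SELECT d.id, d.target_path, d.start_time, d.received_bytes, d.total_bytes,
       (SELECT url FROM downloads_url_chains c WHERE c.id = d.id
        ORDER BY c.chain_index DESC LIMIT 1) AS final_url
FROM downloads d ORDER BY d.start_time
"""


def downloads_report(conn):
    return [{"id": i, "path": p, "started": webkit_to_iso(t),
             "complete": rb == tb, "url": u}
            for i, p, t, rb, tb, u in conn.execute(DOWNLOADS_QUERY)]


if __name__ == "__main__":
    db = build_sample_db()
    for row in history_report(db) + downloads_report(db):
        print(row)
```

The same conversion applies to every Chrome timestamp column (last_visit_time, Cookies.creation_utc, downloads.start_time), so keep webkit_to_iso as the single place that does it.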
Chrome Databases
Login Data: stores saved login credentials (password values are encrypted the same way as cookie values).
Web Data: data the user has saved for form auto-fill: names, addresses, credit cards.
Thumbnails: thumbnail images of visited sites, viewable using sqliteman's image preview function (older versions; current versions keep site images under Top Sites).
More Chrome
Bookmarks: file in each user's profile directory containing a series of JSON objects. A copy labeled "Bookmarks.bak" is also stored in the directory.
Local State: JSON file in the User Data directory (one level above the profile) holding browser-wide state such as the profile list and, on Windows, the DPAPI-protected encryption key. Open tabs and windows for restoration after an unexpected shutdown are kept in the profile's session files (Current Session / Current Tabs, or the Sessions folder in current versions).
More Chrome
Cache: consists of an index file and four block files (data_0 through data_3). Larger entries are stored in separate files named f_ followed by six hex digits (f_000001, f_00002a, ...).
Other Browser Analysis Tools
A large collection of free browser-analysis tools is available from a single author (link not captured). Many of these only run in a Windows environment.
Microsoft Outlook
Everyone uses email, and most of us probably get too much of it. Microsoft Outlook is one of the most commonly used clients. It stores all messages, contacts and calendar items in a Personal File Folder (PFF) file; the most commonly used PFF type is the Personal Storage Table (PST).
Personal Storage Table
Format used by Microsoft's Outlook client. Stores mail from POP3, IMAP and other account types on the user's local system. Can also be used to back up, export and import messages, calendar events, contacts, task data, etc. Not used as the primary store for Office 365, Exchange and Outlook.com accounts, which use OST files instead.
Personal Storage Table
Two most commonly configured default locations:
drive:\Users\<username>\AppData\Local\Microsoft\Outlook
drive:\Users\<username>\AppData\Roaming\Microsoft\Outlook
Outlook 2013 and later default to drive:\Users\<username>\Documents\Outlook Files. Locations change with the OS and with the Outlook version.
Personal Storage Table
File specifications are published by Microsoft as [MS-PST]. More information: "Personal File Folder (PFF) Forensics: Analyzing the Horrible Reference File Format" (the libpff project's format documentation) and the same project's notes on appointment falsification analysis (links not captured).
Offline Storage Table (OST)
A synchronized copy of the server mailbox kept on the local computer. Allows users to create, edit or delete messages while not connected to the server; offline changes are resynchronized automatically when the connection is restored. Unlike PST files, Outlook cannot import items from an OST file directly, but forensic tools such as libpff read both formats.
readpst
Reads an Outlook PST file and converts it into an mbox file (a format suitable for KMail), a recursive mbox structure, or separate emails. Install: apt install readpst (the Debian/Ubuntu package is pst-utils). Extract messages keeping the folder structure and create files in both .msg and .eml format:
readpst -o ~/ArchivedMessages -D -j 4 -r -tea -u -w -m ./ArchiveBackup.pst
(-D includes deleted items, -j 4 runs four parallel jobs, -r writes a recursive folder structure, -tea exports email and appointment items, -u Thunderbird mode, -w overwrites existing output, -m writes .msg alongside .eml.) After converting to an open format, the mail can be parsed with Linux mail analysis tools:
grepmail: utility designed to search for individual mail entries matching a supplied set of criteria.
mairix: powerful mail searching utility that builds an index of the mailbox; more useful in investigations involving large mailboxes or which lack clear examination criteria.
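As an added example (not from the slides, and not the readpst or grepmail tooling itself), this Python uses the standard-library mailbox module to triage an mbox of the kind readpst produces: one row per message with sender, subject, parsed date and attachment names, an optional sender-domain filter in the spirit of grepmail, and a flag for attachment extensions that commonly carry executables. The two-message mbox is constructed inside the code (the "invoice.exe" body is a few placeholder bytes, not a real program) so it runs offline; point triage() at a real mbox copy to use it.

```python
import mailbox
import os
import tempfile
from email.utils import parseaddr, parsedate_to_datetime

# Constructed two-message mbox standing in for readpst output (not real evidence).
SAMPLE_MBOX = """\
From alice@example.org Fri Jul 14 02:40:00 2017
From: Alice <alice@example.org>
To: bob@example.org
Subject: Q3 numbers
Date: Fri, 14 Jul 2017 02:40:00 +0000
Message-ID: <1@example.org>

Please review before Monday.

From mallory@example.net Sat Jul 15 09:00:00 2017
From: "Accounts" <mallory@example.net>
To: bob@example.org
Subject: Invoice overdue
Date: Sat, 15 Jul 2017 09:00:00 +0000
Message-ID: <2@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

See attachment.
--sep
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--sep--
"""

# Attachment extensions worth a second look in a phishing investigation (assumed list).
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso")


def write_sample_mbox():
    """Write the constructed mbox to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def attachments(msg):
    """Filenames of all attachment parts, walking nested multiparts."""
    return [part.get_filename() for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def triage(path, sender_domain=None):
    """One dict per message; optionally keep only mail from the given sender domain."""
    rows = []
    for msg in mailbox.mbox(path):
        name, addr = parseaddr(msg.get("From", ""))
        domain = addr.rpartition("@")[2].lower()
        if sender_domain and domain != sender_domain.lower():
            continue
        att = attachments(msg)
        date = msg.get("Date")
        rows.append({
            "message_id": msg.get("Message-ID"),
            "from": addr,
            "display_name": name,
            "subject": msg.get("Subject"),
            "date": parsedate_to_datetime(date).isoformat() if date else None,
            "attachments": att,
            "flag": any(a and a.lower().endswith(RISKY_EXT) for a in att),
        })
    return rows


if __name__ == "__main__":
    for row in triage(write_sample_mbox()):
        print(row)
```

mailbox.mbox opens the file for writing as well as reading, so run it only on a working copy of the converted mailbox, never on the original export.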
libpff
Cross-platform library and tools for accessing PST and OST files (GitHub project and building instructions are linked from the project page; links not captured). Provides two tools: pffinfo and pffexport.
pffinfo: tool for extracting basic information about a PST: pffinfo <file.pst>
libpff pffexport
-m flag: defines the export mode. Defaults to only "allocated" messages, which already includes items in the "Deleted Items" folder that the user has not yet purged. The "all" option additionally makes pffexport attempt to carve and export messages from unallocated space within the PST structure.
-l flag: write a log of exported items to the given file.
libpff
pffexport -m all -t outlook-export <file.pst>
Creates separate output directories for allocated and recovered items. In the outlook-export.allocated directory will be a directory named "Top of Personal Folders", the top-level folder emails are stored in. Messages in those directories are written out as .txt files holding the component pieces: Message.txt is the actual mail content, the others (InternetHeaders.txt, Recipients.txt, ...) are Outlook metadata. If a log file was created, it can be filtered with grep to find the locations of items of interest.
Windows Tools
A collection of free but not open-source tools for PST, OST and other formats (link not captured). Can probably be run in SIFT using Wine.
Questions?