Computer Forensics Internet Artifacts.


Computer Forensics Internet Artifacts

Browsers leave behind:
- Caches
- Cookies
- Browser settings (favorites, history)
- Erasing history does not always erase the entries created; it only changes what the browser displays

Internet Explorer: index.dat
- Located in:
  c:\documents and settings\user\local settings\temporary internet files\
  c:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
- In MS IE Cache File (MSIECF) format

Internet Explorer: investigate IE index.dat with
- Pasco, from Foundstone
- Metz: libmsiecf project at SourceForge
- Ishigaki: Win32::URLCache Perl module

Index.dat Analysis
- Keith J. Jones, Foundstone: http://www.foundstone.com/pdf/wp_index_dat.pdf

index.dat file header
- Null-terminated version string, followed by the file size
- Bytes on disk: 00 80 00 00; read as a little-endian value: 0x00008000 = 32768

index.dat file header
- Bytes 0x20 - 0x23: location of the hash table
- The hash table is used to store the actual entries
- Go to byte 0x00004000

index.dat file header Beginning of hash table

index.dat file header: History

index.dat file header: History
- Size: 0x00394000 = 3751936 bytes
- Hash table: 0x00005000
- Directories: null-terminated names, starting at 0x50

index.dat file Hash Table:

index.dat file hash table
- There can be several hash tables; each one contains a pointer to the next one
- Fields in a hash table:
  - Magic marker "HASH"
  - 4B: number of entries in the hash table; multiply this number by 128 B to get its size
  - Pointer to the next hash table

index.dat file hash table
- Entries: 0x20 = 32, so the total size of the hash table is 32 * 128 B = 4 KB
- Next hash table at 0x00018000

index.dat file header: hash table entry
- Activity flag: 40 03 6C DA
- Activity record pointer: 00 03 48 00
- Go to 00 03 48 00

index.dat file header Go to that location:

index.dat file header: activity record
- Type field (4B): REDR, URL or LEAK
- Length field (4B): multiply by 0x80 (128 B)
- Data field

index.dat file header: URL activity record
- Represents a website visited
- Record length (4B)
- Time stamps: 8B starting at offset +8 in the activity record: last modified; 8B starting at offset +16: last accessed
- Organized like file MAC times

index.dat file header: REDR activity record
- Subject's browser was redirected to another site
- Same type, length and data format
- Followed by the URL at offset 16 in the activity record

index.dat file header: LEAK activity record
- Same layout as URL

index.dat file header: deleted records
- Will not show up when consulting IE history, but are often still there
- "Delete history" does not rewrite the history file
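The header, hash-table and activity-record walk described on the slides above, as an added example (not code from the slides or from Pasco/libmsiecf): it parses a constructed minimal index.dat, follows the chain of HASH tables and decodes the URL and REDR records they point at. It assumes the file-size field sits at 0x1C directly after the 28-byte version string, a 16-byte HASH header before the (flag, pointer) entries, and zero-filled unused entries in the constructed sample.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                                  # tables and records are sized in 128-byte blocks
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
def from_filetime(ticks):                     # FILETIME: 100-ns ticks since 1601-01-01 UTC
    return EPOCH + timedelta(microseconds=ticks // 10)
def to_filetime(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def parse_record(data, off):
    rtype, nblocks = struct.unpack_from("<4sI", data, off)      # type, then length in 0x80 blocks
    rec = {"offset": off, "type": rtype.decode().strip(), "size": nblocks * BLOCK}
    if rtype in (b"URL ", b"LEAK"):           # LEAK records share the URL layout
        modified, accessed = struct.unpack_from("<QQ", data, off + 8)   # stamps at +8 and +16
        rec["last_modified"], rec["last_accessed"] = from_filetime(modified), from_filetime(accessed)
    elif rtype == b"REDR":                    # redirect target string follows at +16
        rec["url"] = data[off + 16:data.index(b"\x00", off + 16)].decode()
    return rec

def parse_index_dat(data):
    version = data[:data.index(b"\x00")].decode()
    file_size, hash_off = struct.unpack_from("<II", data, 0x1C)   # file size, then hash table at 0x20
    records = []
    while hash_off:                           # tables chain through their next-table pointer
        magic, nblocks, next_off = struct.unpack_from("<4sII", data, hash_off)
        if magic != b"HASH":
            raise ValueError("no HASH marker at 0x%x" % hash_off)
        # (flag, record pointer) entries start after the 16-byte HASH header; unused slots are zero
        # in this constructed file (real files use sentinel values), so only follow pointers that
        # land on a known record type inside the file
        for pos in range(hash_off + 16, hash_off + nblocks * BLOCK, 8):
            flag, rec_off = struct.unpack_from("<II", data, pos)
            if 0 < rec_off < file_size and data[rec_off:rec_off + 4] in (b"URL ", b"REDR", b"LEAK"):
                records.append(parse_record(data, rec_off))
        hash_off = next_off
    return version, records

def build_sample():
    # Constructed minimal index.dat: 1 header block, 2-block HASH table, one URL and one REDR record
    buf = bytearray(0x280)
    buf[:28] = b"Client UrlCache MMF Ver 5.2\x00"
    struct.pack_into("<II", buf, 0x1C, len(buf), 0x80)
    struct.pack_into("<4sII", buf, 0x80, b"HASH", 2, 0)
    struct.pack_into("<IIII", buf, 0x90, 0x40036CDA, 0x180, 0x40036CDB, 0x200)  # flag/pointer pairs
    t1 = to_filetime(datetime(2013, 1, 14, 9, 0, tzinfo=timezone.utc))     # last modified
    t2 = to_filetime(datetime(2013, 1, 15, 10, 30, tzinfo=timezone.utc))   # last accessed
    struct.pack_into("<4sIQQ", buf, 0x180, b"URL ", 1, t1, t2)
    struct.pack_into("<4sI", buf, 0x200, b"REDR", 1)
    url = b"http://example.test/go\x00"
    buf[0x210:0x210 + len(url)] = url
    return bytes(buf)
```

Because the parser walks the hash tables rather than the history the browser displays, a record that is no longer referenced by any table (the "deleted" case on the slide) is the one thing it will not find; carving the file for "URL " markers is the complementary step.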

Computer Forensics, 2013: Internet Explorer Artifacts (continued)

Index.dat artifacts
- IE artifacts are created by the WinInet API
- Often, malware uses the same API
- If running at administrator level: entries in index.dat for the "Default User" or "LocalService" account

IE Favorites
- Located in %USERPROFILE%\Favorites
- Each favorite is a file with MAC times

Cookies
- Cookie files generated in:
  Documents and Settings\%username%\Cookies
  Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
- Can be inspected directly or by using Galleta
- Time stamps: can be from the issuing site; more likely created by JavaScript (giving local time)

Caches
- Stored in system-type specific directories

Computer Forensics 2013: Firefox

Firefox
- Stores data in SQLite 3 databases; open tools exist to access them
- Firefox stores data in a user-specific profile directory; the folder contains profiles.ini, which lists the profile folders
- Important databases: formhistory.sqlite, downloads.sqlite, cookies.sqlite, places.sqlite

Firefox cache
- Cache directory contains numbered files in binary format
- Tools: NirSoft, Woanware

Firefox sessionstore.js
- Written if Firefox is not terminated properly; used to restore the browsing session
- Content: JSON objects (use a JSON viewer)

Computer Forensics 2013: Chrome

Chrome
- Uses a system-type dependent directory location
- Uses SQLite
- Cookies
- History: tables downloads, urls, visits; time values stored in seconds since Jan 1, 1601 UTC
- Login Data
- Web Data (autofill)
- Thumbnails (of websites visited)
- Chrome bookmarks: file with JSON objects

Chrome cache
- index file
- four number files data_0, .., data_3
- f_(six hex digits) files
- Creation time of f_ files can be correlated with data from the history database
- No open source tools

Computer Forensics, 2013: Safari

Safari
- History in History.plist; also Downloads.plist, Bookmarks.plist, Cookies.plist
- Times stored as MacAbsoluteTime (seconds since January 1, 2001 GMT)
- Use Safari Forensics Tools (SFT) for scanning Downloads.plist, Bookmarks.plist, Cookies.plist
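An added example (not from the slides) covering the Chrome history and Safari timestamp slides together: it joins the urls and visits tables of a constructed, column-reduced stand-in for a Chrome History database into a timeline, and converts the stored values to UTC datetimes. Chrome's History tables count microseconds from the 1601-01-01 UTC epoch named on the Chrome slide (the same epoch as the FILETIME stamps in index.dat), and Safari's plists count seconds from 2001-01-01 UTC; the table names are Chrome's, the rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # same epoch as Windows FILETIME
SAFARI_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # MacAbsoluteTime epoch

def from_chrome_time(value):
    # Chrome History stores microseconds since 1601-01-01 UTC; 0 means "never visited"
    return None if not value else CHROME_EPOCH + timedelta(microseconds=value)

def to_chrome_time(dt):
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)

def from_safari_time(seconds):
    # Safari plists store MacAbsoluteTime: (fractional) seconds since 2001-01-01 UTC
    return SAFARI_EPOCH + timedelta(seconds=seconds)

def build_history_db():
    # Constructed stand-in for a Chrome History file with the urls and visits tables the
    # slide names, reduced to the columns read below (real files carry more columns)
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
    """)
    t1 = to_chrome_time(datetime(2013, 3, 2, 14, 5, 0, tzinfo=timezone.utc))
    t2 = to_chrome_time(datetime(2013, 3, 2, 14, 7, 30, tzinfo=timezone.utc))
    db.execute("INSERT INTO urls VALUES (1, 'http://example.test/', 'Example', 1, ?)", (t1,))
    db.execute("INSERT INTO urls VALUES (2, 'http://example.test/login', 'Login', 1, ?)", (t2,))
    db.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [(1, 1, t1, 0), (2, 2, t2, 1)])
    return db

def visit_timeline(db):
    # Each visit with its page, a readable UTC stamp and the visit id it was reached from
    rows = db.execute("""SELECT v.id, u.url, v.visit_time, v.from_visit
                         FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time""")
    return [(vid, url, from_chrome_time(t).isoformat(), src) for vid, url, t, src in rows]
```

On a real History file, open a copy of the database read-only rather than the live file, since Chrome holds it locked and the journal may carry entries the main table no longer shows.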

Safari
- Cache information in Cache.db, an SQLite3 database: cfurl_cache_response (URL), cfurl_cache_blob_data (actual cached data)
- LastSession.plist

Computer Forensics 2013: Outlook Artifacts

Outlook
- Storage format is PST; OST for offline storage of email
- PST format information at msdn.microsoft.com/en-us/library/ff385210.aspx