Forensic Analysis of Internet Explorer Activity Files

Presentation transcript:

Forensic Analysis of Internet Explorer Activity Files
Based on the article by Keith J. Jones, Foundstone: http://www.foundstone.com/pdf/wp_index_dat.pdf

Basics: Internet Explorer Market Share (2009)

September 2002: 92.9% (WebSideStory)
2004: 81.4% (www.w3schools.com/browsers/browsers-stats.app; user bias towards alternatives)
2007: 58.6% (same source)
2008: 26.1% (same source)

September 2009 (same source):
  IE7      15.3%
  IE6      12.1%
  IE8      12.2%
  Firefox  46.6%
  Chrome    7.1%
  Safari    3.6%
  Opera     2.2%

Basics: Location of the activity files

Win9x / ME:
  \Windows\Temporary Internet Files\Content.IE5
  \Windows\Cookies
  \Windows\History\History.IE5

WinNT:
  \Winnt\Profiles\<user>\Local Settings\Temporary Internet Files\Content.IE5\
  \Winnt\Profiles\<user>\Cookies\
  \Winnt\Profiles\<user>\Local Settings\History\History.IE5

Win2K / WinXP:
  \Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5
  \Documents and Settings\<user>\Cookies
  \Documents and Settings\<user>\Local Settings\History\History.IE5

index.dat File Header: contains basic information on the file.

index.dat file header: a null-terminated version string, followed by the file size.
On disk: 00 80 00 00. Little-endian conversion: 0x00008000 = 32768 bytes.

index.dat file header: bytes 0x20 – 0x23 hold the location of the hash table. The hash table is used to store the actual entries. Go to byte 0x 00 00 40 00 (= 0x4000).

index.dat file header: beginning of the hash table.

index.dat file header: History
  Size: 0x00394000 = 3751936 bytes
  Hash table: 0x00005000
  Directories: null-terminated strings, at 0x50

index.dat file Hash Table:

index.dat file Hash Table: there can be several hash tables; each one contains a pointer to the next one. Fields in the hash table:
  Magic marker "HASH" (4B)
  Length of the hash table, counted in 128B blocks (multiply this number by 128B to get the size in bytes)
  Pointer to the next hash table

index.dat file Hash Table: length field 0x20 (= 32 blocks), so the total size of the hash table is 32*128B = 4KB. Next hash table at 0x 00 01 80 00 (= 0x18000).

index.dat file Hash Table Entries

Field                     Offset   Size   Description
Hash Table Length         4        4B     Length of the hash table, in 0x80 (128) byte blocks.
Next Hash Table           8        4B     Offset (in bytes from the beginning of the file) of the next hash table. A zero value shows that this is the last hash table.
Activity Record Flags     16+8n    4B     First byte 0x01: record deleted. First byte 0x03 / else: (left blank on the slide).
Activity Record Pointers  20+8n    4B     Offset of the activity record.

index.dat file header: activity flag 40 03 6C DA, activity record pointer 00 03 48 00. Go to 00 03 48 00.

index.dat file header: go to that location.

index.dat file header: Activity Record
  Type field (4B): REDR, URL or LEAK
  Length field (4B): the length of the activity record, measured in 0x80 (128) byte blocks
  Data field: depends on the type of activity record (discussed further below)

index.dat file header: URL Activity Record. Represents a website visited. Record length (4B). Time stamps: 8B starting at offset +8 in the activity record: last modified; 8B starting at offset +16 in the activity record: last accessed. Organized like file MAC times.

index.dat file header: REDR Activity Record. The subject's browser was redirected to another site. Same type, length and data format, followed by the URL at offset 16 in the activity record.

index.dat file header: LEAK Activity Record. Same as URL, other than the TYPE difference for the record.

index.dat file header: Deleted Records. They will not show up when consulting the IE history, but are often still there: "Delete history" does not rewrite the history file.
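As an added example (not from the slides or from Jones' paper), a Python walker that follows the structures described above: it reads the version string and file size from the header, takes the hash table pointer from bytes 0x20-0x23, follows the chain of HASH tables, decodes URL, REDR and LEAK records, and keeps entries whose flag byte marks them deleted. It assumes the wording of the version string, a URL-offset field at +0x34 of URL/LEAK records (not on the slides), and a constructed in-memory sample file whose flag word is taken from the slide's example.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here

def cstr(buf, off):  # null-terminated ASCII string starting at off
    return buf[off:buf.index(b"\x00", off)].decode("ascii", "replace")

def parse_index_dat(buf):
    """Header -> chain of HASH tables -> activity records; deleted entries are kept and flagged."""
    ver = cstr(buf, 0)                                          # null-terminated version string
    size = struct.unpack_from("<I", buf, len(ver) + 1)[0]       # file size follows it
    table = struct.unpack_from("<I", buf, 0x20)[0]              # hash table pointer at 0x20-0x23
    records = []
    while table:                                                # next pointer 0 = last table
        assert buf[table:table + 4] == b"HASH", "bad hash table magic"
        blocks, nxt = struct.unpack_from("<II", buf, table + 4) # length in 128 B blocks, next table
        for off in range(table + 16, table + blocks * 128, 8):  # flags at 16+8n, pointer at 20+8n
            flags, ptr = struct.unpack_from("<II", buf, off)
            rtype = buf[ptr:ptr + 4] if ptr and ptr % 128 == 0 and ptr + 8 <= size else b""
            if rtype not in (b"URL ", b"REDR", b"LEAK"):        # empty slot, bad pointer, unknown type
                continue
            rec = {"type": rtype.decode().strip(), "offset": ptr, "deleted": flags & 0xFF == 0x01,
                   "length": struct.unpack_from("<I", buf, ptr + 4)[0] * 128}
            if rtype == b"REDR":                                # REDR: target URL at +16
                rec["url"] = cstr(buf, ptr + 16)
            else:                                               # URL/LEAK: FILETIMEs at +8 and +16
                rec["modified"], rec["accessed"] = [EPOCH_1601 + timedelta(microseconds=t // 10)
                                                    for t in struct.unpack_from("<QQ", buf, ptr + 8)]
                rec["url"] = cstr(buf, ptr + struct.unpack_from("<I", buf, ptr + 0x34)[0])  # assumed
            records.append(rec)
        table = nxt
    return ver, size, records

def build_sample():  # constructed test file: header, one HASH table, URL + REDR + deleted LEAK record
    f = bytearray(0x300)
    f[0:28] = b"Client UrlCache MMF Ver 5.2\x00"              # version string (assumed wording)
    struct.pack_into("<II", f, 0x1C, len(f), 0x80)             # file size, hash table pointer
    f[0x80:0x88] = b"HASH" + struct.pack("<I", 1)              # one 128 B block; next pointer stays 0
    acc = 128962368000000000                                   # FILETIME of 2009-09-01 00:00:00 UTC
    for slot, (off, blocks, rtype, flags, url) in enumerate([
            (0x100, 2, b"URL ", 0xDA6C0340, b"http://example.com/"),
            (0x200, 1, b"REDR", 0xDA6C0380, b"http://example.com/login"),
            (0x280, 1, b"LEAK", 0xDA6C0301, b"http://example.com/old")]):  # low flag byte 0x01 = deleted
        struct.pack_into("<II", f, 0x90 + 8 * slot, flags, off)           # hash entry: flags, pointer
        f[off:off + 8] = rtype + struct.pack("<I", blocks)                 # type, length in blocks
        if rtype == b"REDR":
            f[off + 16:off + 17 + len(url)] = url + b"\x00"
        else:
            struct.pack_into("<QQ", f, off + 8, acc - 36_000_000_000, acc)  # modified 1 h before accessed
            struct.pack_into("<I", f, off + 0x34, 0x68)                     # assumed URL-offset field
            f[off + 0x68:off + 0x69 + len(url)] = url + b"\x00"
    return bytes(f)
```

Running `parse_index_dat(build_sample())` returns the three records, with the LEAK record reported as deleted even though its data is still in the file.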

index.dat file header: tools to sort things out: PASCO for index.dat, Galleta for cookies.