
Forensic Analysis of Internet Explorer Activity Files Based on article by Keith J. Jones Foundstone


1 Forensic Analysis of Internet Explorer Activity Files
Based on the article by Keith J. Jones, Foundstone
http://www.foundstone.com/pdf/wp_index_dat.pdf

2 Basics: Internet Explorer market share
2002: 92.9% (WebSideStory)
2004: 81.4% (www.w3schools.com/browsers/browsers-stats.app; that site's users are biased towards alternative browsers)
2007: 58.6% (same source)

3 Basics: where the activity files live
Win9x / ME:
  \Windows\Temporary Internet Files\Content.IE5
  \Windows\Cookies
  \Windows\History\History.IE5
WinNT:
  \Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5\
  \Winnt\Profiles\<username>\Cookies\
  \Winnt\Profiles\<username>\Local Settings\History\History.IE5
Win2K / WinXP:
  \Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5
  \Documents and Settings\<username>\Cookies
  \Documents and Settings\<username>\Local Settings\History\History.IE5

4 index.dat file header: contains the basic information about the file (version, size, location of the hash table).

5 index.dat file header
The file starts with a null-terminated version string, followed by the file size (a 32-bit little-endian value).
Bytes on disk: 00 80 00 00 -> value 0x00008000 after little-endian conversion = 32768 bytes.

6 index.dat file header
Bytes 0x20 - 0x23: offset of the first hash table. The hash table is what indexes the actual activity records.
Here the pointer is 0x00004000, so go to that offset.

7 index.dat file header: the offset from bytes 0x20 - 0x23 lands on the beginning of the hash table.

8 index.dat file header: History

9 History index.dat example
Size: 0x00394000 = 3751936 bytes
Hash table: offset 0x00005000
Directories: null-terminated names, starting at offset 0x50

10 index.dat file hash table

11 index.dat file hash table
There can be several hash tables; each one holds a pointer to the next.
Fields in a hash table:
  Magic marker "HASH" (4 B)
  Length of the hash table, given as a count of 128 B blocks (multiply by 128 B for the size in bytes)
  Pointer (offset) to the next hash table

12 index.dat file hash table example
Length field 0x20 = 32 blocks, so the total size of this hash table is 32 * 128 B = 4 KB.
Next hash table at offset 0x00018000.

13 index.dat file hash table entries
Field                      Offset   Size   Description
Hash Table Length          4        4      Length of the hash table in 0x80-byte blocks
Next Hash Table            8        4      Offset of the next hash table; zero means this is the last hash table
Activity Record Flags      16+8n    4      First byte 0x01: record deleted. First byte 0x03: ... Else: ...
Activity Record Pointers   20+8n    4      Offset of activity record n

14 index.dat file header: example hash table entry
Activity flags: 40 03 6C DA
Activity record pointer: 00 03 48 00
Go to offset 00 03 48 00.

15 index.dat file header: go to that location to find the activity record.

16 index.dat activity record layout
Type field (4 B): REDR, URL or LEAK
Length field (4 B): number of 0x80-byte blocks (multiply by 0x80 for the length in bytes)
Data field

17 URL activity record
Represents a website that was visited.
Record length (4 B).
Time stamps: 8 B starting at offset +8 in the activity record: last modified; 8 B starting at offset +16 in the activity record: last accessed.
Organized like file MAC times.

18 REDR activity record
Records that the browser was redirected to another site.
Same type, length and data layout as the URL record; the target URL follows at offset 16 in the activity record.

19 LEAK activity record: same layout as the URL record.

20 Deleted records
They will not show up when consulting the IE history, but they are often still present in the file: deleting the history does not rewrite the history file.
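The following parser is an added example and is not code from the slides or from Jones's paper. It walks the layout slides 5 through 20 describe (version string and file size in the header, the chain of HASH tables, the flag/pointer entry pairs, and URL, LEAK and REDR records with their FILETIME stamps) over a constructed in-memory image, and keeps records whose flag byte marks them as deleted so they can be reported alongside live ones. Assumptions beyond the slides: the version string "Client UrlCache MMF Ver 5.2" and the file size at offset 0x1C (as seen in real IE5 files), a URL offset field at +0x34 inside URL and LEAK records, and treating any flag byte other than 0x01 as a live entry.

```python
# Added example: minimal parser for the IE5 index.dat layout described in the slides,
# run over a constructed image (not real forensic data).
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                                     # hash tables and records are sized in 0x80-byte blocks
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
VERSION = b"Client UrlCache MMF Ver 5.2\x00"    # assumption: version string seen in real IE5 index.dat files


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; integer math keeps it exact."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def cstring(buf, off):
    """Read a null-terminated ASCII string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("ascii")


def parse_header(buf):
    version = cstring(buf, 0)
    size, hash_off = struct.unpack_from("<II", buf, 0x1C)   # file size at 0x1C, first hash table at 0x20
    return {"version": version, "size": size, "hash_table": hash_off}


def hash_entries(buf, off):
    """Follow the chain of hash tables; yield every (flags, record offset) pair that points somewhere."""
    while off:
        if buf[off:off + 4] != b"HASH":
            raise ValueError("no HASH marker at 0x%x" % off)
        length_blocks, nxt = struct.unpack_from("<II", buf, off + 4)
        n = (length_blocks * BLOCK - 16) // 8            # 16-byte table header, 8 bytes per entry
        for i in range(n):
            flags, ptr = struct.unpack_from("<II", buf, off + 16 + 8 * i)
            if ptr:
                yield flags, ptr
        off = nxt


def parse_record(buf, off, flags):
    rtype = buf[off:off + 4].decode("ascii").strip()
    length_blocks = struct.unpack_from("<I", buf, off + 4)[0]
    rec = {"offset": off, "type": rtype, "length": length_blocks * BLOCK,
           "deleted": (flags & 0xFF) == 0x01}           # slide 13: first byte 0x01 = record deleted
    if rtype in ("URL", "LEAK"):                         # slide 19: LEAK shares the URL layout
        modified, accessed = struct.unpack_from("<QQ", buf, off + 8)   # +8 last modified, +16 last accessed
        rec["last_modified"] = filetime_to_dt(modified)
        rec["last_accessed"] = filetime_to_dt(accessed)
        url_off = struct.unpack_from("<I", buf, off + 0x34)[0]       # assumption: URL offset field at +0x34
        rec["url"] = cstring(buf, off + url_off)
    elif rtype == "REDR":
        rec["url"] = cstring(buf, off + 16)               # slide 18: URL starts at offset 16
    return rec


def parse_index_dat(buf):
    hdr = parse_header(buf)
    return hdr, [parse_record(buf, ptr, flags) for flags, ptr in hash_entries(buf, hdr["hash_table"])]


def build_sample():
    """Constructed 4 KB image: header, two chained hash tables, a live URL, a deleted LEAK and a REDR."""
    img = bytearray(0x1000)
    img[0:len(VERSION)] = VERSION
    struct.pack_into("<II", img, 0x1C, len(img), 0x100)             # file size, first hash table
    mod = dt_to_filetime(datetime(2004, 3, 1, 12, 0, tzinfo=timezone.utc))
    acc = dt_to_filetime(datetime(2004, 3, 2, 8, 30, tzinfo=timezone.utc))

    def put_url_record(off, rtype, url):                              # one 0x80-byte block per record
        img[off:off + 4] = rtype
        struct.pack_into("<IQQ", img, off + 4, 1, mod, acc)
        struct.pack_into("<I", img, off + 0x34, 0x68)
        img[off + 0x68:off + 0x68 + len(url) + 1] = url + b"\x00"

    put_url_record(0x200, b"URL ", b"http://example.com/")
    put_url_record(0x300, b"LEAK", b"http://example.com/old")
    img[0x280:0x284] = b"REDR"
    struct.pack_into("<I", img, 0x284, 1)
    img[0x290:0x290 + 24] = b"http://example.net/next\x00"

    img[0x100:0x104] = b"HASH"                                        # hash table 1 -> table 2
    struct.pack_into("<II", img, 0x104, 1, 0x180)
    struct.pack_into("<IIII", img, 0x110, 0x03, 0x200, 0x01, 0x300)  # live URL, deleted LEAK
    img[0x180:0x184] = b"HASH"                                        # hash table 2, last in chain
    struct.pack_into("<II", img, 0x184, 1, 0)
    struct.pack_into("<II", img, 0x190, 0x03, 0x280)                  # live REDR
    return bytes(img)


if __name__ == "__main__":
    hdr, recs = parse_index_dat(build_sample())
    print(hdr)
    for r in recs:
        print("%-5s %-8s %s" % (r["type"], "DELETED" if r["deleted"] else "live", r["url"]))
```

Running it lists the deleted LEAK record next to the live entries, which is the point of slide 20: the hash table entry is only flagged, so the record body and its URL stay readable until the space is reused. On a real file, replace build_sample() with the bytes of an index.dat and expect more record types and unused entries than this image contains.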

21 Tools to sort things out: Pasco for index.dat, Galleta for cookies.

