Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics Internet Artifacts.

Published byMalik Buff Modified over 10 years ago

Similar presentations

Presentation on theme: "Computer Forensics Internet Artifacts."— Presentation transcript:

1 Computer Forensics Internet Artifacts

2 Browsers Leave behind: Caches Cookies
Browser settings (favorites, history) Erasing history does not always erase the entries created, only changes what browser displays

3 Internet Explorer Index.dat Located in In MS IE Cache File (MSIECF)
c:\documents and settings\user\local settings\temporary internet files\ c:\Users\user\AppDataLocal\Microsoft\Windows\Temporary Internet Files\ In MS IE Cache File (MSIECF)

4 Internet Explorer Investigate IE index.dat with Pasco from foundstone
Metz: libmsiecf project at sourceforge Ishigaki Win32::URLCache perl module

5 Index.dat Analysis Keith J. Jones Foundstone
Index.dat Analysis

6 index.dat file header Null terminated version string.
Followed by file size. 0x 0x (little endian conversion)  32768

7 index.dat file header Bytes 0x20 – 0x23: Location of hash table.
Hash table is used to store the actual entries. Go to byte 0x

8 index.dat file header Beginning of hash table

9 index.dat file header: History

10 index.dat file header: History
Size: 0x Hash Table: 0x Directories: (null-terminated, 0x50)

11 index.dat file Hash Table:

12 index.dat file Hash Table: Fields in Hash Table:
There can be several hash tables. Each one contains a pointer to the next one. Fields in Hash Table: Magic Marker “HASH” 4B Number of Entries in Hash table. Multiply this number by 128B Pointer to next hash table

13 index.dat file Hash Table:
20 entries  Total size of hash table is 32*128B = 4KB Next hash table at 0x

14 index.dat file header Activity flag 40 03 6C DA
Activity record pointer: Go to

15 index.dat file header Go to that location:

16 index.dat file header Activity Record Type field 4B: Length Field 4B:
REDR URL LEAK Length Field 4B: Multiply with 0x80 Data Field

17 index.dat file header URL Activity Record Represents website visited
Record Length (4B) Time stamps 8B starting at offset +8 in the activity record: Last Modified 8B starting at offset +16 in the activity record: Last accessed Organized like file MAC times.

18 index.dat file header REDR Activity Record
Subject’s browser redirected to another site Same Type, length, data format Followed by URL at offset 16 in activity record

19 index.dat file header LEAK activity record Same as URL

20 index.dat file header Deleted Records:
Will not show up when consulting IE history. But often still there. “Delete history” is not rewriting the history file.

21 Internet Explorer Artifacts (continued)
Computer Forensics, 2013 Internet Explorer Artifacts (continued)

22 Index.dat artifacts IE artifacts created by the WinInet API
Often, malware uses same API If at administrator level: Entries in index.dat for “Default User” or “LocalService” account

23 IE Favorites Located in Is a file with MAC times
%USERPROFILE%\Favorites Is a file with MAC times

24 Cookies Cookie files generated in
Documents and Settings\%username%\cookies Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies Can be inspected directly or by using galleta Time stamps: Can be from issuing site More likely, created by java-script (giving local time)

25 Caches Stored in system-type specific directories

26 Computer Forensics 2013 Firefox

27 FireFox Stores data in SQLite 3 databases
Open tools to access them Firefox stores in a user-specific profile directory Folder contains profiles.ini Profiles.ini contains various folders Important: Formhistory.sqlite Downloads.sqlite Cookies.sqlite Places.sqlite

28 Firefox Cache Cache directory contains numbered files in binary format
NirSoft, Woanware

29 Firefox sessionstore.js If firefox is not terminated properly
Used to restore browsing session Content: JSON objects (use JSON viewer)

30 Computer Forensics 2013 Chrome

31 Chrome Uses system-type dependent directory location Uses SQLite
Cookies History: tables downloads, urls, visits Time values stored in seconds since Jan 1, 1601 UTC Login Data Web Data (autofill) Thumbnails (of websites visited) Chrome bookmarks File with JSON objects

32 Chrome Cache index file four number files data_0, .., data_3
f_(six hex digits) files Creation time of f_files can be correlated with data from history data base No open source tools

33 Computer Forensics, 2013 Safari

34 SAFARI History in History.plist Downloads.plist Bookmarks.plist
times stored as MacAbsoluteTime (Seconds since January 1, 2001 GMT) Use Safari Forensics Tools (SFT) for scanning Downloads.plist Bookmarks.plist Cookies.plist

35 Safari Cache information in Cache.db SQLite3 database
cfurl_cache_response (URL) cfurl_cache_blob_data (actual cached data) LastSession.plist

36 Computer Forensics 2013 Outlook Artifacts

37 Outlook Storage format is PST
OST for offline storage of PST format information at msdn.microsoft.com/en-us/library/ff aspx

Download ppt "Computer Forensics Internet Artifacts."

Similar presentations

WordPress Installation for Beginners Sheila Bergman

WordPress Installation for Beginners Sheila Bergman
Step 1 Start your web browser (Internet Explorer or Firefox). Step 2 Type: in the Address box Step 3 Press Enter on the keyboard.

Step 1 Start your web browser (Internet Explorer or Firefox). Step 2 Type: in the Address box Step 3 Press Enter on the keyboard.
Using the National Document Assembly Server Marc Lauritsen Bart Earle Alan Soudakoff Capstone Practice Systems December 12, 2008.

Using the National Document Assembly Server Marc Lauritsen Bart Earle Alan Soudakoff Capstone Practice Systems December 12, 2008.
COMPANY LOGO HERE Getting Started 1. Download the setup file: Go to Click on the Visit Setup Page link (includes Java.

COMPANY LOGO HERE Getting Started 1. Download the setup file: Go to Click on the Visit Setup Page link (includes Java.
The Internet and the Web

The Internet and the Web
Forensic Analysis of Internet Explorer Activity Files Based on article by Keith J. Jones Foundstone

Forensic Analysis of Internet Explorer Activity Files Based on article by Keith J. Jones Foundstone
CSN11121 System Administration and Forensics Web Browser Forensic

CSN11121 System Administration and Forensics Web Browser Forensic
MS Exchange and MS SharePoint Connectors Version 1.30.03.10.

MS Exchange and MS SharePoint Connectors Version
Presenter: James Huang Date: Sept. 29, 2014 1.  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.

Presenter: James Huang Date: Sept. 29,  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.
Browser Guideline Powered by DonorCommunity TM DonorCommunity eLearning Series v1.2, February 2012 Browser Guideline.

Browser Guideline Powered by DonorCommunity TM DonorCommunity eLearning Series v1.2, February 2012 Browser Guideline.
 2008 Pearson Education, Inc. All rights reserved. 1 2 2 Web Browser Basics: Internet Explorer and Firefox.

 2008 Pearson Education, Inc. All rights reserved Web Browser Basics: Internet Explorer and Firefox.
Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.

Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.
Reference Management Software Tools Mendeley. Table of Contents: Part A Background/Location Signup/Login Import References Organize (Manage) References.

Reference Management Software Tools Mendeley. Table of Contents: Part A Background/Location Signup/Login Import References Organize (Manage) References.
On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.

On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.
SQLite Forensics David Dym G-C Partners.

SQLite Forensics David Dym G-C Partners.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Internet Browser History Presented by K. SURESH sureshsrikalahasti.weebly.com

Internet Browser History Presented by K. SURESH sureshsrikalahasti.weebly.com
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
Internet Artifacts Dr. John Abraham Professor UTPA.

Internet Artifacts Dr. John Abraham Professor UTPA.
Technology for Computer Forensics by Alicia Castro.

Technology for Computer Forensics by Alicia Castro.

Similar presentations

Ads by Google