Published by Agustín Sánchez Benítez. Modified over 6 years ago.
1
Forensic Analysis of Internet Explorer Activity Files
Based on article by Keith J. Jones Foundstone
2
Basics: Internet Explorer market share, September 2009
Figures from WebSideStory (the source notes a user bias towards alternatives; all columns come from the same source). Browsers compared: IE (with IE8 listed separately), Firefox, Chrome, Safari, Opera. Only three percentages survive in this copy of the table: 15.3%, 46.6% and 2.2%; their assignment to a browser is lost.
3
Basics: where the activity files live, by Windows version
Win9x / ME:
  Cache:   \Windows\Temporary Internet Files\Content.IE5
  Cookies: \Windows\Cookies
  History: \Windows\History\History.IE5
WinNT:
  Cache:   \Winnt\Profiles\<user>\Local Settings\Temporary Internet Files\Content.IE5\
  Cookies: \Winnt\Profiles\<user>\Cookies\
  History: \Winnt\Profiles\<user>\Local Settings\History\History.IE5
Win2K / WinXP:
  Cache:   \Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5
  Cookies: \Documents and Settings\<user>\Cookies
  History: \Documents and Settings\<user>\Local Settings\History\History.IE5
4
index.dat file header: contains basic information on the file.
5
index.dat file header: a null-terminated version string,
followed by the file size (stored little-endian). Example from the slide: 0x… read as 0x… after little-endian conversion = 32768 bytes.
6
index.dat file header: bytes 0x20 – 0x23 hold the location (file offset) of the hash table.
The hash table is where the actual entries are stored. Go to byte 0x… to find it.
7
index.dat file header Beginning of hash table
8
index.dat file header: History
9
index.dat file header: History
Size: 0x…; hash table offset: 0x…; directories: null-terminated names starting at 0x50.
10
index.dat file Hash Table:
11
index.dat file hash table: fields
There can be several hash tables; each one contains a pointer to the next. Fields in a hash table:
- Magic marker "HASH" (4 B)
- Number of entries in the hash table; multiply this number by 128 B to get its size
- Pointer to the next hash table
12
index.dat file hash table: worked example
Length field 0x20 = 32 blocks, so the total size of this hash table is 32 * 128 B = 4 KB. Next hash table at 0x….
13
index.dat file hash table entries (field, offset, description):
- Hash Table Length (offset 4): length of the hash table in 0x80-byte blocks.
- Next Hash Table (offset 8): offset, in bytes from the beginning of the file, of the next hash table. A zero value shows that this is the last hash table.
- Activity Record Flags (offset 16+8n): first byte 0x01 = record deleted; first byte 0x03: …; else: ….
- Activity Record Pointers (offset 20+8n): offset of the activity record.
14
index.dat file hash table entry: activity flags 40 03 6C DA.
Activity record pointer: go to 0x….
15
index.dat activity record: go to that location:
16
index.dat activity record layout
- Type field (4 B): REDR, URL or LEAK.
- Length field (4 B): the length of the activity record, measured in 0x80 (128) byte blocks.
- Data field: layout depends on the type of activity record; discussed further below.
17
index.dat URL activity record: represents a website visited.
Record length (4 B). Time stamps: 8 B starting at offset +8 in the activity record = last modified; 8 B starting at offset +16 = last accessed. Organized like file MAC times.
18
index.dat REDR activity record
The subject's browser was redirected to another site. Same type, length and data format as above, followed by the URL at offset 16 in the activity record.
19
index.dat LEAK activity record
Same layout as the URL record; only the TYPE field differs.
20
index.dat deleted records
They will not show up when consulting IE history, but they are often still in the file: "Delete history" does not rewrite the history file, it only flags the records.
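Pulling the structures above together, here is an added Python parser (not from the slides, and not Pasco's code) that walks the hash-table chain, flags deleted entries, and decodes URL, LEAK and REDR records over a constructed sample image. It assumes the time stamps are Windows FILETIME values and that URL/LEAK records store the offset of their URL string at +0x34 (version 5.2 layout); neither detail is stated on the slides.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80  # hash tables and activity records are sized in 128-byte blocks
def filetime_to_iso(ft):  # assumed: Windows FILETIME, 100 ns ticks since 1601-01-01 UTC (slides say only "MAC-like")
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()
def cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("latin-1")
def parse_index_dat(buf):
    """Walk every hash table of an index.dat image and describe each activity record it points to."""
    version = cstring(buf, 0)                                   # null-terminated version string
    file_size, hash_off = struct.unpack_from("<II", buf, 0x1C)  # file size, then hash table pointer at 0x20
    records = []
    while hash_off:                                             # a zero next-pointer ends the chain
        assert buf[hash_off:hash_off + 4] == b"HASH", "hash table magic missing"
        n_blocks, next_off = struct.unpack_from("<II", buf, hash_off + 4)
        for pos in range(hash_off + 16, hash_off + n_blocks * BLOCK, 8):  # flags at 16+8n, pointer at 20+8n
            rec_off = struct.unpack_from("<I", buf, pos + 4)[0]
            rtype = buf[rec_off:rec_off + 4].strip().decode("ascii", "replace")
            if rtype not in ("URL", "REDR", "LEAK"):            # empty slot (real files fill them with 0x0BADF00D)
                continue
            rec = {"type": rtype, "offset": rec_off, "deleted": buf[pos] == 0x01}  # first flag byte 0x01 = deleted
            if rtype == "REDR":
                rec["url"] = cstring(buf, rec_off + 16)          # slides: redirect target URL at record offset 16
            else:                                                # URL and LEAK records share one layout
                modified, accessed = struct.unpack_from("<QQ", buf, rec_off + 8)
                rec["last_modified"], rec["last_accessed"] = filetime_to_iso(modified), filetime_to_iso(accessed)
                url_rel = struct.unpack_from("<I", buf, rec_off + 0x34)[0]  # assumed v5.2 field: URL string offset
                rec["url"] = cstring(buf, rec_off + url_rel)
            records.append(rec)
        hash_off = next_off
    return {"version": version, "file_size": file_size, "records": records}
def build_sample():
    img = bytearray(5 * BLOCK)  # constructed image, not a real file: header, hash table, live URL, deleted LEAK, REDR
    img[0:28] = b"Client UrlCache MMF Ver 5.2\0"
    struct.pack_into("<II", img, 0x1C, len(img), 0x80)          # size 640 bytes, hash table at 0x80
    img[0x80:0x84] = b"HASH"
    struct.pack_into("<II", img, 0x84, 1, 0)                    # one block long, no next table
    for i, (flags, off) in enumerate(((0x03, 0x100), (0x01, 0x180), (0x03, 0x200))):
        struct.pack_into("<II", img, 0x90 + 8 * i, flags, off)  # 0x03 = live entry, 0x01 = deleted entry
    ft = 128962368000000000                                     # 2009-09-01 00:00:00 UTC as FILETIME
    for off, typ, url in ((0x100, b"URL ", b"http://example.com/"), (0x180, b"LEAK", b"http://example.net/old"), (0x200, b"REDR", b"http://example.org/hop")):
        img[off:off + 4] = typ
        struct.pack_into("<I", img, off + 4, 1)                 # record length: one block
        url_at = 16 if typ == b"REDR" else 0x40                 # REDR: URL at +16; URL/LEAK: located via the +0x34 field
        if typ != b"REDR":
            struct.pack_into("<QQ", img, off + 8, ft, ft + 10_000_000)  # modified, then accessed one second later
            struct.pack_into("<I", img, off + 0x34, url_at)
        img[off + url_at:off + url_at + len(url)] = url
    return bytes(img)
```

The deleted LEAK record is still returned with `deleted` set, which is exactly why a hash-table walk recovers history that the IE user interface no longer shows.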
21
Tools to sort things out: Pasco for index.dat,
Galleta for cookies.