Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Forensics Matthew M. Kimball.

Published byGiles Carpenter Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Forensics Matthew M. Kimball."— Presentation transcript:

1 Web Forensics Matthew M. Kimball

2 Overview Purpose Where & How Data Is Stored Private Browsing
Where Else to Look

3 Purpose Reconstruct suspect’s browsing Cyberstalking Cyberterrorism
Child Pornography Fraud IP Theft Cracks, Patches, Torrents

4 Where Obvious Less Obvious Cache / Temporary Internet Files Cookies
Favorites History Less Obvious DNS Cache PlugIns More to come…

5 Profiles Profiles can be moved.
Profile ‘owner’ doesn’t indicate guilt. Share passwords?

6 Internet Explorer index.dat files View cache…see what they saw
Cookies, History, & Temp Stores: Timestamps Headers Visited URLs Cached pages …in a binary format View cache…see what they saw

7 Pasco (IE)

8 Web Historian (IE)

9 FireFox *.sqlite about:cache “Deleted” favorites are recoverable
Memory Disk Offline “Deleted” favorites are recoverable FF automatically backups favorites Not deleted when clearing data

10 FireFox about:cache browser.cache.disk.enable
= false…disable disk caching.

11 FireFox about:cache disk cache

12 FireFox MozzilaCacheView

13 FireFox MozillaHistoryView High visit count = intent = guilty

14 Opera cookies4.dat dcache4.url opr*.* Binary index of cache
Cached files in same format as originals but missing extension

15 Opera opera:cache

16 What Is Really Meant By Private?
"Incognito is designed to hide your browsing from your computer, not hide it from the Web," says Google engineer Sundar Pichai.

17 Incognito & InPrivate Still Stores on HDD PC Inspector File Recovery
Recovered a lot but not Incognito or InPrivate data. Since it’s written to the drive…it’s recoverable Maybe not with free software but likely with FTK.

18 Where Else To Look Downloads Clipboard Extensions (FireFox)
Not deleted after using Incognito & InPrivate Opera manages torrents Mostly illegal… Clipboard clipbrd.exe Extensions (FireFox)

19 Where Else To Look SharedObjects / Plugins
Tested & failed a break.com visit. Must disable on Macromedia’s website. Requires more work to delete.

20 DNS Cache Windows Mac /ipconfig displaydns /ipconfig flushdns
Lists websites even after clearing info stored by browsers. /ipconfig flushdns Clears DNS listings Mac dscacheutil -cachedump -entries Host dscacheutil -flushcache

21 HOSTS Maps host names to IP addresses.
Redirect to site containing illegal images Favorites addresses may be altered Compare with HOSTS files, caches, and current content on site.

22 HOSTS

23 DNS Cache Windows Lists entries while using InPrivate & Incognito

24 RAM Disk Allows RAM to act like a hard drive
Simply relocate where cache is stored Erased just like RAM Much more difficult to recover, if possible at all! Unless it’s in swap or slack space

25 Still Can’t Find Anything?
Recover Deleted Files Page files Opera: Group Project Slack space ISP logs Network & router logs

26 Tools Web Historian Pasco IE Historian FTK EnCase

27 Summary Prevents average users using the same computer from revealing your tracks… If it wasn’t bleached/shredded…they will find it on the hard drive…

Download ppt "Web Forensics Matthew M. Kimball."

Similar presentations

The Internet and the Web

The Internet and the Web
Computer Forensics Internet Artifacts.

Computer Forensics Internet Artifacts.
CSN11121 System Administration and Forensics Web Browser Forensic

CSN11121 System Administration and Forensics Web Browser Forensic
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Max Secure Software founded in Jan 2003 develops innovative privacy, security, protection and performance solutions for Internet users. The company is.

Max Secure Software founded in Jan 2003 develops innovative privacy, security, protection and performance solutions for Internet users. The company is.
OC RIMS Cyber Safety & Security Incident Response.

OC RIMS Cyber Safety & Security Incident Response.
 2008 Pearson Education, Inc. All rights reserved. 1 2 2 Web Browser Basics: Internet Explorer and Firefox.

 2008 Pearson Education, Inc. All rights reserved Web Browser Basics: Internet Explorer and Firefox.
Putting It All Together 1.  Maintaining a Hard Drive Ch 4 Lab  Hardware cleaning tips ▪ Microsoft Tips Microsoft Tips ▪ Computer Hope Tips Computer.

Putting It All Together 1.  Maintaining a Hard Drive Ch 4 Lab  Hardware cleaning tips ▪ Microsoft Tips Microsoft Tips ▪ Computer Hope Tips Computer.
Browser Comparisons Internet Explorer 8 & 9, Chrome 11 and Firefox 4 Security, Privacy, Add-ons & Convenience.

Browser Comparisons Internet Explorer 8 & 9, Chrome 11 and Firefox 4 Security, Privacy, Add-ons & Convenience.
Facebook Login Helper By loginhelper.com. Facebook Login Is the Facebook Homepage, located at Loading Properly?

Facebook Login Helper By loginhelper.com. Facebook Login Is the Facebook Homepage, located at Loading Properly?
Google Docs is a free, web-based office suite offered by Google within its Google Drive service. It was formerly a storage service as well, but has since.

Google Docs is a free, web-based office suite offered by Google within its Google Drive service. It was formerly a storage service as well, but has since.
Google Chrome & Search C Chapter 18. Objectives 1.Use Google Chrome to navigate the Word Wide Web. 2.Manage bookmarks for web pages. 3.Perform basic keyword.

Google Chrome & Search C Chapter 18. Objectives 1.Use Google Chrome to navigate the Word Wide Web. 2.Manage bookmarks for web pages. 3.Perform basic keyword.
Web browsers It’s a software application for retrieving and presenting information on WWW. An information resource is identified by a Uniform Resource.

Web browsers It’s a software application for retrieving and presenting information on WWW. An information resource is identified by a Uniform Resource.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Internet Browser History Presented by K. SURESH sureshsrikalahasti.weebly.com

Internet Browser History Presented by K. SURESH sureshsrikalahasti.weebly.com
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
Internet Artifacts Dr. John Abraham Professor UTPA.

Internet Artifacts Dr. John Abraham Professor UTPA.
X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.

X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Similar presentations

Ads by Google