
Fajar Alwafi 4711010003 Computer Forensics

WINDOWS SYSTEM ARTIFACTS


BROWSERS

Browsers leave behind:
- Caches
- Cookies
- Browser settings (favorites, history)

Erasing the history does not always erase the entries that were created; it often only changes what the browser displays.


INTERNET EXPLORER

Index.dat, located in
- c:\Documents and Settings\user\Local Settings\Temporary Internet Files\
- c:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\

Stored in MS IE Cache File (MSIECF) format.


INTERNET EXPLORER

Investigate IE index.dat with
- Pasco from Foundstone
- Metz: libmsiecf project at SourceForge
- Ishigaki: Win32::URLCache Perl module

Keith J. Jones, Foundstone: http://www.foundstone.com/pdf/wp_index_dat.pdf

INDEX.DAT ANALYSIS

INDEX.DAT FILE HEADER

Null-terminated version string, followed by the file size (4 bytes).
Bytes on disk 00 80 00 00 -> 0x00008000 (little-endian conversion) = 32768


INDEX.DAT FILE HEADER

Bytes 0x20 - 0x23: location of the hash table. The hash table is used to store the actual entries (pointers to the activity records).
Example value 0x00004000: go to byte 0x4000.

INDEX.DAT FILE HEADER

[Figure: hex dump of the beginning of the hash table]


INDEX.DAT FILE HEADER: HISTORY

Size: 0x00394000 = 3751936 bytes
Hash table: 0x00005000
Directories: null-terminated names, starting at 0x50


INDEX.DAT FILE

Hash Table:
- There can be several hash tables. Each one contains a pointer to the next one.
- Fields in a hash table:
  - Magic marker "HASH"
  - 4B: size of the hash table, counted in 128-byte blocks (the slides call this the number of entries). Multiply this number by 128B to get the size in bytes.
  - 4B: pointer to the next hash table
  - Then the entries themselves, 8 bytes each: activity flag (4B) and pointer to the activity record (4B)

INDEX.DAT FILE

Hash Table example:
- Size field 0x20 = 32 blocks, so the total size of the hash table is 32 * 128B = 4KB
- Next hash table at 0x00018000


INDEX.DAT FILE: HASH TABLE ENTRY

Activity flag: 40 03 6C DA
Activity record pointer: 00 03 48 00, so go to 0x00034800

[Figure: hex dump at that location]


INDEX.DAT FILE HEADER

Activity Record
- Type field, 4B: REDR, URL, or LEAK
- Length field, 4B: multiply by 0x80 (128) to get the record length in bytes
- Data field


INDEX.DAT FILE HEADER

URL Activity Record
- Represents a website visited
- Record length (4B)
- Time stamps, 8B each (Windows FILETIME, 100 ns ticks since 1601-01-01 UTC):
  - starting at offset +8 in the activity record: last modified
  - starting at offset +16 in the activity record: last accessed
- Organized like file MAC times


INDEX.DAT FILE HEADER

REDR Activity Record
- Subject's browser was redirected to another site
- Same type, length, and data format
- Followed by the URL at offset 16 in the activity record

INDEX.DAT FILE HEADER

LEAK Activity Record
- Same layout as URL


INDEX.DAT FILE HEADER

Deleted Records:
- Will not show up when consulting the IE history, but are often still there.
- "Delete history" does not rewrite the history file, so the old records remain in it and can be found by scanning the file for record signatures rather than by following the hash table.
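The following is an added example, not code from the slides or from any of the tools named above. It walks an index.dat exactly as the slides describe: version string and file size in the header, hash table pointer at 0x20, HASH tables chained by their "next" pointer and sized in 128-byte blocks, then URL / REDR / LEAK activity records whose length field is multiplied by 0x80 and whose time stamps sit at +8 and +16. It also carves every record signature on a block boundary, so records that "Delete history" has unlinked from the hash table are listed as possibly deleted. Assumptions made here: unused hash slots hold 0, a valid record pointer is block-aligned and inside the file, the URL record stores the offset of its location string at +0x34 (the 5.2 layout documented by the libmsiecf project), and the sample file is constructed in build_sample(), not taken from a real system.

```python
"""Minimal index.dat (MSIECF) walker: header, chained HASH tables, URL/REDR/LEAK
records in 128-byte blocks, and carving of records no hash table references."""
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                                   # tables and records are sized in 128-byte blocks
RECORD_TYPES = (b"URL ", b"REDR", b"LEAK")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def cstring(buf, off):
    """Null-terminated ASCII string starting at buf[off]."""
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")

def parse_header(buf):
    version = cstring(buf, 0)                                  # "Client UrlCache MMF Ver 5.2"
    size, hash_off = struct.unpack_from("<II", buf, 0x1C)      # file size, first hash table
    return {"version": version, "size": size, "hash_table": hash_off}

def hash_table_offsets(buf, first):
    """Follow the chain of HASH tables and yield every record offset they reference."""
    off, seen = first, set()
    while off and off not in seen:                             # guard against a looping chain
        seen.add(off)
        assert buf[off:off + 4] == b"HASH", "no HASH magic at 0x%x" % off
        nblocks, nxt = struct.unpack_from("<II", buf, off + 4)   # size in blocks, next table (0 = last)
        for pos in range(off + 16, off + nblocks * BLOCK, 8):    # 8-byte entries: flag, record pointer
            _flag, rec = struct.unpack_from("<II", buf, pos)
            # Assumption: unused slots hold 0; real pointers are block-aligned and inside the file.
            if rec and rec % BLOCK == 0 and rec < len(buf):
                yield rec
        off = nxt

def parse_record(buf, off):
    sig = buf[off:off + 4]
    nblocks = struct.unpack_from("<I", buf, off + 4)[0]
    rec = {"offset": off, "type": sig.decode().strip(), "length": nblocks * BLOCK}
    if sig in (b"URL ", b"LEAK"):                              # LEAK shares the URL layout
        modified, accessed = struct.unpack_from("<QQ", buf, off + 8)
        url_off = struct.unpack_from("<I", buf, off + 0x34)[0]   # assumed offset of the location string
        rec.update(last_modified=filetime_to_datetime(modified),
                   last_accessed=filetime_to_datetime(accessed),
                   url=cstring(buf, off + url_off))
    elif sig == b"REDR":
        rec["url"] = cstring(buf, off + 16)                    # URL follows at offset 16
    return rec

def parse_index_dat(buf):
    hdr = parse_header(buf)
    referenced = set(hash_table_offsets(buf, hdr["hash_table"]))
    records = []
    # Carve every record signature on a block boundary, not just what the hash
    # tables point at: "delete history" leaves the old records in place.
    for off in range(0, len(buf), BLOCK):
        if buf[off:off + 4] in RECORD_TYPES:
            rec = parse_record(buf, off)
            rec["deleted"] = off not in referenced
            records.append(rec)
    return hdr, records

def _url_record(url, modified_ft, accessed_ft, nblocks=2):
    body = bytearray(nblocks * BLOCK)
    body[0:4] = b"URL "
    struct.pack_into("<IQQ", body, 4, nblocks, modified_ft, accessed_ft)
    struct.pack_into("<I", body, 0x34, 0x68)                   # location string stored at +0x68
    body[0x68:0x68 + len(url) + 1] = url.encode() + b"\0"
    return bytes(body)

def _redr_record(url, nblocks=1):
    body = bytearray(nblocks * BLOCK)
    body[0:4] = b"REDR"
    struct.pack_into("<I", body, 4, nblocks)
    body[16:16 + len(url) + 1] = url.encode() + b"\0"
    return bytes(body)

def build_sample():
    """Constructed index.dat: one live URL record, one redirect, and one URL
    record that no hash table references any more (a 'deleted' entry)."""
    hash_off, live, redir, dead, size = 0x80, 0x180, 0x280, 0x300, 0x400
    utc = timezone.utc
    buf = bytearray(size)
    buf[0:28] = b"Client UrlCache MMF Ver 5.2\0"
    struct.pack_into("<II", buf, 0x1C, size, hash_off)
    buf[hash_off:hash_off + 4] = b"HASH"
    struct.pack_into("<III", buf, hash_off + 4, 2, 0, 1)       # 2 blocks, no next table, sequence 1
    struct.pack_into("<II", buf, hash_off + 16, 0x40036CDA, live)
    struct.pack_into("<II", buf, hash_off + 24, 0x12345678, redir)
    buf[live:live + 0x100] = _url_record("http://www.example.com/",
                                         to_filetime(datetime(2013, 3, 31, 8, tzinfo=utc)),
                                         to_filetime(datetime(2013, 4, 1, 12, tzinfo=utc)))
    buf[redir:redir + 0x80] = _redr_record("http://example.com/")
    buf[dead:dead + 0x100] = _url_record("http://www.example.org/erased", 0,
                                         to_filetime(datetime(2013, 4, 1, 12, 30, tzinfo=utc)))
    return bytes(buf)

if __name__ == "__main__":
    for item in parse_index_dat(build_sample())[1]:
        print(item)
```

Against a real file, call parse_index_dat(open(path, "rb").read()) and compare the live (non-deleted) set with Pasco's output; any record only the carving pass finds is a candidate deleted entry worth reporting with its own last-accessed time.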


Computer Forensics, 2013

INTERNET EXPLORER ARTIFACTS (CONTINUED)


INDEX.DAT ARTIFACTS

- IE artifacts are created by the WinInet API
- Often, malware uses the same API
- If it runs at administrator level, this shows up as entries in the index.dat for the "Default User" or "LocalService" account


IE FAVORITES

- Located in %USERPROFILE%\Favorites
- Each favorite is a file with its own MAC times


COOKIES

- Cookie files generated in
  - Documents and Settings\%username%\Cookies
  - Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
- Can be inspected directly or by using galleta
- Time stamps can be from the issuing site; more likely, created by JavaScript (giving local time)

CACHES

- Stored in system-type specific directories


FIREFOX

- Stores data in SQLite 3 databases; open tools can access them
- Firefox stores data in a user-specific profile directory; the folder contains profiles.ini
- profiles.ini points to the profile folders. Important files:
  - formhistory.sqlite
  - downloads.sqlite
  - cookies.sqlite
  - places.sqlite

FIREFOX

Cache
- The cache directory contains numbered files in a binary format
- Tools: NirSoft, Woanware

FIREFOX

sessionstore.js
- Used to restore the browsing session if Firefox is not terminated properly
- Content: JSON objects (use a JSON viewer)


CHROME

- Uses a system-type dependent directory location
- Uses SQLite
  - Cookies
  - History: tables downloads, urls, visits
  - Time values are stored as microseconds (not seconds) since Jan 1, 1601 UTC
  - Login Data
  - Web Data (autofill)
  - Thumbnails (of websites visited)
- Chrome bookmarks: a file with JSON objects

CHROME

Cache
- index file
- four number files data_0, .., data_3
- f_(six hex digits) files
- Creation time of the f_ files can be correlated with data from the History database
- No open source tools


SAFARI

- History in History.plist; times stored as MacAbsoluteTime (seconds since January 1, 2001 GMT)
- Use Safari Forensics Tools (SFT) for scanning
- Downloads.plist, Bookmarks.plist, Cookies.plist

SAFARI

- Cache information in Cache.db, an SQLite3 database
  - cfurl_cache_response (URL)
  - cfurl_cache_blob_data (actual cached data)
- LastSession.plist
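The Chrome and Safari slides above both come down to the same two operations: query an SQLite history database and convert a browser-specific epoch to UTC. The block below is an added example, not code from the slides or from any browser project. It builds a constructed in-memory database with a subset of Chrome's History schema (urls and visits tables), converts Chrome time (microseconds since 1601), Firefox PRTime (microseconds since 1970, an added fact not on the slides) and Safari MacAbsoluteTime (seconds since 2001), and decodes the visit transition using Chromium's page-transition encoding (core type in the low byte, SERVER_REDIRECT qualifier 0x80000000). The sample rows, URLs and the helper names are all assumptions for this example.

```python
"""Chrome-style History query plus epoch conversion for Chrome, Firefox and Safari."""
import sqlite3
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # Chrome: microseconds since 1601-01-01 UTC
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)     # Firefox PRTime: microseconds since 1970-01-01 UTC
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=UTC)    # Safari MacAbsoluteTime: seconds since 2001-01-01

def chrome_time(us):
    return None if not us else WEBKIT_EPOCH + timedelta(microseconds=us)

def firefox_time(us):
    return None if not us else UNIX_EPOCH + timedelta(microseconds=us)

def safari_time(secs):
    return None if not secs else COCOA_EPOCH + timedelta(seconds=secs)

# Subset of Chrome's History schema, constructed for this example.
CHROME_SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                   typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                     from_visit INTEGER, transition INTEGER);
"""
TRANSITION_CORE = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 5: "GENERATED", 8: "RELOAD"}
SERVER_REDIRECT = 0x80000000                      # Chromium page-transition qualifier flag

def chrome_history(conn):
    """Join visits to urls, oldest first, with Chrome time converted to UTC ISO strings."""
    rows = conn.execute("""SELECT v.id, u.url, u.title, v.visit_time, v.from_visit, v.transition
                           FROM visits v JOIN urls u ON u.id = v.url
                           ORDER BY v.visit_time""")
    out = []
    for vid, url, title, vtime, from_visit, transition in rows:
        when = chrome_time(vtime)
        out.append({
            "id": vid, "url": url, "title": title,
            "visited": when.isoformat() if when else None,
            "from_visit": from_visit,                                 # 0 = no referring visit
            "transition": TRANSITION_CORE.get(transition & 0xFF, "OTHER"),
            "server_redirect": bool(transition & SERVER_REDIRECT),
        })
    return out

def load_sample():
    """Constructed History database: a typed visit that is redirected, then a later typed visit."""
    t0 = 13009291200000000                        # 2013-04-01 12:00:00 UTC in Chrome time
    conn = sqlite3.connect(":memory:")
    conn.executescript(CHROME_SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "http://example.com/", "Example Domain", 1, 1, t0, 0),
        (2, "http://www.example.com/", "Example Domain", 2, 1, t0 + 3600 * 10**6, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 1),                                   # typed into the address bar
        (2, 2, t0 + 500_000, 1, 0 | SERVER_REDIRECT),       # redirect from visit 1, 0.5 s later
        (3, 2, t0 + 3600 * 10**6, 0, 1),                    # typed again an hour later
    ])
    conn.commit()
    return conn

if __name__ == "__main__":
    for row in chrome_history(load_sample()):
        print(row)
    print(safari_time(386510400), firefox_time(1364817600000000))
```

Against a real profile, open a copy of the History file (Chrome keeps it locked while running) with sqlite3.connect and pass the connection to chrome_history; the same epoch helpers apply to the downloads table, to Firefox's moz_places and moz_historyvisits, and to History.plist values once read with plistlib.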



OUTLOOK ARTIFACTS


OUTLOOK

- Storage format is PST; OST is used for offline storage of email
- PST format information at msdn.microsoft.com/en-us/library/ff385210.aspx

