
CSN11121 System Administration and Forensics Web Browser Forensic - PowerPoint PPT Presentation



  1. CSN11121 System Administration and Forensics Web Browser Forensic r.ludwiniak@napier.ac.uk

  2. Overview
  • Forensics on Internet Explorer and Firefox
    – Structure
    – Information storage
    – Access to the information storage
    – Tools used to analyze IE’s history, cached files, cookies and stored credentials

  3. Forensics on Windows Web Browsers – The “Market”
  • The major browsers (most to least used):
    – Internet Explorer – 61.58%
    – Mozilla Firefox – 24.23%
    – Everything else! – 14.19%
  Source: Hitslink.com – February 2010

  4. Internet Explorer – Storage
  • Stores files used in displaying web pages (cache), tracking pages visited (history) and automatic identification / authentication (cookies, credentials)
  • Viewed pages retrieve their page code and embedded files (such as graphics) from the hard drive rather than from the server, so the page loads faster (cache)
  • Able to see a record of recently visited pages (history)
  • No need to sign in again at sites that require it, or to specify preferences again (cookies and credentials). Cookies are also used by the visited site and by other sites to track web browsing, which is a privacy discussion on its own.

  5. Internet Explorer – History Menu
  • The easiest way to access the browsing history in Internet Explorer: the History menu!
  • Click on the icon (clock with a green arrow running down the left side in IE6, orange star on the left in IE7 & 8) or hit <Ctrl>-<h>
  • Brings up a sidebar with the history nicely arranged, including Windows documents viewed
  • Use the View menu to arrange the pages visited by date, by site, by most visited, and by order visited today

  6. Internet Explorer – File Locations
  • Windows 2000, XP, and 2003
    – Stores the evidence of pages visited in index.dat in 4 locations, pertaining to the cache, history and cookies
    – These files may be difficult to find, as Windows persists in “hiding” them from Windows Explorer, Search, and even command-line browsing
  • Windows Vista, 7 and 2008 changed the locations!

  7. Internet Explorer – Browsing History With Cache Files
  • For the subject's browsing history (index.dat and the cache files themselves, in subdirectories), use Windows Explorer to look in:
    – C:\Documents and Settings\<subject User’s ID>\Local Settings\Temporary Internet Files\Content.IE5\
    – C:\Users\<subject User’s ID>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\

  8. Internet Explorer – Browsing History Without Cache Files
  • For the subject's browsing history (index.dat without the cache files), use a browser (NOT Windows Explorer) or a command prompt to look in C:\Documents and Settings\<subject User’s ID>\Local Settings\History\History.IE5\
    – Daily history: MSHist01(start)YYYYMMDD(end)YYYYMMDD
    – Weekly history: MSHist01(start)YYYYMMDD(end)YYYYMMDD
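An added example, not part of the slides: a small Python parser for the MSHist01 folder names described above. It classifies each History.IE5 subfolder as daily or weekly from the span between its two embedded dates, flags names that do not fit the scheme (or carry impossible dates) for manual review, and orders the rest chronologically; the directory listing it runs over is constructed.

```python
import re
from datetime import datetime

# Naming scheme of the History.IE5 subfolders from the slide:
# MSHist01 + start date + end date, both as YYYYMMDD.
_MSHIST_RE = re.compile(r"^MSHist01(\d{8})(\d{8})$")


def parse_mshist_folder(name):
    """Return (start, end, kind) for one History.IE5 subfolder name, or None.

    kind is 'daily' when the folder spans one day (end = start + 1 day) and
    'weekly' when it spans seven days; any other span is reported as 'other'.
    Names that do not match the scheme, or carry impossible dates, give None.
    """
    m = _MSHIST_RE.match(name)
    if not m:
        return None
    try:
        start = datetime.strptime(m.group(1), "%Y%m%d").date()
        end = datetime.strptime(m.group(2), "%Y%m%d").date()
    except ValueError:
        return None  # eight digits, but not a real calendar date
    span = (end - start).days
    kind = {1: "daily", 7: "weekly"}.get(span, "other")
    return start, end, kind


def build_timeline(folder_names):
    """Order recognised folders chronologically as (start, end, kind, name)
    and collect the names that do not follow the scheme for manual review."""
    recognised, unrecognised = [], []
    for name in folder_names:
        parsed = parse_mshist_folder(name)
        if parsed is None:
            unrecognised.append(name)
        else:
            recognised.append(parsed + (name,))
    recognised.sort()
    return recognised, unrecognised


# Constructed sample listing of a History.IE5 directory (not from a real system).
SAMPLE_LISTING = [
    "MSHist012010021620100217",  # daily folder for 16 Feb 2010
    "MSHist012010020820100215",  # weekly folder, 8 to 15 Feb 2010
    "index.dat",                 # the master history index, not a dated folder
    "MSHist012010021520100216",  # daily folder for 15 Feb 2010
    "MSHist012010023020100231",  # constructed bogus dates: rejected
]
```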

  9. Internet Explorer – Index.dat In Depth – Header
  [slide image: index.dat header layout; no text recoverable]

  10. Internet Explorer – Index.dat In Depth – Activity Record
  [slide image: index.dat activity record layout; no text recoverable]

  11. IE – What If The Subject Clears The Cache?
  • In IE6, when you select Delete Files, the cache files are deleted from the hard drive, but the entries in index.dat are marked “free” and NOT removed!
  • IE7 & 8 are more thorough
    – Selecting Delete Files removes both the files and the entries in index.dat (although you can restore the files themselves, as they are not overwritten)

  12. IE8 – What If The subject uses “InPrivate Browsing”?

  13. Internet Explorer – Cookies
  • For cookies saved on the subject's hard drive (individual cookie text files), use Windows Explorer to look in C:\Documents and Settings\<subject User’s ID>\Cookies\

  14. Internet Explorer 6 and Before – Identification / Authentication
  • Stores encrypted user IDs and passwords (AutoComplete) in HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW, and web addresses in HKLM\Software\Microsoft\Protected Storage System Provider\<subject’s user ID>

  15. Internet Explorer 7 & 8 – Identification / Authentication
  • Stores encrypted user IDs and passwords (AutoComplete) in HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • Encryption has been improved

  16. Mandiant Web Historian – Overview
  • A tool that allows you to take a given index.dat file and parse it into a readable / exportable format
  • Available at http://www.mandiant.com/webhistorian.htm
  • The best part: it’s FREE!

  17. Mandiant Web Historian – Running
  • When you run the program, you are presented with two ways of obtaining an index.dat file
  • Note that only certain approaches work for certain files, and using the wrong approach may lock up the Web Historian program!

  18. Mandiant Web Historian – History Report

  19. Pasco
  • Pasco is another tool for analysis of the index.dat files, but this one also runs on Unix, which is another environment where you may be running other forensics tools
  • Does basically the same operation as Web Historian, outputting to delimited text files that can be imported elsewhere

  20. Pasco - History with Cache

  21. Galleta – Cookie Analysis
  • From the command line (Unix or Windows): galleta <option> (filename)
  • Option: -t (column delimiter, defaults to tab)
  • Use > to redirect output into a file

  22. IE PassView – Stored Credentials
  • IE PassView reads the stored Internet Explorer credentials from the Windows Registry and returns the website, user ID and password in columnar format
  • Note that this will obtain the user credentials, but not other AutoComplete information such as form fields
  • You would have to run it on the subject's computer, which is not a very good idea, so create a (forensic) working copy and run it from there

  23. Firefox – What We Will Cover
  • Where Firefox stores files used in displaying web pages (cache), tracking pages visited (history) and automatic identification / authentication (cookies, credentials)
  • How to access the information using just the browser
  • Tools used to analyze Firefox’s history, cached files, cookies and stored credentials
  • Tools used to override protection of the stored credentials

  24. Firefox – Overview
  • Open source web browser
  • Evolved from the Netscape Navigator web browser
  • Support for images, frames, SSL and JavaScript
  • Full disk cache support

  25. Firefox – File Locations
  • Firefox stores its history, downloads, form fields, cookies, and identification / authentication files in the same location:
    – C:\Documents and Settings\<subject User’s ID>\Application Data\Mozilla\Firefox\Profiles\<seemingly random characters>.default\ (Windows XP)
    – C:\Users\<subject User’s ID>\AppData\Local\Mozilla\Firefox\Profiles\<seemingly random characters>.default\ (Windows Vista, 7 and 2008)

  26. Firefox – File Locations (2)
  • Firefox stores its cache files in a different location:
    – C:\Documents and Settings\<subject User’s ID>\Local Settings\Application Data\Mozilla\Firefox\Profiles\<seemingly random characters>.default\Cache\ (Windows XP)
    – C:\Users\<subject User’s ID>\AppData\Local\Mozilla\Firefox\Profiles\<seemingly random characters>.default\Cache\ (Windows Vista)

  27. SQLite Library
  • Software library that implements a transactional SQL database engine
  • Used by Firefox to store information in the files we discussed before
  • Unlike with earlier Firefox versions, the text in SQLite format can be read easily within Firefox

  28. Firefox Data Files – In Depth
  • places.sqlite: stores information regarding the places where the user has browsed
    – moz_places: records each URL visited and related information
    – moz_historyvisits: records all visits to URLs recorded in the moz_places table
    – moz_inputhistory: records information typed into text boxes on web pages
    – moz_favicons: records information for the page’s favorite icon (favicon)

  29. Firefox Data Files – In Depth (2)
  • formhistory.sqlite: stores values with the corresponding fields filled in on a web page
    – moz_formhistory: records information typed into HTML forms
  • cookies.sqlite: stores cookies obtained from URLs
    – moz_cookies: records places, values and expiration of obtained cookies
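An added example, not from the slides: a Python script that queries the moz_places and moz_historyvisits tables described on slide 28 to build a visit timeline with the referring page resolved through from_visit. It assumes a reduced subset of the real places.sqlite columns (id, url, title, visit_count; id, from_visit, place_id, visit_date, visit_type) and that visit_date is stored as microseconds since the Unix epoch, which is how Firefox records it; the data is constructed in memory, so on a real case you would point sqlite3.connect at a copy of places.sqlite taken from the profile folder.

```python
import sqlite3
from datetime import datetime, timezone

# Reduced subset of the real places.sqlite schema (these column names exist in
# Firefox; the real tables carry more). visit_date is a PRTime value:
# microseconds since the Unix epoch, UTC.
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
    visit_date INTEGER, visit_type INTEGER);
"""

def prtime_to_utc(prtime):
    """Convert a PRTime value (microseconds since the epoch) to a UTC datetime."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)

def history_timeline(conn):
    """Join each visit to its URL, oldest first, and resolve the referring
    URL through from_visit so the navigation chain is visible."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type, rp.url
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits rv ON rv.id = v.from_visit
        LEFT JOIN moz_places rp ON rp.id = rv.place_id
        ORDER BY v.visit_date""").fetchall()
    return [{"when": prtime_to_utc(ts).strftime("%Y-%m-%d %H:%M:%S UTC"),
             "url": url, "title": title, "visit_type": vtype, "referrer": ref}
            for ts, url, title, vtype, ref in rows]

def build_sample_db():
    """Constructed sample data in memory, not a real profile."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", [
        (1, "http://example.com/", "Example", 1),
        (2, "http://example.com/login", "Login", 1),
    ])
    # 1266226200 s = 2010-02-15 09:30:00 UTC; PRTime needs microseconds.
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, 1266226200 * 1_000_000, 1),  # no referrer (from_visit 0)
        (2, 1, 2, 1266226260 * 1_000_000, 1),  # reached from visit 1
    ])
    return conn
```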

  30. Firefox – Viewing Without Tools
  • View the History menu, or display it in a sidebar with <Ctrl>-<h>
  • Type “about:cache” in the address bar to view cache files
  • Tools / Options / Privacy / Cookies / Show Cookies

  31. Firefox – Viewing (Almost) Without Tools

  32. Mandiant Web Historian – Firefox

  33. Firefox Cache – Inside The Files
  • On Firefox, the cache information is stored across 3 types of files: one (1) cache map file, three (3) cache block files, and as many additional cache data files as required to store additional cache data
