Computer Forensics: Investigations Procedures and Responses (Chapter 7)
How Firefox stores internet data
It uses cache folders on disk (it does not use index.dat files).
Internet history
Stores URLs of visited websites, searches, downloaded/opened files, and emails that have been sent or viewed through Outlook. Location: History\History.IE5\index.dat
index.dat cookies
Stores data written by web sites to the client system. This is effectively a log of every cookie that has been written.
NTUser.dat
Stores information about a particular user. There is one NTUSER.dat file for each user (it is that user's HKEY_CURRENT_USER hive). Includes browsing artifacts such as typed URLs.
Private browsing
It isn't logged in the internet history, but evidence can still be found in the registry and cache (including images, etc.)
HKEY
short for "handle to key" (a handle to a registry key)
The creation date of a .lnk file
When the underlying file was first opened
EXIF Data
"Exchangeable Image File Format": a metadata standard used mostly with JPEG-compressed images. Because the data is embedded in the file itself, it can also be read directly from the raw bytes in a hex editor.
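As an added example (not part of the original course material), the following Python script parses the Exif segment of a JPEG the way an examiner's tool does: it walks the JPEG marker segments, finds APP1/Exif, and decodes the TIFF-structured tag table (IFD0, and the Exif sub-IFD if one is pointed to). The sample image is constructed inline (a bare JPEG wrapper carrying only an Exif segment, not a real photo), and the tag-name table is a small illustrative subset of the standard.

```python
import struct
from typing import Optional

# Illustrative subset of the EXIF tag table; unknown tags are reported by number.
TAG_NAMES = {
    0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
    0x8769: "ExifIFDPointer", 0x9003: "DateTimeOriginal",
}
# TIFF field type -> size in bytes of one element.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}


def find_exif_segment(jpeg: bytes) -> Optional[bytes]:
    """Walk the JPEG marker segments and return the TIFF payload of the APP1/Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing FF D8 (SOI) signature")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or start-of-scan: no more header segments
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])   # length includes itself
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seg_len]
        pos += 2 + seg_len
    return None


def parse_tiff(tiff: bytes) -> dict:
    """Decode IFD0 (and the Exif sub-IFD it points to) from the TIFF structure inside APP1."""
    if tiff[:2] == b"II":
        e = "<"                              # Intel byte order
    elif tiff[:2] == b"MM":
        e = ">"                              # Motorola byte order
    else:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
    if magic != 0x2A:
        raise ValueError("bad TIFF magic")
    tags = {}

    def read_ifd(off: int) -> None:
        (count,) = struct.unpack(e + "H", tiff[off:off + 2])
        for i in range(count):
            ent = off + 2 + i * 12
            tag, typ, n = struct.unpack(e + "HHI", tiff[ent:ent + 8])
            raw = tiff[ent + 8:ent + 12]
            size = TYPE_SIZES.get(typ, 1) * n
            # Values of 4 bytes or fewer live in the entry itself; larger ones are pointed to.
            data = raw[:size] if size <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:size]
            if typ == 2:                     # ASCII, NUL-terminated
                value = data.rstrip(b"\x00").decode("ascii", "replace")
            elif typ == 3:
                value = list(struct.unpack(e + "H" * n, data))
            elif typ == 4:
                value = list(struct.unpack(e + "I" * n, data))
            else:
                value = data.hex()
            tags[TAG_NAMES.get(tag, f"Tag_0x{tag:04X}")] = value
            if tag == 0x8769:                # Exif IFD pointer: follow it
                read_ifd(value[0])

    read_ifd(ifd0)
    return tags


def extract_exif(jpeg: bytes) -> dict:
    seg = find_exif_segment(jpeg)
    return parse_tiff(seg) if seg is not None else {}


def build_sample_jpeg() -> bytes:
    """Constructed test input: a minimal JPEG wrapper with an Exif APP1 segment (not a real photo)."""
    make = b"ExampleCam\x00"
    stamp = b"2021:03:04 05:06:07\x00"
    n = 2
    data_off = 8 + 2 + n * 12 + 4            # the strings follow the IFD directly
    ifd = struct.pack("<H", n)
    ifd += struct.pack("<HHII", 0x010F, 2, len(make), data_off)
    ifd += struct.pack("<HHII", 0x0132, 2, len(stamp), data_off + len(make))
    ifd += struct.pack("<I", 0)              # no next IFD
    tiff = b"II" + struct.pack("<HI", 0x2A, 8) + ifd + make + stamp
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for k, v in extract_exif(build_sample_jpeg()).items():
        print(f"{k}: {v}")
```

The DateTime string is exactly what the camera wrote, in local time with no zone; when it is used to build a timeline it should be correlated with the filesystem timestamps rather than trusted on its own, since it is plain text in the file and trivially editable.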
What is the Windows registry made up of
"keys" which act like folders
Cookies
A cookie is a file created by a web browser and saved to the client machine. Cookies are often used to save settings and track usage. Index: Cookies\index.dat
3 types of logs displayed by the event viewer by default
Application log: events generated by applications; for example, a spreadsheet program might record a missing-or-corrupted-file error here. Security log: the system administrator specifies which events to log; login attempts are commonly logged here, and file access may also be audited. System log: events relating to system components, such as errors produced by drivers.
Index.dat location for Windows XP
C:\Documents and Settings\<username>\Cookies\index.dat; C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat; C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Significant Points of Evidence in Windows Systems
Internet history - LINK files (AKA "Recents") - Thumbs.db/thumbcache.db - Document/image metadata - Activity logs - Registry
Temporary Internet Cache
Cached web pages and multimedia content from websites the user has visited. Previously cached sites remain available offline, and websites load faster the next time they are visited. Index: Temporary Internet Files\Content.IE5\index.dat
5 types of events logged by the Event Viewer
Error - a serious problem, such as a service that fails to start or data that has been lost. Warning - a possible problem, such as low disk space. Information - a new or successful event, such as loading a new driver. Success Audit - a security event, such as a login attempt, that succeeds. Failure Audit - a security event, such as a login attempt, that fails.
Three separate concepts that index.dat is based on
History, Cookies, Temporary Internet Files
Information contained on Windows Registry
Keeps track of user and system configuration and preferences - Search terms - Programs that were run or installed - Web addresses - Files/software that have been recently opened
Three types of index.dat files
Master - contains the overall current history. Daily - stored within a folder whose name contains the date range; one folder for each day. Weekly - stored within a folder whose name contains the date range; when the week ends, a new weekly folder is created and the dailies are deleted.
Thumbs.db
System-generated file that catalogues the images/movies in a folder. Used to display thumbnail representations of files. Automatically generated when a user requests thumbnail view (or when the folder defaults to it).
How can internet history be reconstructed?
From the Temporary Internet Cache and the History files (index.dat)
Scienter
a legal term that refers to intent or knowledge of wrongdoing
index.dat Temporary Internet Cache
Assists IE in loading cached pages to improve browsing speed. Pages may be renamed when cached, and the mapping between the original URL and the cached file name is stored here. May be a place to look for evidence of web-based email.
Analysis of the thumbs.db file
Can assist in recreating the history of a folder (thumbnails may survive after the original images are deleted) or in tracking the movement of a file.
Microsoft Management Console (MMC)
contains a number of tools for monitoring and managing systems - Windows Event Viewer
HKEY_CURRENT_CONFIG
contains configuration information regenerated when the system boots.
HKEY_USERS
contains subkeys corresponding to the HKEY_CURRENT_USER keys for each registered user on the machine
index.dat
File created by Internet Explorer that stores information about the internet history on a computer.
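As an added example covering the index.dat cards above (history, cookies and temporary internet cache), and not taken from the course, here is a Python carver for the "URL " records that make up an index.dat file. The field offsets used (block count at 0x04, last-modified and last-accessed FILETIMEs at 0x08 and 0x10, URL-string and cached-file-name offsets at 0x34 and 0x3C) are assumed from the "Client UrlCache MMF Ver 5.2" layout as documented by tools such as pasco and libmsiecf; the sample file is constructed inline, so the script runs without a real cache.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK = 128                          # index.dat records are allocated in 128-byte blocks
# Offsets inside a "URL " record (assumed from the documented Ver 5.2 layout).
OFF_BLOCKS, OFF_MODIFIED, OFF_ACCESSED, OFF_URL, OFF_FILENAME = 0x04, 0x08, 0x10, 0x34, 0x3C
STRINGS_START = 0x68                 # where the variable-length strings usually begin


def filetime_to_datetime(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def read_cstring(buf: bytes, off: int, limit: int) -> str:
    end = buf.find(b"\x00", off, limit)
    return buf[off:(end if end != -1 else limit)].decode("latin-1")


def carve_url_records(data: bytes) -> list:
    """Scan for 'URL ' records anywhere in the buffer and decode the fields an examiner wants."""
    out, pos = [], 0
    while True:
        pos = data.find(b"URL ", pos)
        if pos == -1:
            break
        if len(data) - pos >= STRINGS_START:
            (blocks,) = struct.unpack_from("<I", data, pos + OFF_BLOCKS)
            if 1 <= blocks <= 64:        # sanity check: stray "URL " text is not a record
                rec_len = blocks * BLOCK
                rec = data[pos:pos + rec_len]
                modified, accessed = struct.unpack_from("<QQ", rec, OFF_MODIFIED)
                (url_off,) = struct.unpack_from("<I", rec, OFF_URL)
                (fn_off,) = struct.unpack_from("<I", rec, OFF_FILENAME)
                out.append({
                    "offset": pos,
                    "url": read_cstring(rec, url_off, rec_len) if 0 < url_off < rec_len else "",
                    "cached_file": read_cstring(rec, fn_off, rec_len) if 0 < fn_off < rec_len else "",
                    "modified": filetime_to_datetime(modified),
                    "accessed": filetime_to_datetime(accessed),
                })
                pos += rec_len
                continue
        pos += 4
    return out


def build_url_record(url: str, cached_file: str, modified: datetime, accessed: datetime) -> bytes:
    """Constructed record in the layout above (test input, not real cache data)."""
    strings = url.encode("latin-1") + b"\x00"
    fn_off = STRINGS_START + len(strings)
    strings += cached_file.encode("latin-1") + b"\x00"
    total = STRINGS_START + len(strings)
    blocks = -(-total // BLOCK)          # round up to whole 128-byte blocks
    rec = bytearray(blocks * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, OFF_BLOCKS, blocks)
    struct.pack_into("<QQ", rec, OFF_MODIFIED, datetime_to_filetime(modified), datetime_to_filetime(accessed))
    struct.pack_into("<I", rec, OFF_URL, STRINGS_START)
    struct.pack_into("<I", rec, OFF_FILENAME, fn_off if cached_file else 0)
    rec[STRINGS_START:total] = strings
    return bytes(rec)


UTC = timezone.utc
# Constructed sample: a (shortened) file header, a stray "URL " string that must be
# ignored, one History-style record and one cache-style record.
SAMPLE_INDEX_DAT = (
    (b"Client UrlCache MMF Ver 5.2\x00" + b"\x00\x00\x00\x00URL ").ljust(2 * BLOCK, b"\x00")
    + build_url_record("Visited: alice@http://example.com/login", "",
                       datetime(2021, 3, 4, 5, 6, 7, tzinfo=UTC), datetime(2021, 3, 4, 5, 6, 9, tzinfo=UTC))
    + build_url_record("http://example.com/inbox/mail.html", "mail[1].html",
                       datetime(2021, 3, 4, 5, 7, 0, tzinfo=UTC), datetime(2021, 3, 4, 5, 7, 1, tzinfo=UTC))
)

if __name__ == "__main__":
    for r in carve_url_records(SAMPLE_INDEX_DAT):
        print(f"{r['accessed']}  {r['url']}  ->  {r['cached_file'] or '(no cached copy)'}")
```

Carving by signature rather than walking the allocation tables is deliberate: it also recovers records that the index no longer references, which is where deleted history tends to survive.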
file header/signature
Located at the beginning of the file. Programs and forensic tools use this signature to identify the file type independently of the extension. This is why a Word document renamed with a .LAM extension will still open as a document when opened from within Word.
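The header check described above, as an added Python example (not from the course): it identifies files by their leading bytes and flags any file whose extension disagrees with its signature, the classic way to spot a renamed document. The signature table is an illustrative subset chosen for this example, and the sample files are constructed inline (only the first bytes matter for the check).

```python
import os

# Well-known magic bytes at file offset 0 and the extensions they normally carry
# (illustrative subset, not an exhaustive list).
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file", {".doc", ".xls", ".ppt", ".db"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"\x4c\x00\x00\x00\x01\x14\x02\x00", "Windows shell link", {".lnk"}),
    (b"Client UrlCache MMF", "IE index.dat", {".dat"}),
]


def identify(data: bytes):
    """Return (type name, expected extensions) for the first matching signature, or None."""
    for magic, name, exts in SIGNATURES:
        if data.startswith(magic):
            return name, exts
    return None


def check_file(filename: str, data: bytes) -> dict:
    """Compare what the header says the file is with what its extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    hit = identify(data)
    if hit is None:
        return {"file": filename, "extension": ext, "detected": None, "mismatch": False}
    name, exts = hit
    return {"file": filename, "extension": ext, "detected": name, "mismatch": ext not in exts}


# Constructed samples: a Word .doc renamed to .LAM, a genuine JPEG, a ZIP posing as
# text, and a plain text file with no recognisable signature.
SAMPLES = {
    "report.LAM": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "notes.txt": b"PK\x03\x04" + b"\x00" * 12,
    "readme.txt": b"plain text, no signature",
}


def scan(samples=None) -> list:
    return [check_file(n, d) for n, d in (samples or SAMPLES).items()]


if __name__ == "__main__":
    for r in scan():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['file']:<12} {r['extension']:<5} -> {r['detected']}  [{flag}]")
```

Only the first few bytes are read, so the same check can be run over an entire evidence tree cheaply; a mismatch is a lead to examine, not proof of intent by itself.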
LINK Files
Shortcuts that point to other files. They can be created by the user or by the system: files with a .lnk extension are created automatically when registered file types are opened in Windows. The listings in Recent Documents are link files.
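As an added example for the two LINK-file cards (this one and "The creation date of a .lnk file"), and not part of the course, the Python below decodes the fixed 76-byte ShellLinkHeader at the start of a .lnk file: the HeaderSize/LinkCLSID signature, the link flags, and the target file's attributes, size and creation/access/write FILETIMEs. Note that these timestamps describe the target at the time the link was written; the .lnk file's own filesystem creation time (from the evidence filesystem, not from this header) is what records when the target was first opened. The sample link is constructed inline and consists of the header only.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_datetime(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_lnk_header(data: bytes) -> dict:
    """Decode the fixed ShellLinkHeader that begins every .lnk file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    (hdr_size,) = struct.unpack_from("<I", data, 0)
    if hdr_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("missing shell link signature (HeaderSize 0x4C + LinkCLSID)")
    # Offsets 20..56: LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    return {
        "link_flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "target_attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
    }


def build_sample_lnk(created, accessed, modified, size, flags=0x8C, attrs=0x20) -> bytes:
    """Constructed test input: a header-only .lnk (real files carry more structures after it)."""
    hdr = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    hdr += struct.pack("<IIQQQI", flags, attrs, datetime_to_filetime(created),
                       datetime_to_filetime(accessed), datetime_to_filetime(modified), size)
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    hdr += struct.pack("<IIHHII", 0, 1, 0, 0, 0, 0)
    assert len(hdr) == LNK_HEADER_SIZE
    return hdr


UTC = timezone.utc
SAMPLE_LNK = build_sample_lnk(datetime(2020, 5, 6, 7, 8, 9, tzinfo=UTC),
                              datetime(2021, 1, 2, 3, 4, 5, tzinfo=UTC),
                              datetime(2020, 5, 6, 7, 8, 9, tzinfo=UTC), 4096)

if __name__ == "__main__":
    for k, v in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{k}: {v}")
```

The link flags tell you which optional structures (target ID list, LinkInfo with the volume and local path, relative path, arguments) follow the header, which is where the target's full path is recovered in a full parser.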
Windows Registry
Simply a database of configuration data; like the computer's central nervous system.
HKEY_LOCAL_MACHINE
stores general settings for all users on the computer.
HKEY_CLASSES_ROOT
stores information about registered applications.
HKEY_CURRENT_USER
stores settings for the user currently logged in.