Embed Size (px)
Citation preview
Overview
• Forensics on Internet Explorer and Firefox– Structure– Information storage– Access to the Information storage – Tools used to analyze IE’s history, cached files,
cookies and stored credentials
Forensics on Windows Web Browsers – The “Market”
• The major browsers (most to least-used):– Internet Explorer – 61.58%– Mozilla Firefox – 24.23%– Everything else! – 14.19%
Hitslink.com – February 2010
Internet Explorer - storage
Stores files used in displaying web pages (cache), tracking pages visited (history) and automatic identification / authentication (cookies, credentials)
• Viewed pages will retrieve its page code and embedded files (such as graphics) from the hard drive rather than the server, so the page loads faster (cache)
• Able to see a record of recently visited pages (history)• No sign in again at sites that require it, or to specify preferences again
(cookies and credentials). Also cookies are used by the visited site and other sites to track web browsing, which is a privacy discussion on its own.
Internet Explorer – History Menu• The easiest way to access the browsing history in
Internet Explorer: History menu!• Click on the icon (clock with a green arrow running down
the left side in IE6, orange star on the left in IE7 & 8) or hit <Ctrl>-<h>
• Brings up a sidebar with the history nicely arranged, including Windows documents viewed
• Use the View menu to arrange the pages visited by date, by site, by most visited, and by order visited today
Internet Explorer – File Locations
• Windows 2000, XP, and 2003– Stores the evidence of pages visited in index.dat in 4 locations, pertaining to the cache, history and cookies
– These files may be difficult to find, as Windows persists in “hiding” them from Windows Explorer, Search, and even command-line browsing
• Windows Vista, 7 and 2008 changed the locations!
Internet Explorer – Browsing History With Cache Files
• For the subject's browsing history (index.dat and the cache files themselves – in subdirectories), use Windows Explorer to look in
C:\Documents and Settings\<subject User’s ID>\Local Settings\Temporary Internet Files\Content.IE5\
C:\Users\<subject User’sID>\AppData\Local\Microsoft\ Windows\Temporary Internet Files\Content.IE5
Internet Explorer – Browsing History Without Cache Files
• For the subject's browsing history (index.dat without the cache files), use a browser (NOT Windows Explorer) or command prompt to look inC:\Documents and Settings\<subject User’s ID>\Local Settings\History\History.IE5\
Daily history: MSHist01(start)YYYYMMDD(end)YYYYMMDD
Weekly history: MSHist01(start)YYYYMMDD(end)YYYYMMDD
Internet Explorer – Index.datIn Depth - Header
Start of header
Start of cache folder listing
Internet Explorer – Index.dat In Depth - Activity Record
Start ofrecord
Last modified timestamp
Last accessed timestamp
Start ofURL
Cachedfile name
Startof httpheader
Start of user name
IE – What If The subject Clears The Cache?
• In IE6, when you select Delete Files, the cache files are deleted from the hard drive, but the entries in index.dat are marked “free” and NOT removed!
• IE7 & 8 is more thorough – Selecting Delete Files removes both the files and the entries in index.dat (although you can restore the files themselves as they are not overwritten)
IE8 – What If The subject uses “InPrivate Browsing”?
Internet Explorer – Cookies
• For cookies saved on the subject's hard drive (individual cookie text files), use Windows Explorer to look in
C:\Documents and Settings\<subject User’s ID>\Cookies\
Internet Explorer 6 and Before – Identification / Authentication
• Stores encrypted userIDs and passwords (AutoComplete) in HKCU\Software\Microsoft\Internet Explorer\IntelliForms\ SPW, and web
addresses in HKLM\Software\Microsoft\Protected Storage System Provider\<subject’s user ID>
Internet Explorer 7 & 8 – Identification / Authentication
• Stores encrypted userIDs and passwords (AutoComplete) in HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
• Encryption has been improved
Mandiant Web Historian - Overview
• A tool that allows you to take a given index.dat file and parse it into a readable / exportable format
• Available at http://www.mandiant.com/webhistorian.htm
• The best part: It’s FREE!
Mandiant Web Historian – Running
• When you run the program, you are presented with two ways of obtaining an index.dat file
• Note that only certain approaches work for certain files, and using the wrong approach may lock the Web Historian program!
Mandiant Web Historian – History Report
Pasco
• Pasco is another tool for analysis of the index.dat files, but this one also runs on Unix, which is another environment where you may be running other forensics tools
• Does basically the same operation as Web Historian, outputting to delimited text files that can be imported elsewhere
Pasco - History with Cache
Galleta - Cookie analysis
• From the command line (Unix or Windows):galleta <option> (filename)
• Option: -t (column delimiter – defaults to tab)• Use > to redirect output into a file
IE PassView - Stored Credentials
• IE PassView reads the stored Internet Explorer credentials from the Windows Registry and returns the website, userID and password in columnar format
• Note that this will obtain the user credentials, but not other autocomplete information such as form fields
• You will have to run it on the subject's computer – not a very good idea, so create a (forensic) working copy and run it from there
Firefox – What We Will Cover
• Where Firefox stores files used in displaying web pages (cache), tracking pages visited (history) and automatic identification / authentication (cookies, credentials)
• How to access the information using just the browser• Tools used to analyze Firefox’s history, cached files,
cookies and stored credentials• Tools used to override protection of the stored
credentials
Firefox - Overview
• Open source web browser• Evolved from the Netscape Navigator web
browser• Support for images, frames, SSL and javascript• Full disk cache support
Firefox – File Locations• Firefox stores its history, downloads, form fields, cookies,
and Identification / Authentication files in the same location:
C:\Documents and Settings\<subject User’s ID>\Application Data\Mozilla \Firefox\Profiles\<seemingly random characters>.default\ (Windows XP) or
C:\Users\<subject User’s ID>\AppData\Local\Mozilla \Firefox\Profiles\<seemingly random characters>.default\ (Windows Vista, 7 and 2008)
Firefox – File Locations (2)• Firefox stores its cache files in a different location:
C:\Documents and Settings\<subject User’s ID>\Local Settings\Application Data\Mozilla \Firefox\Profiles\<seemingly random characters>.default\Cache\ (Windows XP) or
C:\Users\<subject User’s ID>\AppData\Local\Mozilla \Firefox\Profiles\<seemingly random characters>.default\Cache\ (Windows Vista)
SQLite Library
• Software library that implements a transactional SQL Database Engine
• Used by Firefox to store information in the files we discussed before
• Unlike with earlier Firefox versions, the text in SQLite format can be read easily within Firefox
Firefox Data Files – In Depth
• places.sqlite: Stores information regarding the places where the user has browsed.– moz_places: records each URL visited and
related information– moz_historyvisits: records all visits to URLs
recorded in the moz_places table– moz_inputhistory: records information
typed into text boxes on web pages– moz_favicons: records information for the
page’s favorite icon.
Firefox Data Files – In Depth (2)
• formhistory.sqlite: Store values with corresponding fields filled in on a web page.–moz_formhistory: Records information typed
on HTML forms
• cookies.sqlite: Stores cookies obtained from URLs–moz_cookies: Records places, values and
expiration of obtained cookies
Firefox– Viewing Without Tools
• View the History menu, or display in a sidebar with <Ctrl>-<h>
• Type “about:cache” in the address bar to view cache files
• Tools / Options / Privacy / Cookies / Show Cookies
Firefox– Viewing (Almost) Without Tools
Mandiant Web Historian – Firefox
Firefox Cache – Inside The Files
• On Firefox, the cache information is stored across 3 types of files: one (1) cache map file, three (3) cache block files, and as many additional cache data files as required to store additional cache data
Firefox – What If The subject Clears The Cache?
• In Firefox, the situation is skewed much more in favor of the subject. Going to Tools and selecting Clear Private Data deletes not only the cache files, but handily removes the cache map and cache block files, so tying the files (assuming you could recover them) to the cache map and blocks becomes quite a bit more difficult
Cache View - Overview
• Fortunately, we’re going to forgo the math and utilize the Cache View tool, a shareware program that can be fully registered for all of US $25
• This program extracts the cache data, organizes it and displays it in columnar format, and allows export to comma-separated files
Cache View - Firefox
MozillaCookiesView - Firefox
FireMaster – Stored Credentials
• Firefox gives you the option to save your often-used userIDs and passwords that you utilize to access websites
• Unfortunately for the forensic investigator, the subject may specify a Master password, which prevents access to all the other passwords
• FireMaster cracks this master password, allowing you to access the password list in the browser or via FirePassword
FirePassword – Stored Credentials
• Used with or without the Master Password (depending on if it’s been set) to see the websites your subject visited and the userIDs and passwords s/he used to get in
• Much quicker than FireMaster, as you either don’t have a Master Password or have already specified it!
Dump AutoComplete – Stored Form Fields
• Information in formhistory.sqlite can be viewed with any sqlite-compatible program, but must be extracted to be the most useful to the investigator
• Use the Dump Auto Complete program to bring out the form field name and what was entered
• Even though these aren’t credentials, a lot of information about the subject can be gleaned
