CNS 320 Week8 Lecture
Transcript of CNS 320 Week8 Lecture
7/28/2019 CNS 320 Week8 Lecture
http://slidepdf.com/reader/full/cns-320-week8-lecture 1/98

CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE
Week 8
Copyright © 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Announcements
We will be spending some of the last class period (Week 10) reviewing for the final

Quiz #2 Review

1: 6 Phases of Incident Response (99%)
Preparation
Identification
Containment
Eradication
Recovery
Follow-Up & Lessons Learned

2: Most Important IR Phases (100%)
Preparation
Follow-Up & Lessons Learned
Without doing these phases properly, there's generally no improvement over time
IR is a continuous process, not an isolated event

3: LfLe Signature (62%)
Windows Event Log Record
Also the magic value for the file

Windows Event Logs
NT/2K/XP/2K3:
.evt files in %systemroot%\System32\config
SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others
File Header/Magic Number in bytes 4-8: "LfLe"
Header in 2nd 4 bytes of each record: "LfLe" (same as file header)
2 timestamps per record (generated & recorded), UNIX Epoch time format
Vista/7/2K8:
.evtx files in %systemroot%\System32\winevt\logs
SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others
Header in 1st 4 bytes: 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes)
Logs can be sent to a remote log collector
Binary XML format
File locations can be changed in the registry
UNIX Epoch time = # seconds since 00:00 Jan 1st, 1970 GMT

4: Std Office Metadata (77%)
You should know, at least vaguely, what sorts of metadata information may be available in various common document formats
I might have asked about other file types:
Portable Executable (.sys, .dll, .exe, .scr)
JPEG
You might go back and take another look at this section in week 4

Office Default Metadata Values
Title, Subject, Author, Keywords, Comments, Template, Last author, Revision number, Application name, Last print date, Creation date, Last save time, Total editing time, Number of pages, Number of words, Number of characters
Security, Category, Format, Manager, Company, Number of bytes, Number of lines, Number of paragraphs, Number of slides, Number of notes, Number of hidden slides, Number of multimedia clips, Hyperlink base, Number of characters (with spaces)

5: Thumbnail Files (100%)

6: Outlook Files (85%)
Personal Archive Folder .PST
Local Cache Folder .OST
These two formats are closely related to one another
Various utilities can convert OST to PST
These are the most common Windows mail formats in corporate examinations

7: File type with magic number ending in 'SCCA' (54%)
Prefetch file

Data in .pf file
File Signature (beginning of file):
XP: \x11\x00\x00\x00\x53\x43\x43\x41 (....SCCA)
Vista/7: \x17\x00\x00\x00\x53\x43\x43\x41 (....SCCA)
Contains paths of all files & folders accessed by the program in the first 10 seconds
Create time indicates when executable was first run
Mod date & internal FILETIME indicate last time run
Run Count
Volume path & serial # for all files referenced
Prefetch\Layout.ini contains path information
File Size: 4-byte quantity at offset 0x000c

8: Jumplist Contents
Shortcut files (.LNK)

Windows 7 Jump Lists
Custom Destinations:
<profile>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<AppID>.customDestinations-ms
File contains embedded .LNK files which can be carved out (begins with LNK header \x4c\x00\x00\x00\x01\x14\x02, size is 4 bytes at offset 34h) and analyzed
Automatic Destinations:
<profile>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<AppID>.automaticDestinations-ms
Contained data is stored using Structured Storage Format, and can be parsed using MiTeC's Structured Storage Viewer, from which .LNK files can be exported directly
Lists may contain up to several hundred items, though user only sees a few

9 [Bonus]: Sector/byte offset (8%)
512 is the sector size (not the cluster size; a bunch of people made this mistake)
What's a sector (anybody?)
Sector is minimum disk access/allocation unit
What's a cluster (anybody?)
Cluster is minimum filesystem access/allocation unit
Mmls returns volume/partition offset in sectors from beginning of disk
Mount command requires volume/partition offset in bytes from beginning of disk, so the mmls sector offset has to be multiplied by 512

Material for this week
A few more words about Volume Shadow Copies
Internet Explorer Browser Forensics

Volume Shadow Copy Service
When a VSC is created, all Windows does is allocate a place to save overwritten disk clusters
Subsequently, whenever a cluster is written (but only if it hasn't been written to since the VSC was created) that cluster is first copied into this VSC area by the VSCS
So the VSC will always contain an old copy of all clusters that have been written at least once since the VSC was created

Viewing VSCs
When we do the mklink to point at the VSC, we're doing a virtual mount trick similar to what we do to examine images in the SIFT Kit
Windows virtually substitutes back all the old copies of overwritten clusters in that view
So the disk (except for the VSC area itself?) now appears exactly as it did when the VSC was created
Consider though: What happens if the VSCS is disabled for some period of time?
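Added example (not from the lecture): a toy Python model of the copy-on-write behaviour the two VSC slides describe, with cluster contents as plain strings. The cow_enabled flag stands in for the lecturer's "VSCS disabled for some period" question; it is an assumption of this model, not a statement about how Windows itself handles that case.

```python
class ShadowCopyDisk:
    """Toy model of Volume Shadow Copy copy-on-write (constructed example).
    Clusters are plain strings; each snapshot owns a 'VSC area' that starts
    empty and receives the pre-write copy of a cluster the first time that
    cluster is overwritten after the snapshot was taken."""

    def __init__(self, clusters):
        self.clusters = list(clusters)  # live volume contents
        self.areas = []                 # one dict per snapshot: cluster index -> old contents
        self.cow_enabled = True         # models the copy-on-write service being active

    def create_snapshot(self):
        # Creating a VSC only allocates space; nothing is copied at this point.
        self.areas.append({})
        return len(self.areas) - 1

    def write(self, index, data):
        if self.cow_enabled:
            for area in self.areas:
                # Copy only on the FIRST write after the snapshot: later writes to
                # the same cluster leave the saved (oldest) copy untouched.
                if index not in area:
                    area[index] = self.clusters[index]
        self.clusters[index] = data

    def saved_clusters(self, snap_id):
        """What the VSC area actually holds: only clusters written since creation."""
        return dict(self.areas[snap_id])

    def view(self, snap_id):
        """The 'mklink' view: live clusters with the saved old copies substituted back."""
        area = self.areas[snap_id]
        return [area.get(i, live) for i, live in enumerate(self.clusters)]


def demo():
    """Walk through the slides' description and the 'service disabled' question.
    Returns (view after normal writes, saved area, view after a gap in coverage)."""
    disk = ShadowCopyDisk(["a0", "b0", "c0", "d0"])
    snap = disk.create_snapshot()
    disk.write(1, "b1")                # first write: "b0" is copied into the VSC area
    disk.write(1, "b2")                # second write: nothing copied, "b0" stays saved
    normal_view = disk.view(snap)      # ["a0", "b0", "c0", "d0"]: exactly as at creation
    saved = disk.saved_clusters(snap)  # {1: "b0"}: untouched clusters are not stored

    # Lecturer's question: if copy-on-write is not running for a while, a write in
    # that window is not intercepted, so the pre-write contents are lost for good.
    disk.cow_enabled = False
    disk.write(2, "c1")
    disk.cow_enabled = True
    disk.write(2, "c2")                # now "c1", not "c0", is saved as the 'old' copy
    gap_view = disk.view(snap)         # ["a0", "b0", "c1", "d0"]: no longer creation-time state
    return normal_view, saved, gap_view


if __name__ == "__main__":
    print(demo())
```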

Browser Forensics
Internet Explorer (6-9)
Includes anything that uses WinInet API
Technically goes back to version 3, but I'm not going to torture you with Windows 3.1, 95, or NT
FireFox (1.5-10)
Safari (3-5) [older versions Mac only]
Chrome (1-18)
Opera (2-11)

Market share as of January 2012
Internet Explorer 20.1%
Firefox 37.1%
Chrome 35.3%
Safari 4.3%
Opera 2.4%
Historically, IE & Firefox have dominated

Displayed Media Types
Text
HTML (3-5)
Images (GIF, JPG, PNG, BMP)
Video (MPEG, Flash)
Plugins for virtually anything

Common Artifacts (Implemented Differently)
Opaque to most people:
Cache
Cookies
Auto-Complete
Well known (and so likely to be removed):
History
Bookmarks
Download Folders
Recovery Data
Suggested Sites

Questions we may be able to answer
What sites were visited?
How many times?
When? (last, others)
What sites were saved by the user?
What files were downloaded?
What usernames & credentials were used?
What searches did the user run?
What information did the user exchange with the site?

Viewing Hidden Files
There are lots of hidden files and folder structures in Windows
Like with the registry, monkeying around in these locations can break things
To view these:
Open Folder Options Control Panel
Select 'Show Hidden files and folders'
Uncheck 'Hide protected OS files'
Don't forget and accidentally delete

Internet Explorer
6.0 – Released with XP. Well past its sell-by date, yet still encountered frequently, especially in corporate environments
7.0 – Released on Vista (won't run on Win2K)
8.0 – Released on Win7
9.0 – Won't run on XP. Last to use common db (index.dat) format
10.0 – Released on Win8. Whole new ballgame
Later versions have significant differences

Artifact Locations for IE (XP)
Bookmarks/Favorites: <profile>\Favorites
History: <profile>\Local Settings\History\History.IE5
Cache: <profile>\Local Settings\Temporary Internet Files\Content.IE5
Cookies: <profile>\Cookies
Downloads: <profile>\Downloads

Artifact Locations for IE (Vista/Win7)
Bookmarks/Favorites: <profile>\Favorites
Cookies: <profile>\AppData\Roaming\Microsoft\Windows\Cookies
<profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: <profile>\AppData\Local\Microsoft\Windows\History\History.IE5
<profile>\AppData\Local\Microsoft\Windows\History\Low\History.IE5
Cache: <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low
Downloads: <profile>\Downloads

A word about profile locations
Not always in C:\Documents and Settings
Registry configurable default profile locations. Check the following values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
Default
Public
ProfilesDirectory
Builtin account profiles such as System are under various %Windir% folders, e.g. Windows\System32\Config

Index.dat Files
Binary format unchanged since IE 4
Different files use same name & format, but store different data
Index.dat files exist in multiple places for tracking of:
History
Cookies
Cache Data
Difficult to remove because always locked, but IE settings can clear entries
File Signature: "Client UrlCache MMF Ver 5.2"
Four byte file size starting at byte 28

Index.dat Record Types
Four types of record are known:
URL – Indicate URIs that were actually requested
REDR – Indicate browser was redirected to another site
HASH – Hash indexes of the contents of the index.dat file (not useful)
LEAK – Result of attempt to delete entry while associated cache file is open (other mechanisms possible)

Index.dat Record Header Format
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128 byte blocks in record

Index.dat Timestamps
According to some sources:
Modified time should be when web server last updated file
Accessed time should be when file last downloaded
However, actual timestamp usage varies depending on exactly what kind of index.dat file the data is contained within

IE History
XP Location:
<profile>\Local Settings\History\History.IE5
Vista/Win7 Location:
<profile>\AppData\Local\Microsoft\Windows\History\History.IE5
<profile>\AppData\Local\Microsoft\Windows\History\Low\History.IE5
(we'll get to why you can't see this folder normally in a minute)

IE History
Designed for URL autocompletion
Tracks all user browsing history for last 20 days by default
If browsing history set to 0 days, still kept, but deleted on system shutdown or next day
Also tracks Explorer access to local files
For each URL or file, tracks last access timestamp & number of times accessed

Apparent History Folder is Actually a Windows Construct

Virtual History Folder
Shows Human-Readable Content
Folders or individual entries can be manipulated/deleted directly
Changes made here are propagated to the underlying index.dat files by Windows
Last Accessed time shown is in local system timezone

Virtual History Subfolders

The Real History Folder

Under the History Folder

Actual History Contents
Master index.dat file under History.IE5
Daily, Weekly, or (potentially) Monthly index.dat files under other folders
Folders are named according to the date span covered by the contained file
After the 6th day, aggregate daily history content is rolled up into a weekly file
Actual files and folders cannot be seen in Windows GUI on live system, but can from the command line using 'dir /a'

Index.dat Record (URL History)
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128 byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)

History Record Timestamp Meanings
Location of Index.dat   1st Date (Record offset 9)        2nd Date (Record offset 17)
History.IE5             Last visited time (GMT)           Last visited time (GMT)
Daily History           Last visited time (LOCAL TIME)    Last visited time (GMT)
Weekly History          Last visited time (LOCAL TIME)    Index.dat file created time (GMT)

IE Cache
XP Location:
<profile>\Local Settings\Temporary Internet Files\Content.IE5
Vista/Win7 Location:
<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low
(Another of these invisible folders)

IE Cache
Exists to speed up access by using previously obtained local copies of content which has not altered since accessed
Not all entries are supposed to be cached (SSL, no-store), but IE6 used to cache a lot of content it shouldn't have
Also, the RFCs never formally stated SSL should not be cached
Can include references to entries that have been removed in the meantime
Cleared entries are wiped more effectively by IE7 and later

A word about cache usage…
Some RFCs & Microsoft specifications clearly define what is supposed to be cached:
RFC2616 (HTTP 1.1): cache-response-directive = no-store
RFC1945 (HTTP 1.0): entries past expiration date not cached (less clear)
MS: INTERNET_FLAG_DONT_CACHE, or INTERNET_FLAG_NO_CACHE_WRITE
Developers sometimes misinterpret the meaning of the specifications
For instance, 'no-cache' (HTTP 1.1) and 'Pragma: no-cache' (HTTP 1.0) don't mean 'do not cache'. Both mean 'send request for content even if cached'
Older browser versions were very bad at properly interpreting and enforcing these specifications because of this

IE Cache Size
IE6 – Default is 10% of system drive
IE7 – 50MB, increasable to 250MB

Another Virtual Folder

The Real Deal

Cache Subfolders

Cache Artifacts
Index.dat file under Content.IE5
Semirandomly named subfolders contain files with cached content
Contain entries for cacheable URLs visited, each of which references a file that may or may not still exist
Original filename with bracketed instance number before .ext
Folders added in groups of four (if not, investigate why, could be data hiding location)

FYI: Other Temporary Internet Folders
Subfolders (Not thoroughly researched):
AntiPhishing
Content.MSO – Not sure… Local copy from external document linking in Office?
Content.Outlook – Attachment files opened directly in Outlook
Content.Word – Temp files created when Word used as editor for Outlook
OLK5432 – Unknown
Others?

Index.dat Record (Cache URL)
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128 byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
92      4     Last Checked FATTIME

FATTIME
Offset  Size  Description
0       2     date
2       2     time
In little-endian the 16-bit date value corresponds to:
Offset       Size    Description
Bit 0 (LSB)  5 bits  Day of the month
Bit 5        4 bits  Month (0x01 => January)
Bit 9        7 bits  Year (0x00 => 1980)
In little-endian the 16-bit time value corresponds to:
Offset       Size    Description
Bit 0 (LSB)  5 bits  Seconds in 2 second intervals
Bit 5        6 bits  Minutes
Bit 11       5 bits  Hours

Cache Timestamps from Index.dat
Modified: When content last saved to cache file (UTC)
Accessed: When content last viewed in browser (UTC)
Expiration: Set by server to ensure content retrieved again if accessed after specified date (UTC)
Last Checked: When site last compared to cache. By default, same as last access, but modified browser settings could prevent recheck (UTC)

IE Cookies
XP Location:
<profile>\Cookies
Vista/Win7 Location:
<profile>\AppData\Roaming\Microsoft\Windows\Cookies
<profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low

IE Cookies
Cookies exist to add state information to web browser sessions
Not all sites use them
Small text files (persistent cookies)
Session cookies in memory only
Included data:
Issuing website
Account on that site
NTFS FILETIMEs
Website specific data in cookie
Some cookie data is encrypted & some is not

Index.dat Record (Cookie URL)
Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128 byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
84      4     Hits
92      4     Last Checked FATTIME

Cookie Index.dat Data (all times UTC)
Last Accessed: Last time cookie uploaded
Last Modified: Last time website modified cookie
Last Checked: Last time cookie expiration was checked
Expiration: Date after which cookie will no longer be accepted
Hits: How many times cookie was uploaded
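Added example, not code from the lecture: a Python decoder for the layouts on the FATTIME slide and the cache and cookie URL-record tables above. It builds a constructed two-block cookie record (sample values, not from a real index.dat) and parses it back; the two inverse helpers exist only to build that sample.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK_SIZE = 128  # index.dat records are allocated in 128-byte blocks (per the slides)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse helper, used here only to build the constructed sample record."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def fattime_to_datetime(raw):
    """Decode a 4-byte FATTIME: 16-bit date then 16-bit time, both little-endian,
    laid out as on the FATTIME slide. All-zero means no time recorded."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    day, month, year = date & 0x1F, (date >> 5) & 0x0F, 1980 + (date >> 9)
    secs, mins, hours = (time & 0x1F) * 2, (time >> 5) & 0x3F, time >> 11
    return datetime(year, month, day, hours, mins, secs, tzinfo=timezone.utc)


def datetime_to_fattime(dt):
    """Inverse helper for building the sample (FATTIME has 2-second resolution)."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def parse_record(buf, offset=0):
    """Parse the record at `offset` using the cookie-record slide's offsets.
    Offsets 0..23 are shared by history, cache and cookie URL records; 24 (expiration),
    84 (hits) and 92 (last checked) are the cookie fields. Signatures are 4 bytes,
    so 'URL' is stored padded with a trailing space."""
    sig = bytes(buf[offset:offset + 4])
    if sig not in (b"URL ", b"REDR", b"HASH", b"LEAK"):
        raise ValueError("no index.dat record signature at offset %d: %r" % (offset, sig))
    nblocks = struct.unpack_from("<I", buf, offset + 4)[0]
    rec = {"type": sig.decode().strip(), "length": nblocks * BLOCK_SIZE}
    if sig == b"URL ":
        modified, accessed = struct.unpack_from("<QQ", buf, offset + 8)
        rec["last_modified"] = filetime_to_datetime(modified)
        rec["last_accessed"] = filetime_to_datetime(accessed)
        rec["expiration"] = fattime_to_datetime(buf[offset + 24:offset + 28])
        rec["hits"] = struct.unpack_from("<I", buf, offset + 84)[0]
        rec["last_checked"] = fattime_to_datetime(buf[offset + 92:offset + 96])
    return rec


def build_sample_record():
    """Constructed two-block cookie URL record (sample values, not from a real system)."""
    rec = bytearray(2 * BLOCK_SIZE)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 4, 2)  # record spans 2 x 128 bytes
    modified = datetime(2012, 2, 10, 11, 59, 46, tzinfo=timezone.utc)
    accessed = datetime(2012, 2, 11, 8, 30, 0, tzinfo=timezone.utc)
    expires = datetime(2014, 2, 9, 11, 59, 46, tzinfo=timezone.utc)
    struct.pack_into("<QQ", rec, 8, datetime_to_filetime(modified), datetime_to_filetime(accessed))
    rec[24:28] = datetime_to_fattime(expires)
    struct.pack_into("<I", rec, 84, 3)  # hits: cookie uploaded three times
    rec[92:96] = datetime_to_fattime(accessed)
    return bytes(rec)


if __name__ == "__main__":
    for key, value in parse_record(build_sample_record()).items():
        print("%-14s %s" % (key, value))
```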

An aside about cookies in general
I put this in the IE section simply because cookie data is so easy to get at there.
Other browsers typically use storage methodologies that require more effort to extract data from.

Interesting Cookie Contents
Google Analytics cookies are used by many sites to track access
Lots of sites use completely custom cookie data or encrypt it, but always take a look. You may be surprised what you can find there.
I've seen an example of Mapquest.com actually storing unencrypted location history (physical addresses) there.

Sample Google Analytics Cookies (from a file named 6B36WGQG.txt)
__utma
12495090.2011220730.1328875187.1328875187.1328875187.1
w.dilbert.com/
1600
1827382528
30352782
2075877424
30205931
*
__utmb
12495090.1.10.1328875187
w.dilbert.com/
1600
2889898240
30205935
2075877424
30205931
*
__utmz
12495090.1328875187.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
w.dilbert.com/
1600
935429376
30242644
2075407424
30205931
*

__utma (Timestamps in UNIX Epoch Time)
Contents similar to XXXX.RRRR.FFFF.PPPP.CCCC.N
XXXX – Hash of client's domain
RRRR – Random unique ID for client
FFFF – Date of first visit to site (probably following the last clear of cookies)
PPPP – Timestamp of previous (last) visit
CCCC – Current timestamp
N – Number of sessions since first visit (Incremented each time new session started after first)

__utmb
Contents similar to XXXX.P.10.C
XXXX = The Domain Hash
P = Pages of the site viewed in most recent session
C = Timestamp of most recent session

__utmz
Contents similar to XXXX.TTTT.V.S.utmcsr{source}|utmccn{campaign}|utmcmd{medium}|utmctr{keyword}
XXXX – Hash of client's domain
TTTT – Timestamp when cookie last set
V – Total visitor sessions (supposed to be the same as last # in __utma)
S – Count of different referrers followed to this site
utmcsr{source} – Last referrer domain
utmccn{campaign} – Ad followed if any
utmcmd{medium} – Search channel information (paid ad, etc.)
utmctr{keyword} – Search term used to find site
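Added example (not the lecture's code) that reads the sample cookie file above and decodes the __utma, __utmb and __utmz fields as the three slides describe them. The per-record field order it assumes for the IE cookie .txt file (name, value, host/path, flags, expiry FILETIME as low and high dwords, creation FILETIME as low and high dwords, "*" delimiter) is this example's assumption; the slides only say the files hold FILETIMEs.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The three cookies from the lecture's sample file (6B36WGQG.txt), one field per line.
# Assumed field order: name, value, host/path, flags, expiry FILETIME (low dword,
# high dword), creation FILETIME (low, high), then a "*" record delimiter.
SAMPLE_COOKIE_FILE = """\
__utma
12495090.2011220730.1328875187.1328875187.1328875187.1
w.dilbert.com/
1600
1827382528
30352782
2075877424
30205931
*
__utmb
12495090.1.10.1328875187
w.dilbert.com/
1600
2889898240
30205935
2075877424
30205931
*
__utmz
12495090.1328875187.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
w.dilbert.com/
1600
935429376
30242644
2075407424
30205931
*
"""


def filetime_to_datetime(low, high):
    """Rebuild a FILETIME from its two decimal dwords (100 ns ticks since 1601 UTC)."""
    ticks = (int(high) << 32) | int(low)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def epoch_to_datetime(seconds):
    """Google Analytics stores UNIX epoch seconds (UTC)."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def parse_utma(value):
    # XXXX.RRRR.FFFF.PPPP.CCCC.N
    domain_hash, visitor_id, first, previous, current, sessions = value.split(".")
    return {"domain_hash": domain_hash, "visitor_id": visitor_id,
            "first_visit": epoch_to_datetime(first),
            "previous_visit": epoch_to_datetime(previous),
            "current_visit": epoch_to_datetime(current), "sessions": int(sessions)}


def parse_utmb(value):
    # XXXX.P.10.C
    domain_hash, pages, _ten, current = value.split(".")
    return {"domain_hash": domain_hash, "pages_this_session": int(pages),
            "session_time": epoch_to_datetime(current)}


def parse_utmz(value):
    # XXXX.TTTT.V.S.utmcsr=...|utmccn=...|utmcmd=...|utmctr=...
    # maxsplit=4 because the campaign part may itself contain dots (e.g. a referrer domain).
    domain_hash, set_time, sessions, sources, campaign = value.split(".", 4)
    fields = dict(part.split("=", 1) for part in campaign.split("|"))
    return {"domain_hash": domain_hash, "last_set": epoch_to_datetime(set_time),
            "sessions": int(sessions), "referrer_count": int(sources),
            "source": fields.get("utmcsr"), "campaign": fields.get("utmccn"),
            "medium": fields.get("utmcmd"), "keyword": fields.get("utmctr")}


GA_PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}


def parse_ie_cookie_file(text):
    """Split an IE cookie .txt file into records and decode the GA values it holds."""
    cookies = {}
    for block in text.split("*\n"):
        lines = block.strip().split("\n")
        if len(lines) < 8:
            continue  # trailing empty block or truncated record
        name, value, host_path, flags, exp_lo, exp_hi, cre_lo, cre_hi = lines[:8]
        cookie = {"value": value, "host_path": host_path, "flags": int(flags),
                  "expires": filetime_to_datetime(exp_lo, exp_hi),
                  "created": filetime_to_datetime(cre_lo, cre_hi)}
        if name in GA_PARSERS:
            cookie["parsed"] = GA_PARSERS[name](value)
        cookies[name] = cookie
    return cookies


if __name__ == "__main__":
    for name, c in parse_ie_cookie_file(SAMPLE_COOKIE_FILE).items():
        print(name, "created", c["created"].isoformat(), "expires", c["expires"].isoformat())
        print("   ", c.get("parsed"))
```

The creation FILETIME (2012-02-10 11:59:46 UTC) and the __utma first-visit epoch value (11:59:47 UTC) land within a second of each other, which is the kind of cross-check worth making before relying on either timestamp.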

IE Favorites (<profile>\Favorites)
Stored as .URL files
Contains complete target URL
File timestamps show creation, last written, and last accessed times
It's also possible to 'import' favorites from other sources, so timestamps may reflect that instead of their actual creation by the user

IE Downloads
Often saved to default locations
XP default download folder defined by registry value HKCU\Software\Microsoft\Internet Explorer\Download Directory
Defaults to the user's desktop
Vista/Win7 uses <profile>\Downloads\ as default
If file opened rather than saved, temp copy created in IE cache folder, never cleaned unless manually
IE9 has separate index.dat for downloads

IE Auto-Complete (other than history)
Typed URLs registry key maintains list of last 25 URLs typed by the user
HKU\*\Software\Microsoft\Internet Explorer\TypedURLs

Typed URLs (Or Pasted…)
#1 is most recent

IE Auto-Complete (other than history)
Protected Storage (IE4-6; Also used by Outlook Express & MSN Explorer)
Form Autofill Field Data
Accounts & Passwords (Web, FTP, Others) [checkbox]
Encrypted on disk but not in memory. Trivial to acquire from live system, & crackable from a dead one
(IE4-6) HKU\*\Software\Microsoft\Protected Storage System Provider\<SID>
(IE7+) HKU\*\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Encrypted – But key is name of website

A note about found passwords
These are great for using in cracking attempts against encrypted files since people often reuse the same passwords elsewhere
You will rarely be authorized to log into the other accounts referenced
You can provide usernames to legal for subpoena generation from other account providers

Changes in Vista/Win7
As mentioned previously, file locations have changed
'Protected Mode' web browsing is performed as an unprivileged user
This is where the 2nd 'Low' filename comes from in the various file artifacts
There are two sets because not all operations use Protected Mode
IE7-9 all support Protected Mode on Vista/Win7

Changes in IE7
New Security Features
Move away from 'Protected Storage' use
Added the 'Delete All' button to clear browser artifacts
Combines four different operations under IE6
When clearing entries, IE6 did a poor job of cleaning out index.dat records. IE7 does a more thorough job, but some records can still be retrieved.

Changes in IE8/9
New Artifacts:
Recovery Folders
Suggested Sites
DOM Storage
New Security Options:
InPrivate Browsing Mode reduces artifacts for specified sessions
'Empty Temporary Internet Files folder when browser is closed' option
'Delete browsing history on exit' option

IE8/9 Automatic Crash Recovery
Complete activity tracking for current & previous session
Enabled by default (even in InPrivate Mode). Deleted (but often recoverable) when History cleared
Information tracked:
Tabs Open
List of websites viewed in each tab, with referrers for each
Session end time
Time each tab was opened (Only if a crash occurred or if for some other reason files are still present in the Active folder)
Code from the page
Form data & Other artifacts

IE8/9 Crash Recovery Folders
XP (IE8 Only):
<profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active
<profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active
Vista/Win7:
Current: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
Previous: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active
Files have .dat extension & are stored in Structured Storage Format
Like Jump Lists, can be examined using MiTeC Structured Storage Viewer

Tab Title & Last Site Viewed

Recovery Files in MiTeC SSV
Each TL# stream is a different site visited in this tab. Each includes the following data in unicode (complete format not well understood):
Full path & Referring path
Page code to reconstruct
Form data and other data, possibly including passwords
TravelLog contains forward/back button use, but there's no reference for the format

Structured Storage Format
File signature: D0CF11E0A1B11AE1
No easy way to find the total size of the file
Can still carve, just allow larger than expected file size

Site & Referrer

IE8/9 Suggested Sites
Opt-in or out at install time
Data located in <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat
Tracks all sites visited to suggest similar ones
Does not track local, HTTPS, or InPrivate browsing
Normally deleted when history is, but may get out of sync. May not be handled by 3rd party wiping utilities.

SuggestedSites.dat
Starts out 5M in size
Records include, in order:
URL of visited page (null terminated)
Title of visited page (null terminated)
URL of referring page (null terminated)
5 unknown bytes
Windows FILETIME when page visited
Could probably write a simple perl or python script to parse
Unknown binary format, so view with a hex editor
Didn't test this myself. All direct data from Internet sources
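The parser the lecturer suggests, as an added example (not the lecture's code, and written against the untested record layout quoted on the slide): it walks records of three null-terminated strings, 5 unknown bytes and a FILETIME. The single-byte string encoding, the constructed sample input and the year-range sanity check that stops the walk when it leaves real records are all this example's assumptions; the slide says nothing about the surrounding file format.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TRAILER_LEN = 5 + 8   # 5 unknown bytes, then an 8-byte FILETIME


def filetime_to_datetime(ticks):
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse helper, used only to build the constructed sample."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def read_cstring(buf, pos):
    """Return (decoded string, position just past the terminating null)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-8", errors="replace"), end + 1


def parse_suggested_sites(buf, start=0, years=(1990, 2100)):
    """Walk records from `start`: URL, title, referrer (each null-terminated),
    5 unknown bytes, FILETIME. Stops at the first record whose timestamp is outside
    `years`; that guard is what keeps the walk from marching through zero-filled or
    otherwise unknown regions of the file as if they were records."""
    records, pos = [], start
    while pos < len(buf):
        try:
            url, p = read_cstring(buf, pos)
            title, p = read_cstring(buf, p)
            referrer, p = read_cstring(buf, p)
        except ValueError:
            break                      # ran off the end of the buffer
        if p + TRAILER_LEN > len(buf):
            break                      # truncated trailer
        unknown = buf[p:p + 5]
        ticks = struct.unpack_from("<Q", buf, p + 5)[0]
        try:
            visited = filetime_to_datetime(ticks)
        except OverflowError:
            break                      # garbage that is not a FILETIME at all
        if not years[0] <= visited.year <= years[1]:
            break
        records.append({"offset": pos, "url": url, "title": title, "referrer": referrer,
                        "unknown": unknown.hex(), "visited": visited})
        pos = p + TRAILER_LEN
    return records


def build_sample(records):
    """Constructed sample data (not a real SuggestedSites.dat): encodes records in the
    slide's layout with ASCII strings and zeroed unknown bytes, then zero-pads the end."""
    out = bytearray()
    for url, title, referrer, visited in records:
        for s in (url, title, referrer):
            out += s.encode() + b"\x00"
        out += b"\x00" * 5
        out += struct.pack("<Q", datetime_to_filetime(visited))
    return bytes(out) + b"\x00" * 64


SAMPLE = build_sample([
    ("http://example.com/", "Example Domain", "",
     datetime(2012, 2, 10, 12, 0, 5, tzinfo=timezone.utc)),
    ("http://example.com/page2", "Page 2", "http://example.com/",
     datetime(2012, 2, 10, 12, 0, 30, tzinfo=timezone.utc)),
])


if __name__ == "__main__":
    for r in parse_suggested_sites(SAMPLE):
        print(r["visited"].isoformat(), r["url"], "<-", r["referrer"] or "(no referrer)")
```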

IE8/9 InPrivate (Porn) Browsing Mode
When used, opens a new browser session that records & saves less data
No History data saved
All cookies treated as session cookies (No files created. Memory only)
Typed URL & Form data not saved
Cache files are created, but deleted at end of session
Cache index.dat file may not be completely cleared
You may want to have your admins disable via group policy (can prevent history clearing too)

IE8/9 InPrivate (Porn) Browsing Mode
So what's left?
Recover deleted cache files
Session Recovery files (& deleted session recovery files)
Incompletely cleaned remnants from index.dat
Network traffic or proxy logs
Data from memory if you can get it

PrivacIE Index.dat Entries
NOT from InPrivate Browsing Mode sessions
Result of InPrivate Filtering enabled to prevent upload of tracking information

Brief Detour: IE Browser Extensions
BHOs
Flash
Java

IE Browser 'Helper' Objects
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<CLSID>
Details of BHO under HKLM\SOFTWARE\Classes\CLSID\<CLSID>

Macromedia/Adobe Flash
Plugin for most web browsers
Effectively a separate application, but not installed like one
Lives in: C:\WINDOWS\system32\Macromed\Flash
Has a built-in scripting language: ActionScript
Can make independent web requests

Flash Cookies/Local Shared Objects
Potentially much larger than regular cookies
Not cleared when they are.
.SOL file extension
Usually stored in folders under:
Vista/Win7: <profile>\AppData\Roaming\Macromedia\Flash Player
XP: <profile>\Application Data\Macromedia\Flash Player
Sometimes found in other locations
Until recent updates, no easy way to clear

Managing Flash Cookies
Until recent updates, these had to be managed via the website http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
Visits to this site can be an indication of attempted history removal
Now there's a 'Flash Player' control panel application

Information from Flash Cookies
User/website access (full folder path)
First/last access time (file timestamps)
Data stored by the site (may be encrypted)

Java Downloads
Another separate application, but potentially runs downloaded code
Applets are used as normal web content, but sandbox escape is easy on old versions, which are disturbingly common
Cache folder:
XP: <profile>\Application Data\Sun\Java\Deployment\cache\6.0
Vista/Win7: <profile>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6

Java Downloads
IDX files in this cache are Java applet cache indexes
Included data:
Filename
URL downloaded from
IP of source host
Last modified date
Downloaded date

Java Exploitability
Old versions of Java did not upgrade themselves, just installed new versions alongside the old ones
Web applications that knew the correct path to the old version could still access it.
There's lots of this still out there
Specific versions of Java install with many applications, and aren't necessarily upgraded because the security issues don't affect the applications they support

IE8/9 DOM Storage
HTML 5.0 equivalent to Flash Cookies
Located in XML files and Index.dat under:
XP: <profile>\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore
Vista/Win7: <profile>\AppData\Local\Microsoft\Internet Explorer\DOMStore

IE8/9 DOM Storage
Up to 10MB per user & per site for any data a site cares to cache. Examples include:
Preferences
Keywords
Visit tracking
Usernames
Offline files
Does not expire, but is cleared when cookies are
Prediction: In about ten years, HTML5 will be about like Java & Flash are now

Differences in IE 10
IE 10 Registry Keys: TypedURLsTime
IE 10 Files/Folders:
<profile>\appdata\roaming\microsoft\windows\cookies\low
<profile>\appdata\roaming\microsoft\windows\WebCacheV##\WebCacheV##.dat (ESE db format)
No more index.dat. All old index.dat artifacts are stored in WebCacheV##.dat

Questions?