CNS 320 Week8 Lecture

7/28/2019 CNS 320 Week8 Lecture http://slidepdf.com/reader/full/cns-320-week8-lecture 1/98

Transcript of CNS 320 Week8 Lecture

Page 1: CNS 320 Week8 Lecture

CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 8

Copyright © 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Page 2: CNS 320 Week8 Lecture

Announcements

We will be spending some of the last class period (Week 10) reviewing for the final

Page 3: CNS 320 Week8 Lecture

Quiz #2 Review

Page 4: CNS 320 Week8 Lecture

1: 6 Phases of Incident Response (99%)

Preparation

Identification

Containment

Eradication

Recovery

Follow-Up & Lessons Learned

Page 5: CNS 320 Week8 Lecture

2: Most Important IR Phases (100%)

Preparation

Follow-Up & Lessons Learned

Without doing these phases properly, there's generally no improvement over time

IR is a continuous process, not an isolated event

Page 6: CNS 320 Week8 Lecture

3: LfLe Signature (62%)

Windows Event Log Record

Also the magic value for the file

Page 7: CNS 320 Week8 Lecture

Windows Event Logs

NT/2K/XP/2K3: .evt files

%systemroot%\System32\config

SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others

File header/magic number in bytes 4-8: "LfLe"

Header in 2nd 4 bytes of each record: "LfLe" (same as file header)

2 timestamps per record (generated & recorded), UNIX Epoch time format

Vista/7/2K8: .evtx files

%systemroot%\System32\winevt\logs

SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others

Header in 1st 4 bytes: 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes)

Logs can be sent to a remote log collector

Binary XML format

File locations can be changed in the registry

UNIX Epoch time = # seconds since 00:00 Jan 1st, 1970 GMT

Page 8: CNS 320 Week8 Lecture

4: Std Office Metadata (77%)

You should know, at least vaguely, what sorts of metadata information may be available in various common document formats

I might have asked about other file types

PDF

Portable Executable (.sys, .dll, .exe, .scr)

JPEG

You might go back and take another look at this section in week 4

Page 9: CNS 320 Week8 Lecture

Office Default Metadata Values

Title
Subject
Author
Keywords
Comments
Template
Last author
Revision number
Application name
Last print date
Creation date
Last save time
Total editing time
Number of pages
Number of words
Number of characters
Security
Category
Format
Manager
Company
Number of bytes
Number of lines
Number of paragraphs
Number of slides
Number of notes
Number of hidden slides
Number of multimedia clips
Hyperlink base
Number of characters (with spaces)

Page 10: CNS 320 Week8 Lecture

5: Thumbnail Files (100%)

Page 11: CNS 320 Week8 Lecture

6: Outlook Files (85%)

Personal Archive Folder: .PST

Local Cache Folder: .OST

These two formats are closely related to one another

Various utilities can convert OST to PST

These are the most common Windows mail formats in corporate examinations

Page 12: CNS 320 Week8 Lecture

7: File type with magic number ending in 'SCCA' (54%)

Prefetch file

Page 13: CNS 320 Week8 Lecture

Data in .pf file

File Signature (beginning of file)

XP: \x11\x00\x00\x00\x53\x43\x43\x41 (....SCCA)

Vista/7: \x17\x00\x00\x00\x53\x43\x43\x41 (....SCCA)

Contains paths of all files & folders accessed by the program in the first 10 seconds

Create time indicates when executable was first run

Mod date & internal FILETIME indicate last run time

Run Count

Volume path & serial # for all files referenced

Prefetch\Layout.ini contains path information

File Size: 4-byte quantity at offset 0x000c

Page 14: CNS 320 Week8 Lecture

8: Jumplist Contents

Shortcut files (.LNK)

Page 15: CNS 320 Week8 Lecture

Windows 7 Jump Lists

Custom Destinations

<profile>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<AppID>.customDestinations-ms

File contains embedded .LNK files which can be carved out (begins with LNK header \x4c\x00\x00\x00\x01\x14\x02, size is 4 bytes at offset 34h) and analyzed

Automatic Destinations

<profile>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<AppID>.automaticDestinations-ms

Contained data is stored using Structured Storage Format, and can be parsed using MiTeC's Structured Storage Viewer, from which .LNK files can be exported directly

Lists may contain up to several hundred items, though the user only sees a few
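The signatures on Page 7 (event logs), Page 13 (prefetch) and Page 15 (embedded .LNK files) are all fixed byte strings at fixed offsets, so one small identifier covers them. The following is an added example, not code from the lecture; every sample buffer it builds is constructed to carry just the signature and size fields the slides describe, and the .LNK "size" it reports is simply the 4-byte field at offset 34h that the slide names:

```python
# Added example (not from the lecture): recognise the artifact types from the
# Week 8 quiz review by their magic numbers and read the size fields whose
# offsets the slides give. All sample buffers below are constructed.
import struct

EVT_MAGIC = b"LfLe"                           # .evt: bytes 4-8 of the file and of each record
EVTX_MAGIC = b"\x2a\x2a\x00\x00"               # .evtx: first 4 bytes, "**" then two nulls
PF_MAGIC = b"SCCA"                             # prefetch: bytes 4-8, after a version dword
PF_VERSIONS = {0x11: "XP", 0x17: "Vista/7"}    # version dword values from the slide
LNK_HEADER = b"\x4c\x00\x00\x00\x01\x14\x02"   # start of an embedded .LNK file


def identify(buf: bytes) -> dict:
    """Classify a buffer by the signatures on the slides; add fields we know how to read."""
    if buf[:4] == EVTX_MAGIC:
        return {"type": "evtx"}
    if buf[4:8] == EVT_MAGIC:
        return {"type": "evt"}
    if buf[4:8] == PF_MAGIC and len(buf) >= 0x10:
        version = struct.unpack_from("<I", buf, 0)[0]
        file_size = struct.unpack_from("<I", buf, 0x0C)[0]      # 4-byte size at offset 0x000c
        return {"type": "prefetch",
                "windows": PF_VERSIONS.get(version, "unknown (0x%x)" % version),
                "file_size": file_size}
    if buf[:7] == LNK_HEADER and len(buf) >= 0x38:
        size_field = struct.unpack_from("<I", buf, 0x34)[0]     # 4-byte size field at 34h
        return {"type": "lnk", "size_field": size_field}
    return {"type": "unknown"}


def carve_lnk_offsets(blob: bytes) -> list:
    """Offsets of every embedded .LNK header in a *.customDestinations-ms blob."""
    offsets, pos = [], blob.find(LNK_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(LNK_HEADER, pos + 1)
    return offsets


# Constructed samples: just enough bytes to carry the signature and size fields.
def sample_prefetch(version: int = 0x17, size: int = 4096) -> bytes:
    return struct.pack("<I", version) + PF_MAGIC + b"\x00" * 4 + struct.pack("<I", size) + b"\x00" * 16


def sample_evt() -> bytes:
    return struct.pack("<I", 0x30) + EVT_MAGIC + b"\x00" * 40   # constructed leading dword, then LfLe


def sample_evtx() -> bytes:
    return EVTX_MAGIC + b"\x00" * 12


def sample_custom_destinations() -> bytes:
    lnk = LNK_HEADER + b"\x00" * (0x34 - 7) + struct.pack("<I", 1234) + b"\x00" * 8   # 64 bytes
    return b"\xff" * 10 + lnk + b"\xee" * 5 + lnk


if __name__ == "__main__":
    for name, buf in [("prefetch", sample_prefetch()), ("evt", sample_evt()), ("evtx", sample_evtx())]:
        print(name, identify(buf))
    print("embedded .LNK at", carve_lnk_offsets(sample_custom_destinations()))
```

Run it as a script to see each classification; on a real customDestinations-ms file, feed the whole file to `carve_lnk_offsets` and hand each slice starting at a reported offset to whatever .LNK parser you already use.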

Page 16: CNS 320 Week8 Lecture

9 [Bonus]: Sector/byte offset (8%)

512 is the sector size (not the cluster size – a bunch of people made this mistake)

What's a sector (anybody?)

Sector is the minimum disk access/allocation unit

What's a cluster (anybody?)

Cluster is the minimum filesystem access/allocation unit

mmls returns volume/partition offset in sectors from beginning of disk

mount command requires volume/partition offset in bytes from beginning of disk

Page 17: CNS 320 Week8 Lecture

Material for this week

A few more words about Volume Shadow Copies

Internet Explorer Browser Forensics

Page 18: CNS 320 Week8 Lecture

Volume Shadow Copy Service

When a VSC is created, all Windows does is allocate a place to save overwritten disk clusters

Subsequently, whenever a cluster is written (but only if it hasn't been written to since the VSC was created) that cluster is first copied into this VSC area by the VSCS

So the VSC will always contain an old copy of all clusters that have been written at least once since the VSC was created

Page 19: CNS 320 Week8 Lecture

Viewing VSCs

When we do the mklink to point at the VSC, we're doing a virtual mount trick similar to what we do to examine images in the SIFT Kit

Windows virtually substitutes back all the old copies of overwritten clusters in that view

So the disk (except for the VSC area itself?) now appears exactly as it did when the VSC was created

Consider though: What happens if the VSCS is disabled for some period of time?
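The copy-on-write rule on Pages 18 and 19 (save a cluster only on its first write after the VSC was created, then substitute the saved clusters back when viewing) is easiest to see in a toy model. The following is an added example, not code from the lecture; its "volume" is a Python list of cluster contents and its diff area a dictionary, which is all that is needed to show which clusters get saved and what the virtual view returns:

```python
# Added example (not from the lecture): a toy model of the copy-on-write
# behaviour the VSC slides describe. "Clusters" are just list entries.
class ShadowCopyVolume:
    def __init__(self, clusters):
        self.clusters = list(clusters)   # live contents, indexed by cluster number
        self.vsc = None                  # diff area: {cluster number: contents before first write}

    def create_vsc(self):
        # Creating a VSC only reserves the diff area; nothing is copied yet.
        self.vsc = {}

    def write(self, index, data):
        # Copy-on-write: the old contents are saved only on the first write to a
        # cluster since the VSC was created; later writes to that cluster save nothing.
        if self.vsc is not None and index not in self.vsc:
            self.vsc[index] = self.clusters[index]
        self.clusters[index] = data

    def view_vsc(self):
        # The "virtual mount": substitute the saved old clusters back into the live view.
        if self.vsc is None:
            raise RuntimeError("no shadow copy exists")
        return [self.vsc.get(i, live) for i, live in enumerate(self.clusters)]


def demo():
    """Return (view as of VSC creation, live contents, diff area) after a few writes."""
    vol = ShadowCopyVolume(["a0", "b0", "c0", "d0"])
    vol.create_vsc()
    vol.write(1, "b1")
    vol.write(1, "b2")     # second write to cluster 1: nothing more is saved
    vol.write(2, "c1")
    return vol.view_vsc(), list(vol.clusters), dict(vol.vsc)


if __name__ == "__main__":
    view, live, diff = demo()
    print("VSC view:", view)       # a0 b0 c0 d0: exactly as at creation time
    print("live    :", live)       # a0 b2 c1 d0
    print("diff    :", diff)       # only clusters 1 and 2 were ever saved
```

Note that cluster 3, never written, is absent from the diff area and is read from the live volume when the VSC is viewed; the view is only as good as the set of writes that were intercepted, which is the point of the question the slide closes with.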

Page 20: CNS 320 Week8 Lecture

Browser Forensics

Internet Explorer (6-9)

Includes anything that uses the WinInet API

Technically goes back to version 3, but I'm not going to torture you with Windows 3.1, 95, or NT

FireFox (1.5-10)

Safari (3-5) [older versions Mac only]

Chrome (1-18)

Opera (2-11)

Page 21: CNS 320 Week8 Lecture

Market share as of January 2012

Internet Explorer 20.1%

Firefox 37.1%

Chrome 35.3%

Safari 4.3%

Opera 2.4%

Historically, IE & Firefox have dominated

Page 22: CNS 320 Week8 Lecture

Displayed Media Types

Text

HTML (3-5)

Images (GIF, JPG, PNG, BMP)

Video (MPEG, Flash)

Plugins for virtually anything

Page 23: CNS 320 Week8 Lecture

Common Artifacts (Implemented Differently)

Opaque to most people:

Cache

Cookies

Auto-Complete

Well known (and so likely to be removed):

History

Bookmarks

Download Folders

Recovery Data

Suggested Sites

Page 24: CNS 320 Week8 Lecture

Questions we may be able to answer

What sites were visited?

How many times?

When? (last, others)

What sites were saved by the user?

What files were downloaded?

What usernames & credentials were used?

What searches did the user run?

What information did the user exchange with the site?

Page 25: CNS 320 Week8 Lecture

Viewing Hidden Files

There are lots of hidden files and folder structures in Windows

Like with the registry, monkeying around in these locations can break things

To view these:

Open Folder Options Control Panel

Select 'Show Hidden files and folders'

Uncheck 'Hide protected OS files'

Don't forget and accidentally delete

Page 26: CNS 320 Week8 Lecture

Internet Explorer

6.0 – Released with XP. Well past its sell-by date, yet still encountered frequently, especially in corporate environments

7.0 – Released on Vista (won't run on Win2K)

8.0 – Released on Win7

9.0 – Won't run on XP. Last to use common db (index.dat) format

10.0 – Released on Win8. Whole new ballgame

Later versions have significant differences

Page 27: CNS 320 Week8 Lecture

Artifact Locations for IE (XP)

Bookmarks/Favorites: <profile>\Favorites

History: <profile>\Local Settings\History\History.IE5

Cache: <profile>\Local Settings\Temporary Internet Files\Content.IE5

Cookies: <profile>\Cookies

Downloads: <profile>\Downloads

Page 28: CNS 320 Week8 Lecture

Artifact Locations for IE (Vista/Win7)

Bookmarks/Favorites: <profile>\Favorites

Cookies:
<profile>\AppData\Roaming\Microsoft\Windows\Cookies
<profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low

History:
<profile>\AppData\Local\Microsoft\Windows\History\History.IE5
<profile>\AppData\Local\Microsoft\Windows\History\Low\History.IE5

Cache:
<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low

Downloads: <profile>\Downloads

Page 29: CNS 320 Week8 Lecture

A word about profile locations

Not always in C:\Documents and Settings

Registry-configurable default profile locations. Check the following values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

Default

Public

ProfilesDirectory

Builtin account profiles such as System are under various %Windir% folders

Windows\System32\Config

Page 30: CNS 320 Week8 Lecture

Index.dat Files

Binary format unchanged since IE 4

Different files use the same name & format, but store different data

Index.dat files exist in multiple places for tracking of:

History

Cookies

Cache Data

Difficult to remove because always locked, but IE settings can clear entries

File Signature: "Client UrlCache MMF Ver 5.2"

Four-byte file size starting at byte 28

Page 31: CNS 320 Week8 Lecture

Index.dat Record Types

Four types of record are known

URL - Indicate URIs that were actually requested

REDR - Indicate browser was redirected to another site

HASH - Hash indexes of the contents of the index.dat file (not useful)

LEAK – Result of attempt to delete entry while associated cache file is open (other mechanisms possible)

Page 32: CNS 320 Week8 Lecture

Index.dat Record Header Format

Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128-byte blocks in record

Page 33: CNS 320 Week8 Lecture

Index.dat Timestamps

According to some sources:

Modified time should be when web server last updated file

Accessed time should be when file last downloaded

However, actual timestamp usage varies depending on exactly what kind of index.dat file the data is contained within

Page 34: CNS 320 Week8 Lecture

IE History

XP Location:

<profile>\Local Settings\History\History.IE5

Vista/Win7 Location:

<profile>\AppData\Local\Microsoft\Windows\History\History.IE5

<profile>\AppData\Local\Microsoft\Windows\History\Low\History.IE5

(we'll get to why you can't see this folder normally in a minute)

Page 35: CNS 320 Week8 Lecture

IE History

Designed for URL autocompletion

Tracks all user browsing history for last 20 days by default

If browsing history set to 0 days, still kept, but deleted on system shutdown or next day

Also tracks Explorer access to local files

For each URL or file, tracks last access timestamp & number of times accessed

Page 36: CNS 320 Week8 Lecture

Apparent History Folder is Actually a Windows Construct

Page 37: CNS 320 Week8 Lecture

Virtual History Folder

Shows Human-Readable Content

Folders or individual entries can be manipulated/deleted directly

Changes made here are propagated to the underlying index.dat files by Windows

Last Accessed time shown is in local system timezone

Page 38: CNS 320 Week8 Lecture

Virtual History Subfolders

Page 39: CNS 320 Week8 Lecture

The Real History Folder

Page 40: CNS 320 Week8 Lecture

Under the History Folder

Page 41: CNS 320 Week8 Lecture

Actual History Contents

Master index.dat file under History.IE5

Daily, Weekly, or (potentially) Monthly index.dat files under other folders

Folders are named according to the date span covered by the contained file

After the 6th day, aggregate daily history content is rolled up into a weekly file

Actual files and folders cannot be seen in Windows GUI on live system, but can from the command line using 'dir /a'

Page 42: CNS 320 Week8 Lecture

Index.dat Record (URL History)

Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)

Page 43: CNS 320 Week8 Lecture

History Record Timestamp Meanings

Location of index.dat   1st Date (Record offset 9)        2nd Date (Record offset 17)
History.IE5             Last visited time (GMT)           Last visited time (GMT)
Daily History           Last visited time (LOCAL TIME)    Last visited time (GMT)
Weekly History          Last visited time (LOCAL TIME)    Index.dat file created time (GMT)

Page 44: CNS 320 Week8 Lecture

IE Cache

XP Location:

<profile>\Local Settings\Temporary Internet Files\Content.IE5

Vista/Win7 Location:

<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low

(Another of these invisible folders)

Page 45: CNS 320 Week8 Lecture

IE Cache

Exists to speed up access by using previously obtained local copies of content which has not altered since accessed

Not all entries are supposed to be cached (SSL, no-store), but IE6 used to cache a lot of content it shouldn't have

Also, the RFCs never formally stated SSL should not be cached

Can include references to entries that have been removed in the meantime

Cleared entries are wiped more effectively by IE7 and later

Page 46: CNS 320 Week8 Lecture

A word about cache usage…

Some RFCs & Microsoft specifications clearly define what is supposed to be cached

RFC2616 (HTTP 1.1): cache-response-directive = no-store

RFC1945 (HTTP 1.0): entries past expiration date not cached (less clear)

MS: INTERNET_FLAG_DONT_CACHE, or INTERNET_FLAG_NO_CACHE_WRITE

Developers sometimes misinterpret the meaning of the specifications

For instance, 'no-cache' (HTTP 1.1) and 'Pragma: no-cache' (HTTP 1.0) don't mean 'do not cache'. Both mean 'send request for content even if cached'

Older browser versions were very bad at properly interpreting and enforcing these specifications because of this

Page 47: CNS 320 Week8 Lecture

IE Cache Size

IE6 – Default is 10% of system drive

IE7 – 50MB, increasable to 250MB

Page 48: CNS 320 Week8 Lecture

Another Virtual Folder

Page 49: CNS 320 Week8 Lecture

The Real Deal

Page 50: CNS 320 Week8 Lecture

Cache Subfolders

Page 51: CNS 320 Week8 Lecture

Cache Artifacts

Index.dat file under Content.IE5

Semirandomly named subfolders contain files with cached content

Contain entries for cacheable URLs visited, each of which references a file that may or may not still exist

Original filename with bracketed instance number before .ext

Folders added in groups of four (if not, investigate why; could be a data hiding location)

Page 52: CNS 320 Week8 Lecture

FYI: Other Temporary Internet Folders

Subfolders (Not thoroughly researched)

AntiPhishing

Content.MSO – Not sure… Local copy from external document linking in Office?

Content.Outlook – Attachment files opened directly in Outlook

Content.Word – Tempfiles created when Word used as editor for Outlook

OLK5432 – Unknown

Others?

Page 53: CNS 320 Week8 Lecture

Index.dat Record (Cache URL)

Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
92      4     Last Checked FATTIME

Page 54: CNS 320 Week8 Lecture

FATTIME

Offset  Size  Description
0       2     date
2       2     time

In little-endian the 16-bit date value corresponds to:

Offset        Size    Description
Bit 0 (LSB)   5 bits  Day of the month
Bit 5         4 bits  Month (0x01 => January)
Bit 9         7 bits  Year (0x00 => 1980)

In little-endian the 16-bit time value corresponds to:

Offset        Size    Description
Bit 0 (LSB)   5 bits  Seconds, in 2-second intervals
Bit 5         6 bits  Minutes
Bit 11        5 bits  Hours

Page 55: CNS 320 Week8 Lecture

Cache Timestamps from Index.dat

Modified: When content last saved to cache file (UTC)

Accessed: When content last viewed in browser (UTC)

Expiration: Set by server to ensure content retrieved again if accessed after specified date (UTC)

Last Checked: When site last compared to cache. By default, same as last access, but modified browser settings could prevent recheck (UTC)

Page 56: CNS 320 Week8 Lecture

IE Cookies

XP Location:

<profile>\Cookies

Vista/Win7 Location:

<profile>\AppData\Roaming\Microsoft\Windows\Cookies

<profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low

Page 57: CNS 320 Week8 Lecture

IE Cookies

Cookies exist to add state information to web browser sessions

Not all sites use them

Small text files (persistent cookies)

Session cookies in memory only

Included data:

Issuing website

Account on that site

NTFS FILETIMEs

Website-specific data in cookie

Some cookie data is encrypted & some is not

Page 58: CNS 320 Week8 Lecture

Index.dat Record (Cookie URL)

Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128-byte blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
84      4     Hits
92      4     Last Checked FATTIME

Page 59: CNS 320 Week8 Lecture

Cookie Index.dat Data (all times UTC)

Last Accessed: Last time cookie uploaded

Last Modified: Last time website modified cookie

Last Checked: Last time cookie expiration was checked

Expiration: Date after which cookie will no longer be accepted

Hits: How many times cookie was uploaded
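The record layouts on Pages 32, 42, 53 and 58 and the FATTIME bit layout on Page 54 are enough to pull the documented timestamps out of any of the three index.dat flavours. The following is an added example, not code from the lecture: it checks the file signature and the size field at byte 28, walks the file in 128-byte steps looking for the four record signatures (the "URL" signature is padded with a space to fill 4 bytes), and decodes the FILETIME and FATTIME fields at the offsets each slide lists, adding the Hits field only for cookie files. The two-block sample file it parses is constructed, and the record-walking strategy (scan every 128-byte boundary rather than follow a header table the slides do not describe) is my choice:

```python
# Added example (not from the lecture): parse index.dat record headers and
# timestamps using the layouts from the record-format and FATTIME slides.
# The sample file is constructed; only the fields the slides document are read.
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128
FILE_SIGNATURE = b"Client UrlCache MMF Ver 5.2"
RECORD_SIGNATURES = (b"URL ", b"REDR", b"HASH", b"LEAK")   # 4 bytes each; "URL" padded with a space
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns units since 1601-01-01 UTC. Zero means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def fattime_to_datetime(raw):
    """4-byte FATTIME: little-endian 16-bit date then 16-bit time, bit layout per the slide."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    day, month, year = date & 0x1F, (date >> 5) & 0x0F, 1980 + (date >> 9)
    seconds, minutes, hours = (time & 0x1F) * 2, (time >> 5) & 0x3F, time >> 11
    return datetime(year, month, day, hours, minutes, seconds)     # naive: FATTIME carries no zone


def parse_header(buf):
    return {"signature_ok": buf.startswith(FILE_SIGNATURE),
            "file_size": struct.unpack_from("<I", buf, 28)[0]}    # 4-byte size at byte 28


def parse_record(buf, off, kind):
    """kind is 'history', 'cache' or 'cookie'; each adds the fields its slide lists."""
    sig = buf[off:off + 4]
    nblocks = struct.unpack_from("<I", buf, off + 4)[0]
    rec = {"signature": sig.decode("ascii").strip(), "offset": off, "length": nblocks * BLOCK}
    if sig != b"URL ":
        return rec                                  # REDR/HASH/LEAK: header only
    modified, accessed = struct.unpack_from("<QQ", buf, off + 8)
    rec["last_modified"] = filetime_to_datetime(modified)
    rec["last_accessed"] = filetime_to_datetime(accessed)
    if kind in ("cache", "cookie"):
        rec["expiration"] = fattime_to_datetime(buf[off + 24:off + 28])
        rec["last_checked"] = fattime_to_datetime(buf[off + 92:off + 96])
    if kind == "cookie":
        rec["hits"] = struct.unpack_from("<I", buf, off + 84)[0]
    return rec


def iter_records(buf, kind):
    """Walk the file in 128-byte steps and yield every record with a known signature."""
    off = BLOCK                                     # skip the header block
    while off + 8 <= len(buf):
        if buf[off:off + 4] in RECORD_SIGNATURES:
            rec = parse_record(buf, off, kind)
            yield rec
            off += max(rec["length"], BLOCK)        # a zero block count must not stall the walk
        else:
            off += BLOCK


def build_sample_cookie_index():
    """Constructed two-block file: header block plus one cookie URL record."""
    header = bytearray(BLOCK)
    header[:len(FILE_SIGNATURE)] = FILE_SIGNATURE
    struct.pack_into("<I", header, 28, 2 * BLOCK)
    rec = bytearray(BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 4, 1)                   # one 128-byte block
    accessed = datetime(2012, 2, 10, 12, 0, tzinfo=timezone.utc)
    struct.pack_into("<QQ", rec, 8, datetime_to_filetime(accessed - timedelta(days=1)),
                     datetime_to_filetime(accessed))
    struct.pack_into("<HH", rec, 24, 0x4221, 0x0000)   # expiration: 2013-01-01 00:00:00
    struct.pack_into("<I", rec, 84, 7)                  # hits
    struct.pack_into("<HH", rec, 92, 0x404A, 0x6000)    # last checked: 2012-02-10 12:00:00
    return bytes(header + rec)


if __name__ == "__main__":
    data = build_sample_cookie_index()
    print(parse_header(data))
    for record in iter_records(data, "cookie"):
        print(record)
```

For a History.IE5 file pass `kind="history"` and remember from Page 43 that the daily and weekly files store the first FILETIME in local time, so the UTC conversion above only applies to the master file's two dates and to the second date elsewhere.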

Page 60: CNS 320 Week8 Lecture

An aside about cookies in general

I put this in the IE section simply because cookie data is so easy to get at there.

Other browsers typically use storage methodologies that require more effort to extract data from.

Page 61: CNS 320 Week8 Lecture

Interesting Cookie Contents

Google Analytics cookies are used by many sites to track access

Lots of sites use completely custom cookie data or encrypt it, but always take a look. You may be surprised what you can find there.

I've seen an example of Mapquest.com actually storing unencrypted location history (physical addresses) there.

Page 62: CNS 320 Week8 Lecture

Sample Google Analytics Cookies (from a file named 6B36WGQG.txt)

__utma
12495090.2011220730.1328875187.1328875187.1328875187.1
w.dilbert.com/
1600
1827382528
30352782
2075877424
30205931
*

__utmb
12495090.1.10.1328875187
w.dilbert.com/
1600
2889898240
30205935
2075877424
30205931
*

__utmz
12495090.1328875187.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
w.dilbert.com/
1600
935429376
30242644
2075407424
30205931
*

Page 63: CNS 320 Week8 Lecture

__utma (Timestamps in UNIX Epoch Time)

Contents similar to XXXX.RRRR.FFFF.PPPP.CCCC.N

XXXX – Hash of client's domain

RRRR – Random unique ID for client

FFFF – Date of first visit to site (probably following the last clear of cookies)

PPPP – Timestamp of previous (last) visit

CCCC – Current timestamp

N – Number of sessions since first visit (Incremented each time new session started after first)

Page 64: CNS 320 Week8 Lecture

__utmb

Contents similar to XXXX.P.10.C

XXXX = The Domain Hash

P = Pages of the site viewed in most recent session

C = Timestamp of most recent session

Page 65: CNS 320 Week8 Lecture

__utmz

Contents similar to XXXX.TTTT.V.S.utmcsr{source}|utmccn{campaign}|utmcmd{medium}|utmctr{keyword}

XXXX – Hash of client's domain

TTTT – Timestamp when cookie last set

V – Total visitor sessions (supposed to be the same as last # in __utma)

S – Count of different referrers followed to this site

utmcsr{source} – Last referrer domain

utmccn{campaign} – Ad followed if any

utmcmd{medium} – Search channel information (paid ad, etc.)

utmctr{keyword} – Search term used to find site
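Pages 62 to 65 give both a concrete cookie file and the field meanings for __utma, __utmb and __utmz, so the decoding can be shown end to end. The following is an added example, not code from the lecture. The cookie values are the ones from the Page 62 sample; the field order I assume for each block of the IE cookie .txt file (name, value, host/path, flags, expiry FILETIME low and high words, creation FILETIME low and high words, then a line holding "*") is my reading of that sample and is not stated on the slides. The decoded timestamps are the check: the epoch timestamp 1328875187 inside the cookies and the creation FILETIME in the surrounding record should land within seconds of each other, and a __utma expiry should sit two years after creation.

```python
# Added example (not from the lecture): decode the three Google Analytics
# cookies and the IE cookie .txt record they sit in. Cookie values come from
# the "Sample Google Analytics Cookies" slide; the .txt field order is assumed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def epoch_to_datetime(text):
    return datetime.fromtimestamp(int(text), timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_utma(value):
    """XXXX.RRRR.FFFF.PPPP.CCCC.N"""
    x, r, f, p, c, n = value.split(".")
    return {"domain_hash": x, "visitor_id": r, "first_visit": epoch_to_datetime(f),
            "previous_visit": epoch_to_datetime(p), "current_visit": epoch_to_datetime(c),
            "sessions": int(n)}


def parse_utmb(value):
    """XXXX.P.10.C"""
    x, p, _, c = value.split(".")
    return {"domain_hash": x, "pages_this_session": int(p), "session_start": epoch_to_datetime(c)}


def parse_utmz(value):
    """XXXX.TTTT.V.S.utmcsr=...|utmccn=...|utmcmd=...[|utmctr=...]"""
    x, t, v, s, params = value.split(".", 4)          # maxsplit keeps dots inside the source domain
    campaign = dict(item.partition("=")[::2] for item in params.split("|"))
    return {"domain_hash": x, "set_at": epoch_to_datetime(t), "sessions": int(v),
            "referrers": int(s), "campaign": campaign}


GA_PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}


def parse_ie_cookie_txt(text):
    """Split an IE cookie .txt file into records, each terminated by a line holding '*'."""
    records, fields = [], []
    for line in text.splitlines():
        if line.strip() == "*":
            if len(fields) >= 8:
                records.append(_cookie_record(fields))
            fields = []
        elif line.strip():
            fields.append(line.strip())
    return records


def _cookie_record(f):
    name, value, hostpath, flags, exp_lo, exp_hi, cr_lo, cr_hi = f[:8]
    rec = {"name": name, "value": value, "host_path": hostpath, "flags": int(flags),
           "expires": filetime_to_datetime((int(exp_hi) << 32) | int(exp_lo)),   # assumed low/high split
           "created": filetime_to_datetime((int(cr_hi) << 32) | int(cr_lo))}
    if name in GA_PARSERS:
        rec["decoded"] = GA_PARSERS[name](value)
    return rec


def sample_cookie_txt():
    """The __utma record from the slide's 6B36WGQG.txt sample."""
    return ("__utma\n12495090.2011220730.1328875187.1328875187.1328875187.1\n"
            "w.dilbert.com/\n1600\n1827382528\n30352782\n2075877424\n30205931\n*\n")


if __name__ == "__main__":
    for rec in parse_ie_cookie_txt(sample_cookie_txt()):
        print(rec["name"], "created", rec["created"], "expires", rec["expires"])
        print(rec["decoded"])
```

Both clocks agree to within a second (the cookie's 1328875187 is 2012-02-10 11:59:47 UTC and the record's creation FILETIME decodes to the same minute), which is the kind of cross-check that tells you the assumed field order is right before you trust it on an unfamiliar file.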

Page 66: CNS 320 Week8 Lecture

IE Favorites (<profile>\Favorites)

Stored as .URL files

Contains complete target URL

File timestamps show creation, last written, and last accessed times

It's also possible to 'import' favorites from other sources, so timestamps may reflect that instead of their actual creation by the user

Page 67: CNS 320 Week8 Lecture

IE Downloads

Often saved to default locations

XP default download folder defined by registry value HKCU\Software\Microsoft\Internet Explorer\Download Directory

Defaults to the user's desktop

Vista/Win7 uses <profile>\Downloads\ as default

If file opened rather than saved, temp copy created in IE cache folder, never cleaned unless manually

IE9 has separate index.dat for downloads

Page 68: CNS 320 Week8 Lecture

IE Auto-Complete (other than history)

Typed URLs registry key maintains list of last 25 URLs typed by the user

HKU\*\Software\Microsoft\Internet Explorer\TypedURLs

Page 69: CNS 320 Week8 Lecture

Typed URLs (Or Pasted…)

#1 is most recent

Page 70: CNS 320 Week8 Lecture

IE Auto-Complete (other than history)

Protected Storage (IE4-6; Also used by Outlook Express & MSN Explorer)

Form Autofill Field Data

Accounts & Passwords (Web, FTP, Others) [checkbox]

Encrypted on disk but not in memory. Trivial to acquire from live system, & crackable from a dead one

(IE4-6) HKU\*\Software\Microsoft\Protected Storage System Provider\<SID>

(IE7+) HKU\*\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Encrypted – But key is name of website

Page 71: CNS 320 Week8 Lecture

A note about found passwords

These are great for using in cracking attempts against encrypted files since people often reuse the same passwords elsewhere

You will rarely be authorized to log into the other accounts referenced

You can provide usernames to legal for subpoena generation from other account providers

Page 72: CNS 320 Week8 Lecture

Changes in Vista/Win7

As mentioned previously, file locations have changed

'Protected Mode' web browsing is performed as an unprivileged user

This is where the 2nd 'Low' filename comes from in the various file artifacts

There are two sets because not all operations use Protected Mode

IE7-9 all support Protected Mode on Vista/Win7

Page 73: CNS 320 Week8 Lecture

Changes in IE7

New Security Features

Move away from 'Protected Storage' use

Added the 'Delete All' button to clear browser artifacts

Combines four different operations under IE6

When clearing entries, IE6 did a poor job of cleaning out index.dat records. IE7 does a more thorough job, but some records can still be retrieved.

Page 74: CNS 320 Week8 Lecture

Changes in IE8/9

New Artifacts

Recovery Folders

Suggested Sites

DOM Storage

New Security Options

InPrivate Browsing Mode reduces artifacts for specified sessions

'Empty Temporary Internet Files folder when browser is closed' option

'Delete browsing history on exit' option

Page 75: CNS 320 Week8 Lecture

IE8/9 Automatic Crash Recovery

Complete activity tracking for current & previous session

Enabled by default (even in InPrivate Mode). Deleted (but often recoverable) when History cleared

Information tracked:

Tabs Open

List of websites viewed in each tab, with referrers for each

Session end time

Time each tab was opened (Only if a crash occurred or if for some other reason files are still present in the Active folder)

Code from the page

Form data & Other artifacts

Page 76: CNS 320 Week8 Lecture

IE8/9 Crash Recovery Folders

XP (IE8 Only)

<profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active

<profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\LastActive

Vista/Win7

Current: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active

Previous: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active

Files have .dat extension & are stored in Structured Storage Format

Like Jump Lists, can be examined using MiTeC Structured Storage Viewer

Page 77: CNS 320 Week8 Lecture

Tab Title & Last Site Viewed

Page 78: CNS 320 Week8 Lecture

Recovery Files in MiTeC SSV

Each TL# stream is a different site visited in this tab. Each includes the following data in unicode (complete format not well understood):

Full path & Referring path

Page code to reconstruct

Form data and other data, possibly including passwords

TravelLog contains forward/back button use, but there's no reference for the format

Page 79: CNS 320 Week8 Lecture

Structured Storage Format

File signature: D0CF11E0A1B11AE1

No easy way to find the total size of the file

Can still carve, just allow larger than expected file size
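As an added example (not from the lecture), a Python carver that picks the "larger than expected" size in a principled way: the header's sector size and FAT sector count give an upper bound on the file length, so the carve never stops short. The header field offsets come from the public MS-CFB layout, not from the slide, and the image bytes are constructed.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # signature from the slide
CFB_HEADER_LEN = 512                              # the header is always 512 bytes

def cfb_max_size(header):
    """Upper bound on a compound file's length from the header alone.
    Offsets follow the public MS-CFB header layout (assumed, not on the slide):
    uint16 sector shift at 0x1E, uint32 FAT sector count at 0x2C. Every sector
    needs a FAT entry and a FAT sector holds sector_size/4 of them, so unused
    entries make this an upper bound: the 'larger than expected' carve size."""
    if len(header) < CFB_HEADER_LEN or header[:8] != CFB_MAGIC:
        raise ValueError("not a compound file header")
    (sector_shift,) = struct.unpack_from("<H", header, 0x1E)
    (fat_sectors,) = struct.unpack_from("<I", header, 0x2C)
    if sector_shift not in (9, 12):               # only 512- and 4096-byte sectors exist
        raise ValueError("implausible sector shift %d" % sector_shift)
    sector_size = 1 << sector_shift
    return sector_size + fat_sectors * (sector_size // 4) * sector_size

def carve_cfb(image):
    """Yield (offset, data) for every signature hit, carving up to the bound.
    The bound is generous, so carves may overlap: scanning resumes right after
    each signature, not after the carved region, so no later file is skipped."""
    pos = image.find(CFB_MAGIC)
    while pos != -1:
        try:
            length = cfb_max_size(image[pos:pos + CFB_HEADER_LEN])
        except ValueError:
            length = 0                            # false positive or cut-off header
        if length:
            yield pos, image[pos:pos + length]    # slice truncates at image end
        pos = image.find(CFB_MAGIC, pos + len(CFB_MAGIC))

def build_fake_header(sector_shift, fat_sectors):
    """Constructed header for the demo; only the fields read above are set."""
    hdr = bytearray(CFB_HEADER_LEN)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<H", hdr, 0x1C, 0xFFFE)     # little-endian byte-order mark
    struct.pack_into("<H", hdr, 0x1E, sector_shift)
    struct.pack_into("<I", hdr, 0x2C, fat_sectors)
    return bytes(hdr)

# Constructed "image": junk, a 512-byte-sector file, junk, a 4096-byte-sector file.
IMAGE = (b"\xAA" * 1000 + build_fake_header(9, 1) + b"\x11" * 3000
         + b"\xBB" * 777 + build_fake_header(12, 2) + b"\x22" * 100)
```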

Page 80: CNS 320 Week8 Lecture

Site & Referrer

Page 81: CNS 320 Week8 Lecture

IE8/9 Suggested Sites

Opt-in or out at install time

Data located in <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat

Tracks all sites visited to suggest similar ones

Does not track local, HTTPS, or InPrivate browsing

Normally deleted when history is, but may get out of sync. May not be handled by 3rd party wiping utilities.

Page 82: CNS 320 Week8 Lecture

SuggestedSites.dat

Starts out 5M in size

Records include, in order:

URL of visited page (null terminated)

Title of visited page (null terminated)

URL of referring page (null terminated)

5 unknown bytes

Windows FILETIME when page visited

Could probably write a simple Perl or Python script to parse

Unknown binary format, so view with a hex editor

Didn't test this myself. All direct data from Internet sources
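The "simple Python script" the slide mentions, written here as an added example (not from the lecture) around the record layout it lists. ASCII string encoding and zero padding in the unused part of the preallocated file are my assumptions, and the sample bytes are constructed, not from a real SuggestedSites.dat.

```python
import struct
from datetime import datetime, timedelta, timezone

FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FT_EPOCH + timedelta(microseconds=ft // 10)

def read_cstring(buf, pos):
    """Null-terminated string at pos -> (text, next_pos). ASCII is an assumption."""
    end = buf.index(b"\x00", pos)                 # ValueError if no terminator
    return buf[pos:end].decode("ascii", errors="replace"), end + 1

def parse_record(buf, pos):
    """One record as the slide lists it: URL, title, referrer, 5 bytes, FILETIME."""
    url, pos = read_cstring(buf, pos)
    title, pos = read_cstring(buf, pos)
    referrer, pos = read_cstring(buf, pos)
    unknown = buf[pos:pos + 5]
    (ft,) = struct.unpack_from("<Q", buf, pos + 5)   # little-endian 64-bit FILETIME
    rec = {"url": url, "title": title, "referrer": referrer,
           "unknown": unknown.hex(), "visited": filetime_to_datetime(ft)}
    return rec, pos + 13

def parse_records(buf):
    """Walk records until zero padding (assumed) or a truncated tail is reached."""
    records, pos = [], 0
    while pos < len(buf):
        try:
            rec, pos = parse_record(buf, pos)
        except (ValueError, struct.error):
            break                                 # no terminator / short tail
        if rec["url"] == "":
            break                                 # reached unused padding
        records.append(rec)
    return records

def build_record(url, title, referrer, visited):
    """Constructed sample data only; not bytes from a real SuggestedSites.dat."""
    ft = int((visited - FT_EPOCH).total_seconds()) * 10_000_000
    return (b"\x00".join(s.encode("ascii") for s in (url, title, referrer))
            + b"\x00" + b"\x00" * 5 + struct.pack("<Q", ft))

SAMPLE = (build_record("http://www.example.com/", "Example Domain", "",
                       datetime(2012, 3, 15, 10, 30, tzinfo=timezone.utc))
          + build_record("http://www.example.com/page2", "Page 2", "http://www.example.com/",
                         datetime(2012, 3, 15, 10, 31, tzinfo=timezone.utc))
          + b"\x00" * 64)                         # zero padding like the real file
```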

Page 83: CNS 320 Week8 Lecture

IE8/9 InPrivate (Porn) Browsing Mode

When used, opens a new browser session that records & saves less data

No History data saved

All cookies treated as session cookies (No files created. Memory only)

Typed URL & form data not saved

Cache files are created, but deleted at end of session

Cache index.dat file may not be completely cleared

You may want to have your admins disable via group policy (can prevent history clearing too)

Page 84: CNS 320 Week8 Lecture

IE8/9 InPrivate (Porn) Browsing Mode

So what's left?

Recover deleted cache files

Session Recovery files (& deleted session recovery files)

Incompletely cleaned remnants from index.dat

Network traffic or proxy logs

Data from memory if you can get it

Page 85: CNS 320 Week8 Lecture

PrivacIE Index.dat Entries

NOT from InPrivate Browsing Mode sessions

Result of InPrivate Filtering enabled to prevent upload of tracking information

Page 86: CNS 320 Week8 Lecture

Brief Detour: IE Browser Extensions

BHOs

Flash

Java

Page 87: CNS 320 Week8 Lecture

IE Browser 'Helper' Objects

A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<CLSID>

Details of BHO under HKLM\SOFTWARE\Classes\CLSID\<CLSID>

Page 88: CNS 320 Week8 Lecture

Macromedia/Adobe Flash

Plugin for most web browsers

Effectively a separate application, but not installed like one

Lives in: C:\WINDOWS\system32\Macromed\Flash

Has a built-in scripting language: ActionScript

Can make independent web requests

Page 89: CNS 320 Week8 Lecture

Flash Cookies/Local Shared Objects

Potentially much larger than regular cookies

Not cleared when they are

.SOL file extension

Usually stored in folders under:

Vista/Win7: <profile>\AppData\Roaming\Macromedia\Flash Player

XP: <profile>\Application Data\Macromedia\Flash Player

Sometimes found in other locations

Until recent updates, no easy way to clear

Page 90: CNS 320 Week8 Lecture

Managing Flash Cookies

Until recent updates, these had to be managed via the website http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

Visits to this site can be an indication of attempted history removal

Now there's a 'Flash Player' control panel application

Page 91: CNS 320 Week8 Lecture

Information from Flash Cookies

User/website access (full folder path)

First/last access time (file timestamps)

Data stored by the site (may be encrypted)

Page 92: CNS 320 Week8 Lecture

Java Downloads

Another separate application, but potentially runs downloaded code

Applets are used as normal web content, but sandbox escape is easy on old versions, which are disturbingly common

Cache folder:

XP: <profile>\Application Data\Sun\Java\Deployment\cache\6.0

Vista/Win7: <profile>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6

Page 93: CNS 320 Week8 Lecture

Java Downloads

IDX files in this cache are Java applet cache indexes

Included data:

Filename

URL downloaded from

IP of source host

Last modified date

Downloaded date

Page 94: CNS 320 Week8 Lecture

Java Exploitability

Old versions of Java did not upgrade themselves, just installed new versions alongside the old ones

Web applications that knew the correct path to the old version could still access it.

There's lots of this still out there

Specific versions of Java install with many applications, and aren't necessarily upgraded because the security issues don't affect the applications they support

Page 95: CNS 320 Week8 Lecture

IE8/9 DOM Storage

HTML 5.0 equivalent to Flash Cookies

Located in XML files and Index.dat under:

XP: <profile>\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore

Vista/Win7: <profile>\AppData\Local\Microsoft\Internet Explorer\DOMStore

Page 96: CNS 320 Week8 Lecture

IE8/9 DOM Storage

Up to 10MB per user & per site for any data a site cares to cache. Examples include:

Preferences

Keywords

Visit tracking

Usernames

Offline files

Does not expire, but is cleared when cookies are

Prediction: In about ten years, HTML5 will be about like Java & Flash are now

Page 97: CNS 320 Week8 Lecture

Differences in IE 10

IE 10 Registry Keys: TypedURLsTime

IE 10 Files/Folders:

<profile>\appdata\roaming\microsoft\windows\cookies\low

<profile>\appdata\roaming\microsoft\windows\WebCacheV##\WebCacheV##.dat (ESE DB format)

No more index.dat. All old index.dat artifacts are stored in WebCacheV##.dat

Page 98: CNS 320 Week8 Lecture

Questions?