Brett Shavers & Ron Godfrey

The Internet Can Save Your Life http://www.ratemyeverything.net/post/1267/SURGERY_COM.aspx

What Good is Browser Forensics? Criminal Cases Show the jury what the suspect was searching for, looking at, downloading, and deleting on his computer. Civil Cases Show the boss or counsel what dirty deeds the former employee was doing with his bosses computer during work hours.

Criminal Cases

Show the jury what the suspect was searching for, looking at, downloading, and deleting on his computer.

Civil Cases

Show the boss or counsel what dirty deeds the former employee was doing with his bosses computer during work hours.

Internet Tech Email Newsgroups Short Message Service (SMS) AOL Instant Messaging, MSN Messenger, Yahoo! Pager Broadcast Media Real Audio, Real Video Distributed File Sharing (Peer to Peer) Remote access to shared files World Wide Web- Browsers Internet Relay Chat (IRC)

Email

Newsgroups

Short Message Service (SMS)

AOL Instant Messaging, MSN Messenger, Yahoo! Pager

Broadcast Media

Real Audio, Real Video

Distributed File Sharing (Peer to Peer)

Remote access to shared files

World Wide Web- Browsers

Internet Relay Chat (IRC)

Browsers Programs used to access internet web sites.

Programs used to access internet web sites.

The Evidence Server Side: Access logs, Error Logs, FTP Logs Intermediate Site Logs Firewall logs, Anti-virus server logs, spam filter logs, web filtering logs Client Side: Temporary Internet Files, index.dat, history.dat, cookies, favorites, html pages in un-allocated space We are focusing on the client side today.

Server Side:

Access logs, Error Logs, FTP Logs

Intermediate Site Logs

Firewall logs, Anti-virus server logs, spam filter logs, web filtering logs

Client Side:

Temporary Internet Files, index.dat, history.dat, cookies, favorites, html pages in un-allocated space

We are focusing on the client side today.

The Target OS Since Windows seems to run the world in OS’s, we’ll be talking mostly about artifacts found on Windows’ systems.

Since Windows seems to run the world in OS’s, we’ll be talking mostly about artifacts found on Windows’ systems.

Topics Internet Browsers Overview Mozilla Forensics Internet Explorer Forensics Chat Overview Chat Forensics This is not an internet investigations class, it’s web browser forensics!

Internet Browsers Overview

Mozilla Forensics

Internet Explorer Forensics

Chat Overview

Chat Forensics

This is not an internet investigations class, it’s web browser forensics!

Software Applications Commercial-ware Probably safe to use (virus free) Freeware/Shareware You are on your own (check and doublecheck what you use) We are not validating any freeware, but will be using several tools to illustrate some points.

Commercial-ware

Probably safe to use (virus free)

Freeware/Shareware

You are on your own (check and doublecheck what you use)

We are not validating any freeware, but will be using several tools to illustrate some points.

Internet Browsers

KHTML (KDE project) and WebKit-based browsers (Apple) ABrowse Web Browser for Android iCab Epiphany Konqueror LimeChat Midori OmniWeb Safari Web Browser for S60 Shiira Swift

ABrowse

Web Browser for Android

iCab

Epiphany

Konqueror

LimeChat

Midori

OmniWeb

Safari

Web Browser for S60

Shiira

Swift

Gecko-based browsers (developed by the Mozilla Foundation) Alefox Beonex Communicator Camino CompuServe DocZilla Epiphan Flock Galeo IceWease K-Meleon K-MeleonCC K-Ninja Kazehakase Madfox ManyOne Mozilla Firefox Netscape SeaMonkey Skipstone XeroBank Browser Deepnet

Alefox

Beonex Communicator

Camino

CompuServe

DocZilla

Epiphan

Flock

Galeo

IceWease

K-Meleon

K-MeleonCC

K-Ninja

Kazehakase

Madfox

ManyOne

Mozilla Firefox

Netscape

SeaMonkey

Skipstone

XeroBank Browser

Deepnet

Trident-based browsers (developed by Microsoft) AOL Explorer Altimit OS Web Browser Avant Browser Bento Browser Enigma Maxthon Slim Browser NeoPlanet NetCaptor Many other Internet Explorer shells Yahoo!Browser iRider Smart Bro

AOL Explorer

Altimit OS Web Browser

Avant Browser

Bento Browser

Enigma

Maxthon

Slim Browser

NeoPlanet

NetCaptor

Many other Internet Explorer shells

Yahoo!Browser

iRider

Smart Bro

Specialty browsers Flock Ghostzilla HeatSeek Songbird SpaceTime Wyzo Sometimes, even the intended purpose of the type of browser can give user intent! Ghostzilla-intention is to hide internet use. HeatSeek-intention is to seek online porn.

Flock

Ghostzilla

HeatSeek

Songbird

SpaceTime

Wyzo

Text Based Abaco Alynx cUR DosLynx ELinks Links Lynx Net-Tamer w3m WebbIE wget

Abaco

Alynx

cUR

DosLynx

ELinks

Links

Lynx

Net-Tamer

w3m

WebbIE

wget

Other browsers 3B Abaco Amaya Arachn AWeb Charon Emacs/W3 Gollum browser IBrowse Krozilo Mothra NetPositive NetSurf Oregano Planetweb Sleipnir Tkhtml VMS Mosaic Voyager

3B

Abaco

Amaya

Arachn

AWeb

Charon

Emacs/W3

Gollum browser

IBrowse

Krozilo

Mothra

NetPositive

NetSurf

Oregano

Planetweb

Sleipnir

Tkhtml

VMS Mosaic

Voyager

Keep this in mind… Be wary of pinning evidence on a user based solely on web activity. http://www.darkreading.com/document.asp?doc_id=144350&WT.svl=news1_1

Be wary of pinning evidence on a user based solely on web activity.

So test your findings! http://shiflett.org/blog/2007/jul/csrf-redirector Free Tool!!

A sneaky method of getting infected… False URLS Surfer searches for “computer forensics” in Google Surfer clicks on an Ad description (not the actual shown URL) The browser is sent to the malicious site, code installed in the browser and then redirected to the intended website All without the surfer knowing what happened…

False URLS

Surfer searches for “computer forensics” in Google

Surfer clicks on an Ad description (not the actual shown URL)

The browser is sent to the malicious site, code installed in the browser and then redirected to the intended website

All without the surfer knowing what happened…

* The above site is not malicious, just an example of how this works. This would be the false link that leads to the malware site before being redirected to the real site. This would be the real link. Tip: ALWAYS click the full link!

Do a Good Job! If you investigate Child Porn (CP) cases, do a good job to make what you find truly implicates the suspect, if that is the case. If you don’t, they will get away with possessing and/or distributing CP. Then they will get more, and share more, and more kids will be abused to fulfill the increased demand, and those predators may eventually take a step beyond visual gratification and physically abuse kids themselves, and those kids may never recover, and they could turn out to be your kids, your brother’s kids, your sister’s kids, your neighbor’s kids, or my kids. If the suspect is guilty, make him go to jail by doing a good job. Disclaimer: Brett’s opinion and soapbox.

If you investigate Child Porn (CP) cases, do a good job to make what you find truly implicates the suspect, if that is the case.

If you don’t, they will get away with possessing and/or distributing CP. Then they will get more, and share more, and more kids will be abused to fulfill the increased demand, and those predators may eventually take a step beyond visual gratification and physically abuse kids themselves, and those kids may never recover, and they could turn out to be your kids, your brother’s kids, your sister’s kids, your neighbor’s kids, or my kids.

If the suspect is guilty, make him go to jail by doing a good job.

Disclaimer: Brett’s opinion and soapbox.

What are you looking for? Surfing history Typed URLS ( intention and knowledge ) Redirects Number of visits to particular sites ( intention and knowledge ) Bookmarks ( intention and knowledge ) Downloads Default download locations User defined download locations Files downloaded to default location and moved/copied to user defined location ( intention and knowledge ) Cookies Cache

Surfing history

Typed URLS ( intention and knowledge )

Redirects

Number of visits to particular sites ( intention and knowledge )

Bookmarks ( intention and knowledge )

Downloads

Default download locations

User defined download locations

Files downloaded to default location and moved/copied to user defined location ( intention and knowledge )

Cookies

Cache

The Two Big Players Internet Explorer Mozilla Firefox About 55% About 36%

Internet Explorer

Mozilla Firefox

Internet Explorer

IE File Storage IE stores data in the drive:Documents and Settingsuser profile folders (Win2k, XP) Drive:Windows folder (Win9x) Folders = Favorites, Cookies, History, and Temporary Internet Files Registry stores Typed URL’s, Passwords, and Protected Storage Information

IE stores data in the drive:Documents and Settingsuser profile folders (Win2k, XP)

Drive:Windows folder (Win9x)

Folders = Favorites, Cookies, History, and Temporary Internet Files

Registry stores Typed URL’s, Passwords, and Protected Storage Information

IE Cookies Cookies are individual files that contain time, date, and the depositing website information Cookies folder contains an index.dat file that tracks the cookie files within the folder

Cookies are individual files that contain time, date, and the depositing website information

Cookies folder contains an index.dat file that tracks the cookie files within the folder

IE History History tracks the websites visited by the user and includes date/time info History folder contains a master index.dat file that tracks the History The History folder displays icons that represent the Weekly / Daily History activity. Each of these folders contains an index.dat file

History tracks the websites visited by the user and includes date/time info

History folder contains a master index.dat file that tracks the History

The History folder displays icons that represent the Weekly / Daily History activity. Each of these folders contains an index.dat file

IE History

IE History Date Range (FTK)

IE History Date Range Operating system generates a new folder each day with a one day range Each Sunday at 2359 hours, a new week range folder is generated Previous weeks daily folders get merged into a new Last Week folder FTK, X-Ways Trace, IEHistory are useful tools to view index.dat

Operating system generates a new folder each day with a one day range

Each Sunday at 2359 hours, a new week range folder is generated

Previous weeks daily folders get merged into a new Last Week folder

FTK, X-Ways Trace, IEHistory are useful tools to view index.dat

IE Temporary Internet Files Located at drive:Documents and SettingsuserLocal Settings Contains an index.dat file that records the URL, Filename, Username, and Content Info Provides information about browser activity even if the user deletes their Temporary Internet Files

Located at drive:Documents and SettingsuserLocal Settings

Contains an index.dat file that records the URL, Filename, Username, and Content Info

Provides information about browser activity even if the user deletes their Temporary Internet Files

IE Temporary Internet Files Review the Temporary Internet Files for cached Internet emails Hotmail = getmsg~.htm or hotmail~.htm AOL = msgview~.adp or msglist~.adp Outlook = read~.htm or main~.htm Yahoo = showletter~.htm or showfolder~.htm FTK generally will list these files under the “Unknown Type:” button on the Overview tab

Review the Temporary Internet Files for cached Internet emails

Hotmail = getmsg~.htm or hotmail~.htm

AOL = msgview~.adp or msglist~.adp

Outlook = read~.htm or main~.htm

Yahoo = showletter~.htm or showfolder~.htm

FTK generally will list these files under the “Unknown Type:” button on the Overview tab

IE Temporary Internet Files

Registry - Typed URLs Typed URLs are saved in the Registry at NTUSER.DATMicrosoftInternet ExplorerTyped URLs The lowest numbered entry is the most recent site visited (url1, url2, url3, etc)

Typed URLs are saved in the Registry at NTUSER.DATMicrosoftInternet ExplorerTyped URLs

The lowest numbered entry is the most recent site visited (url1, url2, url3, etc)

Registry – Protected Storage System Provider NTUSER.DATSoftwareMicrosoftProtected Storage System Provider Contains User IDs and passwords for websites Q:StringIndex contains Internet search engine searches initiated by the user (Google, Yahoo, etc) with date/time Stored in an encrypted form Registry Viewer displays the information in an unencrypted form

NTUSER.DATSoftwareMicrosoftProtected Storage System Provider

Contains User IDs and passwords for websites

Q:StringIndex contains Internet search engine searches initiated by the user (Google, Yahoo, etc) with date/time

Stored in an encrypted form

Registry Viewer displays the information in an unencrypted form

Vista File Locations Temporary Internet Files "C:Users[your user name]AppData Local MicrosoftWindowsTemporary Internet FilesContent.IE5 " Laptops using Vista Media Edition "C:Users[your user name]AppData Roaming or Local MicrosoftWindowsTemporary Internet FilesContent.IE5 " Roaming = public network? Local = private network?

Temporary Internet Files

"C:Users[your user name]AppData Local MicrosoftWindowsTemporary Internet FilesContent.IE5 "

Laptops using Vista Media Edition

"C:Users[your user name]AppData Roaming or Local MicrosoftWindowsTemporary Internet FilesContent.IE5 "

Roaming = public network?

Local = private network?

Mozilla Firefox

The Directory history.dat bookmarks.html downloads.rdf cookies.txt signons2.txt prefs.js bookmarks.bak formhistory.dat

Briefly… Mozilla is not a browser Mozilla Firefox is a browser project Mozilla Firefox is not the same as Netscape 2 nd most popular web browser It is different from IE And it can also be run from a portable device….leaving few traces on the computer. Worse still, it can be run from a CD, leaving behind even fewer traces on the computer, none on the CD. A USB can be set to write block, also eliminating evidence from being created on the USB when running Firefox from the USB device.

Mozilla is not a browser

Mozilla Firefox is a browser project

Mozilla Firefox is not the same as Netscape

2 nd most popular web browser

It is different from IE

And it can also be run from a portable device….leaving few traces on the computer.

Worse still, it can be run from a CD, leaving behind even fewer traces on the computer, none on the CD.

A USB can be set to write block, also eliminating evidence from being created on the USB when running Firefox from the USB device.

Good for forensics! Firefox is not like MSIE Firefox stores most of it’s data in files instead of the registry Easy to find, in individual folders Many of the tasks you want to do with Firefox forensics, you can do using Firefox!

Firefox is not like MSIE

Firefox stores most of it’s data in files instead of the registry

Easy to find, in individual folders

Many of the tasks you want to do with Firefox forensics, you can do using Firefox!

Not Good for forensics! Since the user data is in individual folders, it is very easy for a user to wipe the folders securely! Profile with all your evidence!!

Since the user data is in individual folders, it is very easy for a user to wipe the folders securely!

Your Profile

Your Profile Firefox stores a user's personal information such as bookmarks, extensions, and user preferences in a unique profile, called, you guessed it, a Profile. “ My profile-tall, smart, handsome”

Firefox stores a user's personal information such as bookmarks, extensions, and user preferences in a unique profile, called, you guessed it, a Profile.

Your Profile A profile is a self-contained unit stored in a physical folder in your file system. From Firefox 1.5 onwards you can move or copy an entire profile folder from one location to another. You then use the Profile Manager to register it to use on different machines. A suspect can share his profiles on several computers, tying him to all of them 

A profile is a self-contained unit stored in a physical folder in your file system. From Firefox 1.5 onwards you can move or copy an entire profile folder from one location to another. You then use the Profile Manager to register it to use on different machines.

A suspect can share his profiles on several computers, tying him to all of them 

Your Profile Files located in Profile Folder include: Cache, chrome, extensions bookmarks.html, bookmarks.bak, mimeTypes.rdf, cert8.db, compatibility.ini, key3.db, search.rdf, XUL.mfl, prefs.js, signons.txt, components.ini, cookies.txt, defaults.ini, formhistory.dat, compreq.dat, localstore.rdf, xpti.dat, history.dat, secmod.db Strange thing…if you delete these files, upon restart of Firefox, it gets created again, but it’s a clean new copy.

Files located in Profile Folder include: Cache, chrome, extensions bookmarks.html, bookmarks.bak, mimeTypes.rdf, cert8.db, compatibility.ini, key3.db, search.rdf, XUL.mfl, prefs.js, signons.txt, components.ini, cookies.txt, defaults.ini, formhistory.dat, compreq.dat, localstore.rdf, xpti.dat, history.dat, secmod.db

Your Profile Sometimes, Firefox may just ‘lose’ your profile (it’s still there, but the pointer gets corrupted). You can use the “PROFILE MANAGER” in Firefox to look for it and fix it. The profile.ini keeps track of the profiles This is how someone could manage multiple profiles (a good one and a bad one…) You can store your profile ANYWHERE!

Sometimes, Firefox may just ‘lose’ your profile (it’s still there, but the pointer gets corrupted).

You can use the “PROFILE MANAGER” in Firefox to look for it and fix it.

The profile.ini keeps track of the profiles

This is how someone could manage multiple profiles (a good one and a bad one…)

You can store your profile ANYWHERE!

Your Profile If there are several profiles, the .ini will look something like this: [General] StartWithLastProfile=1 [Profile0] Name=default IsRelative=1 Path=Profiles/default.cta [Profile1] Name= goodboy IsRelative=0 Path=D:MozillaFirefoxProfiles goodboy Default=1 [Profile2] Name= reallybadboy IsRelative=0 Path=D:MozillaFirefoxProfiles reallybadboy

Your Profile It is possible to have an instance of Firefox operating with one profile while at the same time, you can open another instance of Firefox and point to a DIFFERENT PROFILE by a command line ( C:Program FilesMozilla Firefoxfirefox.exe" -P "My Profile" -no-remote ). This could appear to be two users browsing the internet at the same time, when in fact, it’s the same person. You can also carry around your profile on a flashdrive and use it on any computer.

Your Profile-default locations ~/Library/Mozilla/ ~/Library/Application Support/ Mac OS X ~/.mozilla/ Unix C:Users<Windows login/user name>AppDataRoamingMozilla Windows Vista C:Documents and Settings<Windows login/user name>Application DataMozilla Windows 2000 and XP C:WinntProfiles<Windows login/user name>Application DataMozilla Windows NT 4.x C:WindowsApplication DataMozilla C:WindowsProfiles<Windows login/user name>Application DataMozilla Windows 95 (with Desktop Update)/98/Me C:WindowsMozilla Windows 95 (without Desktop Update) Profile folder location(s) Operating system

Neat Files of Interest Download history. This file can be changed to READ ONLY and no more logging of downloads. downloads.rdf & downloads.sqlite Temporary cookies file. cookies.txt.moztmp Holds all of your cookies, including login information, session data, and preferences. cookies.txt Daily rotating backups of your bookmarks. bookmarks- (date) .html Temporary bookmarks file. If found, remove the 'read-only' attribute, as it results in creation of multiple numbered bookmarks-n.html files. bookmarks.html.moztmp Bookmarks (another file in the Program directory is NOT the bookmarks for a profile, it’s a template) bookmarks.html Backup of bookmarks.html, located in your profile folder. Makes a back up each time you run Firefox, 5 times and then starts to overwrite the oldest backup. bookmarks.bak Contains cached Internet files Cache Daily rotating backups of your bookmarks, located in your profile folder bookmarkbackups

More Neat Files of Interest A file that can be used to change the way Mozilla applications' interfaces look. Editing this file can disable Autocomplete. However, the autocomplete is still there, just not visible to the user. serChrome.css in Stores preference settings prefs.js Keeps track of profile location. Located in the &quot;Firefox&quot; folder containing the profiles. Can be edited to point to a moved profile folder. If deleted, profiles.ini will be regenerated along with a new default profile folder upon program restart. profiles.ini Key database for passwords (this needs to be copied over with the previous .txt signons key3.db Encrypted saved passwords, requires key3.db to work signons.txt & signons2.txt & signons3.txt (each for different versions of Firefox) 3.0 and above Bookmarks and browsing history places.sqlite Browsing history history.dat Saved form data formhistory.dat

Default Installation Folder PROGRAM FILES: C:Program FilesMozilla Firefox (Windows) USER FILES: C:Documents and Settingsuser_nameApplication DataMozillaFirefoxProfile

PROGRAM FILES:

C:Program FilesMozilla Firefox (Windows)

USER FILES:

C:Documents and Settingsuser_nameApplication DataMozillaFirefoxProfile

It’s Not about the Money… … it’s about the cache !

Browser Cache “ A temporary storage area in memory or on disk that holds the most recently downloaded Web pages. When you quit the browser session, the cached pages are stored on disk. Settings in your Web browser let you set the amount of space to use for the cache, which is essentially a disk folder, and the length of time to hold the pages.” http://www.pcmag.com/encyclopedia_term/0,2542,t=browser+cache&i=38971,00.asp

“ A temporary storage area in memory or on disk that holds the most recently downloaded Web pages.

When you quit the browser session, the cached pages are stored on disk. Settings in your Web browser let you set the amount of space to use for the cache, which is essentially a disk folder, and the length of time to hold the pages.”

The Location Of the Mozilla Cache Folder The cache folder of Mozilla Firefox is located under: C:Documents and Settings[User Name]Local SettingsApplication DataMozillaFirefoxProfiles[Profile Name]Cache Cache = Temporary Internet Files (simple enough)

The cache folder of Mozilla Firefox is located under:

C:Documents and Settings[User Name]Local SettingsApplication DataMozillaFirefoxProfiles[Profile Name]Cache

Cache = Temporary Internet Files (simple enough)

Looking at the Cache FTK will parse out the cache to an HTML view. Easy to read, difficult to print, impossible to sort, or figure out what you have. I don’t like that at all. ( Brett’s opinion developed after an attorney gave his opinion to Brett…) But, you can export the native files and use other tools that can create csv/spreadsheets of the data, which is what many attorneys may want.

FTK will parse out the cache to an HTML view. Easy to read, difficult to print, impossible to sort, or figure out what you have. I don’t like that at all. ( Brett’s opinion developed after an attorney gave his opinion to Brett…)

But, you can export the native files and use other tools that can create csv/spreadsheets of the data, which is what many attorneys may want.

History vs. Cache Internet history is stored for 9 days by default. The cache is based on the amount of space you have allocated. The Cache contains the files (HTML, image files, scripts, etc.) stored by viewing websites. Depending on the amount of space allocated there may be items in the history that are not in the Cache .

Internet history is stored for 9 days by default. The cache is based on the amount of space you have allocated. The Cache contains the files (HTML, image files, scripts, etc.) stored by viewing websites. Depending on the amount of space allocated there may be items in the history that are not in the Cache .

Cache The Cache also does not show you Visit Count, First Visit Date and Last Visit Date, but the History will show that information. The cache also shows the HTTP headers (with the times of the requests) The number of fetches are also stored in cache, indicating that a particularly website was accessed more than once! Cache is not nice to view. An easy method is to replace the evidence cache on a forensic machine and display it through Firefox.

The Cache also does not show you Visit Count, First Visit Date and Last Visit Date, but the History will show that information.

The cache also shows the HTTP headers (with the times of the requests)

The number of fetches are also stored in cache, indicating that a particularly website was accessed more than once!

Cache is not nice to view. An easy method is to replace the evidence cache on a forensic machine and display it through Firefox.

Quick and Dirty Cache In the Firefox address bar, type: about:cache

In the Firefox address bar, type: about:cache

Cache Viewer Add-On https://addons.mozilla.org/en-US/firefox/addon/2489 Nice Viewer!

MozillaCacheView v1.05 http://nirsoft.net/utils/mozilla_cache_viewer.html FREE TOOL!

URL History The good stuff! History is the version of past events that people have decided to agree upon.

The good stuff!

History.dat A very neat file (browsing history) MORK is the file system (complex code) Several tools can parse out the information quickly and cleanly Version 2x will be storing the history in: moz_history&quot; and &quot;moz_historyvisit This file can be compared to the MSIE index.dat

A very neat file (browsing history)

MORK is the file system (complex code)

Several tools can parse out the information quickly and cleanly

Version 2x will be storing the history in:

moz_history&quot; and &quot;moz_historyvisit

This file can be compared to the MSIE index.dat

IE vs Firefox History Files With Mozilla, the history.dat file is saved in an ASCII format rather than binary as IE. This makes it easier to view, but it does not link website activity with the cache.

With Mozilla, the history.dat file is saved in an ASCII format rather than binary as IE.

This makes it easier to view, but it does not link website activity with the cache.

Good Ol’ FTK

FTK Printing out the results as shown in FTK file resulted in 602 pages of one history.dat file (not sortable). Technically speaking, “Dat Not Good”.

Printing out the results as shown in FTK file resulted in 602 pages of one history.dat file (not sortable). Technically speaking, “Dat Not Good”.

FTK Better to export the history.txt file and open with by way of spreadsheet.

Better to export the history.txt file and open with by way of spreadsheet.

Search History Search for “search” in the history.dat file to find user typed searches.

Search for “search” in the history.dat file to find user typed searches.

URL History Browser http://www.passcape.com/firefox_url_history.htm

MozillaHistoryView v1.02 http://nirsoft.net/utils/mozilla_history_view.html FREE TOOL!

http://nirsoft.net/utils/mozilla_history_view.html

Mandiant Web Historian http://www.mandiant.com/webhistorian.htm FREE TOOL!

URL History FREE TOOL!

HTML Output is not enough information

But .xls is.

But .xls is.

Of Mork and Mindy M ork is the name of the code for Mozilla (1x. Version 2x uses SQLite). D ork is a small, free, and neat program to parse the history.dat file! Get Dork here http://i.ndustrio.us/2007/06/23/converting-the-firefox-history-file-to-readable-text/ FREE TOOL!

M ork is the name of the code for Mozilla (1x. Version 2x uses SQLite).

D ork is a small, free, and neat program to parse the history.dat file!

Get Dork here

Dork Reader Sortable in a spreadsheet Quick, easy, free FREE TOOL!

Sortable in a spreadsheet

Quick, easy, free

History.dat with Dork Reader Just drag the file here and… A history.txt file is created in the same directory as the history.dat file

prefs.js Profile Settings You can find nearly every setting you are in need of finding (start up page, etc…).

Profile Settings

You can find nearly every setting you are in need of finding (start up page, etc…).

Downloads downloads.rdf Location of default downloads Tracks the downloads

downloads.rdf

Location of default downloads

Tracks the downloads

Default download location Last download location User created folder History save override Startup webpage/homepage

Default download location

Last download location

User created folder

History save override

Startup webpage/homepage

BOOKMARKS

Bookmarks (MSIE=Favorites) A HTML file of the bookmarks (ie, favorties) A bookmarks.bak file is also created when last accessed.

A HTML file of the bookmarks (ie, favorties)

A bookmarks.bak file is also created when last accessed.

Bookmarks (MSIE=Favorites) FTK view of bookmarks.html

FTK view of bookmarks.html

Bookmarks (MSIE=Favorites) Viewing the bookmarks via HTML is the least productive way (you can’t see the metadata). Visually, it works best to export the bookmarks file and open using Firefox on your forensic machine. Bookmarks are backed up every 5 days. Web pages are stored as (in brief): Site URL : ADD_DATE : LAST_VISIT : LAST _MODIFIED : SITE NAME : SITE DESCRIPTION

Viewing the bookmarks via HTML is the least productive way (you can’t see the metadata).

Visually, it works best to export the bookmarks file and open using Firefox on your forensic machine.

Bookmarks are backed up every 5 days.

Web pages are stored as (in brief):

Site URL : ADD_DATE : LAST_VISIT : LAST _MODIFIED : SITE NAME : SITE DESCRIPTION

Form History

Firefox Password Cracking Several FREE tools available If it’s a live system, and Firefox is running, and the user has logged in, you can get ALL the passwords for everything that is password protected (website logins, master password, etc…). All passwords are clear text.

Several FREE tools available

If it’s a live system, and Firefox is running, and the user has logged in, you can get ALL the passwords for everything that is password protected (website logins, master password, etc…). All passwords are clear text.

Signons.txt Contains user saved names and passwords to website logons. Use PRTK to crack the passwords Field names are plain text, passwords are a low level protection.

Contains user saved names and passwords to website logons.

Use PRTK to crack the passwords

Field names are plain text, passwords are a low level protection.

Signons.txt To decrypt: Export the Key3.db files Drop the Signons.txt into PRTK Browse to the Key3.db when prompted

To decrypt:

Export the Key3.db files

Drop the Signons.txt into PRTK

Browse to the Key3.db when prompted

Master Password Triple DES Password is required to access a website that has a stored password in Signons.txt The master password is stored in the Key3.db file (use a dictionary profile in PRTK to find the password)

Triple DES

Password is required to access a website that has a stored password in Signons.txt

The master password is stored in the Key3.db file (use a dictionary profile in PRTK to find the password)

Firefox Password Cracking Several FREE tools available http://securityxploded.com/firemaster.php Free Dos Program to crack the Firefox Master Passwor FREE TOOL!

Several FREE tools available

COOKIES

http://www.passcape.com/firefox_url_history.htm

Cookies Cookies are used by a web site to store values on the client that create a web session. They can be used to track your activity, as each one contains a username. They are pieces of code placed on your computer as you surf the internet. Firefox cookies are human readable in the format of username@domainname.txt You can open them with any text editor, but there are better ways to read them…

Cookies are used by a web site to store values on the client that create a web session. They can be used to track your activity, as each one contains a username.

They are pieces of code placed on your computer as you surf the internet.

Firefox cookies are human readable in the format of username@domainname.txt

You can open them with any text editor, but there are better ways to read them…

Cookies Cookies are set to expire after a set amount of time. It is possible to determine the accuracy of the system time when comparing cookie’s expire date and last modified date.

Cookies are set to expire after a set amount of time. It is possible to determine the accuracy of the system time when comparing cookie’s expire date and last modified date.

Ugly!

Better! http://www.karenware.com/powertools/ptcookie.asp FREE TOOL!

Better! http://www.nirsoft.net/utils/iecookies.html FREE TOOL!

Better! http://www.pablosoftwaresolutions.com/html/cookie_viewer.html FREE TOOL!

Firefox Add On https://addons.mozilla.org/en-US/firefox/addon/315 FREE TOOL!

FTK

The Forensic Tools Run them across the entire image/drive Great for getting EVERYTHING, including the deleted history and files There are very few tools that do this AND put it in a format that can be manipulated for an attorney to understand…

Run them across the entire image/drive

Great for getting EVERYTHING, including the deleted history and files

There are very few tools that do this AND put it in a format that can be manipulated for an attorney to understand…

Some of the tools Full Suites (FTK, ProDiscovery, Encase, etc) ACES - $FREE NetAnalsysis - $100EUR (about $200USD) X-Ways Trace - $52.70GSB (about $75USD) CacheBack - $399CDN (about $395USD) Let’s talk about the smaller tools, not full suites.

Full Suites (FTK, ProDiscovery, Encase, etc)

ACES - $FREE

NetAnalsysis - $100EUR (about $200USD)

X-Ways Trace - $52.70GSB (about $75USD)

CacheBack - $399CDN (about $395USD)

Let’s talk about the smaller tools, not full suites.

Internet and Email Analysis Free to law enforcement Not updated that often (2006?) https://www.acesle.com/ FREE TOOL!

Internet and Email Analysis

Free to law enforcement

Not updated that often (2006?)

NetAnalysis Extracts deleted history from Unallocated Space, Swap Files, File Slack, Unused Disk Space, Flat File Images, DD Images and binary files. It can also extract directly from a physical or logical drive. Can conduct keyword searching, has cookie viewer, and lots of other very neat features. Best thing is, you can create an output that is understandable, searchable, and sortable. http://www.digital-detective.co.uk/netanalysis.asp

Extracts deleted history from Unallocated Space, Swap Files, File Slack, Unused Disk Space, Flat File Images, DD Images and binary files. It can also extract directly from a physical or logical drive.

Can conduct keyword searching, has cookie viewer, and lots of other very neat features.

Best thing is, you can create an output that is understandable, searchable, and sortable.

NetAnalysis http://www.digital-detective.co.uk/netanalysis.asp

X-Ways Trace Extracts from allocated space, free space, and slack space. Deciphers the Windows recycle bin file info2 located in every Recycled/Recycler folder. Displays the original path and filename, date and time of deletion, file size, etc.. Results can be exported to a spreadsheet. http://www.x-ways.net/trace/index-m.html

Extracts from allocated space, free space, and slack space.

Deciphers the Windows recycle bin file info2 located in every Recycled/Recycler folder. Displays the original path and filename, date and time of deletion, file size, etc..

Results can be exported to a spreadsheet.

X-Ways Trace http://www.x-ways.net/trace/index-m.html

A new contender in the internet analysis software arena

CacheBack Does everything that both X-Ways Trace and NetAnalysis does, and more. More types of reports can be created Comparison of history to cache ability Sortable, searchable, presentable But costs a little more..* *CTIN members can get a 10% discount on CacheBack prior to Feb 29,2008

Does everything that both X-Ways Trace and NetAnalysis does, and more.

More types of reports can be created

Comparison of history to cache ability

Sortable, searchable, presentable

But costs a little more..*

A new tool from Paraben

http://beta.paraben.com/

Other ‘little things’ you can do with small tools… Autocomplete Typed searches Video Cache Cookies

Autocomplete

Typed searches

Video Cache

Cookies

MyLastSearch Runs from any external media (CD, USB, etc…), therefore, can be run on a live system. Takes about 5 seconds…. FREE TOOL!

Runs from any external media (CD, USB, etc…), therefore, can be run on a live system.

Takes about 5 seconds….

VideoCacheView Runs from any external media (CD, USB, etc…), therefore, can be run on a live system. Takes about 5 seconds…. FREE TOOL!

Runs from any external media (CD, USB, etc…), therefore, can be run on a live system.

Takes about 5 seconds….

Firefox Autocomplete If an URL is typed, and that URL were already in the history, the ranking of that URL is increased. “ If there is no history entry for the typed URL, a new one is created marked typed but hidden and never visited. When the document is loaded, the history system is notified of the visit and it unhides the entry and saves the visit date, preserving the typed flag. This way, typing an invalid URL that is never loaded will not fill the history and autocomplete lists with junk.” Autocomplete data is in the history file, not in the registry. http://wiki.mozilla.org/Browser_History:Redirects

If an URL is typed, and that URL were already in the history, the ranking of that URL is increased.

“ If there is no history entry for the typed URL, a new one is created marked typed but hidden and never visited. When the document is loaded, the history system is notified of the visit and it unhides the entry and saves the visit date, preserving the typed flag. This way, typing an invalid URL that is never loaded will not fill the history and autocomplete lists with junk.”

Autocomplete data is in the history file, not in the registry.

http://www.foundstone.com/us/resources/proddesc/dumpautocomplete.htm FREE TOOL!

In less than 10 minutes, with some free software, you can get… Typed internet searches Autocomplete entries Internet history Video from cache Spreadsheet of cookies You can also throw in USB devices connected too with USBDeview… You can restore an image with Liveview to VMware and run these on the live system. This takes about 25 minutes if everything goes smooth with the virtual booting. In the civil world, this could work well with a ‘quick peek’.

Typed internet searches

Autocomplete entries

Internet history

Video from cache

Spreadsheet of cookies

You can also throw in USB devices connected too with USBDeview…

You can restore an image with Liveview to VMware and run these on the live system.

This takes about 25 minutes if everything goes smooth with the virtual booting.

In the civil world, this could work well with a ‘quick peek’.

http://www.nirsoft.net/utils/usb_devices_view.html FREE TOOL!

Future Feature of Firefox Firefox may soon be able to track: Visit trails, with information about how each visit occurred: For example, a user typed the URL for site A, went from A to B by following a link, was automatically redirected to C, and then followed a link on C to open D in a new window. Technically, that is called, “Niiiiccceee”.

Firefox may soon be able to track:

Visit trails, with information about how each visit occurred: For example, a user typed the URL for site A, went from A to B by following a link, was automatically redirected to C, and then followed a link on C to open D in a new window.

Technically, that is called, “Niiiiccceee”.

REDIR (internet traffic is redirected to another site) Client-side redirect Meta refresh redirect (which is a special type of client side redirect) Server-side redirect Both 1 & 2 above need the webpage to load in order for a script to run to cause the redirect. #3 is redirected from the server (the page doesn’t get loaded before the redirect occurs.

Client-side redirect

Meta refresh redirect (which is a special type of client side redirect)

Server-side redirect

Both 1 & 2 above need the webpage to load in order for a script to run to cause the redirect.

#3 is redirected from the server (the page doesn’t get loaded before the redirect occurs.

REDIR (internet traffic is redirected to another site) Be aware of the malware that can be installed without user knowledge that cause redirects and popups. A study in 2005 showed over half a million webpages installed malware designed for redirects using ‘drive by’ installations. Niels Provos; Dean McNamee; Panayiotis Mavrommatis; Ke Wang; Nagendra Modadugu (2007-04-10

Be aware of the malware that can be installed without user knowledge that cause redirects and popups.

A study in 2005 showed over half a million webpages installed malware designed for redirects using ‘drive by’ installations.

Niels Provos; Dean McNamee; Panayiotis Mavrommatis; Ke Wang; Nagendra Modadugu (2007-04-10

REDIR (internet traffic is redirected to another site) HOWEVER, even a REDIR to an illegal website will not cause the suspect machine to create specific folders in which specific image downloads were stored and then burned to a CD…

HOWEVER, even a REDIR to an illegal website will not cause the suspect machine to create specific folders in which specific image downloads were stored and then burned to a CD…

This was not caused by a Trojan! = Guilty as sin (and pretty sick too)

Putting Together Your Findings Timelines Simple, visual , timelines paint an easy picture to understand Logins If your suspect denies visiting or downloading certain sites, find if s/he accessed sites on either end of the evidence sites access (such as logging into email prior to visiting the bad site and logging into email afterwards).

Timelines

Simple, visual , timelines paint an easy picture to understand

Logins

If your suspect denies visiting or downloading certain sites, find if s/he accessed sites on either end of the evidence sites access (such as logging into email prior to visiting the bad site and logging into email afterwards).

Putting Together Your Findings Downloads User created folders Altered extensions Number of downloads Does it seem automated? Downloads that were accessed after downloading, but not deleted (innocent downloads of bad stuff will normally be deleted by normal people) Downloads that were copied to CD and then deleted Average times of downloads (were there hundreds downloaded within a short time frame of each other-trojan(?) or slowly-human(?) Link files to external media from evidence files?

Downloads

User created folders

Altered extensions

Number of downloads

Does it seem automated?

Downloads that were accessed after downloading, but not deleted (innocent downloads of bad stuff will normally be deleted by normal people)

Downloads that were copied to CD and then deleted

Average times of downloads (were there hundreds downloaded within a short time frame of each other-trojan(?) or slowly-human(?)

Link files to external media from evidence files?

Putting Together Your Findings Frequent Visitor One visit to a bad website could be innocent… More than once is a sick puppy.

Frequent Visitor

One visit to a bad website could be innocent…

More than once is a sick puppy.

A defense to CP Possession? “ CP images found in cache aren’t intentionally created and knowingly stored in the cache by the user”. This is true… … however, if the user was intentionally searching for CP, and it was found in the cache, then he knowingly possessed the CP. A case with such as example is: Commonwealth v. Simone, 2003 WL 22994245 (Va. Cir. Ct. Nov 12, 2003) Add other evidence, such as prior convictions, admissions, statements, etc…and that cache evidence is as good as CASH!

“ CP images found in cache aren’t intentionally created and knowingly stored in the cache by the user”. This is true…

… however, if the user was intentionally searching for CP, and it was found in the cache, then he knowingly possessed the CP.

A case with such as example is: Commonwealth v. Simone, 2003 WL 22994245 (Va. Cir. Ct. Nov 12, 2003)

Add other evidence, such as prior convictions, admissions, statements, etc…and that cache evidence is as good as CASH!

If you find… Suspect downloaded CP and… Suspect viewed CP and… Suspect didn’t delete the CP… Then you have a good case of CP possession! And if… Suspect moved the CP to different folders, you have a great case of CP possession!

Suspect downloaded CP and…

Suspect viewed CP and…

Suspect didn’t delete the CP…

Then you have a good case of CP possession!

And if…

Suspect moved the CP to different folders, you have a great case of CP possession!

Quick surveys you can conduct during breaks in trial Given the defense of accidental viewing and downloading of child porn, a poll of anyone in the courthouse could give you a quick answer as to how often this really occurs…..how often have you come across child porn when on the internet? The defense may not like the results of this poll brought up in court 

Given the defense of accidental viewing and downloading of child porn, a poll of anyone in the courthouse could give you a quick answer as to how often this really occurs…..how often have you come across child porn when on the internet?

The defense may not like the results of this poll brought up in court 

Result of “Battle of the Software” ( Brett’s opinion ) CacheBack is VERY impressive (I’m buying it)! NetAnalysis is also one of the best overall applications with X-Ways Trace trailing behind. These tools are each able to grab unallocated space as well as creating a sortable output. The ‘little tools’ work well for what they do (quick and dirty work, but nice outputs). The new Paraben Suite looks promising too.

CacheBack is VERY impressive (I’m buying it)!

NetAnalysis is also one of the best overall applications with X-Ways Trace trailing behind.

These tools are each able to grab unallocated space as well as creating a sortable output.

The ‘little tools’ work well for what they do (quick and dirty work, but nice outputs).

The new Paraben Suite looks promising too.

Current & Future Challenges

Virtual Systems If Virtual PC, VMware, MojoPac, or other virtual application is installed, your internet artifacts may ONLY reside in that virtual file. These can be run from external devices, so you may not even have the virtual file on the hard drive.

If Virtual PC, VMware, MojoPac, or other virtual application is installed, your internet artifacts may ONLY reside in that virtual file.

These can be run from external devices, so you may not even have the virtual file on the hard drive.

External Devices Several web browser applications are available that run from either CD’s or USB devices, such as Firefox Portable.

Several web browser applications are available that run from either CD’s or USB devices, such as Firefox Portable.

Free Tool!! Your evidence is all in here… Only the USB connection evidence will be here.

http://www.mojopac.com/portal/content/how/ Your evidence is all in here… Only the USB connection evidence will be here.

http://xcerion.com/ http://blogs.zdnet.com/microsoft/?p=293 Internet Operating System Free and Open Source Software Everything runs in XML Files are stored at Xcerion Everything runs in the IE browser I have no idea of the artifacts left on the host OS yet…

Internet Operating System

Free and Open Source Software

Everything runs in XML

Files are stored at Xcerion

Everything runs in the IE browser

I have no idea of the artifacts left on the host OS yet…

This is the OS browser

This is being run online

CHAT-IM FORENSICS An Introduction, because we are running out of time, sorry.

FYI: Cutting and Pasting Chats Court Issues Adverse Jury Instruction Where Plaintiff Disposed of Home Computer after Filing Discrimination Suit United States v. Jackson , 2007 WL 1381772 (D. Neb. May 8, 2007). In a criminal case, the defendant filed a motion in limine to exclude evidence of chat room conversations. At the conclusion of each chat room session, an undercover police officer conducting the chat room conversation would cut-and-paste the entire conversation into a word document for later review . However, a computer forensics expert testified that this cut-and-paste method created several errors and that several portions of the defendant’s conversations were omitted. The defendant argued the omitted portions of the transcript contained evidence relating directly to his intent and should not be admitted as evidence. The court found that the cut-and-paste document was not admissible evidence at trial because it was not authentic under the Federal Rules of Evidence . The government did not prove the proper foundation to show that the cut-and-paste transcript was a trustworthy source of evidence. Additionally, the court found that the transcript was not the “best evidence” as required by the Federal Rules of Evidence. Although original duplicate documents may be admitted as evidence in lieu of original documents, they still must be an accurate reflection of the original’s content. The court found the cut-and-paste document offered by the government could not be proven to be an accurate reflection of the original chat room discussions. http://www.krollontrack.com/newsletters/cybercrime/jun07.html

Court Issues Adverse Jury Instruction Where Plaintiff Disposed of Home Computer after Filing Discrimination Suit United States v. Jackson , 2007 WL 1381772 (D. Neb. May 8, 2007). In a criminal case, the defendant filed a motion in limine to exclude evidence of chat room conversations. At the conclusion of each chat room session, an undercover police officer conducting the chat room conversation would cut-and-paste the entire conversation into a word document for later review . However, a computer forensics expert testified that this cut-and-paste method created several errors and that several portions of the defendant’s conversations were omitted. The defendant argued the omitted portions of the transcript contained evidence relating directly to his intent and should not be admitted as evidence. The court found that the cut-and-paste document was not admissible evidence at trial because it was not authentic under the Federal Rules of Evidence . The government did not prove the proper foundation to show that the cut-and-paste transcript was a trustworthy source of evidence. Additionally, the court found that the transcript was not the “best evidence” as required by the Federal Rules of Evidence. Although original duplicate documents may be admitted as evidence in lieu of original documents, they still must be an accurate reflection of the original’s content. The court found the cut-and-paste document offered by the government could not be proven to be an accurate reflection of the original chat room discussions.

What are They? Internet services which allow real time messaging between individuals-ie.. CHAT

Internet services which allow real time messaging between individuals-ie.. CHAT

Introduction There are several IM services which offer: Voice chat Video Cellular/pager messaging Chat rooms File sharing E-mail interface Remote desktop control

There are several IM services which offer:

Voice chat

Video

Cellular/pager messaging

Chat rooms

File sharing

E-mail interface

Remote desktop control

Popular Services AOL Instant Messenger (AIM) ICQ (I Seek You) MSN Messenger Yahoo! Messenger Trillian Easily over 50 other popular applications!

AOL Instant Messenger (AIM)

ICQ (I Seek You)

MSN Messenger

Yahoo! Messenger

Trillian

Easily over 50 other popular applications!

Common Features Free Client Software Chat Rooms File Transfers Web Based Voice and/or Web Cam Support Internet Phone Capable Web Page chat rooms

Free Client Software

Chat Rooms

File Transfers

Web Based

Voice and/or Web Cam Support

Internet Phone Capable

Web Page chat rooms

Web based Chat Access is into web based chat rooms.

Access is into web based chat rooms.

Other Information AIM connection logs held for 10-14 days and must specify the AIM user name Of course, this could change…

AIM connection logs held for 10-14 days and must specify the AIM user name

Of course, this could change…

File Sharing All of the IM clients allow for peer - to - peer file sharing

All of the IM clients allow for peer - to - peer file sharing

File Sharing Files can be transferred using two methods: Direct connection File – Send File menu (any file type) The IM providers will not have records regarding the files transferred

Files can be transferred using two methods:

Direct connection

File – Send File menu (any file type)

The IM providers will not have records regarding the files transferred

So what software did we talk about? Forensic Tool Kit www.accessdata.com Encase www.guidancesoftware.com X-Ways Trace www.x-ways.net Lots of free tools www.nirsoft.net www.karentools.com http://www.pablosoftwaresolutions.com/ NetAnalysis www.digital-detective.com.uk CacheBack http://www.cacheback.ca/ VMware www.vmware.com Virtual PC www.microsoft.com Xercion Autocomplete Dump www.foundstone.com Mojopac www.mojopac.om Passcape Tools http://www.passcape.com/firefox_url_history.htm Mandiant Web Historian http://www.mandiant.com/webhistorian.htm Dork Reader http://i.ndustrio.us/2007/06/23/converting-the-firefox-history-file-to-readable-text/ Security Exploded http://securityxploded.com/firemaster.php There are also several Perl programs (free) floating on the internet that do the same things as these programs.

Forensic Tool Kit

www.accessdata.com

Encase

www.guidancesoftware.com

X-Ways Trace

www.x-ways.net

Lots of free tools

www.nirsoft.net

www.karentools.com

http://www.pablosoftwaresolutions.com/

NetAnalysis

www.digital-detective.com.uk

CacheBack

http://www.cacheback.ca/

VMware

www.vmware.com

Virtual PC

www.microsoft.com

Xercion

Autocomplete Dump

www.foundstone.com

Mojopac

www.mojopac.om

Passcape Tools

http://www.passcape.com/firefox_url_history.htm

Mandiant Web Historian

http://www.mandiant.com/webhistorian.htm

Dork Reader

http://i.ndustrio.us/2007/06/23/converting-the-firefox-history-file-to-readable-text/

Security Exploded

http://securityxploded.com/firemaster.php

There are also several Perl programs (free) floating on the internet that do the same things as these programs.

Your Presenters Brett Shavers, e3Discovery & Ron Godfrey, Boeing Company

Brett Shavers, e3Discovery

&

Ron Godfrey, Boeing Company