
Internet Artifacts

The document discusses browser artifacts that can be found during a computer forensics investigation. It covers artifacts left by the main browsers - Internet Explorer, Firefox, and Chrome. Specific files and locations are identified that may contain browser history, cache files, cookies, downloaded content, and form entries that could be useful as evidence. These include index.dat files, favorites files, SQLite databases, and cache folder contents.

Uploaded by

test2012

Internet Artifacts
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555

L10: Internet Artifacts

1 Browser Artifacts

- Bulk of a user’s time is spent on the Internet
- Nearly all of that time is spent interacting with a Web browser
- Everything that a user does today can occur via the Web
  - From browsing to creating documents
  - Google Chromebook
- Web browsers are a popular tool to load additional tools into compromised servers


2 Internet Explorer

- Default browser shipped with Microsoft’s operating systems
- Few interesting places
  - Index.dat
  - Favorites
  - Cookies
  - Cache

3 Index.dat

- Contains records of different types of information
  - Temporary internet files
  - History
  - Cookies
- Cache location:
  - XP and 2003: Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  - Vista and 7: Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- Correspondingly other directories may also have an index.dat file
4 Favorites

- Documents and Settings\user\Favorites
- Appears as <filename>.url files
  - Simple text files
- Analyze MAC times of .url files

5 Cookies

- Found in
  - XP: Documents and Settings\%username%\Cookies
  - Vista and 7: Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies
- Example

    SaneID
    3a345581bb019948
    geico.com/
    1536
    3378255872
    30795568
    4048194256
    30118489
    *
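
The cookie record shown on slide 5 can be decoded field by field. The following is an added example, not part of the original slides: it assumes the standard IE cookie text layout (name, value, host/path, flags, expiry time low/high, creation time low/high, then a `*` delimiter), which the slide does not spell out, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINES_PER_RECORD = 9  # eight fields followed by the "*" record delimiter

# The slide's example record, with the trailing "!" extraction marks removed.
SAMPLE = """SaneID
3a345581bb019948
geico.com/
1536
3378255872
30795568
4048194256
30118489
*
"""


def filetime_to_utc(low, high):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601)."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_file(text):
    """Return one dict per cookie record found in an IE cookie text file."""
    lines = text.splitlines()
    while lines and not lines[-1].strip():
        lines.pop()  # ignore trailing blank lines only; empty values stay aligned
    records = []
    for start in range(0, len(lines), LINES_PER_RECORD):
        chunk = [ln.strip() for ln in lines[start:start + LINES_PER_RECORD]]
        if len(chunk) != LINES_PER_RECORD or chunk[-1] != "*":
            raise ValueError(f"truncated or misaligned record at line {start + 1}")
        name, value, host_path, flags, exp_lo, exp_hi, cre_lo, cre_hi, _ = chunk
        records.append({
            "name": name, "value": value, "host_path": host_path,
            "flags": int(flags),
            "expires": filetime_to_utc(exp_lo, exp_hi),
            "created": filetime_to_utc(cre_lo, cre_hi),
        })
    return records


if __name__ == "__main__":
    for rec in parse_ie_cookie_file(SAMPLE):
        print(rec["host_path"], rec["name"], rec["created"], rec["expires"])
```

The creation time recovered from the record is independent of the cookie file's own MAC times, so the two can be compared during timeline analysis.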

6 Cache

- Files that are cached locally on the system
- Location:
  - XP: Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\
  - Vista and 7: Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
- Cached files are located in four randomly named subdirectories
- MSIE Cache File (index.dat) has all the information needed to map any file of interest with the URL the file was retrieved from
  - Time of last access by client

7 Firefox

- Uses SQLite3 databases to store history data
- Uses user-specific profile directories
  - XP: Documents and Settings\%username%\Local Settings\Application Data\Mozilla\Firefox\Profiles
  - Vista/7: Users\%username%\AppData\Roaming\Mozilla\Firefox\Profiles
  - Linux: /home/$username/.mozilla/firefox/Profiles
  - OS X: /Users/$username/Library/Application Support/Firefox/Profiles
- profiles.ini lists which is the default profile


8 Profile Directories

- One directory is created for each profile
- Few important files
  - Formhistory.sqlite: stores data about form submission inputs
  - Downloads.sqlite: stores data about downloaded files
  - Cookies.sqlite: stores data about cookies
  - Places.sqlite: stores the bulk of “Internet history” data

9 Firefox SQLite Data

- Form history
  - Stored in the formhistory.sqlite database
  - Includes items entered into form fields
    - Such as names, addresses, email addresses, phone numbers, Web mail subject lines, ...
  - Database table of importance: moz_formhistory
- Downloaded files
  - List of files downloaded using the Firefox Download Manager
  - Correlate items found on the file system to the URLs where they originated
  - Database table of importance: moz_downloads


10 Firefox SQLite Data

- Cookies
  - In the cookies.sqlite database
  - Can produce information such as
    - last time user visited a site
    - whether or not the user was registered or logged in at a particular site
  - Database table of importance: moz_cookies
- Visited places
  - In the places.sqlite database
  - Contains URLs visited and time of visit
  - Database tables of importance: moz_places and moz_historyvisits

11 Bookmarks and Extensions

- Bookmarks
  - In the places.sqlite database
  - Database table of importance: moz_bookmarks
- Extensions
  - Enhance or modify the behavior of the browser
  - Installed extensions are listed in “extensions.rdf” XML file in the profiles directory

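
The two tables named for visited places, moz_places and moz_historyvisits, can be joined into a visit timeline. The following is an added example, not part of the original slides: the in-memory database is a constructed stand-in holding only the columns used, the function names are hypothetical, and visit_date is treated as PRTime (microseconds since 1970-01-01 UTC).

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Each visit row points at its page (place_id) and at the visit that led to it (from_visit).
TIMELINE_SQL = """
SELECT v.visit_date, p.url, p.title, rp.url
FROM moz_historyvisits AS v
JOIN moz_places AS p ON p.id = v.place_id
LEFT JOIN moz_historyvisits AS r ON r.id = v.from_visit
LEFT JOIN moz_places AS rp ON rp.id = r.place_id
ORDER BY v.visit_date
"""


def open_working_copy(path):
    """Open a copy of places.sqlite read-only so queries cannot modify it."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def build_sample():
    """Constructed stand-in for places.sqlite (only the columns used here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
            from_visit INTEGER, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'http://search.example/?q=forensics', 'Search'),
            (2, 'http://files.example/tool.zip', NULL);
        INSERT INTO moz_historyvisits VALUES
            (1, 0, 1, 1414800000000000),
            (2, 1, 2, 1414800090000000);
    """)
    return conn


def visit_timeline(conn):
    """Return (UTC time, URL, title, referring URL) tuples, oldest first."""
    timeline = []
    for visit_date, url, title, referrer in conn.execute(TIMELINE_SQL):
        when = UNIX_EPOCH + timedelta(microseconds=visit_date)
        timeline.append((when.isoformat(), url, title, referrer))
    return timeline


if __name__ == "__main__":
    for row in visit_timeline(build_sample()):
        print(row)
```

On real evidence, pass a working copy of the profile's places.sqlite to `open_working_copy` and hand the connection to `visit_timeline`.
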
12 Firefox Cache

- Typically stored in subdirectory named “Cache” in the user’s Library/Caches/Firefox/%profile%/ directory
  - check location using about:cache URL on Firefox
- Contains a number of unidentifiable files along with
  - One _CACHE_MAP_ file
  - Three cache block files _CACHE_001_ through _CACHE_003_
- Together they contain information regarding the URLs and filenames associated with cached data
  - As well as a time stamp
- No open source tool to parse this data!

13 Chrome

- Open source Web browser developed by Google
- Utilizes a variety of SQLite databases to store user data
- Profile location
  - XP: Documents and Settings\%username%\Application Data\Google\Chrome\default
  - Vista/7: Users\%username%\AppData\Local\Google\Chrome\default
  - Linux: /home/$username/.config/google-chrome/Default
  - OS X: /Users/$username/Library/Application Support/Google/Chrome/Default


14 Chrome SQLite Databases

- “Cookies” database
  - Used to store cookies used by Chrome
  - Includes creation time of the cookies, last access time and the host
- “History” database
  - Downloads table: tracks downloaded files
    - Includes local path, URL and time of download
  - Urls and Visits table: can be used to construct an overview of the user’s browsing history

15 Chrome SQLite Databases

- “Login Data” database
  - Saved login data
  - Includes URLs, usernames and passwords (encrypted)
- “Web Data” database
  - Contains data the user has opted to save for form auto-fill capabilities
  - Can include names, addresses, credit data, and more
- “Thumbnails” database
  - Stores thumbnail images of visited sites


16 Other Chrome Artifacts

- Bookmarks are stored in the “Bookmarks” file under the user’s profile directory
  - Uses the JavaScript Object Notation (JSON) format
- The “Local State” file is used by Chrome to restore state after an unexpected shutdown
  - Uses JSON format
- Chrome cache
  - Consists of an index file (file name to URL mapping)
  - Four numbered data files (data_0 through data_3)
  - Many numbered files starting with f_
  - No open source tools to process these files (yet!)

17 Safari

- Default browser included on Mac OS X
- Also available for Windows
- File locations
  - XP: Documents and Settings\%username%\Application Data\Apple Computer\Safari
  - Vista/7: Users\%username%\AppData\Roaming\Apple Computer\Safari
  - OS X: /Users/$username/Library/Safari

18 Safari .plist Files

- History.plist
  - Records URL visited, date and time of last visit, number of times visited
  - Time value is number of seconds since midnight Jan 1, 2001 GMT
- Downloads.plist
  - Files downloaded to the system
- Bookmarks.plist
  - Stores bookmarks, but no time stamps
- Cookies.plist
  - Cookies used by Safari

19 Safari Cache

- Stored in Cache.db file
- Table cfurl_cache_response
  - Stores URL and request metadata
- Table cfurl_cache_blob_data
  - Stores actual cache data
- Cache maps (URL to data in cfurl_cache_blob_data) may be empty but cfurl_cache_blob_data may still be carved
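
The History.plist time value described on slide 18 (seconds since midnight Jan 1, 2001 GMT) converts to UTC as shown here. The following is an added example, not part of the original slides: the plist is constructed inline, and the key names (WebHistoryDates, the empty-string URL key, lastVisitedDate, visitCount) are assumptions about the file layout that the slide does not give.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Safari counts seconds from midnight Jan 1, 2001 GMT.
SAFARI_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def build_sample():
    """Constructed History.plist bytes; key names are assumed, not from the slide."""
    history = {"WebHistoryDates": [
        {"": "http://files.example/tool.zip", "title": "Download",
         "lastVisitedDate": "436237323.5", "visitCount": 1},
        {"": "http://news.example/", "title": "News",
         "lastVisitedDate": "436233600.0", "visitCount": 7},
        {"": "http://broken.example/", "lastVisitedDate": "n/a"},
    ]}
    return plistlib.dumps(history, fmt=plistlib.FMT_BINARY)


def safari_time_to_utc(seconds):
    """Convert a Safari time value (string or number) to an aware UTC datetime."""
    return SAFARI_EPOCH + timedelta(seconds=float(seconds))


def parse_history(plist_bytes):
    """Return (entries sorted oldest first, URLs whose time value did not parse)."""
    data = plistlib.loads(plist_bytes)
    entries, rejected = [], []
    for item in data.get("WebHistoryDates", []):
        url = item.get("", "")
        try:
            when = safari_time_to_utc(item["lastVisitedDate"])
        except (KeyError, ValueError, OverflowError):
            rejected.append(url)  # keep for manual review instead of dropping silently
            continue
        entries.append((when, url, item.get("visitCount", 0)))
    entries.sort()
    return [(w.isoformat(), u, c) for w, u, c in entries], rejected


if __name__ == "__main__":
    visits, bad = parse_history(build_sample())
    for row in visits:
        print(row)
    print("unparsed:", bad)
```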


20 References

- You can find more information by googling for the specific item
