Computer Forensics
1
Computer Forensics
Dr. Randy M. Kaplan
2
Browser Forensics
3
A Source of Evidence
Critical evidence can often be found in a subject’s browsing history
Emails
Sites visited
Internet searches
4
Browsers
Two are dominant
IE
Mozilla (and its derivatives and variants)
5
IE
Activity stored in –
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5
Contains
Cached pages
Images
Two other files of interest
History without locally cached content
C:\Documents and Settings\user\History\History.IE5
Cookies
C:\Documents and Settings\user\Cookies
6
Index.dat
In each of these directories there is a file named index.dat
The relationship between cached web content and URLs is maintained in this file
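How that URL-to-cached-file relationship can be read out of an index.dat, as an added example that is not part of the original slides. The field offsets used (directory table at 0x48/0x50, last-accessed time at 0x10, URL offset at 0x34, directory index at 0x38, file name offset at 0x3C) are assumptions taken from public reverse-engineering of the version 5.2 format, and the sample file is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                                  # records are allocated in 128-byte blocks
SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

def cstr(buf, start):
    """NUL-terminated string at start; None when the offset is 0 or out of range."""
    return buf[start:].split(b"\x00", 1)[0].decode("latin-1") if 0 < start < len(buf) else None

def parse_index_dat(data):
    """Return URL -> cached-file mappings from the raw bytes of an index.dat."""
    if not data.startswith(SIGNATURE):
        raise ValueError("not a version 5.2 index.dat")
    ndirs = min(struct.unpack_from("<I", data, 0x48)[0], 32)   # cap against corruption
    dirs = [data[0x50 + 12 * i:0x58 + 12 * i].decode("ascii", "replace") for i in range(ndirs)]
    out, off = [], 0
    while off + BLOCK <= len(data):
        tag, nblocks = struct.unpack_from("<4sI", data, off)
        size = nblocks * BLOCK
        if tag != b"URL " or size == 0 or off + size > len(data):
            off += BLOCK                      # not a complete URL record: step one block
            continue
        rec = data[off:off + size]
        accessed, = struct.unpack_from("<Q", rec, 0x10)
        url_off, dir_idx, file_off = struct.unpack_from("<IB3xI", rec, 0x34)
        out.append({
            "url": cstr(rec, url_off),
            "dir": dirs[dir_idx] if dir_idx < len(dirs) else None,  # index outside table: no cache dir
            "file": cstr(rec, file_off),
            "accessed": EPOCH + timedelta(microseconds=accessed // 10),
        })
        off += size
    return out

def build_sample():
    """Constructed two-block header plus one URL record; not real evidence."""
    buf = bytearray(4 * BLOCK)
    buf[:len(SIGNATURE)] = SIGNATURE
    struct.pack_into("<I4x8s", buf, 0x48, 1, b"ABCD1234")       # one cache subdirectory
    rec = 2 * BLOCK
    struct.pack_into("<4sI8xQ", buf, rec, b"URL ", 2, 128120832000000000)  # 2007-01-01 UTC
    struct.pack_into("<IB3xI", buf, rec + 0x34, 0x68, 0, 0x90)
    for pos, s in ((0x68, b"http://mail.example.test/inbox"), (0x90, b"inbox[1].htm")):
        buf[rec + pos:rec + pos + len(s)] = s
    return bytes(buf)

if __name__ == "__main__":
    print(parse_index_dat(build_sample()))
```

Run it against a working copy of the file taken from a forensic image, never against the original evidence.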
7
Mozilla
Web activity maintained in a file named history.dat
File located in –
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat
C:\Documents and Settings\user\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat
8
Mozilla
history.dat differs from IE
Does not link web site activity to cached web pages
More difficult to reconstruct the activity
9
Tools
Web Historian
A tool used to reconstruct web activity
Applicable to –
IE
Mozilla
Firefox
Netscape
Safari
Opera
10
Downloading Web Historian
Web Historian can be downloaded from –
http://www.download.com/Red-Cliff-Web-Historian/30002653_4-10373157.html
11
Web Historian
12
Web Historian
13
Web Historian
Lots and lots of information produced by Web Historian
14
Web Historian
Suppose my wife wanted to know what I have been doing on the Internet
(Maybe she wants to make sure I am not spending the kid’s college fund)
What evidence in the generated file would give her the kinds of information she is looking for?
15
Web Historian
Scan the URL addresses
16
Web Historian
Scan the URL addresses
17
Trying Firefox
Set WH to Firefox directory
What are the results?
18
Trying Firefox
19
Trying Firefox
Very odd because this is my default browser
20
Web Historian
Not really clear why WH does not work with Firefox
Try alternative
21
Cache View
Cache View can be downloaded from –
http://progsoc.org/~timj/cv/
22
Cache View
Download and install
23
Cache View
Need to point Cache View to the proper directory
24
Cache View
Point to the proper directory
25
Cache View
26
Cache View
27
Cache View
28
How To Use?
Clearly, having a record of someone’s web activities can be used to determine what they have been doing
For example, if a subject was interested in learning how to hack a particular system, then accessing web sites to learn how to do this would substantiate this theory
29
How To Use?
If a subject uses a web interface for email then we can tell if he accessed it and we can also see what the status of the access was at that time