1 / 10

f10-Web Browsing Activity Reconstruction

f10-Web Browsing Activity Reconstruction. Dr. John P. Abraham Professor UTPA. Web activity. We con reconstruct a detailed history of a computer’s use by examining a handful of files that contain the web browser’s history. Internet explorer uses three facilities where we can find evidence:

walden
Télécharger la présentation

f10-Web Browsing Activity Reconstruction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. f10-Web Browsing Activity Reconstruction Dr. John P. Abraham Professor UTPA

  2. Web activity • We con reconstruct a detailed history of a computer’s use by examining a handful of files that contain the web browser’s history. Internet explorer uses three facilities where we can find evidence: • Web browsing history, cookies, and temp internet files

  3. Open source solutions • Pasco – and index.dat file parsing utility available from sourceforge.net • Galleta – a cookie file parsing utility. http://sourceforge.net/projects/fast/files/Galleta/

  4. Pasco • Pasco is a Internet Explorer activity forensic analysis tool that was developed by Keith J. Jones, a Principal Computer Forensic Consultant at Foundstone, Inc. • Many computer crime investigations require the reconstruction of a subject's internet activity. Pasco, the latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files. The foundation of Pasco's examination is based upon parsing the information in an index.dat file and outputting the results in a field delimited manner so that it may be imported into a spreadsheet program. • Internet Explorer saves numerous files named “index.dat” within each user’s home directory on the computer system. • A forensic investigator may use the information found in the index.dat file to retrace the web activity of a suspect. The structures identified during forensic analysis of Index.dat that are relevant to constructing internet activity include the following types of Internet Explorer activity records: • REDR – The REDR type of activity record indicates when the subject’s browser was redirected to another site.URL – The URL activity record is a set of data that represents a URL, or website, a user visited. • LEAK - The LEAK activity record also indicates the website that the user visited.

  5. Sample of Pasco

  6. Galleta • Spanish word for cookie • A cookie is a small file containing data that the web server places on a user’s computer so it may request back at a later date. During forensic analysis it is often relevant to parse the information in Internet Explorer’s cookie files into a human readable format. Cookies aid forensic analysts during the investigation by providing insight to a suspect’s internet activity. • But why are cookies necessary for browsing the internet? Cookies are necessary because HTTP is a stateless protocol therefore websites must place information on a user’s computer if it needs to save information about a web session. For instance, whenever a person purchases a book from amazon.com and adds it to his shopping cart, the information can be saved on the clients computer.

  7. A cookie contains: • the variable name. • the value for the variable. • the website that issued the cookie. • Flags • the expiration time for the cookie. • the creation time for the cookie. • An * since it is the record delimiter

  8. Commercial Forensic Tools (pg248) • Encase • FTK • IE History http://www.phillipsponder.com • All three above include built-in functionality to examine a user’s Web browsing activity. • Encase – utilizes a script referred to as an E-Script, to parse the web browsing information found in the evidence and present it to the investigator. Escript takes care of the logic of parsing potentially unknown file formats and presents it in an easy to browse web page and spreadsheet.

  9. Three main directories: • C:\documents and settings\<<profilename>>\cookies • Contains an index.dat file that links each cookie to a domain on the Internet where it was downloaded • C:\documents and settings\<<profilename>>\Local Settings\History\History.IE5\ • Contains an index.dat file that summarizes the Web browsing history for the suspect named <<profilename>> • C:\documents and settings\<<profilename>>\Temporary Internet Files\Content.IE5 • Contains an index.dat file that links all the cached files in the subdirectories to sites on the Internet where they were downloaded.

  10. REGISTRY • Regedit • HKEY_CURRENT_USER • SOFTWARE • MICROSOFT • INTERNET EXPLORER • TYPED URLS

More Related