Internet Explorer Forensics


Web Browser Forensics: Internet Explorer

Objectives

This lab deals with inspecting web browser history, cache and cookie files. This information is stored in a range of files in a number of different directories, dependent on the web browser and the operating system used.

In modern Windows operating systems, Internet Explorer stores information about the pages viewed by the browser in a number of files, all called index.dat. One index.dat also points to other files used in the browsing session. Windows has 3 types of index.dat files, one each for the cache, history, and cookie files respectively. Getting to these files may not be easy - Windows, trying to be "friendly" (and protect users from accidentally destroying operating system files), hides some of these files from Windows Explorer, the Search function, and even straight directory browsing from the command line. In this lab we will use Autopsy to inspect the index.dat files. We will also use the PASCO and GALLETA applications to parse index.dat and present its contents in a more readable manner.

Question 1: Viewing index.dat file with Autopsy

You can use an already existing case or create a new one. Open the /images/diskimg2.dd image in Autopsy (refer to Lab 5b Introduction to Autopsy). Identify the case using the name "diskimg2" (plus a short description), and with host "diskimg2". Add the image as a Disk, and import it as a symlink.

Select the NTFS volume and press ANALYZE.

Figure 1: Analyse (Select a Volume screen)

From the tabs on the next page, select FILE ANALYSIS.

Navigate through the directory structure to C:\Documents and Settings\amy\Local Settings\Temporary Internet Files\Content.IE5\ and click on index.dat. If you get a dialogue box "Open this file?" just click cancel.

Figure 2: Open Link

Go to the bottom half of the window and display in Hex.

Figure 3: Display in hex

Unfortunately, you won't always be so lucky as to have an intact index.dat file to review: the file may have been purposely deleted, partially overwritten, or otherwise corrupted. When reviewing a forensic image, you may have to do a string search to locate the boundaries of the index.dat file, then "carve it out" of the data, and perhaps place it into another intact index.dat file, in order to be able to view it in one of the parsing programs. Finally, it's a good idea to know the basics of the file structure.

What is the header information at offset 0x00? (hint: look at the string). Assume the string is NULL terminated. Enter the string below. The string is case sensitive.


What is the significance of the information starting at offset 0x50?


Scroll down to offset 0x6080, where a record begins with the "URL" string. 0x08 bytes from the record start we find the first of the two timestamps in the record, the Last Modified timestamp. This is the time the file referenced by the record was last modified on the web server (and, therefore, the last time the file was downloaded to the browser's cache). In contrast, the next 0x08 bytes hold the Last Accessed timestamp, the time the web page referenced by the record was last accessed by the browser (irrespective of whether it downloaded a new file or pulled it from the cache).

The timestamp is a 64-bit little-endian value (the Windows FILETIME format) that counts the 100 nanosecond intervals elapsed since 12:00 midnight, January 1, 1601 A.D. (C.E.) Coordinated Universal Time (UTC). Read raw from the hex view it is pretty unreadable. There are tools available to decode it, but the following script does the job easily.

#!/usr/bin/perl
# decode.pl: convert a 64-bit little-endian timestamp copied from the hex view
# (e.g. 60f347d15798c901) into a readable UTC date.

use bigint;
use strict;
use POSIX;

my $hex = $ARGV[0];
$hex =~ s/^0x//i;                      # accept an optional 0x prefix

# The hex view shows the bytes in little-endian order: reverse them one byte
# (two hex characters) at a time to obtain the big-endian value.
my $ts = "";
for (my $i = (length($hex) - 2); $i >= 0; $i -= 2) {
  $ts .= substr($hex, $i, 2);
}

# Subtract the number of 100 ns intervals between 1601-01-01 and 1970-01-01 and
# scale to seconds (integer division under bigint). The exact offset is
# 116444736000000000; the constant used here is 0.4096 s short, so a result can
# be one second later than the true value.
my $t = (hex($ts) - 116444735995904000) / 10000000;
print strftime("%a %b %e %H:%M:%S %Y", gmtime($t)) . "\n";

The lab page provides a setup button that creates this script as /home/caine/decode.pl and makes it executable.


Use the decode.pl script: take your 16-character (64-bit) hex number, e.g. "0x60f347d15798c901", and run the program with the hex code as a parameter, e.g.

$ /home/caine/decode.pl 60f347d15798c901
Thu Feb 26 21:18:50 2009

What are the hex value and the decoded timestamp of the Last Accessed timestamp found at offset 0x6090?
Hex (lowercase):
Timestamp (Case sensitive):


Next on our information list, 0x68 bytes from the record start, is the URL that was visited by the browser.

000060E0:  0000 0000 0000 0000 6874 7470 3A2F 2F72    ........http://r
000060F0:  756E 6F6E 6365 2E6D 736E 2E63 6F6D 2F65    unonce.msn.com/e
00006100:  6E2F 7275 6E6F 6E63 652E 6173 7000 0000    n/runonce.asp...
00006110:  7275 6E6F 6E63 655B 315D 2E68 746D 0000    runonce[1].htm..

Following the URL is the filename of the locally cached file referred to by the record. In this example there is no file cached.

Another good piece of information stored by index.dat is the entire HTTP header of the web page the record refers to. Finally, beginning with "~U:", we see the name of the user operating the browser at the time the web page was retrieved.

00006120:  4854 5450 2F31 2E31 2032 3030 204F 4B0D    HTTP/1.1 200 OK.
00006130:  0A50 3350 3A43 503D 2242 5553 2043 5552    .P3P:CP="BUS CUR
00006140:  2043 4F4E 6F20 4649 4E20 4956 446F 204F     CONo FIN IVDo O
00006150:  4E4C 204F 5552 2050 4859 2053 414D 6F20    NL OUR PHY SAMo
00006160:  5445 4C6F 220D 0A43 6F6E 7465 6E74 2D4C    TELo"..Content-L
00006170:  656E 6774 683A 2031 3231 3939 0D0A 436F    ength: 12199..Co
00006180:  6E74 656E 742D 5479 7065 3A20 7465 7874    ntent-Type: text
00006190:  2F68 746D 6C0D 0A0D 0A7E 553A 636C 7964    /html....~U:clyd
000061A0:  650D 0A00 0000 0000 0000 0000 0000 0000    e...............
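The record layout described above (Last Modified at +0x08, Last Accessed at +0x10, the URL at +0x68, then the cached filename, the HTTP headers and the "~U:" user name) as a small Python parser; this is an added example, not part of the lab, Autopsy or Pasco. It uses the exact 1601-to-1970 offset and keeps sub-second precision, so the page's example value decodes to 21:18:49.75 UTC, which decode.pl prints as 21:18:50 because its constant is 0.4096 s short. The sample record is constructed from the dump above with a constructed Last Modified value; locating the filename and headers by skipping NUL padding after the URL is an assumption (a full parser would use the offset fields in the record header).

```python
import struct
from datetime import datetime, timedelta, timezone

# 100-nanosecond intervals between 1601-01-01 and 1970-01-01 (exact value).
EPOCH_DIFF = 116444736000000000
URL_OFFSET = 0x68   # the URL string sits 0x68 bytes into a "URL " record

def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME to a UTC datetime, keeping sub-second precision."""
    (ticks,) = struct.unpack("<Q", raw)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def _cstring(buf: bytes, start: int):
    """Skip NUL padding from start, then return (text, index just past the string's NUL)."""
    while start < len(buf) and buf[start] == 0:
        start += 1
    end = buf.index(b"\0", start)
    return buf[start:end].decode("latin-1"), end + 1

def parse_url_record(rec: bytes) -> dict:
    """Pull the fields the lab asks for out of one index.dat URL record (rec starts at "URL ")."""
    if rec[:4] != b"URL ":
        raise ValueError("not a URL record")
    url, pos = _cstring(rec, URL_OFFSET)
    # Assumption: filename and headers follow the URL after NUL padding, as in the dump.
    filename, pos = _cstring(rec, pos)
    headers, _ = _cstring(rec, pos)
    user = next((l[3:] for l in headers.split("\r\n") if l.startswith("~U:")), None)
    return {
        "last_modified": filetime_to_datetime(rec[0x08:0x10]),
        "last_accessed": filetime_to_datetime(rec[0x10:0x18]),
        "url": url,
        "url_dir": url.rsplit("/", 1)[0] + "/",   # answer format: keep the trailing "/"
        "filename": filename,
        "headers": headers,
        "user": user,
    }

# Constructed sample record: strings copied from the dump above, Last Accessed is the page's
# example value, Last Modified is a constructed FILETIME ten seconds earlier.
SAMPLE_RECORD = (
    b"URL " + b"\0" * 4
    + struct.pack("<Q", 1235683120 * 10**7 + EPOCH_DIFF)   # +0x08 Last Modified
    + bytes.fromhex("60f347d15798c901")                      # +0x10 Last Accessed
).ljust(URL_OFFSET, b"\0") + (
    b"http://runonce.msn.com/en/runonce.asp\0\0\0"
    + b"runonce[1].htm\0\0"
    + b"HTTP/1.1 200 OK\r\nContent-Length: 12199\r\nContent-Type: text/html\r\n\r\n"
    + b"~U:clyde\r\n\0"
)
```

The same function can be applied to any slice of a damaged image that starts at a "URL " signature found by string search, which is the carving situation mentioned earlier.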

Go to the record starting at offset 0x60880 and provide the following information:
Last modified time:
Last accessed time:
URL Address without filename:
Locally cached file:

The URL address should include the "http://" and the trailing "/", and exclude only the final filename. So "http://blah.com/a/b/file.html" becomes "http://blah.com/a/b/".

Within Autopsy you can search the index.dat file if you know the web site address, the file that was downloaded or accessed, or any other text. Assume that you have identified a suspicious file called "hot[1].jpg" in the browser cache. Let's search the index.dat file to see if that jpg was downloaded from the internet.

Within Autopsy press <CTRL> and <F> key. In the find window type hot[1].jpg.

Figure 4: Find window

At what offset does the record begin? (use 0x????? format)
Offset of the record:
Last modified time:
Last accessed time:
URL Address (without filename):


Question 2: Pasco

The other way of inspecting the information inside index.dat is to use an application called PASCO, which parses the records in the file and writes them to a delimited text file that can be imported elsewhere.

Copy the file Documents and Settings/amy/Local Settings/Temporary Internet Files/Content.IE5/index.dat to /home/caine/evidence/index.dat. You need to use ifind and icat. In ifind, use the "-n" flag with the full file pathname in quotes.


Execute the following command:

$ pasco -d /home/caine/evidence/index.dat > /home/caine/evidence/index.txt

Now have a look at /home/caine/evidence/index.txt using less.


If there is a line which starts "LEAK" in your new index.txt file, this indicates that the record has been deleted. How many records have been so marked?
LEAK records:


What does the "REDR" record type mean?




Copyright @ 2004-2017 Gordon Russell. All rights reserved.