Web Browser Forensics: Internet Explorer

You can use already existing case or create a new one. Open the /images/diskimg2.dd image in Autopsy (refer to Lab 5b Introduction to Autopsy). Identify the case using the name "diskimg2" (plus a descriptive description), and with host "diskimg2". Add the image as a Disk, and import as a symlink.

Select the NTFS volume and press ANALYZE.

Figure 1: Analyse

From the tabs on the next page, select FILE ANALYSIS.

Navigate through directory structure to C:\Documents and Settings\amy\Local Settings\Temporary Internet Files\Content.IE5\ and click on index.dat. If you get a dialogue box "Open this file?" just click cancel.

Figure 2: Open Link

Go to the bottom half of the window and display in Hex.

Figure 3: Display in hex

Unfortunately, you won't always be so lucky as to have an intact index.dat file to review: the file may have been purposely deleted, partially overwritten, or otherwise corrupted. When reviewing a forensic image, you may have to do a string search to locate the boundaries of the index.dat file, then "carve it out" of the data, and perhaps place it into another intact index.dat file, in order to be able to view it in one of the parsing programs. Finally, it's a good idea to know the basics of the file structure.

What is the header information at offset 0x00? (hint: look at the string). Assume the string is NULL terminated. Enter the string below. The string is case sensitive.

What is the significance of the information starting at offset 0x50?
Nothing special, just random characters Name of the cache files Encrypted names of the files or directories Randomly-named folders in which the cache files are stored

Scroll down to offset 0x6080, where the beginning of the record starts with "URL" string. 0x08 bytes away from the record start we find the first of two timestamps in the record, the Last Modified timestamp. This is the time the file referenced by the record was last modified on the web server (and, therefore, the last time the file was downloaded to the browser's cache.) In contrast, the next 0x08 bytes show the Last Accessed timestamp, or when the web page referenced by the record was last accessed by the browser (irrespective of whether it downloaded a new file or pulled it from the cache.)

The Timestamp is encoded in 64-bit little endian hex, using an epoch in 100 nanosecond intervals that have elapsed since 12:00 midnight, January 1, 1601 A.D. (C.E.) Coordinated Universal Time (UTC). Thus it is pretty unreadable. There are tools available to decode this, but the following does the job easily.

#!/usr/bin/perl

use bigint;
use strict;
use POSIX;

my $ts = "";
for (my $i=(length($ARGV[0])-2); $i>=0; $i-=2) {
  $ts .= substr($ARGV[0],$i,2);
  }

my $t = (hex($ts) - 116444735995904000)/10000000;
print strftime("%a %b %e %H:%M:%S %Y", gmtime($t))."\n";

To create the executable automatically and store it as /home/caine/decode.pl, press the setup button below.

Use the decode.pl script and take your 16 bit hex number, e.g. "0x60f347d15798c901" and run this program with the hex code as a parameter, e.g.

$ /home/caine/decode.pl 60f347d15798c901
Thu Feb 26 21:18:50 2009

What is the hex and timestamp of the Last Accessed timestamp found at offset 0x6090.
Hex (lowercase):
Timestamp (Case sensitive):

Next on our information list, 0x68 bytes from the record start, is the URL that was visited by the browser.

000060E0:  0000 0000 0000 0000 6874 7470 3A2F 2F72    ........http://r
000060F0:  756E 6F6E 6365 2E6D 736E 2E63 6F6D 2F65    unonce.msn.com/e
00006100:  6E2F 7275 6E6F 6E63 652E 6173 7000 0000    n/runonce.asp...
00006110:  7275 6E6F 6E63 655B 315D 2E68 746D 0000    runonce[1].htm..

Following the URL is the filename of the locally cached file referred to by the record. In this example there is no file cached.

Another good piece of information stored by index.dat is the entire http header of the web page the record refers to. Finally, we see beginning with a U: the name of the user operating the browser at the time the web page was retrieved.

00006120:  4854 5450 2F31 2E31 2032 3030 204F 4B0D    HTTP/1.1 200 OK.
00006130:  0A50 3350 3A43 503D 2242 5553 2043 5552    .P3P:CP="BUS CUR
00006140:  2043 4F4E 6F20 4649 4E20 4956 446F 204F     CONo FIN IVDo O
00006150:  4E4C 204F 5552 2050 4859 2053 414D 6F20    NL OUR PHY SAMo
00006160:  5445 4C6F 220D 0A43 6F6E 7465 6E74 2D4C    TELo"..Content-L
00006170:  656E 6774 683A 2031 3231 3939 0D0A 436F    ength: 12199..Co
00006180:  6E74 656E 742D 5479 7065 3A20 7465 7874    ntent-Type: text
00006190:  2F68 746D 6C0D 0A0D 0A7E 553A 636C 7964    /html....~U:clyd
000061A0:  650D 0A00 0000 0000 0000 0000 0000 0000    e...............

Go to the record starting at offset 0x60880 and provide the following information:
Last modified time:
Last accessed time:
URL Address without filename:
Locally cached file:

Within Autopsy you can search index.dat file if you know the web site address or file that was downloaded or accessed or any text. Assume that you have identified a suspicious file called "hot[1].jpg" in the browser cache. Lets search the index.dat file to see if that jpg was downloaded from the internet.

Within Autopsy press <CTRL> and <F> key. In the find window type hot[1].jpg.

Figure 4: Find window

At what offset does the record begin? (use 0x????? format)
Offset of the record:
Last modified time:
Last accessed time:
URL Address (without filename):

The other way of inspecting information inside the index.dat is to use application called PASCO which parses information inside the file and sends to delimited text files that can be imported elsewhere.

Copy the file Documents and Settings/amy/Local Settings/Temporary Internet Files/Content.IE5/index.dat to /home/caine/evidence/index.dat. You need to use ifind and icat. In ifind, use the "-n" flag with the full file pathname in quotes.

Execute the following command:

$ pasco -d /home/caine/evidence/index.dat > /home/caine/evidence/index.txt

Now have a look at /home/caine/evidence/index.txt using less.

If there is a line which starts "LEAK" in your new index.txt file, this indicates that the record has been deleted. How many records have been so marked?
LEAK records:

What does "REDR" type of the record mean?
It is an encrypted record It is a deleted record or corrupted record It is a record that automatically redirects you to other website It is unreadable record