Shared by: xiang peng
Posted: 10/29/2011
Pages: 66

Internet Forensics

6. Internet Explorer

File Structures of Interest

• Favorites
• Cookies
• History
• Temporary Internet Files
• Web-Based E-mail

Registry Entries of Interest

• Typed URLs
• Passwords
• Protected Storage

File Structures - Favorites

• Windows 2000 & XP location:
  Drive:\Documents and Settings\user\Favorites
• Use the Explore tab of FTK to view the file structure

File Structures - Favorites

• Information stored includes:
  – URL of site visited
  – Number of visits

File Structures - Cookies

• Cookies stored in individual files
• Tracked by INDEX.DAT file
• Windows 2000/XP location:
  Drive:\Documents and Settings\user\Cookies
• File name format:
  username@website[n].txt

File Structures - Cookies

• Cookie data
  – Date & time information
  – Site depositing cookie
  – Special information particular to the site
    · Identification
    · Tracking
• Hard to read using OS tools

File Structures - Cookies

• Individual cookie files tracked by INDEX.DAT
• FTK parses and decodes cookie information
• Useful in showing intention
File Structures - Cookies

• Cookies can be exported directly to Excel for analysis
  – Right-click in Viewer
  – Select “Export to Microsoft Excel”
[Screenshot: FTK cookie viewer; callouts “Selects all cookies” and “Select individual cookie”]
File Structures - History

• Tracks
  – Sites visited
  – Date & time information
• Useful in determining user’s
  – Patterns of behavior
  – Culpability

File Structures - History

• Major problem with the OS view:
  – True representation of data not available
  – Contrived depiction that
    · Might be easy for laypersons to read but
    · Doesn’t actually show the real data
• Need to view data via a tool
  – Like FTK

File Structures - History

• Windows 2000 & XP location:
  Drive:\Documents and Settings\user\Local Settings\History
• OS only provides a virtual representation
  – Calendar icons don’t really exist
  – Subfolders don’t really exist
    · Today, Last Week, etc.
[Screenshot: Explorer view of the History folder; callout “No such constructs”]
File Structures - History

• Need a tool (FTK) to see actual folders and their contents
• Folder name format:
  MSHist01yyyymmddyyyymmdd
  (first yyyymmdd = start date, second yyyymmdd = stop date)
File Structures - History

• Windows generates a new folder each day
  – Should see a series of daily folders
• Monday at 0000
  – Windows consolidates the previous week’s daily data into a new weekly folder
  – Previous week’s folder becomes the “Last Week” folder
File Structures - History

• Contents of a folder is actually just one file:
  INDEX.DAT

File Structures - History

• FTK “decodes” contents of INDEX.DAT
• Presents in an HTML format
• Includes both
  – URLs and
  – Local files accessed
• Date, time, number of accesses shown
• Exportable to Excel
[Screenshot: FTK decoded INDEX.DAT view; callouts “Site accessed”, “Windows username”, “Last access”, “Number of accesses”]
File Structures - History

• Includes information used during access
  – Search terms

File Structures - TIF

• Temporary Internet Files
• Windows 2000 & XP location:
  Drive:\Documents and Settings\user\Local Settings\Temporary Internet Files
• Components of Web pages cached on the user’s hard drive

File Structures - TIF

• Content.IE5 folder contains
  – INDEX.DAT file
  – Desktop.ini file
  – Subfolders to hold cached content
    · Generated in groups of four
    · Randomly-named

File Structures - TIF

• Like the history files, the OS shows a virtual representation of TIF

File Structures - TIF

• The files shown actually reside within the INDEX.DAT file
• FTK “decodes” INDEX.DAT to show true content
[Screenshot: FTK view of a decoded INDEX.DAT entry; recoverable callouts:]
  – Where the file came from, including the original file name on that site
  – Windows user logged in when the file was saved
  – File name as saved locally; “[n]” added to avoid duplicate file names
  – eTag: similar to a hash value; used to check if the file is the most recent version
  – Response header between client and server
  – Last date/time the entry in INDEX.DAT was modified by the browser
  – Last date/time the entry in INDEX.DAT was “touched”
  – For certain session files, specifies expiration date/time (most files are persistent)
File Structures - TIF

• Four-step process to store a file in TIF
  – Check
  – Create
  – Save
  – Commit

File Structures - TIF

• Check
  – Site and local machine determine if a file about to be downloaded already exists
  – If so, eTag and Last Synched values determine if the local file is the most recent
  – If not, download (and the next 3 steps) continue

File Structures - TIF

• Create
  – An INDEX.DAT entry is created in RAM for the file about to be saved
  – Nothing saved on hard drive yet
• Save
  – File physically saved into TIF using normal OS procedures

File Structures - TIF

• Commit
  – The INDEX.DAT entry in RAM is written to disk
• Possible problem 1
  – Power fails before the INDEX.DAT entry for a session TIF can be deleted
  – File gone but INDEX.DAT entry would remain

File Structures - TIF

• Possible problem 2
  – Download stops before the Commit step is completed
  – File physically exists in TIF but no INDEX.DAT entry was completed
  – If the user later clears TIF, only the files “known” to INDEX.DAT are deleted
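Both failure modes of the Check/Create/Save/Commit sequence leave a detectable mismatch between INDEX.DAT and the Content.IE5 subfolders: problem 1 is an entry with no file, problem 2 is a file with no entry (and those files survive a user-initiated clearing of TIF). The reconciliation below is an added example written for this page, not FTK's own logic. It assumes the decoded entries are available as simple records carrying the cache subfolder and the locally saved file name ("[n]" included); the entries and the directory listing are constructed samples, not data from a real system.

```python
import posixpath

# Constructed INDEX.DAT entries in the shape a decoder such as FTK exposes them:
# origin URL, the randomly named Content.IE5 subfolder, and the file name as saved
# locally ("[n]" avoids duplicate names). Not real data.
SAMPLE_INDEX_ENTRIES = [
    {"url": "http://www.example.com/index.htm", "subfolder": "A1B2C3D4", "local_name": "index[1].htm"},
    {"url": "http://www.example.com/logo.gif",  "subfolder": "A1B2C3D4", "local_name": "logo[1].gif"},
    {"url": "http://mail.example.net/getmsg",   "subfolder": "E5F6G7H8", "local_name": "getmsg[1].htm"},
    # Problem 1: the entry was committed but the file is no longer on disk.
    {"url": "http://www.example.com/old.js",    "subfolder": "E5F6G7H8", "local_name": "old[1].js"},
]

# Constructed directory listing of Content.IE5 (paths relative to Content.IE5).
SAMPLE_DISK_FILES = [
    "index.dat",
    "desktop.ini",
    "A1B2C3D4/index[1].htm",
    "A1B2C3D4/logo[1].gif",
    "E5F6G7H8/getmsg[1].htm",
    # Problem 2: saved to disk but the Commit step never wrote its entry.
    "E5F6G7H8/big_download[1].zip",
]


def reconcile(index_entries, disk_files):
    """Compare INDEX.DAT entries against the files present under Content.IE5.

    Returns a dict with three lists:
      matched        - entries whose file exists on disk
      orphan_entries - entries with no file on disk (problem 1 on the slides)
      unknown_files  - cached files with no INDEX.DAT entry (problem 2); these
                       are exactly the files a user "clear TIF" leaves behind
    Comparison is case-insensitive because Windows file names are.
    """
    expected = {}
    for e in index_entries:
        key = posixpath.join(e["subfolder"], e["local_name"]).lower()
        expected[key] = e

    present = {}
    for f in disk_files:
        if "/" not in f:
            continue  # index.dat / desktop.ini at the top level are not cached content
        present[f.lower()] = f

    matched = [e for k, e in expected.items() if k in present]
    orphan_entries = [e for k, e in expected.items() if k not in present]
    unknown_files = [f for k, f in present.items() if k not in expected]
    return {"matched": matched, "orphan_entries": orphan_entries, "unknown_files": unknown_files}


if __name__ == "__main__":
    r = reconcile(SAMPLE_INDEX_ENTRIES, SAMPLE_DISK_FILES)
    print("matched:", [e["local_name"] for e in r["matched"]])
    print("entries with no file (problem 1):", [e["url"] for e in r["orphan_entries"]])
    print("files with no entry (problem 2):", r["unknown_files"])
```

On a real image the directory listing would come from the forensic tool's export of Content.IE5 and the entries from its decoded INDEX.DAT; the unknown_files list is the one to review first, since those files have no origin URL or timestamps in INDEX.DAT and their provenance must be established from the file contents themselves.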

File Structures – Web Email

• If the user accesses email via a Web interface, cached files can appear in TIF
• May include
  – Containers (Inboxes)
  – Content of messages

File Structures – Web Email

• Popular Email clients use various file names when saving messages
• These may vary as changes to the Web interface are made by ISPs
• Some clients (Outlook and AOL) only produce these files if the Web interface is used

File Structures – Web Email

• Hotmail
  – Content (message): getmsg[x].htm
  – Container (Inbox): HoTMaiL[x].htm
• AOL
  – Content (message): Msgview[x].adp
  – Container (Inbox): Msglist[x].adp

File Structures – Web Email

• Outlook
  – Content (message): Read[x].htm
  – Container (Inbox): Main[x].htm
• Yahoo
  – Content (message): ShowLetter[x].htm
  – Container (Inbox): ShowFolder[x].htm

Registry

• Can invoke Registry Viewer directly from FTK via
  File -> Registry Viewer

Registry

• We want the file named NTUSER.DAT

Registry

• Navigate through keys to find
  NTUSER\Software\Microsoft\Internet Explorer\Main

Registry

• Useful data in the Main key
  – Start Page: Page to which the browser defaults on launch
  – Search Page: Default search engine page for Web searches
  – Save Directory: Last directory location to which a file was saved using IE

Registry – Typed URLs

• Web addresses entered directly into the Address Bar of IE are saved to
  NTUSER\Software\Microsoft\Internet Explorer\Typed URLs

Registry – Typed URLs

• Addresses are listed in order
  – Most recently visited address has the lowest number
  – Includes both Web files and local files accessed through the browser
• Multiple visits to the same site do not generate an additional entry, only an update to the existing one
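The ordering rule above (lowest number = most recent) is easy to get wrong when the key is exported and sorted as text, because url10 then sorts before url2. The following is an added example written for this page, not Registry Viewer or FTK code. It works on a constructed .reg-style text export; the key is written TypedURLs (no space) in the registry itself and its values are named url1, url2, ..., which is the convention Internet Explorer uses and is assumed here rather than stated on the slide.

```python
import re

# Constructed text in the layout of a Windows .reg export (not from a real system).
# The value names url1, url2, ... are the Internet Explorer convention; url1 is the
# most recently typed address. "url10" is included deliberately: a text sort would
# place it before "url2".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.example.com/"
"url2"="file:///C:/Documents and Settings/user/My Documents/notes.txt"
"url10"="http://intranet.example.org/reports"
"url3"="http://search.example.net/?q=forensics"
"""

# One exported value per line: "urlN"="<address>"
VALUE_RE = re.compile(r'^"url(\d+)"="(.*)"$', re.MULTILINE)


def parse_typed_urls(reg_text):
    """Return [(n, address), ...] sorted numerically by n.

    Numeric sorting is the point: url1 (most recent) comes first and url10
    lands after url9, which a lexical sort of the value names would not do.
    .reg exports escape backslashes as '\\\\'; they are unescaped here.
    """
    entries = [(int(n), addr.replace("\\\\", "\\")) for n, addr in VALUE_RE.findall(reg_text)]
    return sorted(entries)


def ordered_urls(reg_text):
    """Most-recent-first list of typed addresses."""
    return [addr for _, addr in parse_typed_urls(reg_text)]


def split_local_and_web(reg_text):
    """Separate local files (file: URLs or drive-letter paths) from Web addresses.

    The slide notes that the key holds both; recency order is preserved in each list.
    """
    local, web = [], []
    for addr in ordered_urls(reg_text):
        if addr.lower().startswith("file:") or re.match(r"^[a-z]:[\\/]", addr, re.IGNORECASE):
            local.append(addr)
        else:
            web.append(addr)
    return local, web


if __name__ == "__main__":
    for n, addr in parse_typed_urls(SAMPLE_REG_EXPORT):
        print(f"url{n}: {addr}")
    local, web = split_local_and_web(SAMPLE_REG_EXPORT)
    print("local files:", local)
    print("web addresses:", web)
```

Because a repeat visit updates the existing entry rather than adding one, the numbering reflects recency of the last use of each address, not how often it was typed; counts of use come from the history INDEX.DAT, not from this key.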

Registry – Clearing History

• User can set an upper limit on days to keep history via the browser

Registry – Clearing History

• Can find this in the Registry at
  NTUSER\Software\Microsoft\Windows\Current Version\Internet Settings\URL History

Registry - PSSP

• Protected Storage System Provider
• Encrypted storage for
  – User IDs
  – Passwords
  – Internet search terms
  – Autocomplete website users & passwords
• Registry Viewer decrypts

Registry - PSSP

• PSSP key in Registry at
  NTUSER\Software\Microsoft\Protected Storage System Provider

Registry - PSSP

• xxx:StringData shows the string identified by xxx
• xxx:StringIndex shows the string identified by xxx but with date/time
