Computer Forensics





Computer Forensics
          Dr. Randy M. Kaplan




Browser Forensics




     A Source of Evidence
      Critical evidence can often be found in a subject’s browsing history
          Emails
          Sites visited
          Internet searches








     Browsers
      Two are dominant
          IE
          Mozilla (and its derivatives and variants)








     IE
      Activity stored in –
          C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5

      Contains
          Cached pages
          Images

      Two other files of interest
          History without locally cached content
              C:\Documents and Settings\user\History\History.IE5
          Cookies
              C:\Documents and Settings\user\Cookies





     Index.dat
      In each of these directories there is a file named
       index.dat

      The relationship between cached web content and URLs
       is maintained in this file
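
An added example (not from the original slides or from any tool they mention): a minimal Python reader that walks an index.dat image and pairs each URL with its cached file name and timestamps. The "URL " record signature and the field offsets (0x08, 0x10, 0x34, 0x3C) follow the commonly documented "Client UrlCache MMF Ver 5.2" layout and are assumptions here; the function names and the sample image are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                           # records are allocated in 128-byte blocks
MAGIC = b"Client UrlCache MMF Ver "    # file signature (assumed: IE 5+ format)

def filetime(raw):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime or None."""
    ticks = struct.unpack("<Q", raw)[0]
    if ticks == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def cstr(buf, start):
    """NUL-terminated string at start; empty if the offset is unset or out of range."""
    if not 0 < start < len(buf):
        return ""
    end = buf.find(b"\0", start)
    return buf[start:end if end != -1 else len(buf)].decode("latin-1")

def parse_index_dat(data):
    """Return [(url, cached_file, last_modified, last_accessed)] for each URL record."""
    if not data.startswith(MAGIC):
        raise ValueError("not an IE index.dat file")
    rows = []
    for off in range(BLOCK, len(data) - BLOCK + 1, BLOCK):
        if data[off:off + 4] != b"URL ":
            continue
        nblocks = struct.unpack_from("<I", data, off + 4)[0]
        rec = data[off:off + nblocks * BLOCK]
        if len(rec) < 0x40:            # zero-length, truncated or corrupt record
            continue
        url_off = struct.unpack_from("<I", rec, 0x34)[0]   # assumed field offsets
        file_off = struct.unpack_from("<I", rec, 0x3C)[0]
        rows.append((cstr(rec, url_off), cstr(rec, file_off),
                     filetime(rec[8:16]), filetime(rec[16:24])))
    return rows

def build_sample():
    """Constructed one-record index.dat image, not taken from a real system."""
    url, name = b"http://example.com/index.html\0", b"index[1].htm\0"
    rec = bytearray(2 * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 4, 2)                     # record spans two blocks
    struct.pack_into("<Q", rec, 16, 128000000000000000)   # last accessed
    struct.pack_into("<I", rec, 0x34, 0x68)               # offset of URL string
    struct.pack_into("<I", rec, 0x3C, 0x68 + len(url))    # offset of cache filename
    rec[0x68:0x68 + len(url) + len(name)] = url + name
    return (MAGIC + b"5.2\0").ljust(BLOCK, b"\0") + bytes(rec)
```

Run it against a working copy of the evidence file, never the original, and treat an empty cached-file field as expected for the History and Cookies index.dat files.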








     Mozilla
      Web activity maintained in a file named history.dat

      File located in –
          C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat
          C:\Documents and Settings\user\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat








     Mozilla
      history.dat differs from IE

      Does not link web site activity to cached web pages

      More difficult to reconstruct the activity








     Tools
      Web Historian
          A tool used to reconstruct web activity
          Applicable to –
              IE
              Mozilla
              Firefox
              Netscape
              Safari
              Opera








     Downloading Web Historian
      Web Historian can be downloaded from –
          http://www.download.com/Red-Cliff-Web-Historian/3000-2653_4-10373157.html








     Web Historian


                     Lots and lots of information produced by Web Historian





     Web Historian
      Suppose my wife wanted to know what I have been
       doing on the Internet

      (Maybe she wants to make sure I am not spending the
       kid’s college fund)

      What evidence in the generated file would give her the
       kinds of information she is looking for?








     Web Historian
      Scan the URL addresses








     Trying Firefox
      Set WH to Firefox directory

      What are the results?








     Trying Firefox




                      Very odd because this is my
                      default browser






     Web Historian
      Not really clear why WH does not work with Firefox

      Try alternative








     Cache View
      Cache View can be downloaded from –
          http://progsoc.org/~timj/cv/








     Cache View
      Download and install








     Cache View
      Need to point Cache View to the proper directory








     Cache View
      Point to the proper directory








     How To Use?
      Clearly, having a record of someone’s web activities can
       be used to determine what they have been doing

      For example, if a subject was interested in learning how
       to hack a particular system, then accessing web sites to
       learn how to do this would substantiate this theory








     How To Use?
      If a subject uses a web interface for email then we can
       tell if he accessed it and we can also see what the
       status of the access was at that time




Posted: 1/13/2012
Pages: 29