
Posted on 18-Jan-2016



Web Forensics

Matthew M. Kimball

Overview

Purpose
Where & How Data Is Stored
Private Browsing
Where Else to Look

Purpose

Reconstruct suspect’s browsing:
  Cyberstalking
  Cyberterrorism
  Child Pornography
  Fraud
  IP Theft
  Cracks, Patches, Torrents

Where

Obvious:
  Cache / Temporary Internet Files
  Cookies
  Favorites
  History

Less Obvious:
  DNS Cache
  Plug-ins
  More to come…

Profiles

Profiles can be moved.
Profile ‘owner’ doesn’t indicate guilt.
Share passwords?

Internet Explorer

index.dat files (Cookies, History, & Temp) store:
  Timestamps
  Headers
  Visited URLs
  Cached pages
  …in a binary format

View cache…see what they saw

Pasco (IE)

Web Historian (IE)

Firefox

*.sqlite
about:cache (Memory, Disk, Offline)

“Deleted” favorites are recoverable
  Firefox automatically backs up favorites
  Backups are not deleted when clearing data
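The Firefox history mentioned on this slide lives in the profile's places.sqlite, where moz_places holds one row per URL (with its visit_count and last_visit_date) and moz_historyvisits holds one row per visit; both timestamps are PRTime, microseconds since the Unix epoch. The following is an added example, not part of the original slides: it builds a cut-down copy of those two tables from constructed sample visits (the schema subset, URLs and timestamps are all invented here) and shows how to pull a chronological timeline and per-site visit counts out of them.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample visits: (url, title, visit_date in microseconds since the
# Unix epoch, the PRTime unit Firefox uses). The data is invented for this
# example; the table and column names below are a subset of the real schema.
SAMPLE_VISITS = [
    ("https://www.csus.edu/", "Sacramento State", 1452988800000000),
    ("https://example.org/",  "Example Domain",   1452992400000000),
    ("https://www.csus.edu/", "Sacramento State", 1453075200000000),
]


def build_sample_places(conn):
    """Create a cut-down moz_places / moz_historyvisits pair and load the sample visits."""
    conn.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT UNIQUE, title TEXT,
            visit_count INTEGER DEFAULT 0, last_visit_date INTEGER DEFAULT 0);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    for url, title, visit_date in SAMPLE_VISITS:
        conn.execute("INSERT OR IGNORE INTO moz_places (url, title) VALUES (?, ?)", (url, title))
        place_id = conn.execute("SELECT id FROM moz_places WHERE url = ?", (url,)).fetchone()[0]
        conn.execute("INSERT INTO moz_historyvisits (place_id, visit_date) VALUES (?, ?)",
                     (place_id, visit_date))
        # Keep the per-URL counters in step with the visit rows, as Firefox does.
        conn.execute("UPDATE moz_places SET visit_count = visit_count + 1, "
                     "last_visit_date = MAX(last_visit_date, ?) WHERE id = ?",
                     (visit_date, place_id))
    conn.commit()


def prtime_to_utc(microseconds):
    """Convert a Firefox PRTime value to an aware UTC datetime."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)


def history_timeline(conn):
    """Every visit in chronological order as (ISO-8601 UTC timestamp, url, title)."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(prtime_to_utc(ts).isoformat(), url, title) for ts, url, title in rows]


def visit_counts(conn):
    """(url, visit_count, last visit as ISO-8601 UTC), most visited first."""
    rows = conn.execute(
        "SELECT url, visit_count, last_visit_date FROM moz_places "
        "ORDER BY visit_count DESC, url").fetchall()
    return [(url, n, prtime_to_utc(last).isoformat()) for url, n, last in rows]


def open_places(path=":memory:"):
    """Open a places database read-only; ':memory:' builds the constructed sample instead."""
    if path == ":memory:":
        conn = sqlite3.connect(path)
        build_sample_places(conn)
        return conn
    # mode=ro avoids touching the evidence file; still work from a copy, never the original.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    db = open_places()
    for when, url, title in history_timeline(db):
        print(when, url, title)
    for url, n, last in visit_counts(db):
        print(f"{n:3d} visits  last {last}  {url}")
```

Run as-is it reports on the constructed sample; pass the path of a copied places.sqlite to open_places to run the same two queries against a real profile. A live Firefox holds a lock on the file, so copy the profile first and query the copy.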

Firefox

about:cache
browser.cache.disk.enable = false…disables disk caching.

Firefox

about:cache: disk cache

Firefox

MozillaCacheView

Firefox

MozillaHistoryView

High visit count = intent = guilty

Opera

cookies4.dat
dcache4.url: binary index of cache
opr*.*: cached files in same format as originals but missing extension

Opera

opera:cache

What Is Really Meant By Private?

"Incognito is designed to hide your browsing from your computer, not hide it from the Web," says Google engineer Sundar Pichai.

Incognito & InPrivate: still stores on HDD

PC Inspector File Recovery: recovered a lot, but not Incognito or InPrivate data.

Since it’s written to the drive…it’s recoverable. Maybe not with free software, but likely with FTK.

Where Else To Look

Downloads
  Not deleted after using Incognito & InPrivate
  Opera manages torrents (mostly illegal…)
Clipboard (clipbrd.exe)
Extensions (Firefox)

Where Else To Look

SharedObjects / Plugins
  Tested & failed a break.com visit.
  Must disable on Macromedia’s website.
  Requires more work to delete.

DNS Cache

Windows
  ipconfig /displaydns
    Lists websites even after clearing info stored by browsers.
  ipconfig /flushdns
    Clears DNS listings
Mac
  dscacheutil -cachedump -entries Host
  dscacheutil -flushcache

HOSTS

Maps host names to IP addresses.
Redirect www.csus.edu to site containing illegal images
Favorites addresses may be altered: compare with HOSTS files, caches, and current content on site.
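The DNS Cache and HOSTS slides above describe the same cross-check: a bookmark's address means nothing until you know where its host name actually resolved on that machine, which is what the HOSTS file and the resolver cache tell you. The script below is an added example rather than anything from the original slides; it parses a HOSTS file and the text of ipconfig /displaydns output (both constructed here, with documentation-range addresses standing in for real ones), then reports, for each favorite, any non-loopback HOSTS override of its host and any cached DNS answers for it. The favorites list, file contents and helper names are all assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed HOSTS file: the override of www.csus.edu to a documentation-range
# address is invented to show what a tampered entry looks like.
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed for this example)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.csus.edu    # non-local override of a real site name
203.0.113.45    csus.edu
"""

# Constructed excerpt in the layout of `ipconfig /displaydns` output.
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    www.csus.edu
    ----------------------------------------
    Record Name . . . . . : www.csus.edu
    Record Type . . . . . : 1
    Time To Live  . . . . : 600
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.45

    example.org
    ----------------------------------------
    Record Name . . . . . : example.org
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7
"""

# Constructed favorites list, as URLs read out of a browser profile.
SAMPLE_FAVORITES = ["https://www.csus.edu/", "https://example.org/"]


def parse_hosts(text):
    """Map every host name in a HOSTS file to its address; comments and blank lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            mapping[name.lower()] = address  # a later line wins, like the resolver
    return mapping


_DNS_RECORD = re.compile(r"Record Name[ .]*: (\S+)")
_DNS_ANSWER = re.compile(r"A \(Host\) Record[ .]*: (\S+)")


def parse_displaydns(text):
    """Collect {record name: [IPv4 answers]} from ipconfig /displaydns output."""
    cache = {}
    current = None
    for line in text.splitlines():
        m = _DNS_RECORD.search(line)
        if m:
            current = m.group(1).lower()
            cache.setdefault(current, [])
            continue
        m = _DNS_ANSWER.search(line)
        if m and current is not None:
            cache[current].append(m.group(1))
    return cache


def is_loopback(address):
    """True for 127.0.0.0/8 and ::1, the only HOSTS targets that are not a redirect."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def check_favorites(favorites, hosts_text, displaydns_text):
    """For each favorite URL, report a non-local HOSTS override and any cached DNS answers."""
    hosts = parse_hosts(hosts_text)
    cache = parse_displaydns(displaydns_text)
    findings = []
    for url in favorites:
        host = (urlsplit(url).hostname or "").lower()
        override = hosts.get(host)
        findings.append({
            "url": url,
            "host": host,
            "hosts_override": override if override and not is_loopback(override) else None,
            "dns_cache": cache.get(host, []),
        })
    return findings


if __name__ == "__main__":
    for f in check_favorites(SAMPLE_FAVORITES, SAMPLE_HOSTS, SAMPLE_DISPLAYDNS):
        print(f["url"], "HOSTS override:", f["hosts_override"], "cached:", f["dns_cache"])
```

On a Windows evidence machine the HOSTS file is %SystemRoot%\System32\drivers\etc\hosts and the cache text comes from running ipconfig /displaydns and saving its output; on a Mac the file is /etc/hosts. An override to a non-loopback address for a host the user bookmarked is the case the slide warns about, and the cached answer shows which address the browser was actually handed at the time.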

HOSTS

DNS Cache

Windows: lists entries while using InPrivate & Incognito

RAM Disk

Allows RAM to act like a hard drive
Simply relocate where cache is stored
Erased just like RAM
Much more difficult to recover, if possible at all!
  Unless it’s in swap or slack space

Still Can’t Find Anything?

Recover Deleted Files
Page files
Opera: Group Project
Slack space
ISP logs
Network & router logs

Tools

Web Historian
Pasco
IE Historian
FTK
EnCase

Summary

Prevents average users using the same computer from revealing your tracks…
If it wasn’t bleached/shredded…they will find it on the hard drive…