
CNS 320 Week9 Lecture

Date post: 10-Feb-2018
  • 7/22/2019 CNS 320 Week9 Lecture


    CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

    Week 9 Lecture

    Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.


    Any questions before the Quiz?



    Final Exam Next Week

    No notes

    Covers material from the beginning through lecture #8

    We'll review tonight after I get through the new material

    No lab today because of the missed class period due to the Memorial Day holiday



    New Material This Week

    Other Browsers

    Firefox

    Google Chrome

    Safari (in passing)



    Firefox

    Numerous versions, especially recently

    Major changes to forensic artifacts occurred between version 2 and 3, which was released in June of 2008

    We will primarily concern ourselves with pre-3.0 and 3.0+ versions


    Firefox Artifacts

    History

    Cache

    Cookies

    Bookmarks/Favorites

    No usage of the registry. All artifacts are stored in files, mostly using complex database formats.


    Firefox File Locations (non-cache)

    XP: C:\Documents and Settings\<user>\Application Data\Mozilla\Firefox\Profiles\<profile>\

    Vista/Win7: C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\

    The profile folder name is a random 8-character string followed by the profile name (xxxxxxxx.default); profiles.ini one level up in the Firefox folder lists every profile, so check it for non-default profiles before assuming there is only one.


    Firefox File Locations (cache)

    XP: C:\Documents and Settings\<user>\Local Settings\Application Data\Mozilla\Firefox\Profiles\<profile>\Cache

    Vista/Win7: C:\Users\<user>\AppData\Local\Mozilla\Firefox\Profiles\<profile>\Cache


    Firefox Version Determination

    If less than 3.0, there will be no .sqlite files in the Firefox profile folder

    Exact version can be determined by examining prefs.js in the Firefox profile folder for the line setting the value named extensions.lastAppVersion

    Example: user_pref("extensions.lastAppVersion", "9.0.1");

    prefs.js also carries extensions.lastPlatformVersion, which is the Gecko platform version rather than the Firefox version (the two happen to match in 9.0.1 but need not in general). compatibility.ini in the same folder records the version that last opened the profile in its LastVersion line, which is a useful cross-check.


    Firefox Profiles Before Version 3

    History stored using the Mork format (obscure text-based DB): history.dat, formhistory.dat

    Bookmarks stored in HTML: bookmarks.html

    Cookies & downloads stored as text: cookies.txt, downloads.rdf

    Cache references are stored in a complex database, and some actual cache data is stored in a binary format


    Firefox History Before Version 3

    MORK Field Names

    Complete URL: URL

    Page Title: Name

    First Visited: FirstVisitDate

    Last Visited: LastVisitDate

    # of times site visited: VisitCount

    Whether URL was typed: Typed

    Page retrieved w/o user action?: Hidden

    Referring Page: Referrer


    Firefox Cookies Before Version 3

    Data stored in tab-separated columns in cookies.txt (the Netscape cookie file format; one row per cookie, lines beginning with # are comments)

    Col1: website domain (a leading dot means the cookie applies to subdomains as well)

    Col2: TRUE if all hosts within that domain may read the cookie, FALSE if only the exact host that set it

    Col3: webserver directory path for which the cookie is valid

    Col4: HTTPS only? (TRUE/FALSE)

    Col5: Expiration date (Unix epoch time in seconds; 0 for a session cookie)

    Col6: cookie name

    Col7: values/preferences stored


    Pre Firefox 3 Cookie Example (one cookie per line; the columns are tab-separated in the real file)

    .youtube.com  TRUE  /  FALSE  1317674985  __utma  27069237.1816673280909886200.1243093244.1253991722.1254602985.13
    .youtube.com  TRUE  /  FALSE  1276028394  VISITOR_INFO1_LIVE  N2Xmi-uMhTo
    .youtube.com  TRUE  /  FALSE  1306165239  __utmx  27069237.00004945564262247550:3:0-0-10
    .youtube.com  TRUE  /  FALSE  1306165239  __utmxx  27069237.00004945564262247550:1243093239:2592000
    .youtube.com  TRUE  /  FALSE  1258861243  __utmz  27069237.1243093244.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    .youtube.com  TRUE  /  FALSE  1520356702  LOCALE_PREFERENCE  86d1d09eefe6b79b4068000ce05518a4dAUAAABlbl9VUw==

    BTW, important note: you should be able to recognize the format of the tail of that last value. It's called Base64 (the trailing "=" padding is the giveaway), and sometimes it translates to interesting values. Here the value is a 32-character hex string followed by 16 Base64 characters (dAUAAABlbl9VUw==), and those decode to a few binary bytes followed by the text en_US, which is exactly what a cookie named LOCALE_PREFERENCE ought to hold. The Google Analytics __utma value is also worth a second look: its dot-separated fields include three Unix timestamps (first visit, previous visit, current visit) and a session count.
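The following is an added example (not code from the lecture) that parses a cookies.txt in the Netscape format described above and decodes the two values the slide calls out: it Base64-decodes the tail of LOCALE_PREFERENCE and splits the Google Analytics __utma timestamps. The sample lines are the six cookies from the slide re-joined with tabs, and the __utma field layout is the Google Analytics convention, not something the slide states.

```python
"""Parse a pre-Firefox-3 cookies.txt (Netscape cookie file format) and decode
the value tails the slide points at.

Added example, not code from the lecture. SAMPLE_COOKIES_TXT is constructed
from the six YouTube cookies shown on the slide, joined with tabs the way the
real file stores them.
"""
import base64
import binascii
from datetime import datetime, timezone

SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "\t".join([".youtube.com", "TRUE", "/", "FALSE", "1317674985", "__utma",
               "27069237.1816673280909886200.1243093244.1253991722.1254602985.13"]),
    "\t".join([".youtube.com", "TRUE", "/", "FALSE", "1276028394",
               "VISITOR_INFO1_LIVE", "N2Xmi-uMhTo"]),
    "\t".join([".youtube.com", "TRUE", "/", "FALSE", "1306165239", "__utmx",
               "27069237.00004945564262247550:3:0-0-10"]),
    "\t".join([".youtube.com", "TRUE", "/", "FALSE", "1306165239", "__utmxx",
               "27069237.00004945564262247550:1243093239:2592000"]),
    "\t".join([".youtube.com", "TRUE", "/", "FALSE", "1258861243", "__utmz",
               "27069237.1243093244.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"]),
    "\t".join([".youtube.com", "TRUE", "/", "FALSE", "1520356702", "LOCALE_PREFERENCE",
               "86d1d09eefe6b79b4068000ce05518a4dAUAAABlbl9VUw=="]),
])

COLUMNS = ("domain", "domain_wide", "path", "secure", "expiry", "name", "value")


def epoch_to_utc(seconds):
    """Unix epoch seconds -> aware UTC datetime (None for 0, a session cookie)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc) if seconds else None


def parse_cookies_txt(text):
    """Return one dict per cookie row; comment and blank lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue                                   # not a well-formed cookie row
        c = dict(zip(COLUMNS, parts))
        c["domain_wide"] = c["domain_wide"] == "TRUE"  # all hosts in the domain may read it
        c["secure"] = c["secure"] == "TRUE"            # sent over HTTPS only
        c["expiry"] = int(c["expiry"])
        c["expires_utc"] = epoch_to_utc(c["expiry"])
        cookies.append(c)
    return cookies


def decode_base64_blob(value, skip=0):
    """Base64-decode value[skip:], or return None if it is not valid Base64.

    LOCALE_PREFERENCE is a 32-character hex string followed by a Base64 blob,
    so the caller passes skip=32. With skip=0 the hex prefix happens to be a
    multiple of four Base64 characters, so the decode still ends in en_US but
    is preceded by 24 bytes of noise.
    """
    blob = value[skip:]
    if len(blob) % 4:
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_utma(value):
    """Split a Google Analytics __utma value using the GA convention (not on the
    slide): domain hash . visitor id . first visit . previous visit . current visit . session count."""
    parts = value.split(".")
    if len(parts) != 6:
        return None
    return {
        "domain_hash": parts[0],
        "visitor_id": parts[1],
        "first_visit": epoch_to_utc(int(parts[2])),
        "previous_visit": epoch_to_utc(int(parts[3])),
        "current_visit": epoch_to_utc(int(parts[4])),
        "session_count": int(parts[5]),
    }


def report(text=SAMPLE_COOKIES_TXT):
    """Parse the file and attach decoded detail where the value layout is known."""
    out = []
    for c in parse_cookies_txt(text):
        detail = None
        if c["name"] == "LOCALE_PREFERENCE":
            detail = decode_base64_blob(c["value"], skip=32)   # bytes ending in b"en_US"
        elif c["name"] == "__utma":
            detail = parse_utma(c["value"])
        out.append((c["name"], c["expires_utc"], detail))
    return out
```

The decoded LOCALE_PREFERENCE bytes are t, 05 00 00 00, en_US: the four bytes before the string are a little-endian 5, the length of en_US, which is a common serialization shape and a hint that the blob is a structured record rather than free text.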


    Useful online format translator

    http://home.paulschou.net/tools/xlate/

    Converts between text, binary, hex, decimal, Base64, ASCII and hashes


    Firefox 2 DOM Storage

    Supposedly supported

    I don't think it used SQLite

    Can't find further information


    Firefox Cache (All Versions)

    Folder Structure:

    _CACHE_MAP_: Master tracking file for the cache

    _CACHE_001_, _CACHE_002_, _CACHE_003_: Cache block files, the primary storage locations (256-, 1024- and 4096-byte blocks respectively)

    ########: (8-character hex number) Data files which store entries too large to fit within a cache block file

    Data files are stored with their content encoding (deflate or gzip) intact, unlike IE, so gzip-encoded ones can often be carved from unallocated space by the 1F 8B 08 signature

    This is the layout of the versions covered here; later Firefox releases moved to a different on-disk cache format (cache2), so confirm which layout a given profile uses before parsing


    Pre Firefox 3 Bookmarks

    Found in bookmarks.html (Netscape bookmark file format). Sample entry (the HTML tags were lost when this deck was transcribed):

    Cascading Style Sheets, level 2 revision 1

    In the file each bookmark is an <A> element: its HREF attribute is the URL, its ADD_DATE and LAST_MODIFIED attributes are the bookmark add and last-modify dates (Unix epoch seconds), and the element text is the page title (shown in bold on the original slide)


    Pre Firefox 3 Bookmark Backups

    Stored in bookmarkbackups subfolder

    Up to 5 copies, one per day

    Filename: bookmarks-<date>.html, with the date written YYYY-MM-DD

    Copies of bookmarks.html


    Pre Firefox 3 Download History

    XML fields in downloads.rdf:

    Name: Downloaded file name

    URL: Download URL

    File: Save location

    DateStarted: Time download started

    DateEnded: Time download ended

    DownloadState: Successful?

    Times are in the local system timezone

    Default download folder is the user's desktop

    Settable via browser.download.dir in prefs.js


    Pre Firefox 3 Form Autocomplete

    Mork fields from formhistory.dat:

    Name: Name of the field for which data was entered

    Value: Data entered into the form field


    Firefox Session Restore (all versions)

    Data found in sessionstore.js (JSON):

    Open windows

    Window screen positions & sizes

    Scroll positions

    Tab history

    Cookies

    Form Data

    Restartable failed file downloads

    File is deleted on normal exit, but a copy of the previous session normally survives as sessionstore.bak in the same folder, so look for that too


    Firefox Privacy Options

    By default, FF1-3 keeps 90 days of history

    FF4+ dynamically determines the amount of saved history based on system resources (could be more)

    Lots of options for controlling what's retained and what's automatically deleted, on a very granular basis

    These are stored in prefs.js

    It's also easy to selectively delete sites from the collected history


    Firefox Privacy Settings (10.0)


    Right-click "Forget About This Site" option in the History view


    Clear Recent History Options


    Signs of Cleared History

    To clear DOM Storage, the user must select both Cookies and a time range of Everything

    Record ID numbers in SQLite are assigned sequentially, so selective deletion will leave gaps in the id sequence. Gaps in the middle of the sequence are the reliable sign: a table without AUTOINCREMENT hands out max(id)+1 to the next row, so rows deleted from the end of the table get their ids reused.

    Selective site history deletion ("Forget About This Site") causes the entire browser cache to be deleted


    Private Browsing (Porn) Mode

    Solid implementation

    Protects History, Search History, Download History, Form Data, Cookies, & Cache Data

    Bookmarks aren't protected, & neither (because they're filesystem artifacts) are files that are actually downloaded

    The only known ways to recover most of this data involve carving from unallocated space or memory


    Recovering Deleted Firefox Artifacts

    SQLite is known for the frequency with which it creates temporary files (rollback journals named <database>-journal next to the database, plus statement journals in the temp directory)

    Even if there are no browser artifacts still in allocated space, odds are very good that there are fragments scattered all across unallocated

    It's also very possible that some of these files may be intact SQLite database files


    SQLite Database File Format

    File begins with the magic number "SQLite format 3\000" (the \000 is actually a single null; 16 bytes in total)

    At offset 16 is a 2-byte big-endian quantity, the database page size in bytes. It must be a power of 2 between 512 and 32768, or the value 1, which is interpreted as a page size of 65536 (it is the page size itself, not the exponent)

    At offset 28 is a 4-byte big-endian quantity, the size of the database file in pages. It is only trustworthy when the 4-byte file change counter at offset 24 equals the "version-valid-for" number at offset 92; databases last written by older SQLite releases leave offset 28 at zero or stale, in which case fall back to the file system or to page-by-page parsing

    Page size times page count gives the file length, so this data should make it relatively simple to carve the file out of unallocated space
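An added example (not code from the lecture) of the carving approach just described: parse_sqlite_header reads the page size and page count out of the 100-byte header, applying the offset 24 / offset 92 check, and carve_sqlite walks a buffer for the magic string and cuts out each database whose computed length fits. The sample image is assembled from a database created on the fly with Python's own sqlite3 module plus constructed filler bytes, so the page size it reports is whatever the local SQLite library uses.

```python
"""Parse the SQLite 3 file header and carve complete databases out of a raw buffer.

Added example, not code from the lecture. Offsets follow the published SQLite
file format; the sample image is assembled here from a database created with
Python's sqlite3 module plus constructed filler bytes.
"""
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"    # 16 bytes, trailing NUL included
HEADER_LEN = 100


def parse_sqlite_header(buf):
    """Return (page_size, page_count, file_size) for a header at buf[0:100].

    Offset 16: 2-byte big-endian page size; a power of two in 512..32768, or
    the value 1 meaning 65536.
    Offset 28: 4-byte big-endian size in pages. Only valid when the change
    counter at offset 24 equals the version-valid-for number at offset 92
    (files written by old SQLite releases leave offset 28 at 0 or stale);
    when they differ, page_count is reported as 0 (unknown).
    Returns None when the magic string is absent or the page size is impossible.
    """
    if len(buf) < HEADER_LEN or buf[:16] != SQLITE_MAGIC:
        return None
    (page_size,) = struct.unpack(">H", buf[16:18])
    if page_size == 1:
        page_size = 65536
    elif page_size < 512 or page_size & (page_size - 1):
        return None
    change_counter, page_count = struct.unpack(">II", buf[24:32])
    (version_valid_for,) = struct.unpack(">I", buf[92:96])
    if change_counter != version_valid_for:
        page_count = 0
    return page_size, page_count, page_size * page_count


def carve_sqlite(buf):
    """Yield (offset, data) for each database whose header-derived length fits in buf."""
    pos = buf.find(SQLITE_MAGIC)
    while pos != -1:
        hdr = parse_sqlite_header(buf[pos:pos + HEADER_LEN])
        if hdr and hdr[2] and pos + hdr[2] <= len(buf):
            yield pos, buf[pos:pos + hdr[2]]
            pos = buf.find(SQLITE_MAGIC, pos + hdr[2])
        else:
            pos = buf.find(SQLITE_MAGIC, pos + 1)   # truncated or untrusted size: keep scanning


def make_sample_db():
    """Create a small places.sqlite-like database and return its bytes (constructed data)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
        con.executemany("INSERT INTO moz_places(url, title) VALUES (?, ?)",
                        [("http://example.test/page%d" % i, "page %d" % i) for i in range(200)])
        con.commit()
        con.close()
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.unlink(path)


def demo_sqlite_carve():
    """Bury the sample database in filler, append a truncated copy, and carve."""
    db = make_sample_db()
    filler = bytes(range(256)) * 15 + b"\x00" * 249      # 4089 bytes, contains no magic
    # The truncated copy at the end has a valid header but not enough bytes
    # behind it, so the carver must skip it rather than emit garbage.
    image = filler + db + b"\x00" * 3000 + db[:300] + b"\xaa" * 100
    return db, list(carve_sqlite(image))
```

A carver built this way recovers only databases whose final length is recorded in the header; fragments and journal files still need the page-level parsing that tools such as the SQLite viewers listed later on the slides do not perform.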


    Firefox 3+ Profiles

    Most Firefox 3+ data is stored in SQLite db format

    History, Bookmarks, Autocomplete: places.sqlite

    Download History: downloads.sqlite

    Form Autocomplete: formhistory.sqlite

    Cookies: cookies.sqlite

    Usernames & Passwords: signons.sqlite (3.5+; the stored passwords are encrypted with a key held in key3.db in the same profile, so collect both files)

    DOM Storage: webappsstore.sqlite (note the double s)

    Cache mechanism unchanged from Ver. 2


    Firefox History Version 3+

    SQLite Field Names (tables moz_places and moz_historyvisits in places.sqlite)

    Complete URL: url (moz_places)

    Page Title: title (moz_places)

    Date Visited: visit_date (moz_historyvisits; one row per visit, so every visit is tracked; PRTime, microseconds since 1970)

    # of times site visited: visit_count (moz_places)

    Whether URL was typed: typed (moz_places)

    Page retrieved w/o user action?: hidden (moz_places)

    Referring Page: from_visit (moz_historyvisits; the id of the referring visit row, whose place_id in turn gives the referring URL)

    Type of visit (new field, see next slide): visit_type (moz_historyvisits)


    Firefox History Visit Types

    1. Link Clicked

    2. URL Typed

    3. Bookmark Used

    4. Loaded as content within a page

    5. HTTP 301 Permanent Redirect

    6. HTTP 302 Temporary Redirect

    7. Non-HTML File Downloaded
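As an added example (not code from the lecture), this is the query a history tool runs against places.sqlite for the fields on the two slides above, with visit_date converted from PRTime, visit_type mapped to the labels from this slide, and the id-gap check from the "Signs of Cleared History" slide. The schema is a constructed subset of Firefox's moz_places and moz_historyvisits tables (the column names are Firefox's, the rows are invented); point the connection at a copy of a real places.sqlite to run the same queries against evidence.

```python
"""Read Firefox 3+ history from places.sqlite the way a history tool does.

Added example, not code from the lecture. The schema below is a constructed
subset of Firefox's moz_places and moz_historyvisits tables (Firefox's column
names, invented rows). Replace build_sample() with
sqlite3.connect("file:places.sqlite?mode=ro", uri=True) on a copy of the
evidence file to run the same queries for real.
"""
import sqlite3
from datetime import datetime, timezone

# visit_type codes from the "Firefox History Visit Types" slide.
VISIT_TYPES = {
    1: "link clicked", 2: "URL typed", 3: "bookmark used",
    4: "embedded content", 5: "HTTP 301 permanent redirect",
    6: "HTTP 302 temporary redirect", 7: "non-HTML file downloaded",
}


def prtime_to_utc(us):
    """PRTime (microseconds since 1970-01-01 UTC) -> aware datetime, exact."""
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc).replace(
        microsecond=us % 1_000_000)


# from_visit points at the referring row of moz_historyvisits, whose place_id
# gives the referring URL; two self-joins resolve it.
HISTORY_SQL = """
SELECT v.id, p.url, p.title, v.visit_date, v.visit_type, p.typed, p.hidden,
       r.url AS referrer
FROM moz_historyvisits AS v
JOIN moz_places AS p ON p.id = v.place_id
LEFT JOIN moz_historyvisits AS rv ON rv.id = v.from_visit
LEFT JOIN moz_places AS r ON r.id = rv.place_id
ORDER BY v.visit_date
"""


def history(con):
    """Return the visit timeline as a list of dicts with decoded fields."""
    rows = []
    for vid, url, title, us, vtype, typed, hidden, referrer in con.execute(HISTORY_SQL):
        rows.append({
            "id": vid, "url": url, "title": title,
            "visited_utc": prtime_to_utc(us),
            "visit_type": VISIT_TYPES.get(vtype, "unknown (%d)" % vtype),
            "typed": bool(typed), "hidden": bool(hidden),
            "referrer": referrer,
        })
    return rows


def id_gaps(con, table="moz_historyvisits"):
    """Missing ids inside the sequence, as (first missing, last missing) per run.

    Ids are assigned sequentially, so interior gaps indicate rows deleted
    selectively. Deletions at the end of the table are not visible this way,
    because SQLite reuses max(id)+1 for tables without AUTOINCREMENT.
    """
    ids = [r[0] for r in con.execute("SELECT id FROM %s ORDER BY id" % table)]
    return [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]


def build_sample():
    """In-memory stand-in for places.sqlite with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                visit_count INTEGER, hidden INTEGER, typed INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
                                place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?)", [
        (1, "http://example.test/", "Example", 1, 0, 1),
        (2, "http://example.test/login", "Login", 1, 0, 0),
        (3, "http://example.test/report.pdf", None, 1, 0, 0),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, 1330000000000000, 2),   # typed URL, 2012-02-23 12:26:40 UTC
        (2, 1, 2, 1330000060000000, 1),   # link clicked, referred by visit 1
        (5, 2, 3, 1330000120000000, 7),   # download; visits 3 and 4 were deleted
    ])
    con.commit()
    return con
```

Always work on a copy opened read-only: opening the live profile file with a writable connection can create a journal and update the change counter, which alters the evidence.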


    Firefox 3+ Cookies

    SQLite Field Names from the moz_cookies table in cookies.sqlite:

    host: website domain

    path: webserver directory path for which the cookie is valid

    isSecure: HTTPS only?

    isHttpOnly: not readable from script?

    expiry: Expiration date (Unix epoch seconds)

    name: cookie name

    value: values/preferences stored

    lastAccessed: Date the website last accessed the cookie (PRTime, microseconds)

    id (FF3): Created date? (one reference). Sanity-check by converting the value as PRTime: a plausible date supports that reading, an id that converts to nonsense refutes it

    creationTime (FF4+): Created date (PRTime, microseconds)


    Firefox 3+ DOM Storage

    SQLite Field Names from the webappsstore2 table in webappsstore.sqlite (both names carry a double s):

    scope: Site name, http/https, port. The host is stored reversed, so a scope for www.example.com over http on port 80 reads moc.elpmaxe.www:http:80

    key: Value name

    value: Value contents

    secure: HTTPS Required?

    owner: Not populated in my testing

    Another reference claims this data is sometimes found in webappstore2.sqlite instead


    Firefox 3+ Bookmarks

    Found in the moz_bookmarks table in places.sqlite: fk joins to moz_places.id for the URL, title is the bookmark name, parent is the enclosing folder's own moz_bookmarks.id, and dateAdded/lastModified are PRTime (microseconds since 1970)


    Firefox 3+ Bookmark Backups

    Stored in the bookmarkbackups subfolder

    Up to 10 copies, one per day (FF3 only stored up to 5)

    Filename: bookmarks-<date>.json, JavaScript Object Notation (JSON) format

    Text-based, and contains references to the same field names as in places.sqlite

    bookmarks.bak may also exist. Unclear under what circumstances it gets created


    Firefox 3+ Download History

    SQLite fields in the moz_downloads table of downloads.sqlite:

    name: Name of downloaded file

    mimeType: File type of downloaded file

    source: Download URL

    referrer: Referring URL

    target: Save location (stored as a file: URL)

    preferredApplication: Application used to open file

    startTime: Time download started (PRTime)

    endTime: Time download ended (PRTime)

    maxBytes: Size of download (currBytes records how much actually arrived)

    state: Successful? (1 = finished; other values mark in-progress, failed, cancelled, paused or blocked downloads)


    Firefox 3+ Form Autocomplete

    SQLite fields from the moz_formhistory table in formhistory.sqlite:

    fieldname: Name of the field for which data was entered

    value: Data entered into the form field

    timesUsed: # of times value has been entered

    firstUsed: Time data first typed (PRTime)

    lastUsed: Time data last used (PRTime)


    Google Chrome

    File Locations: According to Digital Forensics with Open Source Tools:

    XP: \Local Settings\Application Data\Google\Chrome\default

    Vista/Win7: \AppData\Local\Google\Chrome\default

    Folders actually created by the current version of Chrome (the book's paths are out of date; note the extra User Data level):

    XP: C:\Documents and Settings\<user>\Local Settings\Application Data\Google\Chrome\User Data\Default

    Vista/Win7: C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default

    http://proquestcombo.safaribooksonline.com.ezproxy1.lib.depaul.edu/book/-/9781597495868

    Chrome Initial Data

    Initial history & cookie data appears to have been silently imported from other browsers when Chrome was installed


    Subfolders of Chrome Default Folder

    Cache

    Extensions

    Local Storage

    User Stylesheets


    SQLite Database Files in Chrome Default Folder

    Archived History

    Cookies

    Favicons

    History

    History Index ####-## (year-month)

    Login Data

    Network Action Predictor

    Shortcuts

    Top Sites

    Web Data


    Non-SQLite Files in Chrome Default Folder

    Bookmarks (JSON)

    Bookmarks.bak (JSON)

    Current Session (SNSS)

    Current Tabs (SNSS)

    History Provider Cache (Protocol buffers)

    Last Session (SNSS)

    Last Tabs (SNSS)

    Preferences (JSON)

    Visited Links (unknown binary format)


    Bookmarks (Legacy? Same data appears in the Shortcuts SQLite DB)

    JSON, mostly human readable:

    { "date_added": "12974427976796875", "id": "4", "name": "Google", "type": "url", "url": "http://www.google.com/" },

    Dates can be converted using Dcode.exe (Chrome Time). Chrome time is the number of microseconds since 1601-01-01 00:00 UTC, so dividing by 1,000,000 and subtracting 11,644,473,600 gives Unix epoch seconds; the entry above works out to 2012-02-22 23:46:16 UTC

    ID is the order in which the entry appears. The first three are usually the default folders: Bookmark Bar, Other Bookmarks, Mobile Bookmarks


    History Provider Cache: in Protocol Buffers format

    Download the Protocol Buffers compiler and dump the file without a schema (quote the filename, it contains spaces):

    protoc --decode_raw < "History Provider Cache" > out.txt

    Some extracted values will resemble:

    2 {
      1: 126
      2: 0
      3: 0
      4: 12974212186000000
      5: "file:///C:/Documents%20and%20Settings/John%20McCash/Local%20Settings/Temp/rninst~0/ui_data/pages/progress/index.html?distcode=R71RR1&prod=RealPlayer&ver=15.0&li=en&oem=rp15_en_us&loc=us"
      6: "RealNetworks"
    }

    The long number in field 4 decodes (via dcode.exe, Chrome time) to a date: 2012-02-20 11:49:46 UTC

    Note: I visited this site two days before installing Chrome!


    Visited Links

    Unknown binary format, but as the source is online, it should be relatively straightforward to determine

    However I don't know of anyone who's done it

    Not entirely sure what's supposed to be stored in here

    Name strongly suggests that it can be forensically useful


    Session Restore

    Files (binary, undocumented format, but the browser is open source):

    Current Session (SNSS)

    Current Tabs (SNSS)

    Last Session (SNSS)

    Last Tabs (SNSS)

    Tabs files can be parsed by a JavaScript application designed to run within Chrome:

    http://metgate.org/chrome-session-restore/

    Complete session history can probably be recovered from the session files


    Chrome History

    SQLite tables in the History file:

    downloads

    presentation

    urls

    keyword_search_terms

    segment_usage

    visits

    meta

    segments


    History SQLite Fields

    Fields from downloads

    id, full_path (file saved), url (string), start_time, received_bytes, total_bytes, state (verified complete?), end_time, opened

    Fields from urls

    id, url (string), title, visit_count, typed_count, last_visit_time, hidden, favicon_id

    Fields from visits

    id, url (reference to urls.id), visit_time, from_visit (referrer, a visits.id), transition, segment_id, is_indexed

    All the *_time fields are Chrome time (microseconds since 1601). The transition value packs the core visit type (link, typed, bookmark, reload, ...) into its low byte and qualifier flags (from the address bar, redirect chain start/end, client or server redirect) into the high bits, so mask with 0xFF before looking the type up
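An added example (not code from the lecture, and not Chromium code) covering the Chrome time conversion from the Bookmarks slide and the visits.transition field described above. The Bookmarks JSON is a constructed file built around the single entry shown on the slide (Chrome's real root keys bookmark_bar/other/synced are used, the rest is invented), and the transition constants are the core types and qualifier flags from Chromium's ui/base/page_transition_types.h.

```python
"""Chrome time, Bookmarks JSON, and visits.transition decoding.

Added example: not code from the lecture and not Chromium code. SAMPLE_BOOKMARKS
is a constructed Bookmarks file built around the one entry shown on the slide
(the root keys bookmark_bar/other/synced are Chrome's; the rest is invented).
Transition constants are from Chromium's ui/base/page_transition_types.h.
"""
import json
from datetime import datetime, timedelta, timezone

# Chrome (WebKit) time: microseconds since 1601-01-01 00:00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_UNIX_OFFSET_US = 11_644_473_600 * 1_000_000   # seconds from 1601 to 1970, in microseconds


def chrome_time_to_utc(us):
    """Chrome time -> aware UTC datetime (exact, microseconds preserved)."""
    return _EPOCH_1601 + timedelta(microseconds=int(us))


def chrome_time_to_unix(us):
    """Chrome time -> Unix epoch seconds (float)."""
    return (int(us) - _UNIX_OFFSET_US) / 1_000_000


def walk_bookmarks(doc):
    """Flatten a Bookmarks file into (folder path, id, name, url, date_added as UTC)."""
    def walk(node, path):
        if node.get("type") == "url":
            yield (path, node["id"], node["name"], node["url"],
                   chrome_time_to_utc(node["date_added"]))
        else:
            for child in node.get("children", []):
                yield from walk(child, path + [node["name"]])
    for root in doc["roots"].values():
        if isinstance(root, dict) and "children" in root:   # skip scalar entries under roots
            yield from walk(root, [])


# visits.transition: the low byte is the core type, the high bits are qualifiers.
CORE_MASK = 0xFF
CORE_TYPES = {0: "link", 1: "typed", 2: "auto bookmark", 3: "auto subframe",
              4: "manual subframe", 5: "generated", 6: "start page",
              7: "form submit", 8: "reload", 9: "keyword", 10: "keyword generated"}
QUALIFIERS = {0x01000000: "forward/back", 0x02000000: "from address bar",
              0x04000000: "home page", 0x10000000: "chain start",
              0x20000000: "chain end", 0x40000000: "client redirect",
              0x80000000: "server redirect"}


def decode_transition(value):
    """Return (core type name, [qualifier names]) for a visits.transition value."""
    core = value & CORE_MASK
    flags = [name for bit, name in QUALIFIERS.items() if value & bit]
    return CORE_TYPES.get(core, "unknown (%d)" % core), flags


SAMPLE_BOOKMARKS = json.loads("""{
  "roots": {
    "bookmark_bar": {"id": "1", "name": "Bookmarks Bar", "type": "folder",
      "children": [
        {"date_added": "12974427976796875", "id": "4", "name": "Google",
         "type": "url", "url": "http://www.google.com/"}
      ]},
    "other": {"id": "2", "name": "Other Bookmarks", "type": "folder", "children": []},
    "synced": {"id": "3", "name": "Mobile Bookmarks", "type": "folder", "children": []}
  },
  "version": 1
}""")
```

The same chrome_time_to_utc conversion applies to every *_time and *_utc column in the History and Cookies databases; the 2012-02-20 result for the History Provider Cache value on the earlier slide falls two days before the 2012-02-22 creation date of the bookmark entry, which is what the "two days before installing Chrome" remark predicts.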


    Chrome History URLs SQLite Table


    History Index ####-## SQLite Tables

    info. Fields: rowid, time

    pages_content. Fields: docid (ref to rowid above), c0url (URL string), c1title (page title), c2body (indexed page text)

    pages_segdir. Fields: level, idx, start_block, leaves_end_block, root

    pages_segments. Fields: blockid, block

    pages_segdir and pages_segments are the internal shadow tables of an SQLite FTS3 full-text index built over pages_content, not cache data; the readable URL, title and body text live in pages_content


    Chrome Cookies

    cookies table SQLite fields:

    creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent

    The *_utc fields are Chrome time (microseconds since 1601), not Unix seconds


    Cookies SQLite Table


    Favicon

    favicons table SQLite fields:

    id, url (string), last_updated, image_data (can be saved out as .png), icon_type, sizes


    Login Data

    logins table SQLite fields: origin_url, action_url, username_element, username_value, password_element, password_value, submit_element, signon_realm, ssl_valid, preferred, date_created, blacklisted_by_user, scheme

    password_value is not plaintext: on Windows it is encrypted with DPAPI (CryptProtectData) under the user's logon credentials, so it only decrypts in that user's logon context or with that user's password and master key material


    Network Action Predictor SQLite DB

    Stuff the user typed, Chrome's guess at what was meant, and whether it was correct

    network_action_predictor table. Fields: id, user_text, url, number_of_hits, number_of_misses


    Shortcuts SQLite DB

    omni_box_shortcuts table. Fields: id, text, url, contents, contents_class, description (page title), description_class, last_access_time, number_of_hits


    Top Sites SQLite DB

    thumbnails table. Fields: url, url_rank, title, thumbnail (can be saved out as PNG), redirects, boring_score, good_clipping, at_top, last_updated, load_completed


    Chrome Form Autofill

    Web Data SQLite file: contains 17 tables

    Between them, over 100 fields

    A number of timestamps

    On any case involving somebody who's used Chrome extensively over a long period of time, there will probably be something useful in here somewhere


    Chrome Cache

    Cache folder contains one index file

    Multiple (at least 4) cache data files, named data_#. The initial data files are optimized to store small blocks of data.

    When the size of an item to cache exceeds 16KB, the item is stored in its own file named f_######

    Every piece of data stored by the cache has a given 4-byte cache address. These include:

    Cache Entry

    HTTP Headers

    Request Data

    Entry Name (key)

    Aux Info


    Chrome HTML 5 Local Storage

    Multiple SQLite databases in the Local Storage subfolder, one per origin, e.g.:

    chrome-extension_lifbcibllhkdhoafpjfnlhfpfgnpldfl_0.localstorage

    http_<host>_0.localstorage

    https_<host>_0.localstorage


    Browser Forensics Tools

    Mandiant Web Historian

    Browser support: Internet Explorer, Firefox, Chrome, Safari

    Artifacts: History, Cache (including Chrome thumbnails & indexed page content), Cookies, Form History

    Note: We've covered more artifacts than this!


    Mandiant Web Historian

    Web History Fields (columns: Firefox, Chrome, Internet Explorer; an X marks support; where a row has fewer than three Xs the transcription did not preserve which browser each X belongs to)

    URL: X X X
    PageTitle: X X X
    HostName: X
    Hidden: X X
    Typed: X
    LastVisitDate: X X X
    LastVisitDateLocal: X*
    VisitFrom: X X
    VisitType: X X (Redirect or URL)
    VisitCount: X X
    FirstBookmarkDate: X
    Thumbnail: X (Chrome)
    IndexedContent: X (Chrome)


    Mandiant Web Historian

    Cookie History Fields (same column convention: Firefox, Chrome, Internet Explorer)

    HostName: X X
    CookiePath: X X X
    CookieName: X X X
    CookieValue: X X X
    IsSecure: X X
    IsHttpOnly: X X
    LastAccessedDate: X X X
    ExpirationDate: X X X
    CreationDate: X X
    FileName: X
    FilePath: X
    CookieFlags: X
    LastModifiedDate: X


    Mandiant Web Historian

    Download History Fields (includes cache; same column convention: Firefox, Chrome, Internet Explorer)

    DownloadType: Manual (Firefox), Manual (Chrome), Auto / Auto IE Leak / Auto IE Redirect (Internet Explorer)
    FileName: X X X
    SourceURL: X X X
    TargetDirectory: X X X
    TemporaryPath: X
    Referrer: X
    MimeType: X
    StartDate: X X
    EndDate: X
    State: X X
    BytesDownloaded: X X X
    MaxBytes: X X X
    AutoResume: X
    FullHttpHeader: X
    LastAccessedDate: X
    LastModifiedDate: X
    CacheFlags: X
    CacheHitCount: X
    LastCheckedDate: X


    Mandiant Web Historian

    Form History Fields (same column convention: Firefox, Chrome, Internet Explorer; N/A = not supported for Internet Explorer)

    FormType: Login or Normal (Firefox), Login or Normal (Chrome), N/A
    FormFieldName: X N/A
    FormFieldValue: X N/A
    UsernameFieldName: X X N/A
    PasswordFieldName: X X N/A
    HostName: X N/A
    HttpRealm: X X N/A
    FormSubmitURL: X X N/A
    UsernameFieldValue: X X N/A
    EncryptedPassword: X X N/A
    EncryptionType: X X N/A
    FirstUsedDate: X N/A
    LastUsedDate: X N/A
    TimesUsed: X N/A
    Guid: X N/A
    CreationDate: X N/A


    Nirsoft Tools (single-purpose utilities; frequently updated, well designed)

    IECookiesView

    IEHistoryView

    IECacheView

    MozillaCookiesView

    MozillaHistoryView

    MozillaCacheView

    OperaCacheView

    ChromeCacheView

    ChromeHistoryView

    SafariHistoryView

    SafariCacheView

    FavoritesView (Firefox & Internet Explorer)

    FlashCookiesView

    FireFoxDownloadsView


    SQLite Tools

    SQLite Manager Firefox plugin (newer, better)

    SQLite Database Browser (old)


    Foundstone DumpAutoComplete

    Command line tool

    Produces XML output

    Works with all Firefox versions, but only extracts from formhistory files, not places.sqlite

    The moz_inputhistory table in places.sqlite maintains autocomplete data for the URL location bar, so query it separately


    FoxAnalysis (free version only for FF3+)

    Artifacts:

    History

    Bookmarks

    Cookies

    Downloads

    Form History

    Doesn't do cache


    Woanware

    FirefoxSessionstoreExtractor

    Extracts information from sessionstore.js:

    URLs

    Page Titles

    Cookies & values

    Tabs

    Form Data

    Referrer

    Scroll Data

    Command line only


    Archive Formats

    File Headers/Magic Numbers: (PK)Zip: 50 4B 03 04 [PK..]; Gzip: 1F 8B 08

    (PK)Zip files carry their size information in the file footer. Find the hex signature 50 4B 05 06 (the end of central directory record)

    At offset 12 from this is the 4-byte (little-endian) size of the central directory

    At offset 16 is the 4-byte (little-endian) offset, from the start of the archive, of the central directory

    Add these two values and search backwards from the beginning of the end of central directory record that many bytes, and you should see 50 4B 03 04, which is the beginning of the archive. If you don't, either something precedes the archive (a self-extractor stub, for example) or the record belongs to a different archive, so don't trust the computed start

    At offset 20 is a 2-byte comment length, followed by that many bytes of comment. The record is 22 bytes plus the comment; that's the end of the archive.

    Gzip has no such footer pointer: a gzip member ends with an 8-byte trailer (CRC-32 and uncompressed length) only after the deflate stream, so carving one means following the deflate stream to its end
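An added example (not code from the lecture) that carves a ZIP archive out of a buffer using exactly the walk just described: locate the end of central directory record, read the central directory size and offset at +12 and +16, step back to the first local file header, and read the comment length at +20 to find the end. The sample archive is generated in memory with Python's zipfile module and surrounded by constructed junk; ZIP64 and multi-disk archives are out of scope.

```python
"""Carve (PK)Zip archives out of a raw buffer via the end-of-central-directory record.

Added example, not code from the lecture. The sample archive is built in
memory with the zipfile module and padded with constructed junk; plain
single-disk archives only (no ZIP64 locator handling).
"""
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # 50 4B 03 04: first local file header
EOCD_SIGNATURE = b"PK\x05\x06"      # 50 4B 05 06: end of central directory record
EOCD_FIXED_LEN = 22                 # fixed part; a variable-length comment follows


def parse_eocd(buf, eocd_pos):
    """Return (archive_start, archive_end) for the EOCD record at eocd_pos,
    or None if its numbers do not point back at a local file header."""
    if buf[eocd_pos:eocd_pos + 4] != EOCD_SIGNATURE or eocd_pos + EOCD_FIXED_LEN > len(buf):
        return None
    # +12: central directory size, +16: central directory offset from archive
    # start, +20: comment length (all little-endian).
    cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", buf, eocd_pos + 12)
    start = eocd_pos - cd_size - cd_offset
    end = eocd_pos + EOCD_FIXED_LEN + comment_len
    if start < 0 or end > len(buf):
        return None
    # An empty archive is just the EOCD record, so accept either signature.
    if buf[start:start + 4] not in (LOCAL_FILE_HEADER, EOCD_SIGNATURE):
        return None   # a prefix (e.g. a self-extractor stub) or a stray record
    return start, end


def carve_zips(buf):
    """Yield (start, data) for every archive whose EOCD record checks out."""
    pos = buf.find(EOCD_SIGNATURE)
    while pos != -1:
        span = parse_eocd(buf, pos)
        if span:
            yield span[0], buf[span[0]:span[1]]
        pos = buf.find(EOCD_SIGNATURE, pos + 4)


def make_sample_zip():
    """Constructed two-entry archive with an archive comment (exercises +20)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("notes/readme.txt", "constructed sample " * 50)
        z.writestr("data.bin", bytes(range(256)) * 4)
        z.comment = b"carve me"
    return bio.getvalue()


def demo_zip_carve():
    """Embed the sample archive in junk, carve it back out, and CRC-check it."""
    archive = make_sample_zip()
    junk = bytes(i % 251 for i in range(3000))   # deterministic, no PK signatures in it
    image = junk + archive + b"\xff" * 500
    found = list(carve_zips(image))
    verified = [zipfile.ZipFile(io.BytesIO(data)).testzip() is None for _, data in found]
    return archive, found, verified
```

The signature check at the computed start is the part worth keeping: without it, an EOCD record from an unrelated archive, or one whose offsets count from a self-extractor prefix, yields a plausible-looking but unopenable blob.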


    Questions?

