This article is about forensic investigation of Internet Explorer. This is cover about investigating Internet Explorer history, cache, cookies, favorites. Lets take a look at index.dat file
Microsoft's Internet Explorer has two primary areas of interest. One is “index.dat” database file which is used by the web browser and the browser cache. index.dat is in the format of MSIECF (Microsoft Internet Explorer Cache File Format). The index.dat file contains information of visited URLs including the accessed and modified time, the location of cache directory, HTTP headers and so on and so fourth. Almost every software uses IExplorer for displaying information and for connecting over internet. Programs like skype, Live messenger, etc uses IE. So the history of accessed urls of those applications are also stored in index.dat.
The location of index.dat file
Now lets start investigating the index.dat file. I will use a tool name pasco by Foundstone which is very old but still used is many Live forensic distros. Here is a example
./pasco -d index.dat
As you see this will give the out put in the following format.
As this is not clear it is better to get a output to a file simple by using ./pasco > outputfile
There is another tool which we extract information in a organized manner. It is called msiecfexport.
Here is an example:
So you can clearly view the index.dat file.
Next we'll investigate the cache files. Cache files are stored locally as a result of the user's web browsing. These files are stored in
I will take an example from msiecfexport.
As you see the file “big_45fb5c22369e1c5d517f0282bd9250105f407e77.jpg
” is locally stored in cache directory “OV08Z8PA”. So the actual location is C:Users%username%AppData
LocalMicrosoftWindowsTemporary Internet FilesContent.IE5
Well of course this is the file
Here is the ouput o
f the cache by pasco:
URL temp:http://ethicalhackx.com/blog/wp-content/uploads/2013/07/big_45fb5c22369e1c5d517f0282bd9250105f407e77.jpg 02/04/2013 20:26:02 02/04/2013 20:26:07 big_45fb5c22369e1c5d517f0282bd9250105f407e77.jpg OV08Z8PA
You can again see “OV08Z8PA” is our cache sub directory.
Cookies can be found on
Cookies are normally in text format and we cannot understand anything.
I will use a tool called galleta which is a awesome tool release by McAfee labs.
Now you can nicely view the contents in the cookie file.
Investigating Favorites will also be interesting in IE. By the user’s bookmarks we can identify what kind of interests he owns.
Favorites are in different folders by default and suppose I added google.lk to favorites we can clearly see “Google.url”
Here is an example:
Even though you erase history it won’t be deleted and is still their on the index.dat file. There are third party tools which actually erase the index.dat. But remember any file can be recovered in seconds and some third party tools leave traces. So the best would be to shred the index.dat file manually.