Internet Explorer Forensic Investigation

Introduction


This article is about the forensic investigation of Internet Explorer. It covers investigating Internet Explorer history, cache, cookies and favorites. Let's take a look at the index.dat file first.


Index.dat


Microsoft's Internet Explorer has two primary areas of interest. One is the “index.dat” database file used by the web browser; the other is the browser cache. index.dat is in the MSIECF format (Microsoft Internet Explorer Cache File Format). The index.dat file contains information about visited URLs, including the accessed and modified times, the location of the cache directory, HTTP headers and so on. A great many applications use the Internet Explorer engine for displaying content and for connecting to the internet; programs like Skype, Live Messenger and others rely on IE. So the history of URLs accessed by those applications is also stored in index.dat.

The location of the index.dat file

Code:
Windows XP systems:
C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5

Windows Vista and 7:
C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

Now let's start investigating the index.dat file. I will use a tool named pasco by Foundstone, which is very old but still shipped in many live forensic distros. Here is an example:

./pasco -d index.dat

As you see, this gives the output in the following format.

Code:
TYPE URL MODIFIED TIME ACCESS TIME FILENAME DIRECTORY HTTP HEADERS

As this is not easy to read on the terminal, it is better to write the output to a file, simply by redirecting it: ./pasco -d index.dat > outputfile

There is another tool that extracts the information in a more organized manner. It is called msiecfexport (part of the libmsiecf project).
Here is an example:

With its record-by-record output you can clearly view the contents of the index.dat file; a full record from it is shown in the cache section below.


Cache




Next we'll investigate the cache files. Cache files are stored locally as a result of the user's web browsing. These files are stored in

Code:
Windows XP:
C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5

Windows Vista and 7:
C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

I will take an example from msiecfexport.

Code:
Record type : URL
Offset range : 67968 - 68224 (256)
Location : temp:http://thepaperwall.com/wallpapers/girls/big/big_45fb5c22369e1c5d517f0282bd9250105f407e77.jpg
Primary time : Feb 05, 2013 04:26:07.030000000
Secondary time : Feb 05, 2013 04:26:02.830616500
Filename : big_45fb5c22369e1c5d517f0282bd9250105f407e77[1].jpg
Cache directory index : 1 (0x01)(OV08Z8PA)

As you see, the file “big_45fb5c22369e1c5d517f0282bd9250105f407e77[1].jpg” is stored locally in the cache sub-directory “OV08Z8PA”. So the actual location is C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OV08Z8PA\big_45fb5c22369e1c5d517f0282bd9250105f407e77[1].jpg

Well, of course this is the file itself, the image big_45fb5c22369e1c5d517f0282bd9250105f407e77.jpg :p

Here is the output for the same cache record from pasco:

URL temp:http://ethicalhackx.com/blog/wp-content/uploads/2013/07/big_45fb5c22369e1c5d517f0282bd9250105f407e77.jpg 02/04/2013 20:26:02 02/04/2013 20:26:07 big_45fb5c22369e1c5d517f0282bd9250105f407e77[1].jpg OV08Z8PA

Again you can see that “OV08Z8PA” is our cache sub-directory.
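To make the mapping above repeatable, here is an added example (not code from the original post or from the msiecfexport tool) that parses a msiecfexport URL record and rebuilds the on-disk location of the cached file from the cache directory name and the Filename field. The record text is the one quoted above; the Content.IE5 root path is the Windows 7 location given in this section, and the regular expression for the directory name is an assumption based on that record's "(OV08Z8PA)" suffix.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the msiecfexport record quoted in this section.
SAMPLE_RECORD = """\
Record type : URL
Offset range : 67968 - 68224 (256)
Location : temp:http://thepaperwall.com/wallpapers/girls/big/big_45fb5c22369e1c5d517f0282bd9250105f407e77.jpg
Primary time : Feb 05, 2013 04:26:07.030000000
Secondary time : Feb 05, 2013 04:26:02.830616500
Filename : big_45fb5c22369e1c5d517f0282bd9250105f407e77[1].jpg
Cache directory index : 1 (0x01)(OV08Z8PA)
"""

# Content.IE5 root on Windows Vista/7 as given in the section above.
CONTENT_IE5_WIN7 = r"C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5"

# Assumption: the cache directory name is the last parenthesised 8-character token
# of the "Cache directory index" field, e.g. "1 (0x01)(OV08Z8PA)".
CACHE_DIR_RE = re.compile(r"\((?P<name>[A-Z0-9]{8})\)\s*$")


def parse_record(text):
    """Split a 'key : value' record into a dict; lines without a separator are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def cache_dir_name(fields):
    """Return the cache sub-directory name, or None when the record carries none."""
    match = CACHE_DIR_RE.search(fields.get("Cache directory index", ""))
    return match.group("name") if match else None


def cache_path(fields, content_root):
    """Rebuild <Content.IE5>\\<cache dir>\\<Filename> for a URL record."""
    name = cache_dir_name(fields)
    filename = fields.get("Filename")
    if not name or not filename:
        return None
    return PureWindowsPath(content_root) / name / filename


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print("URL      :", rec["Location"])
    print("cache dir:", cache_dir_name(rec))
    print("on disk  :", cache_path(rec, CONTENT_IE5_WIN7))
```

Records of other types (or URL records with no Filename) yield None rather than a bogus path, which is the case you want to notice when walking a whole export and checking which cached objects still exist on disk.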

Cookies



Cookies can be found in

Code:
Windows XP:
C:\Documents and Settings\%username%\Cookies

Windows Vista and 7:
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Cookies

Cookies are stored as plain text, but in their raw form you cannot make much sense of them.

Code:
s_vsn_skypeallprod_1
3876974264756
skype.com/
1600
2798871808
31012227
2587949280
30277570
*
s_vi
[CS]v1|288542BB05010F82-4000012C80000C57[CE]
skype.com/
1024
505403008
30645652
3108158896
30278524
*
SC
CC=:CCY=:LC=en:TM=1359888053:TS=1359888053:TZ=:VER=0/6.1.0.129/272
skype.com/
1536
1767549056
30351564
3897935152
30278138
*

I will use a tool called galleta, which is an awesome tool released by McAfee labs.

Code:
Cookie File: C:\Users\Osanda\AppData\Roaming\Microsoft\Windows\Cookies\un0wn@skype[2].txt
SITE VARIABLE VALUE CREATION TIME EXPIRE TIME FLAGS
skype.com/ s_vsn_skypeallprod_1 3876974264756 Thu Jan 31 14:52:34 2013 Tue Jan 31 14:52:34 2023 1600
skype.com/ s_vi [CS]v1|288542BB05010F82-4000012C80000C57[CE] Tue Feb 5 08:42:25 2013 Sun Feb 4 08:42:41 2018 1024
skype.com/ SC CC=:CCY=:LC=en:TM=1359888053:TS=1359888053:TZ=:VER=0/6.1.0.129/272 Sun Feb 3 10:40:39 2013 Mon Feb 3 10:40:53 2014 1536

Now you can nicely view the contents in the cookie file.
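The raw cookie file and the galleta table above are the same data: each record is eight lines (name, value, host/path, flags, expiry time, creation time) ended by a line holding only "*", and each time is a Windows FILETIME split into its low and high 32-bit halves. The following is an added example, not code from the post or from galleta, that parses the raw text quoted above and reproduces galleta's timestamps by combining the halves and counting 100 ns ticks from 1601-01-01 UTC. The sample input is the cookie file body from this section; the eight-field layout and the field order are taken from lining that body up against the galleta output.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the raw IE cookie file body quoted in this section (three records).
SAMPLE_COOKIE_FILE = """\
s_vsn_skypeallprod_1
3876974264756
skype.com/
1600
2798871808
31012227
2587949280
30277570
*
s_vi
[CS]v1|288542BB05010F82-4000012C80000C57[CE]
skype.com/
1024
505403008
30645652
3108158896
30278524
*
SC
CC=:CCY=:LC=en:TM=1359888053:TS=1359888053:TZ=:VER=0/6.1.0.129/272
skype.com/
1536
1767549056
30351564
3897935152
30278138
*
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Field order assumed from matching the raw file against the galleta table:
# name, value, host/path, flags, expire low, expire high, create low, create high.
RECORD_FIELDS = 8


def filetime_to_datetime(low, high):
    """Combine the two 32-bit halves of a FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ie_cookie_text(text):
    """Parse the legacy IE cookie text format.

    Returns (records, errors). Records with the wrong number of lines or
    non-numeric time/flag fields are reported in errors instead of aborting,
    so one corrupt record does not hide the rest of the file.
    """
    records, errors, block = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line != "*":
            block.append(line)
            continue
        if len(block) != RECORD_FIELDS:
            errors.append(f"line {lineno}: record has {len(block)} fields, expected {RECORD_FIELDS}")
        else:
            name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = block
            try:
                records.append({
                    "site": site,
                    "name": name,
                    "value": value,
                    "flags": int(flags),
                    "expires": filetime_to_datetime(int(exp_lo), int(exp_hi)),
                    "created": filetime_to_datetime(int(cre_lo), int(cre_hi)),
                })
            except ValueError as exc:
                errors.append(f"line {lineno}: {exc}")
        block = []
    if block:
        errors.append("trailing partial record without a terminating '*'")
    return records, errors


def format_table(records):
    """Render records as a galleta-style table, one line per cookie."""
    fmt = "%a %b %d %H:%M:%S %Y"
    rows = ["SITE\tVARIABLE\tVALUE\tCREATION TIME\tEXPIRE TIME\tFLAGS"]
    for r in records:
        rows.append("\t".join([r["site"], r["name"], r["value"],
                               r["created"].strftime(fmt),
                               r["expires"].strftime(fmt), str(r["flags"])]))
    return "\n".join(rows)


if __name__ == "__main__":
    recs, errs = parse_ie_cookie_text(SAMPLE_COOKIE_FILE)
    print(format_table(recs))
    for e in errs:
        print("warning:", e)
```

Running it on the sample gives Thu Jan 31 14:52:34 2013 as the creation time of s_vsn_skypeallprod_1 and Tue Jan 31 14:52:34 2023 as its expiry, the same values galleta prints, which is a quick way to confirm that a tool's time conversion (and its time zone handling) is trustworthy before relying on it in a timeline. The TM= and TS= values inside the SC cookie are Unix timestamps and land 14 seconds after that record's creation time, a useful cross-check when a cookie carries its own clock.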

Favorites


Investigating Favorites is also interesting in IE. From the user's bookmarks we can identify what kind of interests they have.

Code:
Windows XP:
C:\Documents and Settings\%username%\Favorites

Windows Vista and 7:
C:\Users\%username%\Favorites

Favorites are organised into different folders by default. Suppose I added google.lk to favorites: we can clearly see a “Google.url” file.
Here is an example of its contents:

Code:
[DEFAULT]
BASEURL=http://www.google.lk/
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,2
[InternetShortcut]
URL=http://www.google.lk/
IDList=
IconFile=http://www.google.lk/favicon.ico
IconIndex=1
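A .url favorite is an INI-style file, so the whole Favorites tree can be inventoried with a few lines of code. The following is an added example, not code from the post, that reads the [InternetShortcut] section of a shortcut and walks a Favorites directory collecting every bookmark together with the folder it sits in. The sample shortcut is the Google.url content quoted above; the directory walker assumes the Vista/7 Favorites path given in this section and that shortcuts are plain ASCII/UTF-8 text.

```python
import configparser
from pathlib import Path

# Constructed sample: the Google.url contents quoted in this section.
SAMPLE_URL_FILE = """\
[DEFAULT]
BASEURL=http://www.google.lk/
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,2
[InternetShortcut]
URL=http://www.google.lk/
IDList=
IconFile=http://www.google.lk/favicon.ico
IconIndex=1
"""

# Favorites root on Windows Vista/7 as given in the section above (%username% left for the reader).
FAVORITES_WIN7 = r"C:\Users\%username%\Favorites"


def parse_url_shortcut(text):
    """Return the URL and icon of a .url file, or None if it has no [InternetShortcut] section."""
    # strict=False tolerates duplicate keys; interpolation=None keeps '%' in URLs literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    section = cp["InternetShortcut"]
    return {"url": section.get("URL"), "icon": section.get("IconFile")}


def list_favorites(root):
    """Yield (folder, file name, URL) for every parsable .url file under root."""
    root = Path(root)
    for path in sorted(root.rglob("*.url")):
        info = parse_url_shortcut(path.read_text(encoding="utf-8", errors="replace"))
        if info and info["url"]:
            yield str(path.parent.relative_to(root)), path.name, info["url"]


if __name__ == "__main__":
    print(parse_url_shortcut(SAMPLE_URL_FILE))
    for folder, name, url in list_favorites(FAVORITES_WIN7):
        print(f"{folder}\t{name}\t{url}")
```

The folder name is kept in the output on purpose: the way a user files bookmarks (for example a sub-folder per topic) is often as telling as the URLs themselves, and the file system timestamps of each .url file show when the bookmark was created.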


Conclusion



Even though you erase the history, it won't be deleted and is still there in the index.dat file. There are third-party tools that actually erase index.dat. But remember that any deleted file can be recovered in seconds, and some third-party tools leave traces. So the best option would be to shred the index.dat file manually.
