Chapter 2. Index.dat


Internet History Practical Exercise: Anatomy of a MSIE History.IE5\Index.dat File

1. Use WinHex to open the file named \Student Files\02_Internet_History\Index.dat.
2. Let's examine this file structure.
2.1. First, let's determine the location of the HASH section of the file. The HASH section is not generally of forensic use, but we will find it so that we can locate another jump code. Determine the DWORD value at file offsets 32-35. This value is a jump code that points to the HASH section. What is the 32-bit value? 16384
2.2. Next, jump 16,384 bytes from the beginning of the file.
2.3. Next, determine the multiplier for 128-byte blocks that is used to determine the location of the first record entry beyond the HASH section. Get the value of the DWORD following HASH. 32 The calculation is 32 x 128 = 4096.
2.4. Start the jump from the H in HASH.
2.5. After jumping 4096 bytes we land on the first record. What type of record did we land on? (Note the 4-byte record header, in ASCII.) URL
2.6. The record size is determined by the value of the DWORD following the 4-byte record header multiplied by 128. What is the value of this DWORD for this record? 2 What is the size of this record? 2 x 128 = 256
2.7. Confirm that the record is 256 bytes in size and located at file offsets 20480 through 20735 by using WinHex to highlight the data area. Note that another URL record begins after this data block.
3. Now let's look at a different record further down in the file. Jump to file offset 29696.
3.1. Note that this is another URL record.
3.2. What is the record size? Determine the value of the DWORD following the record identifier. 4 So then, what is the size of this record? 4 x 128 = 512
3.3. Let's visually confirm the record size by highlighting 512 bytes starting at the beginning of the record (29696 through 30207).
3.4. Now let's examine this particular record. Note that there are two 64-bit date and time values in this record: the first is the QWORD following the multiplier mentioned in the previous step, and the second is the second QWORD following the multiplier. We will focus on the second 64-bit date code, located at record offsets 17-24; however, it just so happens that in this type of index.dat file the two dates are the same. (This is not true for index.dat files located in other areas.) This second date denotes the LAST ACCESS DATE AND TIME (last visit to the address listed in the record). What is the 64-bit date code found at record offsets 17-24? 5/13/2005 09:44:07 Note that WinHex reports the time in GMT.
3.5. Now let's determine the beginning of the URL string for this record. Place the cursor on the first byte of the record (55h in this case) and move ahead 53 bytes.
3.6. With the cursor now on the 53rd byte, note the value of the DWORD at record offsets 53-56. 104 This DWORD value determines the jump size from the beginning of the record to the beginning of the URL string.
3.7. So, jump 104 bytes from the beginning of the record and find the null-terminated string. Note that records found in this type of index.dat file begin with Visited:
3.8. Now let's determine the end of the data block assigned to the URL string. Locate the DWORD at record offsets 69-72. 236 This DWORD value determines the jump size from the beginning of the record to the end of the data block that contains the null-terminated URL string. The data block may be larger than the null-terminated string.
3.9. Now jump 236 bytes from the beginning of the record to the end of this data block.
3.10. Next, determine the start of the page title, if present. From the beginning of the record, jump the previous value, then skip [jump over] the next 20 bytes (20 is a static number) and note the following Unicode value. If there is no page title, no Unicode is present.

Internet History Practical Exercise: Anatomy of a MSIE Content.IE5\Index.dat File

1. Use WinHex to open the file named \Student Files\02_Internet_History\TIF_Cache_Index.dat.
2. Let's examine this file structure.
2.1. First, let's determine the location of the HASH section of the file. The HASH section is not generally of forensic use, but we will find it so that we can locate another jump code. Determine the DWORD value at file offsets 32-35. This value is a jump code that points to the HASH section. What is the 32-bit value? 20480 Make the jump of 20480 bytes from the beginning of the file.
2.2. Next, determine the multiplier for 128-byte blocks that is used to determine the location of the first record entry beyond the HASH section. Determine the value of the DWORD following HASH. 32 The calculation is 32 x 128 = 4096.
2.3. Start the jump from the H in HASH.
2.4. After jumping 4096 bytes we land on the first record. What type of record did we land on? (Note the 4-byte record header, in ASCII.) LEAK A LEAK record is an incomplete record; it has no forensic value and no dates and times.
2.5. The record size is determined by the value of the DWORD following the 4-byte record header multiplied by 128. What is the value of this DWORD for this record? 4 What is the size of this record? 4 x 128 = 512
2.6. Confirm that the record is 512 bytes in size and located at file offsets 24576 through 25087 by using WinHex to highlight the data area.
3. Next, let's examine a different record, a URL record that begins at file offset 25344. (Use WinHex to jump 25344 bytes from the beginning of the file.)
3.1. Note the ASCII character string URL<space> at record offsets 1-4. (Don't confuse these offsets with file offsets.) (Note that the URL Recovery Tool in Datalifter_V2 carves only URL records, but the URL Tool in Bonus Tools also carves REDR records. Redirect records might reveal exculpatory information. Neither tool carves LEAK records; these are incomplete records that do not contain dates and times.)
3.2. What is the value of the DWORD at record offsets 5-8, used to determine the multiplier of 128-byte chunks assigned to this record entry? 3
3.3. What is the record size? 3 x 128 = 384
3.4. Confirm that the record is 384 bytes in size and located at file offsets 25344 through 25727 by using WinHex to highlight the data area.
3.5. Now let's determine the last access date and time for this particular record. Again, note that there are two 64-bit date values in this record. In this index.dat file the last access date and time is the second date code. Recall that WinHex reports the time in GMT and that no time zone bias is applied. What is the 64-bit date code found at record offsets 17-24? 9/26/2003 19:43:07
3.6. Now let's determine the file size of the referenced file at the time of the last visit. Determine the value of the QWORD at record offsets 33-40. 7893
3.7. Now let's determine the jump value from the beginning of the record to the beginning of the null-terminated URL string. What is the value of the DWORD at record offsets 53-56? 104 In this case the file name is IUIDENT.CAB and it was 7,893 bytes in size when last accessed.
3.8. Server response code.
3.9. Determine the hit rate count from the DWORD at record offsets 85-88 (a static position). What is the hit rate for this record? 4 Note that this count appears to be relative to the current cache contents and resets when the browser is requested to empty the temporary Internet files.
3.10. Determine the active user name (profile) when the cache entry was created. Search the record entry for the hex values 7E 55 3A or the ASCII string ~U: What is the user name for this record entry? dispatch2
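The jump codes and record fields that the two anatomy exercises above walk through by hand, as an added Python example (not code from the course, WinHex or DataLifter), parsed from a small constructed index.dat rather than one of the student files. Offsets are 0-based here (the exercise counts from 1), the file-size QWORD and the ~U: profile marker are read exactly as the exercise describes them, and each record's origin is classified by its URL prefix the way the DataLifter field notes later on this page describe; the sample's dates and names are constructed to mirror the exercise's answers.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
BLOCK = 128                                        # records are allocated in 128-byte blocks
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch: 100 ns ticks, UTC (WinHex shows GMT)

def filetime_to_utc(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def origin_of(url):
    # Origin by URL prefix, as the DataLifter field notes in the exercise describe
    if url.startswith("Visited:"):
        return "history-root"
    if url[:16].isdigit() and "@" in url:          # e.g. 2005041020050425 user@http://...
        return "history-date-ranged"
    return "cache" if url.startswith("http") else "unknown"

def parse_url_record(rec):
    # Fields the exercise walks through in a 'URL ' record; 0-based offsets (the text counts from 1)
    url_off = struct.unpack_from("<I", rec, 0x34)[0]                 # DWORD at record offsets 53-56
    url = rec[url_off:rec.index(b"\x00", url_off)].decode("latin-1")  # null-terminated string
    user = re.search(rb"~U:([^\r\n\x00]*)", rec)                      # 7E 55 3A marks the profile name
    return {"type": "URL", "size": len(rec), "url": url, "origin": origin_of(url),
            "user": user.group(1).decode("latin-1") if user else None,
            "last_access": filetime_to_utc(struct.unpack_from("<Q", rec, 0x10)[0]),  # 2nd QWORD, 17-24
            "file_size": struct.unpack_from("<Q", rec, 0x20)[0],                     # QWORD at 33-40
            "hit_count": struct.unpack_from("<I", rec, 0x54)[0]}                     # DWORD at 85-88

def parse_index_dat(data):
    # Header -> HASH jump code -> first record, then walk records by their 128-byte block counts
    hash_off = struct.unpack_from("<I", data, 0x20)[0]               # DWORD at file offsets 32-35
    assert data[hash_off:hash_off + 4] == b"HASH"
    pos = hash_off + struct.unpack_from("<I", data, hash_off + 4)[0] * BLOCK
    records = []
    while pos + 8 <= len(data) and data[pos:pos + 4] in (b"URL ", b"LEAK", b"REDR"):
        sig = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0] * BLOCK   # DWORD after the 4-byte header
        if sig == b"URL ":
            records.append(dict(parse_url_record(data[pos:pos + size]), offset=pos))
        else:                                                        # LEAK/REDR: no date-times to decode
            records.append({"type": sig.decode().strip(), "size": size, "offset": pos})
        pos += size
    return records

def _url_record(url, last_access, file_size=0, hits=0, headers=b""):
    # Build one 2-block 'URL ' record for the constructed sample; both date-times equal, as in the text
    ft = int((last_access - EPOCH).total_seconds()) * 10_000_000
    rec = bytearray(2 * BLOCK)
    struct.pack_into("<4sIQQ", rec, 0, b"URL ", 2, ft, ft)
    struct.pack_into("<Q12xI28xI", rec, 0x20, file_size, 0x68, hits)  # size (33-40), URL offset 104 (53-56), hits (85-88)
    rec[0x68:0x68 + len(url) + 1] = url.encode() + b"\x00"
    rec[0xC0:0xC0 + len(headers) + 1] = headers + b"\x00"
    return rec

def build_sample():
    # Constructed sample (not a real capture): header, HASH at 0x80 (1 x 128 bytes), then LEAK, cache URL, history URL
    data = bytearray(b"Client UrlCache MMF Ver 5.2\x00".ljust(0x80, b"\x00") + struct.pack("<4sI", b"HASH", 1).ljust(BLOCK, b"\x00"))
    struct.pack_into("<I", data, 0x20, 0x80)                         # jump code to the HASH section
    data += struct.pack("<4sI", b"LEAK", 1).ljust(BLOCK, b"\x00")
    data += _url_record("http://download.example.test/IUIDENT.CAB",
                        datetime(2003, 9, 26, 19, 43, 7, tzinfo=timezone.utc), 7893, 4,
                        b"HTTP/1.1 200 OK\r\n~U:dispatch2\r\n")
    data += _url_record("Visited: dispatch2@http://www.example.test/search?q=index.dat",
                        datetime(2005, 5, 13, 9, 44, 7, tzinfo=timezone.utc), hits=1)
    return bytes(data)
```

Point parse_index_dat at the bytes of a real History.IE5 or Content.IE5 index.dat to reproduce the exercise's walk automatically; records past the last allocated block are left alone, so carving unallocated space still needs a signature search.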

Internet History Practical Exercise: Decoding the Internet History Index.dat File Using DataLifter

1. Start DataLifter's Internet History module.
2. (#1) Click on the Browse Folder button. (#2) Navigate to the \Student Files\02_Internet_History\Index.dat file. (#3) Click on the Open button.
3. Once the path has been selected, click on the Finish button to let DataLifter carve the data.
4. Once the results are returned, click on File, then Export, to save out a tab-delimited text file.
5. Enter a filename for the file to be saved, such as history-1.txt, and select the folder in which to save it, such as c:\temp.

Internet History Practical Exercise: Decoding the Internet Cache Index.dat File Using DataLifter

1. Start DataLifter's Internet History module.
2. (#1) Click on the Browse Folder button. (#2) Navigate to the \Student Files\02_Internet_History\TIF_Cache_Index.dat file. (#3) Click on the Open button.
3. Once the path has been selected, click on the Finish button to let DataLifter carve the data.

Internet History Practical Exercise: Anatomy of a MSIE History.IE5\date-ranged\Index.dat File

1. Start WinHex and open \Student Files\02_Internet_History\History_DateRange_Index.dat.
2. Let's examine this file structure.
2.1. First, let's determine the location of the HASH section of the file. The HASH section is not generally of forensic use, but we will find it so that we can locate another jump code. Determine the DWORD value at file offsets 32-35. This value is a jump code that points to the HASH section. What is the 32-bit value? 16384
2.2. Next, jump 16,384 bytes from the beginning of the file.
2.3. Next, determine the multiplier for 128-byte blocks that is used to determine the location of the first record entry beyond the HASH section. Determine the value of the DWORD following HASH. 32 The calculation is 32 x 128 = 4096.
2.4. Next, jump 4096 bytes, starting the jump from the H in HASH.
2.5. What is the file offset for the first record entry? 20480
2.6. What type of record did we land on? (Note the 4-byte record header, in ASCII.) URL
2.7. The record size is determined by the value of the DWORD following the record header multiplied by 128. What is the value of this DWORD for this record? 2 What is the size of this record? 2 x 128 = 256
2.8. Confirm that the record is 256 bytes in size and located at file offsets 20480 through 20735 by using WinHex to highlight the data area. Note that another URL record begins after this data block.
2.9. Note that the date-ranged folder name is embedded at the beginning of the URL string. This differentiates a history root folder record from a date-ranged record.
3. Search the data for the character string password (without the quotes). Use the F3 key to advance through subsequent hits. Note that some websites pass the login information in plain text.
4. Search the data for the character string q= (without the quotes). Use the F3 key to advance through subsequent hits. You can see some search strings.

Internet History Practical Exercise: Carving Browsing History Artifacts from Unallocated Space Using DataLifter Bonus Tools

1. Delete all files in C:\Temp.
2. Start the CleanUSB program from the Desktop to zero out the logical volume on the thumb drive. (Note that CleanUSB only reads removable media.) Confirm the check mark in the accept-agreement box and then click on the Next button.
3. Next, choose the correct path for your thumb drive and then click on the Next button.
4. Next, choose Delete all files in device and then clean it. Then click on the Next button.
5. Next, type OK in the confirmation box and then click on the Clean Now button.
6. Next, wait for the process to complete.
7. Copy the three sample index.dat files from \Student Files\02_Internet_History to the thumb drive.
8. Then delete all of the index.dat files on the thumb drive.
9. Start FTK Imager and select Create Disk Image.
10. Select the source as a Logical Drive.
11. Select the appropriate location for the thumb drive. Then click on Finish to acquire the thumb drive.
12. Click on the Add button so you can choose the type of image to create.
13. Select Raw (dd) as the image type. Click on Next to continue.
14. We will leave these dialog boxes blank for the purposes of this exercise. Click on Next to continue.
15. Enter c:\temp as the destination folder and enter URL_Unall as the file name. Accept the default fragment size. Do not activate compression. Click Finish.
16. After confirming the parameters are set as shown here, click on the Start button.
17. A progress bar will keep you notified as the image is being acquired.
18. The Status box indicates when it is finished.
19. Start DataLifter Bonus Tools and run the URL Recovery module. Suggestion: click on (to activate) the URL Recovery workspace tab.
20. Click on the Browse Folder button and then navigate to the file URL_Unall.001 in the c:\temp folder.
21. After confirming the parameters are correct, click on the Finish button.
22. If the URL Recovery workspace tab was not active, as suggested above, this message will be displayed.
23. The results shown above provide the following information about browser history records (history and cache) found in the source file.

Type: The type of hit found by Bonus Tools. URL indicates a valid Microsoft Internet Browser Index.dat record. If a hit from another browser, such as Netscape, is found, the code ORPH (orphaned) will be displayed in this field. This field could also contain the code REDR, which indicates a redirected visit: the user visits a URL that in turn points them to a different URL.

URL/REDR: The complete URL that was listed in the Index.dat record. Record entries beginning with "Visited:" followed by a profile name that was active during the visit indicate the root history.ie5 folder as the origin. (Note that Visited: is the default setting, but this can be changed with a registry edit.) Record entries beginning with a date-ranged value such as 2005041020050425, followed by a profile name that was active during the visit, indicate a date-ranged subfolder of the root history.ie5 folder as the origin. Record entries beginning with http:// followed by the address indicate a temporary Internet files folder [cache] as the origin.

FQDN: Fully qualified domain name. This is the domain name for the URL. If the record is from a history index.dat file (a visit to a web site), this field does not contain the "Visited:" header and the profile name. If the record is from a cache index.dat file, this field does not contain the name of the cache file that is referenced in the URL field.

Hit Rate: Depending upon the version of the browser that is being used, the hit rate may or may not be reported. The hit rate is the number of times this site (if a history record) has been visited or the number of times the file (if a cache record) has been accessed.

Last Visited: The last date and time the URL (if a history record) was visited or the file (if a cache record) was accessed.

User Name: Only applicable if the origin was a cache URL record entry. Other record types, history (root and date-ranged) and cache REDR, do not include the user name field, so DataLifter displays Unknown.

File Name: If the record [hit] is from a cache index.dat file, this field contains the name of the file that was accessed by the browser. Normally, this is a file that would have, at one time, been contained in one of the cache folders. If the record is from a history index.dat file, this field will most likely contain "unknown", because a history entry does not point to a specific file.

File Size: If the record [hit] is from a cache index.dat file, this field contains the size of the file named in the File Name field. If the record is from a history index.dat file, this field will most likely contain "0".

Parent Name: The name of the file from which the URL tool obtained this information.

Parent Path: The path for the file named in the Parent Name field.

24. You have the capability to filter the records based upon field type and condition.