IE HISTORY

The examiner's ability to search, organize, and analyze Internet usage logs can make or break a case. IE History is a tool you can use to process the data files associated with web browsers. IE History can be obtained by e-mailing its author, Scott Ponder, at support@phillipsponder.com. Its purpose is to parse the binary history files so that you can analyze each web visit. Without a tool such as this, tracking web browser usage would be much more difficult, because a general-purpose file viewer cannot fully read the content of the binary history files.

Implementation

Upon starting IE History, you should see an Internet History Viewer screen similar to the illustration at right:

To open a file, click the Open History File button to open a browsing window similar to that shown in the next illustration. Notice that this browsing window differs from typical Windows file browsing windows in that it does not translate the files according to the specifications in the desktop.ini file. This makes it possible to browse the local disk's history files, which Windows Explorer usually translates into history file pages.

IE History can handle many types of files, including Internet Explorer and Netscape web activity history files. Table 24-2 summarizes where these files are typically located.

Table 24-2: Locations of History Files

| Operating System | Web Browser | File Path(s) |
|---|---|---|
| Windows 95/98/Me | Internet Explorer | \Windows\Temporary Internet Files\Content.IE5\ ; \Windows\Cookies\ ; \Windows\History\History.IE5\ ; any index.dat file is a history file. |
| Windows NT | Internet Explorer | \Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5\ ; \Winnt\Profiles\<username>\Cookies\ ; \Winnt\Profiles\<username>\Local Settings\History\History.IE5\ ; any index.dat file is a history file. |
| Windows 2000/XP/2003 | Internet Explorer | \Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\ ; \Documents and Settings\<username>\Cookies\ ; \Documents and Settings\<username>\Local Settings\History\History.IE5\ ; any index.dat file is a history file. |
| Windows 95/98/Me | Netscape | \Windows\Application Data\Mozilla\Profiles\<profile name>\<profile directory>\ ; any history.dat file is a history file. |
| Windows 2000/XP/2003 | Netscape | \Documents and Settings\<username>\Application Data\Mozilla\Profiles\<profile name>\<profile directory>\ ; any history.dat file is a history file. |
| Windows NT | Netscape | \Winnt\Profiles\<username>\Application Data\Mozilla\Profiles\<profile name>\<profile directory>\ ; any history.dat file is a history file. |
| Unix (Linux, BSD, etc.) | Netscape | ~<username>/.netscape/ ; any history.dat file is a history file. |

Another function of IE History is its ability to sort by the URL or date visited. Furthermore, by right-clicking an individual line and selecting Go To URL, you can load the URL in the default browser on the forensic workstation.

The last type of file IE History can translate is the Recycle Bin record for the Windows operating system. Because Windows stores deleted files in the Recycle Bin before true deletion from the disk, this record may provide more clues about what the suspect was deleting before the evidence was acquired. The following table summarizes where the INFO2 records are located for Windows operating systems.

| Operating System | Location of INFO2 Recycle Bin Records |
|---|---|
| Windows 95/98/Me | \RECYCLED\INFO2 |
| Windows NT/200x/XP | \RECYCLER\<User's SID>\INFO2 |

After copying the Recycle Bin record from a suspect's computer, load the INFO2 file in IE History in the same manner used for the index.dat or history.db files. The following illustration shows an example Recycle Bin record after it is loaded into IE History:

Table 24-3: Breakdown of File Entries in Windows XP

| Filename | Description |
|---|---|
| C:\Documents and Settings\<username>\Cookies\index.dat | The audit trail for the cookies that are installed on the system. Useful in locating cookies that are intentionally misnamed and obfuscated. |
| C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat | The history for the last calendar day that the browser was in use. Files older than one day roll into a separate folder. |
| C:\Documents and Settings\<username>\Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat | Where the history data rolls to after it expires from the above index.dat. Each installation will have several of these directories, indicating yesterday, last week, two weeks ago, last month, and so on. |
| C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\index.dat | The audit trail for supporting files such as pictures and includes on the web site. Look here to help reconstruct documents. |
| C:\Documents and Settings\<username>\UserData\index.dat | This index.dat holds information about automatic Windows accesses to the Internet, such as Windows update and other utilities. |

Table 24-3 shows a breakdown of .dat files that exist in Windows XP, their location, and what each one does.
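As an added example (not from the book and not part of IE History), the following Python script applies the locations in Table 24-2, Table 24-3, and the INFO2 table to a file listing exported from an evidence image, so the files worth loading into IE History can be picked out per user or SID. The function names, the sample paths, and the MSHist01<start date><end date> folder-name layout are assumptions that the page itself does not state.

```python
import re
from datetime import datetime

# Locations from Tables 24-2 and 24-3 and the INFO2 table, as regexes over
# slash-normalised paths. BASE covers NT/2000/XP profiles and the 95/98/Me root.
BASE = (r"(?:^|/)(?:(?:documents and settings|winnt/profiles)/(?P<user>[^/]+)/"
        r"(?:local settings/)?|windows/)")
RULES = [
    ("IE cache index", BASE + r"temporary internet files/content\.ie5/index\.dat$"),
    ("IE cookie index", BASE + r"cookies/index\.dat$"),
    ("IE history, current", BASE + r"history/history\.ie5/index\.dat$"),
    # Assumption: rolled folders are named MSHist01<start YYYYMMDD><end YYYYMMDD>.
    ("IE history, rolled", BASE + r"history/history\.ie5/mshist01"
     r"(?P<start>\d{8})(?P<end>\d{8})/index\.dat$"),
    ("IE UserData index", BASE + r"userdata/index\.dat$"),
    ("Netscape history", BASE + r"application data/mozilla/profiles/[^/]+/[^/]+/history\.dat$"),
    ("Recycle Bin INFO2, NT/200x/XP", r"(?:^|/)recycler/(?P<sid>s-[\d-]+)/info2$"),
    ("Recycle Bin INFO2, 95/98/Me", r"(?:^|/)recycled/info2$"),
]

def classify(path):
    """Describe one path as a history or Recycle Bin artifact; None if it is neither."""
    norm = path.replace("\\", "/")
    for kind, rx in RULES:
        m = re.search(rx, norm, re.IGNORECASE)
        if m:
            hit = {"kind": kind, "path": path}
            hit.update({k: v for k, v in m.groupdict().items() if v})
            if "start" in hit:  # days covered by the rolled history file
                try:
                    s, e = (datetime.strptime(hit[k], "%Y%m%d") for k in ("start", "end"))
                    hit["span_days"] = (e - s).days
                except ValueError:  # digits that are not a real date
                    hit["span_days"] = None
            return hit

def triage(listing):
    """Classify every path in an evidence file listing, dropping non-artifacts."""
    return [hit for hit in map(classify, listing) if hit]

SAMPLE_LISTING = [  # constructed paths, not from a real case
    r"C:\Documents and Settings\jdoe\Cookies\index.dat",
    r"C:\Documents and Settings\jdoe\Local Settings\History\History.IE5\MSHist012006010220060109\index.dat",
    r"C:\RECYCLER\S-1-5-21-1111111111-2222222222-3333333333-1004\INFO2",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING):
        print(hit)
```

Run it against a listing taken from a read-only mount or a forensic image, never against the live suspect disk.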



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2006
Pages: 175
