10.8 Internet Traces


Accessing the Internet leaves a wide variety of information on a computer including Web sites, contents viewed, and newsgroups accessed. For instance, Windows systems maintain a record of accounts that are used to connect to the Internet as shown in Figure 10.9.[28]

Figure 10.9: Internet Account Manager.

Additionally, some Windows systems maintain a log of when the modem was used (e.g. ModemLog.txt) and some Internet dial-up services maintain a detailed log of connections such as the AT&T/IBM Global Network Dialer "Connection Log.txt" and "Message Log.txt" files shown here:[29]

    ----------------------------------------------------------------------------
    Dialer Connection Log
    ----------------------------------------------------------------------------
    2000/01/12         15:22:39             usinet janedoe dialed 06-3365-3946
    2000/01/12         15:41:48             Disconnected after 00:19:04
    2000/01/12         17:03:10             ----------------------------------
    2000/01/12         17:03:10             usinet janedoe dialed 06-3365-3946
    2000/02/29         23:05:34             ----------------------------------
    2000/02/29         23:05:34             usinet janedoe dialed 06-3365-3946
    2000/02/29         23:09:26             Disconnected after 00:03:49
    2000/04/18         20:53:09             ----------------------------------
    2000/04/18         20:53:09             usinet janedoe dialed 06-3365-3946
    2000/04/18         20:58:17             Disconnected after 00:05:08
    ----------------------------------------------------------------------------
    Dialer Message Log
    ----------------------------------------------------------------------------
    The date is Tuesday, February 29, 2000.
    The time is 11:04:56 PM.
    <cut for brevity>
    Modem is 3Com (3C562D-3C563D) EL III LAN+336 Modem PC Card.
    Modem log file truncated.
    Set up Dial-Up Networking entry IBM Global Network.
    Login profile is "johndoe".
    The login ID is login.Internet.usinet.johndoe.
    Connecting with the IBM Global Network entry.
    Opened c:\windows\ModemLog.txt.
    RAS dial connect state is 0 (0).
    RAS dial connect state is 1 (0).
    Initializing the serial port...
    Initializing the modem and dialing 06-3365-3946...
    <cut for brevity>
    02-29-2000 23:05:21.65 - Recv: <cr><lf>CONNECT 115200<cr><lf>
    Modem-to-modem speed is 115200 bps.
    02-29-2000 23:05:21.65 - Interpreted response: Connect
    Setting up the network link...
    02-29-2000       23:05:21.65 - Connection established at 31200bps.
    02-29-2000       23:05:21.65 - Error-control on.
    02-29-2000       23:05:21.65 - Data compression on.
    RAS dial connect state is 14 (0).
    RAS dial connect state is 8192 (0).
    Local IP address is 139.92.104.85.
    Gateway IP address is 152.158.45.46.
    <cut for brevity>
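A connection log in the format shown above can be turned into a session timeline mechanically. The following is an added example, not code from the book or from the dialer software: it parses "dialed" and "Disconnected after" lines of the shape shown, pairs each dial with the disconnect that follows it, keeps sessions that never logged a disconnect (as the 17:03:10 entry above), and records the gap between the wall-clock interval and the dialer's own duration counter, which should be small and consistent if the log is intact. The sample log is a constructed copy of the excerpt.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the Dialer Connection Log excerpt (sample input, not the original file).
SAMPLE_CONNECTION_LOG = """\
2000/01/12         15:22:39             usinet janedoe dialed 06-3365-3946
2000/01/12         15:41:48             Disconnected after 00:19:04
2000/01/12         17:03:10             ----------------------------------
2000/01/12         17:03:10             usinet janedoe dialed 06-3365-3946
2000/02/29         23:05:34             ----------------------------------
2000/02/29         23:05:34             usinet janedoe dialed 06-3365-3946
2000/02/29         23:09:26             Disconnected after 00:03:49
2000/04/18         20:53:09             ----------------------------------
2000/04/18         20:53:09             usinet janedoe dialed 06-3365-3946
2000/04/18         20:58:17             Disconnected after 00:05:08
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(.*)$")
DIAL_RE = re.compile(r"^(\S+)\s+(\S+)\s+dialed\s+(\S+)$")          # service account dialed number
DISC_RE = re.compile(r"^Disconnected after (\d{2}):(\d{2}):(\d{2})$")


def parse_sessions(text: str) -> list:
    """Rebuild dial-up sessions from the log. Each session is a dict with start, end,
    service, account, number, the dialer's logged duration, and gap_seconds: the
    difference between (end - start) and the logged duration. A session with end None
    never recorded a disconnect (crash, power loss, or log truncation)."""
    sessions = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separator or unrecognised line
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y/%m/%d %H:%M:%S")
        body = m.group(3).strip()
        dial = DIAL_RE.match(body)
        disc = DISC_RE.match(body)
        if dial:
            if current is not None:
                sessions.append(current)  # previous session never logged a disconnect
            current = {"start": ts, "service": dial.group(1), "account": dial.group(2),
                       "number": dial.group(3), "end": None,
                       "logged_duration": None, "gap_seconds": None}
        elif disc and current is not None:
            dur = timedelta(hours=int(disc.group(1)), minutes=int(disc.group(2)),
                            seconds=int(disc.group(3)))
            current["end"] = ts
            current["logged_duration"] = dur
            current["gap_seconds"] = int(((ts - current["start"]) - dur).total_seconds())
            sessions.append(current)
            current = None
    if current is not None:
        sessions.append(current)
    return sessions


def open_sessions(sessions: list) -> list:
    """Sessions that have a dial entry but no disconnect entry."""
    return [s for s in sessions if s["end"] is None]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_CONNECTION_LOG):
        end = s["end"].isoformat() if s["end"] else "no disconnect logged"
        print(s["start"].isoformat(), s["account"], s["number"], end, s["gap_seconds"])
```

The gap of a few seconds on completed sessions is the dial and handshake time the dialer does not count; a large or negative gap would call the log's integrity into question.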

10.8.1 Web Browsing

When an individual first views a Web page, the browser caches the page and associated elements such as images on disk; the creation and modification times of these cached files correspond to the time the page was viewed. When the same site is accessed later, the cached copy is used. Some Web browser history databases also record the number of times a given page was visited. Look for all information related to downloaded files (e.g. in the registry, on external media) to get a better sense of how they were placed on the computer and what was done with them afterwards. Other activities that were going on while the files were being placed on the computer and viewed or manipulated may give a clue as to who was performing the actions.

As mentioned in Chapter 9, Netscape maintains a database of Web sites visited in a file named "netscape.hst."[30] Entries that Netscape has marked as deleted can be recovered using programs such as an EnCase E-Script, as shown here:

    # of Times Visited, First Accessed, Last Accessed, Link
    4, 01/13/02 05:13:54PM, 01/13/02 06:04:37PM, DELETED http://www./paraben-foren
    3, 01/13/02 06:08:32PM, 01/13/02 06:08:43PM, DELETED DE101: Introduction to Digital Evidence
    6, 01/13/02 05:51:56PM, 01/13/02 06:11:32PM, DELETED http://accessdata.com/images2000/ftk_scrn_graph_sm.jpg
    3, 01/13/02 06:08:32PM, 01/13/02 06:08:43PM, DELETED DE101: Introduction to Digital Evidence

Internet Explorer maintains similar information in files named "index.dat." These databases can contain a wealth of information including sites accessed and search engine details. Some open source utilities have been developed to extract information from "index.dat" files and other files.[31]

CASE EXAMPLE


Prosecutors upgraded the charge against Robert Durall, 40, to first-degree murder based on what they described as evidence of premeditation found on his office computer. He had been charged with second-degree murder. A co-worker told police he had discovered a number of temporary files on Durall's office computer that showed he had used Internet search engines to find Web sites with key words including "kill + spouse," "accidental + deaths," smothering, poison, homicides and murder, according to court documents. A plus sign tells the search engine to only pull up sites that use both terms as key words. (September 4, 1998, Associated Press)


It can be tedious to examine each entry in a Web browser history file, but the results are often worth the effort. To facilitate analysis, group entries by time or Web site to aid interpretation, but do not assume that an entry implies intent to view a page. Some Web sites redirect browsers to different locations and even make unauthorized changes to a system (Microsoft 2002).

Web browsers also store temporary files in a cache folder to enable quicker access to frequently visited pages. Cache folders contain fragments of pages that were recently viewed, including images and text. Recent versions of Internet Explorer maintain information about these files in another index.dat database, and earlier versions used files named MM256.DAT and MM2048.DAT. Netscape maintains this information in a Berkeley DB file named fat.db. Interestingly, Mozilla maintains a file named "_CACHE_001_" that holds HTTP responses containing the current date and time according to the Web server clock, which may be more accurate than the local system clock.
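The last point, that a cached HTTP response carries the server's own Date header, is worth making concrete. The following is an added example, not code from the book or from any browser: it scans a constructed byte blob shaped like a cache block file for Date: headers, converts each to UTC, and pairs it with the (constructed) local timestamp of the corresponding cache file so that the local-minus-server offset can be compared across responses. A stable offset across many responses points to a skewed local clock; scattered offsets point to something else (network delay, a reused cache slot). Pairing responses to files by order is an assumption of the example; a real block file needs its index to map responses to files.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample (not data from the page): two HTTP responses as they might sit
# back to back in a browser block file, separated by binary filler.
CACHE_BLOB = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 29 Feb 2000 23:05:40 GMT\r\n"
    b"Server: Apache/1.3.12\r\n"
    b"Last-Modified: Mon, 28 Feb 2000 10:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>cached page</body></html>"
    b"\x00\x00\x00\x00"
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Wed, 01 Mar 2000 04:06:01 GMT\r\n"
    b"Content-Type: image/gif\r\n\r\n"
    b"GIF89a\x01\x00\x01\x00"
)

# Constructed local timestamps of the two cache files as the file system would report
# them; the examined machine's zone is taken to be UTC-5 in this sample.
LOCAL_ZONE = timezone(timedelta(hours=-5))
LOCAL_FILE_TIMES = [
    datetime(2000, 2, 29, 18, 7, 10, tzinfo=LOCAL_ZONE),   # 23:07:10 UTC
    datetime(2000, 2, 29, 23, 7, 31, tzinfo=LOCAL_ZONE),   # 04:07:31 UTC next day
]

# Only "Date:" at the start of a header line; Last-Modified and Expires also carry
# dates but say nothing about the server clock at response time.
DATE_HEADER_RE = re.compile(rb"(?m)^Date:[ \t]*([^\r\n]+)")


def extract_http_dates(blob: bytes) -> list:
    """Return the Date: header of every HTTP response in the blob as aware UTC datetimes,
    skipping headers that are truncated or malformed."""
    dates = []
    for m in DATE_HEADER_RE.finditer(blob):
        try:
            dt = parsedate_to_datetime(m.group(1).decode("ascii", "replace"))
        except (TypeError, ValueError):
            continue
        if dt.tzinfo is None:          # "-0000" style offset: treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        dates.append(dt.astimezone(timezone.utc))
    return dates


def clock_skews(blob: bytes, local_times: list) -> list:
    """Pair each server Date with the local timestamp of the file it was cached into
    and return local minus server for each pair (positive: local clock ahead)."""
    return [local - server for server, local in zip(extract_http_dates(blob), local_times)]


if __name__ == "__main__":
    for server, skew in zip(extract_http_dates(CACHE_BLOB), clock_skews(CACHE_BLOB, LOCAL_FILE_TIMES)):
        print(server.isoformat(), "local clock ahead by", int(skew.total_seconds()), "s")
```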


In addition to caching files on disk, Web browsers cache a small number of files in memory. For instance, files being held in memory by Netscape can be listed using about:image-cache and about:memory-cache. To view a list of files cached on disk by Netscape, use about:cache, and to list the global history, use about:global.


Even after these temporary files are deleted, they can be recovered to reveal a significant amount of information such as Web-based e-mail (e.g. Hushmail.com), purchases (e.g. E-bay.com, Amazon.com), financial transactions (e.g. online banking, Paypal.com), travel itineraries (e.g. Expedia.com), and information from private databases.

Some Web sites keep track of an individual's visits and interests by placing information in cookie files associated with the Web browser. For example, Amazon.com uses cookie files to keep track of the purchases and get a better idea of an individual's interests, enabling them to recommend other books that may be of interest. Netscape stores cookies in a cookies.txt file and Internet Explorer maintains cookies in the Windows\Cookies directory, along with an associated index.dat file (Handbook). Each cookie entry contains information that may be useful in an investigation. For instance, Figure 10.10 depicts the contents of a cookie file created by Mapquest, showing recent searches that may be useful when trying to determine where an individual went.

Figure 10.10: A cookie created by MS Internet Explorer showing recent Mapquest searches viewed using CookieView (http://www.digitaldetective.co.uk)

Notably, the presence of a cookie does not necessarily prove that an individual intentionally accessed a given Web site. For instance, some advertisements on Web pages use cookies, creating references to the advertised site even though the user did not actually view Web pages on that site. Also, in some situations, a Web browser may be automatically redirected to multiple sites, creating files in disk cache and entries in the history database even though the user did not intend to visit any of the sites.

10.8.2 Usenet Access

As well as storing all of the URLs that have been accessed, Web browsers with Usenet readers keep a record of which Usenet newsgroups have been accessed. For instance, Netscape's newsreader stores this information in a file with a ".rc" extension. MS Internet News stores quite a bit of information about newsgroup activities in the News directory, which is found where MS Internet News was installed (the default directory is C:/Program Files/Internet Mail and News/user/).

The following contents of a "news.rc" file show which newsgroups were subscribed to and which messages were read:

    alt.binaries.cracks! 1-271871,271884,271887,271915,271992
    alt.binaries.hacking.utilities! 1-8905,8912,8921,8924,8926,8929,8930,8932
    alt.binaries.hacking.computers! 1-1651,1653,1659
    alt.binaries.mp3! 1-5441,5443,5445
    alt.teens.advice: 1-4244, 4256, 4257

The exclamation point after the name of the newsgroup indicates that the user was once subscribed to that newsgroup but has since unsubscribed. A colon after the name indicates that the user is currently subscribed to that newsgroup (e.g. alt.teens.advice). The numbers are reference numbers that a news server uses to keep track of which articles have been downloaded and read. The first range of numbers on each line refers to old messages — the news server will only deliver newer messages. The remaining numbers tell you which articles were read the last time the user looked at the newsgroup. For instance, the last time the user looked at alt.teens.advice, he read two messages. You could look in his newsreader to determine which messages they were; the reference number is contained in the Xref: line of the header (e.g. Xref: news.server.com alt.teens.advice:4256). It is important to realize that these reference numbers are unique to the server used; they do not refer to all of Usenet.

This information can help investigators narrow their search of Usenet to a selection of groups.
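The interpretation given above (subscription marker, historical range, recently read articles, Xref matching) is simple enough to automate. The following is an added example, not code from the book or from any newsreader: it parses lines of the news.rc shape shown, reports subscription state and the articles read on the last visit, and checks an article's Xref: header against the file. The sample file is a constructed copy of the excerpt.

```python
import re
from dataclasses import dataclass

# Constructed copy of the news.rc excerpt above (sample input, not the original file).
SAMPLE_NEWSRC = """\
alt.binaries.cracks! 1-271871,271884,271887,271915,271992
alt.binaries.hacking.utilities! 1-8905,8912,8921,8924,8926,8929,8930,8932
alt.binaries.mp3! 1-5441,5443,5445
alt.teens.advice: 1-4244, 4256, 4257
"""

LINE_RE = re.compile(r"^([^\s:!]+)([:!])\s*(.*)$")   # group, ':' or '!', article spec
XREF_RE = re.compile(r"(\S+):(\d+)")                  # group:number pairs in an Xref header


@dataclass
class NewsrcEntry:
    group: str
    subscribed: bool      # ':' = currently subscribed, '!' = unsubscribed
    ranges: list          # [(low, high), ...] inclusive; numbers are specific to one server

    def is_read(self, article: int) -> bool:
        return any(lo <= article <= hi for lo, hi in self.ranges)

    def recent_reads(self) -> list:
        """Articles listed after the first (historical) range: those read on the last visit."""
        out = []
        for lo, hi in self.ranges[1:]:
            out.extend(range(lo, hi + 1))
        return out


def parse_ranges(spec: str) -> list:
    """'1-4244, 4256, 4257' -> [(1, 4244), (4256, 4256), (4257, 4257)]"""
    ranges = []
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        if "-" in token:
            lo, hi = token.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(token), int(token)))
    return ranges


def parse_newsrc(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        entries.append(NewsrcEntry(m.group(1), m.group(2) == ":", parse_ranges(m.group(3))))
    return entries


def xref_status(xref_header: str, entries: list) -> dict:
    """For an article's 'Xref: server group:num ...' header, report per group whether the
    news.rc marks that article as read. None means the group is not in the file. The
    server name is dropped because the numbers only mean anything for that one server."""
    by_group = {e.group: e for e in entries}
    _, _, rest = xref_header.partition(":")
    fields = rest.split()
    status = {}
    for group, num in XREF_RE.findall(" ".join(fields[1:])):
        entry = by_group.get(group)
        status[group] = entry.is_read(int(num)) if entry else None
    return status


if __name__ == "__main__":
    for e in parse_newsrc(SAMPLE_NEWSRC):
        state = "subscribed" if e.subscribed else "unsubscribed"
        print(f"{e.group}: {state}, read on last visit: {e.recent_reads()}")
    print(xref_status("Xref: news.server.com alt.teens.advice:4256", parse_newsrc(SAMPLE_NEWSRC)))
```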

10.8.3 E-Mail

E-mail clients often contain messages that have been sent from and received at a given computer. While Netscape and Eudora store e-mail in plain text files, Outlook, Outlook Express, and AOL use proprietary formats that require special tools to read. Even when e-mail is stored in a non-proprietary format, it is necessary to decode MIME encoded message attachments.

Figure 10.11 shows FTK being used to view a file containing e-mail with Word document attachments. FTK can interpret a variety of proprietary formats, including Outlook. EnCase can also interpret some of these proprietary formats using the View File Structure feature. Another approach to viewing proprietary formats, such as America Online (AOL), is to restore them to a disk and view them via the AOL client. In some cases it is possible to recover messages that have been deleted but have not been purged from e-mail files. For additional details about recovering and examining e-mail from Microsoft Exchange server, see Chapter 9 of the Handbook of Computer Crime Investigation.

Figure 10.11: FTK showing Word documents as e-mail attachments (base64 encoded).
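For e-mail stored in plain text, the MIME decoding mentioned above needs no commercial tool. The following is an added example, not code from the book, FTK or EnCase: it parses a constructed message carrying a base64-encoded attachment (standing in for the Word documents of the figure), decodes every attachment part, and records filename, content type, size and SHA-256 for the evidence log along with the headers an examiner normally notes. The message and attachment bytes are constructed sample data.

```python
import base64
import hashlib
from email import message_from_string


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed attachment and message (sample input, not the e-mail shown in the figure).
ATTACHMENT_BYTES = b"constructed stand-in for a Word document, not a real .doc\n"

SAMPLE_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: recipient@example.invalid\n"
    "Date: Tue, 29 Feb 2000 23:07:00 -0500\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
    "\n"
    "--BOUNDARY\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "See attached.\n"
    "--BOUNDARY\n"
    'Content-Type: application/msword; name="notes.doc"\n'
    'Content-Disposition: attachment; filename="notes.doc"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(ATTACHMENT_BYTES).decode("ascii")
    + "--BOUNDARY--\n"
)


def extract_attachments(raw: str) -> list:
    """Walk every MIME part and return the decoded attachments with hashes.
    get_payload(decode=True) undoes base64 or quoted-printable transfer encoding."""
    msg = message_from_string(raw)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, no content of its own
        filename = part.get_filename()
        disposition = (part.get("Content-Disposition") or "").lower()
        if filename is None and "attachment" not in disposition:
            continue  # inline body text
        data = part.get_payload(decode=True) or b""
        found.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "transfer_encoding": part.get("Content-Transfer-Encoding"),
            "size": len(data),
            "sha256": sha256_hex(data),
            "data": data,
        })
    return found


def message_summary(raw: str) -> dict:
    """Header fields an examiner records alongside the attachments."""
    msg = message_from_string(raw)
    return {k: msg.get(k) for k in ("From", "To", "Date", "Subject")}


if __name__ == "__main__":
    print(message_summary(SAMPLE_MESSAGE))
    for a in extract_attachments(SAMPLE_MESSAGE):
        print(a["filename"], a["content_type"], a["transfer_encoding"], a["size"], a["sha256"])
```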

10.8.4 Other Applications

Yahoo Pager, AOL IM, and other Instant Messenger programs do not retain archives of messages by default but may be configured to log chat sessions. Peer-to-peer file sharing programs may retain a list of hosts that were contacted or files that have been accessed, but give very limited information beyond this. IRC and other online chat clients may retain more logs, but only if the user saves them. Remnants of these more transient Internet activities are therefore more likely to be found in swap space and other areas of the hard disk, so the best chance of obtaining information relating to these applications is to search portions of the hard drive where data may have been stored temporarily, or to monitor network traffic from the individual's machine while these programs are in use.

10.8.5 Network Storage

An important component of any forensic examination is identifying any remote locations where digital evidence may be found. A victim might maintain a Web site or an offender may transfer incriminating data to another computer on the Internet or a home or corporate network. One of the most common remote storage locations is an individual's Internet Service Provider (ISP). In addition to storing e-mail, some ISPs give their customers storage space for Web pages and other data. Files can be transferred to these remote systems using programs such as FTP, Secure CRT, and Secure Shell (SSH). So, in addition to looking for information about Internet accounts in the registry as mentioned earlier, search for traces of file transfer applications.

For instance, WS-FTP creates small log files each time it is used to transfer files, showing file locations, FTP server names, and times of transfer. Secure CRT and SSH can be configured to maintain individual configuration files for each computer that a user connects to frequently. A list of systems that have been accessed may also be available if the user opted to save a copy of each server's public encryption key. Other programs use the Registry to record the names or IP addresses of remote systems that have been accessed. For instance, the Telnet program on some Windows systems maintains a list of recently accessed systems as shown in Figure 10.12. This can also be useful in computer intrusion investigations, showing a connection between the intruder's computer and the compromised systems.

Figure 10.12: Registry showing remote systems recently accessed using Telnet.

Another common form of remote storage is a shared network drive. Most Windows machines can make all or part of their hard drives available on a network. Many organizations use Windows file servers to provide their users with this type of file storage space. Home users also use this network file sharing capability to transfer data between computers rather than using removable media as shown in Figure 10.13.

Figure 10.13: Network Neighbourhood on a Windows XP computer connected to a home network.

A list of active network shares can be found in the HKEY_USERS\<sid>\Network Registry key as shown in Figure 10.14. Notably, the ability to mount a network share does not necessarily imply that the account could access data on that drive. Therefore, examine access control lists to determine whether the account could write to, or even read from, a given network share.

Figure 10.14: Active network file shares.

Remnants of network file sharing can also be found in various Registry keys under "HKEY_USERS\<sid>\Software\Microsoft\Windows\CurrentVersion\Explorer\". Some of the Explorer subkeys that may contain relevant entries are RecentDocs, RecentDocs\Nethood, MountPoints, StreamMRU, and RunMRU. The data in these registry keys may be in hexadecimal form that can be converted manually or automatically using the "Save Subtree As" feature of the Registry Editor in Windows NT/2000 (regedt32). Additionally, in some cases it may be fruitful to search for remnants of network file shares scattered around the system (e.g. in registry slack, user.dmp, swap, unallocated space) using a grep expression like "\\\\[A-Z]+\\[A-Z]+".
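The grep expression above finds UNC names stored as plain ASCII. Windows stores registry strings as UTF-16LE, where every character is followed by a NUL byte, so the same remnant in registry slack or a memory dump will not match an ASCII-only pattern. The following is an added example, not code from the book: it searches a constructed blob for \\server\share names in both encodings (with a character class wider than the text's [A-Z]+, so lower case and digits match too) and converts a regedit-style comma-separated hex export of a binary value back to text. The blob and the hex string are constructed sample data.

```python
import re

# Constructed blob standing in for a swap or registry-slack excerpt (sample input):
# one UNC name stored as ASCII and one as UTF-16LE, surrounded by filler bytes.
SAMPLE_BLOB = (
    b"junk\x00\x01"
    + b"\\\\FILESERVER\\shared\\docs\x00"
    + b"\xff\xfe"
    + "\\\\HOMEPC\\music".encode("utf-16-le")
    + b"\x00\x00tail"
)

# \\server\share in ASCII (the text's pattern, widened to lower case, digits and ._$-)
UNC_ASCII_RE = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[A-Za-z0-9._$-]+")
# The same pattern with a NUL after every character, i.e. UTF-16LE as the registry stores it
UNC_UTF16_RE = re.compile(rb"(?:\\\x00){2}(?:[A-Za-z0-9._-]\x00)+\\\x00(?:[A-Za-z0-9._$-]\x00)+")


def find_unc_paths(blob: bytes) -> list:
    """Return (offset, encoding, path) for every \\server\share remnant found, ordered by offset."""
    hits = []
    for m in UNC_ASCII_RE.finditer(blob):
        hits.append((m.start(), "ascii", m.group(0).decode("ascii")))
    for m in UNC_UTF16_RE.finditer(blob):
        hits.append((m.start(), "utf-16-le", m.group(0).decode("utf-16-le")))
    return sorted(hits)


def decode_reg_hex(hex_field: str) -> str:
    """Convert a regedit-style 'hex:5c,00,5c,00,...' export of a binary value to text,
    trying UTF-16LE first because that is how Windows stores registry strings and
    falling back to a byte-per-character decode for odd-length or non-UTF-16 data."""
    body = hex_field.strip()
    if body.lower().startswith("hex:"):
        body = body[4:]
    raw = bytes(int(h, 16) for h in body.split(",") if h.strip())
    try:
        return raw.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return raw.decode("latin-1").rstrip("\x00")


if __name__ == "__main__":
    for offset, encoding, path in find_unc_paths(SAMPLE_BLOB):
        print(f"offset {offset}: {encoding}: {path}")
    print(decode_reg_hex("hex:5c,00,5c,00,48,00,4f,00,4d,00,45,00,50,00,43,00,5c,00,6d,00,75,00,73,00,69,00,63,00,00,00"))
```

Both scans run over raw bytes rather than a decoded string, which is what makes them usable on slack, swap and unallocated space where there is no text encoding to speak of.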

This is by no means a definitive guide for locating remote storage locations. There are many other remote storage options, including free disk space (e.g. www.freedrive.com, www.filesanywhere.com), the Briefcase feature on Yahoo!, and compromised systems used by intruders to squirrel away files. Most remote storage options require users to enter passwords. It is not advisable for digital investigators to access these remote storage locations without proper authorization, even if they know the password. For instance, a computer may be configured automatically to connect to a remote file storage area. Although it may be possible to access the associated data over the network, doing so might alter evidence and exceed the scope of a search warrant.

[28]The Internet Account Manager section in the registry often contains default accounts that were not added by the user, such as the Bigfoot and Infospace accounts in Figure 10.9.

[29]The AT&T/IBM Global Network Dialer creates other logs containing useful information, such as ErrorLog.txt and ARLOG.TXT. File names and contents may differ in different versions of the dialer software.

[30]The date-time stamps in these history databases are obtained from the local computer, not the remote server.

[31]UNIX versions available at http://odessa.sourceforge.net/ and Windows versions available at http://www.foundstone.com

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279