11.7 Internet Traces



UNIX was specifically designed with networking in mind and has many applications for accessing the Internet. Most of these utilities do not keep logs, but may leave subtle traces of activities in swap space or temporary files as discussed in the previous section. However, some Internet applications create records of activities such as Web resources accessed and e-mails sent and received.

11.7.1 Web Browsing

On UNIX, Netscape stores a history of Web sites that were accessed in a Berkeley DB file called "history.dat," and stores information about cache files in a Berkeley DB file called "index.db." These files can be processed using the db_dump185 utility from the Berkeley DB software package as shown here:[14]

    # db_dump185 history.dat
    format=bytevalue
    type=hash
    h_ffactor=60
    db_lorder=1234
    db_pagesize=4096
    HEADER=END
     687474703a2f2f72722e73616e732e6f72672f61756469742f6e65746361742e6874
     6d00
     5a18e53d5a18e53d010000000000000000
     687474703a2f2f72722e73616e732e6f72672f61756469742f7472616e7370617265
     6e742e67696600
     5a18e53d5a18e53d080000000000000000
     687474703a2f2f7777772e6365726961732e7075726475652e6564752f686f6d6573
     2f636172726965722f666f72656e736963732f00
     ce37e53dd332e53d0300000001000000636172726965723a20436f6d70757465722
     0466f72656e7369637300
    <cut for brevity>

The times (the first two 4-byte values in each entry, shown in bold in the original listing) can be converted and adjusted for the time zone. For instance, the above data represents the following:

    URL: http://rr.sans.org/audit/netcat.htm
    Date Accessed: Wed Nov 27 14:09:14 2002 (GMT -0500)
    Accessed: 1

    URL: http://rr.sans.org/audit/transparent.gif
    Date Accessed: Wed Nov 27 14:09:14 2002 (GMT -0500)
    Accessed: 8

    URL: http://www.cerias.purdue.edu/homes/carrier/forensics/
    Last Accessed: Wed Nov 27 16:23:26 2002 (GMT -0500)
    First Accessed: Wed Nov 27 16:02:11 2002 (GMT -0500)
    Accessed: 3

In this instance, the first and last visited times are equal but the "transparent.gif" file was accessed eight (8) times because it is referenced in the "netcat.htm" page eight (8) times. However, the db_dump185 utility does not display entries that have been marked for deletion but still exist in the file. Deleted entries can be seen by viewing the raw data in the format last time visited, first time visited, number of times visited, and URL.
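The decoding described above, as an added Python example written for this page (it is not the book's code and not part of Berkeley DB). It assumes the dump's wrapped hexadecimal lines have been re-joined so that each key and each value sits on one line, as db_dump185 actually emits them; it treats the bytes after the visit count (a 4-byte field followed by a NUL-terminated page title, visible only in the third record) as inferred from the dump rather than documented; and the GMT -0500 offset is supplied by the examiner. The second function is a plain string carve over raw file bytes, one way of surfacing the URLs of entries that db_dump185 skips because they are marked deleted; the raw bytes it runs on here are constructed.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# db_dump185 output of the history.dat shown above, with the book's line
# wrapping undone: one key line, then one value line, each prefixed by a space.
HISTORY_DUMP = """\
format=bytevalue
type=hash
h_ffactor=60
db_lorder=1234
db_pagesize=4096
HEADER=END
 687474703a2f2f72722e73616e732e6f72672f61756469742f6e65746361742e68746d00
 5a18e53d5a18e53d010000000000000000
 687474703a2f2f72722e73616e732e6f72672f61756469742f7472616e73706172656e742e67696600
 5a18e53d5a18e53d080000000000000000
 687474703a2f2f7777772e6365726961732e7075726475652e6564752f686f6d65732f636172726965722f666f72656e736963732f00
 ce37e53dd332e53d0300000001000000636172726965723a20436f6d707574657220466f72656e7369637300
DATA=END
"""

# Examiner-supplied offset: the listing above reports these times as GMT -0500.
EASTERN = timezone(timedelta(hours=-5))
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def dump_records(text):
    """Return (key, value) byte pairs from db_dump185 'bytevalue' output."""
    lines = text.splitlines()
    body = lines[lines.index("HEADER=END") + 1:]
    items = [bytes.fromhex(line[1:]) for line in body if line.startswith(" ")]
    return list(zip(items[0::2], items[1::2]))


def decode_history(key, value, tz=EASTERN):
    """Decode one history.dat entry.

    Key: the URL as a NUL-terminated string.  Value (little-endian, since
    db_lorder=1234): last visit, first visit and visit count as 32-bit
    integers, as the text describes.  The rest (a 32-bit field and a
    NUL-terminated title) is inferred from the third record on the page.
    """
    url = key.split(b"\x00", 1)[0].decode("latin-1")
    last, first, count, flag = struct.unpack_from("<IIII", value, 0)
    title = value[16:].split(b"\x00", 1)[0].decode("latin-1")
    return {
        "url": url,
        "last": datetime.fromtimestamp(last, tz).strftime(TIME_FMT),
        "first": datetime.fromtimestamp(first, tz).strftime(TIME_FMT),
        "count": count,
        "flag": flag,
        "title": title,
    }


def history_from_dump(text, tz=EASTERN):
    return [decode_history(k, v, tz) for k, v in dump_records(text)]


# NUL-terminated URL keys as they appear on disk (printable ASCII only).
URL_RE = re.compile(rb"https?://[\x21-\x7e]+\x00")


def carve_urls(raw):
    """String-carve URL keys from raw history.dat bytes.  Unlike db_dump185
    this also surfaces keys of entries marked deleted, but it cannot pair a
    key with its times, so every hit is a lead to be verified against the
    raw page data, not a finished record."""
    return [m.group(0)[:-1].decode("latin-1") for m in URL_RE.finditer(raw)]


# Constructed raw fragment: one live key from the dump above plus a key whose
# entry has been marked deleted (db_dump185 would omit it).
RAW_SAMPLE = (
    b"\x00" * 16
    + bytes.fromhex("687474703a2f2f72722e73616e732e6f72672f61756469742f6e65746361742e68746d00")
    + b"\xff\x00\x00"
    + b"http://example.invalid/deleted-entry\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for rec in history_from_dump(HISTORY_DUMP):
        print(rec)
    print(carve_urls(RAW_SAMPLE))
```

Run against a dump of a real history.dat, the 32-bit times roll over in 2038, and any file whose db_lorder is 4321 needs the `<` in the struct formats changed to `>`.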

The Netscape cache "index.db" database can also be processed using db_dump185 as shown here:

    # db_dump185 index.db
    format=bytevalue
    type=hash
    h_ffactor=16
    db_lorder=1234
    db_pagesize=4096
    HEADER=END
     3200000026000000687474703a2f2f7777772e676f6f676c652e636f6d2f696d6167
     65732f726573312e6769660000000000
     a900000005000000fb75b33ddd17e53dff3dfe7fa806000000000000001c00003
     1442f63616368653344453531374444303132304643372e67696600000000000010
     00000000000000000000000000000000a000000696d6167652f676966000000000
     00000000000a806000000000000000000000000000000000000000000000000000
     000000000000000000000000000000000000000000000000000000000000000000
     000000
     3400000028000000687474703a2f2f7777772e61747374616b652e636f6d2f696d6
     16765732f636c6561722e6769660000000000
     ab00000005000000e27d6c3ae417e53d000000003100000000000000001c00000030
     342f63616368653344453531374534303142304643372e67696600000000000100000
     0000000000000000000000000000a000000696d6167652f6769660000000000000000
     00003100000000000000000000000000000000000000000000000000000000000000
     00000000000000000000000000000000000000000000000000000000000000000000
     4200000036000000687474703a2f2f7777772e61747374616b652e636f6d2f6e6176
     696d616765732f626c616e6b5f73756273656374696f6e2e6769660000000000
     b900000005000000f87d6c3ae417e53d000000006e00000000000000001c0000003
     0342f63616368653344453531374534303236304643372e67696600000000000100
     0000000000000000000000000000000a000000696d6167652f67696600000000000
     0000000006e00000000000000000000000000000000000000000000000000000000
     0000000000000000000000000000000000000000000000000000000000000000000
     00000000000000000000000000000000000
     3f00000033000000687474703a2f2f7777772e6c696e757867617a657474652e636f
     6d2f67782f6e61766261722f74616c6b6261636b2e6a70670000000000

Obviously, some interpretation is required - the above data represent the following:

    URL: http://www.google.com/images/res1.gif
    Content Length: 1704
    Content type: image/gif
    Local filename: 1D/cache3DE517DD0120FC7.gif
    Last Modified: Sun Oct 20 23:35:23 2002
    Expires: Sun Jan 17 14:14:07 2038

    URL: http://www.atstake.com/images/clear.gif
    Content Length: 49
    Content type: image/gif
    Local filename: 04/cache3DE517E401B0FC7.gif
    Last Modified: Mon Jan 22 13:37:22 2001
    Expires: No expiration date sent

    URL: http://www.atstake.com/navimages/blank_subsection.gif
    Content Length: 110
    Content type: image/gif
    Local filename: 04/cache3DE517E40260FC7.gif
    Last Modified: Mon Jan 22 13:37:44 2001
    Expires: No expiration date sent

The Last Modified date is when the file was changed on the server, not on the local computer.
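An added Python example (written for this page; not the book's code and not Netscape's) that decodes the first index.db record above from its hexadecimal. It assumes the layout that is consistent across the three records on the page: a length-prefixed key holding the URL, and a value whose fixed prefix carries a record length, a 0x05 field, three 32-bit times, the content length, five bytes that are zero in every record, and the length-prefixed local cache file name. Only Last-Modified and the content length can be checked against the interpreted listing; the other field names are guesses, and the bytes after the file name are left undecoded because the page's transcription of them is unreliable. Since Last-Modified is server time, the record is shown both in UTC and at an examiner-supplied offset (GMT -0400 here, because 20 October 2002 fell in US daylight time, which is how the listing above reports it).

```python
import struct
from datetime import datetime, timedelta, timezone

# Key and the start of the value of the first index.db record shown above,
# copied from the dump with the book's line wrapping removed.
KEY_HEX = (
    "32000000" "26000000"
    "687474703a2f2f7777772e676f6f676c652e636f6d2f696d616765732f726573312e67696600"
    "00000000"
)
VALUE_PREFIX_HEX = (
    "a9000000" "05000000" "fb75b33d" "dd17e53d" "ff3dfe7f" "a8060000"
    "0000000000" "1c000000"
    "31442f63616368653344453531374444303132304643372e67696600"
)

EDT = timezone(timedelta(hours=-4))   # examiner-supplied local offset
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def decode_cache_key(key):
    """Key layout seen in all three records: total length, URL length
    (including the NUL), the URL itself, then four zero bytes of padding."""
    total, url_len = struct.unpack_from("<II", key, 0)
    if total != len(key):
        raise ValueError("key length field does not match key size")
    return key[8:8 + url_len].split(b"\x00", 1)[0].decode("latin-1")


def decode_cache_value(value, tz=EDT):
    """Decode the fixed prefix of an index.db value (little-endian, per
    db_lorder=1234).  Only 'mtime' (server Last-Modified) and 'content_len'
    are confirmed by the page's listing; 'field2', 'time2' and 'expires_raw'
    are labels for fields whose meaning the page does not establish."""
    rec_len, field2, mtime, time2, expires_raw, content_len = struct.unpack_from(
        "<IIIIII", value, 0)
    off = 24 + 5                     # five bytes, zero in every record on the page
    (name_len,) = struct.unpack_from("<I", value, off)
    off += 4
    local_name = value[off:off + name_len].split(b"\x00", 1)[0].decode("latin-1")
    return {
        "record_len": rec_len,
        "content_length": content_len,
        "local_filename": local_name,
        "last_modified": datetime.fromtimestamp(mtime, tz).strftime(TIME_FMT),
        "last_modified_utc": datetime.fromtimestamp(mtime, timezone.utc).strftime(TIME_FMT),
        "expires_raw": expires_raw,
    }


def decode_cache_record(key_hex=KEY_HEX, value_hex=VALUE_PREFIX_HEX, tz=EDT):
    rec = decode_cache_value(bytes.fromhex(value_hex), tz)
    rec["url"] = decode_cache_key(bytes.fromhex(key_hex))
    return rec


if __name__ == "__main__":
    for field, val in decode_cache_record().items():
        print(f"{field}: {val}")
```

The local file name joins the cache directory to the file that holds the actual content, so a hit in index.db tells the examiner which cached object to hash and examine next; the record length field makes a useful sanity check when walking raw pages rather than a dump.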

Other information discussed in Chapter 10, such as cookies and newsgroup access, can be found on a UNIX machine. Some UNIX utilities have been developed to extract information from Internet Explorer cookie and "index.dat" files.[15] Information about newsgroups that have been accessed is stored in a file named ".newsrc" that is usually located in the individual's home directory.

11.7.2 E-Mail

On UNIX systems that receive e-mail, incoming messages are held in "/var/spool/mail" in separate files for each user account until a user accesses them. Outgoing messages are stored temporarily in "/var/spool/mqueue/mail" but are generally deleted after they are sent. Incoming and outgoing e-mail messages may also be stored in files under the home directories of each user. UNIX generally stores e-mail in text files, making them easier to process. However, there may be MIME encoded attachments that must be extracted and decoded using utilities like mimencode or mpack.[16]

Although some UNIX utilities are available for converting Outlook PST files[17] and other proprietary formats into a Linux-readable format, they are not designed with digital evidence in mind and may not recover deleted messages. Therefore, it is advisable to process proprietary e-mail formats like Outlook and AOL on Windows systems.

11.7.3 Network Traces

UNIX systems are often configured to print, log, and store user data (e.g. files, e-mail, passwords) on remote systems. Therefore, it is vital to look for traces of connections to remote locations on a network, since these can lead to additional sources of digital evidence. Quickly identifying other likely sources of digital evidence on a network increases the chances of obtaining the data before they are altered or lost.

As with Windows, individual applications like ncftp retain logs when used to transfer files from remote computers, and SSH can store a list of public keys for each host that was accessed in files named "known_hosts." Similarly, ".Xauthority" files contain lists of remote systems that were accessed using X, the X Window System interface for displaying programs that run on remote systems. Also, UNIX system logs can contain information relating to connections to remote systems, and the "/etc/hosts" file often contains a list of computers that are communicated with frequently.

Shared network drives are common in UNIX environments. The file system mount table ("/etc/fstab") shows local and remote file systems that are automatically mounted when the system is booted. For instance, the last two lines of an "/etc/fstab" file from a Linux system indicate that user home directories and e-mail are stored on a remote system named central:

    # cat /etc/fstab
    /dev/hda1       /            ext2      defaults         1 1
    /dev/hda7       /tmp         ext2      defaults         1 2
    /dev/hda5       /usr         ext2      defaults         1 2
    /dev/hda6       /var         ext2      defaults         1 2
    /dev/hda8       swap         swap      defaults         0 0
    /dev/fd0        /mnt/floppy  ext2      user,noauto      0 0
    /dev/hdc        /mnt/cdrom   iso9660   user,noauto,ro   0 0
    none            /dev/pts     devpts    gid=5,mode=620   0 0
    none            /proc        proc      defaults         0 0
    central:/home/accts      /home/accts      nfs    bg,hard,intr,rsize=8192,wsize=8192
    central:/var/spool/mail  /var/spool/mail  nfs    bg,hard,intr,noac,rsize=8192,wsize=8192

A list of currently mounted drives, including those not listed in /etc/fstab (e.g. those mounted by individual users), is kept in "/etc/mtab" ("/etc/mnttab" on Solaris 7 and later versions). Similar information is maintained in /proc/mounts on systems like Linux that have a /proc file system. In addition to using NFS, remote network resources on Windows systems can be accessed from UNIX using Samba.[18] Therefore, digital evidence examiners may be able to find remnants of Windows network file shares (e.g. "\\server\resource") and directory listings (e.g. "C:\winnt\system32\*.exe").

UNIX computers can be configured to send logs to remote systems in the /etc/syslog.conf as shown here:

    # cat /etc/syslog.conf
    *.*                                  @remote-server

Additionally, the /etc/printcap file is used to send print jobs to remote systems as shown in the following segment:

    # cat /etc/printcap
    lp0|lp:\
        :sd=/var/spool/lpd/lp0:\
        :mx#0:\
        :sh:\
        :rm=remote-server:\
        :rp=lp0:\
        :if=/var/spool/lpd/lp0/filter:
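The mount table, syslog.conf and printcap segments above name remote hosts in three different syntaxes. The following added Python example (written for this page, not taken from the book) pulls those host names out of each: fstab/mtab-style mount tables (the same six-column layout as /proc/mounts; Samba-style //server/share devices are handled as well, which goes beyond the NFS lines shown), syslog.conf lines whose action is a remote host, and printcap entries that carry an rm= capability. The inputs are the segments shown above, retyped as constructed strings.

```python
import re

# Constructed inputs: the configuration segments shown above.
FSTAB = """\
/dev/hda1       /            ext2      defaults         1 1
/dev/hda7       /tmp         ext2      defaults         1 2
/dev/hda5       /usr         ext2      defaults         1 2
/dev/hda6       /var         ext2      defaults         1 2
/dev/hda8       swap         swap      defaults         0 0
/dev/fd0        /mnt/floppy  ext2      user,noauto      0 0
/dev/hdc        /mnt/cdrom   iso9660   user,noauto,ro   0 0
none            /dev/pts     devpts    gid=5,mode=620   0 0
none            /proc        proc      defaults         0 0
central:/home/accts      /home/accts      nfs  bg,hard,intr,rsize=8192,wsize=8192
central:/var/spool/mail  /var/spool/mail  nfs  bg,hard,intr,noac,rsize=8192,wsize=8192
"""

SYSLOG_CONF = """\
*.*                                  @remote-server
"""

PRINTCAP = """\
lp0|lp:\\
    :sd=/var/spool/lpd/lp0:\\
    :mx#0:\\
    :sh:\\
    :rm=remote-server:\\
    :rp=lp0:\\
    :if=/var/spool/lpd/lp0/filter:
"""

NETWORK_FS = {"nfs", "nfs4", "smbfs", "cifs"}


def remote_mounts(table_text):
    """Return (host, export, mountpoint, fstype) for every network file system
    in fstab, mtab or /proc/mounts text.  host:/export is NFS syntax;
    //host/share is the Samba form."""
    found = []
    for line in table_text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3:
            continue
        device, mountpoint, fstype = fields[:3]
        if fstype not in NETWORK_FS and ":" not in device and not device.startswith("//"):
            continue
        if ":" in device:
            host, export = device.split(":", 1)
        elif device.startswith("//"):
            host, _, export = device[2:].partition("/")
            export = "/" + export
        else:
            host, export = "", device
        found.append((host, export, mountpoint, fstype))
    return found


def syslog_remotes(conf_text):
    """Return (selector, host) for syslog.conf rules that forward to a remote
    host (@host, or @@host for TCP on newer syslog daemons)."""
    hosts = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\S+)\s+@{1,2}([\w.\-:\[\]]+)", line)
        if m:
            hosts.append((m.group(1), m.group(2)))
    return hosts


def printcap_remotes(printcap_text):
    """Return (names, remote host, remote queue) for each printcap entry that
    has an rm= capability.  Entries span lines joined by a trailing backslash;
    capabilities are colon-separated, in key=value, key#number or flag form."""
    text = re.sub(r"\\\n", "", printcap_text)
    results = []
    for entry in text.splitlines():
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        fields = [f.strip() for f in entry.split(":")]
        names = fields[0].split("|")
        caps = {}
        for f in fields[1:]:
            if "=" in f:
                k, v = f.split("=", 1)
            elif "#" in f:
                k, v = f.split("#", 1)
            elif f:
                k, v = f, True
            else:
                continue
            caps[k] = v
        if "rm" in caps:
            results.append((names, caps["rm"], caps.get("rp", names[0])))
    return results


if __name__ == "__main__":
    print(remote_mounts(FSTAB))
    print(syslog_remotes(SYSLOG_CONF))
    print(printcap_remotes(PRINTCAP))
```

Feeding the three functions the live /etc/mtab (or /proc/mounts) rather than /etc/fstab also catches user-mounted shares that were never written into the boot-time table, which is the distinction the text draws above.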

As mentioned in Chapter 10, it is not advisable for digital investigators to access these remote storage locations without proper authorization. The most effective way to obtain evidence from such systems is to gain physical access to each system, following standard operating procedures to preserve and recover the data.

[14]http://www.sleepycat.com

[15]http://odessa.sourceforge.net/

[16]http://www.usinglinux.org/converters/

[17]http://www.sourceforge.net/projects/o12mbox/

[18]http://www.samba.org




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279