X-Ways Trace

X-Ways Trace can parse the data records in MS Internet Explorer’s history/cache files index.dat and in MS Windows Recycle Bin’s internal info2 file. When parsing in index.dat, it outputs complete URLs, date and time of the last visit, usernames, filenames, file sizes, and the location of the listed record. For info2, it outputs date and time of deletion, original path, filename, size, and record location. X-Ways Trace offers a native list output and exports to a tab-delimited text file that can be imported by MS Excel, any text editor, or a database. X-Ways Trace is available at http://www.x-ways.net/trace/.

Implementation

X-Ways Trace gives you the option of examining an individual file, a folder (with an option to include subfolders), or the entire disk (which may still contain remnants of previously existing index.dat and info2 files in unallocated space and slack space). When choosing to examine the entire disk, it is preferable that you open a logical drive instead of a physical disk. When opening physical disks, X-Ways Trace will not search for info2 files, only for index.dat file records. You would open the physical disk only if you want to search several partitions of a hard disk at the same time or if a partition is damaged.

In this example, we will search a suspect’s hard drive for information relating to potential International travel.

Choose File | Open Disk and select the drive letter of the logical disk you want to examine.

The output will look something like this:

X-Ways Trace provides multiple options for searching, as shown next. It can also search through all open files at the same time.

Any URL displayed in the list can be copied to the clipboard or looked up directly on the Internet using the default browser. By default, date and time information will be translated to the analyst’s local time zone as set in MS Windows.

You are a forensic examiner for the CIA tasked with analyzing an alleged terrorist's computers. The agency informs you that the suspect's laptop and desktop were seized from his hotel room just after he disappeared. It was believed that the suspect intended to hijack a plane destined from Belgium to the United States with an outcome yet unknown.

The agency would like to know all the suspect's recent contacts and motives and/or possible outcomes of this situation. Furthermore, any online communication between the suspect and any others could indicate future acts of terrorism attempts and could help save innocent lives. After examining a forensic duplication of the suspect's machines, you find the following programs installed and in use:

• Laptop (Windows 98):

  • Netscape browser (and associated e-mail programs)

• Desktop (Windows 2000 and Linux):

  • Internet Explorer (and hence Outlook Express)

  • A large file that appears to be a Unix mailbox on the Linux partition

Using standard forensic analysis techniques, you decide the best evidence is typically found in e-mail and web browsing history, so you decide to reconstruct the e-mail first and then examine the sites visited on the Web. The order of this reconstruction is arbitrary. You will compare and correlate the results once you have completed the reconstruction phase.

Outlook Express   Since Outlook Express e-mail was discovered in the forensic duplications acquired from the suspect's machines, you decide (arbitrarily) that you will reconstruct this e-mail first. After importing the discovered files, the following e-mails are revealed:

Investigators have obtained a lead indicating that the e-mail address belonging to highflyer21060@yahoo.com may provide more information into the suspect's disappearance. Furthermore, this information may supply an investigative lead that could direct you to another potential coconspirator. Beware, however, that this information may be available only with the proper legal documentation and only to law enforcement officials. Without proper analysis of the e-mail, this information could be lost, as the e-mail files formatted with Outlook Express are typically difficult to search without the original application.

Netscape Mail   Next, you locate an e-mail storage directory for Netscape e-mail. (The locations of these files are discussed in the “Netscape Navigator/Communicator” section in this chapter.) Using the reconstruction techniques described earlier in this chapter, you discover the following e-mails:

Reconstructing the Netscape e-mail from the suspect's computer provides more insight into the investigation. An additional e-mail address, highflyer@toughguy.net, was used by the suspect to communicate with the Yahoo! mail account, highflyer21060@yahoo.com. In addition, if the contents of the e-mail are credible, it seems that the plan may have been aborted. You should be wary of this information, however, as it could be just as false and unscrupulous as the sender. Nevertheless, it is plain to see that this information would not have been discovered without reconstructing the Netscape e-mail located on the subject computer.

Unix Mailboxes   The following illustrations demonstrate how the e-mail file found on the suspect's computer is presented after reconstructing it in the manner presented in “Unix Mailboxes” earlier in this chapter.

You now have an additional lead! If the suspect is not known to use the e-mail address bossman@toughguy.net, you can draw one of two conclusions:

• The e-mail address belongs to an additional e-mail account the suspect may own. The proper legal documentation may lead to more investigative leads when seizing that computer.

• The suspect does not actually own the bossman@toughguy.net e-mail account but has gained unauthorized access (an illegal activity in the United States) to acquire this file.

Either way, the investigation now has more leads.

IE History   To examine the web browsing habits of the suspect, you will examine the index.dat Internet Explorer files and the history.dat Netscape files discovered in the seized evidence.

Using Table 24-2 in the “IE History” section, you locate the index.dat files, which contain the URLs and dates the suspect visited them. When entering the Content.IE5 directory, you locate an index.dat file and open it using IE History. You notice, after scanning the list of web sites the suspect visited, that he was definitely using this computer to arrange his airline travel itinerary. The suspect was searching for tickets from Brussels to Baltimore around March 20, 2002. You view the same itineraries the suspect browsed by right-clicking on the URLs and selecting Go To URL.

You would need to repeat this process on other web sites visited by the suspect's machine to get a complete picture of his Internet activity. Additionally, you see the suspect was attempting to book a room at the Hilton Hotel in Old Town Alexandria, VA, just outside of Washington DC.

In conclusion, you observed that the subject was searching for travel information with an origin in Brussels and a destination in the greater Washington DC area. Without your being able to reconstruct the Internet history, this information would have been lost. Now the investigators can begin a manhunt in those areas and beef up security on international flights.