Internet Artifacts - UTPA Faculty Web

apatheticyogurt, Software & software development

13 Dec 2013

Internet Artifacts



Dr. John Abraham

Professor

UTPA

Linux and MAC


Linux and Mac artifacts are given in chapters 6 and 7.


Students are encouraged to read these chapters.


Introduction


The bulk of user interaction now takes place over the Internet.


Application-specific artifacts created by web browsers provide important evidence.

Internet Explorer (IE)


The index.dat file is a database file.


It is a repository of information such as web URLs, search queries and recently opened files.


Its purpose is to enable quick access to data used by Internet Explorer.


For example, every web address visited is stored in the index.dat file, allowing Internet Explorer to quickly find Autocomplete matches as the user types a web address.


The index.dat file is user-specific and is open as long as a user is logged on in Windows.


Separate index.dat files exist for the Internet Explorer history, cache, and cookies.


The index.dat file is never resized or deleted. A large index.dat file can impair performance.


Pasco (download) can be used to view index.dat files.


Malware can make use of the WinInet API to infect computers. Entries are then made in the index.dat files of the default user or LocalService accounts.

Favorites


A user's favorites can provide information regarding that user's movement across the Internet.

Cookies


Cookies are saved as plain text files.


Galleta (download) can display cookie files in a formatted view.


The cookie will have a creation time and expiration time, the site name and other useful information.
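As an added example (not code from the slides, and not Galleta itself), the following Python parses the legacy Internet Explorer plain-text cookie layout and prints it as a table in the style of Galleta's output. The record layout is an assumption of this example rather than something the slide states: each cookie is a group of nine lines (name, value, host/path, flags, expiry FILETIME low and high halves, creation FILETIME low and high halves, and a `*` terminator), with FILETIME counting 100-nanosecond intervals since 1601-01-01 UTC. The sample cookie file, its values and its flag numbers are constructed.

```python
"""
Added example, not code from the slides and not Galleta: parse the legacy
Internet Explorer plain-text cookie layout and print it as a table.

Assumption (not stated on the slide): each cookie is a 9-line record in the
order name, value, host/path, flags, expiry FILETIME low, expiry FILETIME
high, creation FILETIME low, creation FILETIME high, '*' terminator.
FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC, split here
into two 32-bit decimal fields.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_LINES = 9


def filetime_to_datetime(low, high):
    """Join the two 32-bit halves of a FILETIME and convert to a UTC datetime."""
    ft = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_parts(dt):
    """Inverse of filetime_to_datetime; only used to build the sample file."""
    ft = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ft & 0xFFFFFFFF, ft >> 32


def parse_cookie_text(text):
    """Return one dict per cookie record; a truncated trailing record is skipped."""
    fields = text.splitlines()
    cookies = []
    for start in range(0, len(fields), RECORD_LINES):
        rec = fields[start:start + RECORD_LINES]
        if len(rec) < RECORD_LINES:
            break  # partial record at end of file: nothing reliable to decode
        if rec[8] != "*":
            raise ValueError(f"record starting at line {start + 1} lacks the '*' terminator")
        name, value, hostpath, flags, ex_lo, ex_hi, cr_lo, cr_hi, _ = rec
        cookies.append({
            "site": hostpath,
            "name": name,
            "value": value,
            "flags": int(flags),
            "created": filetime_to_datetime(int(cr_lo), int(cr_hi)),
            "expires": filetime_to_datetime(int(ex_lo), int(ex_hi)),
        })
    return cookies


def format_table(cookies):
    """Tab-separated rows; the column names follow Galleta's output as I recall it."""
    rows = ["SITE\tVARIABLE\tVALUE\tCREATION_TIME\tEXPIRE_TIME\tFLAGS"]
    for c in cookies:
        rows.append("\t".join([c["site"], c["name"], c["value"],
                               c["created"].isoformat(), c["expires"].isoformat(),
                               str(c["flags"])]))
    return "\n".join(rows)


def build_sample_cookie_file():
    """Constructed sample: two cookies with made-up names, values and flags."""
    created = datetime(2013, 12, 13, 10, 30, tzinfo=timezone.utc)
    expires = datetime(2014, 12, 13, 10, 30, tzinfo=timezone.utc)
    cr_lo, cr_hi = filetime_parts(created)
    ex_lo, ex_hi = filetime_parts(expires)
    times = [str(ex_lo), str(ex_hi), str(cr_lo), str(cr_hi)]
    rec1 = ["sessionid", "abc123", "www.example.com/", "1536"] + times + ["*"]
    rec2 = ["prefs", "lang=en", "www.utpa.edu/", "1024"] + times + ["*"]
    return "\n".join(rec1 + rec2) + "\n"


if __name__ == "__main__":
    print(format_table(parse_cookie_text(build_sample_cookie_file())))
```

The two-part FILETIME is the detail that trips up hand inspection: the decimal numbers in the file mean nothing until the high half is shifted left by 32 bits and joined with the low half, which is exactly the step a tool like Galleta performs before printing readable timestamps.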

Cache


The cache is created as a result of a user's browsing activities. Cache files are stored in Temporary Internet Files.


It will contain the URL location, times and file name.

Firefox


Mozilla's Firefox is the second most widely used browser.


Firefox stores history in SQLite 3 databases in the Firefox profile.


Files of interest: formhistory.sqlite (contains data filled out to submit forms and webmail subject lines), downloads.sqlite, cookies.sqlite and places.sqlite (the user's browsing activity).
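To show what "browsing activity in places.sqlite" looks like in practice, here is an added example (not from the slides and not Mozilla's code) that builds a constructed, minimal stand-in for a Firefox profile's places.sqlite and pulls a browsing-history timeline out of it with the query an examiner would run against a real copy. The example assumes only the `moz_places` and `moz_historyvisits` columns the query needs (the real tables carry many more), that `visit_date` is PRTime (microseconds since the Unix epoch), and that the `visit_type` codes are Firefox's TRANSITION_* values (1 = link, 2 = typed, and so on). The sample URLs, titles and timestamps are constructed.

```python
"""
Added example, not code from the slides or from Mozilla: build a constructed,
minimal stand-in for a Firefox profile's places.sqlite and extract a
browsing-history timeline from it.

Assumptions: only the moz_places / moz_historyvisits columns the query needs
are created; visit_date is PRTime (microseconds since the Unix epoch); the
visit_type codes are Firefox's TRANSITION_* values.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Firefox TRANSITION_* codes as I know them from the Places source.
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary", 7: "download"}

# Minimal subset of the real schema (assumption: real tables have more columns).
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY,
    url TEXT NOT NULL,
    title TEXT,
    visit_count INTEGER DEFAULT 0,
    last_visit_date INTEGER
);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY,
    from_visit INTEGER,
    place_id INTEGER NOT NULL,
    visit_date INTEGER,
    visit_type INTEGER
);
"""

# Constructed sample rows; timestamps are microseconds around 2013-12-13 UTC.
SAMPLE_PLACES = [
    (1, "https://www.utpa.edu/", "UTPA home", 2, 1386892800_000000),
    (2, "https://www.mozilla.org/firefox/", "Firefox", 1, 1386896400_000000),
]
SAMPLE_VISITS = [
    # id, from_visit (0 = no referring visit), place_id, visit_date, visit_type
    (1, 0, 1, 1386889200_000000, 2),  # typed URL, 2013-12-12 23:00 UTC
    (2, 1, 2, 1386896400_000000, 1),  # link followed from visit 1, 01:00 UTC
    (3, 0, 1, 1386892800_000000, 2),  # typed again, 2013-12-13 00:00 UTC
]


def prtime_to_datetime(prtime):
    """Firefox PRTime (microseconds since 1970-01-01 UTC) -> aware datetime."""
    return UNIX_EPOCH + timedelta(microseconds=prtime)


def build_sample_db(path=":memory:"):
    """Create the stand-in database and load the constructed rows."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", SAMPLE_PLACES)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", SAMPLE_VISITS)
    conn.commit()
    return conn


def history_timeline(conn):
    """Every visit in time order with URL, title, how it was reached and the referring URL."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type, ref.url
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits AS fv ON fv.id = v.from_visit
        LEFT JOIN moz_places AS ref ON ref.id = fv.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [{"when": prtime_to_datetime(vd), "url": url, "title": title,
             "type": VISIT_TYPES.get(vt, f"unknown({vt})"), "referrer": ref}
            for vd, url, title, vt, ref in rows]


if __name__ == "__main__":
    for visit in history_timeline(build_sample_db()):
        print(visit["when"].isoformat(), visit["type"], visit["url"],
              "<-", visit["referrer"] or "-")
```

Against a real profile, copy places.sqlite (together with any places.sqlite-wal sidecar) out of the profile directory first, since a running Firefox holds the file open, then replace `build_sample_db()` with `sqlite3.connect("file:places.sqlite?mode=ro", uri=True)`. The `from_visit` join is what turns a flat list of URLs into a navigation chain, which is usually the question an examiner actually has.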

Firefox (2)


Cache


Saved session data


If Firefox is not terminated properly, a file named sessionstore.js is created. It is used to recover from a crash.


Bookmarks and backups

Other browsers are skipped

Mail artifacts


Personal storage table (PST)


Use Outlook to open it, or there are other tools available such as http://www.nucleustechnologies.com/pst-viewer.html



Mbox and maildir


Local mail storage formats used on Linux. Both formats are plaintext. Mairix is a searching utility.
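As an added example (not code from the slides), the following Python reads a constructed mbox file and a constructed Maildir with the standard-library `mailbox` module and reduces each message to the header fields an examiner would put on a timeline: date, sender, subject and the Message-ID / In-Reply-To pair that links replies to originals. Mairix, the search utility the slide mentions, is not used; this is a plain read of the two plaintext formats. The two sample messages, their addresses and the temporary paths are all constructed.

```python
"""
Added example, not code from the slides: read a constructed mbox file and a
constructed Maildir with Python's 'mailbox' module and turn each message into
the header fields an examiner would put on a timeline.

Assumptions: the sample messages are made up; mailboxes are written to a
temporary directory so the example runs offline.
"""
import email.utils
import mailbox
import os
import tempfile

# Constructed two-message mbox. Each message starts with a "From " envelope line.
SAMPLE_MBOX = """From alice@example.com Fri Dec 13 09:15:00 2013
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lab report
Date: Fri, 13 Dec 2013 09:15:00 +0000
Message-ID: <one@example.com>

Attached is the report.

From bob@example.com Fri Dec 13 10:00:00 2013
From: Bob <bob@example.com>
To: alice@example.com
Subject: Re: Lab report
Date: Fri, 13 Dec 2013 10:00:00 +0000
Message-ID: <two@example.com>
In-Reply-To: <one@example.com>

Thanks, got it.
"""


def write_sample_mailboxes(root):
    """Write the mbox, then copy its messages into a Maildir under the same root."""
    mbox_path = os.path.join(root, "inbox.mbox")
    with open(mbox_path, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    maildir_path = os.path.join(root, "Maildir")
    md = mailbox.Maildir(maildir_path, create=True)  # creates tmp/, new/, cur/
    for msg in mailbox.mbox(mbox_path):
        md.add(mailbox.MaildirMessage(msg))
    md.close()
    return mbox_path, maildir_path


def summarize(box):
    """One dict per message, sorted by the Date header (undated messages last)."""
    rows = []
    for msg in box:
        date_hdr = msg.get("Date")
        rows.append({
            "date": email.utils.parsedate_to_datetime(date_hdr) if date_hdr else None,
            "from": email.utils.parseaddr(msg.get("From", ""))[1],
            "subject": msg.get("Subject", ""),
            "message_id": msg.get("Message-ID"),
            "in_reply_to": msg.get("In-Reply-To"),
        })
    rows.sort(key=lambda r: r["date"].timestamp() if r["date"] else float("inf"))
    return rows


def read_mbox(path):
    """Summarize every message in a single mbox file."""
    return summarize(mailbox.mbox(path))


def read_maildir(path):
    """Summarize every message in a Maildir (new/ and cur/ are both read)."""
    return summarize(mailbox.Maildir(path))


def demo():
    """Build both mailboxes in a temp dir and return (mbox rows, maildir rows)."""
    with tempfile.TemporaryDirectory() as root:
        mbox_path, maildir_path = write_sample_mailboxes(root)
        return read_mbox(mbox_path), read_maildir(maildir_path)


if __name__ == "__main__":
    for label, rows in zip(("mbox", "Maildir"), demo()):
        print(label)
        for r in rows:
            print(" ", r["date"].isoformat(), r["from"], r["subject"])
```

Because both formats are plaintext, the same summarizing function works on either one; the difference is only that mbox keeps every message in one file separated by "From " lines, while Maildir keeps one file per message under new/ and cur/. Sorting on the parsed Date header rather than on file order matters because neither format guarantees chronological storage.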