Internet Artifacts
Dr. John Abraham
Professor
UTPA
Linux and Mac
• Linux and Mac artifacts are covered in chapters 6 and 7.
• Students are encouraged to read these chapters.
Introduction
• The bulk of user interaction now takes place through the Internet.
• Application-specific artifacts created by web browsers provide important evidence.
Internet Explorer (IE)
• The index.dat file is a database file.
• It is a repository of information such as web URLs, search queries and recently opened files.
• Its purpose is to enable quick access to data used by Internet Explorer.
• For example, every web address visited is stored in the index.dat file, allowing Internet Explorer to quickly find Autocomplete matches as the user types a web address.
• The index.dat file is user-specific and is open as long as the user is logged on to Windows.
• Separate index.dat files exist for the Internet Explorer history, cache, and cookies.
• The index.dat file is never resized or deleted. A large index.dat file can impair performance.
• Pasco (download) can be used to view index.dat files.
• Malware can make use of the WinInet API to infect computers. Entries are made in index.dat files for the default user or LocalService accounts.
Favorites
• A user's favorites can provide information regarding the user's movement across the Internet.
Cookies
• Cookies are saved as plain text files.
• Galleta (download) can display them in formatted form.
• The cookie will have creation time and expiration time, site name and other useful information.
Cache
• Cache is created as a result of a user's browsing activities. Cached files are stored in Temporary Internet Files.
• It will contain URL location, times and file name.
Firefox
• Mozilla's Firefox is the second most widely used browser.
• Stores history in SQLite 3 databases in Firefox profiles.
• Files of interest: formhistory.sqlite (contains data filled out to submit forms and webmail subject lines), downloads.sqlite, cookies.sqlite and places.sqlite (user's browsing activity).
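
As an added example (not part of the original slides), the following Python reads visit records from places.sqlite and converts them into a UTC timeline. The table and column names follow Firefox's Places schema; the sample rows, hostnames and function names are constructed for illustration.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Firefox visit_type codes (subset of the Places transition types).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download"}

def build_sample_places(path):
    """Constructed stand-in for places.sqlite: two tables, subset of columns."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://mail.example.test/inbox', 'Inbox');
        INSERT INTO moz_places VALUES (2, 'https://files.example.test/report.zip', NULL);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1300000000000000, 2);
        INSERT INTO moz_historyvisits VALUES (2, 1, 2, 1300000065500000, 7);
    """)
    con.close()

def history_timeline(path):
    """Read visits oldest-first over a read-only (mode=ro) connection, so the
    working copy of the evidence file is not modified by the examination."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("""
            SELECT v.visit_date, v.visit_type, p.url, p.title
            FROM moz_historyvisits AS v JOIN moz_places AS p ON p.id = v.place_id
            ORDER BY v.visit_date""").fetchall()
    finally:
        con.close()
    timeline = []
    for visit_date, visit_type, url, title in rows:
        # visit_date is PRTime: microseconds since 1970-01-01 00:00:00 UTC.
        when = datetime.fromtimestamp(visit_date / 1_000_000, tz=timezone.utc)
        timeline.append((when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                         VISIT_TYPES.get(visit_type, f"type_{visit_type}"), url, title or ""))
    return timeline

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "places.sqlite"
        build_sample_places(path)
        return history_timeline(path)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To examine a real profile, pass history_timeline() the path of a working copy of places.sqlite rather than the original evidence file.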
Firefox (2)
• Cache
• Saved session data – if Firefox is not terminated properly, a file named sessionstore.js is created. It is used to recover from a crash.
• Bookmarks and backups
Other browsers are skipped
Mail artifacts
• Personal storage table (PST)
– Use Outlook to open it, or use one of the other tools available, such as http://www.nucleustechnologies.com/pst-viewer.html
• Mbox and maildir
– Local mail storage formats used by Linux. Both formats are plaintext. Mairix is a searching utility.