Difference between pages "Internet Explorer History File Format" and "Masterkey Linux"

From ForensicsWiki
(External Links)
 
 
Line 1: Line 1:
{{Expand}}
+
{{Infobox_Software |
[[Internet Explorer]] as of version 4 up to version 9 stores the web browsing history in files named <tt>index.dat</tt>. The files contain multiple records.
+
  name = Masterkey Linux |
MSIE version 3 probably uses similar records in its History (Cache) files.
+
  maintainer = Dr. Q. Zhou - Coventry University |
 +
  os = {{Linux}} |
 +
  genre = {{Live CD}}, {{Incident response}} |
 +
  license = {{GPL}} |
 +
  website = [http://masterkeylinux.com masterkeylinux.com]
 +
}}
  
== File Locations ==
+
'''Masterkey Linux''' (or simply Masterkey) is a [[Live CD]] based on [[Slackware]] developed by Dr. Qin Zhou of Coventry University. It focuses on [[Incident Response|incident response]] and [[computer forensics]].
  
Internet Explorer history files keep a record of URLs that the browser has visited, cookies that were created by these sites, and any temporary internet files that were downloaded by the site visit.  As a result, Internet Explorer history files are kept in several locations.  Regardless of the information stored in the file, the file is named index.dat.
+
Whilst designed for use by students entering the field of Computer Forensics, Masterkey contains a diverse range of free and open source tools that both students, computer forensics professionals and system administrators alike can use.
  
On Windows 95/98 these files were located in the following locations:
+
== Tools Included ==
<pre>
+
%systemdir%\Temporary Internet Files\Content.ie5
+
%systemdir%\Cookies
+
%systemdir%\History\History.ie5
+
</pre>
+
  
On Windows 2000/XP the file locations have changed:
+
In addition to standard unix/linux tools, a suite of editors, office applications and multimedia tools have been included, as well as the following specialised tools in the Masterkey Linux distribution:
<pre>
+
%systemdir%\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.ie5
+
%systemdir%\Documents and Settings\%username%\Cookies
+
%systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5
+
</pre>
+
  
On Windows Vista/7
+
* '''[[AIR]]''' 1.2.8
<pre>
+
%systemdir%\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\
+
%systemdir%\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\
+
</pre>
+
  
Internet Explorer also keeps daily, weekly, and monthly history logs that will be located in subfolders of %systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5.  The folders will be named <tt>MSHist<two-digit number><starting four-digit year><starting two-digit month><starting two-digit day><ending four-digit year><ending two-digit month><ending two-digit day></tt>.  For example, the folder containing data from March 26, 2008 to March 27, 2008 might be named <tt>MSHist012008032620080327</tt>.
+
AIR is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.
  
Note that not every file named index.dat is a MSIE History (Cache) file.
+
* '''[[Autopsy]]''' 2.21
  
== File Header ==
+
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit.
Every version of Internet Explorer since Internet Explorer 5 has used the same structure for the file header and the individual records.  Internet Explorer history files begin with:
+
43 6c 69 65 6e 74 20 55 72 6c 43 61 63 68 65 20 4d 4d 46 20 56 65 72 20 35 2e 32
+
Which represents the ascii string "Client UrlCache MMF Ver 5.2"
+
  
The next field in the file header starts at byte offset 28 and is a four byte representation of the file size.  The number will be stored in [[endianness | little-endian]] format so the numbers must actually be reversed to calculate the value.
+
* '''[[ClamAV]]''' for Unix 0.91.2
  
Also of interest in the file header is the location of the cache directories.  In the URL records the cache directories are given as a number, with one representing the first cache directory, two representing the second and so on.  The names of the cache directories are kept at byte offset 64 in the file.  Each directory entry is 12 bytes long of which the first eight bytes contain the directory name.
+
Clam AntiVirus is an anti-virus toolkit for UNIX
  
== Allocation bitmap ==
+
* '''[[chkrootkit]]''' 0.47
The IE History File contains an allocation bitmap starting from offset 0x250 to 0x4000.
+
  
== Record Formats ==
+
chkrootkit is a tool to locally check for signs of a rootkit.
  
Every record has a similar header that consists of 8 bytes.
+
* '''[[chntpw]]''' 070923
  
<pre>typedef struct _RECORD_HEADER {
+
chntpw is an Offline password and Registry Editor
  /* 000 */ char        Signature[4];
+
  /* 004 */ uint32_t    NumberOfBlocksInRecord;
+
} RECORD_HEADER;</pre>
+
  
The size of the record can be determined from the number of blocks in the record; per default the block size is 128 bytes. Therefore, a length of <pre>05 00 00 00</pre> would indicate five blocks (because the number is stored in little-endian format) of 128 bytes for a total record length of 640 bytes. Note that even for allocated records the number of blocks value cannot be fully relied upon.
+
* '''[[dcfldd]]''' 1.3.4-1
  
The blocks that make up a record can have slack space.
+
dcfldd is an enhanced version of GNU dd (also included in this distribution) with features useful for forensics and security
  
Currently 4 types of records are known:
+
* '''[[dd_rescue]]''' 1.14
* URL
+
* REDR
+
* HASH
+
* LEAK
+
  
Note that the location and filename strings are stored in the local codepage, normally these strings will only use the ASCII character set. Chinese versions of Windows are known to also use extended characters as well.
+
dd_rescue copies data from one file or block device to another. It is intended for error recovery.
  
=== URL Records ===
+
* '''[[GParted]]''' 0.3.3
  
These records indicate URIs that were actually requested. They contain the location and additional data like the web server's HTTP response. They begin with the header, in hexadecimal:
+
GParted is the Gnome Partition Editor application
  
<pre>55 52 4C 20</pre>
+
* '''[[Foremost]]''' 1.5
This corresponds to the string <tt>URL</tt> followed by a space.
+
  
The definition for the structure in C99 format:
+
Foremost is a console program to recover files based on their headers, footers, and internal data structures. It is a data carving tool.
  
<pre>typedef struct _URL_RECORD_HEADER {
+
* '''[[mac-robber]]''' 1.00
  /* 000 */ char        Signature[4];
+
  /* 004 */ uint32_t    AmountOfBlocksInRecord;
+
  /* 008 */ FILETIME    LastModified;
+
  /* 010 */ FILETIME    LastAccessed;
+
  /* 018 */ FATTIME    Expires;
+
  /* 01c */
+
  // Not finished yet
+
} URL_RECORD_HEADER;</pre>
+
  
<pre>
+
mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system.
typedef struct _FILETIME {
+
  /* 000 */ uint32_t    lower;
+
  /* 004 */ uint32_t    upper;
+
} FILETIME;</pre>
+
  
<pre>
+
* '''[[md5deep]]''' 1.12
typedef struct _FATTIME {
+
  /* 000 */ uint16_t    date;
+
  /* 002 */ uint16_t    time;
+
} FATTIME;</pre>
+
  
The actual interpretation of the "LastModified" and "LastAccessed" fields depends on the type of history file in which the record is contained. As a matter of fact, Internet Explorer uses three different types of history files, namely Daily History, Weekly History, and Main History. Other "index.dat" files are used to store cached copies of visited pages and cookies.
+
md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files.
The information concerning how to intepret the dates of these different files can be found on Capt. Steve Bunting's web page at the University of Delaware Computer Forensics Lab (http://www.stevebunting.org/udpd4n6/forensics/index_dat2.htm).
+
Please be aware that most free and/or open source index.dat parsing programs, as well as quite a few commercial forensic tools, are not able to correctly interpret the above dates. More specifically, they interpret all the time and dates as if the records were contained into a Daily History file regardless of the actual type of the file they are stored in.
+
  
=== REDR Records ===
+
* '''[[memdump]]''' 1.01
REDR records are very simple records.  They simply indicate that the browser was redirected to another site.  REDR records always start with the string REDR (0x52 45  44 52).  The next four bytes are the size of the record in little endian format.  The size will indicate the number 128 byte blocks.
+
  
At offset 8 from the start of the REDR record is an unknown data field.  It has been confirmed that this is not a date field.
+
memory dumper for UNIX-like systems
  
16 bytes into the REDR record is the URL that was visited in a null-terminated string. After the URL, the REDR record appears to be padded with zeros until the end of the 128 byte block.
+
* '''[[Rootkit Hunter]]''' 1.3.0
  
=== HASH Records ===
+
Rootkit Hunter is a rootkit scanner.
  
=== LEAK Records ===
+
* '''[[Scalpel]]''' 1.60
The exact purpose of LEAK records remains unknown, however research performed by Mike Murr suggests that LEAK records are created when the machine attempts to delete records from the history file while a corresponding Temporary Internet File (TIF) is held open and cannot be deleted.
+
  
== See Also ==
+
Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.
  
* [[Internet Explorer]]
+
* '''[[The Sleuth Kit]]''' 3.01
  
== External Links ==
+
The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools.
  
* [http://www.milincorporated.com/a3_index.dat.html What is in Index.dat files]
+
* '''[[Stegdetect]]''' 0.6-4
* [http://web.archive.org/web/20090824054415/http://www.foundstone.com/us/pdf/wp_index_dat.pdf Detailed analysis of index.dat file format]
+
* [http://code.google.com/p/libmsiecf/downloads/detail?name=MSIE%20Cache%20File%20%28index.dat%29%20format.pdf MSIE Cache File (index.dat) format specification], by the [[libmsiecf|libmsiecf project]]
+
* [http://kb.digital-detective.co.uk/display/NetAnalysis1/Internet+Explorer Digital Detective Knowledge Base: Internet Explorer]
+
* [http://www.forensicblog.org/2009/09/10/the-meaning-of-leak-records/ The Meaning of LEAK records], [[Mike Murr]], September 10, 2009
+
* [http://blog.digital-detective.co.uk/2010/04/microsoft-internet-explorer-privacie.html Microsoft Internet Explorer PrivacIE Entries], by Digital Detective, April 29, 2010
+
* [http://blogs.msdn.com/b/ieinternals/archive/2011/03/19/wininet-temporary-internet-files-cache-and-explorer-folder-view.aspx A Primer on Temporary Internet Files], by Eric Law, March 19, 2011
+
  
== Tools ==
+
Stegdetect is an automated tool for detecting steganographic content in images.
* [http://www.cqure.net/wp/iehist/ IEHist]
+
 
* [[libmsiecf]]
+
* '''[[Wipe]]''' 2005-05-09
* [https://sourceforge.net/projects/odessa/ pacso], note this tool has not been updates since 2004 and is considered deprecated
+
 
* [https://sourceforge.net/projects/pasco2/ pasco2]
+
Wipe is a file and block device wiping utility.
* [http://www.tzworks.net/prototype_page.php?proto_id=6 Windows 'index.dat' Parser (id)], by [[TZWorks LLC]]
+
 
 +
* '''[[Wireshark]]''' 0.99.6
 +
 
 +
Wireshark is a network protocol analyzer.
 +
 
 +
== Forensic Features ==
 +
 
 +
* Disk partitions and USB storage devices found by Masterkey are mounted read-only automatically. Icons for these mounted devices are displayed on the user's Desktop. This facilitates access and prevents a user from accidentally writing to the devices and contaminating evidence.
 +
 
 +
* Mounting and use of swap partitions is not allowed. This prevents a user from destroying any evidence present on swap partitions.
 +
 
 +
* Root privilege. The user works with the system as a super user (administrator) so that tools requiring root privilege can be used straightaway.  
 +
 
 +
* Console login. The Desktop environment (graphic user interface) does not start automatically during bootup. This makes it possible to work with Masterkey on older computers. The user can choose to start either the KDE or Fluxbox desktops if they wish.
 +
 
 +
== Forensic Issues ==
 +
 
 +
* Masterkey Linux relies on "-o ro" mount option to provide forensically sound mounts. Unfortunately, this option is not enough to provide real read-only access to media.
 +
 
 +
== External Links ==
  
[[Category:File Formats]]
+
* [http://masterkeylinux.com Masterkey Web Site]
 +
* [http://masterkeylinux.com/community Masterkey Community Forum]
 +
* [http://masterkeylinux.com/index.php/lft Live Forensic Toolkit]
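
Review bot: The "Forensic Issues" bullet near the end of this hunk says the "-o ro" mount option "is not enough to provide real read-only access to media" but gives no reason, reference or alternative, and it contradicts the first "Forensic Features" bullet, which presents the automatic read-only mounts as preventing contamination of evidence. Suggest stating in the issue bullet which writes can still reach the media and linking to a page that covers write blocking, and qualifying the feature bullet with a pointer to the issue. In "Tools Included", the memdump description ("memory dumper for UNIX-like systems") is a fragment unlike the other entries, and the ClamAV, chntpw, dcfldd and GParted descriptions have no closing full stop.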

Latest revision as of 05:42, 18 January 2014

Masterkey Linux
Maintainer: Dr. Q. Zhou - Coventry University
OS: Linux
Genre: Live CD, Incident Response
License: GPL
Website: masterkeylinux.com

Masterkey Linux (or simply Masterkey) is a Live CD based on Slackware developed by Dr. Qin Zhou of Coventry University. It focuses on incident response and computer forensics.

Whilst designed for use by students entering the field of computer forensics, Masterkey contains a diverse range of free and open source tools that students, computer forensics professionals and system administrators alike can use.

Tools Included

In addition to standard Unix/Linux tools, a suite of editors, office applications and multimedia tools has been included, as well as the following specialised tools in the Masterkey Linux distribution:

AIR is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.

The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit.

Clam AntiVirus is an anti-virus toolkit for UNIX.

chkrootkit is a tool to locally check for signs of a rootkit.

chntpw is an offline password and registry editor.

dcfldd is an enhanced version of GNU dd (also included in this distribution) with features useful for forensics and security.

dd_rescue copies data from one file or block device to another. It is intended for error recovery.

GParted is the GNOME Partition Editor application.

Foremost is a console program to recover files based on their headers, footers, and internal data structures. It is a data carving tool.

mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system.

md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files.

memdump is a memory dumper for UNIX-like systems.

Rootkit Hunter is a rootkit scanner.

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.

The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools.

Stegdetect is an automated tool for detecting steganographic content in images.

Wipe is a file and block device wiping utility.

Wireshark is a network protocol analyzer.

Forensic Features

  • Disk partitions and USB storage devices found by Masterkey are mounted read-only automatically. Icons for these mounted devices are displayed on the user's Desktop. This facilitates access and prevents a user from accidentally writing to the devices and contaminating evidence.
  • Mounting and use of swap partitions is not allowed. This prevents a user from destroying any evidence present on swap partitions.
  • Root privilege. The user works with the system as a super user (administrator) so that tools requiring root privilege can be used straightaway.
  • Console login. The Desktop environment (graphical user interface) does not start automatically during bootup. This makes it possible to work with Masterkey on older computers. The user can choose to start either the KDE or Fluxbox desktop if they wish.

Forensic Issues

  • Masterkey Linux relies on the "-o ro" mount option to provide forensically sound mounts. Unfortunately, this option is not enough to provide real read-only access to media.

External Links