Difference between pages "Internet Explorer History File Format" and "Upcoming events"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Link to IEHist corrected)
 
(Calls For Papers)
 
Line 1: Line 1:
{{Expand}}
+
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
[[Internet Explorer]] as of version 4 stores the web browsing history in files called <tt>index.dat</tt>. The files contain multiple records.
+
When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
MSIE version 3 probably uses similar records in its History (Cache) files.
+
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>
  
== File Locations ==
+
This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
  
Internet Explorer history files keep a record of URLs that the browser has visited, cookies that were created by these sites, and any temporary internet files that were downloaded by the site visit.  As a result, Internet Explorer history files are kept in several locations.  Regardless of the information stored in the file, the file is named index.dat.
+
This listing is divided into three sections (described as follows):<br>
 +
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
 +
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
 +
<li><b><u>[[Training Courses and Providers]]</u></b> - Training </li><br></ol>
  
On Windows 95/98 these files were located in the following locations:
+
== Calls For Papers ==
<pre>
+
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.
%systemdir%\Temporary Internet Files\Content.ie5
+
%systemdir%\Cookies
+
%systemdir%\History\History.ie5
+
</pre>
+
  
On Windows 2000/XP the file locations have changed:
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
<pre>
+
|- style="background:#bfbfbf; font-weight: bold"
%systemdir%\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.ie5
+
! width="30%|Title
%systemdir%\Documents and Settings\%username%\Cookies
+
! width="15%"|Due Date
%systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5
+
! width="15%"|Notification Date
</pre>
+
! width="40%"|Website
 +
|-
 +
|IEEE Symposium on Security and Privacy
 +
|Nov 13, 2013
 +
|
 +
|http://www.ieee-security.org/TC/SP2014/cfp.html
 +
|-
 +
|DFRWS-Europe 2014
 +
|Dec 01, 2013
 +
|Mar 01, 2014
 +
|http://www.dfrws.org/2014-europe/index.shtml
 +
|-
 +
|44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
 +
|Dec 01, 2013
 +
|Feb 25, 2014
 +
|http://www.dsn.org/
 +
|-
 +
|12th International Conference on Applied Cryptography and Network Security
 +
|Jan 10, 2014
 +
|Mar 14, 2014
 +
|http://acns2014.epfl.ch/callpapers.php
 +
|-
 +
|USENIX Annual Technical Conference
 +
|Jan 28, 2014
 +
|Apr 07, 2014
 +
|https://www.usenix.org/conference/atc14/call-for-papers
 +
|-
 +
|Audio Engineering Society (AES) Conference on Audio Forensics
 +
|Jan 31, 2014
 +
|Mar 15, 2014
 +
|http://www.aes.org/conferences/54/downloads/54thCallForContributions.pdf
 +
|-
 +
|}
  
Internet Explorer also keeps daily, weekly, and monthly history logs that will be located in subfolders of %systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5. The folders will be named <tt>MSHist<two-digit number><starting four-digit year><starting two-digit month><starting two-digit day><ending four-digit year><ending two-digit month><ending two-digit day></tt>.  For example, the folder containing data from March 26, 2008 to March 27, 2008 might be named <tt>MSHist012008032620080327</tt>.
+
See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']
  
Note that not every file named index.dat is a MSIE History (Cache) file.
+
== Conferences ==
 +
{| border="0" cellpadding="2" cellspacing="2" align="top"
 +
|- style="background:#bfbfbf; font-weight: bold"
 +
! width="40%"|Title
 +
! width="20%"|Date/Location
 +
! width="40%"|Website
 +
|-
 +
|VB2013 - the 23rd Virus Bulletin International Conference
 +
|Oct 02-04<br>Berlin, Germany
 +
|http://www.virusbtn.com/conference/vb2013/index
 +
|-
 +
|8th International Conference on Malicious and Unwanted Software
 +
|Oct 22-24<br>Fajardo, Puerto Rico, USA
 +
|http://www.malwareconference.org/index.php?option=com_frontpage&Itemid=1
 +
|-
 +
|16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
 +
|Oct 23-25<br>St. Lucia
 +
|http://www.raid2013.org/
 +
|-
 +
|5th International Workshop on Managing Insider Security Threats
 +
|Oct 24-25<br>Busan, South Korea
 +
|http://isyou.info/conf/mist13/index.htm
 +
|-
 +
|20th ACM Conference on Computer and Communications Security
 +
|Nov 04-08<br>Berlin, Germany
 +
|http://www.sigsac.org/ccs/CCS2013/
 +
|-
 +
|4th Annual Open Source Digital Forensics Conference (OSDF)
 +
|Nov 04-05<br>Chantilly, VA
 +
|http://www.basistech.com/about-us/events/open-source-forensics-conference/
 +
|-
 +
|Paraben Forensic Innovations Conference
 +
|Nov 13-15<br>Salt Lake City, UT
 +
|http://www.pfic-conference.com/
 +
|-
 +
|2013 International Conference on Information and Communications Security
 +
|Nov 20-22<br>Beijing, Chine
 +
|http://icsd.i2r.a-star.edu.sg/icics2013/index.php
 +
|-
 +
|8th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE)
 +
|Nov 21-22<br>Hong Kong, China
 +
|http://conf.ncku.edu.tw/sadfe/sadfe13/
 +
|-
 +
|Black Hat-Regional Summit
 +
|Nov 26-27<br>Sao Paulo, Brazil
 +
|https://www.blackhat.com/sp-13
 +
|-
 +
|29th Annual Computer Security Applications Conference (ACSAC)
 +
|Dec 09-13<br>New Orleans, LA
 +
|http://www.acsac.org
 +
|-
 +
|IFIP WG 11.9 International Conference on Digital Forensics
 +
|Jan 08-10<br>Vienna, Austria
 +
|http://www.ifip119.org/Conferences/
 +
|-
 +
|AAFS 66th Annual Scientific Meeting
 +
|Feb 17-22<br>Seattle, WA
 +
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
 +
|-
 +
|21st Network & Distributed System Security Symposium
 +
|Feb 23-26<br>San Diego, CA
 +
|http://www.internetsociety.org/events/ndss-symposium
 +
|-
 +
|Fourth ACM Conference on Data and Application Security and Privacy 2014
 +
|Mar 03-05<br>San Antonio, TX
 +
|http://www1.it.utsa.edu/codaspy/
 +
|-
 +
|9th International Conference on Cyber Warfare and Security (ICCWS-2014)
 +
|Mar 24-25<br>West Lafayette, IN
 +
|http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
 +
|-
 +
|DFRWS-Europe 2014
 +
|May 07-09<br>Amsterdam, Netherlands
 +
|http://dfrws.org/2014eu/index.shtml
 +
|-
 +
|2014 IEEE Symposium on Security and Privacy
 +
|May 16-23<br>Berkley, CA
 +
|http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=16517
 +
|-
 +
|Techno-Security and Forensics Conference
 +
|Jun 01-04<br>Myrtle Beach, SC
 +
|http://www.techsec.com/html/Security%20Conference%202014.html
 +
|-
 +
|Mobile Forensics World
 +
|Jun 01-04<br>Myrtle Beach, SC
 +
|http://www.techsec.com/html/MFC-2014-Spring.html
 +
|-
 +
|12th International Conference on Applied Cryptography and Network Security
 +
|Jun 10-13<br>Lausanne, Switzerland
 +
|http://acns2014.epfl.ch/
 +
|-
 +
|54th Conference on Audio Forensics
 +
|Jun 12-14<br>London, England
 +
|http://www.aes.org/conferences/54/
 +
|-
 +
|2014 USENIX Annual Technical Conference
 +
|Jun 19-20<br>Philadelphia, PA
 +
|https://www.usenix.org/conference/atc14
 +
|-
 +
|44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
 +
|Jun 23-26<br>Atlanta, GA
 +
|http://www.dsn.org/
 +
|-
 +
|Symposium On Usable Privacy and Security (SOUPS) 2014
 +
|Jul 09-11<br>Menlo Park, CA
 +
|http://cups.cs.cmu.edu/soups/2013/
 +
|-
 +
|DFRWS 2014
 +
|Aug 03-06<br>Denver, CO
 +
|http://dfrws.org/2014/index.shtml
 +
|-
 +
|23rd USENIX Security Symposium
 +
|Aug 20-22<br>San Diego, CA
 +
|https://www.usenix.org/conferences
 +
|-
 +
|}
  
== File Header ==
+
==See Also==
Every version of Internet Explorer since Internet Explorer 5 has used the same structure for the file header and the individual records.  Internet Explorer history files begin with:
+
* [[Training Courses and Providers]]
43 6c 69 65 6e 74 20 55 72 6c 43 61 63 68 65 20 4d 4d 46 20 56 65 72 20 35 2e 32
+
==References==
Which represents the ascii string "Client UrlCache MMF Ver 5.2"
+
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
 
+
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
The next field in the file header starts at byte offset 28 and is a four byte representation of the file size.  The number will be stored in [[endianness | little-endian]] format so the numbers must actually be reversed to calculate the value.
+
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
 
+
Also of interest in the file header is the location of the cache directories.  In the URL records the cache directories are given as a number, with one representing the first cache directory, two representing the second and so on.  The names of the cache directories are kept at byte offset 64 in the file.  Each directory entry is 12 bytes long of which the first eight bytes contain the directory name.
+
 
+
== Allocation bitmap ==
+
The IE History File contains an allocation bitmap starting from offset 0x250 to 0x4000.
+
 
+
== Record Formats ==
+
 
+
Every record has a similar header that consists of 8 bytes.
+
 
+
<pre>typedef struct _RECORD_HEADER {
+
  /* 000 */ char        Signature[4];
+
  /* 004 */ uint32_t    NumberOfBlocksInRecord;
+
} RECORD_HEADER;</pre>
+
 
+
The size of the record can be determined from the number of blocks in the record; per default the block size is 128 bytes. Therefore, a length of <pre>05 00 00 00</pre> would indicate five blocks (because the number is stored in little-endian format) of 128 bytes for a total record length of 640 bytes. Note that even for allocated records the number of blocks value cannot be fully relied upon.
+
 
+
The blocks that make up a record can have slack space.
+
 
+
Currently 4 types of records are known:
+
* URL
+
* REDR
+
* HASH
+
* LEAK
+
 
+
Note that the location and filename strings are stored in the local codepage, normally these strings will only use the ASCII character set. Chinese versions of Windows are known to also use extended characters as well.
+
 
+
=== URL Records ===
+
 
+
These records indicate URIs that were actually requested. They contain the location and additional data like the web server's HTTP response. They begin with the header, in hexadecimal:
+
 
+
<pre>55 52 4C 20</pre>
+
This corresponds to the string <tt>URL</tt> followed by a space.
+
 
+
The definition for the structure in C99 format:
+
 
+
<pre>typedef struct _URL_RECORD_HEADER {
+
  /* 000 */ char        Signature[4];
+
  /* 004 */ uint32_t    AmountOfBlocksInRecord;
+
  /* 008 */ FILETIME    LastModified;
+
  /* 010 */ FILETIME    LastAccessed;
+
  /* 018 */ FATTIME    Expires;
+
  /* 01c */
+
  // Not finished yet
+
} URL_RECORD_HEADER;</pre>
+
 
+
<pre>
+
typedef struct _FILETIME {
+
  /* 000 */ uint32_t    lower;
+
  /* 004 */ uint32_t    upper;
+
} FILETIME;</pre>
+
 
+
<pre>
+
typedef struct _FATTIME {
+
  /* 000 */ uint16_t    date;
+
  /* 002 */ uint16_t    time;
+
} FATTIME;</pre>
+
 
+
The actual interpretation of the "LastModified" and "LastAccessed" fields depends on the type of history file in which the record is contained. As a matter of fact, Internet Explorer uses three different types of history files, namely Daily History, Weekly History, and Main History. Other "index.dat" files are used to store cached copies of visited pages and cookies.
+
The information concerning how to intepret the dates of these different files can be found on Capt. Steve Bunting's web page at the University of Delaware Computer Forensics Lab (http://www.stevebunting.org/udpd4n6/forensics/index_dat2.htm).
+
Please be aware that most free and/or open source index.dat parsing programs, as well as quite a few commercial forensic tools, are not able to correctly interpret the above dates. More specifically, they interpret all the time and dates as if the records were contained into a Daily History file regardless of the actual type of the file they are stored in.
+
 
+
=== REDR Records ===
+
REDR records are very simple records.  They simply indicate that the browser was redirected to another site.  REDR records always start with the string REDR (0x52 45  44 52).  The next four bytes are the size of the record in little endian format.  The size will indicate the number 128 byte blocks.
+
 
+
At offset 8 from the start of the REDR record is an unknown data field.  It has been confirmed that this is not a date field.
+
 
+
16 bytes into the REDR record is the URL that was visited in a null-terminated string.  After the URL, the REDR record appears to be padded with zeros until the end of the 128 byte block.
+
 
+
=== HASH Records ===
+
 
+
=== LEAK Records ===
+
The exact purpose of LEAK records remains unknown, however research performed by Mike Murr suggests that LEAK records are created when the machine attempts to delete records from the history file while a corresponding Temporary Internet File (TIF) is held open and cannot be deleted.
+
 
+
== External Links ==
+
 
+
* [http://www.cqure.net/wp/iehist/ IEHist program for reading index.dat files]
+
* [http://www.milincorporated.com/a3_index.dat.html What is in Index.dat files]
+
* [http://www.foundstone.com/us/pdf/wp_index_dat.pdf Detailed analysis of index.dat file format]
+
* [http://downloads.sourceforge.net/sourceforge/libmsiecf/MSIE_Cache_File_format.pdf MSIE Cache File (index.dat) format specification]
+
* [http://www.forensicblog.org/2009/09/10/the-meaning-of-leak-records/ The Meaning of LEAK records]
+
* [http://www.tzworks.net/prototype_page.php?proto_id=6 Windows 'index.dat' Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
+
 
+
[[Category:File Formats]]
+

Revision as of 10:45, 25 September 2013

PLEASE READ BEFORE YOU EDIT THE LISTS BELOW
When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).
Some events may be limited to Law Enforcement Only or to a specific audience. Such restrictions should be noted when known.

This is a BY DATE listing of upcoming events relevant to digital forensics. It is not an all inclusive list, but includes most well-known activities. Some events may duplicate events on the generic conferences page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into three sections (described as follows):

  1. Calls For Papers - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)

  2. Conferences - Conferences relevant for Digital Forensics (Name, Date, Location, URL)

  3. Training Courses and Providers - Training

Calls For Papers

Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.

Title Due Date Notification Date Website
IEEE Symposium on Security and Privacy Nov 13, 2013 http://www.ieee-security.org/TC/SP2014/cfp.html
DFRWS-Europe 2014 Dec 01, 2013 Mar 01, 2014 http://www.dfrws.org/2014-europe/index.shtml
44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Dec 01, 2013 Feb 25, 2014 http://www.dsn.org/
12th International Conference on Applied Cryptography and Network Security Jan 10, 2014 Mar 14, 2014 http://acns2014.epfl.ch/callpapers.php
USENIX Annual Technical Conference Jan 28, 2014 Apr 07, 2014 https://www.usenix.org/conference/atc14/call-for-papers
Audio Engineering Society (AES) Conference on Audio Forensics Jan 31, 2014 Mar 15, 2014 http://www.aes.org/conferences/54/downloads/54thCallForContributions.pdf

See also WikiCFP 'Forensics'

Conferences

Title Date/Location Website
VB2013 - the 23rd Virus Bulletin International Conference Oct 02-04
Berlin, Germany
http://www.virusbtn.com/conference/vb2013/index
8th International Conference on Malicious and Unwanted Software Oct 22-24
Fajardo, Puerto Rico, USA
http://www.malwareconference.org/index.php?option=com_frontpage&Itemid=1
16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID) Oct 23-25
St. Lucia
http://www.raid2013.org/
5th International Workshop on Managing Insider Security Threats Oct 24-25
Busan, South Korea
http://isyou.info/conf/mist13/index.htm
20th ACM Conference on Computer and Communications Security Nov 04-08
Berlin, Germany
http://www.sigsac.org/ccs/CCS2013/
4th Annual Open Source Digital Forensics Conference (OSDF) Nov 04-05
Chantilly, VA
http://www.basistech.com/about-us/events/open-source-forensics-conference/
Paraben Forensic Innovations Conference Nov 13-15
Salt Lake City, UT
http://www.pfic-conference.com/
2013 International Conference on Information and Communications Security Nov 20-22
Beijing, Chine
http://icsd.i2r.a-star.edu.sg/icics2013/index.php
8th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE) Nov 21-22
Hong Kong, China
http://conf.ncku.edu.tw/sadfe/sadfe13/
Black Hat-Regional Summit Nov 26-27
Sao Paulo, Brazil
https://www.blackhat.com/sp-13
29th Annual Computer Security Applications Conference (ACSAC) Dec 09-13
New Orleans, LA
http://www.acsac.org
IFIP WG 11.9 International Conference on Digital Forensics Jan 08-10
Vienna, Austria
http://www.ifip119.org/Conferences/
AAFS 66th Annual Scientific Meeting Feb 17-22
Seattle, WA
http://www.aafs.org/aafs-66th-annual-scientific-meeting
21st Network & Distributed System Security Symposium Feb 23-26
San Diego, CA
http://www.internetsociety.org/events/ndss-symposium
Fourth ACM Conference on Data and Application Security and Privacy 2014 Mar 03-05
San Antonio, TX
http://www1.it.utsa.edu/codaspy/
9th International Conference on Cyber Warfare and Security (ICCWS-2014) Mar 24-25
West Lafayette, IN
http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
DFRWS-Europe 2014 May 07-09
Amsterdam, Netherlands
http://dfrws.org/2014eu/index.shtml
2014 IEEE Symposium on Security and Privacy May 16-23
Berkley, CA
http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=16517
Techno-Security and Forensics Conference Jun 01-04
Myrtle Beach, SC
http://www.techsec.com/html/Security%20Conference%202014.html
Mobile Forensics World Jun 01-04
Myrtle Beach, SC
http://www.techsec.com/html/MFC-2014-Spring.html
12th International Conference on Applied Cryptography and Network Security Jun 10-13
Lausanne, Switzerland
http://acns2014.epfl.ch/
54th Conference on Audio Forensics Jun 12-14
London, England
http://www.aes.org/conferences/54/
2014 USENIX Annual Technical Conference Jun 19-20
Philadelphia, PA
https://www.usenix.org/conference/atc14
44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Jun 23-26
Atlanta, GA
http://www.dsn.org/
Symposium On Usable Privacy and Security (SOUPS) 2014 Jul 09-11
Menlo Park, CA
http://cups.cs.cmu.edu/soups/2013/
DFRWS 2014 Aug 03-06
Denver, CO
http://dfrws.org/2014/index.shtml
23rd USENIX Security Symposium Aug 20-22
San Diego, CA
https://www.usenix.org/conferences

See Also

References