Difference between pages "Internet Explorer" and "Malware analysis"

From Forensics Wiki
{{Expand}}
Analyzing [[malware]], or malicious software, is more of an art than a technique. Because malware takes so many forms, there are limitless ways for it to hide its functionality.
  
Microsoft Internet Explorer (MSIE) is the default [[Web Browser]] included with [[Microsoft Windows]].
Some common tools for malware analysis include simple programs like [[strings]]. More complex analysis can be conducted by looking at the headers of executables with programs like [[PEiD]] and [[PeExplorer]]. Finally, the most complete analysis can be done with disassemblers and debuggers like [[IDA Pro]] and [[OllyDbg]].
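The header inspection that PEiD or PE Explorer perform can be reproduced in a few dozen lines. The following Python script is an added example (not a tool from this page or the wiki's own code): it parses the DOS and COFF headers of a PE file, lists the sections, finds the section that holds the entry point, flags sections mapped both writable and executable (a common sign of a self-unpacking stub), and extracts printable strings the way [[strings]] does. The sample binary, its section names `UPX0`/`UPX1`, timestamp and embedded strings are constructed inline so the script runs offline.

```python
"""PE header triage in the spirit of PEiD / PE Explorer (added example, not a
tool from the page): parse the DOS and COFF headers, list sections, locate the
entry-point section, flag writable+executable sections and pull ASCII strings.
The sample image below is constructed inline so this runs offline."""
import re
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return {'machine', 'timestamp', 'entry', 'sections'} or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at optional-header offset 16 for both PE32 and PE32+
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    sections, pos = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
        pos += 40
    return {"machine": machine, "timestamp": stamp, "entry": entry, "sections": sections}


def entry_section(info):
    """Section whose virtual range contains AddressOfEntryPoint, or None."""
    for s in info["sections"]:
        if s["vaddr"] <= info["entry"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def wx_sections(info):
    """Sections that are both writable and executable: typical of unpacking stubs."""
    mask = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s for s in info["sections"] if s["flags"] & mask == mask]


def extract_strings(data, minlen=4):
    """ASCII runs of at least `minlen` printable characters, like `strings`."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


def build_sample_pe():
    """Constructed PE32 mimicking a packed layout: UPX0 has no raw data, UPX1 is
    writable+executable, holds the entry point and a couple of readable strings."""
    opt_size = 0xE0                                  # standard PE32 optional header size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0x5265B8A0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)          # AddressOfEntryPoint -> UPX1
    sec0 = struct.pack(SECTION_FMT, b"UPX0", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    sec1 = struct.pack(SECTION_FMT, b"UPX1", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec0 + sec1).ljust(0x200, b"\0")
    body = b"\x60\xbe\x00\x10\x40\x00" + b"kernel32.dll\0GetProcAddress\0"   # constructed
    return bytes(headers + body.ljust(0x200, b"\0"))


if __name__ == "__main__":
    blob = build_sample_pe()
    info = parse_pe(blob)
    ep = entry_section(info)
    print("machine=%#x sections=%s" % (info["machine"], [s["name"] for s in info["sections"]]))
    print("entry point %#x in section %s" % (info["entry"], ep["name"] if ep else "?"))
    print("writable+executable:", [s["name"] for s in wx_sections(info)])
    print("strings:", extract_strings(blob))
```

Run it against a real sample with `parse_pe(open(path, "rb").read())`; an entry point outside `.text`, a writable+executable section, or a strings list that is almost empty are the cues that send an analyst from header inspection to a debugger.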
 
== MSIE 4 to 9 ==
MSIE 4 to 9 use the [[Internet Explorer History File Format]] (or MSIE Cache File format). The cache files, commonly named index.dat, store both cache and history information.

== MSIE 10 ==

<pre>
C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\
</pre>

The WebCacheV01.dat database in this directory is in the [[Extensible Storage Engine (ESE) Database File (EDB) format]].

== Configuration ==
Internet Explorer applies its settings in the following order; a setting found in a key earlier in this list overrides the same setting in any key later in the list.
# Settings in Machine policy key
# Settings in User policy key
# Settings in User preference key
# Settings in Machine preference key

Machine policy key
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
</pre>

Machine preference key
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
</pre>

User policy key
<pre>
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
</pre>

User preference key
<pre>
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
</pre>

=== Security Zones ===
Zone settings live in a Zones subkey beneath each of the Internet Settings keys above, one numbered subkey per zone:
* 0 - My Computer
* 1 - Local Intranet Zone
* 2 - Trusted Sites Zone
* 3 - Internet Zone
* 4 - Restricted Sites Zone
* 5 - Custom
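The precedence rule and the zone numbers above can be applied mechanically to registry keys exported from an image. The following Python script is an added example, not part of the original page: it parses a constructed `reg export`-style dump of the four Internet Settings keys (including a Zones\3 subkey), resolves the effective value of each setting using the order machine policy, user policy, user preference, machine preference, and reports which lower-precedence values are overridden. The value names ProxyEnable, ProxyServer and the zone action 1400 (Active scripting) are real Internet Explorer registry names; the values, the host `wpad.example.test` and the idea that the user-preference proxy was planted by an intruder are constructed for the demonstration.

```python
"""Effective Internet Explorer settings from an exported registry dump.
Added example, not code from the page: applies the precedence order from the
Configuration section to a constructed `reg export`-style text and reports
which lower-precedence values are overridden.  ProxyEnable, ProxyServer and
zone action 1400 (Active scripting) are real IE names; the values are invented."""
import re

SUFFIX = r"\Windows\CurrentVersion\Internet Settings"
# Highest precedence first, as listed in the Configuration section.
PRECEDENCE = [
    ("machine policy",     r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft" + SUFFIX),
    ("user policy",        r"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft" + SUFFIX),
    ("user preference",    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft" + SUFFIX),
    ("machine preference", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft" + SUFFIX),
]
ZONES = {0: "My Computer", 1: "Local Intranet Zone", 2: "Trusted Sites Zone",
         3: "Internet Zone", 4: "Restricted Sites Zone", 5: "Custom"}

# Constructed sample: a user-preference proxy and a relaxed Internet Zone
# scripting setting, both neutralised by policy keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
"AutoConfigURL"="http://wpad.example.test/wpad.dat"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
'''


def parse_reg(text):
    """Parse the .reg subset IE settings use: [key] headers, "name"=dword:hex and
    "name"="string" (other value types are skipped).  -> {key: {name: value}}"""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            cur = keys.setdefault(m.group(1), {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.*)$', line)
        if not m or cur is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            cur[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            cur[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def _relative(key, root):
    """Path of `key` below `root` ('' for the root itself), or None if not under it."""
    k, r = key.lower(), root.lower()
    if k == r:
        return ""
    return key[len(root) + 1:] if k.startswith(r + "\\") else None


def resolve(keys):
    """Apply PRECEDENCE.  Returns (effective, overridden): effective maps
    (subkey, name) -> (value, source) from the first key that defines it;
    overridden lists (subkey, name, source, value, winning source) for losers."""
    effective, overridden = {}, []
    for source, root in PRECEDENCE:
        for key, values in keys.items():
            sub = _relative(key, root)
            if sub is None:
                continue
            for name, value in values.items():
                if (sub, name) in effective:
                    overridden.append((sub, name, source, value, effective[(sub, name)][1]))
                else:
                    effective[(sub, name)] = (value, source)
    return effective, overridden


def zone_label(subkey):
    """Human name for a 'Zones\\N' subkey using the identifiers listed above."""
    m = re.match(r"^Zones\\(\d+)$", subkey)
    return ZONES.get(int(m.group(1)), "unknown zone") if m else (subkey or "Internet Settings")


if __name__ == "__main__":
    effective, overridden = resolve(parse_reg(SAMPLE_REG))
    for (sub, name), (value, source) in sorted(effective.items()):
        print("%-18s %-14s = %-32r from %s" % (zone_label(sub), name, value, source))
    for sub, name, source, value, winner in overridden:
        print("overridden: %s %s=%r in %s (effective value comes from %s)" % (zone_label(sub), name, value, source, winner))
```

Real `reg export` output is UTF-16LE with a byte-order mark, so read such a file with `open(path, encoding="utf-16")` before passing it to `parse_reg`. The overridden list is the forensically interesting part: a proxy or zone setting written to the user preference key tells you what was attempted, but only the effective value tells you what the browser actually did.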
=== WPAD ===
  
 
== See Also ==
* [[Internet Explorer History File Format]]
* [[List of Malware Analysis Tools]]
  
 
== External Links ==
* [http://kb.digital-detective.co.uk/display/NetAnalysis1/Internet+Explorer+Cache Internet Explorer Cache]
* [http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1], by Paul Ducklin on October 11, 2013
* [http://support.microsoft.com/kb/182569 Internet Explorer security zones registry entries for advanced users], by [[Microsoft]]
* [http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2], by Paul Ducklin on October 25, 2013
* [http://technet.microsoft.com/en-us/library/cc302643.aspx Troubleshooting Automatic Detection], by [[Microsoft]]
* [http://www.microsoft.com/en-us/download/details.aspx?id=11575 Windows Virtual PC VHDs for testing websites with different Internet Explorer versions], by [[Microsoft]]
* [http://www.swiftforensics.com/2011/09/internet-explorer-recoverystore-aka.html Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity], by [[Yogesh Khatri]], September 29, 2011
* [http://tojoswalls.blogspot.ch/2013/05/java-web-vulnerability-mitigation-on.html Java Web Vulnerability Mitigation on Windows], by Tim Johnson, May 23, 2013
  
[[Category:Applications]]
[[Category:Malware]]
[[Category:Web Browsers]]

Revision as of 01:32, 28 October 2013
