Difference between pages "Internet Explorer History File Format" and "Training Courses and Providers"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(LEAK Records: added some information about what they are.)
 
(NON-COMMERCIAL TRAINING)
 
Line 1: Line 1:
{{Expand}}
+
This is the list of Training Course Providers, who offer training courses at specific dates/times and locations (referred to by [[Upcoming_events]]).
[[Internet Explorer]] as of version 4 stores the web browsing history in files called <tt>index.dat</tt>. The files contain multiple records.
+
MSIE version 3 probably uses similar records in its History (Cache) files.
+
  
== File Locations ==
+
<b>PLEASE READ BEFORE YOU EDIT THE LIST BELOW</b><br>
 +
Providers of scheduled training courses should be listed in alphabetical order, and should be listed in only one section.  Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement.  Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite).  Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.
  
Internet Explorer history files keep a record of URLs that the browser has visited, cookies that were created by these sites, and any temporary internet files that were downloaded by the site visitAs a result, Internet Explorer history files are kept in several locations.  Regardless of the information stored in the file, the file is named index.dat.
+
<i>Some training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audienceSuch restrictions should be noted when known.</i>
  
On Windows 95/98 these files were located in the following locations:
+
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv. 
<tt>%systemdir%\Temporary Internet Files\Content.ie5
+
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
%systemdir%\Cookies
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
%systemdir%\History\History.ie5</tt>
+
  
On Windows 2000/XP the file locations have changed:
+
==NON-COMMERCIAL TRAINING==
<tt>%systemdir%\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.ie5
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
%systemdir%\Documents and Settings\%username%\Cookies
+
|- style="background:#bfbfbf; font-weight: bold"
%systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5</tt>
+
! width="40%"|Title
 +
! width="40%"|Website
 +
! width="20%"|Limitation
 +
|-
 +
|Defense Cyber Investigations Training Academy (DCITA)
 +
|http://www.dc3.mil/dcita/dcitaAbout.php
 +
|Limited To Certain Roles within US Government Agencies[http://www.dc3.mil/dcita/dcitaRegistration.php (1)]
 +
|-
 +
|Federal Law Enforcement Training Center
 +
|http://www.fletc.gov/training/programs/computer-financial-intelligence/technical-operations
 +
|Limited To Law Enforcement
 +
|-
 +
|MSU National Forensics Training Center
 +
|http://www.security.cse.msstate.edu/ftc
 +
|Limited To Law Enforcement
 +
|-
 +
|IACIS
 +
|http://www.cops.org/training
 +
|Limited To Law Enforcement and Affiliate Members of IACIS
 +
|-
 +
|SEARCH
 +
|http://www.search.org/programs/hightech/calendar.asp
 +
|Limited To Law Enforcement
 +
|-
 +
|National White Collar Crime Center
 +
|http://www.nw3c.org/ocr/courses_desc.cfm
 +
|Limited To Law Enforcement
 +
|-
 +
|}
  
Internet Explorer also keeps daily, weekly, and monthly history logs that will be located in subfolders of %systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5. The folders will be named <tt>MSHist<two-digit number><starting four-digit year><starting two-digit month><starting two-digit day><ending four-digit year><ending two-digit month><ending two-digit day></tt>. For example, the folder containing data from March 26, 2008 to March 27, 2008 might be named <tt>MSHist012008032620080327</tt>.
+
==TOOL VENDOR TRAINING==
 +
{| border="0" cellpadding="2" cellspacing="2" align="top"
 +
|- style="background:#bfbfbf; font-weight: bold"
 +
! width="40%"|Title
 +
! width="40%"|Website
 +
! width="20%"|Limitation
 +
|-
 +
|AccessData (Forensic Tool Kit FTK)
 +
|http://www.accessdata.com/courses.html
 +
|-
 +
|ASR Data (SMART)
 +
|http://www.asrdata.com/training/
 +
|-
 +
|BlackBag Technologies (Macintosh Forensic Suite and MacQuisition Boot Disk)
 +
|http://www.blackbagtech.com/products/training.htm
 +
|-
 +
|CPR Tools (Data Recovery)
 +
|http://www.cprtools.net/training.php
 +
|-
 +
|Guidance Software (EnCase)
 +
|http://www.guidancesoftware.com/training/course_schedule.aspx
 +
|-
 +
|Nuix (eDiscovery)
 +
|http://www.nuix.com.au/eDiscovery.asp?active_page_id=147
 +
|-
 +
|Paraben (Paraben Suite)
 +
|http://www.paraben-training.com/training.html
 +
|-
 +
|Technology Pathways(ProDiscover)
 +
|http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
 +
|-
 +
|SubRosaSoft (MacForensicsLab)
 +
|http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
 +
|-
 +
|WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator)
 +
|https://www.wetstonetech.com/trainings.html
 +
|-
 +
|X-Ways Forensics (X-Ways Forensics)
 +
|http://www.x-ways.net/training/
 +
|-
 +
|}
  
Note that not every file named index.dat is a IE History file.
+
==COMMERCIAL TRAINING==
 
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
== File Header ==
+
|- style="background:#bfbfbf; font-weight: bold"
Every version of Internet Explorer since Internet Explorer 5 has used the same structure for the file header and the individual records.  Internet Explorer history files begin with:
+
! width="40%"|Title
43 6c 69 65 6e 74 20 55 72 6c 43 61 63 68 65 20 4d 4d 46 20 56 65 72 20 35 2e 32
+
! width="40%"|Website
Which represents the ascii string "Client UrlCache MMF Ver 5.2"
+
! width="20%"|Limitation
 
+
|-
The next field in the file header starts at byte offset 28 and is a four byte representation of the file size.  The number will be stored in [[endianness | little-endian]] format so the numbers must actually be reversed to calculate the value.
+
|Computer Forensic Training Center Online (CFTCO)
 
+
|http://www.cftco.com/
Also of interest in the file header is the location of the cache directories.  In the URL records the cache directories are given as a number, with one representing the first cache directory, two representing the second and so on.  The names of the cache directories are kept at byte offset 64 in the file.  Each directory entry is 12 bytes long of which the first eight bytes contain the directory name.
+
|-
 
+
|CCE Bootcamp
== Allocation bitmap ==
+
|http://www.cce-bootcamp.com/
The IE History File contains an allocation bitmap starting from offset 0x250 to 0x4000.
+
|-
 
+
|e-fense Training
== Record Formats ==
+
|http://www.e-fense.com/training.php
 
+
|-
Every record has a similar header that consists of 8 bytes.
+
|H-11 Digital Forensics
 
+
|http://www.h11-digital-forensics.com/training/viewclasses.php
<pre>typedef struct _RECORD_HEADER {
+
|-
  /* 000 */ char        Signature[4];
+
|High Tech Crime Institute
  /* 004 */ uint32_t    AmountOfBlocksInRecord;
+
|http://www.gohtci.com
} RECORD_HEADER;</pre>
+
|-
 
+
|Infosec Institute
The size of the record can be determined from the amount of blocks in the record; per default the block size is 128 bytes. Therefore, a length of <pre>05 00 00 00</pre> would indicate five blocks (because the number is stored in little-endian format) of 128 bytes for a total record length of 640 bytes.
+
|http://www.infosecinstitute.com/courses/security_training_courses.html
 
+
|-
The blocks that make up a record can have slack space.
+
|ManTech Computer Security Training
 
+
|http://www.mantech.com/msma/isso.asp
Currently 4 types of records are known:
+
|-
* URL
+
|Mobile Forensics, Inc
* REDR
+
|http://mobileforensicsinc.com/
* HASH
+
|-
* LEAK
+
|NTI (an Armor Forensics Company)
 
+
|http://www.forensics-intl.com/training.html
=== URL Records ===
+
|-
 
+
|Security University
These records indicate URIs that were actually requested. They contain the location and additional data like the web server's HTTP response. They begin with the header, in hexadecimal:
+
|http://www.securityuniversity.net/classes.php
 
+
|-
<pre>55 52 4C 20</pre>
+
|Steganography Analysis and Research Center (SARC)
This corresponds to the string <tt>URL</tt> followed by a space.
+
|http://www.sarc-wv.com/training.aspx
 
+
|-
The definition for the structure in C99 format:
+
|SysAdmin, Audit, Network, Security Institute (SANS)
 
+
|http://www.sans.org/training/courses.php
<pre>typedef struct _URL_RECORD_HEADER {
+
|-
  /* 000 */ char        Signature[4];
+
|Vigilar
  /* 004 */ uint32_t    AmountOfBlocksInRecord;
+
|http://www.vigilar.com/training/
  /* 008 */ FILETIME    LastModified;
+
|-
  /* 010 */ FILETIME    LastAccessed;
+
|}
  /* 018 */ FATTIME    Expires;
+
  /* 01c */
+
  // Not finished yet
+
} URL_RECORD_HEADER;</pre>
+
 
+
<pre>
+
typedef struct _FILETIME {
+
  /* 000 */ uint32_t    lower;
+
  /* 004 */ uint32_t    upper;
+
} FILETIME;</pre>
+
 
+
<pre>
+
typedef struct _FATTIME {
+
  /* 000 */ uint16_t    date;
+
  /* 002 */ uint16_t    time;
+
} FATTIME;</pre>
+
 
+
The actual interpretation of the "LastModified" and "LastAccessed" fields depends on the type of history file in which the record is contained. As a matter of fact, Internet Explorer uses three different types of history files, namely Daily History, Weekly History, and Main History. Other "index.dat" files are used to store cached copies of visited pages and cookies.
+
The information concerning how to intepret the dates of these different files can be found on Capt. Steve Bunting's web page at the University of Delaware Computer Forensics Lab (http://128.175.24.251/forensics/default.htm).
+
Please be aware that most free and/or open source index.dat parsing programs, as well as quite a few commercial forensic tools, are not able to correctly interpret the above dates. More specifically, they interpret all the time and dates as if the records were contained into a Daily History file regardless of the actual type of the file they are stored in.
+
 
+
=== REDR Records ===
+
REDR records are very simple records.  They simply indicate that the browser was redirected to another site.  REDR records always start with the string REDR (0x52 45  44 52).  The next four bytes are the size of the record in little endian format.  The size will indicate the number 128 byte blocks.
+
 
+
At offset 8 from the start of the REDR record is an unknown data field. It has been confirmed that this is not a date field.
+
 
+
16 bytes into the REDR record is the URL that was visited in a null-terminated string. After the URL, the REDR record appears to be padded with zeros until the end of the 128 byte block.
+
 
+
=== HASH Records ===
+
 
+
=== LEAK Records ===
+
The exact purpose of LEAK records remains unknown, however research performed by Mike Murr suggests that LEAK records are created when the machine attempts to delete records from the history file while a corresponding Temporary Internet File (TIF) is held open and cannot be deleted.
+
 
+
== External Links ==
+
 
+
* [http://www.cqure.net/wp/?page_id=18 IEHist program for reading index.dat files]
+
* [http://www.milincorporated.com/a3_index.dat.html What is in Index.dat files]
+
* [http://www.foundstone.com/us/pdf/wp_index_dat.pdf Detailed analysis of index.dat file format]
+
* [http://downloads.sourceforge.net/sourceforge/libmsiecf/MSIE_Cache_File_format.pdf MSIE Cache File (index.dat) format specification]
+
 
+
[[Category:File Formats]]
+

Revision as of 12:22, 6 March 2009

This is the list of Training Course Providers, who offer training courses at specific dates/times and locations (referred to by Upcoming_events).

PLEASE READ BEFORE YOU EDIT THE LIST BELOW
Providers of scheduled training courses should be listed in alphabetical order, and should be listed in only one section. Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement. Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite). Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.

Some training opportunities may be limited to Law Enforcement Only or to a specific audience. Such restrictions should be noted when known.

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv. (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST) Requests for additions, deletions or corrections to this list may be sent by email to David Baker (bakerd AT mitre.org).

NON-COMMERCIAL TRAINING

Title Website Limitation
Defense Cyber Investigations Training Academy (DCITA) http://www.dc3.mil/dcita/dcitaAbout.php Limited To Certain Roles within US Government Agencies(1)
Federal Law Enforcement Training Center http://www.fletc.gov/training/programs/computer-financial-intelligence/technical-operations Limited To Law Enforcement
MSU National Forensics Training Center http://www.security.cse.msstate.edu/ftc Limited To Law Enforcement
IACIS http://www.cops.org/training Limited To Law Enforcement and Affiliate Members of IACIS
SEARCH http://www.search.org/programs/hightech/calendar.asp Limited To Law Enforcement
National White Collar Crime Center http://www.nw3c.org/ocr/courses_desc.cfm Limited To Law Enforcement

TOOL VENDOR TRAINING

Title Website Limitation
AccessData (Forensic Tool Kit FTK) http://www.accessdata.com/courses.html
ASR Data (SMART) http://www.asrdata.com/training/
BlackBag Technologies (Macintosh Forensic Suite and MacQuisition Boot Disk) http://www.blackbagtech.com/products/training.htm
CPR Tools (Data Recovery) http://www.cprtools.net/training.php
Guidance Software (EnCase) http://www.guidancesoftware.com/training/course_schedule.aspx
Nuix (eDiscovery) http://www.nuix.com.au/eDiscovery.asp?active_page_id=147
Paraben (Paraben Suite) http://www.paraben-training.com/training.html
Technology Pathways(ProDiscover) http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
SubRosaSoft (MacForensicsLab) http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator) https://www.wetstonetech.com/trainings.html
X-Ways Forensics (X-Ways Forensics) http://www.x-ways.net/training/

COMMERCIAL TRAINING

Title Website Limitation
Computer Forensic Training Center Online (CFTCO) http://www.cftco.com/
CCE Bootcamp http://www.cce-bootcamp.com/
e-fense Training http://www.e-fense.com/training.php
H-11 Digital Forensics http://www.h11-digital-forensics.com/training/viewclasses.php
High Tech Crime Institute http://www.gohtci.com
Infosec Institute http://www.infosecinstitute.com/courses/security_training_courses.html
ManTech Computer Security Training http://www.mantech.com/msma/isso.asp
Mobile Forensics, Inc http://mobileforensicsinc.com/
NTI (an Armor Forensics Company) http://www.forensics-intl.com/training.html
Security University http://www.securityuniversity.net/classes.php
Steganography Analysis and Research Center (SARC) http://www.sarc-wv.com/training.aspx
SysAdmin, Audit, Network, Security Institute (SANS) http://www.sans.org/training/courses.php
Vigilar http://www.vigilar.com/training/