Difference between pages "Internet Explorer History File Format" and "Proxy server"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
m (removed category: Encryption :))
 
Line 1: Line 1:
{{Expand}}
+
{{expand}}
[[Internet Explorer]] as of version 4 stores the web browsing history in files called <tt>index.dat</tt>. The files contain multiple records.
+
MSIE version 3 probably uses similar records in its History (Cache) files.
+
  
== File Locations ==
+
'''Proxy server''' is a server which services the requests of its clients by forwarding requests to other servers.
  
Internet Explorer history files keep a record of URLs that the browser has visited, cookies that were created by these sites, and any temporary internet files that were downloaded by the site visit.  As a result, Internet Explorer history files are kept in several locations.  Regardless of the information stored in the file, the file is named index.dat.
+
== Overview ==
  
On Windows 95/98 these files were located in the following locations:
+
Proxy servers are widely used by organizations and individuals for different purposes:
<tt>%systemdir%\Temporary Internet Files\Content.ie5
+
%systemdir%\Cookies
+
%systemdir%\History\History.ie5</tt>
+
  
On Windows 2000/XP the file locations have changed:
+
* Internet sharing (like [[NAT]]);
<tt>%systemdir%\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.ie5
+
* Traffic compression;
%systemdir%\Documents and Settings\%username%\Cookies
+
* Accelerating service requests by retrieving content from cache;
%systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5</tt>
+
* and many others.
  
Internet Explorer also keeps daily, weekly, and monthly history logs that will be located in subfolders of %systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5.  The folders will be named <tt>MSHist<two-digit number><starting four-digit year><starting two-digit month><starting two-digit day><ending four-digit year><ending two-digit month><ending two-digit day></tt>.  For example, the folder containing data from March 26, 2008 to March 27, 2008 might be named <tt>MSHist012008032620080327</tt>.
+
Proxy servers are often used for malicious purposes (such as fraud).
  
Note that not every file named index.dat is a IE History file.
+
== HTTP proxies ==
  
== File Header ==
+
''These proxy servers are using HTTP.''
Every version of Internet Explorer since Internet Explorer 5 has used the same structure for the file header and the individual records. Internet Explorer history files begin with:
+
43 6c 69 65 6e 74 20 55 72 6c 43 61 63 68 65 20 4d 4d 46 20 56 65 72 20 35 2e 32
+
Which represents the ascii string "Client UrlCache MMF Ver 5.2"
+
  
The next field in the file header starts at byte offset 28 and is a four byte representation of the file size. The number will be stored in [[endianness | little-endian]] format so the numbers must actually be reversed to calculate the value.
+
Example request (direct; with relative URI):
 +
<pre>
 +
GET / HTTP/1.1
 +
Host: cryptome.org
 +
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
 +
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 +
Accept-Encoding: gzip,deflate
 +
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 +
Keep-Alive: 300
 +
Connection: keep-alive
 +
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
 +
If-None-Match: "e01922-62e9-45937059ec2de"
 +
Cache-Control: max-age=0
 +
</pre>
 +
Example request (using proxy; with absolute URI):
 +
<pre>
 +
GET http://cryptome.org/ HTTP/1.1
 +
Host: cryptome.org
 +
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
 +
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 +
Accept-Encoding: gzip,deflate
 +
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 +
Keep-Alive: 300
 +
Proxy-Connection: keep-alive
 +
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
 +
If-None-Match: "e01922-62e9-45937059ec2de"
 +
Cache-Control: max-age=0
 +
</pre>
 +
''Note:'' this HTTP request was intercepted on the way to proxy server.
  
Also of interest in the file header is the location of the cache directories. In the URL records the cache directories are given as a number, with one representing the first cache directory, two representing the second and so on. The names of the cache directories are kept at byte offset 64 in the file.  Each directory entry is 12 bytes long of which the first eight bytes contain the directory name.
+
According to RFC 2068 (section 5.1.2):
 +
<pre>
 +
The absoluteURI form is required when the request is being made to a proxy.
 +
</pre>
  
== Allocation bitmap ==
+
== HTTPS proxies ==
The IE History File contains an allocation bitmap starting from offset 0x250 to 0x4000.
+
  
== Record Formats ==
+
''The same as above, but using HTTPS (HTTP over SSL/TLS).''
  
Every record has a similar header that consists of 8 bytes.
+
Sometimes HTTP proxies that support CONNECT method are called ''"HTTPS proxies"''. These HTTP proxies can tunnel almost every TCP-based protocol.
 
+
<pre>typedef struct _RECORD_HEADER {
+
  /* 000 */ char        Signature[4];
+
  /* 004 */ uint32_t    AmountOfBlocksInRecord;
+
} RECORD_HEADER;</pre>
+
 
+
The size of the record can be determined from the amount of blocks in the record; per default the block size is 128 bytes. Therefore, a length of <pre>05 00 00 00</pre> would indicate five blocks (because the number is stored in little-endian format) of 128 bytes for a total record length of 640 bytes.
+
 
+
The blocks that make up a record can have slack space.
+
 
+
Currently 4 types of records are known:
+
* URL
+
* REDR
+
* HASH
+
* LEAK
+
 
+
=== URL Records ===
+
 
+
These records indicate URIs that were actually requested. They contain the location and additional data like the web server's HTTP response. They begin with the header, in hexadecimal:
+
 
+
<pre>55 52 4C 20</pre>
+
This corresponds to the string <tt>URL</tt> followed by a space.
+
 
+
The definition for the structure in C99 format:
+
 
+
<pre>typedef struct _URL_RECORD_HEADER {
+
  /* 000 */ char        Signature[4];
+
  /* 004 */ uint32_t    AmountOfBlocksInRecord;
+
  /* 008 */ FILETIME    LastModified;
+
  /* 010 */ FILETIME    LastAccessed;
+
  /* 018 */ FATTIME    Expires;
+
  /* 01c */
+
  // Not finished yet
+
} URL_RECORD_HEADER;</pre>
+
  
 +
Example request:
 
<pre>
 
<pre>
typedef struct _FILETIME {
+
CONNECT home.netscape.com:443 HTTP/1.0
  /* 000 */ uint32_t    lower;
+
User-agent: Mozilla/1.1N
  /* 004 */ uint32_t    upper;
+
</pre>
} FILETIME;</pre>
+
 
+
<pre>
+
typedef struct _FATTIME {
+
  /* 000 */ uint16_t    date;
+
  /* 002 */ uint16_t    time;
+
} FATTIME;</pre>
+
 
+
The actual interpretation of the "LastModified" and "LastAccessed" fields depends on the type of history file in which the record is contained. As a matter of fact, Internet Explorer uses three different types of history files, namely Daily History, Weekly History, and Main History. Other "index.dat" files are used to store cached copies of visited pages and cookies.
+
The information concerning how to intepret the dates of these different files can be found on Capt. Steve Bunting's web page at the University of Delaware Computer Forensics Lab (http://128.175.24.251/forensics/default.htm).
+
Please be aware that most free and/or open source index.dat parsing programs, as well as quite a few commercial forensic tools, are not able to correctly interpret the above dates. More specifically, they interpret all the time and dates as if the records were contained into a Daily History file regardless of the actual type of the file they are stored in.
+
 
+
=== REDR Records ===
+
REDR records are very simple records.  They simply indicate that the browser was redirected to another site.  REDR records always start with the string REDR (0x52 45  44 52).  The next four bytes are the size of the record in little endian format.  The size will indicate the number 128 byte blocks.
+
 
+
At offset 8 from the start of the REDR record is an unknown data field.  It has been confirmed that this is not a date field.
+
  
16 bytes into the REDR record is the URL that was visited in a null-terminated string.  After the URL, the REDR record appears to be padded with zeros until the end of the 128 byte block.
+
== SOCKS proxies ==
  
=== HASH Records ===
+
SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.
  
=== LEAK Records ===
+
== Web proxies (CGI proxies) ==
  
== External Links ==
+
These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.
  
* [http://www.cqure.net/wp/?page_id=18 IEHist program for reading index.dat files]
+
== Proxy detection ==
* [http://www.milincorporated.com/a3_index.dat.html What is in Index.dat files]
+
* [http://www.foundstone.com/us/pdf/wp_index_dat.pdf Detailed analysis of index.dat file format]
+
* [http://downloads.sourceforge.net/sourceforge/libmsiecf/MSIE_Cache_File_format.pdf MSIE Cache File (index.dat) format specification]
+
  
[[Category:File Formats]]
+
[[Category:Anti-Forensics]]
 +
[[Category:Network Forensics]]

Revision as of 15:06, 15 October 2008

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Proxy server is a server which services the requests of its clients by forwarding requests to other servers.

Overview

Proxy servers are widely used by organizations and individuals for different purposes:

  • Internet sharing (like NAT);
  • Traffic compression;
  • Accelerating service requests by retrieving content from cache;
  • and many others.

Proxy servers are often used for malicious purposes (such as fraud).

HTTP proxies

These proxy servers are using HTTP.

Example request (direct; with relative URI): 

GET / HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0

Example request (using proxy; with absolute URI): 

GET http://cryptome.org/ HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0

Note: this HTTP request was intercepted on the way to proxy server.

According to RFC 2068 (section 5.1.2): 

The absoluteURI form is required when the request is being made to a proxy.

HTTPS proxies

The same as above, but using HTTPS (HTTP over SSL/TLS).

Sometimes HTTP proxies that support CONNECT method are called "HTTPS proxies". These HTTP proxies can tunnel almost every TCP-based protocol.

Example request: 

CONNECT home.netscape.com:443 HTTP/1.0
User-agent: Mozilla/1.1N

SOCKS proxies

SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.

Web proxies (CGI proxies)

These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.

Proxy detection

Retrieved from "http://forensicswiki.org/index.php?title=Internet_Explorer_History_File_Format&oldid=8585"