Difference between pages "Internet Explorer History File Format" and "Training Courses and Providers"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(On-going / Continuous Training)
 
Line 1: Line 1:
{{Expand}}
+
This is the list of Training Providers, who offer training courses of interest to practitioners and researchers in the field of Digital Forensics.  Conferences which may include training are located on the [[Upcoming_events]] page.
[[Internet Explorer]] as of version 4 stores the web browsing history in files called <tt>index.dat</tt>. The files contain multiple records.
+
MSIE version 3 probably uses similar records in its History (Cache) files.
+
  
== File Locations ==
+
<b>PLEASE READ BEFORE YOU EDIT THE LIST BELOW</b><br>
 +
Some training providers offer on-going training courses that are available in an on-line "any time" format. Others have regularly scheduled training that is the same time each month.  Others have recurring training but are scheduled at various times throughout the year. Providers training courses should be listed in alphabetical order, and should be listed in the appropriate section.  Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement.  Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite).  Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.
  
Internet Explorer history files keep a record of URLs that the browser has visited, cookies that were created by these sites, and any temporary internet files that were downloaded by the site visitAs a result, Internet Explorer history files are kept in several locations. Regardless of the information stored in the file, the file is named index.dat.
+
<i>Some training opportunities may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audienceSuch restrictions should be noted when known.</i>
 +
== On-going / Continuous Training ==
 +
{| border="0" cellpadding="2" cellspacing="2" align="top"
 +
|- style="background:#bfbfbf; font-weight: bold"
 +
! width="40%"|Title
 +
! width="20%"|Date/Location
 +
! width="40%"|Website
 +
|-
 +
|- style="background:pink;align:left"
 +
! DISTANCE LEARNING
 +
|-
 +
|Basic Computer Examiner Course - Computer Forensic Training Online
 +
|Distance Learning Format
 +
|http://www.cftco.com
 +
|-
 +
|Linux Data Forensics Training
 +
|Distance Learning Format
 +
|http://www.onlineforensictraining.com/courses.html
 +
|-
 +
|SANS On-Demand Training
 +
|Distance Learning Format
 +
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
 +
|-
 +
|Champlain College - CCE Course
 +
|Online / Distance Learning Format
 +
|http://extra.champlain.edu/cps/wdc/alliances/cce/landing/
 +
|-
 +
|Las Positas College
 +
|Online Computer Forensics Courses
 +
|http://www.laspositascollege.edu
 +
|-
 +
|National Center for Media Forensics
 +
|Distance and Concentrated Audio/Video/Image Forensics
 +
|http://cam.ucdenver.edu/ncmf
 +
|-
 +
|- style="background:pink;align:left"
 +
!RECURRING TRAINING
 +
|-
 +
|Evidence Recovery for Windows 7&reg; operating system;
 +
|First full week every month<br>Brunswick, GA
 +
|http://www.internetcrimes.net
 +
|-
 +
|Evidence Recovery for Windows 8&reg;
 +
|Second full week every month<br>Brunswick, GA
 +
|http://www.internetcrimes.net
 +
|-
 +
|Evidence Recovery for Windows Server&reg; 2008 and 2012
 +
|Third full week every month<br>Brunswick, GA
 +
|http://www.internetcrimes.net
 +
|-
 +
|}
  
On Windows 95/98 these files were located in the following locations:
+
==Non-Commercial Training==
<pre>
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
%systemdir%\Temporary Internet Files\Content.ie5
+
|- style="background:#bfbfbf; font-weight: bold"
%systemdir%\Cookies
+
! width="40%"|Title
%systemdir%\History\History.ie5
+
! width="40%"|Website
</pre>
+
! width="20%"|Limitation
 +
|-
 +
|Defense Cyber Investigations Training Academy (DCITA)
 +
|http://www.dc3.mil/dcita/dcitaAbout.php
 +
|Limited To Certain Roles within US Government Agencies[http://www.dc3.mil/dcita/dcitaRegistration.php (1)]
 +
|-
 +
|Federal Law Enforcement Training Center
 +
|http://www.fletc.gov/training/programs/technical-operations-division
 +
|Limited To Law Enforcement
 +
|-
 +
|MSU National Forensics Training Center
 +
|http://www.security.cse.msstate.edu/ftc
 +
|Limited To Law Enforcement
 +
|-
 +
|IACIS
 +
|http://www.iacis.com/training/course_listings
 +
|Limited To Law Enforcement and Affiliate Members of IACIS
 +
|-
 +
|SEARCH
 +
|http://www.search.org/programs/hightech/courses/
 +
|Limited To Law Enforcement
 +
|-
 +
|National White Collar Crime Center
 +
|http://www.nw3c.org/ocr/courses_desc.cfm
 +
|Limited To Law Enforcement
 +
|-
 +
|}
  
On Windows 2000/XP the file locations have changed:
+
==Tool Vendor Training==
<pre>
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
%systemdir%\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.ie5
+
|- style="background:#bfbfbf; font-weight: bold"
%systemdir%\Documents and Settings\%username%\Cookies
+
! width="40%"|Title
%systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5
+
! width="40%"|Website
</pre>
+
! width="20%"|Limitation
 +
|-
 +
|AccessData (Forensic Tool Kit FTK)
 +
|http://accessdata.com/training
 +
|-
 +
|ASR Data (SMART)
 +
|http://www.asrdata.com/forensic-training/overview/
 +
|-
 +
|ATC-NY (P2P Marshal, Mac Marshal)
 +
|http://p2pmarshal.atc-nycorp.com/index.php/training http://macmarshal.atc-nycorp.com/index.php/training
 +
|-
 +
|BlackBag Technologies (Mac Forensic Tools- BlackLight and SoftBlock)
 +
|https://www.blackbagtech.com/training.html
 +
|-
 +
|Cellebrite (UFED)
 +
|http://cellebrite.com/mobile-forensics-products/ufed-training.html
 +
|-
 +
|CPR Tools (Data Recovery)
 +
|http://www.cprtools.net/training.php
 +
|-
 +
|Digital Intelligence (FRED Forensics Platform)
 +
|http://www.digitalintelligence.com/forensictraining.php
 +
|-
 +
|e-fense, Inc. (Helix3 Pro)
 +
|http://www.e-fense.com/training/index.php
 +
|-
 +
|Guidance Software (EnCase)
 +
|http://www.guidancesoftware.com/computer-forensics-training-courses.htm
 +
|-
 +
|Micro Systemation (XRY)
 +
|http://www.msab.com/training/schedule
 +
|-
 +
|Nuix (eDiscovery)
 +
|http://www.nuix.com.au/eDiscovery.asp?active_page_id=147
 +
|-
 +
|Paraben (Paraben Suite)
 +
|http://www.paraben-training.com/schedule.html
 +
|-
 +
|Software Analysis & Forensic Engineering (CodeSuite)
 +
|http://www.safe-corp.biz/training.htm
 +
|-
 +
|Technology Pathways(ProDiscover)
 +
|http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
 +
|-
 +
|SubRosaSoft (MacForensicsLab)
 +
|http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
 +
|-
 +
|Volatility Labs (Volatility Framework)
 +
|http://volatility-labs.blogspot.com/search/label/training
 +
|-
 +
|WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator)
 +
|https://www.wetstonetech.com/trainings.html
 +
|-
 +
|X-Ways Forensics (X-Ways Forensics)
 +
|http://www.x-ways.net/training/
 +
|-
 +
|}
  
Internet Explorer also keeps daily, weekly, and monthly history logs that will be located in subfolders of %systemdir%\Documents and Settings\%username%\Local Settings\History\history.ie5.  The folders will be named <tt>MSHist<two-digit number><starting four-digit year><starting two-digit month><starting two-digit day><ending four-digit year><ending two-digit month><ending two-digit day></tt>.  For example, the folder containing data from March 26, 2008 to March 27, 2008 might be named <tt>MSHist012008032620080327</tt>.
+
==Commercial Training (Non-Tool Vendor)==
 
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
Note that not every file named index.dat is a MSIE History (Cache) file.
+
|- style="background:#bfbfbf; font-weight: bold"
 
+
! width="40%"|Title
== File Header ==
+
! width="40%"|Website
Every version of Internet Explorer since Internet Explorer 5 has used the same structure for the file header and the individual records.  Internet Explorer history files begin with:
+
! width="20%"|Limitation
43 6c 69 65 6e 74 20 55 72 6c 43 61 63 68 65 20 4d 4d 46 20 56 65 72 20 35 2e 32
+
|-
Which represents the ascii string "Client UrlCache MMF Ver 5.2"
+
|Applied Security (Digital Forensics Training)
 
+
|http://www.appliedsec.com/forensics/training.html
The next field in the file header starts at byte offset 28 and is a four byte representation of the file size.  The number will be stored in [[endianness | little-endian]] format so the numbers must actually be reversed to calculate the value.
+
|-
 
+
|BerlaCorp iOS and GPS Forensics Training
Also of interest in the file header is the location of the cache directories. In the URL records the cache directories are given as a number, with one representing the first cache directory, two representing the second and so on. The names of the cache directories are kept at byte offset 64 in the file.  Each directory entry is 12 bytes long of which the first eight bytes contain the directory name.
+
|http://www.berlacorp.com/training.html
 
+
|-
== Allocation bitmap ==
+
|Computer Forensic Training Center Online (CFTCO)
The IE History File contains an allocation bitmap starting from offset 0x250 to 0x4000.
+
|http://www.cftco.com/
 
+
|-
== Record Formats ==
+
|CCE Bootcamp
 
+
|http://www.cce-bootcamp.com/
Every record has a similar header that consists of 8 bytes.
+
|-
 
+
|Cyber Security Academy
<pre>typedef struct _RECORD_HEADER {
+
|http://www.cybersecurityacademy.com/
  /* 000 */ char        Signature[4];
+
|-
  /* 004 */ uint32_t    NumberOfBlocksInRecord;
+
|Dera Forensics Group
} RECORD_HEADER;</pre>
+
|http://www.deraforensicgroup.com/courses.htm
 
+
|-
The size of the record can be determined from the number of blocks in the record; per default the block size is 128 bytes. Therefore, a length of <pre>05 00 00 00</pre> would indicate five blocks (because the number is stored in little-endian format) of 128 bytes for a total record length of 640 bytes. Note that even for allocated records the number of blocks value cannot be fully relied upon.
+
|e-fense Training
 
+
|http://www.e-fense.com/training/index.php
The blocks that make up a record can have slack space.
+
|-
 
+
|Forward Discovery, Inc.
Currently 4 types of records are known:
+
|http://www.forwarddiscovery.com
* URL
+
|-
* REDR
+
|H-11 Digital Forensics
* HASH
+
|http://www.h11-digital-forensics.com/training/viewclasses.php
* LEAK
+
|-
 
+
|High Tech Crime Institute
Note that the location and filename strings are stored in the local codepage, normally these strings will only use the ASCII character set. Chinese versions of Windows are known to also use extended characters as well.
+
|http://www.gohtci.com
 
+
|-
=== URL Records ===
+
|Infosec Institute
 
+
|http://www.infosecinstitute.com/courses/security_training_courses.html
These records indicate URIs that were actually requested. They contain the location and additional data like the web server's HTTP response. They begin with the header, in hexadecimal:
+
|-
 
+
|Intense School (a subsidiary of Infosec Institute)
<pre>55 52 4C 20</pre>
+
|http://www.intenseschool.com/schedules
This corresponds to the string <tt>URL</tt> followed by a space.
+
|-
 
+
|MD5 Group (Computer Forensics and E-Discovery courses)(Dallas, TX)
The definition for the structure in C99 format:
+
|http://www.md5group.com
 
+
|-
<pre>typedef struct _URL_RECORD_HEADER {
+
|Mile 2 (Security and Forensics Certification Training)
  /* 000 */ char        Signature[4];
+
|https://www.mile2.com/mile2-online-estore/classess.html
  /* 004 */ uint32_t    AmountOfBlocksInRecord;
+
|-
  /* 008 */ FILETIME    LastModified;
+
|Mobile Forensics, Inc
  /* 010 */ FILETIME    LastAccessed;
+
|http://mobileforensicsinc.com/
  /* 018 */ FATTIME    Expires;
+
|-
  /* 01c */  
+
|NetSecurity
  // Not finished yet
+
|http://www.netsecurity.com/training/registration_schedule.html
} URL_RECORD_HEADER;</pre>
+
|-
 
+
|NID Forensics Academy (Certified Digital Forensic Investigator - CDFI Program)
<pre>
+
|http://www.nidforensics.com.br/
typedef struct _FILETIME {
+
|-
  /* 000 */ uint32_t    lower;
+
|NTI (an Armor Forensics Company) APPEARS DEFUNCT
  /* 004 */ uint32_t    upper;
+
|http://www.forensics-intl.com/training.html
} FILETIME;</pre>
+
|-
 
+
|Security University
<pre>
+
|http://www.securityuniversity.net/classes.php
typedef struct _FATTIME {
+
|-
  /* 000 */ uint16_t    date;
+
|Steganography Analysis and Research Center (SARC)
  /* 002 */ uint16_t    time;
+
|http://www.sarc-wv.com/training
} FATTIME;</pre>
+
|-
 
+
|Sumuri, LLC - Mac, Mobile, iLook Training
The actual interpretation of the "LastModified" and "LastAccessed" fields depends on the type of history file in which the record is contained. As a matter of fact, Internet Explorer uses three different types of history files, namely Daily History, Weekly History, and Main History. Other "index.dat" files are used to store cached copies of visited pages and cookies.
+
|http://www.sumuri.com/index.php/features/training-and-events-calendar
The information concerning how to intepret the dates of these different files can be found on Capt. Steve Bunting's web page at the University of Delaware Computer Forensics Lab (http://www.stevebunting.org/udpd4n6/forensics/index_dat2.htm).
+
|-
Please be aware that most free and/or open source index.dat parsing programs, as well as quite a few commercial forensic tools, are not able to correctly interpret the above dates. More specifically, they interpret all the time and dates as if the records were contained into a Daily History file regardless of the actual type of the file they are stored in.
+
|SysAdmin, Audit, Network, Security Institute (SANS)
 
+
|http://computer-forensics.sans.org/courses/
=== REDR Records ===
+
|-
REDR records are very simple records. They simply indicate that the browser was redirected to another site. REDR records always start with the string REDR (0x52 45  44 52). The next four bytes are the size of the record in little endian format. The size will indicate the number 128 byte blocks.
+
|Teel Technologies Mobile Device Forensics Training
 
+
|http://www.teeltech.com/tt3/training.asp
At offset 8 from the start of the REDR record is an unknown data field.  It has been confirmed that this is not a date field.
+
|-
 
+
|viaForensics Advanced Mobile Forensics Training
16 bytes into the REDR record is the URL that was visited in a null-terminated string. After the URL, the REDR record appears to be padded with zeros until the end of the 128 byte block.
+
|http://viaforensics.com/education/calendar/
 
+
|-
=== HASH Records ===
+
|Zeidman Consulting (MCLE)
 
+
|http://www.zeidmanconsulting.com/speaking.htm
=== LEAK Records ===
+
|-
The exact purpose of LEAK records remains unknown, however research performed by Mike Murr suggests that LEAK records are created when the machine attempts to delete records from the history file while a corresponding Temporary Internet File (TIF) is held open and cannot be deleted.
+
|}
 
+
== External Links ==
+
 
+
* [http://www.cqure.net/wp/?page_id=18 IEHist program for reading index.dat files]
+
* [http://www.milincorporated.com/a3_index.dat.html What is in Index.dat files]
+
* [http://www.foundstone.com/us/pdf/wp_index_dat.pdf Detailed analysis of index.dat file format]
+
* [http://downloads.sourceforge.net/sourceforge/libmsiecf/MSIE_Cache_File_format.pdf MSIE Cache File (index.dat) format specification]
+
* [http://www.forensicblog.org/2009/09/10/the-meaning-of-leak-records/ The Meaning of LEAK records]
+
* [http://www.tzworks.net/prototype_page.php?proto_id=6 Windows 'index.dat' Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
+
 
+
[[Category:File Formats]]
+

Revision as of 15:57, 10 April 2013

This is the list of Training Providers, who offer training courses of interest to practitioners and researchers in the field of Digital Forensics. Conferences which may include training are located on the Upcoming_events page.

PLEASE READ BEFORE YOU EDIT THE LIST BELOW
Some training providers offer on-going training courses that are available in an on-line "any time" format. Others have regularly scheduled training that is the same time each month. Others have recurring training but are scheduled at various times throughout the year. Providers training courses should be listed in alphabetical order, and should be listed in the appropriate section. Non-Commercial training is typically offered by governmental agencies or organizations that directly support law enforcement. Tool Vendor training is training offered directly by a specific tool vendor, which may apply broadly, but generally is oriented to the vendor's specific tool (or tool suite). Commercial Training is training offered by commercial companies which may or may not be oriented to a specific tool/tool suite, but is offered by a company other than a tool vendor.

Some training opportunities may be limited to Law Enforcement Only or to a specific audience. Such restrictions should be noted when known.

On-going / Continuous Training

Title Date/Location Website
DISTANCE LEARNING
Basic Computer Examiner Course - Computer Forensic Training Online Distance Learning Format http://www.cftco.com
Linux Data Forensics Training Distance Learning Format http://www.onlineforensictraining.com/courses.html
SANS On-Demand Training Distance Learning Format http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
Champlain College - CCE Course Online / Distance Learning Format http://extra.champlain.edu/cps/wdc/alliances/cce/landing/
Las Positas College Online Computer Forensics Courses http://www.laspositascollege.edu
National Center for Media Forensics Distance and Concentrated Audio/Video/Image Forensics http://cam.ucdenver.edu/ncmf
RECURRING TRAINING
Evidence Recovery for Windows 7® operating system; First full week every month
Brunswick, GA
http://www.internetcrimes.net
Evidence Recovery for Windows 8® Second full week every month
Brunswick, GA
http://www.internetcrimes.net
Evidence Recovery for Windows Server® 2008 and 2012 Third full week every month
Brunswick, GA
http://www.internetcrimes.net

Non-Commercial Training

Title Website Limitation
Defense Cyber Investigations Training Academy (DCITA) http://www.dc3.mil/dcita/dcitaAbout.php Limited To Certain Roles within US Government Agencies(1)
Federal Law Enforcement Training Center http://www.fletc.gov/training/programs/technical-operations-division Limited To Law Enforcement
MSU National Forensics Training Center http://www.security.cse.msstate.edu/ftc Limited To Law Enforcement
IACIS http://www.iacis.com/training/course_listings Limited To Law Enforcement and Affiliate Members of IACIS
SEARCH http://www.search.org/programs/hightech/courses/ Limited To Law Enforcement
National White Collar Crime Center http://www.nw3c.org/ocr/courses_desc.cfm Limited To Law Enforcement

Tool Vendor Training

Title Website Limitation
AccessData (Forensic Tool Kit FTK) http://accessdata.com/training
ASR Data (SMART) http://www.asrdata.com/forensic-training/overview/
ATC-NY (P2P Marshal, Mac Marshal) http://p2pmarshal.atc-nycorp.com/index.php/training http://macmarshal.atc-nycorp.com/index.php/training
BlackBag Technologies (Mac Forensic Tools- BlackLight and SoftBlock) https://www.blackbagtech.com/training.html
Cellebrite (UFED) http://cellebrite.com/mobile-forensics-products/ufed-training.html
CPR Tools (Data Recovery) http://www.cprtools.net/training.php
Digital Intelligence (FRED Forensics Platform) http://www.digitalintelligence.com/forensictraining.php
e-fense, Inc. (Helix3 Pro) http://www.e-fense.com/training/index.php
Guidance Software (EnCase) http://www.guidancesoftware.com/computer-forensics-training-courses.htm
Micro Systemation (XRY) http://www.msab.com/training/schedule
Nuix (eDiscovery) http://www.nuix.com.au/eDiscovery.asp?active_page_id=147
Paraben (Paraben Suite) http://www.paraben-training.com/schedule.html
Software Analysis & Forensic Engineering (CodeSuite) http://www.safe-corp.biz/training.htm
Technology Pathways(ProDiscover) http://www.techpathways.com/DesktopDefault.aspx?tabindex=6&tabid=9
SubRosaSoft (MacForensicsLab) http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
Volatility Labs (Volatility Framework) http://volatility-labs.blogspot.com/search/label/training
WetStone Technologies (Gargoyle, Stego Suite, LiveWire Investigator) https://www.wetstonetech.com/trainings.html
X-Ways Forensics (X-Ways Forensics) http://www.x-ways.net/training/

Commercial Training (Non-Tool Vendor)

Title Website Limitation
Applied Security (Digital Forensics Training) http://www.appliedsec.com/forensics/training.html
BerlaCorp iOS and GPS Forensics Training http://www.berlacorp.com/training.html
Computer Forensic Training Center Online (CFTCO) http://www.cftco.com/
CCE Bootcamp http://www.cce-bootcamp.com/
Cyber Security Academy http://www.cybersecurityacademy.com/
Dera Forensics Group http://www.deraforensicgroup.com/courses.htm
e-fense Training http://www.e-fense.com/training/index.php
Forward Discovery, Inc. http://www.forwarddiscovery.com
H-11 Digital Forensics http://www.h11-digital-forensics.com/training/viewclasses.php
High Tech Crime Institute http://www.gohtci.com
Infosec Institute http://www.infosecinstitute.com/courses/security_training_courses.html
Intense School (a subsidiary of Infosec Institute) http://www.intenseschool.com/schedules
MD5 Group (Computer Forensics and E-Discovery courses)(Dallas, TX) http://www.md5group.com
Mile 2 (Security and Forensics Certification Training) https://www.mile2.com/mile2-online-estore/classess.html
Mobile Forensics, Inc http://mobileforensicsinc.com/
NetSecurity http://www.netsecurity.com/training/registration_schedule.html
NID Forensics Academy (Certified Digital Forensic Investigator - CDFI Program) http://www.nidforensics.com.br/
NTI (an Armor Forensics Company) APPEARS DEFUNCT http://www.forensics-intl.com/training.html
Security University http://www.securityuniversity.net/classes.php
Steganography Analysis and Research Center (SARC) http://www.sarc-wv.com/training
Sumuri, LLC - Mac, Mobile, iLook Training http://www.sumuri.com/index.php/features/training-and-events-calendar
SysAdmin, Audit, Network, Security Institute (SANS) http://computer-forensics.sans.org/courses/
Teel Technologies Mobile Device Forensics Training http://www.teeltech.com/tt3/training.asp
viaForensics Advanced Mobile Forensics Training http://viaforensics.com/education/calendar/
Zeidman Consulting (MCLE) http://www.zeidmanconsulting.com/speaking.htm