Difference between pages "Forensic corpora" and "Internet Explorer"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
 
Line 1: Line 1:
This page describes large-scale corpora of forensically interesting information that are available for those involved in forensic research.
+
{{Expand}}
  
= Disk Images =
+
Microsoft Internet Explorer (MSIE) is the default [[Web Browser]] included with [[Microsoft Windows]].
+
;The Real Data Corpus.
+
: Between 1998 and 2006, [[Simson Garfinkel|Garfinkel]] acquired 1250+ hard drives on the secondary market. These hard drive images have proven invaluable in performing a range of studies such as the  developing of new forensic techniques and the sanitization practices of computer users.
+
  
: Garfinkel, S. and Shelat, A., [http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf "Remembrance of Data Passed: A Study of Disk Sanitization Practices,"] IEEE Security and Privacy, January/February 2003.
+
== MSIE 4 to 9 ==
 +
MSIE 4 to 9 uses the [[Internet Explorer History File Format]] (or MSIE Cache File format). The Cache Files commonly named index.dat are used to store both cache and historical information.
  
;The Honeynet Project Forensic Challenge.
+
== MSIE 10 ==
: In 2001 the Honeynet project distributed a set of disk images and asked participants to conduct a forensic analysis of a compromised computer. Entries were judged and posted for all to see. The drive and writeups are still available online.
+
: http://www.honeynet.org/challenge/index.html
+
: Other challenges were released in 2010 and 2011, and two contained partial disk images.
+
: [https://www.honeynet.org/challenges/2011_7_compromised_server Challenge 7: Compromised Server]
+
: [https://www.honeynet.org/node/751 Challenge 9: Mobile Malware]
+
  
;Honeynet Project Scans of the Month
+
<pre>
: The Honeynet Project provided network scans in the majority of its Scan of the Month challenges.  Some of the challenges provided disk images instead.  The Sleuth Kit's Wiki lists Brian Carrier's responses to those challenges.
+
C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\
: http://wiki.sleuthkit.org/index.php?title=Case_Studies
+
</pre>
  
;The [http://www.cfreds.nist.gov/ Computer Forensic Reference Data Sets] project from [[National Institute of Standards and Technology|NIST]] hosts a few sample cases that may be useful for examiners to practice with:
+
To do: confirm if these files are in the [[Extensible Storage Engine (ESE) Database File (EDB) format]]
: http://www.cfreds.nist.gov/Hacking_Case.html
+
  
; Digital Forensics Tool Testing Images can be downloaded from Sourceforge
+
== Security Zones ==
: http://dftt.sourceforge.net/
+
0 - My Computer
 +
1 - Local Intranet Zone
 +
2 - Trusted Sites Zone
 +
3 - Internet Zone
 +
4 - Restricted Sites Zone
 +
5 - Custom
  
; Shortinfosec: computer forensics competition
+
== WPAD ==
: http://www.shortinfosec.net/2008/07/competition-computer-forensic.html
+
: In the competition, you will have to analyze a submitted disk image for incriminating evidence.
+
: (Note: Unfortunately, when checked in October, 2011, the disk image seemed unavailable.)
+
  
; Lance Mueller has created some disk images; they can be downloaded from his blog
+
== See Also ==
: http://www.forensickb.com/search?q=practical
+
* [[Internet Explorer History File Format]]
  
; Barry Grundy created some disk images as parts of a Linux-based forensics tutorial
+
== External Links ==
: http://linuxleo.com
+
* [http://kb.digital-detective.co.uk/display/NetAnalysis1/Internet+Explorer+Cache Internet Explorer Cache]
 +
* [http://support.microsoft.com/kb/182569 Internet Explorer security zones registry entries for advanced users], by [[Microsoft]]
 +
* [http://technet.microsoft.com/en-us/library/cc302643.aspx Troubleshooting Automatic Detection], by [[Microsoft]]
 +
* [http://www.microsoft.com/en-us/download/details.aspx?id=11575 Windows Virtual PC VHDs for testing websites with different Internet Explorer versions], by [[Microsoft]]
 +
* [http://www.swiftforensics.com/2011/09/internet-explorer-recoverystore-aka.html Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity], by [[Yogesh Khatri]], September 29, 2011
 +
* [http://tojoswalls.blogspot.ch/2013/05/java-web-vulnerability-mitigation-on.html Java Web Vulnerability Mitigation on Windows], by Tim Johnson, May 23, 2013
  
;The PyFlag standard test image set
+
[[Category:Applications]]
: http://pyflag.sourceforge.net/Documentation/tutorials/howtos/test_image.html
+
[[Category:Web Browsers]]
 
+
;The Digital Forensic Research Workshop's Rodeos and Challenges
+
: Several of the Rodeos and Challenges from DFRWS released their data and scenario writeups. The following had disk images as parts of their scenario:
+
* [http://www.cfreds.nist.gov/dfrws/Rhino_Hunt.html 2005 Rodeo] (Hosted on CFReDS)
+
* [http://dfrws.org/2008/rodeo.shtml 2008 Rodeo]
+
* [http://dfrws.org/2009/rodeo.shtml 2009 Rodeo]
+
* [http://dfrws.org/2009/challenge/index.shtml 2009 Challenge]
+
* [http://dfrws.org/2011/challenge/index.shtml 2011 Challenge]
+
 
+
= Memory Images =
+
 
+
The [https://www.volatilesystems.com/default/volatility Volatility] FAQ provides a listing of openly-available [https://code.google.com/p/volatility/wiki/FAQ#Are_there_any_public_memory_samples_available_that_I_can_use_for memory images].
+
 
+
= Network Packets and Traces =
+
 
+
== DARPA ID Eval ==
+
 
+
''The DARPA Intrusion Detection Evaluation.'' In 1998, 1999 and 2000 the Information Systems Technology Group at MIT Lincoln Laboratory created a test network complete with simulated servers, clients, clerical workers, programmers, and system managers. Baseline traffic was collected. The systems on the network were then “attacked” by simulated hackers. Some of the attacks were well-known at the time, while others were developed for the purpose of the evaluation.
+
 
+
* [http://www.ll.mit.edu/IST/ideval/data/1998/1998_data_index.html 1998 DARPA Intrusion Detection Evaluation]
+
* [http://www.ll.mit.edu/IST/ideval/data/1999/1999_data_index.html 1999 DARPA Intrusion Detection Evaluation]
+
* [http://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html 2000 DARPA Intrusion Detection Scenario Specific]
+
 
+
== WIDE==
+
''The [http://www.wide.ad.jp/project/wg/mawi.html MAWI Working Group] of the [http://www.wide.ad.jp/ WIDE Project]'' maintains a [http://tracer.csl.sony.co.jp/mawi/ Traffic Archive]. In it you will find:
+
* daily trace of a trans-Pacific T1 line;
+
* daily trace at an IPv6 line connected to 6Bone;
+
* daily trace at another trans-Pacific line (100Mbps link) in operation since 2006/07/01.
+
 
+
Traffic traces are made by tcpdump, and then, IP addresses in the traces are scrambled by a modified version of [[tcpdpriv]].
+
 
+
==Wireshark==
+
The open source Wireshark project (formerly known as Ethereal) has a website with many network packet captures:
+
* http://wiki.wireshark.org/SampleCaptures
+
 
+
==NFS Packets==
+
The Storage Networking Industry Association has a set of network file system traces that can be downloaded from:
+
* http://iotta.snia.org/traces
+
* http://tesla.hpl.hp.com/public_software/
+
 
+
==Other==
+
Github user "markofu" has aggregated several other network captures into a Git repository.
+
* https://github.com/markofu/pcaps
+
 
+
=Email messages=
+
 
+
''The Enron Corpus'' of email messages that were seized by the Federal Energy Regulatory Commission during its investigation of Enron.
+
 
+
* http://www.cs.cmu.edu/~enron
+
* http://www.enronemail.com/
+
 
+
The NIST '''TextREtrieval Conference 2007''' has released a public Spam corpus:
+
* http://plg.uwaterloo.ca/~gvcormac/spam/
+
 
+
Email Messages Corpus Parsed from W3C Lists (for TRECENT 2005)
+
* http://tides.umiacs.umd.edu/webtrec/trecent/parsed_w3c_corpus.html
+
 
+
=Text Files=
+
 
+
==Log files==
+
[http://crawdad.cs.dartmouth.edu/index.php CRAWDAD] is a community archive for wireless data.
+
 
+
[http://www.caida.org/data/ CAIDA] collects a wide variety of data.
+
 
+
[http://www.dshield.org/howto.html DShield] asks users to submit firewall logs.
+
 
+
==Text for Text Retrieval==
+
The [http://trec.nist.gov Text REtrieval Conference (TREC)] has made available a series of [http://trec.nist.gov/data.html text collections].
+
 
+
==American National Corpus==
+
The [http://www.americannationalcorpus.org/ American National Corpus (ANC) project] is creating a massive collection of American english from 1990 onward. The goal is to create a corpus of at least 100 million words that is comparable to the British National Corpus.
+
 
+
==British National Corpus==
+
The [http://www.natcorp.ox.ac.uk/ British National Corpus (100)] is a 100 million word collection of written and spoken english from a variety of sources.
+
 
+
==IEEE VAST Challenges==
+
IEEE Visual Analytics Science & Technology Challenges
+
* [http://hcil.cs.umd.edu/localphp/hcil/vast/index.php 2009 Challenge]
+
* [http://hcil.cs.umd.edu/localphp/hcil/vast10/index.php 2010 Challenge]
+
* [http://hcil.cs.umd.edu/localphp/hcil/vast11/ 2011 Challenge]
+
 
+
=Images=
+
; [http://www.cs.washington.edu/research/imagedatabase] UW Image Database
+
: A set of freely redistributable images from all over the world, used for content-based image retrieval.
+
 
+
=Voice=
+
==CALLFRIEND==
+
CALLFRIEND is a database of recorded English conversations. A total of 60 recorded conversations are available from the University of Pennsylvania at a cost of $600.
+
 
+
==TalkBank==
+
TalkBank in an online database of spoken language. The project was originally funded between 1999 and 2004 by two National Science Foundation grants; ongoing support is provided by two NSF grants and one NIH grant.
+
 
+
==Augmented Multi-Party Interaction Corpus==
+
The [http://corpus.amiproject.org/ AMI Meeting Corpus] has 100 hours of meeting recordings.
+
 
+
==Other Corpora==
+
* Under an NSF grant, Kam Woods and [[Simson Garfinkel]] created a website for digital corpora [http://digitalcorpora.org]. The site includes a complete training scenario, including disk images, packet captures and exercises.
+
 
+
* The [http://corpus.canterbury.ac.nz/ Canterbury Corpus] is a set of files used for testing lossless compression algorithms. The corpus consists of 11 natural files, 4 artificial files, 3 large files, and a file with the first million digits of pi.  You can also find a copyof the Calgaruy Corpus at the website, which was the defacto standard for testing lossless compression algorithms in the 1990s.
+
 
+
* The [http://traces.cs.umass.edu/index.php/Main/HomePage UMass Trace Repository] provides network, storage, and other traces to the research community for analysis. The UMass Trace Repository is supported by grant #CNS-323597 from the National Science Foundation.
+
 
+
* [http://arstechnica.com/science/news/2009/02/aaas-60tb-of-behavioral-data-the-everquest-2-server-logs.ars Sony has made 60TB of Everquest 2 logs available to researchers.]  What's there? "everything."
+
 
+
* UCI's [http://networkdata.ics.uci.edu/resources.php Network Data Repository] provides data sets of a diverse set of networks.  Some of the networks are related to computers, some aren't.
+
 
+
= External Links =
+
* [http://articles.forensicfocus.com/2013/10/18/forge-computer-forensic-test-image-generator/ ForGe – Computer Forensic Test Image Generator], by Hunnu Visti, October 18, 2013
+

Revision as of 01:34, 25 October 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Microsoft Internet Explorer (MSIE) is the default Web Browser included with Microsoft Windows.

Contents

MSIE 4 to 9

MSIE 4 to 9 uses the Internet Explorer History File Format (or MSIE Cache File format). The Cache Files commonly named index.dat are used to store both cache and historical information.

MSIE 10

C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\

To do: confirm if these files are in the Extensible Storage Engine (ESE) Database File (EDB) format

Security Zones

0 - My Computer 1 - Local Intranet Zone 2 - Trusted Sites Zone 3 - Internet Zone 4 - Restricted Sites Zone 5 - Custom

WPAD

See Also

External Links