What question were you trying to answer? Could it be:
- Where did this malicious software come from?
- What web sites has this person been visiting?
What access do you have? Could it be:
- A single machine, and I have local access
- Multiple machines, and I have remote access
Don’t forget that you may wish to search unallocated disk space for deleted web cache information. See Digital Forensics Links.
Is this actually a Forensics examination (where you care about preserving evidence) or is this an Incident Response root cause examination, where discovery (and not legally admissible evidence) is the goal?
The answers affect the tool you choose and how you use it. For example, in a “concerned parent” scenario there is a single Windows machine using Internet Explorer, for which you have local access, and you want to learn the web sites visited. Use Mandiant Web Historian and inspect the C:\Users\<userid>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat file. (A firewall log of successful web connections would be of more help.)
On the other hand, consider a large environment that investigates web-based malware alerts. Here the questions are: where was the threat encountered and what else arrived from that site or around that time. As part of the alert, you have the machine name and user id and the name of the malicious file.
An appropriate tool to collect web browser history and evidence would be CacheGrab and its companion interpreter CacheBack.
CacheGrab® is our standalone cache and history recovery tool that can be used on any logically mounted volume or virtual file system, including disks mounted using Physical Disk Emulation. CacheGrab does not require any purchase or licensing and may be used freely. Users should note that this version of the program only searches logical volumes at this time, and the ability to search physical disks and unallocated space will be available with the release of CacheGrab® Version 2, sometime in early 2010.
Note the features of CacheBack:
- Multiple browser support. Rebuild cached web pages and examine Internet histories for Internet Explorer (ver. 5-8), Firefox (ver. 2-3), Opera (ver. 9-10), Safari (ver. 3-4), and Google Chrome (ver. 1-4).
- View cached web pages and pictures in a single consolidated thumbnail gallery making it easy to zero in on artifacts of interest.
- Comb through complex histories and large cache repositories using the powerful multi-tabbed, multi-functional WYSIWYG interface.
- Combine the built-in Query Manager window, Quick Queries and compound query filtering options to drill down efficiently on large datasets.
- Produce visually compelling, rich HTML reports of rebuilt web pages and picture evidence with valuable metadata.
- Publish reports to any destination folder or removable media keeping the evidence intact and portable.
- Display timestamps in any selected time zone and choose to observe daylight savings for any region. Completely system independent.
- Powerful Link Analysis to identify matches between history URLs and hyperlinks found in web pages (e.g., which links might have been clicked or visited).
- Multiple tabbed views of the same evidence (Browser, Text, Hex, Picture, Audit and Links).
These features may be more than you need.
If you only need to be concerned about Internet Explorer, then grab copies of the Index.dat files, saving them with names that make them distinguishable later. Use Pasco (http://www.sourceforge.net/projects/fast) to make tab-separated text files from the dat files.
A batch file to make this task easier:
@echo off
if (%2)==() goto ERR_SYNTAX
rem %1 = machine name or IP address, %2 = userid. Both files are read over the C$ admin share.
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" "%1_%2_cache_index.dat"
rem History.IE5\index.dat is flagged system+hidden. Clear the flags on the remote file, copy it, then restore them.
rem attrib changes attribute metadata on the target machine: acceptable for incident response, not for an evidence-preserving examination.
attrib -s -h "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" "%1_%2_history_index.dat"
attrib +s +h "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
rem Convert both copies to tab-separated text with Pasco
pasco "%1_%2_cache_index.dat" > "%1_%2_cache_index.txt"
pasco "%1_%2_history_index.dat" > "%1_%2_history_index.txt"
GOTO EXIT
:ERR_SYNTAX
echo Error - requires two parameters, machine name (or IP address) and userid
:EXIT
When loading the tab-separated text file into Excel, some columns won’t line up. Close enough for my purposes, though.
The misalignment in Excel arises because some of the original fields in the index.dat file themselves contain tab characters, so a tab-separated file produced by Pasco has rows with extra, spurious column breaks. If you want consistent output, use a pipe character as the separator instead: fields rarely contain pipes, so a pipe-separated text file imports into Excel with the columns lined up.
The questions again were: Where was the threat encountered and what else arrived from that site (or around that time).
Search the resulting text file for the detected malicious file. This turns up a lot of undetected malware. A malicious site rarely sticks to only one threat. A site typically hangs on to the older, already detected threats when breaking in a new, undetected threat. Get a sample of the new, undetected threat and submit it to vendors. You will also turn up a pattern of sites and ASNs. Report sites, blacklist sites, and the count of detected threats goes down.
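As an added example (not code from the original post, from Pasco's authors or from the CacheBack vendor), the Python script below does two things described above: it parses pasco-style tab-separated output without the column shift, by splitting each record into at most seven fields so that tabs embedded in the trailing HTTP HEADERS column stay in that column, and re-emits the records pipe-separated for a spreadsheet; it then pivots on the detected malicious file name to list everything else fetched from the same site, everything fetched within a few minutes of it, and a per-host tally to surface the pattern of sites. The sample records, the seven-column order, the host names and the MM/DD/YYYY timestamp layout are constructed assumptions about pasco's output; check them against a real pasco file before relying on the parser.

```python
"""Pivot on a detected malicious file in pasco-style index.dat output.
Added example for this post; not Pasco's code and not the post's own tooling.
Column order and timestamp layout are assumptions about pasco output."""
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample in the assumed seven-column pasco layout. The third
# record's HTTP HEADERS field deliberately contains an embedded tab, which is
# what shifts columns when the file is split naively or imported into Excel.
SAMPLE_PASCO = """\
History File: host1_jdoe_cache_index.dat Version: 5.2

TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS
URL\thttp://news.example.com/index.html\t10/05/2009 14:29:50\t10/05/2009 14:29:50\tindex[1].htm\tAB12CD34\tHTTP/1.1 200 OK
URL\thttp://ads.example.net/load.php?id=7\t10/05/2009 14:30:02\t10/05/2009 14:30:02\tload[1].htm\tAB12CD34\tHTTP/1.1 200 OK
URL\thttp://ads.example.net/x/update.exe\t10/05/2009 14:30:05\t10/05/2009 14:30:05\tupdate[1].exe\tEF56GH78\tHTTP/1.1 200 OK\tContent-Type: application/octet-stream
URL\thttp://ads.example.net/x/helper.dll\t10/05/2009 14:30:07\t10/05/2009 14:30:07\thelper[1].dll\tEF56GH78\tHTTP/1.1 200 OK
URL\thttp://mail.example.org/inbox\t10/05/2009 16:10:00\t10/05/2009 16:10:00\tinbox[1].htm\tAB12CD34\tHTTP/1.1 200 OK
"""

FIELDS = ("type", "url", "modified", "accessed", "filename", "directory", "headers")
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumed layout of pasco timestamps


def parse_pasco(text):
    """Return a list of dict records, one per URL line.
    Splitting with maxsplit=6 keeps tabs inside the trailing HTTP HEADERS
    field from shifting the earlier columns."""
    records = []
    for line in text.splitlines():
        if not line.startswith("URL\t"):  # skip banner, blank and header lines
            continue
        parts = line.split("\t", len(FIELDS) - 1)
        parts += [""] * (len(FIELDS) - len(parts))  # pad short records
        rec = dict(zip(FIELDS, parts))
        rec["host"] = urlparse(rec["url"]).hostname or ""
        try:
            rec["accessed_at"] = datetime.strptime(rec["accessed"], TIME_FORMAT)
        except ValueError:
            rec["accessed_at"] = None
        records.append(rec)
    return records


def to_pipe_separated(records):
    """Re-emit the records with '|' as delimiter (the post's spreadsheet
    suggestion); stray tabs and pipes inside fields are neutralised."""
    lines = ["|".join(f.upper() for f in FIELDS)]
    for rec in records:
        lines.append("|".join(rec[f].replace("\t", " ").replace("|", "/") for f in FIELDS))
    return "\n".join(lines)


def cache_name(fname):
    """Strip IE's duplicate counter so 'update[1].exe' compares as 'update.exe'."""
    return re.sub(r"\[\d+\]", "", fname).lower()


def pivot_on_file(records, malicious_filename, window=timedelta(minutes=5)):
    """Locate the detected file, then return the other records from the same
    host(s) and the records accessed within +/- window of any hit."""
    target = malicious_filename.lower()
    hits = [r for r in records if cache_name(r["filename"]) == target]
    hosts = {h["host"] for h in hits}
    times = [h["accessed_at"] for h in hits if h["accessed_at"] is not None]
    same_site = [r for r in records if r["host"] in hosts and r not in hits]
    nearby = [r for r in records
              if r not in hits and r["accessed_at"] is not None
              and any(abs(r["accessed_at"] - t) <= window for t in times)]
    return {"hits": hits, "same_site": same_site, "nearby": nearby}


def hosts_by_count(records):
    """Tally records per host; repeat offenders stand out across many files."""
    return Counter(r["host"] for r in records)


if __name__ == "__main__":
    recs = parse_pasco(SAMPLE_PASCO)
    result = pivot_on_file(recs, "update.exe")
    for label in ("hits", "same_site", "nearby"):
        print(label, [(r["accessed"], r["url"]) for r in result[label]])
    print(hosts_by_count(recs).most_common())
```

Run it over a real pasco file by replacing SAMPLE_PASCO with the file's contents; the same-site list is where the older, already-detected threats and the new, undetected one usually sit together.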
Related articles:
- Security Focus: Web Browser Forensics, Part 1 and Part 2
- GrandStreamDreams Web browser forensics
- Firefox Cache Format and Extraction
Utilities:
- Chrome Analysis Internet only, Google Chrome only utility
- Firefox 3 web browser forensics Includes description of the SQLite database, how to use sqlite3 to view the database and a PERL script to generate a report from the database. No need for Windows.
- Firefox 3 web browser forensics using f3e
- Fox Analysis Internet only, Firefox 3 only utility
- Mandiant Web Historian Internet only, Firefox and Internet Explorer utility
- Pasco (part of the Forensic Analyst’s Software Toolkit) Internet Explorer only utility
- SQLite Database Browser Public domain SQLite database browser, useful for Chrome and Firefox’s downloads.sqlite
- Elongsoft’s Computer History Viewer, a utility to examine IE and Windows history, is available from many sources but not from elongsoft.com.
- NirSoft web browser tools (NirLauncher is a package of more than 100 portable freeware utilities for Windows, all of them developed for the NirSoft web site during the last few years.)
- IEHistoryView from NirSoft examines IE history files
- MyLastSearch from NirSoft View your latest searches with major search engines.
- SkypeLogView from NirSoft View Skype logs (incoming/outgoing calls, chat messages, and file transfers)
- MozillaHistoryView from NirSoft View the list of visited web sites in Firefox/Mozilla/Netscape browsers
- MozillaCacheView from NirSoft View the cache files of Mozilla/Firefox browsers
- MozillaCookiesView from NirSoft Cookies Viewer/Manager For Mozilla/Firefox Browsers
- IECookiesView from NirSoft Cookies viewer/manager for Internet Explorer
- IECacheView from NirSoft Internet Explorer Cache Viewer
- IEPassView from NirSoft reveals Internet Explorer stored passwords
- PasswordFox from NirSoft reveals Firefox stored passwords
- ChromePass from NirSoft reveals Chrome stored passwords
- Protected Storage Pass View from NirSoft reveals Internet Explorer and Outlook Express stored information
- Internet Explorer Spy read INDEX.DAT (instead of Pasco)
- Dutch Duck IE History Viewer
- Karen’s Cookie Viewer from KarenWare examines browser cookies
- FirePasswordViewer at SecurityXploded reveals Firefox stored passwords
- Web Cache Illuminator reveals web browser activity regardless of browser
- CacheBack
- IEHist, read INDEX.DAT (instead of Pasco)
- Forensic Tool Kit (FTK), read INDEX.DAT (instead of Pasco)
- Windows File Analyzer, read INDEX.DAT (instead of Pasco) and other Windows files
- Digital Detective NetAnalysis view search terms, recreate HTML pages, does not require Encase but adds value to Encase evidence file review.
Where to find browser history

| Browser | Location |
| --- | --- |
| Internet Explorer | C:\Documents and Settings\<windows login>\Local Settings\History\History.IE5\index.dat |
| Internet Explorer | C:\Documents and Settings\<windows login>\Local Settings\Temporary Internet Files\index.dat |
| Mozilla | C:\Documents and Settings\<windows login>\Application Data\Mozilla\Profiles\default\bsczxlvc.slt\Cache\572222B7d01 history.dat |
| Netscape | history.dat |
| Firefox | C:\Documents and Settings\<windows login>\Application Data\Mozilla\Firefox\Profiles\ygeipybb.default\history.dat |
| Safari | history.plist |
| Opera | global.dat |
Check query history

| Toolbar | Location |
| --- | --- |
| Google toolbar | C:\Documents and Settings\[userid]\Application Data\Google\Local Search History |
Where to find passwords

| Browser | Location |
| --- | --- |
| Firefox | C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\vyzux15h.default\signons.sqlite; C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\vyzux15h.default\signons3.txt |
Where to find chat logs

| Client | Location |
| --- | --- |
| Trillian | C:\Program Files\Trillian\users\default\logs |
| MSN Messenger post version 7.0 | C:\Documents and Settings\\My Documents\My Received Files\\History |
| AOL Messenger | C:\program files\users\default\log\AIM\Query |
| Yahoo Messenger 6.0 | C:\Program Files\Yahoo!\Messenger\Profiles\\Archive\Messages |
| mIRC | C:\program files\mirc\logs |
| GAIM | *nix: ~/.gaim/logs; Windows: \Documents and Settings\user\Application Data\.gaim\logs. Look for the screen name under the protocol directory. |
| Miranda Messenger | C:\Program Files\Miranda IM\Logs |
| Exodus 0.9.x | C:\Documents and Settings\\My Documents\Exodus-Logs\<user>_<server>.html |
| iChat | /Users//Documents/iChats |
Hi, I was wondering where this paragraph about Cacheback came from:
Multiple browser support. Rebuild cached web pages and examine Internet histories for Internet Explorer (ver. 5-8), Firefox (ver. 2-3), Opera (ver. 9-10), Safari (ver. 3-4), and Google Chrome (ver. 1-4).
Did it come from Cacheback website by any chance? Any idea which version of cacheback that was? If it was whatever version was available at the time of your posting (Oct. ’09) I can figure out what was available then. I am having a hard time trying to figure out which versions of various browsers were covered by the different versions of cacheback.
thanks! R.
Yes, that would be information copied from the Cacheback website reflecting an earlier version of their software.