Web Browser Forensics

What question were you trying to answer? Could it be:

  • Where did this malicious software come from?
  • What web sites has this person been visiting?

What access do you have? Could it be:

  • A single machine, and I have local access
  • Multiple machines, and I have remote access

Don’t forget that you may wish to search unallocated disk space for deleted web cache information. See Digital Forensics Links.

Is this actually a Forensics examination (where you care about preserving evidence) or is this an Incident Response root cause examination, where discovery (and not legally admissible evidence) is the goal?

The answers affect the tool you choose and how you use it. For example, in a “concerned parent” scenario there is a single Windows machine using Internet Explorer, for which you have local access, and  you want to learn the web sites visited. Use Mandiant Web Historian and inspect the C:\Users\<userid>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat file. (A firewall log of successful web connections would be of more help.)

On the other hand, consider a large environment that investigates web-based malware alerts. Here the questions are: where was the threat encountered and what else arrived from that site or around that time. As part of the alert, you have the machine name and user id and the name of the malicious file.

An appropriate tool to collect web browser history and evidence would be CacheGrab and its companion interpreter CacheBack.

CacheGrab® is our standalone cache and history recovery tool that can be used on any logically mounted volume or virtual file system, including disks mounted using Physical Disk Emulation. CacheGrab does not require any purchase or licensing and may be used freely. Users should note that this version of the program only searches logical volumes at this time, and the ability to search physical disks and unallocated space will be available with the release of CacheGrab® Version 2, sometime in early 2010.

Note the features of CacheBack:

  • Multiple browser support. Rebuild cached web pages and examine Internet histories for Internet Explorer (ver. 5-8), Firefox (ver. 2-3), Opera (ver. 9-10), Safari (ver. 3-4), and Google Chrome (ver. 1-4).
  • View cached web pages and pictures in a single consolidated thumbnail gallery making it easy to zero in on artifacts of interest.
  • Comb through complex histories and large cache repositories using the powerful multi-tabbed, multi-functional WYSIWYG interface.
  • Combine the built-in Query Manager window, Quick Queries and compound query filtering options to drill down efficiently on large datasets.
  • Produce visually compelling, rich HTML reports of rebuilt web pages and picture evidence with valuable metadata.
  • Publish reports to any destination folder or removable media keeping the evidence intact and portable.
  • Display timestamps in any selected time zone and choose to observe daylight savings for any region. Completely system independent.
  • Powerful Link Analysis to identify matches between history URLs and hyperlinks found in web pages (e.g., which links might have been clicked or visited).
  • Multiple tabbed views of the same evidence (Browser, Text, Hex, Picture, Audit and Links).

These features may be more that you need.

If you only need to be concerned about Internet Explorer, then grab copies of the Index.dat files, saving them with names that make them distinguishable later. Use Pasco (http://www.sourceforge.net/projects/fast) to make tab-separated text files from the dat files.

A batch file to make this task easier:

@echo off
if (%2)==() goto ERR_SYNTAX
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\Temporary
Internet Files\Content.IE5\index.dat" "%1_%2_cache_index.dat"
attrib -s -h "C:\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
attrib +s +h "C:\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
copy "C:\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
pasco "%1_%2_cache_index.dat" > "%1_%2_cache_index.txt"
pasco "%1_%2_history_index.dat" > "%1_%2_history_index.txt"
Error - requires two parameters, machine name (or IP address) and userid

When loading the text separated text file into Excel, some columns won’t line up. Close enough for my purposes, though.

Note that this problem in Excel is because some of the original fields in the index.dat file contain tabs; using pasco to create a tab-separated text file when some fields contain tabs is problematic. If you wish to be consistent, fields rarely contain pipe characters; creating a pipe character-separated text file will produce a more consistently formatted Excel spreadsheet.

The questions again were: Where was the threat encountered and what else arrived from that site (or around that time).

Search the resulting text file for the detected malicious file. This turns up a lot of undetected malware. A malicious site rarely sticks to only one threat. A site typically hangs on to the older, already detected threats when breaking in a new, undetected threat. Get a sample of the new, undetected threat and submit it to vendors. You will also turn up a pattern of sites and ASNs. Report sites, blacklist sites, and the count of detected threats goes down.

Related articles:


Where to find browser history

Internet Explorer C:\Documents and Settings\<windows login>\Local Settings\History\History.IE5
Internet Explorer C:\Documents and Settings\<windows login>\Local Settings\Temporary Internet Files
Mozilla C:\Documents and Settings\<windows login>\Application Data\Mozilla\Profiles\default\bsczxlvc.slt\Cache\572222B7d01
Netscape history.dat
Firefox C:\Documents and Settings\<windows login>\Application Data\Mozilla\Firefox\Profiles\ygeipybb.default
Safari history.plist
Opera global.dat

Check query history

Google toolbar C:\Documents and Settings\[userid]\Application Data\Google\Local Search History

Where to find passwords

Firefox C:\>C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\vyzux15h.default\signons.sqlite

Where to find chat logs

Trillian C:\Program Files\Trillian\users\default\logs
MSN Messenger post version 7.0 C:\Documents and Settings\\My Documents\My Received Files\\History
AOL Messenger C:\program files\users\default\log\AIM\Query
Yahoo Messenger 6.0 C:\Program Files\Yahoo!\Messenger\Profiles\\Archive\Messages
mIRC C:\program files\mirc\logs
GAIM *nix: ~/.gaim/logs
Windows: \Documents and Settings\user\Application Data\.gaim\logs
Look for the screenname under the protocol directory.
Miranda Messenger C:\Program Files\Miranda IM\Logs
Exodus 0.9.x C:\Documents and Settings\\My Documents\Exodus-Logs\<user>_<server>.html
iChat /Users//Documents/iChats

Tim Mugherini presents NTFS MFT Timelines and Malware Analysis

3 Responses to Web Browser Forensics

  1. […] Web browser utilities are in Web Browser Forensics. […]

  2. R. Jetson says:

    Hi, I was wondering where this paragraph about Cacheback came from:

    Multiple browser support. Rebuild cached web pages and examine Internet histories for Internet Explorer (ver. 5-8), Firefox (ver. 2-3), Opera (ver. 9-10), Safari (ver. 3-4), and Google Chrome (ver. 1-4).

    Did it come from Cacheback website by any chance? Any idea which version of cacheback that was? If it was whatever version was available at the time of your posting (Oct. ’09) I can figure out what was available then. I am having a hard time trying to figure out which versions of various browsers were covered by the different versions of cacheback.
    thanks! R.

    • rklanke says:

      Yes, that would be information copied from the Cacheback website reflecting an earlier version of their software.