by Keith J. Jones, Rohyt Belani
Electronic evidence has often shaped the outcome of high-profile civil law suits and criminal investigations ranging from theft of intellectual property and insider trading that violates SEC regulations to proving employee misconduct resulting in termination of employment under unfavorable circumstances. Critical electronic evidence is often found in the suspect's web browsing history in the form of received emails, sites visited and attempted Internet searches. This two-part article presents the techniques and tools commonly used by computer forensics experts to uncover such evidence, through a fictitious investigation that closely mimics real-world scenarios.
While you read this article, you may follow along with the investigation and actually analyze case data. To actively participate in the investigation, you need to download the associated Internet activity data from the SecurityFocus archives [data].
At 8.25pm on March 18, 2005, a Senior Associate at a prestigious law firm had just finished a draft of a property-sale contract for his client but was unable to upload the document to the law firm's centralized document storage server hosted by Docustodian, Inc. His attempts to upload the document met with the following error message: "You have reached the storage limit. Please call your system administrator". The Senior Associate did just that, calling Joe Schmo, the firm's IT administrator. But, Joe's voicemail indicated that he was on vacation from March 7-21, 2005.
This was not an isolated occurrence. An internal review revealed that over 500 GB of MP3s, pirated software, and newly released movies were stored on the system under the profile for Joe Schmo. After finding that a potential intrusion had occurred, the law firm quickly concluded that an investigation of a potential violation of internal policy or an intrusion was beyond their core IT competency and brought in a professional security firm to lead the investigation.
During most investigations, an individual's web browsing activity often provides investigative leads. In this investigation, we will begin our analysis by reconstructing the web browsing activity in order to help prove or disprove our suspicions about Joe Schmo, the law firm's system administrator. Our investigation will utilize a combination of commercial and open source tools that you can use to analyze the data provided for this incident. We will walk through their capabilities, how they are used, and what information they will provide us to analyze web browsing activity in this investigation.
Internet Activity File Formats
The predominant two web browsers we encounter during computer related investigations are Microsoft's Internet Explorer (IE) and the Firefox/Mozilla/Netscape family. Each of these browsers saves the web browsing activity (also known as web browsing history) in their own unique formats. We will outline the file formats and the relevant file paths for both IE and Firefox/Mozilla/Netscape's Internet activity files to enhance our investigative leads.
Microsoft's Internet Explorer (IE)
IE is typically installed by default on new Windows-based computers and is used by most private and business computer owners. IE stores the Internet activity for each user under their Windows profile. In Joe's case, since he was using a Microsoft Windows operating system newer than Windows 2000, his IE activity was stored in the following directory:
C:\Documents and Settings\jschmo\Local Settings\Temporary Internet Files\Content.IE5\
The directory listed above stores the cached pages and images Joe reviewed on his computer. Inside the
We want to point out that there are two additional IE activity directories that may be of interest. The first directory contains the Internet history activity without locally cached web content:
C:\Documents and Settings\jschmo\Local Settings\History\History.IE5\
Under the directory above, there will be additional subdirectories signifying the date ranges where IE had saved the history. The last directory stores the cookie files for IE:
C:\Documents and Settings\jschmo\Cookies\
An investigator will typically check all three information stores for Internet activity data. Note that an individual can consciously clear these files for many reasons. In addition, several types of software are routinely installed on computers that periodically purge these files. But that does not mean that the information is not available. In part 2, we'll discuss what to do to find these files if they do not immediately appear available. For now, we'll assume that the data and files exists. Then, if we enter any of the directories presented above, you will find a file named
Firefox/Mozilla/Netscape Based Web Browsers
Firefox/Mozilla/Netscape and other related browsers also save the Internet activity using a similar method to IE. Mozilla/Netscape/Firefox save the web activity in a file named
Firefox files are located in the following directory:
\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat
Mozilla/Netscape history files are found in the following directory:
\Documents and Settings\<user name>\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat
The process of reconstructing web activity manually can be quite tedious. Fortunately, there are several tools, both free and commercial, that streamline this process considerably. The following sections present some of these tools. Please follow along with the web activity data you downloaded in the introduction to this article, and use the tools mentioned in this article to reconstruct the analysis.
Web browsing analysis - open source tools
Pasco (the Latin word for "Browse") is a command line tool that runs on Unix or Windows and can reconstruct the internal structures for IE Index.dat files. Pasco accepts an Index.dat file, reconstructs the data, and outputs the information in a delimited text file format. This format is useful when you need to import the data into a spreadsheet such as Microsoft Excel. Figure 1 shows Pasco in action.
Pasco shows that IE saves the following fields from a single web site visit in the Index.dat file:
For each row listed in the spreadsheet, you can retrieve the file listed in "Filename" in Joe's local directory named "Directory" to recreate what Joe saw on the web at the time listed in "Access Time."
Although Pasco works well with IE Internet activity files, it does not reconstruct web activity from other web browsers such as Firefox/Mozilla/Netscape. The output of Pasco as used for this article can be downloaded from the SecurityFocus archives [report].
Red Cliff's freeware tool, Web Historian, has the ability to crawl a directory structure and identify Internet activity files for all of the following web browsers:
What this means is that the investigator no longer has to memorize the paths for Internet activity files for each web browser. Web Historian also has the ability to output the reconstructed data into the following formats:
A screenshot of Web Historian in use is shown below in Figure 2.
Analysis of the web history
Now that we have the output for Joe's IE Internet activity, we can begin reviewing the websites he visited. During this analysis, we will only present the activity that is relevant to the investigation since there are numerous instances of irrelevant web browsing events that can slow down an investigator. The output from Web Historian is shown below in Figure 3.
In the above output we see that Joe visited Hotmail.com. Web Historian shows that the visit to Hotmail created the file named
At the top of the web page shown in Figure 4, we see that Joe's Hotmail account is
We see above in Figure 5 that Joe visited Barnes and Noble. It appears as though he is interested in books related to hacking and cracking. There are also other instances of Joe searching for similar material at hacking related websites. In Figure 6 and Figure 7 you will see Joe accessing sites known to have hacking related material. You will also see that Joe is searching for cracks specific to Docustodian, the application that was overloaded with unauthorized material.
As you have seen in the last section, we were able to show that Joe, or someone using Joe's account, was interested in information that would allow him to crack the licensing for Docustodian. However, the time that most of the websites were visited was approximately at 5:50:58 PM on March 10, 2005. It's important to remember that Joe was on vacation from March 7, 2005 through March 21, 2005. It would be highly unlikely that Joe visited these websites from a sunny beach in Florida. We would have to look harder at Joe's computer to see how these websites were accessed.
You can download the output of Web Historian, as previously mentioned in the article.
Internet activity analysis - commercial tools
There are several commercial tools that will examine web related activity similar to the freely available tools we presented above. Although we already examined interesting activity in the last section, we will present some of the differences and other interesting web sites Joe's account visited with commercially available tools in this section.
IE History was one of the first commercial tools developed for web activity reconstruction. IE History is a Windows application that opens several types of web browser history files including IE and Firefox/Netscape/Mozilla. IE History is a lightweight tool that can easily export the web browsing history to spreadsheets and text delimited files.
Within IE History, you can open an
Once IE History parses the information in the
IE History is a lightweight, inexpensive tool that allows you to investigate most web based Internet activity.
Forensic Tool Kit (FTK)
FTK combines some of the functionality from all of the tools we presented in this article. As commercial tools go, this receives our highest recommendation for the ease of use alone. With FTK, you can browse the cached web pages and see them in a web browser-like interface. For example, Figure 10 shows one of the cracking sites Joe's account visited.
Figure 11 and Figure 12 show that Joe was interested in Hotels in the Sao Paulo area. Since we know that Joe is currently in Florida on vacation with his family, it is highly unlikely he was the individual responsible for this activity.
FTK reconstructs the visited web pages very well. The drawback when using FTK is the reconstruction of the
Concluding part one
Our conclusion at this point is that Joe was probably not the individual using his account when unauthorized activity was performed against Docustodian. This is based on the fact that most of the potentially malicious activity occurred when Joe was on vacation with his family in Florida. However, the Internet searches for books related to hacking and license cracks are indicative of the fact that his machine may have been used by an unknown suspect. Who could it be? Who had access to Joe's machine when he was away on vacation? For the next article in this series we will examine additional investigative leads by performing an in-depth review of Joe's hard drive and the web activity of all other browsers installed on the system.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.