Digital Forensic Data Recovery & Analysis

Microsoft Internet Explorer PrivacIE Entries

April 29th, 2010 Posted in NetAnalysis, Web Browser Forensics
Apr, 29 2010
Comments Off

Internet Explorer introduced a number of new security and privacy features in version 8.  One of these new features was InPrivate Filtering.  InPrivate Filtering helps prevent the web sites a user visits from automatically sending details about the visit to other content providers.

PrivacIE_Warning

When a user visits a web site, it automatically shares standard computer information with that web site.  If the web site contains content provided by a third-party web site (for example a map, advertisement, or web measurement tools such as a web bug or scripts) some information about the user may be automatically sent to the content provider.

This type of arrangement can have several benefits. It lets the user conveniently access third-party content.  The presence of advertising on a web site may let the web site provide access to premium content at no charge.  However, there can be an impact on user privacy as a result because it is possible for the content providers to track the user across multiple web sites.

When InPrivate Filtering is used, some web sites might be prevented from automatically sharing details about the visit with the providers whose content is displayed.  As a result, some content might be automatically blocked (such as weather information or advertisements).  The user can manually allow blocked content by adjusting the InPrivate Filtering settings.

PrivacIE INDEX.DAT Entries

When performing a forensic examination of INDEX entries from Internet Explorer, you may come across numerous PrivacIE Type entries.  These entries are URL records for third-party content providers.

If the user has InPrivate filtering on, the PrivacIE INDEX.DAT stores the URLs to third party content.  They are not InPrivate browsing records.  InPrivate Filtering helps prevent website content providers from collecting information about sites the user has visited.

For example, the Digital Detective web sites use Google Analytics to track information about visitors to our sites.  Google tracks the data and provides webmasters with analytical tools to review the results.

If you switch InPrivate filtering on and visit the Digital Detective Website, you will find two entries in the PrivacIE INDEX which get generated from the visit.

PrivacIE_Google_Entries

The first entry is a web bug which takes the Google Analytic information as a command line paramter.  The second entry is a Google Analytic script.

Removing InPrivate Filter Entries

The user can remove the (PrivacIE) entries relating to InPrivate Filtering in the same way as clearing the History or Cache.  In the Delete Browsing History dialogue, there is an entry for InPrivate Filtering as shown below.
 
Remove_InPrivate_Filtering_Data
 
Internet Explorer can also be configured not to record this information, even if the functionality is active.
 
InPrivate_Don_Not_Collect_Data
 
 
Recovering Evidence of InPrivate Browsing
 
I will post an article at a later date regarding InPrivate browsing and the recovery of InPrivate history.
 
The original KB Article is here:  KB80054 What are Internet Explorer PrivacIE Entries
, , , ,
Read More

Mini Survey on Malware

April 26th, 2010 Posted in Not Categorised
Apr, 26 2010
Comments Off

A friend of mine is currently doing research towards his PhD in Malware Analysis with regards to forensic computer investigations.  He has a short survey seeking responses from practitioners regarding the impact Malware has to our line of work.

If you have 30 seconds to answer three multiples choice questions, he would be most grateful: Malware Mini Survey

Read More

Understanding Redirects

April 23rd, 2010 Posted in NetAnalysis, Web Browser Forensics
Apr, 23 2010
Comments Off

Redirects provide a way to transport the browser from one point on a web site to another.  Redirects are most commonly used to translate references to outdated web pages to new, updated ones.  They can be instigated either by the browser, in which case they are referred to as client-side redirect, or by the server, in which case they are referred to as server-side redirects.

Virtually all webmasters at some point will discover that not all links to their site end up where they were intended.  For example, if the author of another web site places a link to your site, but misspells the hyperlink, the result will be a 404 error every time that link is selected.

Another common occurrence is site reorganisations.  As you move files around, rename them or even delete them entirely, you will find visitors will receive 404 errors.  This is because other sites, search engines and directories often link to those pages.  It is an impossible task to be able to change all the hyperlinks to your site.

If the webmaster determines that someone has linked to a non-existent page, there are ways of redirecting the user to the correct page.

Browser / Client Side Redirects

If you are a webmaster and you wish to recapture the traffic from the lost/moved/deleted pages, there are several things that can be done.  One of the easiest ways to add a redirect is through a special Meta tag called “refresh” to direct their visitors to the new page.

To do this they create a blank page which contains the tag as shown below (it is placed in the header). The tag simply says “wait some time then go to a named page”.  In this example, the browser will wait one second.

Meta_Refresh_Tag

If you wish to use ASP, then the following code inside an ASP page will perform the same function.

ASP_Redirect

Server Side Redirects

There are many ways to implement server-side redirects depending on the web server being used.  One of the most common is to use the .htaccess file, which is supported by the Apache web server.  .htaccess supports a directive called redirect.  This directive transparently changes the URL to a new URL.   However, this is not the usual method for implementing Server-Side redirects as not all hosts support this.

In IIS7, creating server side redirect is a simple task.  Log on to the Internet Information Services (IIS) Manager and select the file or folder you wish to create a redirect for.  Clicking on the HTTP Redirect button will launch the screen shown below.  This allows the webmaster to select the URL to be redirected to, and also which type of redirect is required.

IIS7_Redirect

This information is then saved to a web.config file in the folder where the redirect is to be launched from.

Redirect Evidence in Microsoft Internet Explorer

Embedded within the CACHE INDEX.DAT file are numerous Internet records that have REDR as the record header.  This header is a REDIRECT entry and is evidence of a SERVER-SIDE redirect.  Client Side redirects are NOT recorded within the INDEX.DAT files as REDR records.  The REDR entry is a URL that has been visited and the server has responded with an HTTP 300 response which tells the browser the page is in a different location.  This entry reflects the URL which caused the redirection.  In NetAnalysis, the entries are marked as Type: Redirect as shown below.

NetAnalysis_Redirect_Entry

In previous versions of NetAnalysis, we were not able to show where the user was redirected to.  Following research and testing, we identified a methodology for resolving redirect entries.  However, it is only possible to show the resulting redirected URL if the data still exists within the INDEX.DAT record.  There is a marker to indicate whether the entry is live or deleted.  It is also only possible to show resulting redirect entries from live INDEX.DAT files.  It is not possible to do this with the data recovered by HstEx.

This is a significant development in the analysis of Internet browser artefacts as previously, the invetigator did not have this information.  At the time of writing this Article, NetAnalysis v1.50+ is the only software available to extract this important evidence.

In addition to identifying the URL where the user was redirected to, it is also possible to identify the date/time this action occurred.  This also was not previously possible.  The status column informs the examiner whether the redirect entry is intact or not.  If it is intact and from a live INDEX.DAT file, there will be date/time information.  As mentioned previously, this data is not available for overwritten or deleted redirect entries.

Redirect_Entries_In_NetAnalysis

The image above shows NetAnalysis and two Server Side Redirect entries.  In this case, item number one is the original URL which caused the server to respond with a server side redirect HTPP response.  This is the standard URL record which is shown in the URL column.  In addition, as this is a REDR record which is intact, NetAnalysis has the Redirect URL (item number two) in the corresponding column.  The Type column reflects the fact it is a redirect entry, as does the IE Type column (Internet Explorer Record Type).

As this Redirect entry is intact, the Last Visited time stamp can be extracted. 

Original Digital Detective KB Article

KB80053 Understanding Redirects

, ,
Read More

ACPO Guidlines for Computer-Based Electronic Evidence to be updated

April 21st, 2010 Posted in Forensic Standards
Apr, 21 2010
Comments Off

It looks like the ACPO Good Practice Guide for Computer-Based Electronic Evidence is about to get a long overdue update.    

 

An editorial panel has been convened and is seeking views from interested parties from law enforcement, private sector, service providers, IT industry and academia.

 

Whilst it is not currently clear who the editorial panel consists of, their apparent remit is to update the content to ensure it is current and relevant and to explore whether there are any areas of Digital Forensics practice that is not currently included in the document.

 

To assist them in this review, a survey has been compiled and is available for completion at the following URL:  http://www.surveymonkey.com/s/YTZVX2W

 

The deadline for completion is 30th April 2010.

Read More

EnCase E01 Segment Files > 2 GiB

April 5th, 2010 Posted in Blade, Forensic Data Recovery, HstEx
Apr, 05 2010
Comments Off
In EnCase 6.7, a change was made to the structure of the e01 evidence file so that segment files greater than 2 GiB could be employed.
 
To allow the data beyond this limit to be addressable, a 64 bit base offset is added to each table section thereby increasing the maximum addressable offset. This has the added benefit of increasing the potential segment file size to 64 bits whilst not actually making any significant changes to the structure of the tables.
 
Prior to 6.7, the maximum permissible segment size was 2 GiB. This was due to an addressing limitation in the segment files. Each segment file maintains a number of tables which contain an array of 32 bit integers. Each 32 bit integer points to a location within the segment file where the data is located.
 
The most significant bit of each integer is used to flag whether the data block is Zlib compressed or not, which limits the maximum addressable data offset to 2^31, hence the 2 GiB segment size limit.
 
HstEx v3.4 has now been updated to support single segment e01 image files which are greater than 2 GiB.  A new version of Blade will be released shortly which will also support these extended segment images.
, ,
Read More

Blade v1 Supported Source Image Formats

April 2nd, 2010 Posted in Blade
Apr, 02 2010
Comments Off

Blade v3 supports a number of forensic image and output file formats.  Table 1 contains a summary of the file formats.

 

 

Supported Forensic Image Formats

EnCase®  v1-6 Image File (EVF / Expert Witness Format)

*.e01

AccessData®  FTK Image Files

*.e01, *.001, *.s01

SMART/Expert Witness Image File

*.s01

X-Ways Forensics Image File

*.e01

VMWare Virtual Disk File

*.vhd

Segmented Image Unix / Linux DD / Raw Image Files

*.000, *.001

Single Image  Unix / Linux DD/Raw Image Files

*.dd; *.img; *.ima; *.raw

Virtual Hard Disk File

*.vhd

Binary / Memory Dumps

*.bin; *.dat; *.dmp; *.mem; *.dump; *.crash

Micro Systemation extraction file

*.xry

 

Table 1

 

 

Sector Level Access to Physical / Logical Devices

 

Blade v3 can search any binary file for the supported file formats.  It also supports direct sector level access to Physical and Logical devices.  This allows the user to employ hardware / software write blockers and to recover data directly from a disk or external media.

, , , , , ,
Read More
Google Analytics integration offered by Wordpress Google Analytics Plugin