Digital Forensic Data Recovery & Analysis

Userdata History Type in Internet Explorer


Internet Explorer 8+ user data persistence is a feature which allows online forms to save a small file to the system containing the values entered in a particular form. This allows the user to retrieve a half-filled web-based form when they revisit the page.

Persistence creates new opportunities for website authors.  Information that persists beyond a single page without support from the server, or within the finite scope of cookies, can increase the speed of navigation and content authoring.

The folder structure where the data is actually stored is very much like the standard IE cache folder with a single INDEX.DAT file.  Inside the cache folder you will find the files containing data attributed to the associated website.

Figure 1: UserData Path

To demonstrate how this works, we have created a page which allows you to save a string to the local drive. 

Once you have saved some string data using the above page, open the UserData INDEX.DAT file in NetAnalysis and review the entries. Pressing F8 will bring up the search/filter dialogue. Change the field name to ‘Type’ and enter ‘userdata’ in the filter text box. When the filter is applied, you should find an entry as shown below:

 

Figure 2: Digital Detective NetAnalysis Userdata Type

If you navigate to the corresponding folder, you will find an XML file which contains the string you entered into the website.  This is shown below.

Figure 3: Userdata File

Internet Explorer INTERNET_CACHE_ENTRY_INFO Structure

This structure (Figure 1) is used by the Microsoft Windows API and contains information about an entry in the Internet cache.
 
Figure 1: INTERNET_CACHE_ENTRY_INFO
 
 
Explanation of Members
 
dwStructSize
Size of this structure, in bytes. This value can be used to help determine the version of the cache system.
lpszSourceUrlName
Pointer to a null-terminated string that contains the URL name. The string occupies the memory area at the end of this structure.
lpszLocalFileName
Pointer to a null-terminated string that contains the local file name. The string occupies the memory area at the end of this structure.
CacheEntryType
A bitmask indicating the type of cache entry and its properties. The cache entry types include: history entries (URLHISTORY_CACHE_ENTRY), cookie entries (COOKIE_CACHE_ENTRY), and normal cached content (NORMAL_CACHE_ENTRY).
 
 
This member can be zero or more of the following property flags and the cache type flags listed below.
 
Figure 2: Internet Explorer Cache Property Flags
 
 
The following list contains the cache type flags.
 
Figure 3: Internet Explorer Cache Type Flags
 
dwUseCount
Current user count of the cache entry.
dwHitRate
Number of times the cache entry was retrieved.
dwSizeLow
Low-order portion of the file size.
dwSizeHigh
High-order portion of the file size.
LastModifiedTime
FILETIME structure that contains the last modified time of this URL, in Greenwich Mean Time format.
ExpireTime
FILETIME structure that contains the expiration time of this file, in Greenwich Mean Time format.
LastAccessTime
FILETIME structure that contains the last accessed time, in Greenwich Mean Time format.
LastSyncTime
FILETIME structure that contains the last time the cache was synchronized.
lpHeaderInfo
Pointer to a buffer that contains the header information. The buffer occupies the memory at the end of this structure.
dwHeaderInfoSize
Size of the lpHeaderInfo buffer.
lpszFileExtension
Pointer to a string that contains the file name extension used to retrieve the data as a file. The string occupies the memory area at the end of this structure.
dwReserved
Reserved. Must be zero.
dwExemptDelta
Exemption time from the last accessed time, in seconds.
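
The member descriptions above can be turned into a small interpretation helper when reviewing cache entries. The following is an added example, not code from the original post or from NetAnalysis; the flag values are taken from wininet.h (the post's flag tables are images), and the function names and the sample entry are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# CacheEntryType bits as defined in wininet.h (assumption: not listed on this page).
CACHE_ENTRY_FLAGS = {
    0x00000001: "NORMAL_CACHE_ENTRY",
    0x00000004: "STICKY_CACHE_ENTRY",
    0x00000008: "EDITED_CACHE_ENTRY",
    0x00000010: "TRACK_OFFLINE_CACHE_ENTRY",
    0x00000020: "TRACK_ONLINE_CACHE_ENTRY",
    0x00010000: "SPARSE_CACHE_ENTRY",
    0x00100000: "COOKIE_CACHE_ENTRY",
    0x00200000: "URLHISTORY_CACHE_ENTRY",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_entry_type(mask):
    """Split a CacheEntryType bitmask into known flag names and leftover bits."""
    names = [name for bit, name in CACHE_ENTRY_FLAGS.items() if mask & bit]
    unknown = mask & ~sum(CACHE_ENTRY_FLAGS)  # bits this table does not cover
    return names, unknown

def filetime_to_utc(low, high):
    """Convert a FILETIME (dwLowDateTime, dwHighDateTime) to a UTC datetime.
    Returns None for an unset (zero) or unrepresentable timestamp."""
    ticks = (high << 32) | low  # 100-nanosecond intervals since 1601-01-01
    if ticks == 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:  # e.g. a "never expires" sentinel beyond year 9999
        return None

def entry_size(size_low, size_high):
    """Combine dwSizeLow and dwSizeHigh into the 64-bit file size in bytes."""
    return (size_high << 32) | size_low

def summarise(entry):
    """Render the interpreted fields of one entry as a dict for reporting."""
    names, unknown = decode_entry_type(entry["CacheEntryType"])
    return {
        "types": names,
        "unknown_bits": hex(unknown),
        "size": entry_size(entry["dwSizeLow"], entry["dwSizeHigh"]),
        "last_access": filetime_to_utc(*entry["LastAccessTime"]),
    }

# Constructed sample entry: a history record last accessed at the Unix epoch.
SAMPLE = {"CacheEntryType": 0x00200001, "dwSizeLow": 0x10, "dwSizeHigh": 0x1,
          "LastAccessTime": (0xD53E8000, 0x019DB1DE)}
```

Leftover bits are reported rather than discarded, so an entry carrying a flag outside this table is visible to the examiner instead of being silently dropped.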
 
 