Browser Artifacts

Hi,

Firstly, I want to thank the HackIT team for providing some good material for this post. This post is about browser artifacts; the main reason behind it is to explain the entries we can retrieve while working on a browser. I found many tools which will recover passwords, installed add-ons, downloads, cookies and more from a browser (mostly Firefox). Here I am trying to explain the methods and places to retrieve those details manually, without any self-prepared scripts, but of course using a little handy tool.

Which browsers are mostly used, and why?

A web browser is a software application for retrieving, presenting and traversing information resources on the World Wide Web. Some of the web browsers are Mozilla Firefox, Chrome, IE and many more.

What kind of activities can we find from the browser artifacts?

Internet browsing history, keyword searches, usernames, passwords, mail IDs and downloads, user details from forms, profile-based user logins and installed add-ons.

How does it help in forensic investigations?

We can judge the suspect's ideology and usage of the target machine using the history, keyword searches, chat history and more.

Where can we find them?

By default, when we install the program it makes entries in Program Files, and every user has their own profile in the user directories; the database entries we are interested in live in those user profile directories.

Different browsers, different directories?

Mozilla Firefox -- ...\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\
Chrome -- ...\AppData\Local\Google\
IE -- index.dat, temp, cookies and history

What sort of data can be retrieved?

Firefox | Chrome | Description
addons.sqlite | | installed add-ons listed
chromeappstore.sqlite | | mostly used snippets
cookies.sqlite | Cookies | cookies
downloads.sqlite | History | downloads done by the browser
extensions.sqlite | | extensions installed (add-ons, plug-ins, ...)
formhistory.sqlite | Web Data | details filled in a form
permissions.sqlite | Quota Manager | permissions for add-ons, plug-ins and password remembering
places.sqlite | History, Top Sites, Web Data | browser activities such as bookmarks, visits and keyword searches
search.sqlite | | search engine preference history
signons.sqlite | Login Data | username and password stored in the browser cache
cert8.db | | stores security certificates
key3.db | Login Data | key value for the stored passwords
localstore.rdf | | stores the customizations of the browser, if any
mimetype.rdf | | stores default actions for the known file types
| Favicons | web favicons (can be observed on saving a shortcut / web page)
| Top Sites | stores thumbnails and redirections of thumbnails
bookmarkbackups | Bookmarks, Bookmarks.bak | bookmarks backup
extensions | Web Data | extensions installed
minidumps | | on a browser crash, dumps will be generated (most of the time these are empty 🙂)
| Cache, Media Cache, Local Storage | work as history entries

For index.dat, history and other file analysis we can use third-party tools like Pasco; you can check it in coming articles.

What is SQLite?

SQLite is an embedded SQL database engine. SQLite reads and writes directly to ordinary disk files: a complete SQL database with multiple tables, indices, triggers and views is contained in a single disk file. The database file format is cross-platform, so you can freely copy a database between 32-bit and 64-bit systems. SQLite is a popular database engine choice on memory-constrained gadgets such as smartphones, PDAs and MP3 players. Its main advantages are that it is:

  • Simple to administer
  • Simple to operate
  • Simple to embed in a larger program
  • Simple to maintain and customize

For more details please visit

https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/

http://www.sqlite.org/

http://devzone.zend.com/article/760

What is a BLOB?

While working with Chrome files in SQLite I found that they had declared BLOB as the data type for passwords. BLOB is short for Binary Large OBject. BLOB is a data type used to store objects such as images, audio or other multimedia. Originally "blob" was used as a term for moving large amounts of data from one database to another without filters or error correction.

For more details visit
    http://wiki.gxtechnical.com/commwiki/servlet/hwiki?Blob+Data+Type
    http://dev.mysql.com/doc/refman/5.0/en/blob.html

What is .db?

Don't get confused by the .db extension, because it is used for four different file types. Here we talk about a generic database file that stores data in a structured format, typically with an arrangement of tables, table fields, field data types and field values. Such files can be created by various database programs and exported into different formats such as .CSV, and they may also be imported by multiple database programs.

For more details visit
     http://www.fileinfo.com/extension/db

What is .dat?

A generic data file created by a specific application, typically accessed only by the application that created it; it may contain data in text or binary format. Text-based DAT files can be viewed in a text editor.

http://filext.com/file-extension/DAT

Pasco is a tool we can use to retrieve data from .dat files.

What is .json ?

A data interchange format used for representing simple data structures and objects, saved in a lightweight, text-based, human-readable format. It was originally based on a subset of JavaScript but is considered a language-independent format. JSON files are often used in Ajax web application programming. They may also be used by other applications as an alternative to .XML files.

To know more about JSON:
            http://www.json.org/

Which tools can be used to find the traces in the above-mentioned file types?

There are many tools to retrieve the information, but as of now I have used the tools listed below:

  • SQLite
  • notepad
  • Pasco
  • SQLite Database Browser

How to use SQLite?

SQLite Manager can be added as an add-on for Firefox; after installing the add-on you can find it under Tools > SQLite Manager.


We can also use the SQLite Browser package, which can be downloaded from Here.
It is similar to SQLite Manager in use, but the dependent DLLs present in the folder are needed for it to work 🙂 SQLite can be used to create, add, retrieve and delete the entries in a database table. You can check more details and usage of SQLite in my coming posts.

Using SQLite

Open the database files in SQLite using the Open option. The database can only be accessed when the browser is closed. If we are using SQLite Manager for the analysis we can see the database files listed in the top drop-down list shown in the figure, and we can change the default path to our own directories if needed. Selecting a table in the left frame gives access to its entries; we can add duplicates, delete and edit the entries with the options provided.

Using the Execute SQL tab we can run custom SQL commands to create, edit or delete tables. We can add user-defined functions using the User-Defined Functions tab, which is hidden by default and becomes visible on clicking the f(x) button.

Databases can be imported / exported as CSV, XML and SQL files from the Import tab and the File menu.

Justifying the activity

To justify any activity within the evidence, the most important method we follow is the MAC table (Modified, Accessed and Created times) and an event check. By comparing the timestamps of the form history, the URLs visited and the login records we can justify the activity against the time schedule in the case. Sometimes we cannot retrieve a timestamp for the form history or other entries; in that case we fall back on local system activity.
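The timestamp comparison described above (URL visits against form-history entries) is the kind of query the Execute SQL tab runs. The script below is an added example, not code from the original post: it builds a constructed sample places.sqlite and formhistory.sqlite in memory using Firefox's real table and column names (moz_places, moz_historyvisits, moz_formhistory), converts the PRTime microsecond timestamps to UTC, and merges both sources into one timeline. It also goes one step beyond the post with a converter for Chrome's History timestamps, which count microseconds from 1601 rather than 1970. The sample URLs and values are constructed; the file path in open_readonly is an assumption you replace with the copy of the profile database you are examining.

```python
import sqlite3
from datetime import datetime, timezone

# Firefox stores PRTime: microseconds since the Unix epoch (1970-01-01 UTC).
MICROSECONDS_PER_SECOND = 1_000_000
# Chrome's History database counts microseconds since 1601-01-01 UTC;
# this is the number of seconds between that epoch and the Unix epoch.
WEBKIT_EPOCH_OFFSET_SECONDS = 11_644_473_600


def prtime_to_datetime(microseconds):
    """Firefox places.sqlite / formhistory.sqlite timestamp -> aware UTC datetime."""
    return datetime.fromtimestamp(microseconds / MICROSECONDS_PER_SECOND, tz=timezone.utc)


def webkit_to_datetime(microseconds):
    """Chrome History timestamp (WebKit time) -> aware UTC datetime."""
    seconds = microseconds / MICROSECONDS_PER_SECOND - WEBKIT_EPOCH_OFFSET_SECONDS
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def open_readonly(path):
    """Open a copied profile database read-only so the evidence copy is never modified
    (the browser must be closed, as the post notes). `path` is supplied by the analyst."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def sample_connections():
    """Constructed sample data (not from a real profile) using Firefox's own table and
    column names, so the queries below run unchanged against real profile copies."""
    places = sqlite3.connect(":memory:")
    places.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://192.168.1.1/login.cgi', 'Router Login', 2);
        INSERT INTO moz_places VALUES (2, 'https://example.test/search?q=ghost+image', 'Search', 1);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1325376000000000);  -- 2012-01-01 00:00:00 UTC
        INSERT INTO moz_historyvisits VALUES (2, 2, 1325376120000000);  -- +2 minutes
        INSERT INTO moz_historyvisits VALUES (3, 1, 1325376300000000);  -- +5 minutes
    """)
    forms = sqlite3.connect(":memory:")
    forms.executescript("""
        CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT,
                                      timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER);
        INSERT INTO moz_formhistory VALUES (1, 'username', 'admin', 1, 1325376030000000, 1325376030000000);
    """)
    return places, forms


def history_timeline(places_conn):
    """Every visit joined to its URL, oldest first: (datetime, 'visit', 'url (title)')."""
    rows = places_conn.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(prtime_to_datetime(ts), "visit", f"{url} ({title})") for ts, url, title in rows]


def formhistory_timeline(forms_conn):
    """Last use of each saved form field: (datetime, 'form', 'field=value')."""
    rows = forms_conn.execute("SELECT lastUsed, fieldname, value FROM moz_formhistory").fetchall()
    return [(prtime_to_datetime(ts), "form", f"{field}={value}") for ts, field, value in rows]


def merged_timeline(places_conn, forms_conn):
    """Interleave visits and form entries by time: the comparison used to justify an activity."""
    events = history_timeline(places_conn) + formhistory_timeline(forms_conn)
    return sorted(events, key=lambda event: event[0])


if __name__ == "__main__":
    for when, source, detail in merged_timeline(*sample_connections()):
        print(when.isoformat(), source, detail)
```

On a real case, copy places.sqlite and formhistory.sqlite out of the profile first, open the copies with open_readonly, and pass the two connections to merged_timeline; the output shows the form field being filled between the first and second visits to the login page, which is exactly the sequence the text asks you to confirm against the case timeline.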

Backup / deletion of profile data

Users can always back up their entries (bookmarks, stored passwords and video files from the cache): copy the respective files from the profile and restore them afterwards, then restart the browser once the files are replaced. Data loss is certain if the user data folder is deleted when the user is deleted.

How to back up a user profile

Chrome -- http://www.chromium.org/developers/creating-and-using-profiles
Firefox -- copy the files from the user profile path and restore them when needed

How does this work for a normal user?

These methods can be used to get data from the administrator profile or a user profile which you are restricted from logging into; sometimes admins store router web UI passwords in the browser history.

We have some tools which provide these details in a single click; one of them is FirePassword from SecurityXploded.

Comments and suggestions are welcome; if there are any new points to be included, please comment.

Posted in Forensics

Explore Ghost


In this virtualization world anything is possible. Most of the time we work with virtualization software and Ghost images to image and clone hard disks. Why work double time when we can reduce our workload by working just once? We can take a Ghost image, convert it to VMDK, and even analyze it with forensic tools by converting the GHO image to a dd raw image; for this we can again use the Symantec Ghost command-line switches like -iA and -iR.

How can we take a Ghost image?

We can use the Hiren's Boot CD, which is a collection of basic and advanced utilities for system handling, or we can use the Symantec Ghost software to image the HDD.

How to use Ghost?

I will explain how to use the Ghost utility from a Hiren's CD. You can find it under the Backup menu as Ghost32 (if you are booting from the CD, then it is Menu > Backup and recovery > Ghost32; to clone or image, use option 8, i.e. Ghost).

After accepting all warnings and messages (read before you act) you will see a screen like the one below.

To image a partition to an image file (Local > Partition > To Image); to image partition to partition (Local > Partition > To Partition); to image the whole disk rather than a partition (Local > Disk > To Disk / To Image).

To clone an image to a partition (Local > Partition > From Image); to clone a disk from an image (Local > Disk > From Image).

To check the integrity of the image we can use another option called Check (Local > Check > Disk / Image).

How to use the Ghost command-line switches?

To use the command-line switches, quit the Ghost application; it then displays a boot screen.


To access the Ghost application and its switches:

>cd Tools

>ghost.exe -help (to access the man page for the Ghost options)

>ghost.exe -clone,mode=create,src=1,dst=d:\mydisk.vmdk -vmdk -sure (to create a VMDK from a machine)

Mode is the parameter that specifies the operation you want to perform; there are various kinds such as copy, load, restore, dump and create. The operation mode will differ from user to user 🙂

To learn more about mode, refer to http://bit.ly/tunfDX

>ghost.exe -ID -clone,mode=create,src=D:\example.vmdk,dst=D:\example.iso

To create an entire copy of a disk including the unpartitioned space (used for forensic investigations).

More switches are available; to use them efficiently, check the help documentation from Symantec and the Ghost help.

Using Ghost images:

We can always explore the contents of Ghost images using Ghost Explorer, another utility from Symantec, which can be found on the Hiren's CD.

How to Use Ghost Explorer?

As discussed earlier, Ghost Explorer is used to explore, add and extract the contents of a Ghost image. It's easy to use; we just need a Ghost image of a partition or disk to explore. You can find this utility on the Hiren's CD (Backup > Ghost explorer). Open images from the File menu, then add / delete / extract the contents and save them.

Ghost as a forensic utility:

Ghost images can be used as evidence in forensic analysis, but sometimes this may fail: the hash value may not match for some images that have been changed, so we cannot totally assure the integrity of the files. Something is better than nothing, and in such cases we can still rely on these images. GHO images can be converted to dd raw images, which are accepted by all forensic examination tools.
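The hash-mismatch problem above is only detectable if a hash was recorded when the raw image was produced and is re-checked before the image is relied on. The script below is an added example, not code from the original post or from Symantec: it hashes a dd-style raw image in fixed-size chunks (so multi-gigabyte images never have to fit in memory), writes a sidecar file in the usual "digest  filename" layout, and verifies the image against that sidecar later. The demo writes a small constructed fake image to a temporary directory; the file name evidence.dd and its contents are constructed, and the sidecar naming convention is an assumption.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large images stream through


def hash_image(path, algorithm="sha256"):
    """Hex digest of a raw image computed chunk by chunk."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sidecar_path(path, algorithm="sha256"):
    # Assumed convention: evidence.dd -> evidence.dd.sha256
    return f"{path}.{algorithm}"


def write_sidecar(path, algorithm="sha256"):
    """Record the acquisition-time hash next to the image and return it."""
    digest = hash_image(path, algorithm)
    with open(sidecar_path(path, algorithm), "w") as sidecar:
        sidecar.write(f"{digest}  {os.path.basename(path)}\n")
    return digest


def verify_image(path, algorithm="sha256"):
    """Re-hash the image and compare with the recorded value: (recorded, current, matched)."""
    with open(sidecar_path(path, algorithm)) as sidecar:
        recorded = sidecar.read().split()[0]
    current = hash_image(path, algorithm)
    return recorded, current, recorded == current


def demo():
    """Constructed sample: a tiny fake raw image, hashed, then altered by one byte.
    Returns (matched before change, matched after change)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")
    with open(image, "wb") as fake:
        fake.write(b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096)  # constructed content
    write_sidecar(image)
    before = verify_image(image)[2]
    with open(image, "r+b") as fake:  # simulate the image changing after acquisition
        fake.seek(10)
        fake.write(b"\x01")
    after = verify_image(image)[2]
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False): intact image verifies, altered image does not
```

Run write_sidecar on the dd image as soon as Ghost produces it and keep the sidecar with the case notes; verify_image then gives a yes/no answer on whether the image you are about to analyze is still the one you acquired, rather than the uncertain "hash may not match" situation the text describes.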

Using .gho as a raw dump

Using Symantec Ghost, which is available on the Hiren's CD, we can convert a .gho file to dd for forensic analysis.

As mentioned earlier, use the switch -Ir / -ID. To avoid mistakes use:

>ghost.exe -ID (for a UI 🙂)

>ghost.exe -ID|-Ir -clone,mode=create,src=C:\,dst=D:\mydisk.dd

To create a disk image for forensic analysis (as a raw dump).

What is a .vmdk file?

VMDK is the extension of a VMware virtual disk image, which stores the data of a virtual machine; it can be described as the HDD of the virtual machine. It comes in two types: fixed and custom size. With a fixed size, whatever size we give the image is taken from the physical HDD immediately; for example, if I set the fixed HDD size as 30 GB, 30 GB of space is used on the physical HDD at once. In the custom configuration the disk space is assigned as a single file, and space on the physical HDD is used according to the actual usage of the VM.

How can this VMDK be used?

This file can be used in malware analysis, forensic analysis and as a data backup.

How to Convert GHO to VMDK?

>ghost.exe -clone,mode=restore,src=example.gho,dst=example.vmdk -batch -sure

To convert a Ghost image to VMDK.

How to convert VMDK to GHO?

>ghost32 -clone,mode=create,src=example1.vmdk,dst=example1.gho -batch -sure

Using VMDK to deploy on an HDD directly

To clone an image to an HDD from a VMDK, boot the Hiren's CD, select Ghost as mentioned earlier and choose Partition > From Image; then, in place of the GHO image, specify the VMDK file. This works for a single VMDK file; if multiple VMDK files were created for the same machine, the cloning process may fail.

Reference: http://www.symantec.com/connect/articles/

Any comments / suggestions are welcome 🙂

Posted in Forensics

My articles in CHmag

Hi


Well, it's a late announcement, but still:
My articles on forensics have been posted in CHmag for the Matriux Vibhag section. More to come yet.


Forensics Part-I -- Introduction and Acquisition
Forensics Part-II -- Analysis
Forensics Part-III -- Analysis, Part II


Your comments and suggestions will make my articles more interesting and better knowledge-sharing material. Please give feedback after going through them :).

First Indian Security and Hacking Magazine
Posted in Forensics