Archives For Browser Forensics
With the release of Internet Explorer 10, Microsoft made a radical departure from the way previous browser artifacts were stored. The perennial Index.dat records were replaced with a centralized metadata store for the browser using the proven “JET Blue” Extensible Storage Engine (ESE) database format. While many forensic examiners have remained blissfully unaware of the ESE format, it has been increasingly used throughout Microsoft products, including Exchange, NTDS.DIT, the Windows search database, Windows Live Messenger contacts, and Internet Explorer (IE). With the introduction of an enterprise-grade database hosting network artifacts, it is now time for every Windows investigator to understand how the database works and what data they may be missing. Remember that even if a user never opens Internet Explorer, there may still be valuable records in their IE database, including files opened on the local system, network shares, and removable devices. It may also hold evidence of malicious activity, including HTTP connections initiated on behalf of malware or suspicious sites visited via links clicked in email clients. Internet Explorer and its supporting libraries are deeply tied to the Windows operating system, and WinINet API functions often interact with the IE databases. Thus IE history, and the WebCache database in particular, continues to be a rich data source during many forensic examinations.
It has been over six months since Edward Snowden’s unprecedented NSA leaks, and we are still a long way from being able to assess the damage. Worldwide trust in United States tech companies has undoubtedly been shaken. Cisco Systems blamed a ten percent revenue drop on fallout from the leaks. Microsoft is offering the ability for foreign customers to have their data stored outside of the United States. And Silicon Valley stalwarts from Apple to Google to Yahoo have spent considerable resources defending themselves as each new embarrassing revelation becomes public. The trickle-down effect of this is even touching the small niche of digital forensics. Personal privacy has been central to the Snowden debate, and users today are more educated than ever about how their information is stored and transmitted. Web services companies are taking notice, and we have already seen some very useful artifacts disappear. I expect the trend to continue and would like to share a few examples.
On October 1, 2013, version 30 of Google Chrome was released. Absent in this release was one of the most distinctive browser artifacts available: History Index files. Prior to version 30, Chrome not only stored browser history, cache and cookies but also recorded a full-text index of each visited page. Since page content can change, this was a wonderful forensic artifact for proving what existed on a given page when a user viewed it. Chrome version 30 not only stopped recording this information, it also deleted any existing History Index files from the user’s profile.
While doing some browser forensics research, I stumbled upon a Chrome extension named Collusion for Chrome. This extension provides a visual representation of the tracking information shared with third-party sites during web browsing. While the notion of browser tracking is hardly surprising these days, Collusion provides some of the most compelling evidence I have seen for the “Do Not Track” movement.
As an example, the image above shows my browser activity during a brief period. I selected a specific node corresponding to Wired.com and you can see the vast number of external connections a visit to Wired spawns. Information about the various contacted sites can be identified using the following key:
- Blue nodes: Sites previously visited by the user
- Gray nodes: Third party sites receiving browser data (never visited by user)
- Red nodes: Known aggregators of tracking information (the slash indicates the site was blocked by Collusion)