Forensics – Part III

December 3, 2011

Hi readers

In the previous forensics issues we saw how to use Vinetto to analyse thumbs.db files from a machine or from an image. Continuing with the early-analysis tools, this issue covers another one.

In a forensic investigation, web history is a major source of evidence. Web traces can be found in index.dat files and in cookies.

Using Pasco we can find evidence in index.dat files, which store the IE and Chrome browsing cache, whereas Firefox has its own cache files.

PASCO

Pasco is a Latin word meaning "to browse". It is used to analyse index.dat files and obtain the Internet history from a machine with IE installed, by reconstructing the records stored in the index.dat file. Pasco writes its output as delimited text (CSV), which can be loaded into a spreadsheet. From the index.dat file we get fields such as record type, URL, modified time, access time, file name, directory and HTTP headers.

index.dat:

It is a repository of information such as web URLs, search queries and recently opened files. Its purpose is to enable quick access to data used by Internet Explorer. The index.dat file is user-specific and stays open as long as the user is logged on to Windows. Separate index.dat files exist for the Internet Explorer history, cache and cookies, and they are created for every user. A cookie is a small file containing data that a web server places on the user's computer so that it can request it back at a later date.

Some of the locations where index.dat files can be found are under the user's profile directory, C:\Documents and Settings\<user>.

How it is helpful for forensic analysis:

  • To know the user's Internet activity.
  • To know the user's motive for accessing the Internet.

How To Use:
Command to find index.dat files on a mounted HDD: find /media/Drive -name index.dat

Implementation

$ pasco [options] "path of the index.dat file" | sort options > "path of the output file"

ex :: $ pasco /home/Krypton/Desktop/index.dat | sort -M > /home/Krypton/Desktop/a.xls


The output, sorted by month with sort -M, is written to a.xls on the Desktop, where it can be opened in a spreadsheet.

Options:
-t  field delimiter (tab by default)
-d  undelete activity records

Pasco is a handy tool for Internet history analysis.
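Pasco only reconstructs the records; the analyst still has to put them in order. The following Python script is an added example and is not part of the article or of Pasco itself. It parses Pasco's delimited output (the "History File:" banner, the TYPE ... HTTP HEADERS header row and the MM/DD/YYYY HH:MM:SS timestamps are assumptions about Pasco's default layout, and the sample output is constructed, not taken from a real index.dat), orders the records by access time while keeping entries that carry no timestamp (such as REDR redirect records) at the end, and counts visits per month, which is what the sort -M step above is trying to achieve.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of pasco's tab-delimited output, not the output of a real
# index.dat. The "History File:" banner, the TYPE ... HTTP HEADERS header row and
# the MM/DD/YYYY HH:MM:SS timestamps are assumptions about pasco's default layout.
SAMPLE_PASCO_OUTPUT = (
    "History File: /home/Krypton/Desktop/index.dat\n"
    "\n"
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS\n"
    "URL\thttp://example.com/login.htm\t03/14/2011 09:12:44\t03/14/2011 09:12:50"
    "\tlogin[1].htm\tA1B2C3D4\tHTTP/1.1 200 OK\n"
    "URL\thttp://example.org/report.pdf\t01/05/2011 18:30:01\t01/05/2011 18:30:07"
    "\treport[1].pdf\tE5F6A7B8\tHTTP/1.1 200 OK\n"
    "REDR\thttp://example.net/track?id=7\t\t\t\t\t\n"
    "URL\thttp://example.com/search?q=pasco\t02/20/2011 22:01:13\t02/20/2011 22:01:20"
    "\tsearch[1].htm\tA1B2C3D4\tHTTP/1.1 200 OK\n"
)

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumed pasco timestamp layout


def parse_time(value):
    """Return a datetime, or None for the empty time fields that records
    without a timestamp (for example REDR redirect entries) carry."""
    value = value.strip()
    return datetime.strptime(value, TIME_FORMAT) if value else None


def parse_pasco(text):
    """Parse pasco output into a list of dicts keyed by the header names.
    Everything before the TYPE header line (the banner) is skipped and
    short rows are padded so that every record has every column."""
    lines = text.splitlines()
    header_idx = next((i for i, line in enumerate(lines) if line.startswith("TYPE\t")), None)
    if header_idx is None:
        raise ValueError("no pasco header line found in input")
    columns = lines[header_idx].split("\t")
    records = []
    for line in lines[header_idx + 1:]:
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (len(columns) - len(fields))  # pad short rows
        record = dict(zip(columns, fields))
        record["MODIFIED TIME"] = parse_time(record["MODIFIED TIME"])
        record["ACCESS TIME"] = parse_time(record["ACCESS TIME"])
        records.append(record)
    return records


def sort_by_access_time(records):
    """Newest access first; records with no access time go to the end."""
    timed = [r for r in records if r["ACCESS TIME"] is not None]
    untimed = [r for r in records if r["ACCESS TIME"] is None]
    return sorted(timed, key=lambda r: r["ACCESS TIME"], reverse=True) + untimed


def visits_per_month(records):
    """Count URL records per calendar month of access, oldest month first."""
    counts = Counter(
        r["ACCESS TIME"].strftime("%Y-%m")
        for r in records
        if r["TYPE"] == "URL" and r["ACCESS TIME"] is not None
    )
    return sorted(counts.items())


if __name__ == "__main__":
    history = parse_pasco(SAMPLE_PASCO_OUTPUT)
    for rec in sort_by_access_time(history):
        print(rec["ACCESS TIME"], rec["TYPE"], rec["URL"])
    print(visits_per_month(history))
```

To use it on real output, run pasco with its output redirected to a file and pass the file contents to parse_pasco; the timeline and the per-month counts then come from the same parsed records, so the two views cannot disagree with each other.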

Another way of retrieving data from files stored by the browser:
How we can use SQLite in forensics

The SQLite databases in the Mozilla Firefox and Chrome profile folders can be read with an SQLite tool, and from them we can analyse the user's browser activity.
The profile folders are found at the locations below.

Mozilla Firefox – ...\AppData\Roaming\Mozilla\Firefox\Profiles\*.default
Chrome – ...\AppData\Local\Google

This tool can be found in the Mantra browser under Arsenal > Framework > Mantra.
What is SQLite?

SQLite is an embedded SQL database engine. SQLite reads and writes directly to ordinary disk files: a complete SQL database with multiple tables, indices, triggers and views is contained in a single disk file. The database file format is cross-platform, so you can freely copy a database between 32-bit and 64-bit systems. SQLite is a popular database engine choice on memory-constrained devices such as smartphones, PDAs and MP3 players. Its main advantages are that it is:

●    Simple to administer
●    Simple to operate
●    Simple to embed in a larger program
●    Simple to maintain and customize

How to Use SQLite?
SQLite Manager can be added as an add-on for Firefox; after installing the add-on you can find it under Tools > SQLite Manager.

We can also use the SQLite Browser package, which can be downloaded from http://sourceforge.net/projects/sqlitebrowser/. It is used in the same way as SQLite Manager, but it needs the dependent DLLs present in its folder in order to work. SQLite can be used to create, add, retrieve and delete the entries in a database table.

Using SQLite

Open database files in SQLite using the Open option. Chrome's databases can only be accessed when the browser is closed. If we are using SQLite Manager for the analysis, the database files are listed in the top drop-down list shown in the figure; we can change the default path to our own directories if needed. Selecting a table in the left frame gives access to its entries, and the options let us add duplicates, delete and edit entries.

Using the Execute SQL tab we can run custom SQL commands to create, edit or delete tables. We can add user-defined functions from the User-Defined Functions tab, which is hidden by default and becomes visible on clicking the f(x) button.

Databases can be imported and exported as CSV, XML and SQL files from the Import tab and the File menu.
Some important files from which we can gather information include:

Firefox              Chrome                          Description
cookies.sqlite       Cookies                         Cookies
formhistory.sqlite   Web Data                        Details filled in forms
places.sqlite        History, Top Sites, Web Data    Browser activity such as bookmarks, visits and keyword searches
signons.sqlite       Login Data                      Usernames and passwords stored by the browser
key3.db              Login Data                      Stored passwords

SQLite is another good option for analysing the database files of browsers.
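The Execute SQL tab described above runs arbitrary queries against the profile databases; the same work can be scripted, which is useful when many profiles have to be processed. The Python script below is an added example, not code from the article or from any of the tools it names. It uses the standard sqlite3 module, opens the files read-only (the same precaution as closing the browser before opening a Chrome database), and queries the places.sqlite and History files listed in the table. The Firefox tables moz_places and moz_historyvisits and the Chrome table urls are real, but only the columns the queries need are created here, and the rows are constructed. The part the GUI tools do not explain is the timestamp format: Firefox stores microseconds since the Unix epoch, Chrome microseconds since 1601-01-01 UTC, and the script converts each accordingly.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Firefox stores visit_date / last_visit_date as microseconds since the Unix
# epoch (PRTime); Chrome stores last_visit_time as microseconds since
# 1601-01-01 UTC (WebKit time). Reading one with the other's epoch puts every
# visit about 369 years out.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def firefox_time(microseconds):
    return UNIX_EPOCH + timedelta(microseconds=microseconds)


def chrome_time(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def open_readonly(path):
    """Open a database without taking a write lock. Work on a copy of the
    profile file: a running browser keeps the original locked, and the
    analysis must not modify the evidence."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def firefox_history(path):
    """Visits from places.sqlite as (url, title, visit datetime), newest first."""
    sql = """
        SELECT p.url, p.title, v.visit_date
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        ORDER BY v.visit_date DESC
    """
    conn = open_readonly(path)
    try:
        return [(url, title, firefox_time(ts)) for url, title, ts in conn.execute(sql)]
    finally:
        conn.close()


def chrome_history(path):
    """Entries from Chrome's History file as (url, title, last visit), newest first."""
    sql = "SELECT url, title, last_visit_time FROM urls ORDER BY last_visit_time DESC"
    conn = open_readonly(path)
    try:
        return [(url, title, chrome_time(ts)) for url, title, ts in conn.execute(sql)]
    finally:
        conn.close()


def build_sample_profiles(directory):
    """Create constructed places.sqlite and History files holding only the
    columns the queries above need. These are not copies of real profiles;
    the timestamps encode 2011-12-03 00:00 and 01:00 UTC in each browser's
    own epoch."""
    firefox_db = Path(directory) / "places.sqlite"
    chrome_db = Path(directory) / "History"
    conn = sqlite3.connect(str(firefox_db))
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.com/', 'Example');
        INSERT INTO moz_places VALUES (2, 'http://example.org/search?q=pasco', 'Search');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1322870400000000);
        INSERT INTO moz_historyvisits VALUES (2, 2, 1322874000000000);
    """)
    conn.commit()
    conn.close()
    conn = sqlite3.connect(str(chrome_db))
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           last_visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'http://example.com/', 'Example', 12967344000000000);
        INSERT INTO urls VALUES (2, 'http://example.org/search?q=pasco', 'Search',
                                 12967347600000000);
    """)
    conn.commit()
    conn.close()
    return str(firefox_db), str(chrome_db)


def demo():
    """Build the sample profiles in a temporary directory and query both."""
    with tempfile.TemporaryDirectory() as tmp:
        firefox_db, chrome_db = build_sample_profiles(tmp)
        return {"firefox": firefox_history(firefox_db),
                "chrome": chrome_history(chrome_db)}


if __name__ == "__main__":
    for browser, rows in demo().items():
        for url, title, when in rows:
            print(f"{browser:8} {when.isoformat()}  {title!r:12} {url}")
```

On a real case, point firefox_history and chrome_history at copies of the profile files; because both functions return timezone-aware UTC datetimes, visits from the two browsers can be merged into one timeline without a second conversion.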

For any further details / queries mail @

report@matruix.com

Follow us at @matriuxtig3r on twitter and http://facebook.com/matriuxtig3r

Pardhasaradhi is working as a Systems QA engineer. He is an active member of ClubHack, HackIT and null, and works with the Matriux Forensics team. He is also one of the moderators of the null Hyderabad chapter. His interests include Forensics, Auditing, Penetration Testing and Designing.
