In the previous forensics issues we have seen how to use Vinetto to analyse thumbs.db files from a machine or from an image. As a continuation of the earlier analysis tools, we cover another one in this issue.
In a forensic investigation, web history is a major source of evidence. Web traces can be found in index.dat files and in cookies.
Using Pasco we can find evidence in index.dat files, which store the IE and Chrome browsing cache, whereas Firefox has its own cache files.
Pasco is a Latin word meaning "to browse". It is used to analyse index.dat files and recover the Internet history from a machine with IE installed, reconstructing the records stored in an index.dat file. Pasco gives its output in CSV format, which can be loaded into a spreadsheet. From an index.dat file we can obtain the record type, URL, modified time, access time, file name, directory and HTTP headers.
index.dat is a repository of information such as web URLs, search queries and recently opened files. Its purpose is to give Internet Explorer quick access to that data. The index.dat file is user-specific and stays open as long as the user is logged on to Windows. Separate index.dat files exist for the Internet Explorer history, cache and cookies, and these files are created for each and every user. A cookie is a small file of data that a web server places on a user's computer so that it can request it back at a later date.
Some of the locations where index.dat files can be found are under C:\Documents and Settings\<user>.
How it is helpful for forensic analysis:
- To learn the user's Internet activity.
- To learn the user's motive for accessing the Internet.
How To Use:
Command to find index.dat on a HDD: find /media/Drive -name index.dat
$ pasco [options] "path of the index.dat file" | any options to sort the data > path of the output file
ex :: $ pasco /home/Krypton/Desktop/index.dat | sort -M > /home/Krypton/Desktop/a.xls
The output, sorted according to month, is written to a file on the Desktop that can be opened as a spreadsheet. (The original form of the command redirected Pasco's output to the file before piping to sort, so sort received nothing; sorting must happen before the redirection, as shown here.)
Options:
-t Field delimiter
-d Undelete activity records
Pasco is a very handy tool for Internet history analysis.
Another way of retrieving data from browser-stored files.
How we can use SQLite in forensics
The SQLite databases in the Mozilla Firefox / Chrome profile folders are a rich source of data; by opening them with an SQLite tool we can analyse the user's browser activity.
You can find the profile folders at the locations mentioned below.
Mozilla Firefox: …\AppData\Roaming\Mozilla\Firefox\Profiles\*.default
This tool can be found in the Mantra browser: Arsenal > framework > mantra
What is SQLite?
SQLite is an embedded SQL database engine. SQLite reads and writes directly to ordinary disk files: a complete SQL database with multiple tables, indices, triggers and views is contained in a single disk file. The database file format is cross-platform, so you can freely copy a database between 32-bit and 64-bit systems. SQLite is a popular database engine choice on memory-constrained devices such as smartphones, PDAs and MP3 players. Its main advantages are that it is:
● Simple to administer
● Simple to operate
● Simple to embed in a larger program
● Simple to maintain and customize
How to Use SQLite?
SQLite can be added as an add-on for Firefox; after installing the add-on you can find it under Tools > SQLite Manager.
We can also use the SQLite Browser package, which can be downloaded from http://sourceforge.net/projects/sqlitebrowser/. It is used in the same way as SQLite Manager, but it needs the dependent DLLs that ship in its folder in order to work. SQLite can be used to create, add, retrieve and delete the entries in a database table.
Open database files in SQLite using the Open option. Chrome's databases are only accessible when the browser is closed. If we are using SQLite Manager for the analysis, we can see the database files listed in the top drop-down list shown in the figure; we can change the default path to our own directories if needed. Selecting a table in the left frame gives access to its entries, and with the options we can duplicate, delete and edit entries.
Databases can be imported / exported as CSV, XML and SQL files from the Import tab and the File menu.
Some important files from which we can gather information include:
|Firefox file|Chrome file|Contents|
|Formhistory.sqlite|Web Data|Details filled in a form|
|Places.sqlite|History, Top Sites, Web Data|Browser activities such as bookmarks, visits and keyword searches|
|Signons.sqlite|Login Data|Usernames and passwords stored in the browser|
SQLite is the other good option for analysing the database files of browsers.
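The queries an analyst runs against Places.sqlite in SQLite Manager can also be scripted. The following is an added example, not code from the original article or from the Matriux project: it assumes the moz_places / moz_historyvisits layout of a Firefox places.sqlite (URLs and titles in one table, individual visits with a PRTime timestamp in microseconds since the Unix epoch in the other) and builds an in-memory database with constructed rows so it runs offline; pointing it at a copy of a real profile file is a one-line change.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed sample rows in the moz_places / moz_historyvisits layout
# (assumption: that is Firefox's schema; every value here is made up).
SAMPLE_PLACES = [
    (1, "http://example.com/", "Example Domain", 2),
    (2, "http://example.org/search?q=matriux", "matriux - search", 1),
]
SAMPLE_VISITS = [  # (id, place_id, visit_date in microseconds since the epoch)
    (1, 1, 1325376000000000),  # 2012-01-01 00:00:00 UTC
    (2, 2, 1325379600000000),  # 2012-01-01 01:00:00 UTC
    (3, 1, 1325383200000000),  # 2012-01-01 02:00:00 UTC
]

def build_sample_db():
    """Create an in-memory stand-in for places.sqlite holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", SAMPLE_PLACES)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?)", SAMPLE_VISITS)
    con.commit()
    return con

def prtime_to_iso(microseconds):
    """Firefox stores PRTime: microseconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def visit_timeline(con):
    """Join each visit to its place so the timeline carries URL and title, oldest first."""
    rows = con.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(prtime_to_iso(ts), url, title) for ts, url, title in rows]

def search_terms(con):
    """Recover keyword searches from visited URLs via the common 'q' parameter (assumption)."""
    terms = []
    for (url,) in con.execute("SELECT url FROM moz_places"):
        q = parse_qs(urlparse(url).query).get("q")
        if q:
            terms.append(q[0])
    return terms

if __name__ == "__main__":
    # For a real profile, replace build_sample_db() with sqlite3.connect("places.sqlite"),
    # working on a copy of the file with the browser closed.
    for when, url, title in visit_timeline(build_sample_db()):
        print(when, url, title)
```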
For any further details / queries mail @
Follow us at @matriuxtig3r on twitter and http://facebook.com/matriuxtig3r