
CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 9 Lecture

Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Any questions before the Quiz?

Final Exam Next Week

No notes
Covers material from the beginning through lecture #8
We'll review tonight after I get through the new material
No lab today because of the missed class period due to the Memorial Day holiday

New Material This Week

Other Browsers

Firefox
Google Chrome
Safari (in passing)

Firefox

Numerous versions, especially recently.
Major changes to forensic artifacts occurred between version 2 and 3, which was released in June of 2008.
We will primarily concern ourselves with pre-3.0 and 3.0+ versions.

Firefox Artifacts

History
Cache
Cookies
Bookmarks/Favorites

No usage of the registry. All artifacts stored in files, mostly using complex database formats.

Firefox File Locations (non-cache)

XP: <profile>\Application Data\Mozilla\Firefox\Profiles\<moz_profile>
Vista/Win7: <profile>\AppData\Roaming\Mozilla\Firefox\Profiles\<moz_profile>

Firefox File Locations (cache)

XP: <profile>\Local Settings\Application Data\Mozilla\Firefox\Profiles\<moz_profile>\Cache
Vista/Win7: <profile>\AppData\Local\Mozilla\Firefox\Profiles\<moz_profile>\Cache

Firefox Version Determination

If the version is less than 3.0, there will be no .sqlite files in the Firefox profile folder.
The exact version can be determined by examining prefs.js in the Firefox profile folder for the line setting extensions.lastAppVersion (the Firefox version) or extensions.lastPlatformVersion (the Gecko platform version, which has been identical to the Firefox version since Firefox 5).
Example:

user_pref("extensions.lastPlatformVersion", "9.0.1");
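The version check above, and the browser.download.dir and privacy preferences mentioned later in this lecture, all come from the same one-call-per-line prefs.js format. The following added example (mine, not from the original slides) parses that format into typed values and reports the version and whether the profile should contain SQLite files. The prefs.js content is a constructed sample; the preference names in it are real Firefox preference names, but the values are made up.

```python
import re
from typing import Dict, Union

# Constructed sample of a Firefox prefs.js; not a file from the original page.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
/* Do not edit this file. */
user_pref("browser.download.dir", "C:\\Documents and Settings\\jdoe\\Desktop\\dl");
user_pref("browser.history_expire_days", 90);
user_pref("browser.privatebrowsing.autostart", false);
user_pref("extensions.lastAppVersion", "9.0.1");
user_pref("extensions.lastPlatformVersion", "9.0.1");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
'''

PrefValue = Union[str, int, bool]

# One user_pref(...) call per line: a quoted name, then a string, integer or boolean literal.
_PREF_RE = re.compile(
    r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|(-?\d+)|(true|false))\s*\);'
)


def _unescape(s: str) -> str:
    # prefs.js uses JavaScript string escapes; backslash and double quote are the common ones.
    return re.sub(r'\\(.)', r'\1', s)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {preference name: value} for every user_pref line; comments are ignored."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comment, blank line or something we do not understand
        name, s, n, b = m.groups()
        if s is not None:
            prefs[_unescape(name)] = _unescape(s)
        elif n is not None:
            prefs[_unescape(name)] = int(n)
        else:
            prefs[_unescape(name)] = (b == "true")
    return prefs


def firefox_version(prefs: Dict[str, PrefValue]):
    """Prefer lastAppVersion; fall back to lastPlatformVersion (equal to it from Firefox 5 on)."""
    return prefs.get("extensions.lastAppVersion") or prefs.get("extensions.lastPlatformVersion")


def uses_sqlite(version: str) -> bool:
    """Firefox 3.0 and later keep history, bookmarks, cookies etc. in .sqlite files."""
    return int(version.split(".")[0]) >= 3


if __name__ == "__main__":
    p = parse_prefs(SAMPLE_PREFS_JS)
    v = firefox_version(p)
    print("Firefox", v, "- SQLite profile" if uses_sqlite(v) else "- Mork profile")
    print("download dir:", p.get("browser.download.dir"))
    print("history days:", p.get("browser.history_expire_days"))
```

Only lines that match the exact user_pref(...) shape are accepted; anything else is skipped rather than guessed at, so a damaged or partially carved prefs.js still yields the preferences that survived intact.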

Firefox Profiles Before Version 3

History files stored using Mork format (Obscure text-based DB)


history.dat
formhistory.dat
bookmarks.html
cookies.txt
downloads.rdf

Bookmarks stored in HTML

Cookies & Downloads stored as text

Cache references are stored in a complex database, and some actual cache data is stored in a binary format

Firefox History Before Version 3


Mork field names:
Complete URL: URL
Page title: Name
First visited: FirstVisitDate
Last visited: LastVisitDate
Number of times site visited: VisitCount
Whether URL was typed: Typed
Page retrieved without user action?: Hidden
Referring page: Referrer

Firefox Cookies Before Version 3


Data stored in tab-separated columns in cookies.txt (one row per cookie; lines beginning with # are comments):

Col1: website domain (a leading dot means the cookie applies to subdomains)
Col2: TRUE if all hosts within the domain can access the cookie, FALSE if only the named host can
Col3: webserver directory path for which the cookie is valid
Col4: TRUE if the cookie is only sent over HTTPS
Col5: expiration date (Unix epoch time, seconds)
Col6: cookie name
Col7: values/preferences stored

Pre Firefox 3 Cookie Example


.youtube.com TRUE / FALSE 1317674985 __utma 27069237.1816673280909886200.1243093244.1253991722.1254602985.13
.youtube.com TRUE / FALSE 1276028394 VISITOR_INFO1_LIVE N2Xmi-uMhTo
.youtube.com TRUE / FALSE 1306165239 __utmx 27069237.00004945564262247550:3:0-0-10
.youtube.com TRUE / FALSE 1306165239 __utmxx 27069237.00004945564262247550:1243093239:2592000
.youtube.com TRUE / FALSE 1258861243 __utmz 27069237.1243093244.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
.youtube.com TRUE / FALSE 1520356702 LOCALE_PREFERENCE 86d1d09eefe6b79b4068000ce05518a4dAUAAABlbl9VUw==

BTW, important note: you should be able to recognize the format of that last entry. It's called Base64 (the alphabet A-Z, a-z, 0-9, + and /, with = padding at the end), and sometimes it translates to interesting values.

Useful online format translator

http://home.paulschou.net/tools/xlate/

Text Binary Hex Decimal Base64 ASCII Hash
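An added example (mine, not from the original slides) that does for the pre-Firefox-3 cookies.txt what the slides describe by hand: it parses the tab-separated columns, converts the epoch expiry to UTC, and tests each value for valid Base64, extracting any printable runs from the decoded bytes. The cookie lines are a constructed sample modelled on the YouTube entries above (the LOCALE_PREFERENCE value is the one shown on the slide); the Base64 heuristic and the printable-run extraction are my additions.

```python
import base64
import re
from datetime import datetime, timezone
from typing import List, Optional

# Constructed cookies.txt in the Netscape/pre-Firefox-3 format: tab-separated, # for comments.
SAMPLE_COOKIES_TXT = (
    "# HTTP Cookie File\n"
    ".youtube.com\tTRUE\t/\tFALSE\t1317674985\t__utma\t"
    "27069237.1816673280909886200.1243093244.1253991722.1254602985.13\n"
    ".youtube.com\tTRUE\t/\tFALSE\t1276028394\tVISITOR_INFO1_LIVE\tN2Xmi-uMhTo\n"
    ".youtube.com\tTRUE\t/\tFALSE\t1520356702\tLOCALE_PREFERENCE\t"
    "86d1d09eefe6b79b4068000ce05518a4dAUAAABlbl9VUw==\n"
)

FIELDS = ("domain", "domain_wide", "path", "secure", "expiry", "name", "value")


def parse_cookies_txt(text: str) -> List[dict]:
    """One dict per cookie row; the TRUE/FALSE flags become booleans, expiry becomes UTC ISO text."""
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # malformed row: skip it rather than misalign the columns
        c = dict(zip(FIELDS, parts))
        c["domain_wide"] = c["domain_wide"] == "TRUE"
        c["secure"] = c["secure"] == "TRUE"
        ts = int(c["expiry"])
        c["expiry_utc"] = (datetime.fromtimestamp(ts, tz=timezone.utc)
                           .strftime("%Y-%m-%dT%H:%M:%SZ") if ts else None)
        cookies.append(c)
    return cookies


# Standard Base64 alphabet with optional = padding; length must be a multiple of 4.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def base64_payload(value: str) -> Optional[bytes]:
    """Decoded bytes if the value is syntactically valid standard Base64, otherwise None."""
    if len(value) % 4 or not _B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return None


def printable_runs(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len long, like the strings(1) utility."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    for c in parse_cookies_txt(SAMPLE_COOKIES_TXT):
        print(c["domain"], c["name"], "expires", c["expiry_utc"])
        payload = base64_payload(c["value"])
        if payload is not None:
            print("  base64 decodes to strings:", printable_runs(payload))
```

The LOCALE_PREFERENCE value is 48 characters, all in the Base64 alphabet, so it decodes as a whole; its tail is a length-prefixed "en_US", which is the "interesting value" the slide refers to. The leading 32 hex characters decode to binary noise, so a strings-style scan of the result is the practical way to surface the readable part.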

Firefox 2 DOM Storage

Supposedly supported. I don't think it used SQLite. Can't find further information.

Firefox Cache (All Versions)

Folder Structure:

_CACHE_MAP_: master tracking file for the cache
_CACHE_###_: cache block files, the primary storage locations
########: (8-character hex number) data files which store entries too large to fit within a cache block file

Data files are stored with the content encoding (deflate or gzip) intact, unlike IE, so they can often be carved from unallocated space by their gzip/zlib headers.

Pre Firefox 3 Bookmarks


Found in bookmarks.html. Sample entry:

<DT><A HREF="http://www.w3.org/TR/2004/CR-CSS21-20040225/" ADD_DATE="1079992089" LAST_VISIT="1132078168" LAST_CHARSET="ISO-8859-1" ID="rdf:#$kLc2Z">Cascading Style Sheets, level 2 revision 1</A>

The fields of interest are the URL (HREF), the bookmark add and last visit dates (ADD_DATE and LAST_VISIT, both Unix epoch seconds), and the page title (the anchor text).

Pre Firefox 3 Bookmark Backups

Stored in the bookmarkbackups subfolder
Up to 5 copies, one per day
Filename: bookmarks-<date>.html
Copies of bookmarks.html

Pre Firefox 3 Download History

XML fields in downloads.rdf:

Name: downloaded file name
URL: download URL
File: save location
DateStarted: time download started
DateEnded: time download ended
DownloadState: successful?

Times are in the local system timezone. The default download folder is the user's desktop.

Settable via browser.download.dir in prefs.js

Pre Firefox 3 Form Autocomplete

Mork field from formhistory.dat

Name: name of the field for which data was entered
Value: data entered into the form field

Firefox Session Restore (all versions)

Data found in sessionstore.js:

Open windows
Window screen positions & sizes
Scroll positions
Tab history
Cookies
Form data
Restartable failed file downloads

File is deleted on normal exit

Firefox Privacy Options

By default, Firefox 1 through 3 keep 90 days of history. Firefox 4+ dynamically determines the amount of saved history based on system resources (could be more). There are lots of options for controlling what's retained and what's automatically deleted, on a very granular basis.

These are stored in prefs.js.

It's also easy to selectively delete sites from the collected history.

Firefox Privacy Settings (10.0)

Right-click "Forget About This Site" option in the History view

Clear Recent History Options

Signs of Cleared History

To clear DOM Storage, the user must select both Cookies and Everything.
Record ID numbers in SQLite are assigned sequentially, so selective deletion leaves gaps in the ID sequence.
Selective site history deletion causes the entire browser cache to be deleted.

Private Browsing (Porn) Mode

Solid implementation.
Protects history, search history, download history, form data, cookies and cache data.
Bookmarks aren't protected, and neither (because they're filesystem artifacts) are files that are actually downloaded.
The only known ways to recover most of this data involve carving from unallocated space or memory.

Recovering Deleted Firefox Artifacts

SQLite is known for the frequency with which it creates temporary files.
Even if there are no browser artifacts still in allocated space, the odds are very good that there are fragments scattered all across unallocated space.
It's also very possible that some of these files may be intact SQLite database files.

SQLite Database File Format

The file begins with the magic string "SQLite format 3\000" (the \000 is a single null byte, so the header string is 16 bytes).
At offset 16 is a 2-byte big-endian quantity, the database page size in bytes. It must be a power of two between 512 and 32768, except that the value 1 means a page size of 65536 (which does not fit in 16 bits).
At offset 28 is a 4-byte big-endian quantity, the size of the database file in pages. This in-header size is only reliable when the 4-byte change counter at offset 24 equals the "version-valid-for" number at offset 92 (databases written by SQLite 3.7.0 and later keep the two in sync; older files may hold 0 here, in which case fall back to the length of the carved data).
Page size multiplied by page count gives the file length, which makes it relatively simple to carve the file out of unallocated space.
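The carving procedure above, as an added example (mine, not from the original slides): it parses the header fields at offsets 16, 24, 28 and 92, rejects headers whose page size is not a valid power of two or whose page count is untrustworthy, and cuts each database out of a blob. The "unallocated space" image is constructed inline from a small database that the script itself creates with Python's sqlite3 module; the table name moz_places is borrowed from places.sqlite for flavour only.

```python
import os
import sqlite3
import struct
import tempfile
from typing import List, Tuple

SQLITE_MAGIC = b"SQLite format 3\x00"


def sqlite_header_size(buf: bytes, off: int) -> int:
    """Database size in bytes implied by the header at buf[off:], or 0 if the header is not usable."""
    if buf[off:off + 16] != SQLITE_MAGIC or len(buf) - off < 100:
        return 0
    (page_size,) = struct.unpack_from(">H", buf, off + 16)
    if page_size == 1:
        page_size = 65536  # encoded as 1 because 65536 does not fit in 16 bits
    elif page_size < 512 or page_size > 32768 or page_size & (page_size - 1):
        return 0  # must be a power of two between 512 and 32768
    (change_counter,) = struct.unpack_from(">I", buf, off + 24)
    (page_count,) = struct.unpack_from(">I", buf, off + 28)
    (version_valid_for,) = struct.unpack_from(">I", buf, off + 92)
    # The in-header page count is only trustworthy when these two counters agree.
    if page_count == 0 or change_counter != version_valid_for:
        return 0
    return page_size * page_count


def carve_sqlite(buf: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, database bytes) for every complete database found in buf."""
    found = []
    off = buf.find(SQLITE_MAGIC)
    while off != -1:
        size = sqlite_header_size(buf, off)
        if size and off + size <= len(buf):
            found.append((off, buf[off:off + size]))
            off = buf.find(SQLITE_MAGIC, off + size)
        else:
            off = buf.find(SQLITE_MAGIC, off + 1)
    return found


def _with_temp_db(db_bytes: bytes, work) -> object:
    """Write db_bytes to a temp file, run work(connection), clean up."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(db_bytes)
        con = sqlite3.connect(path)
        try:
            return work(con)
        finally:
            con.close()
    finally:
        os.unlink(path)


def make_sample_db() -> bytes:
    """Constructed sample: a tiny places-like database, returned as the bytes SQLite wrote to disk."""
    def build(con):
        con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
        con.execute("INSERT INTO moz_places VALUES (1, 'http://www.w3.org/', 'W3C')")
        con.commit()
        with open(con.execute("PRAGMA database_list").fetchone()[2], "rb") as f:
            return f.read()
    return _with_temp_db(b"", build)


def query_carved(db: bytes) -> list:
    """Prove the carved bytes are a working database by querying them."""
    return _with_temp_db(db, lambda con: con.execute("SELECT id, url, title FROM moz_places").fetchall())


def sample_image() -> bytes:
    """Constructed 'unallocated space': junk, one database, more junk."""
    return b"\x00" * 777 + make_sample_db() + b"unallocated slack " * 40


if __name__ == "__main__":
    for off, db in carve_sqlite(sample_image()):
        print(f"database at offset {off}, {len(db)} bytes:", query_carved(db))
```

A real image will also contain the page-sized fragments and journal files the slide mentions; those lack the header (or have a stale one) and are rejected by the counter check, so they have to be recovered by other means.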

Firefox 3+ Profiles

Most Firefox 3+ data is stored in SQLite database format:

History, Bookmarks, Autocomplete: places.sqlite
Download History: downloads.sqlite
Form Autocomplete: formhistory.sqlite
Cookies: cookies.sqlite
Usernames & Passwords: signons.sqlite (3.5+)
DOM Storage: webappsstore.sqlite

Cache mechanism unchanged from Ver. 2

Firefox History Version 3+


SQLite field names (moz_places and moz_historyvisits tables in places.sqlite):
Complete URL: url
Page title: title
Date visited: visit_date (every visit is tracked as its own row in moz_historyvisits; PRTime, microseconds since the Unix epoch)
Number of times site visited: visit_count
Whether URL was typed: typed
Page retrieved without user action?: hidden
Referring page: from_visit (the id of the referring row in moz_historyvisits, not a URL; join back through moz_places to get it)
Type of visit (new field, see next slide): visit_type

Firefox History Visit Types


1. Link clicked
2. URL typed
3. Bookmark used
4. Loaded as content within a page (embed)
5. HTTP 301 permanent redirect
6. HTTP 302 temporary redirect
7. Non-HTML file downloaded
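The query an examiner actually wants from places.sqlite joins the two tables above, resolves from_visit back to a referring URL and labels each visit_type. This added example (mine, not from the original slides) builds an in-memory stand-in for places.sqlite with only the columns named on these slides and constructed rows, then runs that query; the PRTime conversion is the standard microseconds-since-1970 rule.

```python
import sqlite3
from datetime import datetime, timezone
from typing import List

# visit_type codes as listed on the slide.
VISIT_TYPES = {
    1: "link", 2: "typed", 3: "bookmark", 4: "embed",
    5: "redirect_permanent", 6: "redirect_temporary", 7: "download",
}


def prtime_to_iso(us: int) -> str:
    """PRTime is microseconds since 1970-01-01 00:00:00 UTC."""
    dt = datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc).replace(microsecond=us % 1_000_000)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_places() -> sqlite3.Connection:
    """Constructed sample: a typed visit, a click from it, and a 301 redirect from that click."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, typed INTEGER, hidden INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://www.google.com/', 'Google', 1, 1, 0);
        INSERT INTO moz_places VALUES (2, 'http://www.w3.org/', 'W3C', 1, 0, 0);
        INSERT INTO moz_places VALUES (3, 'http://www.w3.org/TR/', 'W3C TR', 1, 0, 1);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1330000000000000, 2);
        INSERT INTO moz_historyvisits VALUES (2, 1, 2, 1330000060000000, 1);
        INSERT INTO moz_historyvisits VALUES (3, 2, 3, 1330000120000000, 5);
    """)
    return con


# from_visit points at another moz_historyvisits row; a second join turns it into the referring URL.
HISTORY_SQL = """
SELECT v.id, p.url, p.title, v.visit_date, v.visit_type, p.typed, p.hidden, ref.url
FROM moz_historyvisits v
JOIN moz_places p ON p.id = v.place_id
LEFT JOIN moz_historyvisits rv ON rv.id = v.from_visit
LEFT JOIN moz_places ref ON ref.id = rv.place_id
ORDER BY v.visit_date
"""


def visit_history(con: sqlite3.Connection) -> List[dict]:
    rows = []
    for vid, url, title, vdate, vtype, typed, hidden, ref in con.execute(HISTORY_SQL):
        rows.append({
            "visit_id": vid, "url": url, "title": title,
            "visited_utc": prtime_to_iso(vdate),
            "visit_type": VISIT_TYPES.get(vtype, f"unknown({vtype})"),
            "typed": bool(typed), "hidden": bool(hidden),
            "referrer": ref,
        })
    return rows


if __name__ == "__main__":
    for r in visit_history(build_sample_places()):
        print(r["visited_utc"], r["visit_type"].ljust(18), r["url"], "<-", r["referrer"])
```

Against a real profile, replace the in-memory connection with sqlite3.connect on a copy of places.sqlite (work on a copy; opening the live file can write a journal next to it).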

Firefox 3+ Cookies

SQLite field names from the moz_cookies table in cookies.sqlite:

host: website domain
path: webserver directory path for which the cookie is valid
isSecure: HTTPS only?
expiry: expiration date (Unix epoch seconds)
name: cookie name
value: values/preferences stored
lastAccessed: date the website last accessed the cookie (PRTime, microseconds)
id (Firefox 3): possibly the creation date (one reference)
creationTime (Firefox 4+): creation date (PRTime, microseconds)

Firefox 3+ DOM Storage


SQLite field names from the webappsstore2 table in webappsstore.sqlite (note the double s in both names):

scope: site name (host written reversed), http/https, port
key: value name
value: value contents
secure: HTTPS required?
owner: not populated in my testing

Another reference gives the file name as webappstore2.sqlite instead.

Firefox 3+ Bookmarks

Found in the moz_bookmarks table in places.sqlite

Firefox 3+ Bookmark Backups

Stored in the bookmarkbackups subfolder
Up to 10 copies, one per day (Firefox 3 only stored up to 5)
Filename: bookmarks-<date>.json
JavaScript Object Notation (JSON) format: text-based, and contains references to the same field names as in places.sqlite
bookmarks.bak may also exist. Unclear under what circumstances it gets created.

Firefox 3+ Download History


SQLite fields in downloads.sqlite

name: name of downloaded file
mimeType: file type of downloaded file
source: download URL
referrer: referring URL
target: save location
preferredApplication: application used to open the file
startTime: time download started
endTime: time download ended
maxBytes: size of download
state: successful?

Firefox 3+ Form Autocomplete

SQLite field from formhistory.sqlite

fieldname: name of the field for which data was entered
value: data entered into the form field
timesUsed: number of times the value has been entered
firstUsed: time data first typed (PRTime)
lastUsed: time data last used (PRTime)

PRTime values are microseconds since 1970-01-01 00:00:00 UTC; divide by 1,000,000 to get a Unix timestamp.

Google Chrome

File Locations:

According to Digital Forensics with Open Source Tools:

XP: <profile>\Local Settings\Application Data\Google\Chrome\default
Vista/Win7: <profile>\AppData\Local\Google\Chrome\default

Folders created by the current version of Chrome:

XP: <profile>\Local Settings\Application Data\Google\Chrome\User Data\Default
Vista/Win7: <profile>\AppData\Local\Google\Chrome\User Data\Default

Chrome Initial Data

Initial history & cookie data appears to have been silently imported from other browsers when Chrome was installed

Subfolders of Chrome Default Folder

Cache
Extensions
Local Storage
User Stylesheets

SQLite Database Files in Chrome Default Folder

Archived History
Cookies
Favicons
History
History Index ####-## (year-month)
Login Data
Network Action Predictor
Shortcuts
Top Sites
Web Data

Non-SQLite Files in Chrome Default Folder

Bookmarks (JSON)
Bookmarks.bak (JSON)
Current Session (SNSS)
Current Tabs (SNSS)
History Provider Cache (Protocol Buffers)
Last Session (SNSS)
Last Tabs (SNSS)
Preferences (JSON)
Visited Links (unknown binary format)

Bookmarks (Legacy? Same data appears in Shortcuts SQLite DB)

JSON, mostly human readable. Sample entry:

{ "date_added": "12974427976796875", "id": "4", "name": "Google", "type": "url", "url": "http://www.google.com/" },

Dates are Chrome (WebKit) time, microseconds since 1601-01-01 00:00:00 UTC; they can be converted using DCode.exe (select "Chrome Time").
The ID is the order in which the entry appears. The first three are usually the default folders:

Bookmark Bar, Other Bookmarks, Mobile Bookmarks

History Provider Cache

In Protocol Buffers format


Download the Protocol Buffers compiler, then decode the file without a schema:

protoc --decode_raw < "History Provider Cache" > out.txt

Some extracted values will resemble:

2 {
  1: 126
  2: 0
  3: 0
  4: 12974212186000000
  5: "file:///C:/Documents%20and%20Settings/John%20McCash/Local%20Settings/Temp/rninst~0/ui_data/pages/progress/index.html?distcode=R71RR1&prod=RealPlayer&ver=15.0&li=en&oem=rp15_en_us&loc=us"
  6: "RealNetworks"
}

The long number in field 4 decodes (via DCode.exe, Chrome Time) to a date. Note: I visited this site two days before installing Chrome!
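The Bookmarks file and the History Provider Cache record above share the same timestamp format, so one conversion routine serves both. This added example (mine, not from the original slides) converts Chrome time to UTC and walks the nested roots of a Bookmarks file, producing one row per bookmark with its folder path. The Bookmarks JSON is a constructed sample that follows the real file's layout (a roots object holding bookmark_bar, other and synced folders); its two date_added values are the two timestamps that appear on the slides, which convert to 2012-02-22 23:46:16 UTC and 2012-02-20 11:49:46 UTC, two days apart as the slide says.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import List

# Chrome/WebKit timestamps count microseconds since 1601-01-01 00:00:00 UTC.
_CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_utc(value) -> datetime:
    """Accepts the integer or the decimal string form used in Chrome's JSON files."""
    return _CHROME_EPOCH + timedelta(microseconds=int(value))


def chrome_time_to_iso(value) -> str:
    return chrome_time_to_utc(value).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


# Constructed sample Bookmarks file; structure mirrors Chrome's, contents are made up.
SAMPLE_BOOKMARKS_JSON = """
{
  "checksum": "0000000000000000",
  "roots": {
    "bookmark_bar": {
      "children": [
        { "date_added": "12974427976796875", "id": "4", "name": "Google",
          "type": "url", "url": "http://www.google.com/" },
        { "children": [
            { "date_added": "12974212186000000", "id": "6", "name": "RealPlayer",
              "type": "url", "url": "http://www.real.com/" }
          ],
          "date_added": "12974427990000000", "date_modified": "12974427990000000",
          "id": "5", "name": "Software", "type": "folder" }
      ],
      "date_added": "12974427900000000", "date_modified": "0",
      "id": "1", "name": "Bookmarks Bar", "type": "folder"
    },
    "other": { "children": [], "date_added": "12974427900000000", "date_modified": "0",
               "id": "2", "name": "Other Bookmarks", "type": "folder" },
    "synced": { "children": [], "date_added": "12974427900000000", "date_modified": "0",
                "id": "3", "name": "Mobile Bookmarks", "type": "folder" }
  },
  "version": 1
}
"""


def walk_bookmarks(node: dict, path: str, out: List[dict]) -> None:
    """Depth-first walk; url nodes are emitted with the folder path they sit in."""
    name = node.get("name", "")
    here = f"{path}/{name}" if path else name
    if node.get("type") == "url":
        out.append({"folder": path, "name": name, "url": node["url"], "id": node.get("id"),
                    "added_utc": chrome_time_to_iso(node["date_added"])})
    for child in node.get("children", []):
        walk_bookmarks(child, here, out)


def list_bookmarks(text: str) -> List[dict]:
    doc = json.loads(text)
    out: List[dict] = []
    for root in ("bookmark_bar", "other", "synced"):
        if root in doc["roots"]:
            walk_bookmarks(doc["roots"][root], "", out)
    return out


if __name__ == "__main__":
    for b in list_bookmarks(SAMPLE_BOOKMARKS_JSON):
        print(b["added_utc"], b["folder"], "|", b["name"], b["url"])
    print("History Provider Cache field 4:", chrome_time_to_iso(12974212186000000))
```

The same chrome_time_to_iso routine applies to the *_utc columns in the Cookies database and to the visit_time and last_visit_time columns in History, which use the same epoch.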

Visited Links

Unknown binary format, but as the source is online, it should be relatively straightforward to determine. However, I don't know of anyone who's done it. Not entirely sure what's supposed to be stored in here. The name strongly suggests that it can be forensically useful.

Session Restore

Files (binary, undocumented format, but the code that reads them is open source):

Current Session (SNSS)
Current Tabs (SNSS)
Last Session (SNSS)
Last Tabs (SNSS)

Tabs files can be parsed by a javascript application designed to run within chrome

http://metgate.org/chrome-session-restore/

Complete session history can probably be recovered from session files

Chrome History

SQLite tables in History file:

downloads
keyword_search_terms
meta
presentation
segment_usage
segments
urls
visits

History SQLite Fields

Fields from downloads:
id, full_path (file saved), url (string), start_time, received_bytes, total_bytes, state (verified complete?), end_time, opened

Fields from urls:
id, url (string), title, visit_count, typed_count, last_visit_time, hidden, favicon_id

Fields from visits:
id, url (reference to urls.id), visit_time, from_visit (referrer, a reference to another visits.id), transition, segment_id, is_indexed

Chrome History URLs SQLite Table

History Index ####-## SQLite Tables

info: fields rowid, time
pages_content: fields docid (reference to rowid above), c0url (URL string), c1title (page title), c2body (indexed page text)
pages_segdir: fields level, idx, start_block, leaves_end_block, root
pages_segments: fields blockid, block

pages is an SQLite FTS (full-text search) virtual table; pages_content, pages_segdir and pages_segments are its shadow tables. The segdir and segments tables hold the full-text index itself rather than cache data, so the searchable page text is in pages_content.c2body.

Chrome Cookies

Cookie Table SQLite Fields

creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent

The *_utc columns are Chrome time (microseconds since 1601-01-01 UTC), the same format as the Bookmarks and History timestamps.

Cookies SQLite Table

Favicon

Favicon SQLite Fields

Id, url (string), last_updated, image_data (can be saved out as .png), icon_type, sizes

Login Data

Logins SQLite Table

Fields: origin_url, action_url, username_element, username_value, password_element, password_value, submit_element, signon_realm, ssl_valid, preferred, date_created, blacklisted_by_user, scheme

password_value is not plaintext: on Windows, Chrome encrypts it with DPAPI (CryptProtectData) under the logged-on user's credentials, so it can only be decrypted in that user's context or offline with the user's DPAPI master key and password.

Network Action Predictor SQLite DB

What the user typed, Chrome's guess at what they meant, and whether it was correct.
network_action_predictor table

Fields: id, user_text, url, number_of_hits, number_of_misses

Shortcuts SQLite DB

Omni_box_shortcuts table

Fields: id, text, url, contents, contents_class, description (page title), description_class, last_access_time, number_of_hits

Top Sites SQLite DB

Thumbnails table

Fields: url, url_rank, title, thumbnail (can be saved out as png), redirects, boring_score, good_clipping, at_top, last_updated, load_completed

Chrome Form Autofill

Web Data SQLite File

Contains 17 tables; between them, over 100 fields and a number of timestamps. On any case involving somebody who's used Chrome extensively over a long period of time, there will probably be something useful in here somewhere.

Chrome Cache

Cache folder contains

One index file
Multiple (at least 4) cache data files, named data_#
The initial data files are optimized to store small blocks of data. When the size of an item to cache exceeds 16KB, the item is stored in its own file named f_######
Every piece of data stored by the cache has a 4-byte cache address. These include:

Cache entry
HTTP headers
Request data
Entry name (key)
Aux info

Chrome HTML 5 Local Storage

Multiple SQLite databases in the Local Storage subfolder

chrome-extension_lifbcibllhkdhoafpjfnlhfpfgnpldfl_0.localstorage
http_<site>_0.localstorage
https_<site>_0.localstorage

Browser Forensics Tools

Mandiant Web Historian

Browser support: Internet Explorer, Firefox, Chrome, Safari

Artifacts: History, Cache (including Chrome thumbnails & indexed page content), Cookies, Form History

Note: we've covered more artifacts than this!

Mandiant Web Historian Web History Fields (Firefox support marked)

URL: yes
PageTitle: yes
HostName: yes
Hidden: yes
Typed: yes
LastVisitDate: yes
LastVisitDateLocal: no
VisitFrom: yes
VisitType: yes
VisitCount: yes
FirstBookmarkDate: yes
Thumbnail: no
IndexedContent: no

Chrome and Internet Explorer columns: most fields supported; footnote for Internet Explorer reads "Redirect or URL".

Mandiant Web Historian Cookie History Fields

HostName, CookiePath, CookieName, CookieValue, IsSecure, IsHttpOnly, LastAccessedDate, ExpirationDate, CreationDate, FileName, FilePath, CookieFlags, LastModifiedDate

Firefox supports 8 of these fields; Chrome and Internet Explorer between them support a larger set (Internet Explorer supplies the FileName/FilePath style fields, since its cookies are individual files).

Mandiant Web Historian Download History Fields (includes cache)

DownloadType (Manual, Auto, Auto IE Leak, Auto IE Redirect), FileName, SourceURL, TargetDirectory, TemporaryPath, Referrer, MimeType, StartDate, EndDate, State, BytesDownloaded, MaxBytes, AutoResume, FullHttpHeader, LastAccessedDate, LastModifiedDate, CacheFlags, CacheHitCount, LastCheckedDate

Firefox and Chrome supply the Manual download fields; the cache-derived fields (FullHttpHeader, CacheFlags, CacheHitCount, LastCheckedDate) come from Internet Explorer.

Mandiant Web Historian Form History Fields

Firefox:
FormType: Login or Normal
FormFieldName: yes
FormFieldValue: yes
UsernameFieldName: yes
PasswordFieldName: yes
HostName: yes
HttpRealm: yes
FormSubmitURL: yes
UsernameFieldValue: yes
EncryptedPassword: yes
EncryptionType: yes
FirstUsedDate: yes
LastUsedDate: yes
TimesUsed: yes
Guid: yes
CreationDate: no

Chrome: FormType Login or Normal, plus seven of the fields above.

Internet Explorer: N/A for every field.

Nirsoft Tools (single-purpose utilities; frequently updated, well designed)

IECookiesView
IEHistoryView
IECacheView
MozillaCookiesView
MozillaHistoryView
MozillaCacheView
OperaCacheView
ChromeCacheView
ChromeHistoryView
SafariHistoryView
SafariCacheView
FavoritesView (Firefox & Internet Explorer)
FlashCookiesView
FirefoxDownloadsView

SQLite Tools

SQLite Manager Firefox plugin (newer, better)
SQLite Database Browser (old)

Foundstone DumpAutoComplete

Command-line tool
Produces XML output
Works with all Firefox versions, but only extracts from formhistory files, not places.sqlite

The moz_inputhistory table in places.sqlite maintains autocomplete data for the URL location bar.

FoxAnalysis (free version only for FF3+)

Artifacts:

History Bookmarks Cookies Downloads Form History

Doesnt do cache

Woanware FirefoxSessionStoreExtractor

Extracts information from sessionstore.js:

URLs
Page titles
Cookies & values
Tabs
Form data
Referrer
Scroll data

Command line only

Archive Formats
File Headers/Magic Numbers

(PK)Zip: 50 4B 03 04 (ASCII "PK" followed by 03 04; this is the local file header signature)
Gzip: 1F 8B 08 (1F 8B is the gzip magic; the 08 is the compression method, deflate)

(PK)Zip files record their size in the file footer. All of the fields below are little-endian.

Find the hex signature 50 4B 05 06 (the end of central directory record, "EOCD").
At offset 12 from the start of this record is the 4-byte size of the central directory.
At offset 16 is the 4-byte offset of the central directory from the start of the archive.
Add these two values and count back that many bytes from the start of the EOCD record; you should see 50 4B 03 04, the beginning of the archive (the central directory normally sits immediately before the EOCD record).
At offset 20 is a 2-byte archive comment length, followed by that many comment bytes. That is the end of the archive.

Caveats: Zip64 archives store 0xFFFFFFFF in the size and offset fields and must be located through the Zip64 EOCD locator (signature 50 4B 06 07) that precedes the EOCD record, and spanned (multi-disk) archives put a non-zero disk number at offset 4 of the record.
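The footer walk above, as an added example (mine, not from the original slides): it searches a blob for the EOCD signature, reads the central directory size and offset, counts back to the local file header, and cuts the archive out including its comment, refusing Zip64 and spanned archives rather than mis-sizing them. The "unallocated space" is constructed inline around a small archive that the script builds with Python's zipfile module (with a comment, so the offset-20 field is exercised).

```python
import io
import struct
import zipfile
from typing import Optional, Tuple

LOCAL_FILE_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_LEN = 22  # signature plus fixed fields; the comment follows
# sig, disk no, CD disk, entries on disk, entries total, CD size, CD offset, comment length
EOCD_STRUCT = struct.Struct("<4sHHHHIIH")


def find_zip_bounds(buf: bytes, search_from: int = 0) -> Optional[Tuple[int, int]]:
    """(start, end) of the first archive whose EOCD record lies at or after search_from, else None."""
    pos = buf.find(EOCD_SIG, search_from)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(buf):
            (_sig, disk_no, cd_disk, _n_here, _n_total,
             cd_size, cd_offset, comment_len) = EOCD_STRUCT.unpack_from(buf, pos)
            start = pos - (cd_offset + cd_size)   # walk back over CD and all local entries
            end = pos + EOCD_FIXED_LEN + comment_len
            # Zip64 puts 0xFFFFFFFF here and needs the Zip64 locator; spanned archives are out of scope.
            if (cd_offset != 0xFFFFFFFF and cd_size != 0xFFFFFFFF
                    and disk_no == 0 and cd_disk == 0
                    and start >= 0 and end <= len(buf)
                    and buf[start:start + 4] == LOCAL_FILE_SIG):
                return start, end
        pos = buf.find(EOCD_SIG, pos + 1)
    return None


def carve_zip(buf: bytes) -> Optional[bytes]:
    bounds = find_zip_bounds(buf)
    return None if bounds is None else buf[bounds[0]:bounds[1]]


def build_sample_zip() -> bytes:
    """Constructed sample archive: two stored members, fixed timestamps, and an archive comment."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(zipfile.ZipInfo("notes.txt", (2012, 2, 22, 23, 46, 16)),
                    "nothing to see here\n" * 50)
        zf.writestr(zipfile.ZipInfo("dir/data.bin", (2012, 2, 22, 23, 46, 16)),
                    bytes(range(256)) * 4)
        zf.comment = b"sample archive comment"
    return bio.getvalue()


SAMPLE_ZIP = build_sample_zip()


def sample_image() -> bytes:
    """Constructed 'unallocated space': filler, the archive, more filler."""
    return b"\xa5\x5a" * 300 + SAMPLE_ZIP + b"\x00" * 513


def carved_names(buf: bytes):
    """Carve, then verify by opening the result and checking every member's CRC."""
    z = carve_zip(buf)
    if z is None:
        return None
    with zipfile.ZipFile(io.BytesIO(z)) as zf:
        if zf.testzip() is not None:
            return None
        return zf.namelist()


if __name__ == "__main__":
    img = sample_image()
    print("bounds:", find_zip_bounds(img))
    print("members:", carved_names(img))
```

Searching forward for the first EOCD signature is the carving order; a zip reader instead searches backward from the end of a file. A real image can contain stray "PK\x05\x06" bytes inside member data, which is why the routine insists on seeing the local file header signature at the computed start before accepting a candidate.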

Questions?

