Week 9 Lecture
Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
No notes. Covers material from the beginning through lecture #8. We'll review tonight after I get through the new material. No lab today because of the missed class period due to the Memorial Day holiday.
Other Browsers
Firefox
Numerous versions, especially recently.
Major changes to forensic artifacts occurred between version 2 and 3, which was released in June of 2008.
We will primarily concern ourselves with pre-3.0 and 3.0+ versions.
Firefox Artifacts
No usage of the registry. All artifacts are stored in files, mostly using complex database formats.
If the version is less than 3.0, there will be no .sqlite files in the Firefox profile folder.
The exact version can be determined by examining prefs.js in the Firefox profile folder for the line setting the value named extensions.lastAppVersion. Example:
user_pref("extensions.lastPlatformVersion", "9.0.1");
Cache references are stored in a complex database, and some actual cache data is stored in a binary format.

website domain | accessible by other parts of website? | webserver directory path | HTTPS? | Expiration date (Unix epoch time) | cookie name | values/preferences stored
.youtube.com | TRUE | / | FALSE | 1317674985 | __utma | 27069237.1816673280909886200.1243093244.1253991722.1254602985.13
.youtube.com | TRUE | / | FALSE | 1276028394 | VISITOR_INFO1_LIVE | N2Xmi-uMhTo
.youtube.com | TRUE | / | FALSE | 1306165239 | __utmx | 27069237.00004945564262247550:3:0-0-10
.youtube.com | TRUE | / | FALSE | 1306165239 | __utmxx | 27069237.00004945564262247550:1243093239:2592000
.youtube.com | TRUE | / | FALSE | 1258861243 | __utmz | 27069237.1243093244.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
.youtube.com | TRUE | / | FALSE | 1520356702 | LOCALE_PREFERENCE | 86d1d09eefe6b79b4068000ce05518a4dAUAAABlbl9VUw==

BTW, important note: you should be able to recognize the format of that last entry. It's called Base64, and sometimes it translates to interesting values.
http://home.paulschou.net/tools/xlate/
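As an added example (not from the lecture), here is a small parser for the tab-separated cookie layout shown in the table above. The sample input is constructed from the slide's rows in the Netscape cookies.txt column order; the expiry column is converted from Unix epoch seconds to UTC, and each value is checked for the Base64 shape the slide points out so the analyst can see what it decodes to. The length threshold and the regex are my own heuristics, not anything the slides specify.

```python
import base64
import re
from datetime import datetime, timezone

# Constructed sample in the tab-separated layout of the table above (one cookie per line).
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    ".youtube.com\tTRUE\t/\tFALSE\t1317674985\t__utma\t27069237.1816673280909886200.1243093244.1253991722.1254602985.13",
    ".youtube.com\tTRUE\t/\tFALSE\t1276028394\tVISITOR_INFO1_LIVE\tN2Xmi-uMhTo",
    ".youtube.com\tTRUE\t/\tFALSE\t1306165239\t__utmx\t27069237.00004945564262247550:3:0-0-10",
    ".youtube.com\tTRUE\t/\tFALSE\t1306165239\t__utmxx\t27069237.00004945564262247550:1243093239:2592000",
    ".youtube.com\tTRUE\t/\tFALSE\t1258861243\t__utmz\t27069237.1243093244.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)",
    ".youtube.com\tTRUE\t/\tFALSE\t1520356702\tLOCALE_PREFERENCE\t86d1d09eefe6b79b4068000ce05518a4dAUAAABlbl9VUw==",
])

# Heuristic (assumption): only the standard Base64 alphabet, a multiple of 4 characters, and long enough
# that a plain word or number is unlikely to match by accident.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_base64(value, min_len=16):
    """Return the decoded bytes if value looks like Base64, otherwise None."""
    if len(value) < min_len or len(value) % 4 or not BASE64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:
        return None


def parse_cookies_txt(text):
    """Parse cookies.txt lines into dicts; the seven columns match the table on the slide."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # not a cookie line
        domain, subdomains, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain,
            "include_subdomains": subdomains == "TRUE",
            "path": path,
            "secure": secure == "TRUE",
            "expires": datetime.fromtimestamp(int(expiry), tz=timezone.utc),
            "name": name,
            "value": value,
            "decoded": try_base64(value),  # bytes if the value is Base64-shaped, else None
        })
    return cookies


if __name__ == "__main__":
    for c in parse_cookies_txt(SAMPLE_COOKIES_TXT):
        print(c["name"], c["expires"].isoformat(), c["decoded"])
```

Only the LOCALE_PREFERENCE value is flagged; its decoded tail is a length-prefixed "en_US", which is the kind of "interesting value" the slide has in mind. The `__utma` and `__utmz` values contain dots and parentheses and are left alone.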
Supposedly supported. I don't think it used SQLite. Can't find further information.
Folder Structure:
_CACHE_MAP_: Master tracking file for the cache
_CACHE_###_: Cache block files. Primary storage locations
########: (8-character hex number) Data files which store entries too large to fit within a cache block file
Data files are stored with content encoding (deflate or gzip) intact, unlike IE.
Can often be carved from unallocated.
URL, bookmark add and last modify dates, and page title noted in bold
Stored in the bookmarkbackups subfolder
Up to 5 copies, one per day
Filename: bookmarks-<date>.html
Copies of bookmarks.html

Name: Downloaded file name
URL: Download URL
File: Save location
DateStarted: Time download started
DateEnded: Time download ended
DownloadState: Successful?
Times are in the local system timezone. The default download folder is the user's desktop.

Name: Name of the field for which data was entered
Value: Data entered into the form field

Open windows
Window screen positions & sizes
Scroll positions
Tab history
Cookies
Form Data
Restartable failed file downloads
By default, FF1-3 keeps 90 days of history. FF4+ dynamically determines the amount of saved history based on system resources (could be more). Lots of options for controlling what's retained and what's automatically deleted, on a very granular basis.
It's also easy to selectively delete sites from the collected history.
To clear DOM Storage, the user must select both Cookies and Everything. Record ID numbers in SQLite are assigned sequentially, so selective deletion will leave gaps. Selective site history deletion causes the entire browser cache to be deleted.
Solid implementation. Protects History, Search History, Download History, Form Data, Cookies, & Cache Data. Bookmarks aren't protected, & neither (because they're filesystem artifacts) are files that are actually downloaded. The only known ways to recover most of this data involve carving from unallocated or memory.
SQLite is known for the frequency with which it creates temporary files. Even if there are no browser artifacts still in allocated space, odds are very good that there are fragments scattered all across unallocated. It's also very possible that some of these files may be intact SQLite database files.
The file begins with the magic number "SQLite format 3\000" (the \000 is actually a single null byte). At offset 16 is a 2-byte big-endian value giving the database page size in bytes, which is a power of 2 (or the value 1, which is interpreted as a page size of 65536). At offset 28 is a 4-byte big-endian value, the size of the database file in pages. This data should make it relatively simple to carve the file out of unallocated space.
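An added example (my code, not from the lecture) that applies the header layout just described to carve SQLite databases out of a byte buffer. Beyond the three fields on the slide it also checks that the page size is really a power of two (cheap false-positive filter) and compares the change counter at offset 24 with the "version-valid-for" value at offset 92, because the in-header page count is only trustworthy when those two agree; otherwise the carved length should fall back to whatever else the analyst can establish. The sample image is constructed here and is not real evidence.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
HEADER_LEN = 100  # the SQLite database header is the first 100 bytes of page 1


def parse_sqlite_header(data, offset=0):
    """Decode the header at data[offset:]; return a dict, or None if it is not a plausible header."""
    hdr = data[offset:offset + HEADER_LEN]
    if len(hdr) < HEADER_LEN or hdr[:16] != SQLITE_MAGIC:
        return None
    raw_page_size = struct.unpack_from(">H", hdr, 16)[0]   # offset 16: page size (big-endian)
    page_size = 65536 if raw_page_size == 1 else raw_page_size
    if page_size < 512 or page_size & (page_size - 1):
        return None  # not a power of two: a stray copy of the magic string, not a header
    change_counter = struct.unpack_from(">I", hdr, 24)[0]   # offset 24: file change counter
    page_count = struct.unpack_from(">I", hdr, 28)[0]       # offset 28: size of the database in pages
    version_valid_for = struct.unpack_from(">I", hdr, 92)[0]  # offset 92: "version-valid-for" number
    return {
        "page_size": page_size,
        "page_count": page_count,
        # page_count is only reliable when the two counters match (older SQLite left it at 0)
        "size_trusted": page_count > 0 and change_counter == version_valid_for,
        "file_size": page_size * page_count,
    }


def carve_sqlite(data):
    """Return [(offset, header_info)] for every plausible SQLite header found in data."""
    hits = []
    pos = data.find(SQLITE_MAGIC)
    while pos != -1:
        info = parse_sqlite_header(data, pos)
        if info is not None:
            hits.append((pos, info))
        pos = data.find(SQLITE_MAGIC, pos + 1)
    return hits


def make_sample_header(page_size_field, page_count, change_counter=7, version_valid_for=7):
    """Build a constructed 100-byte header with only the fields used above populated."""
    hdr = bytearray(HEADER_LEN)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, page_size_field)
    struct.pack_into(">I", hdr, 24, change_counter)
    struct.pack_into(">I", hdr, 28, page_count)
    struct.pack_into(">I", hdr, 92, version_valid_for)
    return bytes(hdr)


def build_sample_image():
    """Constructed stand-in for unallocated space: filler, a 5-page 1 KiB-page database, more filler."""
    db = make_sample_header(1024, 5) + b"\x00" * (5 * 1024 - HEADER_LEN)
    return b"\xaa" * 777 + db + b"\xbb" * 300


if __name__ == "__main__":
    image = build_sample_image()
    for offset, info in carve_sqlite(image):
        print(f"SQLite header at {offset}: {info}")
```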
Firefox 3+ Profiles
History, Bookmarks, Autocomplete: places.sqlite
Download History: downloads.sqlite
Form Autocomplete: formhistory.sqlite
Cookies: cookies.sqlite
Usernames & Passwords: signons.sqlite (3.5+)
DOM Storage: webappstore2.sqlite

places.sqlite visit types:
1. Link Clicked
2. URL Typed
3. Bookmark Used
4. Loaded as content within a page
5. HTTP 301 Permanent Redirect
6. HTTP 302 Temporary Redirect
7. Non-HTML File Downloaded
Firefox 3+ Cookies
host: website domain
path: webserver directory path for which the cookie is valid
isSecure: HTTPS?
expiry: Expiration date
name: cookie name
value: values/preferences stored
lastAccessed: Date website last accessed cookie
id (FF3): Created date? (one reference)
creationTime (FF4+): Created date

scope: Site name, http/https, port
key: Value name
value: Value contents
secure: HTTPS Required?
owner: Not populated in my testing
Firefox 3+ Bookmarks
Stored in the bookmarkbackups subfolder
Up to 10 copies, one per day (FF3 only stored up to 5)
Filename: bookmarks-<date>.json
JavaScript Object Notation (JSON) format
Text-based, and contains references to the same field names as in places.sqlite
Bookmarks.bak may also exist. Unclear under what circumstances it gets created

name: Name of downloaded file
mimeType: File type of downloaded file
source: Download URL
referrer: Referring URL
target: Save location
preferredApplication: Application used to open file
startTime: Time download started
endTime: Time download ended
maxBytes: Size of download
state: Successful?

fieldname: Name of the field for which data was entered
value: Data entered into the form field
timesUsed: # of times value has been entered
firstUsed: Time data first typed (PRTime)
lastUsed: Time data last used (PRTime)
Google Chrome
File Locations:
Initial history & cookie data appears to have been silently imported from other browsers when Chrome was installed
Archived History
Cookies
Favicons
History
History Index ####-## (year-month)
Login Data
Network Action Predictor
Shortcuts
Top Sites
Web Data

Bookmarks (JSON)
Bookmarks.bak (JSON)
Current Session (SNSS)
Current Tabs (SNSS)
History Provider Cache (Protocol buffers)
Last Session (SNSS)
Last Tabs (SNSS)
Preferences (JSON)
Visited Links (unknown binary format)

JSON. Mostly human readable:
    {
      "date_added": "12974427976796875",
      "id": "4",
      "name": "Google",
      "type": "url",
      "url": "http://www.google.com/"
    },
Dates can be converted using DCode.exe (Chrome Time). ID is the order in which the entry appears. The first three are usually default folders.
Download the Protocol Buffers compiler, then:
protoc --decode_raw < "History Provider Cache" > out.txt
Some extracted values will resemble:
The long number decodes (via DCode.exe, Chrome time) to a date. Note: I visited this site two days before installing Chrome!
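The slides convert these timestamps with DCode; as an added example (my code, not part of the lecture) the same conversions in Python, covering the three epochs that appear in this lecture: Chrome time (the bookmark `date_added` above and the Chrome History `*_time` columns, microseconds since 1601-01-01 UTC), Firefox PRTime (formhistory `firstUsed`/`lastUsed`, microseconds since 1970-01-01 UTC), and plain Unix seconds (the cookies.txt expiry column). The `guess_time` helper, which picks an epoch from the magnitude of the number, is my own heuristic and is not something the slides describe; the bookmark entry is the one shown above.

```python
import json
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # base of Chrome/WebKit time


def chrome_time(value):
    """Chrome time: microseconds since 1601-01-01 UTC (Bookmarks date_added, History visit_time etc.)."""
    return WINDOWS_EPOCH + timedelta(microseconds=int(value))


def prtime(value):
    """Firefox PRTime: microseconds since 1970-01-01 UTC (formhistory firstUsed/lastUsed)."""
    return UNIX_EPOCH + timedelta(microseconds=int(value))


def unix_time(value):
    """Plain Unix epoch seconds (the expiry column of cookies.txt)."""
    return UNIX_EPOCH + timedelta(seconds=int(value))


def guess_time(value):
    """Heuristic (assumption): choose the epoch from the magnitude of the raw number.
    Around 2012, Chrome time is ~1.3e16, PRTime ~1.3e15 and Unix seconds ~1.3e9."""
    n = int(value)
    if n >= 10**16:
        return "chrome", chrome_time(n)
    if n >= 10**14:
        return "prtime", prtime(n)
    return "unix", unix_time(n)


# The bookmark entry from the slide (only date_added is used here).
SAMPLE_BOOKMARK = (
    '{"date_added": "12974427976796875", "id": "4", "name": "Google", '
    '"type": "url", "url": "http://www.google.com/"}'
)


def bookmark_added(entry_json):
    """Return the date_added of one Chrome bookmark entry as an aware UTC datetime."""
    entry = json.loads(entry_json)
    return chrome_time(entry["date_added"])


if __name__ == "__main__":
    print("bookmark added:", bookmark_added(SAMPLE_BOOKMARK).isoformat())
    for raw in ("12974427976796875", 1243093244000000, 1317674985):
        kind, when = guess_time(raw)
        print(raw, kind, when.isoformat())
```

The bookmark's `date_added` comes out as 2012-02-22 23:46:16 UTC, which fits the 2012 date on these slides. Remember that SQLite and the JSON files store these values as plain integers; the epoch is implied by the browser, not by the file, so a converter has to know which column it is looking at (or guess, as `guess_time` does).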
Visited Links
Unknown binary format, but as the source is online, it should be relatively straightforward to determine. However, I don't know of anyone who's done it. Not entirely sure what's supposed to be stored in here. The name strongly suggests that it can be forensically useful.
Session Restore
Tabs files can be parsed by a JavaScript application designed to run within Chrome:
http://metgate.org/chrome-session-restore/
Chrome History
downloads table: id, full_path (file saved), url (string), start_time, received_bytes, total_bytes, state (verified complete?), end_time, opened
urls table: id, url (string), title, visit_count, typed_count, last_visit_time, hidden, favicon_id
visits table: id, url (table reference), visit_time, from_visit (referrer), transition, segment_id, is_indexed
History Index tables: info, pages_content
Chrome Cookies
creation_utc, host_key, name, value, path, expires_utc, secure, httponly, last_access_utc, has_expires, persistent
Favicon
id, url (string), last_updated, image_data (can be saved out as .png), icon_type, sizes
Login Data
Fields: origin_url, action_url, username_element, username_value, password_element, password_value, submit_element, signon_realm, ssl_valid, preferred, date_created, blacklisted_by_user, scheme
Network Action Predictor table: stuff the user typed, Chrome's guess at what he meant, and whether it was correct.
Shortcuts SQLite DB
omni_box_shortcuts table
Fields: id, text, url, contents, contents_class, description (page title), description_class, last_access_time, number_of_hits
Thumbnails table
Fields: url, url_rank, title, thumbnail (can be saved out as png), redirects, boring_score, good_clipping, at_top, last_updated, load_completed
Contains 17 tables. Between them, over 100 fields. A number of timestamps. On any case involving somebody who's used Chrome extensively over a long period of time, there will probably be something useful in here somewhere.
Chrome Cache
One index file
Multiple (at least 4) cache data files, named Data_#
The initial data files are optimized to store small blocks of data. When the size of an item to cache exceeds 16KB, the item is stored in its own file named f_######.
Every piece of data stored by the cache has a given 4-byte cache address. These include:
Cache Entry
HTTP Headers
Request Data
Entry Name (key)
Aux Info
Browser support: Internet Explorer, Firefox, Chrome, Safari
Artifacts: History, Cache (including Chrome thumbnails & indexed page content), Cookies, Form History

History fields (Firefox support marked with X):
URL X
PageTitle X
HostName X
Hidden X
Typed X
LastVisitDate X
LastVisitDateLocal
VisitFrom X
VisitType X
VisitCount X
FirstBookmarkDate X
Thumbnail
IndexedContent

Cookie fields: HostName, CookiePath, CookieName, CookieValue, IsSecure, IsHttpOnly, LastAccessedDate, ExpirationDate, CreationDate, FileName, FilePath, CookieFlags, LastModifiedDate

Download and cache fields: DownloadType, FileName, SourceURL, TargetDirectory, TemporaryPath, Referrer, MimeType, StartDate, EndDate, State, BytesDownloaded, MaxBytes, AutoResume, FullHttpHeader, LastAccessedDate, LastModifiedDate, CacheFlags, CacheHitCount, LastCheckedDate
DownloadType values seen per browser (Firefox, Chrome, Internet Explorer): Manual, Auto, IE Leak, IE Redirect

Form history fields (Firefox support marked with X; Internet Explorer: N/A for all of them):
FormType (Login or Normal)
FormFieldName X
FormFieldValue X
UsernameFieldName X
PasswordFieldName X
HostName X
HttpRealm X
FormSubmitURL X
UsernameFieldValue X
EncryptedPassword X
EncryptionType X
FirstUsedDate X
LastUsedDate X
TimesUsed X
Guid X
CreationDate

(The per-browser support marks for the cookie and download/cache columns of the original matrix did not survive extraction.)
IECookiesView
IEHistoryView
IECacheView
MozillaCookiesView
MozillaHistoryView
MozillaCacheView
OperaCacheView
ChromeCacheView
ChromeHistoryView
SafariHistoryView
SafariCacheView
FavoritesView (Firefox & Internet Explorer)
FlashCookiesView
FireFoxDownloadsView
SQLite Tools
SQLite Manager Firefox plugin (newer, better)
SQLite Database Browser (old)
Foundstone DumpAutoComplete
Command line tool. Produces XML output. Works with all Firefox versions, but only extracts from formhistory files, not places.sqlite.
The moz_inputhistory table in places.sqlite maintains autocomplete data for the URL location bar.
Artifacts:
Doesn't do cache
Woanware Firefoxsessionstoreextractor
URLs
Page Titles
Cookies & values
Tabs
Form Data
Referrer
Scroll Data
Command line only
Archive Formats
File Headers/Magic Numbers
(PK)Zip: 50 4B 03 04 Gzip: 1F 8B 08
[PK..]
Find the hex signature 50 4B 05 06 (end of central directory structure).
At offset 12 from this is the 4-byte size of the central directory structure.
At offset 16 is the 4-byte offset, from the start of the archive, of the central directory structure.
Add these two values and search backwards from the beginning of the end of central directory structure that many bytes, and you should see 50 4B 03 04, which is the beginning of the archive.
At offset 20 is a 2-byte size, followed by that many additional bytes. That's the end of the archive.
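The procedure above, implemented as an added example (my code, not from the lecture): the carver walks every 50 4B 05 06 occurrence in a buffer, reads the central directory size and offset at offsets 12 and 16, computes the archive start, confirms 50 4B 03 04 is there, and uses the comment length at offset 20 to find the end. One caveat the slide does not mention: a size or offset field of 0xFFFFFFFF means the archive uses Zip64 and the real values live in a separate record, so those hits are skipped here. The "unallocated" image is constructed in the script from a ZIP built with the standard library, so the result can be verified by opening the carved bytes.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"  # 50 4B 03 04: first local file header, i.e. start of the archive
EOCD_SIG = b"PK\x05\x06"          # 50 4B 05 06: end of central directory record
EOCD_FIXED_LEN = 22               # fixed part of the EOCD record; the archive comment follows it


def carve_zips(data):
    """Return (start, end) byte ranges of ZIP archives found in data, using the EOCD arithmetic
    from the slide: start = EOCD position - central directory size - central directory offset."""
    found = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(data):
            # offset 12: central directory size (4), offset 16: central directory offset (4),
            # offset 20: comment length (2); all little-endian
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            if cd_size != 0xFFFFFFFF and cd_offset != 0xFFFFFFFF:  # 0xFFFFFFFF => Zip64, not handled
                start = pos - cd_size - cd_offset
                end = pos + EOCD_FIXED_LEN + comment_len
                if start >= 0 and end <= len(data) and data[start:start + 4] == LOCAL_HEADER_SIG:
                    found.append((start, end))
        pos = data.find(EOCD_SIG, pos + 1)
    return found


def carved_names(data, start, end):
    """Open a carved range with zipfile and list its members, which validates the carve."""
    with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
        return zf.namelist()


def build_sample_image():
    """Constructed sample: a small ZIP surrounded by filler bytes standing in for unallocated space.
    Returns (image, archive) so the carved range can be compared with the original archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed sample file\n")
        zf.writestr("history/places.sqlite", b"SQLite format 3\x00" + b"\x00" * 84)
    archive = buf.getvalue()
    image = b"\x00" * 300 + b"slack " * 40 + archive + b"\xff" * 500
    return image, archive


if __name__ == "__main__":
    image, _ = build_sample_image()
    for start, end in carve_zips(image):
        print(f"ZIP archive at bytes {start}-{end}: {carved_names(image, start, end)}")
```

Because the search is anchored on the end-of-central-directory record rather than on 50 4B 03 04, the carver is not fooled by local file headers that belong to a partially overwritten archive, and the length of the archive is known exactly before anything is opened.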
Questions?