Performing Internet Explorer Forensics to Find Hidden Evidence
In the era of the Internet of Things, most end-user activities depend on internet communication in some form. Web browsers are the medium through which users connect to the web. Internet Explorer is the browser most familiar to users and ships by default with the Windows OS. Browser usage is therefore a rich source of evidence during investigations: like any other application, a web browser leaves behind traces of the activities its user carried out.
Internet Explorer (IE) is no exception; it leaves traces of browsing activity on the end user's machine, and this information can be useful to a forensic investigator. The challenge for the analyst is to reconstruct the activities carried out by the criminal. IE always leaves multiple pieces of information about browsing activity, such as the history of pages visited, URLs, bookmarks, search queries, etc. This Internet Explorer forensics article describes the application-specific artefacts created by Internet Explorer and examines them in depth for forensic analysis.
There are two primary areas a forensic examiner must explore for information related to Internet Explorer: the index.dat file and the cache.
The index.dat file contains the record of keywords searched for, URLs visited, webmail accesses, etc.; IE saves these artefacts to the appropriate location as the user browses. The '.dat' file can be found on the suspect's machine in any of the locations specified below.
Users can utilize various open-source tools to read the contents of the index.dat file.
The index.dat file header holds some additional information about the browsing activity. The three important pieces of information in the header are:
- File size
- Hash table offset
- Directories
The first field in the header is the file size, followed by the hash table offset. The hash table is an array of data that holds the entry points to all recorded activities. The header then lists the cache directories, which hold the files downloaded from the web by the browser. Using this information, the investigator can recreate the visited web pages.
The hash table is the master lookup table used to locate the valid activity records in the index.dat file. Hash tables are implemented as a linked list. The important fields in a hash table are:
- Hash Table Length: Length of the hash table.
- Next Hash Table: Pointer to next hash table.
- Activity Record Flags: a 4-byte field containing the activity record flags.
- Pointer (Activity Records): the offset of the activity record from the beginning of the file.
Activity records contain the main information an investigator needs. The three important activity record types are:
- URL Activity Record: contains information including the URL offset, filename offset, local cache directory offset, HTTP header offset, etc.
- REDR Activity Record: holds the type, length and the URL.
- LEAK Activity Record: the same as the URL activity record, but with a different value in the TYPE field.
- Deleted Activity Records: entries that are no longer referenced from the hash table can still be reconstructed from deleted or unlinked records.
Internet Explorer stores cookies as simple text files that an investigator can inspect directly. Cookies sometimes store information that proves very helpful in Internet Explorer forensic analysis, such as usernames, passwords, etc. The cookie files can be located at –
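The header, hash table and activity record layout described above can be walked programmatically. The following Python is an added example, not code from the article or from any tool it mentions. It builds a small constructed index.dat image in memory, reads the header (file size, hash table offset, cache directories), follows the hash table chain to the live URL and REDR records, maps each URL record to its cache directory and file name, and finally carves a URL record that no hash table links to, which is the deleted/unlinked case. The field offsets (0x1C, 0x20, 0x50, 0x34, 0x38, 0x3C, 0x44), the 128-byte block size and the "Client UrlCache MMF Ver 5.2" signature are taken from the open-source libmsiecf format notes and are assumptions to verify against a real file; the URLs, directory names, timestamps and hash values in the sample are constructed.

```python
# Walks a constructed index.dat image: header -> hash table chain -> activity records -> carving.
# Offsets follow the libmsiecf format-5.2 notes: an assumption to verify on real files, not article text.
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                                    # index.dat allocation unit
SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"
RECORD_SIGS = (b"URL ", b"REDR", b"LEAK")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HDR_FILE_SIZE, HDR_DIRS = 0x1C, 0x50           # file size + hash table offset; 32 x 12-byte dir slots
REC_URL_OFF, REC_STRINGS, REDR_URL = 0x34, 0x60, 0x10
REC_FIELDS = "<IB3xIIII"  # URL offset, dir index, filename offset, flags, header offset, header size

def to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def cstring(buf, off):
    return bytes(buf[off:buf.index(b"\0", off)]).decode("latin-1")

def parse_header(buf):
    if not buf.startswith(SIGNATURE):
        raise ValueError("not a version 5.2 index.dat file")
    file_size, hash_offset = struct.unpack_from("<II", buf, HDR_FILE_SIZE)
    slots = struct.iter_unpack("<I8s", buf[HDR_DIRS:HDR_DIRS + 32 * 12])
    dirs = [name.decode("ascii") for _count, name in slots if name != b"\0" * 8]
    return {"file_size": file_size, "hash_offset": hash_offset, "directories": dirs}

def walk_hash_tables(buf, hash_offset):
    """Follow the linked list of HASH tables; return the offsets of live records."""
    linked = []
    while hash_offset and hash_offset + 16 <= len(buf):
        sig, blocks, next_table = struct.unpack_from("<4sII", buf, hash_offset)
        if sig != b"HASH":
            break
        for i in range((blocks * BLOCK - 16) // 8):      # 8-byte (hash value, offset) slots
            _hash, rec_off = struct.unpack_from("<II", buf, hash_offset + 16 + i * 8)
            # unused/deleted slots hold small marker values: only a block-aligned, in-range
            # offset that points at a record signature counts as a live record
            if rec_off % BLOCK == 0 and BLOCK <= rec_off < len(buf) and buf[rec_off:rec_off + 4] in RECORD_SIGS:
                linked.append(rec_off)
        hash_offset = next_table
    return linked

def parse_record(buf, off, dirs):
    sig, blocks, modified, accessed = struct.unpack_from("<4sIQQ", buf, off)
    rec = {"offset": off, "type": sig.strip().decode(), "blocks": blocks}
    if sig == b"REDR":                         # REDR keeps only the URL string
        rec["url"] = cstring(buf, off + REDR_URL)
        return rec
    url_off, dir_index, fn_off, _flags, hdr_off, hdr_len = struct.unpack_from(REC_FIELDS, buf, off + REC_URL_OFF)
    rec.update(url=cstring(buf, off + url_off), filename=cstring(buf, off + fn_off),
               directory=dirs[dir_index] if dir_index < len(dirs) else None,
               headers=bytes(buf[off + hdr_off:off + hdr_off + hdr_len]).decode("latin-1"),
               last_modified=from_filetime(modified), last_accessed=from_filetime(accessed))
    return rec

def carve_records(buf, linked):
    """Scan block boundaries for record signatures that no hash table points to."""
    unlinked, off = [], BLOCK
    while off + 8 <= len(buf):
        sig, blocks = struct.unpack_from("<4sI", buf, off)
        hit = sig in RECORD_SIGS and 0 < blocks < 64
        if hit and off not in linked:
            unlinked.append(off)
        off += blocks * BLOCK if hit else BLOCK  # step over a whole record
    return unlinked

def reconstruct(buf):
    header = parse_header(buf)
    linked = walk_hash_tables(buf, header["hash_offset"])
    records = [parse_record(buf, off, header["directories"]) for off in linked]
    for off in carve_records(buf, set(linked)):  # deleted or orphaned entries
        records.append(dict(parse_record(buf, off, header["directories"]), unlinked=True))
    return header, records

# --- constructed sample image (not captured from a real system) ------------------------------
def _put_url_record(buf, off, url, filename, dir_index, headers, when):
    fn_pos = REC_STRINGS + len(url) + 1        # strings follow the fixed 0x60-byte part
    struct.pack_into("<4sIQQ", buf, off, b"URL ", 2, to_filetime(when), to_filetime(when))
    struct.pack_into(REC_FIELDS, buf, off + REC_URL_OFF, REC_STRINGS, dir_index, fn_pos, 0, fn_pos + len(filename) + 1, len(headers))
    body = url + b"\0" + filename + b"\0" + headers
    buf[off + REC_STRINGS:off + REC_STRINGS + len(body)] = body

def build_sample():
    buf = bytearray(0x600)
    buf[:len(SIGNATURE)] = SIGNATURE
    struct.pack_into("<II", buf, HDR_FILE_SIZE, len(buf), 0x200)
    for i, name in enumerate((b"AB12CD34", b"EF56GH78")):
        struct.pack_into("<I8s", buf, HDR_DIRS + i * 12, 1, name)
    when = datetime(2009, 6, 15, 12, 0, tzinfo=timezone.utc)
    _put_url_record(buf, 0x280, b"http://example.test/index.html", b"index[1].html", 0, b"HTTP/1.1 200 OK\r\n\r\n", when)
    struct.pack_into("<4sI", buf, 0x380, b"REDR", 1)
    buf[0x380 + REDR_URL:0x380 + REDR_URL + 24] = b"http://example.test/old\0"
    _put_url_record(buf, 0x400, b"http://example.test/deleted.html", b"deleted[1].html", 1, b"", when)
    struct.pack_into("<4sIII", buf, 0x200, b"HASH", 1, 0, 1)   # one table, no successor
    # two live slots (hash values constructed); the record at 0x400 is left unlinked on purpose
    struct.pack_into("<IIII", buf, 0x210, 0x1A2B3C40, 0x280, 0x5D6E7F80, 0x380)
    return buf

if __name__ == "__main__":
    print(*reconstruct(build_sample())[1], sep="\n")
```

The carving pass is what recovers the deleted record: it steps through the file in 128-byte blocks, treats any block that starts with a record signature as a record, and reports those the hash tables never reached. On a real file the same walk applies to every hash table in the chain, and the directory index plus file name give the path under Temporary Internet Files where the cached copy lived.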
Consider the sample cookie file:
An investigator can carry out forensic analysis of Internet Explorer's cookie file artefacts using any of the many open-source tools available. The following shows the same cookie as in the figure above, as displayed by such a tool.
Cookie records contain the key, value, host, secure flag, modified date and expiry date, so any platform capable of reading cookies can be used to uncover the stored information.
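As an added example (not the article's code, and not that of any tool it mentions), the following Python parses the legacy nine-line-per-record layout of an Internet Explorer cookie text file, turns the two decimal FILETIME halves into timestamps, and gives the examiner the two views usually wanted first: cookies grouped by host and cookies still valid at a reference time. The record layout (name, value, host/path, flags, expiry low/high, creation low/high, "*") is an assumption to verify against a real cookie file, the flags field is reported raw rather than decoded, and the file contents, hosts and values are constructed.

```python
# Parses the legacy Internet Explorer cookie text layout. The nine-line record layout
# (name, value, host/path, flags, expiry FILETIME low/high, creation FILETIME low/high,
# "*") is an assumption to verify against a real file, not something the article states.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_from_halves(low, high):
    """Join the two 32-bit decimal halves into a FILETIME (100 ns ticks since 1601) and convert."""
    return FILETIME_EPOCH + timedelta(microseconds=((high << 32) | low) // 10)

def parse_cookie_file(text):
    """Return one dict per cookie record; raises on a truncated file or a missing '*' terminator."""
    lines = text.splitlines()
    if len(lines) % 9:
        raise ValueError("truncated cookie file: records are nine lines each")
    cookies = []
    for i in range(0, len(lines), 9):
        name, value, hostpath, flags, exp_lo, exp_hi, cre_lo, cre_hi, end = lines[i:i + 9]
        if end.strip() != "*":
            raise ValueError(f"malformed cookie record starting at line {i + 1}")
        host, _, path = hostpath.partition("/")
        cookies.append({
            "name": name, "value": value, "host": host, "path": "/" + path,
            "flags": int(flags),            # raw bit field; individual bits are not decoded here
            "expires": filetime_from_halves(int(exp_lo), int(exp_hi)),
            "created": filetime_from_halves(int(cre_lo), int(cre_hi)),
        })
    return cookies

def by_host(cookies):
    """Group cookie names by host."""
    groups = defaultdict(list)
    for c in cookies:
        groups[c["host"]].append(c["name"])
    return dict(groups)

def still_valid(cookies, now):
    """Cookies whose expiry lies after the reference time (e.g. the acquisition time)."""
    return [c for c in cookies if c["expires"] > now]

# Constructed sample file contents; the halves encode 2009-06-15 12:00 UTC (expiry)
# and 2009-06-01 12:00 UTC (creation).
SAMPLE_COOKIE_FILE = """\
session_id
abc123
example.test/
2048
3473203200
30010800
2101108736
30007984
*
lang
en-GB
example.test/account/
1024
3473203200
30010800
2101108736
30007984
*
"""

if __name__ == "__main__":
    for c in parse_cookie_file(SAMPLE_COOKIE_FILE):
        print(c["host"], c["path"], c["name"], c["value"], c["created"], c["expires"], sep="  ")
```

The creation and expiry stamps are the forensic value here: a creation time places the visit to the host on the timeline even when the browsing history itself has been cleared, and comparing expiry against the acquisition time separates cookies the browser would still have sent from stale ones.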
The browser cache holds certain temporary files locally on the system from the browsing activity, i.e. from the websites visited. Cache files are located in the Temporary Internet Files folder, where the locally cached files are stored in one of the randomly named subdirectories. These files carry the information needed to map cached files back to their URLs.
For example, the file above reveals information such as the URL and the file name accessed by the user.
The best place to search and investigate is the Favorites folder that the user maintains. The Favorites folder contains frequently visited URLs and explicitly stored pages, each link together with its modified date. Any subfolders the user maintains should also be investigated, as they may reveal important aspects of the investigation. Depending on the analyst's needs, the MAC times (modified, accessed, created) help identify when each file was created, modified or accessed, and this information may prove valuable in many situations.
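The Favorites inventory described above is easy to automate. The Python below is an added example, not code from the article: it walks a Favorites tree including subfolders, reads the URL out of each .url shortcut (a plain INI text file with an [InternetShortcut] section and a URL= key, which is the standard format), and records the file's MAC times. The sample tree it builds in a temporary directory is constructed, not taken from a real machine, and the example skips files that are not shortcuts rather than failing on them.

```python
# Added example: inventory a Favorites tree of .url shortcuts together with their MAC times.
# The sample tree is constructed in a temporary directory; it is not real user data.
import configparser
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def read_shortcut(path):
    """Return the URL stored in a .url favourite, or None if the file is not a valid shortcut."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read(path, encoding="utf-8")
    except configparser.Error:              # e.g. a stray text file without any [section]
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)

def mac_times(path):
    """Modified/accessed/'created' stamps as UTC datetimes. Caveat: st_ctime is the creation
    time on Windows but the inode change time on POSIX, so label it accordingly in a report."""
    st = os.stat(path)
    ts = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return {"modified": ts(st.st_mtime), "accessed": ts(st.st_atime), "created": ts(st.st_ctime)}

def inventory_favorites(root):
    """Walk the Favorites folder and every subfolder; one entry per readable .url shortcut."""
    root = Path(root)
    entries = []
    for path in sorted(root.rglob("*.url")):
        url = read_shortcut(path)
        if url is None:
            continue
        entries.append({"folder": str(path.parent.relative_to(root)), "name": path.stem,
                        "url": url, **mac_times(path)})
    return entries

def build_sample_tree():
    """Constructed Favorites tree in a temporary directory (not taken from a real machine)."""
    root = Path(tempfile.mkdtemp(prefix="favorites_"))
    (root / "Links").mkdir()
    shortcuts = {
        root / "Example Home.url": "http://example.test/",
        root / "Links" / "Webmail.url": "https://mail.example.test/inbox",
    }
    for path, url in shortcuts.items():
        path.write_text(f"[InternetShortcut]\nURL={url}\n", encoding="utf-8")
    (root / "notes.txt").write_text("not a shortcut", encoding="utf-8")
    return root

if __name__ == "__main__":
    for e in inventory_favorites(build_sample_tree()):
        print(e["folder"], e["name"], e["url"], e["modified"].isoformat(), sep="  ")
```

Run against a real profile, point `inventory_favorites` at the user's Favorites folder; the `folder` field preserves the subfolder the user filed each link under, which is often as telling as the link itself.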
‘InPrivate’ is a feature of Internet Explorer for browsing privately. When it is used, the browser does not retain a record of that browsing session. Even so, a forensic investigator can retrieve some evidence from the system under certain conditions. One way is to collect evidence from the machine's RAM: a memory capture can still give the investigator important information, since it captures live data.
An examiner can reconstruct Internet Explorer browsing from the multiple pieces of information it stores in the forms explained above. This evidence can help detect malicious activity resulting in identity theft, theft of intellectual property, the execution of a crime, etc. This explanation of Internet Explorer's storage files and their significance is an attempt to offer the forensic community some additional information on the findings examiners are usually confronted with when investigating the browser. The possibility of reconstructing Internet Explorer activities has also been laid out along the way.