Perform Internet Explorer Forensics for Finding Hidden Evidence
In the era of the Internet of Things, most end-user activities depend on internet communication in some form. Web browsers are the medium through which users connect to the web. Internet Explorer is the most familiar browser among users and ships by default with the Windows OS. Web browser usage is therefore a great source of evidence during investigations. Like any other application, web browsers leave behind traces of the activities carried out by their users.
The IE browser is no exception: it leaves traces of browsing activity on the end user’s machine. This information can be useful to a forensic investigator, whose challenge is to reconstruct the activities carried out by the criminal. IE always leaves multiple pieces of information about browsing activity, such as the history of pages visited, URLs, bookmarks, search queries, etc. This Internet Explorer forensics article describes the application-specific artifacts created by Internet Explorer and examines them in depth for forensic analysis.
Most of the important files can be found in the Internet Explorer folder on the user’s system. The default location of these files is:
The two primary areas a forensic examiner must explore for information related to Internet Explorer are the index.dat file and the cache.
The index.dat file contains records of keywords searched for, URLs visited, web mail accesses, etc. The artifacts are saved to the appropriate location as the user browses with IE. This ‘.dat’ file can be found on the suspect’s machine at any of the locations specified below.
Various open source tools can be used to read the contents from the index.dat file.
The index.dat file header holds some additional information about the browsing session. The three important pieces of information in the header are:
- File size
- Hash table offset
- Directories
The first field of the header indicates the file size. It is followed by the hash table offset. The hash table is an array that holds the entry point to all the activity records. The next piece of information in the header is the list of directories. Directories hold the files that were downloaded from the web by the browser. Using this information the investigator can recreate the visited web pages.
The hash table is the master lookup table for referring to the valid activities in the index.dat file. Hash tables are implemented as linked lists. The important fields in the hash table are:
- Hash Table Length: Length of hash table.
- Next Hash Table: Pointer to next hash table.
- Activity Record Flags: a 4-byte field containing the activity record flags.
- Activity Record Pointer: offset of the activity record from the beginning of the file.
The activity records contain the main information an investigator needs. The three important activity record types are:
- URL Activity Record: contains information including the URL offset, filename offset, local cache directory offset, HTTP header offset, etc.
- REDR Activity Record: holds the type, length and the URL.
- LEAK Activity Record: same layout as the URL activity record, with a different value in the TYPE field.
- Deleted Activity Record: entries that are no longer in the hash table can also be reconstructed from deleted or unlinked records.
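The header, hash table and activity record structures described above, put to work in an added Python example that is not part of this article and not a tool the article describes. It parses a constructed index.dat-style image rather than a real file, and its field offsets (file size at 0x1C, hash table offset at 0x20, directory list from 0x50, URL offset at 0x34 and filename offset at 0x3C within a record, and so on) follow the commonly documented MSIE 5.x layout, so treat them as assumptions to verify against the file at hand. The carving pass at the end recovers a record the hash table no longer references, which is the deleted-record case from the last bullet.

```python
"""Walk a constructed index.dat-style image: header -> HASH table chain -> activity
records, then carve records the hash table no longer references. The field offsets
follow the commonly documented MSIE 5.x layout and are assumptions to verify against
the real file; the image is constructed here, not taken from a real system."""
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                       # index.dat allocation unit (assumed)
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("latin-1")

def parse_header(data):
    """File size at 0x1C, hash table offset at 0x20, directory count at 0x4C, then
    12-byte directory entries (u32 file count + 8-char name) from 0x50 (assumed)."""
    file_size, hash_off = struct.unpack_from("<II", data, 0x1C)
    dir_count = struct.unpack_from("<I", data, 0x4C)[0]
    dirs = [struct.unpack_from("<I8s", data, 0x50 + 12 * i)[1].decode("ascii")
            for i in range(dir_count)]
    return {"file_size": file_size, "hash_offset": hash_off, "directories": dirs}

def iter_hash_entries(data, hash_off, file_size):
    """Follow the HASH table linked list; yield (flags, record offset) for live slots."""
    seen = set()
    while hash_off and hash_off not in seen and data[hash_off:hash_off + 4] == b"HASH":
        seen.add(hash_off)
        blocks, next_off = struct.unpack_from("<II", data, hash_off + 4)
        for pos in range(hash_off + 0x10, hash_off + blocks * BLOCK, 8):
            flags, rec = struct.unpack_from("<II", data, pos)
            if rec and rec % BLOCK == 0 and rec < file_size:   # unused slots fail this
                yield flags, rec
        hash_off = next_off

def parse_record(data, off, dirs):
    sig = data[off:off + 4]
    rec = {"offset": off, "type": sig.decode("ascii").strip()}
    if sig in (b"URL ", b"LEAK"):                 # LEAK shares the URL record layout
        modified, accessed = struct.unpack_from("<QQ", data, off + 8)
        url_off = struct.unpack_from("<I", data, off + 0x34)[0]   # relative to record
        dir_index = data[off + 0x38]                              # index into dirs
        name_off = struct.unpack_from("<I", data, off + 0x3C)[0]
        rec.update(modified=filetime_to_dt(modified), accessed=filetime_to_dt(accessed),
                   url=cstring(data, off + url_off),
                   cache_dir=dirs[dir_index] if dir_index < len(dirs) else None,
                   filename=cstring(data, off + name_off) if name_off else None)
    elif sig == b"REDR":                          # redirect record: only the URL
        rec["url"] = cstring(data, off + 0x10)
    return rec

def parse_index_dat(data):
    """Return (header, records reachable from the hash table, unlinked records)."""
    hdr = parse_header(data)
    live = [parse_record(data, off, hdr["directories"])
            for _, off in iter_hash_entries(data, hdr["hash_offset"], hdr["file_size"])]
    linked = {r["offset"] for r in live}
    # Carving pass: a block-aligned record signature the hash table no longer points
    # at is a deleted/unlinked record whose contents are still intact.
    unlinked = [parse_record(data, off, hdr["directories"])
                for off in range(0, hdr["file_size"], BLOCK)
                if data[off:off + 4] in (b"URL ", b"REDR", b"LEAK") and off not in linked]
    return hdr, live, unlinked

def _url_record(sig, url, filename, when):
    rec = bytearray(2 * BLOCK)
    rec[0:4] = sig
    struct.pack_into("<I", rec, 4, 2)             # length in blocks
    struct.pack_into("<QQ", rec, 8, dt_to_filetime(when), dt_to_filetime(when))
    url_off, name_off = 0x68, 0                   # strings follow the fixed part
    rec[url_off:url_off + len(url) + 1] = url.encode() + b"\x00"
    if filename:
        name_off = url_off + len(url) + 1
        rec[name_off:name_off + len(filename) + 1] = filename.encode() + b"\x00"
    struct.pack_into("<II", rec, 0x34, url_off, 0)   # dir index byte at 0x38 = 0
    struct.pack_into("<I", rec, 0x3C, name_off)
    return rec

def build_sample():
    """Constructed image: header, one HASH table, three linked records, one unlinked."""
    img = bytearray(0x580)
    img[0:0x1C] = b"Client UrlCache MMF Ver 5.2\x00"
    struct.pack_into("<II", img, 0x1C, len(img), 0x100)
    struct.pack_into("<I", img, 0x4C, 1)
    struct.pack_into("<I8s", img, 0x50, 3, b"ABCDEFGH")
    img[0x100:0x104] = b"HASH"
    struct.pack_into("<II", img, 0x104, 2, 0)     # 2 blocks long, no next table
    for pos in range(0x110, 0x200, 8):
        struct.pack_into("<II", img, pos, 3, 3)   # empty slot marker
    when = datetime(2012, 3, 4, 10, 30, tzinfo=timezone.utc)
    img[0x200:0x300] = _url_record(b"URL ", "Visited: user@http://example.test/login", None, when)
    img[0x300:0x400] = _url_record(b"LEAK", "http://example.test/page.htm", "page[1].htm", when)
    redirect = b"http://example.test/old-page\x00"
    img[0x400:0x404] = b"REDR"
    struct.pack_into("<I", img, 0x404, 1)
    img[0x410:0x410 + len(redirect)] = redirect
    img[0x480:0x580] = _url_record(b"URL ", "http://example.test/deleted", "del[1].htm", when)
    for slot, off in enumerate((0x200, 0x300, 0x400)):   # 0x480 is left unlinked
        struct.pack_into("<II", img, 0x110 + 8 * slot, 0x1000 * (slot + 1), off)
    return bytes(img)
```

Calling `parse_index_dat(build_sample())` returns the header with its directory list, the three records reachable through the hash table (the URL record with its "Visited:" history entry, the LEAK record with its cache filename, and the REDR redirect), and one unlinked URL record found only by the carving pass. On a real file the same two-pass approach is what separates "what the browser still indexes" from "what is still physically present", and the offsets should be confirmed against the header signature before trusting any field.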
Internet Explorer stores cookies as simple text files that can be inspected directly by an investigator. Sometimes cookies store information that can prove very helpful in Internet Explorer forensic analysis, such as usernames, passwords, etc. The files can be located at –
Consider the sample cookie file:
The forensic analysis of Internet Explorer’s cookie file artifacts can be carried out with any suitable tool; many open source tools are available. The following shows the same cookie as in the figure above, read with the help of such a tool.
Cookie records contain the key, value, host, secure flag, modified date and expiry date, so any platform capable of reading cookies can be used to uncover the stored information.
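An added Python example, not part of this article or of any tool it mentions, that reads the fields just listed out of the text-based cookie files. It assumes the classic IE cookie text layout of one record per eight lines terminated by a line holding `*` (name, value, host/path, flags, expiry FILETIME as low and high 32-bit halves, last-modified FILETIME as low and high halves); the sample file is constructed in the code, and the flag bit values for "secure" and "HttpOnly" are taken from the wininet `INTERNET_COOKIE_*` constants, which is an assumption to confirm against the cookies being examined.

```python
"""Parse the IE cookie text format: one cookie per 8-line record terminated by a line
holding '*' (assumed classic layout). The sample file is constructed here; the flag
bit values are the wininet INTERNET_COOKIE_* constants and are assumptions."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COOKIE_IS_SECURE = 0x0001        # assumed: wininet INTERNET_COOKIE_IS_SECURE
COOKIE_HTTPONLY = 0x2000         # assumed: wininet INTERNET_COOKIE_HTTPONLY
NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)   # constructed "time of examination"

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def split_filetime(ft):
    """The cookie file stores each FILETIME as its low and high 32-bit halves."""
    return ft & 0xFFFFFFFF, ft >> 32

def _record(fields):
    name, value, hostpath, flags, exp_lo, exp_hi, mod_lo, mod_hi = fields[:8]
    host, _, path = hostpath.partition("/")
    flags = int(flags)
    return {
        "name": name, "value": value, "host": host, "path": "/" + path,
        "flags": flags,
        "secure": bool(flags & COOKIE_IS_SECURE),
        "httponly": bool(flags & COOKIE_HTTPONLY),
        "expires": filetime_to_dt((int(exp_hi) << 32) | int(exp_lo)),
        "modified": filetime_to_dt((int(mod_hi) << 32) | int(mod_lo)),
    }

def parse_cookie_file(text):
    """Return one dict per complete record; a truncated trailing record is skipped."""
    records, current = [], []
    for line in text.splitlines():
        if line.strip() == "*":
            if len(current) >= 8:
                records.append(_record(current))
            current = []
        else:
            current.append(line)
    return records

def expired(record, now=NOW):
    """Expiry is still evidence: an expired cookie proves the visit happened."""
    return record["expires"] <= now

def build_cookie_text(cookies):
    """Constructed sample writer; cookies = [(name, value, hostpath, flags, expires, modified)]."""
    out = []
    for name, value, hostpath, flags, expires, modified in cookies:
        exp_lo, exp_hi = split_filetime(dt_to_filetime(expires))
        mod_lo, mod_hi = split_filetime(dt_to_filetime(modified))
        out += [name, value, hostpath, str(flags),
                str(exp_lo), str(exp_hi), str(mod_lo), str(mod_hi), "*"]
    return "\n".join(out) + "\n"

# Constructed sample cookie file with one secure/HttpOnly session cookie and one
# plain preference cookie under a sub-path.
SAMPLE = build_cookie_text([
    ("sessionid", "3f9a1c", "example.test/", 1536 | COOKIE_IS_SECURE | COOKIE_HTTPONLY,
     datetime(2013, 1, 15, tzinfo=timezone.utc), datetime(2012, 12, 1, 9, 5, tzinfo=timezone.utc)),
    ("prefs", "lang=en", "example.test/account/", 1536,
     datetime(2020, 6, 1, tzinfo=timezone.utc), datetime(2012, 12, 1, 9, 6, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    for c in parse_cookie_file(SAMPLE):
        print(f'{c["host"]}{c["path"]} {c["name"]}={c["value"]} secure={c["secure"]} '
              f'httponly={c["httponly"]} modified={c["modified"]:%Y-%m-%d %H:%M} '
              f'expires={c["expires"]:%Y-%m-%d} expired={expired(c)}')
```

The modified timestamp is usually the more useful of the two for a timeline, since it marks when the site last set the cookie; the expiry only bounds how long the browser would have kept sending it.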
The browser cache holds temporary files of the browsing activity locally on the system, i.e. content of the websites visited. Cache files are located in the Temporary Internet Files folder, in one of its randomly named subdirectories. These files carry the information needed to map them back to their URLs.
For example, the file above reveals information such as the URL and the file name accessed by the user.
The best place to search and investigate is the Favorites folder maintained by the user. It contains frequently visited URLs and explicitly saved pages, held as links together with their modified dates. Sometimes the subfolders the user maintains should also be investigated, as they may reveal important aspects of the investigation. Depending on the analyst’s needs, the MAC times of these files identify when a file was created, modified and accessed, and this information may prove valuable in many situations.
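An added Python example (not from the article) that inventories a Favorites folder the way the paragraph describes: it walks the folder and its subfolders, reads the target of each `.url` shortcut from its `[InternetShortcut]` / `URL=` entry, and records the file's MAC times. The folder contents are constructed in a temporary directory, so nothing here comes from a real profile; the file names and URLs are made up.

```python
"""Inventory a Favorites folder: target URL from each .url shortcut plus MAC times.
The folder is constructed in a scratch directory; nothing comes from a real profile."""
import configparser
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def read_shortcut_url(path):
    """A .url shortcut is INI text with [InternetShortcut] / URL=...; decode leniently
    (BOM tolerated, bad bytes replaced) because real shortcuts are not always UTF-8."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(Path(path).read_bytes().decode("utf-8-sig", "replace"))
    return cp.get("InternetShortcut", "URL", fallback=None)

def collect_favorites(root):
    """One row per shortcut, subfolders included, with timestamps in UTC."""
    root = Path(root)
    rows = []
    for p in sorted(root.rglob("*.url"), key=str):
        st = p.stat()
        rows.append({
            "name": str(p.relative_to(root)),
            "url": read_shortcut_url(p),
            "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
            "accessed": datetime.fromtimestamp(st.st_atime, timezone.utc),
            # st_ctime is creation time on Windows but inode-change time on POSIX,
            # so it is labelled ctime here rather than assumed to be "created".
            "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc),
        })
    return rows

def build_sample_favorites(root):
    """Constructed sample: two shortcuts, one of them inside a subfolder."""
    root = Path(root)
    (root / "Links").mkdir(parents=True, exist_ok=True)
    (root / "Example.url").write_text(
        "[InternetShortcut]\nURL=http://example.test/\n", encoding="utf-8")
    (root / "Links" / "Mail.url").write_text(
        "[InternetShortcut]\nURL=https://mail.example.test/inbox\n", encoding="utf-8")
    return root

def demo():
    """Build the sample in a scratch directory and return the collected rows."""
    with tempfile.TemporaryDirectory() as scratch:
        return collect_favorites(build_sample_favorites(scratch))

if __name__ == "__main__":
    for row in demo():
        print(f'{row["modified"]:%Y-%m-%d %H:%M:%S}  {row["name"]}  ->  {row["url"]}')
```

When run against a real Favorites folder, pass the folder path to `collect_favorites` directly and sort the rows by the modified time to get a first-cut timeline of when bookmarks were added.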
‘InPrivate’ is a feature of Internet Explorer for browsing privately. When it is used, the browser does not retain any record of the browsing session. Still, some evidence can be retrieved by the forensic investigator from the system under certain conditions. One way is to collect evidence from the machine’s RAM: capturing RAM can still give the investigator important information, as it captures live data.
Internet Explorer browsing can be examined through the multiple pieces of information it stores in the forms explained above. This evidence can help detect malicious activities resulting in identity theft or theft of intellectual property, or detect the execution of a crime, etc. This explanation of Internet Explorer’s storage files and their significance is an attempt to offer the forensic industry a bit of additional information on the findings examiners are usually confronted with during an investigation of the browser. Moreover, the possibility of reconstructing Internet Explorer activities has also been laid out.