For one of my labs this week we had to browse a few websites using IE and then, using an Internet Explorer analysis tool, find out as much info as possible about what we looked at. IE logs all browser activity in index.dat files. The data stored includes the URL, the date and time of last modification and access, and the user.
These are hidden in all sorts of places, but there are three important ones which can be found at these three addresses:
C:\Documents and Settings\[username]\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\[username]\Cookies\index.dat
The first two are difficult to access via the Windows Explorer GUI even with hidden files and system files made visible. I used the command line, which tried to fool me by telling me there were no directories inside History. Lies! Windows Explorer treats the history folder like the browser does, and lets you browse the history rather than actually showing the files and folders there. There are lots of other index.dat files inside History.IE5\MSHist[18digits] for different time periods. Start typing the directory and press tab; it’ll still find the directory even though it assures me it doesn’t exist.
There are loads of index.dat file analysers out there, but as our lecturer said, fancy GUI or not, they all boil down to outputting a list of URLs with dates and times. Pasco is the one we used, which can be downloaded here (Requires Linux/Cygwin). Very simple to use:
Pasco index.dat > results.csv
Then you can use your favourite spreadsheet to have a look. Uses for this kind of thing include proving a suspect was at home and browsing the web at the time of an incident, giving them an alibi, or vice versa, proving they were online committing fraud / downloading something dodgy.
What I find, though, is that a list of URLs doesn’t help much with getting the overall feel of the user’s internet usage. You can sort by columns, but I still find the long lists rather visually lacking. Pretty much all the forensic tools I’ve seen so far are command line and output text files, or have a very basic GUI. You still need to process these files afterwards with egrep etc. Encase, from what I’ve seen, doesn’t visualize the data very well either. I think I’ve found an area I’d really enjoy working in because I love GUIs and HCI so much, and forensics is so interesting. And no one has come up with decent tools yet!!!
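To show the kind of post-processing the paragraph above is talking about, here is a small Python script (an added example, not the author's code or part of Pasco) that turns Pasco-style output into visits-per-day and visits-per-hour counts and draws them as text histograms. It assumes Pasco's tab-separated column layout (TYPE, URL, MODIFIED TIME, ACCESS TIME, FILENAME, DIRECTORY, HTTP HEADERS) with ctime-style timestamps and the "Visited: user@url" convention in the URL column; the sample records embedded in it are constructed, not real browsing history.

```python
"""Summarise Pasco-style index.dat output as visits per day and per hour.

Assumed Pasco output layout (tab-separated, one record per line):
TYPE, URL, MODIFIED TIME, ACCESS TIME, FILENAME, DIRECTORY, HTTP HEADERS
with timestamps in ctime format such as "Wed Sep 15 14:02:11 2010".
Only rows of TYPE "URL" are counted; REDR (redirect) and other rows are skipped.
"""
from collections import Counter
from datetime import datetime

# Constructed sample in the assumed Pasco format (not real forensic data).
SAMPLE = (
    "History File: index.dat\n"
    "\n"
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS\n"
    "URL\tVisited: alice@http://example.com/\tWed Sep 15 14:02:11 2010\tWed Sep 15 14:02:11 2010\t\t\t\n"
    "URL\tVisited: alice@http://example.com/login\tWed Sep 15 14:05:40 2010\tWed Sep 15 14:05:40 2010\t\t\t\n"
    "URL\tVisited: alice@http://example.org/news\tThu Sep 16 09:30:02 2010\tThu Sep 16 09:30:02 2010\t\t\t\n"
    "REDR\thttp://example.net/redirect\t\t\t\t\t\n"
    "URL\tVisited: alice@http://example.org/news/2\tThu Sep 16 09:31:15 2010\tThu Sep 16 09:31:15 2010\t\t\t\n"
    "URL\tVisited: alice@http://example.com/\tThu Sep 16 22:10:00 2010\tThu Sep 16 22:10:00 2010\t\t\t\n"
)

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # ctime layout; strptime tolerates the padded day


def split_user_url(raw):
    """Split IE's 'Visited: user@http://...' form into (user, url)."""
    prefix = "Visited: "
    if raw.startswith(prefix):
        user, _, url = raw[len(prefix):].partition("@")
        return user, url
    return "", raw


def parse_records(text):
    """Return a list of (user, url, access_time) for each URL-type row."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        # Header lines, blank lines and non-URL rows (e.g. REDR) are skipped.
        if len(fields) < 4 or fields[0] != "URL" or not fields[3]:
            continue
        user, url = split_user_url(fields[1])
        access = datetime.strptime(fields[3].strip(), TIME_FORMAT)
        records.append((user, url, access))
    return records


def visits_per_day(records):
    """Count visits keyed by ISO date string (YYYY-MM-DD)."""
    return Counter(access.date().isoformat() for _, _, access in records)


def visits_per_hour(records):
    """Count visits keyed by hour of day (0-23), which shows the daily rhythm."""
    return Counter(access.hour for _, _, access in records)


def histogram(counts):
    """Render a Counter as sorted text bars, one '#' per visit."""
    return "\n".join(f"{key}  {'#' * n} ({n})" for key, n in sorted(counts.items()))


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("Visits per day:")
    print(histogram(visits_per_day(recs)))
    print("\nVisits per hour of day:")
    print(histogram(visits_per_hour(recs)))
```

To use it on real output, replace SAMPLE with the contents of the results file Pasco wrote (`open("results.csv").read()`); the per-hour histogram is what gives the overall feel of when the machine was in use, and the per-day one is what a spreadsheet chart would show.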
I wanted to make a quick visual graph of my IE usage in September of this year. I don’t use it as my main browser, but do use it occasionally for website testing and when Windows forces me to use it. It was quite complicated to get the data into a nice format (especially because Excel decided the dates were American style, but wanted to display them UK style), but here is the graph! Click to make bigger.