Forensic Analysis of Internet Explorer Activity Files
by Keith J. Jones
keith.jones@foundstone.com
3/19/03
(revised 5/6/03)
Table of Contents
1. Introduction (page 4)
2. The Index.dat File Header (page 6)
3. The HASH Table (page 10)
4. The Activity Records (page 15)
4.1. The URL Activity Record (page 16)
4.2. The REDR Activity Record (page 24)
4.3. The LEAK Activity Record (page 27)
5. Deleted Activity Records (page 28)
6. Pasco – The IE Internet Activity Parser (page 29)
Table of Figures
Figure 1 – One location for an Index.dat file (page 5)
Figure 2 – The Index.dat File Size (page 6)
Figure 3 – The HASH Table Offset (page 7)
Figure 4 – The Beginning of the HASH Table (page 7)
Figure 5 – The Index.dat Directories (page 8)
Figure 6 – The HASH Table Linked List (page 10)
Figure 7 – The Second Hash Table (page 11)
Figure 8 – A Valid Activity Record in the HASH Table (page 12)
Figure 9 – A Valid Activity Record (page 13)
Figure 10 – A URL Activity Record (page 16)
Figure 11 – The URL Activity Record Web Site Offset (page 17)
Figure 12 – The URL Activity Record Filename Data (page 17)
Figure 13 – The URL Activity Record Filename Data Offset (page 18)
Figure 14 – The URL Activity Record HTTP Header Data (page 19)
Figure 15 – The URL HTTP Header Data Offset (page 19)
Figure 16 – The URL Activity Record Last Modified Time Stamp (page 20)
Figure 17 – The URL Activity Record Last Accessed Time Stamp (page 21)
Figure 18 – Location of the Directory Number (page 22)
Figure 19 – A REDR Activity Record (page 24)
Figure 20 – The REDR Activity Record Length (page 25)
Figure 21 – The URL in a REDR Activity Record (page 25)
Figure 22 – A LEAK Activity Record (page 27)
Figure 23 – Pasco's Output (page 30)
Listing of Tables
Table 1 - Common Index.dat File Locations for Internet Explorer (page 5)
Table 2 - Relevant Fields in the Index.dat File Header (page 9)
Table 3 - Relevant Fields in the HASH Table Header (page 13)
Table 4 - Relevant Fields in the URL Activity Record (page 23)
Table 5 - Relevant Fields in the REDR Activity Record (page 26)
1. Introduction
There are many types of investigations that you may conduct as a computer forensic
specialist. During many of these investigations, you may want to obtain compelling
evidence that suggests a predisposition to conduct some action, implying intent. One of the
potential sources of information that helps you prove an event occurred, or determine
the predisposition of a computer user, is the list of Web sites that individual visited.
Nearly every computer user is familiar with Web browsers such as Internet Explorer and
Netscape. Both of these Web browsers maintain history files that reveal the Web
sites (Uniform Resource Locators, or URLs) visited by users of the system. Since these
browser history files are in binary form, special tools are required to review them. Since
Internet Explorer is the most popular application used to browse the Web, we have first
created a tool, called Pasco, to reconstruct the history files that Internet Explorer
maintains.
Internet Explorer caches URLs that a user visits. When a user visits any Web site,
Internet Explorer first checks whether it has already stored (cached) a local copy of that Web
site on the hard drive. If a local copy exists, Internet Explorer uses the local cached
file instead of downloading the information from the Internet. Internet Explorer stores
cached files in the Temporary Internet Files folders on the local hard drive. It also assigns
each cached file an alphanumeric name, and maps the new filenames to the actual
filenames in system files. The system files used to map the cached alphanumeric names
to the actual URLs and filenames are the Index.dat files. These Index.dat files
record the URL, the date the Web page was last modified by the server, and the date that
the URL was last accessed by the user. Internet Explorer maintains many of these
Index.dat files, which are binary (not human-readable) files. Unfortunately, the
internal structures of the Internet Explorer history files (really cache files) are not well
known. This white paper reverse engineers the structure of these files using a basic hex
editor.
Figure 1 – One location for an Index.dat file
The following table lists additional areas of the file system where other Index.dat files may
be located:

Table 1 - Common Index.dat File Locations for Internet Explorer

Operating System   File Path(s)
Windows 95/98/Me   \Windows\Temporary Internet Files\Content.IE5\
                   \Windows\Cookies\
                   \Windows\History\History.IE5\
Windows NT         \Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5\
                   \Winnt\Profiles\<username>\Cookies\
                   \Winnt\Profiles\<username>\Local Settings\History\History.IE5\
Windows 2K/XP      \Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\
                   \Documents and Settings\<username>\Cookies\
                   \Documents and Settings\<username>\Local Settings\History\History.IE5\
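The locations in Table 1 are the first thing an examiner enumerates on a mounted image before any Index.dat is parsed. The following is an added example, not code from the white paper or from Pasco: it expands each Table 1 path against every user profile found under a given file-system root, finds each index.dat read-only, and records its size and SHA-256 so the working copies can be verified against the evidence later. The root directory, the family labels ("win9x", "winnt", "win2k_xp") and the function names are assumptions of this example.

```python
import hashlib
import os

# Table 1 locations, relative to the mounted file-system root. "<username>"
# is expanded against every profile directory found under the parent folder.
LOCATIONS = {
    "win9x": [r"Windows\Temporary Internet Files\Content.IE5",
              r"Windows\Cookies", r"Windows\History\History.IE5"],
    "winnt": [r"Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5",
              r"Winnt\Profiles\<username>\Cookies",
              r"Winnt\Profiles\<username>\Local Settings\History\History.IE5"],
    "win2k_xp": [r"Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5",
                 r"Documents and Settings\<username>\Cookies",
                 r"Documents and Settings\<username>\Local Settings\History\History.IE5"],
}


def expand_profiles(root, template):
    """Yield concrete directories for one Table 1 path, one per user profile."""
    parts = template.split("\\")
    if "<username>" not in parts:
        yield os.path.join(root, *parts)
        return
    i = parts.index("<username>")
    profiles_dir = os.path.join(root, *parts[:i])
    if os.path.isdir(profiles_dir):
        for user in sorted(os.listdir(profiles_dir)):
            yield os.path.join(profiles_dir, user, *parts[i + 1:])


def sha256_file(path):
    """Hash the file read-only; the evidence copy is never written to."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_index_dat(root, family):
    """Return [(path, size, sha256)] for each index.dat under the Table 1 paths.
    The name match is case-insensitive because FAT/NTFS file names are."""
    found = []
    for template in LOCATIONS[family]:
        for directory in expand_profiles(root, template):
            if not os.path.isdir(directory):
                continue
            for name in sorted(os.listdir(directory)):
                if name.lower() == "index.dat":
                    path = os.path.join(directory, name)
                    found.append((path, os.path.getsize(path), sha256_file(path)))
    return found
```

Run it against the root of a read-only mounted image (or an exported profile tree) and keep the returned hashes with the case notes; the same `sha256_file` check on the working copies confirms they are unchanged.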
This research was performed to give the computer forensic community an open source,
reproducible, forensically sound, and documented method to reconstruct Internet
Explorer activity. The relevant data introduced in this paper was discovered while
analyzing the internal structures for a cache file and comparing the results to known
output generated from IE History (www.phillipsponder.com), a popular commercial tool
to reconstruct Internet Explorer activity, on the same file.