Forensic Internet History Analysis
FORENSIC INTERNET HISTORY ANALYSIS SOFTWARE
Copyright © 2004-09 Digital Detective
Written by Craig Wilson
Revision: 1.37.0.9018
Date: 02 March 2009

NetAnalysis Forensic Internet History Analysis Page 2 of 109

Table of Contents

Introduction
    Welcome to NetAnalysis

Feature List
    NetAnalysis Key Features

Understanding the User Interface
    Getting to know NetAnalysis
    The Toolbar
    Shortcut Keys
    Status Bar

Configuring NetAnalysis
    Setting properties

Identification of Suspect Computer Time Zone
    Establishing a Time Zone Basis
    Examining the Registry
    Calculating Signed Integer Bias Values
    ActiveTimeBias
    Working out when Daylight Saving or Standard Time Commences

Microsoft Internet Explorer
    History of a Web Browser

MSIE Browser Data
    Forensic Analysis of MS Internet Explorer
    Internet Explorer History List
    A More Detailed Look
    Daily INDEX.DAT Files
    Weekly INDEX.DAT Files
    Master INDEX.DAT File
    Filtering Master, Daily & Weekly
    Temporary Internet Files

Registry Artefacts
    Introduction to Registry
    SHELL Folders
    Days to Keep
    Cache Size
    Typed URLS
    Internet Explorer Start Page

MS Internet Explorer Cookies
    Introduction to Cookies
    Persistent & Session Cookies
    Cookie Transport Security
    First & Third Party Cookies
    How do cookies work?
    Forensic Analysis of Cookie Data
    Manual Decoding of Cookie Dates
    Cookie Myths & Defences
    Forensic Benefit of Cookies

MSIE Browser Forensic Analysis
    Data Extraction
    Exporting Data

Netscape Browser
    Netscape History

Netscape Browser Data
    Forensic Analysis of Netscape
    Netscape Communicator/Navigator Version 4.8
    Extraction of Netscape 4.8
    Netscape Version 6 - 8
    Netscape Browser Data Files