Computer Forensics
Dr. Randy M. Kaplan
Browser Forensics
A Source of Evidence
Critical evidence can often be found in a subject’s browsing history
Emails
Sites visited
Internet searches
Browsers
Two are dominant
IE
Mozilla (and its derivatives and variants)
IE
Activity stored in:
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5
Contains
Cached pages
Images
Two other files of interest
History without locally cached content
C:\Documents and Settings\user\History\History.IE5
Cookies
C:\Documents and Settings\user\Cookies
Index.dat
In each of these directories there is a file named index.dat
The relationship between cached web content and URLs is maintained in this file
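The URL-to-cached-file relationship described above can be read straight out of an index.dat image. The parser below is an added example, not part of the original slides. It assumes the publicly documented version 5 record layout (record length in 0x80-byte blocks at offset 4, FILETIMEs at offsets 8 and 16, URL string offset at 0x34, cached file name offset at 0x3C). The function names are hypothetical and the sample image is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80  # index.dat allocates records in 128-byte blocks
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(raw):
    """64-bit FILETIME (100 ns ticks since 1601-01-01) -> UTC datetime."""
    return EPOCH + timedelta(microseconds=raw // 10) if raw else None

def cstring(buf, start):
    """Read a NUL-terminated string from buf beginning at start."""
    end = buf.find(b"\x00", start)
    return buf[start:end if end != -1 else len(buf)].decode("ascii", "replace")

def parse_url_records(data):
    """List each URL record with the cached file name it maps to."""
    if not data.startswith(b"Client UrlCache MMF Ver "):
        raise ValueError("missing index.dat signature")
    found = []
    for off in range(BLOCK, len(data) - BLOCK + 1, BLOCK):
        if data[off:off + 4] != b"URL ":
            continue
        nblocks, modified, accessed = struct.unpack_from("<IQQ", data, off + 4)
        rec = data[off:off + nblocks * BLOCK]
        if nblocks == 0 or len(rec) < nblocks * BLOCK:
            continue  # corrupt or truncated record: skip, do not misread
        url_off, name_off = struct.unpack_from("<I4xI", rec, 0x34)
        if not 0 < url_off < len(rec):
            continue
        name = cstring(rec, name_off) if 0 < name_off < len(rec) else None
        found.append({"offset": off, "url": cstring(rec, url_off), "cached_file": name,
                      "modified": filetime(modified), "accessed": filetime(accessed)})
    return found

def build_sample():
    """Constructed image: header block, one URL record, one truncated record."""
    header = b"Client UrlCache MMF Ver 5.2\x00".ljust(BLOCK, b"\x00")
    rec = bytearray(2 * BLOCK)
    struct.pack_into("<4sIQQ", rec, 0, b"URL ", 2, 0, 128_000_000_000_000_000)
    struct.pack_into("<I4xI", rec, 0x34, 0x68, 0xA0)
    rec[0x68:0x68 + 32] = b"http://www.example.com/page.html"
    rec[0xA0:0xA0 + 11] = b"page[1].htm"
    bad = struct.pack("<4sI", b"URL ", 9).ljust(BLOCK, b"\x00")  # claims 9 blocks
    return header + bytes(rec) + bad

if __name__ == "__main__":
    for r in parse_url_records(build_sample()):
        print(r["accessed"], r["url"], "->", r["cached_file"])
```

Run it against a working copy of the file taken from a forensic image, never the original evidence. Because it scans every block boundary rather than following the file's hash table, it also reports records that are no longer referenced.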
Mozilla
Web activity maintained in a file named history.dat
File located in:
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat
C:\Documents and Settings\user\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat
Mozilla
history.dat differs from IE
Does not link web site activity to cached web pages
More difficult to reconstruct the activity
Tools
Web Historian
A tool used to reconstruct web activity
Applicable to:
IE
Mozilla
Firefox
Netscape
Safari
Opera
Downloading Web Historian
Web Historian can be downloaded from:
http://www.download.com/Red-Cliff-Web-Historian/3000-2653_4-10373157.html
Web Historian
Lots and lots of information produced by Web Historian
Web Historian
Suppose my wife wanted to know what I have been doing on the Internet
(Maybe she wants to make sure I am not spending the kid’s college fund)
What evidence in the generated file would give her the kinds of information she is looking for?
Web Historian
Scan the URL addresses
Trying Firefox
Set WH to Firefox directory
What are the results?
Very odd because this is my default browser
Web Historian
Not really clear why WH does not work with Firefox
Try alternative
Cache View
Cache View can be downloaded from:
http://progsoc.org/~timj/cv/
Cache View
Download and install
Cache View
Need to point Cache View to the proper directory
Cache View
Point to the proper directory
How To Use?
Clearly, having a record of someone’s web activities can be used to determine what they have been doing
For example, if a subject was interested in learning how to hack a particular system, then accessing web sites to learn how to do this would substantiate this theory
How To Use?
If a subject uses a web interface for email then we can tell if he accessed it and we can also see what the status of the access was at that time