Internet Artifacts
Dr. John Abraham, Professor
UTPA
Linux and Mac
• Linux and Mac artifacts are given in chapters 6 and 7
• Students are encouraged to read these chapters.
Introduction
• The bulk of user interaction now takes place through the Internet
• Application-specific artifacts created by web browsers provide important evidence
Internet Explorer (IE)
• The index.dat file is a database file.
• It is a repository of information such as web URLs, search queries and recently opened files.
• Its purpose is to enable quick access to data used by Internet Explorer.
• For example, every web address visited is stored in the index.dat file, allowing Internet Explorer to quickly find Autocomplete matches as the user types a web address.
• The index.dat file is user-specific and is open as long as a user is logged on in Windows.
• Separate index.dat files exist for the Internet Explorer history, cache, and cookies.
• The index.dat file is never resized or deleted. A large index.dat file can impair performance.
• Pasco (download) can be used to view it.
• Malware can make use of the WinInet API to infect computers. Entries are made in index.dat files for the default user or LocalService accounts.
Favorites
• A user’s favorites can provide information about the user’s movement across the Internet.
Cookies
• Cookies are saved as plain text files.
• Galleta (download) can display them in formatted form.
• The cookie will have creation time and expiration time, site name and other useful information.
Cache
• Cache is created as a result of a user’s browsing activities. Cached files are stored in the Temporary Internet Files folder.
• It will contain URL location, times and file name.
Firefox
• Mozilla’s Firefox is the second most widely used browser.
• It stores history in SQLite 3 databases in Firefox profiles.
• Files of interest: formhistory.sqlite (contains data filled out to submit forms and webmail subject lines), downloads.sqlite, cookies.sqlite and places.sqlite (the user’s browsing activity).
Firefox (2)
• Cache
• Saved session data – if Firefox is not terminated properly, a file named sessionstore.js is created. It is used to recover from a crash.
• Bookmarks and backups
Other browsers are skipped
Mail artifacts
• Personal storage table (PST)
– Use Outlook to open, or there are other tools available such as http://www.nucleustechnologies.com/pst-viewer.html
• Mbox and maildir
– Local mail storage formats used by Linux. Both formats are plaintext. Mairix is a searching utility.