SANS Digital Forensics and Incident Response Blog: Category - Browser Forensics

Facebook Memory Forensics

OK, like everyone I joined facebook just to get updates on my high school reunion. (Who knew you could also use it as a possible alibi.)

But then, after writing pdgmail and pdymail and seeing all the neat personal information in facebook...tada pdfbook! Memory parsing to grab facebook info.

Like its predecessors pdgmail and pdymail, I'm following the simple construct that memory strings are easy to get to and yield a treasure of information given today's

Is Your index.dat File LEAKing?

One of the projects that I've been working on has required me to become intimately familiar with index.dat files. These files (index.dat) are usually associated with Internet Explorer's browser history. If you've ever worked with index.dat files before, you've probably encountered the mysterious "LEAK" record. After some analysis, I think I've finally figured out what LEAK records are used for.

Essentially, a LEAK record is created when a cached URL entry is deleted (by calling DeleteUrlCacheEntry) and the cached file associated with the entry (a.k.a. "temporary internet file" or TIF) cannot be deleted.

You can easily test this on your own system:

  1. Open Internet Explorer and surf to a web page. Ideally a page with a unique and easily identifiable name (e.g.

Artifact Timeline Creation and Analysis - part 2

In the last post I talked about the tool log2timeline, and mentioned a hypothetical case that we are working on. Let's explore in further detail how we can use the tool to assist us in our analysis.

How do we go about collecting all the data that we need for the case? In this case we know that we were called to investigate only hours after the alleged policy violation, so a timeline can be a very valuable source. Therefore we decide to construct a timeline, using artifacts found on the system, to start our investigation, so that we can examine the evidence with respect to time. By doing that we get a better picture of the events that occurred, and the timeline may also lead us to other artifacts that we need to examine more closely using other tools and techniques.

To begin with you start by imaging the drive. You take an image of the C drive (first partition) and start working
Artifact Timeline Creation and Analysis - Tool Release: log2timeline

Using timeline analysis during investigations can be extremely useful, yet it sometimes misses important events that are stored inside files on the suspect system (log files, OS artifacts). By solely depending on a traditional filesystem timeline you may miss some context that is necessary to get a complete picture of what really happened. So to get "the big picture", or a complete and accurate description, we need to dig deeper and incorporate information found inside artifacts or log files into our timeline analysis. These artifacts or log files could reside on the suspect system itself or on another device, such as a firewall or a proxy (or any other device that logs information that might be relevant to the investigation).

Unfortunately there are few tools out there that can parse and produce body files from the various artifacts found on different operating systems to include with the traditional filesystem analysis. A version of mactime first appeared in The


Firefox 3 History

Analysis of browser history almost always comes up, no matter what is being investigated. And despite Firefox being one of the most popular browsers currently in use, there aren't many tools out there that can read and display its browser history (at least in a human-readable format). There are tools out there, such as f3e; however, that tool, just as others that I've found, is only distributed as an EXE running on Windows (and no source code is provided).

Traditionally Firefox stored the history file in the Mork file format, which could be easily read using any standard editor. The new version, that is version 3, which has been out for quite some time now, uses a different method of storing user history. The history file is stored in a MozStorage format, as a