October 29, 2016
Categorised in: Computer Forensic & Cyber Applications
Accessing the Internet leaves a wide variety of information on a computer including Web sites, contents viewed, and newsgroups accessed.
For instance, some Windows systems maintain a record of accounts that are used to connect to the Internet.
Additionally, some Windows systems maintain a log of when the modem was used (e.g., ModemLog.txt) and some Internet dial-up services maintain a detailed log of connections such as the AT&T/IBM Global Network Dialer “Connection Log.txt” and “Message Log.txt”
When an individual first views a Web page, the browser caches the page and associated elements such as images on disk—the creation and modification times are the same time as the page was viewed.
When the same site is accessed in the future, the cached file is accessed.
The number of times that a given page was visited is recorded in some Web browser history databases.
Look for all information related to downloaded files (e.g., in Registry, on external media, etc.) to get a better sense of how they were placed on the computer and what was done with them afterward.
Any other activities that were going on at the time the files were being placed on the computer and viewed/manipulated may give a clue as to who was performing the actions.
Firefox 3 maintains a database of Web sites visited in a SQLite file named “Places.sqlite,” and earlier versions of Firefox store this information in a database named “history.dat.”
Internet Explorer maintains similar information in files named “index.dat.” These databases can contain a wealth of information including sites accessed and search engine details. Some open source utilities have been developed to extract information from “index.dat” files and other files.
In addition to storing all of the URLs that have been accessed, Web browsers with Usenet readers keep a record of which Usenet newsgroups have been accessed.
For instance, Netscape’s newsreader stored information in a file with a “.rc” extension.
MS Internet News stores quite a bit of information about newsgroup activities in the News folder.
You will find this News folder where you installed MS Internet News (the default folder is C:/Program Files/Internet Mail and News/user/).
E-mail clients often contain messages that have been sent from and received at a given computer.
While Netscape and Eudora store e-mail in plain text files, Microsoft Outlook, Outlook Express, IBM Lotus Notes, Novell GroupWise, and America Online (AOL) use proprietary formats that require special tools to read.
Even when e-mail is stored in a non-proprietary format, it is necessary to decode MIME-encoded message attachments.
Yahoo Pager, AOL IM, and other Instant Messenger programs do not retain archives of messages by default but may be configured to log chat sessions.
Peer-to-peer file sharing programs may retain a list of hosts that were contacted or files that have been accessed but give very limited information besides this.
IRC and other online chat clients may retain more logs but only if the user saves them.
Therefore, remnants of these more transient Internet activities are more likely to be found in a swap space and other areas of the hard disk.
Therefore, the best chance of obtaining information relating to these applications is to search portions of the hard drive where data may have been stored temporarily or to monitor network traffic from the individual’s machine while these programs are in use.
An important component of any forensic examination is identifying any remote locations where digital evidence may be found.
A victim might maintain a Web site or an offender may transfer incriminating data to another computer on the Internet or a home or corporate network.
One of the most common remote storage locations is an individual’s Internet Service Provider (ISP).
In addition to storing e-mail, some ISPs give their customers storage space for Web pages and other data.
Files can be transferred to these remote systems using programs such as FTP, Secure CRT, and Secure Shell (SSH).
So, in addition to looking for information about Internet accounts in the registry as mentioned earlier, search for traces of file transfer applications.