Forensics Internet Explorer Is an application used to browse the web that majority of computer users utilize on a daily basis and the version IEEE was introduced along with windows 8 operating system. One of the many challenges for the forensic analyst is to reconstruct the web browsing habits for the subject under Investigation. In order to reconstruct this activity, one must analyze the Internal data structures of the web browser cache files for Internet Explorer.
This research was performed to give the computer forensic community an open source, reproducible, forensically sound, and commented method to reconstruct Internet Explorer activity. A forensic analyst can use the Information found in the Index-data file to reconstruct a user’s web activity. With Introduction of Internet Explorer 10, Microsoft changed the way of storing web related information. Instead of the old index. data files, Internet Explorer 10 uses an SEES database called Hebephrenic . At to maintain its web cache, history and cookies. This database contains a wealth of Information that can be of great Interest to a forensic Investigator. This thesis explores the structure of the new database, what information it contains, how it behaves in different situations, and also shows that it is possible to recover deleted database records, even when the private browsing mode has been used. The increasing number of both criminal and civil cases is developing towards relying heavily on digital evidence and Internet actively.
The ability to examine a criminals browsing history is often critical in not only high-profile criminal cases, but also in minor fraud cases. Web browser artifacts can help find offenses ranging from corporate policy violations, committed by employees of the many, to more serious crimes Like child pornography or hacking related offenses. Even If the Investigated crime Itself Isn’t a literal computer crime, the suspect may still have used a web browser to search for information related to the crime.
By retrieving the browser history, cookies, cache and downloaded files, it is possible to determine the suspect’s online activity. Kruse and Hisser define computer forensics as “the science of acquiring, retrieving, and presenting data that has been processed electronically and stored on computer media. In order to be a good forensic investigator, one also needs to understand why artifacts exist, where they are, and how they got there. That is why the focus of this thesis is about the structure of the database and Its value In a computer forensic Investigation.
The SEES database uses many different operations before writing data to the actual database file on disk. However there is even more caching handled in memory before it gets written to the . Log files. When the SEES database receives Its first operation it promptly stores this In a log buffer. These log buffers are used as a storage container In RAM for the ATA prior to the exchange to -log files on the disk. The default size for the log buffers is the same as a disk sector and the minimum amount of log buffers are 128 sectors, maximum amount being 10240 sectors approximately 5. MS. As the log buffers reaches maximum capacity, the data needs to be moved from RAM to disk and Into the log files. This mission Is carried out by the log writer. Each operation gets written to the disk from memory in a synchronous fashion and is carried out very swiftly 1 OFF failure were to happen. In order to turn the operations stored in RAM into actual data n disk the log writer uses IS buffers. The IS buffers are each 4 KGB in size and grouped together by the SEES inside RAM. The IS buffers are used to yet again cache the data before it is written to disk.
Depending on the SO used, the IS buffers used by SEES can reach different sizes, for example the Exchange 2000 Server can have it IS buffers reach a size of 900 MOB. Many forensic examiners who are faced with a system running Windows 7 would probably follow protocol and shut down the system by pulling the power cord instead of doing a clean shutdown as you would with a system running server applications. This could pose a problem since you would end up with data from the many SEES databases in Windows in log files and RAM.
However, the risk of losing important data is very small due to the crash recovery system built into SEES. II used to keep track of cached files on the system in index files called index. data. The old index. data files, which were used in Internet Explorer 1 through 9 to cache entries, were cross-process memory-mapped index files. These index files were designed for optimal performance for the most common computers of the early-mid sass. For instance, the data structure that was used in the index file as designed to fit on the on-chip cache of a 486 processor.
Because of this, the old cache index code was no longer very efficient, especially compared to operations that proper databases are good at, like running multi-condition queries. The decision to move the old cache index to a proper database helped simplify the code, improved performance and enhanced both durability and reliability of the caching process. Segments. Exe is a command-line tool built into Windows which provides database utilities for SEES and can be used to view metadata or recover an SEES database to a lean shutdown model.
Examining the Hebephrenic . data is a huge task, as apparently empty database may consist of many thousand pages. There is a vast amount of timestamps and entries, and in this section we will try to cover the most basic entries that may be of value for a forensic examiner. The SEES database stores its data in a little-Indian byte order. Little-Indian stores its values with the smallest byte first. This is important to keep in mind when reading values from the hex editor, since the data might be displayed different from how the database itself reads its data.