IE

IE (version 9 and below) uses a file called index.dat; this is a database file used to improve the overall performance of IE by indexing various contents (e.g., store all the URLs you have visited using IE in addition to search queries, cookies, and recently opened files) in one place to offer a more customized experience for the user. For example, when a user wants to access a previously visited web page, IE can autocomplete the web address as the user types it in the browser address bar by retrieving browsing history from a particular index.dat file.

Other locations of index.dat files in various Windows versions can be found at www.milincorporated.com/a2_index.dat.html .

Microsoft Edge Web Browser

Microsoft Edge (code name Spartan) is the replacement of the IE browser and the default browser for Windows 10. This is a lightweight web browser that integrates with the Cortana feature available in Windows 10, allowing a user to complete many tasks (e.g., open web pages, conduct online searches) using voice commands only.

From a forensics perspective, we can expect more users to use Microsoft Edge instead of IE, so knowing where this browser stores its data is essential for our forensics work.

We can use the ESEDatabaseView from Nirsoft ( www.nirsoft.net/utils/ese_database_view.html ) to display data within the Spartan.edb database (see Figure 8-2).

Further analysis of Edge artifacts can reveal valuable forensics information; as we already saw, the valuable information is located in the Edge databases named spartan.edb and WebCacheV01.dat and in various locations inside its main folder, located at:Users<UserName>AppDataLocalPackagesMicrosoft.MicrosoftEdge_*****

Firefox

In the search box, your Firefox profile will appear in the search result as a folder; click to access it.

What we care about in our forensic search are the files surrounded with squares, as shown in Figure 8-3. We’ll describe each one briefly and suggest tools to automate our search:

History

Google Chrome store user browsing history, downloads, keywords, and search terms in the “History” database file are located under the Chrome user’s profile. This file can be examined using DB Browser for SQLite (see Figure 8-7). Note that there are 12 tables in this file and 11 indices.

To know when a particular file has been downloaded in addition to much information related to download history, go to the “Downloads” table under the “Browse Data” tab (see Figure 8-8). The DB Browser for SQLite displays time information using Google Chrome values stamps (also known as the Webkit format, which points to the number of microseconds passed since 00:00:00 UTC of Jan 1, 1601). To convert it into a readable form, use the DCode tool.

Nirsoft offers a tool to reveal Chrome history; it is called ChromeHistoryView ( www.nirsoft.net/utils/chrome_history_view.html ). This tool reads the “History” file of the Google Chrome web browser.

Cookies

Google Chrome stores cookies information in the “Cookies” file located under the Chrome user’s profile; we can view “Cookies” file contents using DB Browser for SQLite, as we did with the “History” file before, to show detailed information about saved Chrome cookies (see Figure 8-9).

Top Sites

This database file stores top web sites visited by Google Chrome. It holds two tables, meta and thumbnails, and the information is stored in the thumbnail table.

Shortcuts

This database is responsible for supporting the autocomplete feature of Google Chrome when typing (e.g., a search keyword in the address bar and in web forms). It contains two tables: meta and omni_box_shortcuts. The second table holds the autocomplete text and URLs.

Login Data

This database file holds three tables: login, meta, and stats. The “login” table holds usernames and passwords (sometimes encrypted), in addition to other related attributes, for various web sites.

A portable tool by Nirsoft can reveal all usernames and passwords (in clear text) stored by the Google Chrome Web browser. It’s called ChromePass (see Figure 8-10) and can be downloaded from www.nirsoft.net/utils/chromepass.html .

Web Data

This function stores the login credentials of users (without passwords, as Chrome moved the login passwords to another file “Login Data” in newer Google Chrome versions), so when a user fills in a login form next time, searches keywords, and so on, Google Chrome will offer its autocomplete suggestions while typing.

Bookmarks

A browser bookmark (also known as a “favorite”) is a URL that points to a web site address stored by a user for later retrieval. The “Bookmarks database” file in Google Chrome holds a user’s current bookmarks. To view the contents of this file, we can open it using Windows Notepad. To check the date/time when a particular bookmark was added to Chrome, we need to convert the associated "date_added" value into a readable format; we can use the DCode tool as we did many times before (see Figure 8-11).

Bookmarks.bak

This database file holds recent backups of the Chrome bookmarks; please note that this file will get overwritten periodically, each time Google Chrome launches. The forensic value of this file is that if a suspect deletes a particular bookmark(s) before closing his/her Chrome browser, we can find the deleted bookmark(s) here in this file (we should not launch Google Chrome till we have a copy of this file in a safe location to avoid overwriting it as we have already described).

Cache Folder

This folder holds frequently accessed static contents like images and parts of HTML files, so the next time a user visits the same web site, the browser loads it faster because it loads parts of contents from a local cache folder instead of downloading it again from the origin server housing the web site.

We can automate the extraction process of Google Chrome cache by using a tool from Nirsoft called ChromeCacheView ( www.nirsoft.net/utils/chrome_cache_view.html ). This tool reads the contents of the cache folder (see Figure 8-12) of the Google Chrome web browser, which is located in

Users<UserName>AppDataLocalGoogleChromeUser DatadefaultCache.

As we saw, Google Chrome stores quite a lot of personal information about its user. Investigating all these artifacts can help examiners to draw a complete timeline of a user’s activities online in addition to understanding his/her intentions or interests by analyzing browsing history.

To conclude the last section of web browser forensics, we are going to give additional tools that can prove useful for digital examiners when investigating the three most widely used web browsers mentioned in this section.

Steps in E-mail Communications

To demonstrate how e-mail delivery works (see Figure 8-14), let us give this simple example:

1. 1.

   Susan composes an e-mail ([email protected]) using her computer for Nihad ([email protected]); the message needs to be sent to her sending SMTP server (smtp.​apress.​org) using the SMTP protocol.

    
2. 2.

   The sending server performs a lookup to find the mail exchange record of the receiving server (darknessgate.​com) through DNS protocol on DNS mx.​darknessgate.​com for the domain darknessgate.​com.

    
3. 3.

   The DNS server responds and gives the mail exchange server mx.​darknessgate.​com for the domain darknessgate.​com.

    
4. 4.

   Now, the sending server will establish an SMTP connection with the receiving server and send the e-mail to Nihad’s mailbox on the receiving server.

    
5. 5.

   The receiving server will receive the incoming e-mail and store it in Nihad’s mailbox.

    
6. 6.

   Nihad can either download the e-mail message from his mailbox on the receiving sever into his e-mail client (e.g., Mozilla Thunderbird) on local machine using POP3 or IMAP protocols or he can use webmail (through a web browser) to read the e-mail directly on the receiving server.

    

List of E-mail Protocols

E-mail Header Examination

When examining e-mails for forensic information, (e.g., to see where the e-mail come from), the needed information is already stored within it, specifically in the e-mail header section. An E-mail header stores a wealth of forensically useful information about an e-mail under investigation, like the path it took over the Internet to arrive, stop points/delays made during e-mail delivery, and the IP address of the machine that sent this e-mail, in addition to the client (e.g., e-mail program) who sent this e-mail and the type of OS used (in some cases).

Please note that most of the information (including the technical information) in the e-mail header can be forged! Tech-savvy criminals can conceal the origin of their e-mails and even make it similar to an original e-mail that they are trying to reproduce (e.g., phishing e-mails); however, the role of a forensic examiner is to gather the information in the e-mail header and examine it thoroughly, as it can lead to something useful for solving the case at hand.

Reveal Full E-mail Header Information

Before we begin examining the e-mail header, let us give some examples of how to view e-mail headers using popular webmail services (Gmail and Microsoft Outlook mail) and e-mail clients (Thunderbird and MS Outlook).

View Full Gmail Headers

To display Gmail headers, follow these steps:

1. 1.

   Access the target Gmail account using your preferred browser

    
2. 2.

   Open the e-mail whose header you want to view

    
3. 3.
   Next to Reply, click the down arrow (see Figure 8-15)

   

    
4. 4.

   Click “Show original”

    

View E-mail Header Using Outlook Mail

To display Outlook web mail header , follow these steps:

1. 1.

   Access Outlook mail account using your preferred browser

    
2. 2.

   Open the e-mail whose header you want to view

    
3. 3.

   Next to Reply, click the down arrow in the top right-hand corner of the e-mail

    
4. 4.

   Click “View message source” (see Figure 8-16)

    

View Full E-mail Headers in Mozilla Thunderbird

To display e-mail headers using the Mozilla Thunderbird e-mail client , follow these steps:

1. 1.

   Open Thunderbird, then open the message whose header you want to investigate in a new window by double-clicking over it.

    
2. 2.

   Got to View ➤ Headers ➤ All.

    
3. 3.

   Another option to view the header is to open the message in a new window, and then go to the “More” button on the top right message window and select “View Source” (see Figure 8-17).

    

View Full E-mail Header in Outlook Mail Client

To display a full e-mail header using Microsoft Outlook mail client , follow these steps:

1. 1.

   Open MS Outlook and go to the e-mail whose header information you want to view. Double-click this e-mail to open it in a new window.

    
2. 2.

   Click File ➤ Properties; the header info is located in the “Internet headers” box (see Figure 8-18).

    

Analyzing E-mail Headers

Now that we know how to reveal an e-mail header, we can begin analyzing it. Keep in mind that the preferred method to read an e-mail header is from bottom to top. Figure 8-19 is a sample e-mail header from a message received using Gmail service.

In Figure 8-19, The number [1] points to Message-ID; this is a unique number assigned by the sending e-mail server. The number [2] points to the e-mail address of the sender (this can also be false, as anyone can adjust the sender’s “e-mail address” from his/her end). Number [3] points to the originating IP address (IP address of the sender); keep in mind that this IP address can be forged or spoofed. Expect to see more than one “Received” line. However, always read the e-mail header from bottom to top; this makes the first “Received” line highly probably point to the sender itself. Number [4] is the recipient IP address. Number [5] is the e-mail address of the recipient.

Lines starting with “X” in the e-mail header are comments written by the sending software (e.g., e-mail clients), by the SMTP servers, and even by the antivirus/spam servers found along the path the e-mail traveled.

E-mail Headers

When an e-mail travels through the Internet, each mail server the e-mail passes through will add a piece of information to the header, so the preceding e-mail header screen capture can contain more information like e-mail client and OS used to send the message. See Figure 8-20 for a partial e-mail header sent from Mozilla Thunderbird e-mail client using a Windows 10 machine.

Analyzing e-mail headers manually can be a daunting task for beginners, but many tools and online services are available to extract useful information from e-mail headers automatically. Let us begin with a simple online tool developed by Google named “Message header” ( https://toolbox.googleapps.com/apps/messageheader ).

To use this tool:

1. 1.

   Copy the target e-mail header as we did previously.

    
2. 2.

   Paste the contents into the box “Paste email header here”.

    
3. 3.

   Finally, click “Analyze the header above”.

    

The tool will analyze the supplied message header and show (in addition to who sent the message) the names of all attachments and the path the message took to reach from sender to receiver (see Figure 8-21) in addition to any delay that may have happened during delivery.

There are various tools to analyze e-mail headers. The following are some popular one:

E-mail Header Analyzer ( https://mxtoolbox.com/EmailHeaders.aspx )

This is an online tool for parsing e-mail headers, making them human readable. To use this tool, just go to the web site and paste the target e-mail header info. The result will show—among other info—the path this e-mail took over the Internet in addition to any delays that may have happened.

eMailTrackerPro ( www.emailtrackerpro.com )

This is a commercial tool (it offers a 15-day fully functional trial version) for tracking e-mails using e-mail headers. To use this tool to track a particular e-mail header, do the following:

1. 1.

   Go to the tool web site, and download and install the tool as you do with any Windows app.

    
2. 2.
   Launch the program and click the “Trace Headers” button in the main tool window (see Figure 8-22).

   

    
3. 3.

   A new window appears, in which you can paste the target e-mail header and press the “Trace” button to begin tracing.

    
4. 4.

   When tracing finish, click the “My Trace Reports” button in the main program window to show a detailed tracing report (see Figure 8-23).

    

From Figure 8-23 we note the following:

1. 1.

   Sender originating IP address: keep in mind that this address can be internal (private IP address) or simply a fake/spoofed IP address.

    
2. 2.

   Information about the network responsible for sending this e-mail.

    
3. 3.

   Sender e-mail address.

    
4. 4.

   Internet route that the target e-mail follows to reach its final destination .

    

Determining a Sender’s Geographic Location

As we have seen, the sender’s IP address can be extracted from the e-mail header (go to the line that begins with “Received: from” beginning from the bottom header); then we can use this IP address to determine the geographical location of the sender. There are already many online services that can be used to map IP addresses to geographical locations like Wolfram Alpha ( www.wolframalpha.com ) or Ipfingerprints ( www.ipfingerprints.com ) (see Figure 8-24).

To find more information about any IP address or domain name, check these free services:

1. 1.

   IPverse ( http://ipverse.net ): This shows the IPv4 and IPv6 address block lists by country code.

    
2. 2.

   IP2Location ( www.ip2location.com/demo.aspx ): This is a free IP location service.

    
3. 3.

   DB-IP ( https://db-ip.com ): This shows the IP geolocation and network intelligence.

    
4. 4.

   IPINTEL ( https://ipintel.io ): This shows the IP address on a map and shows the ISP.

    
5. 5.

   IP Location ( www.iplocation.net ): This shows IP geolocation data.

    
6. 6.

   UTrace ( http://en.utrace.de ): Locate IP address and domain names.

    
7. 7.

   Onyphe ( www.onyphe.io ): This is a search engine for open source and cyberthreat intelligence data. You can use it to find more info about any IP address.

    
8. 8.

   IP to ASN ( https://iptoasn.com ): This shows the IP address to the ASN database; updated hourly.

    
9. 9.

   Reverse DNS Lookup ( https://hackertarget.com/reverse-dns-lookup ): This shows reverse DNS entries for a target IP address.

    
10. 10.

    Reverse IP lookup ( https://dnslytics.com/reverse-ip ): Find domains sharing the same IP address or subnet.

     
11. 11.

    Same IP ( www.sameip.org ): This shows sites hosted on the same IP address.

     
12. 12.

    IP Address Tools ( www.ipvoid.com ): Offers various IP address online tools.

     
13. 13.

    ExoneraTor ( https://exonerator.torproject.org ): Here you can check whether a particular IP address was used as a Tor relay before.

     

Determine Sender Geographic Location Using Sender’s Time Zone

In some cases, the sender IP address can be missed or not included in the message header. This is true when the sender uses a webmail service like Gmail to send e-mails. In this case, we can determine the sender’s location by checking the sender’s computer time zone information. To learn this piece of information, we can use https://toolbox.googleapps.com/apps/messageheader/ (already used) and check the “Created at:” field (see Figure 8-25).

Investigating E-mail Clients

Many users rely on e-mail clients to send/receive e-mails; for instance, the most two popular e-mail programs are MS Outlook and Mozilla Thunderbird.

Autopsy has a default ingest module to investigate e-mail messages (Thunderbird and Outlook e-mail clients) found within the supplied data source (e.g., forensic image or e-mail client folder when performing analysis of logical files).

Thunderbird is a free, open source e-mail client by Mozilla; it stores its e-mails and attachments using the MBOX extension. Thunderbird files can be found at

Users<UserName>AppDataRoamingThunderbirdProfiles.

The following steps will guide you on how to use Autopsy for investigating e-mail messages stored by the Thunderbird e-mail client :

1. 1.

   We already covered how to create a new case using Autopsy; in this experiment, we will create a case as we did previously. However, we will change the data source to include only the Thunderbird profile folder instead of a whole hard drive image as we did previously.

    
2. 2.
   We will not demonstrate all steps of creating a new case from the beginning, so begin the wizard, and when you reach the “Add Data Source” window, select “Logical Files” (see Figure 8-26) and then click “Next” to continue.

   

    
3. 3.
   Now, click the “Add” button to select the Thunderbird profile folder; make sure the option “Local files and folders” is selected (see Figure 8-27). Click “Next” to continue.

   

    
4. 4.
   Now, you need to configure the ingest modules; for instance, we are concerned with e-mail forensics only, so we will select two ingest modules only: Email Parse and Keyword Search (see Figure 8-28). Click “Next” to continue.

   

    
5. 5.

   The final window in the wizard appears, announcing that the data source has been added successfully. Click “Finish” to continue.

    

Now, Autopsy will begin analyzing files; this takes some time to finish. When Autopsy finishes processing the supplied data source, we can see collected e-mail messages in the “Data Explorer” pane on the left side of the window under the “Email messages” section (see Figure 8-29).