I've finally finished the first draft of my thesis. I now have a week and a few days to edit and finish it, which is plenty of time since I'm fairly happy with it as it stands.
Some index.dat files record not only websites visited, but also the files on the computer (and any other devices) which have been opened. This gives an accurate account of what files have been viewed and possibly edited. Using the registry, any files accessed that are not on the C: drive can be linked to a USB stick / DVD / CD etc.
I've nearly finished Webscavator, my visualisation application for the forensic analysis of user web history! The next series of blog posts will describe some of the visualisations I've used and how to code them. They are all written in server-side Python and client-side JavaScript using jQuery. First on the list are heatmaps. These visualisations show the data using colour: for example, low values go blue and higher values go red, like a temperature scale. Some examples can be found at heatmapapi.com, the Google Visualization API and GraphUp. I found the Google Visualization API too limiting to work with for this particular visualisation, and GraphUp is not free or open source, so I made my own, described below.
Internet Explorer stores files downloaded from the internet in a cache called Temporary Internet Files (e.g. html pages, images, CSS files). Each cached file is assigned an alphanumeric cache name. Some index.dat files serve to map the cached name with the filename and URL it came from. Other index.dat files store the user’s cookies or web browser history (by default 20 days’ worth). index.dat files are in binary format, and need to be viewed using a hex editor.
Out of all the popular browsers, Opera leaves behind the least amount of useful information for investigators. Although the data is stored in plain text format, Opera does not record every visit to a URL, only the latest one. Therefore it is impossible to tell how often someone has visited a particular website. Even when viewing web history from within the browser, only the latest entries are shown, giving a false impression of the actual history. For example, if someone went to exactly the same websites two days in a row, the first day would have no history associated with it, since each entry would be overwritten by the latest visit.
Safari has a very simple method of storing browser history compared to those that use SQLite databases.
In 2008 Google released most of Chrome’s source code as a project called Chromium under a BSD license. Chromium is essentially the same browser as Chrome, but lacks built-in automatic updates and Google branding [Chromium Developer Website].
Firefox version 3 (first released in 2008) employs a different system of storing browser history than its predecessor, Firefox 2. Since only 2.75% of Firefox users still use version 2 or earlier, only Firefox version 3 will be explored here, and it will hence just be known as Firefox.
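Firefox 3 keeps that history in SQLite, with one row per visit, so the daily visit counts that Opera cannot provide fall out of a simple join. The following is an added example, not code from the blog or from Webscavator; it assumes a places.sqlite-style layout with `moz_places` and `moz_historyvisits` tables and `visit_date` stored as microseconds since the Unix epoch, and uses a constructed in-memory database in place of a real profile.

```python
"""Count web-history visits per day from a places.sqlite-style database.

Added example, not from the original blog or Webscavator. Assumptions:
the tables follow the moz_places / moz_historyvisits layout of Firefox 3
(only the columns used here are modelled) and visit_date is microseconds
since the Unix epoch. Against a real profile you would connect() to a
copy of places.sqlite instead of calling build_sample_db().
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                visit_date INTEGER, visit_type INTEGER);
"""

# Constructed sample rows: two sites, the first visited on two days.
SAMPLE_PLACES = [(1, "http://example.com/", "Example"),
                 (2, "http://example.org/news", "News")]
SAMPLE_VISITS = [(1, 1, 1259971200000000, 1),   # 2009-12-05 00:00:00 UTC
                 (2, 2, 1259974800000000, 1),   # 2009-12-05 01:00:00 UTC
                 (3, 1, 1260057600000000, 1)]   # 2009-12-06 00:00:00 UTC

def build_sample_db():
    """In-memory database standing in for a profile's places.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?)", SAMPLE_PLACES)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)",
                     SAMPLE_VISITS)
    return conn

def visits_per_day(conn):
    """Return {'YYYY-MM-DD': visit count}. Every visit is its own row, so a
    site visited on two days is counted on both, unlike Opera's history."""
    rows = conn.execute(
        "SELECT p.url, v.visit_date FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date")
    counts = {}
    for _url, prtime in rows:
        # PRTime is microseconds; convert to a UTC calendar day.
        day = datetime.fromtimestamp(prtime / 1_000_000, timezone.utc)
        key = day.date().isoformat()
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(visits_per_day(build_sample_db()))
```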
So I started my thesis 'officially' yesterday, after being told we were all allowed to proceed to the master's following the exam board meeting. No actual results posted up yet, but hopefully I did well!
Two weeks ago I mentioned I was writing an essay on the Open Computer Forensics Architecture (OCFA). I gave up trying to get OCFA to work in the end as it was just a total pain. The documentation is awful, and the error messages it spews out are not useful. Steven spent a few hours looking at their source code to figure out why it kept segfaulting, but it wasn't worth it. I chose to do my essay on file encryption and full disk encryption (FDE) and the effect of these on digital forensics. You can read all 5000 words if you are interested.
Great little tool on FirefoxForensics to do the same sort of thing as with IE. Firefox stores its cache of URLs etc. in SQLite databases, which can be found in this folder:
For one of my labs this week we had to browse a few websites using IE and then, using an Internet Explorer analysis tool, find out as much info as possible about what we looked at. IE logs all browser activity in index.dat files. The data stored includes the URL, the date and time of last modification and access, and the user.
Steganography is the art of hiding something in something else in plain sight. Usually images or text are hidden within other images or sound files. For example, in the image below of trees there is an image of a cat hidden inside it. Wikipedia explains that for each component of each RGB value, if you take just the last 2 bits of it and then turn the brightness up 85%, you get a picture of the cat. The whole point is so the image of the trees looks identical to an image of the trees without an image hidden inside to the human eye.
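The two-low-bits trick described above, as an added example that is not part of the original post: pixels are plain (r, g, b) tuples rather than a real image file, and the cover and secret images are constructed 2x2 samples. `hide_lsb2` shows why the cover looks unchanged (each channel moves by at most 3), and `reveal_lsb2` is the extraction step an analyst would run to check for a hidden picture.

```python
"""Embed and reveal a 2-bit-per-channel LSB payload in RGB pixel data.

Added example, not from the original post. Pixels are (r, g, b) tuples
so it runs without an image library; with Pillow you would feed in
list(img.getdata()) and write the result back to a new image.
"""

def hide_lsb2(cover, secret):
    """Store `secret` in the two low bits of each channel of `cover`.

    Both are equal-length lists of (r, g, b) tuples. Each secret channel
    is quantised to two bits (value // 85), so only a coarse 4-level
    version of the hidden picture is kept.
    """
    out = []
    for cpx, spx in zip(cover, secret):
        out.append(tuple((c & 0xFC) | (s // 85) for c, s in zip(cpx, spx)))
    return out

def reveal_lsb2(pixels):
    """Keep only the two low bits of every channel and rescale them.

    A 2-bit value is 0..3; multiplying by 85 spreads it over 0..255,
    which is the 'turn the brightness up' step the post refers to.
    """
    return [tuple((c & 0x03) * 85 for c in px) for px in pixels]

def max_channel_delta(a, b):
    """Largest per-channel difference between two pixel lists. With two
    bits overwritten it can never exceed 3, which is why the cover image
    looks identical to the eye."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))

# Constructed sample data: a 2x2 "trees" cover and a 2x2 "cat" secret.
# Secret values are multiples of 85 so the round trip is exact.
COVER = [(120, 200, 90), (121, 199, 91), (118, 202, 88), (122, 198, 92)]
SECRET = [(255, 255, 255), (0, 0, 0), (170, 85, 0), (85, 170, 255)]

if __name__ == "__main__":
    stego = hide_lsb2(COVER, SECRET)
    print("cover changed by at most", max_channel_delta(COVER, stego))
    print("recovered:", reveal_lsb2(stego))
```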
Most Windows XP users aren't aware of the Thumbs.db file that sits in every folder containing at least one image, because it is a hidden file that by default is not shown. By going to any folder in Explorer, choosing Tools > Folder Options > View and selecting 'Show hidden files and folders', Thumbs.db files suddenly appear everywhere.