lowmanio.co.uk title image

Internet Explorer usage

Mon, 16 Nov 2009 02:47PM

Category: Digital Forensics & Malware

Written by Sarah | With 3 comments

For one of my labs this week we had to browse a few websites using IE and then using an Internet Explorer analysis tool find out as much info as possible about what we looked at. IE logs all browser activity in index.dat files. The data stored includes the URL, data and time of last modification and access and the user.

These are hidden in all sorts of places, but there are three important ones which can be found at these three addresses:

C:\Documents and Settings\[username]\Local Settings\History\History.IE5\index.dat

C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files\Content.IE5\index.dat

C:\Documents and Settings\[username]\Cookies\index.dat

The first two are difficult to access via the Windows Explorer GUI even with hidden files and system files made visible. I used the command line, which tried to fool me by telling me there were no directories inside History. Lies! Windows Explorer treats the history folder like the browser does, and lets you browse the history rather than actually showing the files and folders there. There are lots of other index.dat files inside History.IE5\MSHist[18digits] for different time periods. Start typing the directory and press tab; it’ll still find the directory even though it assures me it doesn’t exist.

There are loads of index.dat file analysers out there, but as our lecturer said, fancy GUI or not, they all boil down to outputting a list of URLs with dates and times. Pasco is the one we used, which can be downloaded here (Requires Linux/Cygwin). Very simple to use:

Pasco index.dat > results.csv

Then you can use your favourite spreadsheet to have a look. Uses for this kind of thing include proving a suspect was at home and browsing the web at the time of an incident giving an alibi, or vice versa proving they were online committing fraud / downloading something dodgy.

What I find though is that lists of URLs doesn’t help much with getting the overall feel of the users internet usage. You can sort by columns, but still I find the long lists rather visually lacking. Pretty much all the forensic tools I’ve seen so far are command line and output text files, or have a very basic GUI. You still need to process these files afterwards with egrep etc. Encase, from what I’ve seen, doesn’t visualize the data very well either. I think I’ve found an area I’d really enjoy working in because I love GUIs and HCI so much, and forensics is so interesting. And no one has come up with decent tools yet!!!

I wanted to make a quick visual graph of my IE usage in September of this year. I don’t use it as my main browser, but do use it occasionally for website testing and when Windows forces me to use it. It was quite complicated to get the data into a nice format (especially because Excel decided the dates were American style, but wanted to display them UK style), but here is the graph! Click to make bigger.

IE usage graph

Tagged with: IE, visualisation


I think the worst part of this is that it implies that, even if it's sporadic, you have used internet explorer.  You can make your excuses, but it makes you a bad person.

The issue I took with info from our lab is to do with the index.dat files that related to IE, but IE specifically (so IETldCahce and IECompatCache really, since PrivacIE is quite sensible).  Given the very minimal level of information about what these index.dat's actually are, I want to know what the firefox/chrome/opera/safari equivalents are.  IE might still be the most common browser these days, but it's not safe to assume that anyone involved in computer crime isn't tech literate.  In fact, I'd hazard to guess that most of them aren't, but maybe I overestimate the mental abilities of a nonce.  Haha, I love that word.
Mon, 16 Nov 2009 04:20PM
Your graph looks nice. How thid you manage this?
Tue, 23 Mar 2010 02:25PM
Hi Hans,

Once you have the CSV file you can load it into Excel. You'll need to format the date column into two new columns - date and time. Then I just plotted one against the other.

It takes a bit of fiddling because Excel might read the date as American, but there's a way to tell it to use UK date's instead. Also, Excel has a limit to the number of datapoints it allows on a 2D graph - so if you have huge index.dat file you might have to draw lots of graphs on top of each other and colour them the same so it looks like the same graph. 
Wed, 24 Mar 2010 05:41PM

Add a comment