Browser Cache or How Your Fault Was Proven
You have probably heard more than once the stories about how law enforcement officers break into the apartment of yet another failed hacker, carry out the arrest, bring in witnesses, draw up a protocol, seal everything up and take the hacker's workstation away for examination. Many even ridicule the competence of the staff of Directorate "K", citing as their only evidence the fact that, along with the system unit, the police officers often take away the keyboard and monitor as well. The answer to this is that the equipment is seized by ordinary police officers who often know little about computers and who, as a rule, have a pile of unsolved cases on top of taking the hacker's computer to the department for examination, so there is no reason to be ceremonious with any of the hardware. The Russian mentality applies: "We'll take everything, and they'll figure it out." Everyone has heard about this part of the process, but not everyone knows what happens next, during the examination by that same "incompetent" specialist. This article looks at one of the ways an expert extracts the necessary information, which may later be attached to a criminal case and used against the hacker in court.
At 8:25 a.m. on August 5, 2005, M. Krasnokutsky, an employee of the design department of Volgo-Stroy, the biggest construction company in Volgograd, had just finished his design of a new nine-storey building in the center of Volgograd and decided to upload all the data to the information server provided by Volgo-Host. But he couldn't: the error message read "The free space limit has been reached. Please contact your system administrator", which Krasnokutsky did, immediately calling D. Ivanov, who worked as a system administrator at Volgo-Host. To Krasnokutsky's surprise, the system administrator was not there; the answering machine in his office beeped: "Gone to Turkey on vacation. Will be back in two weeks." An inquiry about the lack of free space was sent to Volgo-Host, and the company director was later horrified to learn that the server folder of their system administrator contained over 300 GB of music, recently released movies and programs, as well as child pornography. The company was charged with illegal possession of pirated products and a criminal case was opened. The investigation was referred to one of the offices of the "N" department.
Any investigation begins with "getting to know" the suspects. In our case, the main suspect is Ivanov, Volgo-Stroy's system administrator. The expert will have to establish his social circle, occupation and interests. Often the starting point of an investigation is the environment where the suspect spends most of his time, and for us that is the Internet itself. When examining the suspect's Internet activity, the expert first examines the history and cache of the browsers. Internet Explorer (IE) and Mozilla Firefox (FF) were installed on Ivanov's machine. The expert decided to start the investigation with IE.
Microsoft's Internet Explorer (IE)
This browser is installed by default on all Windows systems. IE caches by default: it saves the web pages you view to your hard drive so that they do not have to be reloaded. The cache is stored separately for each user profile, at: C:\Documents and Settings\ivanov\Local Settings\Temporary Internet Files\Content.IE5. Inside the directory Content.IE5 there are additional folders with "random" generated names, which store the content fetched from one web resource or another. In addition to the cache, there are two more repositories of information about user activity. The first is History, where the URL and the date of each visit are stored. History is kept in: C:\Documents and Settings\ivanov\Local Settings\History\History.IE5. The browser also stores the cookies set during browsing, which contain additional information: C:\Documents and Settings\ivanov\Cookies. An expert examiner will check all three directories, but it is usually the cache storage that holds the most valuable information. Inside the directory Content.IE5 there is the file index.dat, which contains the information we are interested in. After decoding it we will be able to look through the same pages as Ivanov, and on that basis form a first idea of the suspect. The index.dat file is encrypted using a special algorithm developed by Microsoft.
Mozilla FireFox (FF)
The second browser installed on Ivanov's system was Mozilla Firefox. Like IE, it also stores information about the user's Internet activity. It is worth noting that FF uses its own algorithm for caching pages. The directory in which the information we are interested in is stored: C:\Documents and Settings\Application Data\Mozilla\FireFox\Profiles\Cache. For both browsers, reconstructing the cached files is the expert's main task. For this purpose there are several programs that analyze the index.dat and history.dat files and extract the maximum of useful information from them. When the reconstruction of the web pages is complete, the expert begins to analyze the information he has extracted.
Reconstruction and subsequent analysis
To reconstruct cached files, you can use the Web Historian or FTK utilities. The main feature of these programs is that they support the following browsers: Internet Explorer, Mozilla Firefox, Netscape and Opera, and they can produce a report as a text file as well as in HTML. Once the final report is received, the most interesting part starts. The expert now has the difficult task of filtering the whole heap of pages and examining those that are directly related to the case.
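The reconstruction tools above work by decoding the index.dat file described in the IE section. As an added illustration (not code from the original article or from any of the tools it names), here is a minimal Python carver for the "URL " records of an MSIE 5.x index.dat: it scans every 128-byte block boundary instead of following the hash table, pulls the last-access FILETIME, the URL and the cached filename from each record, and returns them as a timeline. The record offsets follow the commonly documented MSIE 5.x layout and should be verified against a real sample; the sample file and the names (ivanov, example.com) are constructed test data.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK = 0x80  # index.dat allocates its records in 128-byte blocks

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def cstring(buf, off):
    end = buf.find(b"\x00", off)              # NUL-terminated string at buf[off:]
    return buf[off:end if end >= 0 else None].decode("latin-1")

def carve_url_records(data):
    """Decode every 'URL ' record in index.dat bytes into (last_access, url, cached_filename).
    Field offsets follow the MSIE 5.x URL record layout (assumption: verify on a real sample)."""
    out = []
    for off in range(0, len(data), BLOCK):
        if data[off:off + 4] != b"URL ":
            continue                          # HASH/REDR/LEAK and free blocks are skipped
        nblocks = struct.unpack_from("<I", data, off + 4)[0]
        rec = data[off:off + nblocks * BLOCK]
        if nblocks == 0 or len(rec) < 0x40:
            continue                          # truncated or damaged record
        last_access = struct.unpack_from("<Q", rec, 0x10)[0]
        url_off, _, fname_off = struct.unpack_from("<III", rec, 0x34)   # 0x38: dir index
        fname = cstring(rec, fname_off) if fname_off else ""
        out.append((filetime_to_dt(last_access), cstring(rec, url_off), fname))
    return sorted(out)                        # oldest first: a ready browsing timeline

def build_url_record(url, fname, when):
    """Constructed test record (synthetic data, not a capture from a real system)."""
    url_b, fname_b = url.encode() + b"\x00", fname.encode() + b"\x00"
    url_off, fname_off = 0x68, 0x68 + len(url_b)   # strings follow the fixed header
    nblocks = -(-(fname_off + len(fname_b)) // BLOCK)
    rec = bytearray(nblocks * BLOCK)
    struct.pack_into("<4sI", rec, 0, b"URL ", nblocks)
    struct.pack_into("<Q", rec, 0x10, ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10)
    struct.pack_into("<III", rec, 0x34, url_off, 0, fname_off)
    rec[url_off:fname_off + len(fname_b)] = url_b + fname_b
    return bytes(rec)

SAMPLE_INDEX_DAT = (                          # constructed: header block + two records
    b"Client UrlCache MMF Ver 5.2\x00".ljust(BLOCK, b"\x00")
    + build_url_record("http://www.example.com/warez/list.html", "list[1].htm",
                       datetime(2005, 8, 3, 21, 14, 5, tzinfo=timezone.utc))
    + build_url_record("Visited: ivanov@http://www.example.com/warez/", "",
                       datetime(2005, 8, 3, 21, 14, 0, tzinfo=timezone.utc))
)
```

Calling carve_url_records(SAMPLE_INDEX_DAT) returns the two records oldest first; the "Visited: user@url" form is what History.IE5 records look like, while the cache record carries the name of the file inside one of the Content.IE5 subfolders.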
Analysis of cache reconstruction data in IE
Analysis of cache reconstruction data in FF
Use of information obtained in further investigation
The next day, all the employees at Volgo-Stroy's office were interviewed and, based on their answers, it was established that Dmitry was a student who had taken a job with the company not long before Ivanov's leave. Dmitry's place of residence was established. When compiling his report, the investigator took into account all the information obtained from Ivanov's computer. The analysis of his hard drive and a detailed study of the cache, browser history, ICQ logs, deleted files and additional information confirmed his involvement in the crime and established his membership of the madwarez.com group, which used the Volgo-Stroy server as a repository of illegal information. To gain access to it, the hackers had to know not only the administrator's login and password but also have physical access to Ivanov's computer, since authorization on the server required a special key file with distributed privileges that was located only on the administrator's hard drive. All the information obtained from both computers was attached to the case file, after which the sentence was read to Dmitry.
All events described in this article are fictitious. Any coincidence of names and company names is unintentional. My only aim in writing this text was to show you that seemingly insignificant things like the cache can give investigators a foothold for further action. Nowadays, especially in the Russian segment, there is a belief that such information cannot be used as evidence or even disclosed in court proceedings. You may be right, and the relevant law has not yet been signed, but I am more than sure that its time is fast approaching. While living in the USA, I had a chance to talk with a specialist in IT crime investigation. She told me about some of the methods used to uncover information of interest to an investigation. To my surprised question, "And all this is evidence and can be considered in court?", Kate smiled and calmly replied, "Is it any different in your country?" The only and necessary conclusion from all of the above is that you need to take much more seriously the information that is created without your knowledge, the things that everyone is so used to that no one questions their reliability.
Programs mentioned in the article: Cache View – https://www.progsoc.uts.edu.au/~timj/cv/dl/cview260.zip ; Web Historian – https://software-files . download.com/8 … d=10373157 ; FTK – https://www.accessdata.com/Product04m?ProductNum=04
P.S. This article has only been edited by me.
Copyright (C) 2005 MorpheuS