Artifacts

Archive for the ‘Browser’ Category


Facebook Artifacts


Frank McClain

Metadata from Posts, Comments, and Messages

Facebook artifacts for Post, Comment, Message (not necessarily in that order):

Comment (ampersand separated):
charset_test=
fb_dtsg=AQDnBZEP
feedback_params={"actor":"4286109357","target_fbid":"8457139026","target_profile_id":"4286109357","type_id":"22","assoc_obj_id":"","source_app_id":"0","extra_story_params":[],"content_timestamp":"1336396534","check_hash":"BEOzzl5d9kPtd56X","source":"1"}
translate_on_load=
add_comment_text_text=mmm, chocolate muffins…;)
add_comment_text=mmm, chocolate muffins…;)
link_data={"qid":"5997325849936326255","mf_story_key":"1055615292714765287"}
comment_replace=optimistic_comment_8228420818_0
comment=1
__user=1181507002
phstamp=165816811066906980789

Notes: Actor and Target_Profile_ID refer to the original post author. Target_FBID is apparently the author of the previous comment. Facebook user IDs encountered during research were 10-digit numeric. Content_Timestamp is Unix format.

Post (ampersand separated):
fb_dtsg=DGRnKTIV
xhpc_composerid=y6ud29_4
xhpc_targetid=1181507002
xhpc_context=home
xhpc_fbx=1
xhpc_timeline=
xhpc_ismeta=1
xhpc_message_text=If I can find a post cached on my system, why does it not show up in my pcap? It’s somewhat rhetorical; I *will* find it.
xhpc_message=If I can find a post cached on my system, why does it not show up in my pcap? It’s somewhat rhetorical; I *will* find it.
composertags_place=
composertags_place_name=
composer_predicted_city=
composer_session_id=3867336142
is_explicit_place=
audience[0][value]=40
composertags_city=
disable_location_sharing=false
nctr[_mod]=
pagelet_composer __user=1181507002
phstamp=165816811066906980749

Notes: XHPC_TargetID and Pagelet_Composer_User are both the post author’s Facebook ID.

Message (comma separated):
for (;;);{"__ar":1
"payload":{"threads":[{"thread_id":"id.489415769211708"
"last_action_id":"1891362734339000000"
"participants":["fbid:1181507002","fbid:1504162673"]
"name":null,"snippet":"this is a test. i'm looking for forensic artifacts… :)"
"snippet_has_attachment":false
"is_forwarded_snippet":false
"snippet_attachments":[]
"unread_count":0
"image_src":""
"timestamp_absolute":"Sat, 05 May 2012 18:48:55 -0700"
"timestamp_relative":"5 minutes ago"
"timestamp":1336268935102
"is_canonical_user":true
"is_subscribed":true
"is_canonical_group":false
"group_id":null
"is_canonical_live_listen":false
"live_listen_id":null
"is_chatlogger_thread":false
"root_message_threading_id":"\u005Q9YO9TyvIIwiNeg75i3DSjanpwiI6QMqXP\u0050messages.facebook.com>"
"folder":"inbox"
"is_archived":false,"chat_clear_time":-9223372036854775808
"mode":2}]
"actions":[{"message_id":"id.489415769211708"
"threading_id":"\u005Q9YO9TyvIIwiNeg75i3DSjanpwiI6QMqXP\u0050messages.facebook.com>"
"author":"fbid:1181507002"
"timestamp":1336268935102
"timestamp_absolute":"Sat, 05 May 2012 18:48:55 -0700"
"timestamp_relative":"5 minutes ago"
"is_unread":false
"is_forward":false
"forward_count":0
"forward_message_ids":null,"source":"source:titan:web"
"folder":"inbox","body":"this is a test. i'm looking for forensic artifacts… :)"
"subject":null
"has_attachment":false
"attachments":[]
"raw_attachments":null
"is_html":false
"thread_id":"id.489415769211708"
"action_id":"1891362734339000000"
"action_type":"ma-type:user-generated-message"}]
"end_of_history":[{"type":"thread","id":"id.489415769211708"}]
"roger":null
"payload_source":"server_fetch_thread_info"}}

Notes: Last_Action_ID and Action_ID are the same. Payload, Actions, Thread_ID, and End_of_History all contain the same number, referred to as a message or thread ID. Timestamp (twice) is Unix format. Root_Message_Threading_ID and Threading_ID are the same; this may refer to a profile path.

Filetype: PCAP

Applications Used:

Wireshark
tshark
Digital Detective DCode
Woanware Encoder

Notes: 

Evidence was collected by running Wireshark while creating user content on Facebook – Posts, Comments, and Messages. Text-searching did not always work as anticipated (i.e., finding my keywords), so I also converted the pcap to text using tshark, and ended up creating additional Facebook content to extend testing. This was all performed on a Windows system; no portable apps or devices were used.

I cleaned up the content, transforming URL encoding into ASCII, splitting it out into individual lines, etc. The parenthetical statement for each content type indicates the separator. All metadata associated with the user content has been randomly changed (while preserving the format) to anonymize. Timestamps are the exception.

I have not tried to determine “what it all means.” My main goal was to determine the artifacts differentiating a post, message, and comment.
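The three captures above differ in shape as well as in field names: posts and comments are ampersand-separated form fields (with a JSON object nested inside the comment's feedback_params), while a message is a JSON document behind Facebook's "for (;;);" prefix. The following Python is an added example, not part of the original post, that turns each shape into the handful of fields an examiner wants: who acted, on which target or thread, what was written, and when. The request bodies it parses are constructed to mirror the anonymized samples above. One point the page's notes leave implicit is handled explicitly here: content_timestamp in a comment is Unix seconds, while the 13-digit message timestamp is Unix milliseconds, which is why it agrees with the timestamp_absolute value next to it.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed request bodies following the three formats shown on the page.
# IDs and timestamps are fictitious; the layout (ampersand-separated fields
# for posts and comments, "for (;;);"-prefixed JSON for messages) is the
# layout the captures above show.
COMMENT_BODY = (
    "charset_test=&fb_dtsg=AQDnBZEP"
    '&feedback_params={"actor":"4286109357","target_fbid":"8457139026",'
    '"target_profile_id":"4286109357","type_id":"22","content_timestamp":"1336396534"}'
    "&add_comment_text=mmm%2C+chocolate+muffins&comment=1&__user=1181507002"
)
POST_BODY = (
    "fb_dtsg=DGRnKTIV&xhpc_composerid=y6ud29_4&xhpc_targetid=1181507002"
    "&xhpc_context=home&xhpc_message=If+I+can+find+a+post+cached+on+my+system"
    "%2C+why+does+it+not+show+up+in+my+pcap%3F&__user=1181507002"
)
MESSAGE_BODY = (
    'for (;;);{"__ar":1,"payload":{"threads":[{"thread_id":"id.489415769211708",'
    '"participants":["fbid:1181507002","fbid:1504162673"],"timestamp":1336268935102}],'
    '"actions":[{"message_id":"id.489415769211708","author":"fbid:1181507002",'
    '"timestamp":1336268935102,"body":"this is a test.","folder":"inbox"}]}}'
)


def unix_to_utc(value, millis=False):
    """Render a Unix timestamp (seconds, or milliseconds when millis=True) in UTC."""
    seconds = int(value) / 1000 if millis else int(value)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def classify(body):
    """Label a captured body by the markers that distinguish the three content types."""
    if body.startswith("for (;;);"):
        return "message"
    if "xhpc_message=" in body:
        return "post"
    if "feedback_params=" in body and "add_comment_text=" in body:
        return "comment"
    return "unknown"


def parse_comment(body):
    fields = parse_qs(body, keep_blank_values=True)
    params = json.loads(fields["feedback_params"][0])   # JSON nested inside a form field
    return {
        "actor": params["actor"],                       # original post author
        "target_profile_id": params["target_profile_id"],
        "target_fbid": params["target_fbid"],
        "commenter": fields["__user"][0],
        "text": fields["add_comment_text"][0],          # parse_qs already URL-decodes
        "content_time": unix_to_utc(params["content_timestamp"]),  # 10 digits: seconds
    }


def parse_post(body):
    fields = parse_qs(body, keep_blank_values=True)
    return {
        "author": fields["__user"][0],
        "target": fields["xhpc_targetid"][0],
        "context": fields["xhpc_context"][0],
        "text": fields["xhpc_message"][0],
    }


def parse_message(body):
    prefix = "for (;;);"                                # guard prefix, not part of the JSON
    data = json.loads(body[len(prefix):])
    thread = data["payload"]["threads"][0]
    action = data["payload"]["actions"][0]
    return {
        "thread_id": thread["thread_id"],
        "participants": [p.split(":", 1)[1] for p in thread["participants"]],
        "author": action["author"].split(":", 1)[1],    # strip the "fbid:" tag
        "body": action["body"],
        "sent": unix_to_utc(action["timestamp"], millis=True),  # 13 digits: milliseconds
    }


if __name__ == "__main__":
    parsers = {"comment": parse_comment, "post": parse_post, "message": parse_message}
    for body in (COMMENT_BODY, POST_BODY, MESSAGE_BODY):
        kind = classify(body)
        print(kind, parsers[kind](body))
```

On a real capture the form bodies arrive percent-encoded; parse_qs decodes them, so the same functions work whether the input is the raw body or the cleaned-up text shown above, provided the feedback_params JSON is passed through intact.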

Google Chrome Browser Profile (Windows Vista/Windows 7)


Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder (Windows Vista/Windows 7)

Artifact/Program Version
Windows Vista/Windows 7

Description
As part of many Digital Forensics investigations, obtaining information about the user’s browsing habits is an important step. We see lots of articles on IE & Firefox, but what about Google’s Chrome Browser? Like Firefox before it, Chrome is steadily gaining browser market share. This post points out where to find the Chrome user’s Profile folder. Most times, this will be saved as “Default”, but be on the lookout for multiple profiles. Once you locate and extract the Chrome Profile folder (listed below) from your image, you can use tools like ChromeAnalysis or ChromeForensics to assist you in parsing out the information stored within it. You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)

Cookies

Web Logins

Archived History (Web History and search terms)

Bookmarks (This is in a non-SQLite format)

File Locations
HardDrive\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70

Google Chrome Browser Profile (Windows 2000, Windows XP, Windows Server 2003)


Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder

Artifact/Program Version
Windows 2000/Win XP/Windows Server 2003

Description
As part of many Digital Forensics investigations, obtaining information about the user’s browsing habits is an important step. We see lots of articles on IE & Firefox, but what about Google’s Chrome Browser? Like Firefox before it, Chrome is steadily gaining browser market share. This post points out where to find the Chrome user’s Profile folder. Most times, this will be saved as “Default”, but be on the lookout for multiple profiles. Once you locate and extract the Chrome Profile folder (listed below) from your image, you can use tools like ChromeAnalysis or ChromeForensics to assist you in parsing out the information stored within it. You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)

Cookies

Web Logins

Archived History (Web History and search terms)

Bookmarks (This is in a non-SQLite format)

File Locations
HardDrive\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70
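Both Chrome profile posts above (Vista/7 and 2000/XP/2003) say the History data is SQLite and point to ChromeAnalysis or ChromeForensics for parsing it. The following Python is an added example, not code from either of those tools, showing what such a parser has to do with the History file once it is copied out of the profile folder: read the urls, visits and keyword_search_terms tables (a subset of Chrome's History schema of that era, assumed here), convert Chrome's timestamps, and decode how each visit happened. The timestamp detail matters: Chrome stores times as microseconds since 1601-01-01 UTC, not as Unix seconds, so a raw last_visit_time pasted into a Unix converter gives nonsense. The rows are constructed for this example; point open_history at an extracted History file to run it on real data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's History database stores times as microseconds since 1601-01-01 UTC
# (WebKit/Chrome time), not as Unix epoch seconds.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core page-transition codes held in the low 8 bits of visits.transition;
# the high bits are qualifiers (redirect chain, etc.) and are masked off.
CORE_TRANSITIONS = {0: "link", 1: "typed", 2: "auto_bookmark", 5: "generated",
                    7: "form_submit", 8: "reload"}


def webkit_to_utc(value):
    """Convert a WebKit/Chrome microsecond timestamp to a UTC string."""
    if not value:
        return None                         # treat 0/NULL as "no time recorded"
    return (WEBKIT_EPOCH + timedelta(microseconds=int(value))).strftime("%Y-%m-%d %H:%M:%S UTC")


def transition_name(value):
    return CORE_TRANSITIONS.get(value & 0xFF, "other")


def build_sample_history():
    """In-memory History database with constructed rows (subset of Chrome's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
            from_visit INTEGER, transition INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
            lower_term TEXT, term TEXT);
    """)
    t0 = 12980742535000000     # 2012-05-06 01:48:55 UTC in WebKit microseconds
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "http://www.example.com/", "Example Domain", 2, 1, t0 + 60_000_000, 0),
        (2, "http://www.example.com/search?q=forensic+artifacts", "search", 1, 0, t0 + 30_000_000, 0),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t0, 0, 0x10000001),          # typed into the address bar, qualifier bit set
        (2, 2, t0 + 30_000_000, 1, 0),      # followed a link from visit 1
        (3, 1, t0 + 60_000_000, 0, 8),      # reload
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (1, 2, "forensic artifacts", "forensic artifacts"))
    conn.commit()
    return conn


def open_history(path):
    """Open an extracted History file read-only (work on a copy, never the live profile)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_urls(conn):
    rows = conn.execute("SELECT url, title, visit_count, typed_count, last_visit_time "
                        "FROM urls ORDER BY last_visit_time DESC")
    return [{"url": u, "title": t, "visits": v, "typed": ty, "last_visit": webkit_to_utc(lv)}
            for u, t, v, ty, lv in rows]


def list_visits(conn):
    rows = conn.execute("SELECT v.visit_time, u.url, v.transition, v.from_visit "
                        "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [{"time": webkit_to_utc(vt), "url": u, "how": transition_name(tr), "from_visit": fv}
            for vt, u, tr, fv in rows]


def list_search_terms(conn):
    rows = conn.execute("SELECT k.term, u.url FROM keyword_search_terms k "
                        "JOIN urls u ON u.id = k.url_id")
    return [{"term": term, "url": url} for term, url in rows]


if __name__ == "__main__":
    conn = build_sample_history()          # or: open_history("History")
    for row in list_urls(conn) + list_visits(conn) + list_search_terms(conn):
        print(row)
```

The from_visit column links a visit to the one it came from, which is how a chain of clicks is reconstructed, and the typed versus link distinction in the transition field is the same "did the user deliberately go there" question the TypedURLs post below asks of Internet Explorer.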

TypedURLs


Author Name
Joe Garcia

Artifact Name
TypedURLs

Description
This key is added and updated in the Windows Registry when a user types directly into the Address Bar in the Internet Explorer web browser. It also updates whenever the user copies and pastes a website into the Address Bar. It does not update when the user clicks on a link. This means that the user would have to have intentionally

It will save a maximum of 25 entries. When the 26th entry is made, the first (earliest) entry is deleted to make room for the newly added data. The entries are displayed (top to bottom) from most recent to earliest.

The below screenshot shows the TypedURLs parsed out side by side in Harlan Carvey’s RegRipper and AccessData’s Registry Viewer:


Registry Keys
NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

File Locations
C:\Documents and Settings\USERPROFILE\NTUSER.DAT

Research Links
http://www.accessdata.com/downloads/media/Registry%20Quick%20Find%20Chart%20%207-22-08.pdf (Scroll to page 4 of this document)

Forensic Programs of Use
RegRipper: www.regripper.net

AccessData Registry Viewer: www.accessdata.com/downloads.html
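The two tools listed above do the parsing for you; the following Python is an added example, not code from RegRipper or Registry Viewer, that shows the two things an examiner has to get right when reading this key by hand. First, the values are named url1, url2, ... url25 with url1 the most recent (consistent with the most-recent-to-earliest ordering described above), so they must be sorted numerically, not alphabetically, or url10 lands between url1 and url2. Second, the 25-entry cap means the earliest entry is pushed out when a 26th is typed, which record_typed_url models. The input is a constructed export of the key in the .reg text format that "reg export" writes on a live system; the URLs are fictitious.

```python
import re

# Constructed .reg export of the key shown above; values are fictitious.
# Note the deliberately unsorted order and the url10 entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.example.com/recent"
"url10"="http://www.example.net/tenth"
"url2"="http://www.example.org/second"
"url3"="file:///C:\\evidence\\notes.txt"
'''

MAX_ENTRIES = 25                      # IE keeps at most 25 TypedURLs values
_VALUE_RE = re.compile(r'^"url(\d+)"="(.*)"$')


def _unescape(value):
    # .reg files escape double quotes and backslashes inside REG_SZ values
    return value.replace(r'\"', '"').replace("\\\\", "\\")


def parse_typed_urls(reg_text):
    """Return the entries ordered most recent (url1) to earliest.
    Sorting is on the numeric index: lexically, 'url10' would sort before 'url2'."""
    entries = {}
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            entries[int(m.group(1))] = _unescape(m.group(2))
    return [entries[i] for i in sorted(entries)]


def record_typed_url(entries, url):
    """Model the update described above: the new URL becomes url1, existing
    entries shift down one slot, and once 25 are held the earliest is dropped."""
    return ([url] + list(entries))[:MAX_ENTRIES]


def to_reg_values(entries):
    """Render an ordered list back to value names (url1 = most recent)."""
    return {f"url{i}": u for i, u in enumerate(entries, start=1)}


if __name__ == "__main__":
    history = parse_typed_urls(SAMPLE_REG)
    print(history)
    for n in range(30):
        history = record_typed_url(history, f"http://www.example.com/page{n}")
    print(len(history), history[0], history[-1])
```

To run this against an image rather than a live system, export the key from the NTUSER.DAT hive with either tool listed above (or dump the values with RegRipper) and feed the value list to parse_typed_urls; the ordering and roll-off logic is the same.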

First Post


This is a temporary placeholder.