Internet Explorer is a web browser that the majority of computer users utilize on a daily basis; version 10 (IE10) was introduced along with the Windows 8 operating system. One of the many challenges for the forensic analyst is to reconstruct the web browsing habits of the subject under investigation. To reconstruct this activity, one must analyze the internal data structures of the web browser cache files for Internet Explorer. This research was performed to give the computer forensic community an open source, reproducible, forensically sound, and documented method to reconstruct Internet Explorer activity. A forensic analyst can use the information found in the index.dat file to reconstruct a user’s web activity. With the introduction of Internet Explorer 10, Microsoft changed the way web-related information is stored. Instead of the old index.dat files, Internet Explorer 10 uses an ESE database called WebCacheV01.dat to maintain its web cache, history and cookies. This database contains a wealth of information that can be of great interest to a forensic investigator. This thesis explores the structure of the new database, what information it contains, and how it behaves in different situations, and also shows that it is possible to recover deleted database records, even when the private browsing mode has been used.
An increasing number of both criminal and civil cases rely heavily on digital evidence and Internet activity. The ability to examine a criminal’s browsing history is often critical not only in high-profile criminal cases, but also in minor fraud cases. Web browser artifacts can help uncover offenses ranging from corporate policy violations committed by employees of a company to more serious crimes like child pornography or hacking-related offenses. Even if the investigated crime itself isn’t a literal computer crime, the suspect may still have used a web browser to search