Internet Activity Analysis - OAS
Internet Activity Analysis
Cybercrime Lab
U.S. Department of Justice
Computer Crime and Intellectual Property Section
Internet Activity Analysis
Agenda
• How does web surfing work
• Where to find evidence of web surfing activity
– User computer
– Web server
– Internet Service Provider (ISP)
• Internet activity analysis and the tools needed
How does web surfing work
Visit www.barbadospolice.gov.bb
How does web surfing work
What happens
• Our browser sends a request to the web server ("give me www.barbadospolice.gov.bb"); the request travels through our ISP
• The web server sends back the files that make up the web page to our computer
Diagram: User -> ISP -> Web Server
Where to Find Web Surfing Evidence
• User Computer:
– Temporary Internet Files, index.dat, cookies, favorites, HTML pages and images in unallocated space
– C:\Documents and Settings\<user>\Local Settings\History
– Files from web sites, FTP programs and their logs
• Web Server:
– Site content, access logs, error logs, FTP logs
– Log reporting tools (Analog, web-analyzer, etc.)
• Intermediate Sites (ISP):
– Firewall logs, anti-virus server logs, spam filter logs, web filtering logs (Websense)
Evidence on User Computer
– Temporary Internet cache
– History
– Index.dat
– Cookies
– Registry
Temporary Internet Cache
C:\Documents and Settings\username\Local Settings\Temporary Internet Files
No special tool is needed to view the Temporary Internet Cache: Windows Explorer shows it. Note that what Explorer shows is a shell listing generated from index.dat; the cached files themselves sit in randomly named subfolders under Content.IE5, marked hidden/system, so enable viewing of hidden and protected operating system files (or examine the folder from a disk image) to see them on disk.
Files from the web server are saved on the local drive so they need not be downloaded again until the web page is updated.
IE History
C:\Documents and Settings\username\Local Settings\History
No special tool is needed to view IE History: Windows Explorer shows it. As with the cache, Explorer's listing is built from the index.dat files under History\History.IE5; the daily and weekly MSHist01yyyymmddyyyymmdd subfolders hold the raw records.
A list of the web addresses visited, whether typed in or clicked on.
IE History (screenshot: the History file)
History (screenshot: history of pages viewed and times)
Index.dat
• Contains a log of every file that makes up each web page visited: one record per cached URL, with last-modified and last-accessed timestamps and a hit count.
• Needs special tools to decode this file.
– IE history viewer
– Net Analysis
• Resides in the folder "Documents and Settings\<User>\Local Settings\Temporary Internet Files\Content.IE5" for Internet Explorer on Windows XP. The History and Cookies folders carry their own index.dat files in the same format.
Evidence on User Computer
Analyzing Index.dat
• A special tool is needed to view the index.dat file.
Tools shown: Paraben; Net Analysis; www.logon-int.com
Evidence on User Computer
Analyzing Index.datUsing IEhistory Viewer
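Added example (not from the deck, and not the code of any of the tools it names): a minimal carver for the "URL " records that index.dat is made of, written to show what IE history viewer and Net Analysis decode. It illustrates both the "Index.dat" slide (what the file contains) and the "Analyzing Index.dat" slides. Assumptions: the record layout follows the published libmsiecf description of the version 5.2 format (block size 128, block count at +0x04, last-modified and last-accessed FILETIMEs at +0x08 and +0x10, URL string offset at +0x34, hit count at +0x54); the sample blob is constructed in the code, so the builder and the parser share those offsets. Cross-check a real file with one of the tools above before relying on the offsets. Because it scans for the signature rather than walking the hash table, the same routine can be run over unallocated space.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK_SIZE = 0x80               # index.dat allocates records in 128-byte blocks
URL_SIGNATURE = b"URL "
FIXED_PART = 0x68               # size of the fixed part of a v5.2 URL record (assumed layout)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    if dt is None:
        return 0
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_url_record(data, pos):
    """Decode the 'URL ' record starting at pos, or return None if it does not look like one.

    Offsets follow the libmsiecf description of the v5.2 layout (assumption):
      +0x04 block count, +0x08 last modified, +0x10 last accessed,
      +0x34 offset of the URL string, +0x54 hit count.
    """
    if pos + FIXED_PART > len(data):
        return None
    nblocks = struct.unpack_from("<I", data, pos + 0x04)[0]
    if not 1 <= nblocks <= 64:
        return None                      # stray "URL " text inside page content, not a record
    size = nblocks * BLOCK_SIZE
    modified = filetime_to_datetime(struct.unpack_from("<Q", data, pos + 0x08)[0])
    accessed = filetime_to_datetime(struct.unpack_from("<Q", data, pos + 0x10)[0])
    if accessed is None or not 1995 <= accessed.year <= 2040:
        return None                      # implausible timestamp: treat as a false positive
    url_offset = struct.unpack_from("<I", data, pos + 0x34)[0]
    hits = struct.unpack_from("<I", data, pos + 0x54)[0]
    if not FIXED_PART <= url_offset < size:
        return None
    end = data.find(b"\x00", pos + url_offset, pos + size)
    if end == -1:
        return None
    location = data[pos + url_offset:end].decode("ascii", errors="replace")
    # History records are stored as "Visited: <user>@<url>"; cache records hold the bare URL.
    user = None
    if location.startswith("Visited: ") and "@" in location:
        user, _, location = location[len("Visited: "):].partition("@")
    return {"offset": pos, "size": size, "user": user, "url": location,
            "last_modified": modified, "last_accessed": accessed, "hits": hits}


def carve_url_records(data):
    """Scan a blob (an index.dat, or carved unallocated space) for URL records."""
    records = []
    pos = data.find(URL_SIGNATURE)
    while pos != -1:
        rec = parse_url_record(data, pos)
        if rec is None:
            pos = data.find(URL_SIGNATURE, pos + 1)
        else:
            records.append(rec)
            pos = data.find(URL_SIGNATURE, pos + rec["size"])
    return records


def build_url_record(location, last_modified, last_accessed, hits):
    """Constructed test data: lay a record out the way parse_url_record expects it."""
    url_bytes = location.encode("ascii") + b"\x00"
    nblocks = -(-(FIXED_PART + len(url_bytes)) // BLOCK_SIZE)
    rec = bytearray(nblocks * BLOCK_SIZE)
    rec[0:4] = URL_SIGNATURE
    struct.pack_into("<I", rec, 0x04, nblocks)
    struct.pack_into("<Q", rec, 0x08, datetime_to_filetime(last_modified))
    struct.pack_into("<Q", rec, 0x10, datetime_to_filetime(last_accessed))
    struct.pack_into("<I", rec, 0x34, FIXED_PART)
    struct.pack_into("<I", rec, 0x54, hits)
    rec[FIXED_PART:FIXED_PART + len(url_bytes)] = url_bytes
    return bytes(rec)


def build_sample_index():
    """Constructed index.dat-like blob: a header block, page text with a stray 'URL ', two records."""
    utc = timezone.utc
    header = b"Client UrlCache MMF Ver 5.2\x00".ljust(BLOCK_SIZE, b"\x00")
    junk = b"cached page text mentioning the URL of a site".ljust(BLOCK_SIZE, b"\x00")
    history = build_url_record("Visited: alice@http://www.barbadospolice.gov.bb/",
                               None, datetime(2006, 4, 25, 14, 16, 23, tzinfo=utc), 3)
    cache = build_url_record("http://www.barbadospolice.gov.bb/images/logo.gif",
                             datetime(2006, 4, 20, 10, 0, 0, tzinfo=utc),
                             datetime(2006, 4, 25, 14, 16, 24, tzinfo=utc), 1)
    return header + junk + history + cache


if __name__ == "__main__":
    for r in carve_url_records(build_sample_index()):
        print(r["last_accessed"], r["hits"], r["user"], r["url"])
```

The two validity checks (sane block count, plausible last-accessed year) are what keep the carver from reporting the word "URL " wherever it appears in cached page text. A history record has no last-modified time, which the parser reports as None rather than as the year 1601.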
Internet Tracks
Searches for the words FURNITURE PORN
Clicks Google hyperlink to www.furnitureporn.com
Clicks into Charlie's Angel's pages
Clicks into EACH photo
Goes back to HOTMAIL
Composes an email
Sends the email
After sending, mail folder icons redrawn
Returns to surfing FurniturePorn
Cookies
C:\Documents and Settings\username\Cookies
A special tool is needed to decode and view cookie files fully (the timestamps are stored as split Windows FILETIME values). However, some information, the cookie names and values, is in clear text.
Each file resides on the client computer and holds information a web server wants to track about that browser.
IECookiesView
• IECV.exe
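Added example (not from the deck, and not IECookiesView's code) showing what a cookie viewer decodes. Assumptions: the files in the Cookies folder use the nine-lines-per-cookie text layout (name, value, host/path, flags, expiry low, expiry high, creation low, creation high, "*") with the two timestamps stored as the low and high 32-bit halves of a FILETIME; the file name is "<windows user>@<site>[n].txt". The sample file is constructed in the code; the user name, site and cookie values are hypothetical.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINES_PER_COOKIE = 9


def filetime_to_datetime(ft):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def split_filetime(dt):
    """Return the (low, high) 32-bit halves in which the cookie file stores a FILETIME."""
    ft = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ft & 0xFFFFFFFF, ft >> 32


def parse_cookie_file(filename, text):
    """Decode one file from the Cookies folder.

    Layout (assumption: the 9-lines-per-cookie text format):
      name, value, host/path, flags, expiry low, expiry high, creation low, creation high, "*"
    The file name "<windows user>@<site>[n].txt" attributes the cookie to a Windows account.
    """
    user, _, rest = filename.partition("@")
    site = rest.rsplit("[", 1)[0]
    lines = text.splitlines()
    cookies = []
    for i in range(0, len(lines) - LINES_PER_COOKIE + 1, LINES_PER_COOKIE):
        rec = lines[i:i + LINES_PER_COOKIE]
        if rec[-1] != "*":
            raise ValueError(f"record at line {i + 1} is not terminated by '*'")
        name, value, hostpath, flags, exp_lo, exp_hi, cre_lo, cre_hi, _ = rec
        host, _, path = hostpath.partition("/")
        cookies.append({
            "windows_user": user, "site": site, "name": name, "value": value,
            "host": host, "path": "/" + path, "flags": int(flags),
            "expires": filetime_to_datetime((int(exp_hi) << 32) | int(exp_lo)),
            "created": filetime_to_datetime((int(cre_hi) << 32) | int(cre_lo)),
        })
    return cookies


def build_cookie_text(cookies):
    """Constructed sample data in the same layout (not a real cookie file)."""
    out = []
    for name, value, hostpath, flags, expires, created in cookies:
        e_lo, e_hi = split_filetime(expires)
        c_lo, c_hi = split_filetime(created)
        out += [name, value, hostpath, str(flags), str(e_lo), str(e_hi), str(c_lo), str(c_hi), "*"]
    return "\n".join(out) + "\n"


SAMPLE_FILENAME = "alice@barbadospolice[1].txt"      # hypothetical account and site
SAMPLE_TEXT = build_cookie_text([
    ("sessionid", "7f3a9c21", "www.barbadospolice.gov.bb/", 1536,
     datetime(2006, 4, 26, 14, 16, 23, tzinfo=timezone.utc),
     datetime(2006, 4, 25, 14, 16, 23, tzinfo=timezone.utc)),
    ("lang", "en", "www.barbadospolice.gov.bb/news", 1536,
     datetime(2016, 4, 25, 0, 0, 0, tzinfo=timezone.utc),
     datetime(2006, 4, 25, 14, 16, 30, tzinfo=timezone.utc)),
])


if __name__ == "__main__":
    for c in parse_cookie_file(SAMPLE_FILENAME, SAMPLE_TEXT):
        print(c["windows_user"], c["host"] + c["path"], c["name"], "=", c["value"],
              "created", c["created"], "expires", c["expires"])
```

The creation time is the evidentially useful field: it records when the browser first received the cookie from that host, in UTC, independent of the file system timestamps.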
Registry
Registry
• Human-typed URLs: HKCU\Software\Microsoft\Internet Explorer\TypedURLs (values url1, url2, ..., with url1 the most recently typed)
Registry
• Also tracked by user Security Identifier (SID): in the HKEY_USERS hive the same TypedURLs key appears under each account's SID, so typed URLs can be attributed to a specific user account.
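Added example (not from the deck) of attributing TypedURLs entries to accounts by SID, working from a regedit .reg export rather than a live registry so it runs anywhere. It assumes the standard .reg export syntax (bracketed key paths, "name"=value lines, REG_EXPAND_SZ written as hex(2) UTF-16LE bytes wrapped with trailing backslashes) and joins each SID to its profile folder through HKLM\...\ProfileList\<SID>\ProfileImagePath. The SIDs, account name and URLs in the sample export are hypothetical and constructed in the code.

```python
import re

# Hypothetical SIDs and profile path; the export text below is constructed, not from a real system.
ALICE_SID = "S-1-5-21-1004336348-1177238915-682003330-1004"
GHOST_SID = "S-1-5-21-1004336348-1177238915-682003330-1007"   # account whose profile is gone
ALICE_PROFILE = "%SystemDrive%\\Documents and Settings\\alice"


def reg_expand_sz(value):
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2): UTF-16LE bytes, wrapped."""
    pairs = [f"{b:02x}" for b in (value + "\x00").encode("utf-16-le")]
    chunks = [",".join(pairs[i:i + 20]) for i in range(0, len(pairs), 20)]
    return "hex(2):" + ",\\\n  ".join(chunks)


SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\{ALICE_SID}]
"ProfileImagePath"={reg_expand_sz(ALICE_PROFILE)}
"Flags"=dword:00000000

[HKEY_USERS\\{ALICE_SID}\\Software\\Microsoft\\Internet Explorer\\TypedURLs]
"url1"="http://www.barbadospolice.gov.bb/"
"url2"="www.hotmail.com"
"url3"="http://www.google.com/"

[HKEY_USERS\\{GHOST_SID}\\Software\\Microsoft\\Internet Explorer\\TypedURLs]
"url1"="ftp://files.example.net/"
"""


def _decode_value(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):                       # REG_EXPAND_SZ
        data = bytes.fromhex(raw[7:].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                          # other binary types left as exported


def parse_reg_export(text):
    """Parse a regedit .reg export into {key path: {value name: value}}."""
    text = text.replace("\r\n", "\n").replace("\\\n  ", "")   # join wrapped hex lines
    keys, current = {}, None
    for line in text.split("\n"):
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = _decode_value(raw)
    return keys


def typed_urls_by_user(keys):
    """Attribute TypedURLs entries to accounts via the SID in the HKEY_USERS path.

    ProfileList maps each SID to its profile directory; a SID with no ProfileList entry
    (deleted account, or a hive loaded from another machine) is reported with profile None.
    """
    profiles = {k.rsplit("\\", 1)[1]: v.get("ProfileImagePath")
                for k, v in keys.items() if "\\ProfileList\\" in k}
    result = {}
    for key, values in keys.items():
        if not (key.startswith("HKEY_USERS\\") and key.endswith("\\Internet Explorer\\TypedURLs")):
            continue
        sid = key.split("\\")[1]
        # url1 is the most recently typed address; sort numerically so url10 follows url9
        names = sorted((n for n in values if re.fullmatch(r"url\d+", n)), key=lambda n: int(n[3:]))
        result[sid] = {"profile": profiles.get(sid), "urls": [values[n] for n in names]}
    return result


if __name__ == "__main__":
    for sid, info in typed_urls_by_user(parse_reg_export(SAMPLE_REG)).items():
        print(sid, info["profile"])
        for url in info["urls"]:
            print("   ", url)
```

On a seized machine the HKEY_USERS branch for a logged-off account is not loaded; the same key lives in that user's NTUSER.DAT, and the SID-to-profile mapping in ProfileList is what ties the hive file to the account.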
Why do we care about the user's computer?
• It can be seized for evidence
• It can be used as an undercover investigation tool
Evidence: Web Server
• Web access logs
• The illegal content the web server provides to Internet users
Evidence: Web Server
199.202.74.125 - - [25/Apr/2006:09:16:23:48 -0500] "GET /index.html HTTP/1.0" 200 6248 "http://www.catsrus.com/links.htm" "Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)"
199.202.74.125 - - [25/Apr/2006:09:16:24:01 -0500] "GET /wordpress/seduction.jpg HTTP/1.0" 200 47178 "http://www.google.com/search?hl=en&q=kitty+porn" "Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)"
Sample web server logs (Apache combined log format): each entry represents one request to the server. Reading left to right:
– IP of the requesting computer
– Date/time of the request (as seen by the web server, with its UTC offset; note the sample timestamp carries an extra field, the real format is [dd/Mon/yyyy:HH:MM:SS zone])
– Request (method, file requested, protocol)
– Status code and bytes transferred
– Referrer URL (the referring page; when it is a search engine, the query string shows the words searched for)
– User agent (browser, operating system)
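Added example (not from the deck) of reading the fields described above out of combined-format access logs: a parser that rejects malformed lines, normalises each timestamp to UTC so server entries can be lined up against the suspect machine's index.dat times, pulls the search terms out of a search-engine referrer, and identifies the browser and operating system from the user agent. The log lines are constructed for the example (same field layout as the slide's sample; the IP addresses, paths and query are illustrative), and the "q"/"p" parameter names are assumptions about common search engines of the period.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample in Apache "combined" format (same fields as the slide's lines, not its data).
SAMPLE_LOG = """\
199.202.74.125 - - [25/Apr/2006:09:16:23 -0500] "GET /index.html HTTP/1.0" 200 6248 "http://www.catsrus.com/links.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
199.202.74.125 - - [25/Apr/2006:09:16:24 -0500] "GET /wordpress/seduction.jpg HTTP/1.0" 200 47178 "http://www.google.com/search?hl=en&q=antique+furniture" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
10.0.0.7 - - [25/Apr/2006:09:20:05 -0500] "GET /admin/ HTTP/1.1" 404 512 "-" "-"
garbage that is not a log line
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def search_terms(referrer):
    """If the referrer is a search-engine results page, return the query the visitor typed."""
    if not referrer:
        return None
    query = parse_qs(urlparse(referrer).query)
    for key in ("q", "p"):             # q: Google/Bing-style, p: Yahoo-style (assumption)
        if key in query:
            return query[key][0]
    return None


def browser_of(agent):
    """Pull the browser and OS names out of an IE-style User-Agent string."""
    if not agent:
        return (None, None)
    msie = re.search(r"MSIE [\d.]+", agent)
    win = re.search(r"Windows[^;)]*", agent)
    return (msie.group(0) if msie else None, win.group(0).strip() if win else None)


def parse_combined_log(text):
    """Return (entries, rejected_lines). Times are normalised to UTC so logs from
    different servers and the suspect's machine can be placed on one timeline."""
    entries, rejected = [], []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            if line.strip():
                rejected.append(line)   # keep, do not silently drop, anything that did not parse
            continue
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        referrer = None if m["referrer"] == "-" else m["referrer"]
        entries.append({
            "ip": m["ip"], "time_utc": when, "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
            "referrer": referrer, "search_terms": search_terms(referrer),
            "agent": None if m["agent"] == "-" else m["agent"],
        })
    return entries, rejected


def requests_by_ip(entries):
    """How many requests each client address made: the first cut at identifying a visitor."""
    return Counter(e["ip"] for e in entries)


if __name__ == "__main__":
    entries, rejected = parse_combined_log(SAMPLE_LOG)
    for e in entries:
        print(e["time_utc"], e["ip"], e["status"], e["path"], e["search_terms"], browser_of(e["agent"]))
    print("rejected:", len(rejected), "requests per IP:", requests_by_ip(entries))
```

The referrer and user agent are supplied by the visitor's browser, so they are only as trustworthy as the visitor; the source IP and the server's own clock are the fields that can be corroborated with ISP records.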
Why do we care about web servers?
• A criminal running a web server obtains this same information (IP address, browser, referrer) about any undercover computer that connects to it
• If law enforcement can run the web server, we obtain this information about the targets who connect
Evidence: ISP
• An ISP can provide law enforcement (LE) with anything from account information to the full content of a user's activity
Evidence: ISP
• Sample response to a pen-trap order (screenshot)
Evidence: ISP
• Sample of full content monitoring / capturing (screenshot)
Questions
Phone: 202-514-1026
Web: www.cybercrime.gov
Cybercrime Lab
Computer Crime and Intellectual Property Section
United States Department of Justice