Thomas Chan - Computer Forensic Investigator, EnCE, ACE - PowerPoint PPT Presentation



SLIDE 1

Curriculum Vitae

  • Thomas Chan
    – Computer Forensic Investigator
  • EnCE, ACE, CFCE, CBE, A+
    – Licensed Private Detective
  • 14 years in Computer Forensics
    – PC Forensics
    – Executive Inspector General
    – US Postal Inspector

PCForensics@live.com

SLIDE 2

InPrivate Browsing

Not really private

SLIDE 3

Microsoft’s Internet Explorer 7 -

  • InPrivate Browsing is described as follows:

SLIDE 4

http://windows.microsoft.com/en-us/internet-explorer/products/ie-9/features/in-private

SLIDE 5

InPrivate browsing is manually invoked:

  • Browsing history
  • Temporary internet files
  • Form data
  • Cookies
  • User names
  • Passwords

SLIDE 6

Why do Websites collect information?

SLIDE 7

Click for Profit

  • Websites generate revenue based on the number of times a user clicks on the website’s ads:
    – pictures
    – information buttons
    – add to cart
    – click to purchase, etc.

SLIDE 8

Data

  • Websites gather visitors’ information by pushing files to users’ computers:
    – index.dat
    – cookies
  • Websites want unrestricted access to data via users’ browsers:
    – Number of visits by a user
    – Things of interest to the user

SLIDE 9

PRIVACY

  • Pop-up blockers
  • Ad blockers
  • InPrivate Browsing
    – limit the amount of information the websites need to stay in business.
    – Block advertising from retailers selling products

SLIDE 10

Are your secrets safe from your boss or significant other?

  • Dating sites?
  • Match.com?
  • Yahoo Emails?
  • Internet Surfing?
  • Embarrassing pictures?

SLIDE 11

Embarrassing pictures?

  • Cat

SLIDE 12

Scenario

  • Subject contends material found on computer was automatically downloaded by websites.
  • Subject denies personal involvement or responsibility.

SLIDE 13

Involuntary vs. Voluntary

  • Involuntary: done without will or conscious control; independent of one's will; not by one's own choice.
  • Voluntary: done by intention, and not by accident.

SLIDE 14

Intent

  • If the user opens a new browser window, the user must activate InPrivate browsing by Ctrl+Shift+P or from the menu.
  • InPrivate browsing does not automatically activate.
  • InPrivate must be activated for each window opened.

SLIDE 15

What do we find?

  • When InPrivate browsing is manually turned on, a PrivacIE folder is created.
  • URLs visited are stored in the user’s PrivacIE folder.

SLIDE 16

Data Files

  • Websites gather visitors’ information by pushing files to users’ computers:
    – index.dat
    – cookies

SLIDE 17

INDEX.DAT

  • An index.dat is a database file that stores web addresses, searches, and recently opened files.
  • Index.dat files located on a user’s computer contain information on the Web sites visited.

SLIDE 18

Types of Index.dat

  • Cookies
  • History
  • Temporary Internet
  • PrivacIE

SLIDE 19

Windows 7 stores Index.dat files in the following locations:

  • C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

SLIDE 20

Cookies

  • C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Cookies\low\index.dat

Windows Vista, Windows 7 or Windows 8

SLIDE 21

Cookies

  • A cookie is a data file sent from a Web page server.
  • A cookie may contain an ID number, domain name, expiration date, tracking information, login names, and pages visited.
  • A web site stores your user account information in a cookie, so it can welcome you back.
  • Cookies are text files; they are not the source of spam or pop-up advertisements.

SLIDE 22

Temporary Internet files

  • C:\Users\<Username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

SLIDE 23

History

  • C:\Users\<UserName>\AppData\Local\Microsoft\Windows\History\Content.IE5\index.dat

SLIDE 24

InPrivate browsing creates a folder named PrivacIE in these locations:

  • C:\users\<username>\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
  • C:\users\<username>\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\index.dat

SLIDE 25

Test

SLIDE 26

Turn on InPrivate

SLIDE 27

Go to Match.com

SLIDE 28

Create Account

SLIDE 29

Create Profile

SLIDE 30

12 matches

SLIDE 31

Opportunity?

SLIDE 32

Chemistry

SLIDE 33

Forensic software

  • Search terms

SLIDE 34

SLIDE 35

SLIDE 36

What could we find?

  • Rabbit

SLIDE 37

Search Terms

SLIDE 38

EnCase

SLIDE 39

Anyone look familiar?

SLIDE 40

Anyone we know?

SLIDE 41

  • URLs visited are stored in the user’s PrivacIE folder.

SLIDE 42

Mfehidin001.etl - PrivacIE

SLIDE 43

MFEHIDIN001

SLIDE 44

  • What happens when you make a request to a website?

SLIDE 45

Index.dat

  • The IE (Cache) Index.dat shows the HTTP/1.1 200 OK response from the website to the user's request.

SLIDE 46

200 OK is the standard response for successful HTTP requests to a website.

  – The actual response depends on what the user requested.
  • In a GET request, the response will contain the requested resource.
  • In a POST request, the response will contain a description or result of the action.
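The status line the slides point to ("HTTP/1.1 200 OK") is stored with each cached request inside the index.dat files listed on slides 19 to 24, so a small record parser is enough to list, per URL, what the server answered. This is an added Python example, not code from the presentation; it assumes the publicly documented 5.2 record layout (location string at 0x34, filename at 0x3C, cached HTTP response headers at 0x44/0x48, hit count at 0x54), and the sample buffer is constructed rather than taken from a real file.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def cstr(buf, offset):  # NUL-terminated ASCII string at offset; 0 means "no string stored"
    return "" if offset == 0 else buf[offset:buf.index(b"\x00", offset)].decode("ascii", "replace")

def parse_url_record(rec):
    """Parse one 'URL ' record (5.2 layout) that starts at rec[0]; offsets are record-relative."""
    if rec[:4] != b"URL ":
        raise ValueError("not a URL record")
    nblocks, modified, accessed = struct.unpack_from("<IQQ", rec, 4)
    # 0x34 location, 0x38 dir index, 0x3C filename, 0x40 flags, 0x44 data offset, 0x48 data size, ..., 0x54 hits
    url_off, _, name_off, _, hdr_off, hdr_len, _, _, hits = struct.unpack_from("<9I", rec, 0x34)
    headers = rec[hdr_off:hdr_off + hdr_len].decode("ascii", "replace") if hdr_off else ""  # cached response
    return {"url": cstr(rec, url_off), "filename": cstr(rec, name_off), "hits": hits, "blocks": nblocks,
            "last_modified": filetime_to_datetime(modified), "last_accessed": filetime_to_datetime(accessed),
            "status_line": headers.split("\r\n", 1)[0]}

def scan_records(data):
    """Walk the buffer in 128-byte blocks; parse each URL record and skip past its blocks."""
    out, pos = [], 0
    while pos + 4 <= len(data):
        if data[pos:pos + 4] != b"URL ":
            pos += 128           # file header, hash table or another record type: skip one block
            continue
        out.append(parse_url_record(data[pos:]))
        pos += out[-1]["blocks"] * 128
    return out

def build_record(url, filename, headers, accessed_ft, hits):
    """Construct a synthetic 5.2-style URL record for the demo (not real evidence)."""
    url_b, name_b, hdr_b = url.encode() + b"\x00", filename.encode() + b"\x00", headers.encode()
    url_off = 0x68                                   # first byte after the fixed-size fields
    name_off, hdr_off = url_off + len(url_b), url_off + len(url_b) + len(name_b)
    nblocks = -(-(hdr_off + len(hdr_b)) // 128)      # records are allocated in whole 128-byte blocks
    rec = bytearray(nblocks * 128)
    rec[:4] = b"URL "
    struct.pack_into("<IQQ", rec, 4, nblocks, accessed_ft - 600_000_000, accessed_ft)  # modified 60 s earlier
    struct.pack_into("<9I", rec, 0x34, url_off, 0, name_off, 0, hdr_off, len(hdr_b), 0, 0, hits)
    rec[url_off:hdr_off + len(hdr_b)] = url_b + name_b + hdr_b
    return bytes(rec)

# Constructed sample (not real evidence): zero filler standing in for the file header, then two records.
SAMPLE = b"\x00" * 256 + build_record("http://www.example.com/index.html", "index[1].htm",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n", 130_000_000_000_000_000, 3) + build_record(
    "http://www.example.com/a.gif", "", "HTTP/1.1 404 Not Found\r\n\r\n", 130_000_001_000_000_000, 1)
```

Passing the bytes of a PrivacIE or Content.IE5 index.dat to scan_records lists each URL with the status line the server returned and the last-access time, which is the evidence the Results slide relies on; a real file opens with a "Client UrlCache MMF" header and hash tables, which the scanner steps over block by block.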

SLIDE 47

EnCase

SLIDE 48

Results

  • PrivacIE folder created using InPrivate browsing.
  • Indication of website responses to user requests through the browser.

SLIDE 49

Conclusion

  • User deliberately invoked InPrivate browsing.
  • Website responses were caused by deliberate actions of the user.

SLIDE 50

InPrivate Browsing

  • How about Microsoft Edge Browser?

SLIDE 51

Microsoft Edge

SLIDE 52

SLIDE 53

Disclaimer: Neither confirm nor deny the events. Plausible deniability.