Techniques that can be used to discover evidence in support of an asset's physical location, network connectivity and web browser history post-breach. These are most useful in investigations relating to insider threat or, more commonly since the COVID pandemic, attacks originating from employees working away from the office.
Windows
Timezone
Identifying the system's time zone can provide information that indicates an asset's physical locale.
WIN: XP+
SRV: 2003+
Location
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Interpretation and Investigative Notes
- Internal logs and DTG stamps will be based on the control set saved in the registry key.
- Other network sourced logs will need to be correlated for any time difference/skew.
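The correlation step the notes describe, as an added example that is not part of the original page: the bias values under TimeZoneInformation are REG_DWORDs that follow the Windows convention UTC = local + bias, and zones east of UTC store a negative bias wrapped at 2^32. The sample key values are constructed (a UTC-5 zone observed in standard time). One caveat worth keeping in mind: ActiveTimeBias is the bias in force when the key was last written, so events that fall on the other side of a DST change need Bias plus DaylightBias for that period instead.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the REG_DWORD values under
# HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation for a UTC-5 zone
# observed during standard time. Sample data, not taken from a real host.
SAMPLE_TZ_KEY = {
    "TimeZoneKeyName": "Eastern Standard Time",
    "Bias": 300,                 # minutes; Windows convention: UTC = local + Bias
    "DaylightBias": 0xFFFFFFC4,  # -60 stored as an unsigned DWORD
    "ActiveTimeBias": 300,       # bias in force when the key was last written
}


def dword_to_signed(value: int) -> int:
    """REG_DWORD is unsigned; zones east of UTC store negative biases wrapped at 2^32."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value >= 0x80000000 else value


def registry_offset(tz_key: dict) -> timedelta:
    """UTC offset implied by ActiveTimeBias (sign flipped: the bias is UTC minus local)."""
    return timedelta(minutes=-dword_to_signed(tz_key["ActiveTimeBias"]))


def local_to_utc(local_ts: str, tz_key: dict) -> datetime:
    """Normalise a host-local timestamp (application log, file MAC time) to UTC."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(registry_offset(tz_key))).astimezone(timezone.utc)


def skew_seconds(local_ts: str, tz_key: dict, network_utc_ts: str) -> float:
    """Residual difference (seconds) between a host-local entry and the matching
    network-sourced entry recorded in UTC, once the time-zone offset is removed.
    Whatever is left over is clock skew that must be applied to the host timeline."""
    net = datetime.strptime(network_utc_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return (local_to_utc(local_ts, tz_key) - net).total_seconds()


if __name__ == "__main__":
    print(local_to_utc("2020-11-02 09:15:00", SAMPLE_TZ_KEY).isoformat())
    print(skew_seconds("2020-11-02 09:15:00", SAMPLE_TZ_KEY, "2020-11-02 14:14:30"))
```

On a live system the same values can be read with winreg and fed to the functions unchanged; the dict shape above is all they need.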
Tools
Sources
Browser Cookies
Cookies give insight into which sites have been visited and the activities that occurred on the site.
WIN: XP+
SRV: 2003+
Location
# INTERNET EXPLORER
# Versions 6-10
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
# Version 11
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookies
# MOZILLA FIREFOX
# WINDOWS XP
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\cookies.sqlite
# WINDOWS 7+
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\cookies.sqlite
# GOOGLE CHROME
# WINDOWS XP
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage
# WINDOWS 7+
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Interpretation and Investigative Notes
- Google Analytics (GA) has developed an extremely sophisticated methodology for tracking site visits, user activity, and paid search. Since GA is largely free, it has a commanding share of the market, estimated at over 80% of sites using traffic analysis and over 50% of all sites.
- __utma (Unique Visitors)
  - Domain hash
  - Visitor ID
  - Cookie creation time
  - Time of 2nd most recent visit
  - Time of most recent visit
  - Number of visits
- __utmb (Session Tracking)
  - Domain hash
  - Page views in current session
  - Outbound link clicks
  - Time current session started
- __utmz (Traffic Sources)
  - Domain hash
  - Last update time
  - Number of visits
  - Number of different types of visits
  - Source used to access site
  - Google AdWords campaign name
  - Access method (organic, referral, cpc, email, direct)
  - Keyword used to find site (non-SSL only)
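A decoder for the three cookie layouts listed above, added here as an example and not taken from the page or any of its sources. The field order follows the classic ga.js layout (dot-separated fields; campaign data in utmz as pipe-separated key=value pairs). The cookie values are constructed, and the timestamps are rendered in UTC so they can be laid next to the rest of the timeline.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed cookie values in the classic Google Analytics (ga.js) layout; on disk the
# names carry a double underscore (__utma, __utmb, __utmz). Not data from the page.
SAMPLE_COOKIES = {
    "__utma": "173272373.1019874512.1600000000.1600300000.1600386400.3",
    "__utmb": "173272373.4.10.1600386400",
    "__utmz": ("173272373.1600386400.3.2.utmcsr=google|utmccn=(organic)"
               "|utmcmd=organic|utmctr=srum%20forensics"),
}


def _iso(epoch: str) -> str:
    """GA stores Unix seconds; render them as UTC ISO-8601 for the timeline."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()


def parse_utma(value: str) -> dict:
    """Unique-visitor cookie: hash.visitorId.created.previousVisit.currentVisit.visits"""
    domain_hash, visitor_id, created, previous, current, visits = value.split(".")
    return {
        "domain_hash": domain_hash,
        "visitor_id": visitor_id,
        "cookie_created": _iso(created),
        "second_most_recent_visit": _iso(previous),
        "most_recent_visit": _iso(current),
        "visits": int(visits),
    }


def parse_utmb(value: str) -> dict:
    """Session cookie: hash.pageviews.outboundClicks.sessionStart"""
    domain_hash, pageviews, outbound, started = value.split(".")
    return {
        "domain_hash": domain_hash,
        "pageviews_this_session": int(pageviews),
        "outbound_clicks": int(outbound),
        "session_started": _iso(started),
    }


def parse_utmz(value: str) -> dict:
    """Traffic-source cookie: hash.lastUpdate.visits.sourceTypes.key=val|key=val...
    maxsplit=4 keeps any dots inside the campaign fields intact."""
    domain_hash, updated, visits, source_kinds, campaign = value.split(".", 4)
    fields = {}
    for pair in campaign.split("|"):
        key, _, val = pair.partition("=")
        fields[key] = unquote(val)
    return {
        "domain_hash": domain_hash,
        "last_update": _iso(updated),
        "visits": int(visits),
        "source_types": int(source_kinds),
        "source": fields.get("utmcsr"),          # site / search engine used to arrive
        "campaign": fields.get("utmccn"),        # AdWords campaign name or (organic)
        "access_method": fields.get("utmcmd"),   # organic, referral, cpc, email, direct
        "keyword": fields.get("utmctr"),         # search term; absent for SSL searches
    }


PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}


def parse_ga_cookies(cookies: dict) -> dict:
    """Decode every GA cookie present in a cookie jar (dict of name -> value)."""
    return {name: PARSERS[name](val) for name, val in cookies.items() if name in PARSERS}


if __name__ == "__main__":
    for name, decoded in parse_ga_cookies(SAMPLE_COOKIES).items():
        print(name, decoded)
```

The domain hash is the same in all three cookies for one site, which is a quick consistency check when cookies from several sources are being merged into one timeline.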
Tools
Sources
- Hacking Articles - Beginner Guide to Understanding Cookies Session Management
- Acquire Forensics - Google Chrome Browser Forensics
- Google - Analytics
- Hats Off Security - Google Analytic Cookies
WLAN Event Log
Determines which wireless connections have been established and displays the SSID.
WIN: 7+
SRV: Not Tested
Location
Microsoft-Windows-WLAN-AutoConfig Operational.evtx
Interpretation and Investigative Notes
- Event IDs
  - 11000: Wireless network association started
  - 8001: Successful connection to wireless network
  - 8002: Failed connection to wireless network
  - 8003: Disconnect from wireless network
  - 6100: Network diagnostics (System.evtx)
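The event IDs above turned into a connection timeline, as an added example (not code from the page or from any of the listed tools). The records are constructed in the XML shape of an exported event, with the SSID carried in EventData; the pairing logic matches each 8001 with the next 8003 for the same SSID, keeps 8002 failures as zero-length entries, and reports a connection that never received a disconnect with end=None, which is what you see when the machine was simply powered off or the log rolled over.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _rec(event_id: int, when: str, ssid: str) -> str:
    """Build one constructed event in the XML shape of an exported .evtx record."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-WLAN-AutoConfig"/><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/></System>'
        f'<EventData><Data Name="SSID">{ssid}</Data></EventData></Event>'
    )


# Constructed sample: a guest network used for 92 minutes, a failed attempt on a
# second network, then a connection that was still open when the log was collected.
SAMPLE_EVENTS = [
    _rec(11000, "2021-03-04T07:58:51.000Z", "CoffeeHouse-Guest"),
    _rec(8001, "2021-03-04T07:59:05.000Z", "CoffeeHouse-Guest"),
    _rec(8003, "2021-03-04T09:31:05.000Z", "CoffeeHouse-Guest"),
    _rec(11000, "2021-03-04T18:02:10.000Z", "HomeNet"),
    _rec(8002, "2021-03-04T18:02:14.000Z", "HomeNet"),
    _rec(11000, "2021-03-04T18:02:40.000Z", "HomeNet"),
    _rec(8001, "2021-03-04T18:02:52.000Z", "HomeNet"),
]

EVENT_NAMES = {
    11000: "association started",
    8001: "connected",
    8002: "connection failed",
    8003: "disconnected",
}


def parse_event(xml_text: str) -> dict:
    """Pull event ID, UTC timestamp and SSID out of one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    ssid = root.find("e:EventData/e:Data[@Name='SSID']", NS)
    return {
        "id": event_id,
        "name": EVENT_NAMES.get(event_id, "other"),
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
        "ssid": ssid.text if ssid is not None else None,
    }


def wlan_sessions(events) -> list:
    """Pair each 8001 with the next 8003 for the same SSID; record 8002 failures;
    a connection with no matching 8003 is reported with end=None."""
    records = sorted((parse_event(e) for e in events), key=lambda r: r["time"])
    sessions, open_ = [], {}
    for rec in records:
        if rec["id"] == 8001:
            open_[rec["ssid"]] = rec["time"]
        elif rec["id"] == 8003 and rec["ssid"] in open_:
            start = open_.pop(rec["ssid"])
            sessions.append({"ssid": rec["ssid"], "start": start, "end": rec["time"],
                             "minutes": (rec["time"] - start).total_seconds() / 60,
                             "failed": False})
        elif rec["id"] == 8002:
            sessions.append({"ssid": rec["ssid"], "start": rec["time"], "end": rec["time"],
                             "minutes": 0.0, "failed": True})
    for ssid, start in open_.items():
        sessions.append({"ssid": ssid, "start": start, "end": None,
                         "minutes": None, "failed": False})
    return sessions


def ssids_seen(events) -> list:
    """Every SSID that appears in the log, including failed attempts."""
    return sorted({r["ssid"] for r in map(parse_event, events) if r["ssid"]})
```

Feeding real records is a matter of exporting the Operational log to XML (or converting EvtxECmd output back to the same fields); the SSID sessions then line up directly with the time-zone-normalised host timeline.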
Tools
- Event Log Explorer
- Event Log Parser (EvtxECmd)
- Native Event Viewer
Sources
Browser Search Times
Records websites visited by date and time. Details are stored for each local user account. Records the number of times each site was visited (frequency) and also tracks access to local system files. Includes the history of search terms entered into search engines.
WIN: XP+
SRV: Not Tested
Location
# INTERNET EXPLORER
# Versions 6-7
%USERPROFILE%\Local Settings\History\History.IE5
# Versions 8-9
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5
# Versions 10-11
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
# MOZILLA FIREFOX
# WINDOWS XP
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\places.sqlite
# WINDOWS 7/8/10
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\places.sqlite
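A worked query over the Firefox places.sqlite artifact listed above, added as an example (not code from the page). It builds an in-memory database holding a minimal subset of the real moz_places / moz_historyvisits schema with constructed rows, then produces the visit timeline the section describes: date and time of each visit (PRTime, microseconds since the epoch), per-site visit counts, the referring page resolved through from_visit, search terms recovered from the result URL, and local files opened through the browser. The list of query-parameter names treated as search terms is an assumption of the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Query-string parameters that commonly carry a search term (assumption, not from the page).
SEARCH_PARAMS = ("q", "query", "p", "search")

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_iso(microseconds: int) -> str:
    """Firefox stores PRTime: microseconds since the Unix epoch, UTC."""
    return (EPOCH + timedelta(microseconds=microseconds)).isoformat()


def load_sample() -> sqlite3.Connection:
    """In-memory database with a minimal subset of the places.sqlite schema
    (moz_places / moz_historyvisits) and constructed rows; not a real profile."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    places = [
        (1, "https://www.google.com/search?q=resignation+letter+template",
         "resignation letter template - Google Search", 2, 1614845000000000),
        (2, "https://example.com/templates/resignation", "Resignation letter", 1, 1614846000000000),
        (3, "file:///C:/Users/alice/Documents/clients.xlsx", None, 1, 1614847000000000),
    ]
    visits = [
        (1, 0, 1, 1614844000000000, 2),  # visit_type 2: URL typed into the address bar
        (2, 0, 1, 1614845000000000, 1),  # visit_type 1: followed a link
        (3, 2, 2, 1614846000000000, 1),  # from_visit=2: referred by the search page
        (4, 0, 3, 1614847000000000, 2),  # local file opened in the browser
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", places)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", visits)
    return conn


def search_term(url: str):
    """Recover the search term from a search-engine result URL, if there is one."""
    params = parse_qs(urlparse(url).query)
    for name in SEARCH_PARAMS:
        if name in params:
            return params[name][0]
    return None


def visit_timeline(conn: sqlite3.Connection) -> list:
    """One row per visit, oldest first, with the referring page resolved via from_visit."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, p.visit_count,
               (SELECT p2.url FROM moz_historyvisits v2
                  JOIN moz_places p2 ON p2.id = v2.place_id
                 WHERE v2.id = v.from_visit) AS referrer
          FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
         ORDER BY v.visit_date""").fetchall()
    return [{
        "time": prtime_to_iso(r[0]), "url": r[1], "title": r[2], "visit_count": r[3],
        "referrer": r[4], "search_term": search_term(r[1]),
        "local_file": r[1].startswith("file:"),
    } for r in rows]


if __name__ == "__main__":
    for row in visit_timeline(load_sample()):
        print(row["time"], row["url"], row["search_term"] or "", row["referrer"] or "")
```

Against a real profile, open a copy of places.sqlite (together with its -wal file, if present) read-only and pass that connection to visit_timeline instead of load_sample().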
Interpretation and Investigative Notes
Tools
Sources
System Resource Usage Monitor (SRUM)
Records 30 to 60 days of historical system performance: applications run, the user account responsible for each, and bytes sent/received per application per hour.
WIN: 8+
SRV: Not Tested
Location
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
SOFTWARE\Microsoft\WlanSvc\Interfaces
C:\Windows\System32\SRU\
Interpretation and Investigative Notes
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
  - {973F5D5C-xxxx-xxxx-xxxx-xxxxxxxxxxxx}: Windows Network Data Usage Monitor
  - {DD6636C4-xxxx-xxxx-xxxx-xxxxxxxxxxxx}: Windows Network Connectivity Usage Monitor
Tools
Sources
Browser Cache
The browser cache is where web page components are stored locally to speed up subsequent visits. It can be used to glean further information on what a user was actively looking at online, providing the following information:
- Websites visited
- Files viewed on a website visited (cached files are linked to specific local accounts)
- Timestamps indicating when the site was first saved and last accessed
WIN: XP+
SRV: Not Tested
Location
# INTERNET EXPLORER
# Versions 8-10
%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
# Version 11
%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache\IE
# Edge
%USERPROFILE%\AppData\Local\Packages\microsoft.microsoftedge_<APP ID>\AC\MicrosoftEdge\Cache
# MOZILLA FIREFOX
# WINDOWS XP
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\cache
# WINDOWS 7+
%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\cache
# GOOGLE CHROME
# WINDOWS XP (cache entries are stored as data_# and f_###### files)
%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\
# WINDOWS 7+ (cache entries are stored as data_# and f_###### files)
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Cache\
Interpretation and Investigative Notes
Tools
Sources
Flash and Super Cookies
Local Shared Objects (LSOs), or Flash cookies, have become ubiquitous on most systems due to the extremely high penetration of Flash applications across the internet. They tend to be much more persistent because they do not expire, and there is no built-in mechanism within the browser to remove them. In fact, many sites have begun using LSOs for their tracking mechanisms because they rarely get cleared like traditional cookies.
The artifact provides the following information:
- Websites visited
- User account used to visit the site
- When cookie was created and last accessed
WIN: 7+
SRV: Not Tested
Location
%USERPROFILE%\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\<random_profile_id>
Interpretation and Investigative Notes
Tools
Sources
- Nasbench - Web Browser Forensics
- Forensics From the Sausage Factory - Adobe Flash Player Local Shared Objects
Session Restore
Artifacts of the automatic crash recovery features built into the browser.
WIN: 7+
SRV: Not Tested
Location
# INTERNET EXPLORER
%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\Recovery
# MOZILLA FIREFOX
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\sessionstore.js
# GOOGLE CHROME
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\
Interpretation and Investigative Notes
- Historical websites viewed in each tab
- Referring websites
- Time session ended
  - Modified time of .dat files in the LastActive folder
- Time each tab opened (only when a crash occurred)
  - Creation time of .dat files in the Active folder
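For the Firefox sessionstore.js artifact, the "websites viewed in each tab" and "referring websites" items above can be pulled straight out of the JSON. The following is an added example, not code from the page: the sample blob is constructed, and the layout it assumes (windows, each holding tabs, each tab holding its back/forward entries with a 1-based index pointing at the current entry, plus millisecond lastUpdate and lastAccessed values) is Firefox's JSON session format as understood by this example, not something the page itself documents. The referring website for a tab is taken to be the entry immediately before the current one in that tab's history.

```python
import json
from datetime import datetime, timezone

# Constructed sessionstore content. The windows -> tabs -> entries layout, the 1-based
# "index" of the current entry and the millisecond "lastUpdate"/"lastAccessed" values
# follow Firefox's JSON session format (an assumption of this example).
SAMPLE_SESSIONSTORE = json.dumps({
    "session": {"startTime": 1614840000000, "lastUpdate": 1614851000000},
    "windows": [{"selected": 1, "tabs": [
        {"index": 2, "lastAccessed": 1614850000000, "entries": [
            {"url": "https://www.google.com/search?q=external+job+boards", "title": "Search"},
            {"url": "https://example.com/jobs", "title": "Jobs"},
        ]},
        {"index": 1, "lastAccessed": 1614849000000, "entries": [
            {"url": "https://intranet.example/hr/policies", "title": "HR policies"},
        ]},
    ]}],
})


def _ms_to_iso(ms: int) -> str:
    """Session timestamps are milliseconds since the epoch; render as UTC ISO-8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def tab_histories(data: dict) -> list:
    """Per tab: the page shown when the session was saved, its referring page
    (the previous entry in that tab's back/forward list) and the full entry list."""
    out = []
    for w, window in enumerate(data["windows"]):
        for t, tab in enumerate(window["tabs"]):
            entries = tab["entries"]
            cur = tab["index"] - 1
            out.append({
                "window": w,
                "tab": t,
                "current_url": entries[cur]["url"],
                "referring_url": entries[cur - 1]["url"] if cur > 0 else None,
                "last_accessed": _ms_to_iso(tab["lastAccessed"]),
                "history": [e["url"] for e in entries],
            })
    return out


def session_summary(blob: str) -> dict:
    """Session start, the last save (the closest thing to 'time session ended'), and tabs."""
    data = json.loads(blob)
    return {
        "started": _ms_to_iso(data["session"]["startTime"]),
        "last_saved": _ms_to_iso(data["session"]["lastUpdate"]),
        "tabs": tab_histories(data),
    }


if __name__ == "__main__":
    summary = session_summary(SAMPLE_SESSIONSTORE)
    print(summary["started"], summary["last_saved"])
    for tab in summary["tabs"]:
        print(tab["window"], tab["tab"], tab["current_url"], "<-", tab["referring_url"])
```

Newer Firefox builds keep the same structure in a compressed sessionstore file; once decompressed to JSON, the blob can be passed to session_summary unchanged.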