Tuesday, January 27, 2009
Internet Parser Update
In honor of Randy G (see this post) and the fact that I found a new browser, I have updated the Internet Parser program to now include the Flock browser, which is based on the Mozilla framework. Now I have not done an extensive analysis on it yet, but I have done enough to know it fits right in with Firefox 3.x and Google Chrome, as it uses SQLite to store its history and other files. One thing to note is that there is a new report added called Form History. This is a new database that Flock uses that keeps data that was entered into any forms. That is about all I know about the forms at this point. There are quite a few new databases that Flock uses and I will have to test them out to see what data points can be pulled out.
So in honor of Randy G. here is the download.
Questions/Comments/Suggestions?
Posted by Mark McKinnon at 8:32 AM
Labels: FireFox, Flock, Google Chrome, Internet Parser, Sqlite
Wednesday, December 31, 2008
Updates Before the New Year
Here are a few updates to some of the programs I have provided this year.
Skype Log Parser:
This program will now parse the voicemail logs and report on them. It will also extract some more information about the users. The avatars will also be parsed out and saved to the report directory as well. The program can be found here. I also want to thank the University of New Orleans (Team NSSAL) for using this program in the DC3 Challenge this year. I created the program for my own use in the challenge, but when I got bogged down with other things I thought I would release it in hopes that someone would use it for the challenge.
Thumbnail_Html:
I do not recall if I ever released this or not, but what it will do is parse a directory and create a web page with thumbnails of the graphics files in it. This program is good if you need to create a file that has graphics that you want to send to someone and be able to put it on a CD/DVD. This program will also read some of the EXIF info from the graphics and output that information as well. The program can be found here.
Internet Parser:
This is the updated Google Chrome parser with a few more reports, and I have also added the option to include Firefox history files as well. With this program, if someone had both Firefox and Google Chrome you can add both of their history files to the same database and do one report instead of multiple reports. This program can be found here.
Internet History:
This program reads in the Internet Explorer index.dat, the cookie index.dat and the History index.dat files and will produce reports on them. The reports should be similar to those of the Internet Parser program. That program can be found here.
I hope you enjoy all these updated and new programs and that you get quite a bit of use out of them.
As always Questions/Comments/Suggestions/Thoughts?
Posted by Mark McKinnon at 1:22 PM
Labels: EXIF, FireFox, Google Chrome, Graphics, Internet Explorer, updates
Tuesday, September 9, 2008
Google Chrome Log Parser
Google Chrome has been out for about a week, and here is my first attempt to create a program that will parse out all the Chrome logs and put together some useful reports. The program can be found here.
Just like Firefox, Chrome also stores its logs in a SQLite database. Some of these logs are very similar to the Firefox logs. One thing to note is that Chrome is not very consistent about which format it uses for date/time. In some logs it uses Unix epoch time (Jan 1 1970) and in others it uses Microsoft epoch time (Jan 1 1601). Chrome also stores a thumbnail of web pages in these logs as well. These thumbnails are used when you first start Chrome to show you 9 pages you have visited. The above log parser will pull these thumbnails out and present them in the reports as well.
As I stated above, this program is a work in progress and there is still more research to be done to make it better. I just wanted to get it out to all of you to start playing with it.
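The epoch mix-up is the part worth getting right before trusting any report, so here is an added example (my own code, not the Google Chrome Log Parser the post links to). It builds a small SQLite database in memory from constructed rows shaped like Chrome's urls table, where last_visit_time is microseconds since 1601-01-01 UTC, adds a downloads-style table keyed on a Unix-seconds start_time to stand in for the logs the post says use the Unix epoch, converts both, and includes a magnitude heuristic for telling the two apart. The table and column names, the downloads table, and every row are assumptions made for the example; check them against the schema of the History copy you are actually examining.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not from a real profile).  The 'urls' table is modelled on
# Chrome's History database, where last_visit_time is microseconds since 1601-01-01 UTC;
# the downloads-style table stands in for the logs the post says use the Unix epoch.
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                   typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, url TEXT, start_time INTEGER);
"""
T0 = 12864830400000000                      # 2008-09-02 12:00:00 UTC in Chrome/WebKit time
URLS = [(1, "http://www.google.com/", "Google", 3, 1, T0, 0),
        (2, "http://redwolfcomputerforensics.com/", "Red Wolf Computer Forensics", 1, 0,
         T0 + 90 * 1_000_000, 0)]           # 90 seconds later
DOWNLOADS = [(1, "http://example.com/tool.zip", 1220356800 + 3600)]   # Unix seconds, 13:00:00 UTC

WEBKIT_TO_UNIX = 11644473600                # seconds from 1601-01-01 to 1970-01-01


def webkit_to_utc(us):
    """Chrome/WebKit time: microseconds since 1601-01-01 UTC (the post's 'Microsoft epoch')."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)


def unix_to_utc(value):
    """Unix-epoch value in seconds, or in microseconds (Firefox-style) when too big for seconds."""
    us = value if value >= 10**11 else value * 10**6
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)


def guess_utc(value):
    """Pick the epoch by magnitude: 2000s dates are ~1.2e9 s or ~1.2e15 us since 1970 but
    ~1.3e16 us since 1601.  Good enough to spot a mislabeled column; confirm with a known visit."""
    return webkit_to_utc(value) if value >= 10**16 else unix_to_utc(value)


def open_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, ?)", URLS)
    conn.executemany("INSERT INTO downloads VALUES (?, ?, ?)", DOWNLOADS)
    return conn


def history_report(conn):
    """Newest-first (visited UTC, visit_count, typed_count, url, title), read straight from SQLite."""
    rows = conn.execute("SELECT last_visit_time, visit_count, typed_count, url, title FROM urls "
                        "WHERE hidden = 0 ORDER BY last_visit_time DESC").fetchall()
    return [(webkit_to_utc(t).isoformat(), vc, tc, url, title) for t, vc, tc, url, title in rows]


def downloads_report(conn):
    """Same shape for the Unix-epoch table: (started UTC, url)."""
    rows = conn.execute("SELECT start_time, url FROM downloads ORDER BY start_time").fetchall()
    return [(unix_to_utc(t).isoformat(), url) for t, url in rows]


if __name__ == "__main__":
    conn = open_sample()
    for row in history_report(conn) + downloads_report(conn):
        print(*row)
```

The subtraction constant WEBKIT_TO_UNIX is what relates the two: a WebKit value divided by a million, minus 11644473600, is the Unix time of the same instant, which is the quickest way to sanity-check a converter against a visit whose time you already know.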
As always Questions/Comments/Suggestions.
Posted by Mark McKinnon at 6:02 AM
Labels: FireFox, Google Chrome, Logs, Parser, Sqlite, Thumbnails
Monday, January 8, 2007
No This Is Not Mork From Ork.
Ok so I watched the original series when it came out, but I am not that old. What I plan to enlighten you about today is the Mork database file format. This format is mainly used in Firefox for Internet history; there are a few more files that use this format, but we will concentrate on the history.dat file. Now there are numerous programs that will read this file: Mandiant Web Historian, Digital Detective NetAnalysis and even a Perl script by Jamie Zawinski. The problem is, what if the file is broken? When the file is broken it cannot be processed by any of the above programs. A friend of mine recently had this problem and was unable to parse the history.dat file with any of the above programs. By understanding how the database worked I was able to lend him a hand.
Below is a simple history.dat file that I have. I will try to take it apart and show how to hand parse the file. If anything, this will allow you to eyeball the file to see if there is anything that would keep one of the above programs from parsing it. The file I will use is as follows; please note the first line is somewhat edited to make it show up in the posting.
// < !-- < mdb : mork:z v="1.4" > -->
< <(a=c)> // (f=iso-8859-1) (8A=Typed)(8B=LastPageVisited)(8C=ByteOrder) (80=ns:history:db:row:scope:history:all) (81=ns:history:db:table:kind:history)(82=URL)(83=Referrer) (84=LastVisitDate)(85=FirstVisitDate)(86=VisitCount)(87=Name) (88=Hostname)(89=Hidden)>
<(80=LE)(8B=http://redwolfcomputerforensics.com/)(9F=1166463003773295) (9A=1166448674185405)(8D=redwolfcomputerforensics.com)(8E =C$00o$00m$00p$00u$00t$00e$00r$00 $00F$00o$00r$00e$00n$00s$00i$00c$00s$00/\$00U$00n$00l$00o$00c$00k$00 $00P$00a$00s$00s$00w$00o$00r$00d$00s$00/$00E$00l$00\e$00c$00t$00r$00o$00n$00i$00c$00 $00D$00i$00s$00c$00o$00v$00e$00r$00y$00) (A0=3)(8F=http://www.certified-computer-examiner.com/)(9E =1166462906212309)(9B=1166448699473785)(91 =certified-computer-examiner.com)(92 =I$00S$00F$00C$00E$00 $00-$00 $00C$00e$00r$00t$00i$00f$00i$00e$00d$00 $00C\$00o$00m$00p$00u$00t$00e$00r$00 $00E$00x$00a$00m$00i$00n$00e$00r$00) (9D=2)>
{1:^80 {(k^81:c)(s=9)[1(^8C=LE)]} [A(^82^8B)(^84^9F)(^85^9A)(^88^8D)(^87^8E)(^86=3)] [B(^82^8F)(^84^9E)(^85^9B)(^83^8B)(^88^91)(^87^92)(^86=2)]}
@$${1{@
<(A1=1166463169292586)(A2=4)(A3=http://www.google.com/)(A4 =1166463174778175)(A5=google.com)(A6=1)(A7=G$00o$00o$00g$00l$00e$00)>
{-1:^80 {(k^81:c)(s=9)1 } [-A(^82^8B)(^84^A1)(^85^9A)(^88^8D)(^87^8E) (^86=4)]B [-C(^82^A3)(^84^A4)(^85^A4)(^88^A5)(^8A=1)(^86=2)(^87^A7)]}@$$}1}@
@$${2{@@$$}2}@
Kinda ugly at first glance, but once you understand it, it is not so bad.
File Header: // < !-- < mdb :mork:z v="1.4"> -->
Fields and descriptions for the database; not all fields will be used:
< <(a=c)> // (f=iso-8859-1) (8A=Typed)(8B=LastPageVisited)(8C=ByteOrder) (80=ns:history:db:row:scope:history:all) (81=ns:history:db:table:kind:history)(82=URL)(83=Referrer) (84=LastVisitDate)(85=FirstVisitDate)(86=VisitCount)(87=Name) (88=Hostname)(89=Hidden)>
Actual history data. Note that these dictionary sections (the field list above and this one) are delimited by < >, unlike the cross reference that follows.
<(80=LE)(8B=http://redwolfcomputerforensics.com/)(9F=1166463003773295) (9A=1166448674185405)(8D=redwolfcomputerforensics.com)(8E =C$00o$00m$00p$00u$00t$00e$00r$00 $00F$00o$00r$00e$00n$00s$00i$00c$00s$00/\$00U$00n$00l$00o$00c$00k$00 $00P$00a$00s$00s$00w$00o$00r$00d$00s$00/$00E$00l$00\e$00c$00t$00r$00o$00n$00i$00c$00 $00D$00i$00s$00c$00o$00v$00e$00r$00y$00) (A0=3)(8F=http://www.certified-computer-examiner.com/)(9E =1166462906212309)(9B=1166448699473785)(91 =certified-computer-examiner.com)(92 =I$00S$00F$00C$00E$00 $00-$00 $00C$00e$00r$00t$00i$00f$00i$00e$00d$00 $00C\$00o$00m$00p$00u$00t$00e$00r$00 $00E$00x$00a$00m$00i$00n$00e$00r$00) (9D=2)>
Cross reference of the actual history to the fields. Note this section is delimited by curly braces ({}). This is the important part, and I will try to give as much detail as I have found out.
{1:^80 {(k^81:c)(s=9)[1(^8C=LE)]}
[A(^82^8B)(^84^9F)(^85^9A)(^88^8D)(^87^8E)(^86=3)]
[B(^82^8F)(^84^9E)(^85^9B)(^83^8B)(^88^91)(^87^92)(^86=2)]}
The following should always be in this section; I am not sure what it is, but it has been in every file I have looked at: 1:^80 {(k^81:c)(s=9)[1(^8C=LE)]}.
The rest is the actual mapping, in brackets ([ ]), for each site visited; each pair in parentheses maps a field to the actual data, i.e. ^82 = URL and ^8B = http://redwolfcomputerforensics.com/. The mapping of the first record (A) would look like this:
(^82^8B) = (URL=http://redwolfcomputerforensics.com)
(^84^9F) = (LastVisitDate=1166463003773295 - the first 10 digits are the Unix time in seconds; the full value is microseconds since the Unix epoch)
(^85^9A) = (FirstVisitDate=1166448674185405 - first 10 digits are the Unix time in seconds)
(^88^8D) = (Hostname=redwolfcomputerforensics.com)
(^87^8E) = (Name=Computer Forensics/Unlock Passwords/Electronic Discovery) - this field is stored as UTF-16LE with each NUL byte escaped as $00, so for an ASCII title stripping all the $00 makes it readable.
(^86=3) = (VisitCount = 3)
If we look at Record B then we can see one more database field that is being used
(^82^8F) = (URL=http://www.certified-computer-examiner.com/)
(^84^9E) = (LastVisitDate=1166462906212309 - first 10 digits are the Unix time in seconds)
(^85^9B) = (FirstVisitDate=1166448699473785 - first 10 digits are the Unix time in seconds)
(^83^8B) = (Referrer=http://redwolfcomputerforensics.com/)
(^88^91) = (Hostname=certified-computer-examiner.com)
(^87^92) = (Name=ISFCE - Certified Computer Examiner) - again stored as UTF-16LE, so strip the $00 escapes to read it.
(^86=2) = (VisitCount = 2)
You can now see that field ^83 was added, which shows that the http://www.certified-computer-examiner.com site was reached from a link on http://redwolfcomputerforensics.com.
Two fields that have not been mentioned above are the following:
8A - Typed: whether the URL was typed into the address bar; set to 1 if it was
89 - Hidden: set to 1 for entries Firefox hides from its history UI (for example, intermediate pages in a redirect)
A couple of things to note that I have observed:
When you exit Firefox, the file may have multiple cross-reference sections, delimited by markers like @$${X{@ ... @$$}X}@. These appear to be the last browsing session; each time Firefox loads it reads history.dat in and consolidates the file back into the main four sections.
Each of these extra cross-reference sections may also contain updated data for existing rows (i.e. LastVisitDate or VisitCount), which gets consolidated as noted above.
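As an added example (my own code, not one of the parsers named in the post), here is a Python script that does the walk-through above mechanically: it resolves the ^ references against the two dictionaries, decodes the $00-padded Name strings as UTF-16LE, converts the microsecond dates, and replays the @$${X{@ ... @$$}X}@ update groups just described, so row A comes out with its updated LastVisitDate and VisitCount=4 and row C (google.com, Typed=1) appears. The {(k^81:c)(s=9)[1(^8C=LE)]} block after the table id is the table's meta-dict; its [1(^8C=LE)] is a meta-row recording ByteOrder=LE for the table (column 8C is ByteOrder in the field list), which is why the names decode as little-endian. The SAMPLE constant is the post's file reconstructed with the real magic line (// <!-- <mdb:mork:z v="1.4"> -->) and with a backslash-newline continuation wherever the rendering above shows a bare backslash inside a value. Assumptions: one history table, committed groups only (an ~abort~ group is rejected), and iso-8859-1 as the file's charset. Any structural problem raises a ValueError with the byte offset, which is the "eyeball the file" check the post is after.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the post's history.dat as Firefox writes it (real magic line; a '\' +
# newline continuation wherever the rendering above shows a bare '\' inside a value).
SAMPLE = r"""// <!-- <mdb:mork:z v="1.4"> -->
< <(a=c)> // (f=iso-8859-1)
  (8A=Typed)(8B=LastPageVisited)(8C=ByteOrder)(80=ns:history:db:row:scope:history:all)
  (81=ns:history:db:table:kind:history)(82=URL)(83=Referrer)(84=LastVisitDate)
  (85=FirstVisitDate)(86=VisitCount)(87=Name)(88=Hostname)(89=Hidden)>
<(80=LE)(8B=http://redwolfcomputerforensics.com/)(9F=1166463003773295)(9A=1166448674185405)
  (8D=redwolfcomputerforensics.com)(8E=C$00o$00m$00p$00u$00t$00e$00r$00 $00F$00o$00r$00e$00n$00s$00i$00c$00s$00/\
$00U$00n$00l$00o$00c$00k$00 $00P$00a$00s$00s$00w$00o$00r$00d$00s$00/$00E$00l$00\
e$00c$00t$00r$00o$00n$00i$00c$00 $00D$00i$00s$00c$00o$00v$00e$00r$00y$00)(A0=3)
  (8F=http://www.certified-computer-examiner.com/)(9E=1166462906212309)(9B=1166448699473785)
  (91=certified-computer-examiner.com)(92=I$00S$00F$00C$00E$00 $00-$00 $00C$00e$00r$00t$00i$00f$00i$00e$00d$00 $00C\
$00o$00m$00p$00u$00t$00e$00r$00 $00E$00x$00a$00m$00i$00n$00e$00r$00)(9D=2)>
{1:^80 {(k^81:c)(s=9)[1(^8C=LE)]} [A(^82^8B)(^84^9F)(^85^9A)(^88^8D)(^87^8E)(^86=3)]
  [B(^82^8F)(^84^9E)(^85^9B)(^83^8B)(^88^91)(^87^92)(^86=2)]}
@$${1{@
<(A1=1166463169292586)(A2=4)(A3=http://www.google.com/)(A4=1166463174778175)(A5=google.com)(A6=1)(A7=G$00o$00o$00g$00l$00e$00)>
{-1:^80 {(k^81:c)(s=9)1 } [-A(^82^8B)(^84^A1)(^85^9A)(^88^8D)(^87^8E)(^86=4)]B
  [-C(^82^A3)(^84^A4)(^85^A4)(^88^A5)(^8A=1)(^86=2)(^87^A7)]}@$$}1}@
@$${2{@@$$}2}@
"""
CELL = re.compile(r"\(\s*(\^?)(\w+)\s*([=^])((?:\\.|[^)])*)\)")  # (id=literal) or (^col^atom)
TABLE_ID = re.compile(r"(-?)([0-9A-Fa-f]+):\^?[0-9A-Fa-f]+")       # '1:^80' right after '{'
ROW_ID = re.compile(r"\s*(-?)([0-9A-Fa-f]+)(?::\^?[0-9A-Fa-f]+)?")  # 'A', '-A', 'B:^80'
GROUP_MARK = re.compile(r"@\$\$([{}])[0-9A-Fa-f]+\1@")              # '@$${1{@' / '@$$}1}@'

def fail(msg, offset):
    raise ValueError("%s at offset %d" % (msg, offset))

def decode_value(raw):
    """Expand '$XX' (one hex byte) and '\\x' (literal x); a NUL after every byte means UTF-16LE."""
    data = re.sub(rb"\$([0-9A-Fa-f]{2})|\\(.)",
                  lambda m: bytes.fromhex(m.group(1).decode()) if m.group(1) else m.group(2),
                  raw.encode("latin-1"), flags=re.S)
    if data and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le")
    return data.decode("iso-8859-1")      # charset the file declares in its '(f=iso-8859-1)' comment

def mork_time(value):
    """History dates are microseconds since 1970-01-01 UTC (the post's 'first 10 digits' are seconds)."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))

def parse_history(text):
    """Replay dicts, tables and groups in file order; return rows of the (single) history table."""
    text.lstrip().startswith("// <!-- <mdb:mork:z") or fail("missing Mork magic header", 0)
    text = text.replace("\\\n", "")              # '\' at end of line continues a value
    columns, atoms, rows, order = {}, {}, {}, []
    ctx, i, n = [], 0, len(text)                 # open containers: "atoms"/"cols"/"table"/"meta"/row dict
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif text.startswith("//", i):           # comment; a URL's '//' sits inside a cell, consumed whole
            i = text.find("\n", i) if "\n" in text[i:] else n
        elif text.startswith("<(a=c)>", i):      # nested in a dict: that dict's entries are column names
            ctx[-1] = "cols"; i += 7
        elif c == "<":
            ctx.append("atoms"); i += 1
        elif c == "(":
            m = CELL.match(text, i) or fail("bad cell", i)
            caret, key, kind, val = m.groups()
            top = ctx[-1]
            if top in ("atoms", "cols"):
                (atoms if top == "atoms" else columns)[key.upper()] = decode_value(val)
            elif isinstance(top, dict):          # row cell: (^col=literal) or (^col^atom); meta cells skipped
                col = columns.get(key.upper(), key) if caret else key
                top[col] = atoms[val.strip().upper()] if kind == "^" else decode_value(val)
            i = m.end()
        elif c == "{":                           # '{1:^80' opens a table ('-' drops its rows first);
            m = TABLE_ID.match(text, i + 1)      # anything else is the table's meta-dict
            if m and m.group(1) == "-":
                order.clear()
            ctx.append("table" if m else "meta"); i = m.end() if m else i + 1
        elif c == "[":
            m = ROW_ID.match(text, i + 1) or fail("bad row", i)
            rid = m.group(2).upper()
            row = rows[rid] = {} if m.group(1) == "-" else rows.get(rid, {})  # '[-A' replaces all cells
            if ctx[-1] == "table" and rid not in order: order.append(rid)
            ctx.append(row); i = m.end()
        elif c in ">}]":
            ctx.pop(); i += 1
        elif c == "@":                           # '@$${1{@' opens, '@$$}1}@' commits; '~abort~' is rejected
            i = (GROUP_MARK.match(text, i) or fail("unsupported group marker", i)).end()
        elif ctx and ctx[-1] in ("table", "meta"):   # bare ref: 'B' keeps row B in the table, '-B' cuts it
            m = ROW_ID.match(text, i) or fail("unexpected %r" % c, i)
            rid = m.group(2).upper()
            if ctx[-1] == "table" and m.group(1) == "-": order.remove(rid)
            elif ctx[-1] == "table" and rid not in order: order.append(rid)
            i = m.end()
        else:
            fail("unexpected %r" % c, i)
    ctx and fail("unclosed dict/table/row", n)
    return [dict(rows[r]) for r in order]

if __name__ == "__main__":
    for r in parse_history(SAMPLE):
        print(mork_time(r["LastVisitDate"]).strftime("%Y-%m-%d %H:%M:%S"), r.get("VisitCount", "?"),
              "typed" if r.get("Typed") == "1" else "link ", r["URL"], "|", r.get("Name", ""))
```

Running it prints the three rows in table order with A's visit count already at 4, which is the consolidated view Firefox would write back on its next start. To use it on a real file, read it with encoding "latin-1" and pass the text to parse_history; when it raises, the offset points at the first character that no longer fits the grammar, which is usually the truncation or corruption that stops the GUI tools.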
Hopefully this helps and I did not confuse everyone.
Questions/Comments?