2.1
Web browser history files
(Internet Explorer, Netscape, Opera, Mozilla)
2.5 Chat clients - chat logs (Instant Messenger, ICQ, mIRC)
2.6 Web based chat - chat logs
2.7 Tracking activities using the Windows Start Menu
2.8 Peer to Peer (P2P) program downloads (Kazaa, BitTorrent, Gnutella, Morpheus)
2.9 Movie players (Real Player, QuickTime, Windows Media Player)
2.1. Web browser history files (Internet Explorer, click here to jump to Mozilla Firefox) ( Netscape, Opera, other browsers, upon request)
http://www.techzoom.net/publications/insecurity-iceberg/index.en
Internet Explorer accounts for 90% of all web browsers, so I will focus on recent versions of IE.
Internet
Explorer version 6
Internet
Explorer version 7
Web browsers keep a record of all websites visited. There are three places that a web browser stores this information: in the History Folder, Temporary Internet Files folder and Address Bar history. I recently came across a nice video showing a few of these steps at: http://www.ikeepsafe.org/assets/videos/?vid=aol_regina.
If you are running Windows 98 or
earlier, you are probably using Internet Explorer version 5.
Your history icons will be located in the navigation toolbar and look like
the one of the following:
or
,
depending on your icon size and text settings. In Internet Explorer
version 6, the history icons will look like this:
or
.
In Internet
Explorer version 7, they did away with the History toolbar button! There
is a yellow star in the upper left hand corner of the browser. This
opens the "Favorites Center" (you can also press "Alt +
C" to open it.) Then select the History tab inside the Favorites
Center.
If you don't see the history icons in your Internet Explorer (version 6 and earlier) toolbar, follow these steps to create it:
Right click in the Menu bar and select Customize. The Customize menu will then appear.
If you've opened your History folder and it is empty, then ensure that this feature is turned ON (i.e. the number of "Days to keep pages in history" is greater than zero). Often times crafty cheaters have disabled this feature to avoid trouble.
In the Menu bar, select Tools --> Internet Options. The Internet Options menu will then appear.
Internet Explorer version 6
Ensure that the number of days to keep pages in history is greater than zero. The maximum is 999 days, but that is probably an excessive use of hard drive space. If you are going to be checking the history folder on a regular basis, then 21-30 days of history is plenty.
Note also the Clear History button. This is a well known "panic" button for spouses that have something serious to hide. As its name implies, it will completely delete all records in the History folder and Address bar history. So, if your History feature is turned on, but there are no records, something is amiss! We will revisit the Internet Options menu later to examine the effects of tampering with the Temporary Internet Files settings. Internet Explorer version 7, in particular, has the made-for-the-cheating-spouse "Delete all" button to make quick work of erasing evidence in one fell swoop! Previously, it was a chore to go to each and every folder to delete things. Often, you could forget to delete something in the heat of the moment.
Internet
Explorer version 7
Here's what the help file says about the "Delete Browsing History" feature:
"Delete webpage history
"As you browse the web, Internet Explorer stores information about the websites you visit and information that you're frequently asked to provide (for example, your name and address). The following is a list of the type of information that Internet Explorer stores:
- Temporary Internet files
- Cookies
- A history of the websites you've visited
- Information that you've entered into websites or the Address bar (this is referred to as saved form data and it includes things such as your name, address, and the website addresses that you've visited before)
- Passwords
- Temporary information stored by browser add-ons
"Usually, it's helpful to have this information stored on your computer because it can improve web browsing speed or automatically provide information so you don't have to type it in over and over. You might want to delete that information if you're cleaning up your computer or are using a public computer and do not want any of your personal information to be left behind."
Now, just because all your IE History records are in place and look innocent does not guarantee that a sly spouse isn't deleting individual history records. You can still right-click a hyperlink in the History folder and select Delete to only remove that one record. After my spouse caught on that I was monitoring the History folder, he simply erased select indecent web sites and left the other records untouched.
There are basically three categories of data recorded in the History folder:
1) Pop-ups - these are sneaky windows that you have no control over and force you to visit a website. The web URL is still recorded in your History folder even though you didn't intentionally visit the website. This is an excuse behind which many cheaters hide. What do you do when you find your partner trolling the personals ads and he says "It popped up on its own?" First of all, most web browsers these days come with the pop-up blocker turned on and I can't imagine why anyone would turn it off. How to check if popup blocker on.
2) Clicked links - this is generally what you do when surfing the 'net; you click links that take you from site to site. For example, you probably navigate around your favorite news site by clicking on headlines and using the 'back' button to return to the front page.
3) Manually entered URLs - these are the ones where you have to type the URL into the Address bar. For example, when you see an interesting website advertised on TV, you copy down the URL and have to type out the whole address in order to get there. So what?! This deliberate course of action triggers a URL to be recorded in the Address History bar in addition to the History folder. To access the Address History, click the down arrow at the end of the Address bar. Any URL showing up here is the result of a conscious effort and does not come from a pop-up window.
Even with my spouse continually trying to stay one step ahead of my forensics investigation by deleting individual records in the History folder, I could still check the Address History and see the web addresses that he hand typed.
But wait, there's still a way around that! This is Newton's Third Law of Cheating Spouses: for every action there is an equal and opposite reaction. That is to say, for every method of uncovering secrets there is another way to hide them. Just as the cheater can erase individual records in the History folder, the same can be done for the Address History entries. Since erasing the entire browser history raises red flags, erasing individual records is less noticeable. However, erasing individual Address History records is an advanced technique. To do this, one must edit the enigmatic "Windows Registry". Typically, a Windows user should never in their life need to visit this mystifying place. One wrong move in the Registry maze and your computer could be paralyzed for life. Therefore everything you need to know is outlined here and it is not necessary to explore the Registry, except at your own risk! Some people will go to great lengths to hide things, no? Since there is no need to go into the Registry, you should check to see if "regedit" shows up in the history of the Windows Start->Run menu (click the drop-down arrow to view previously executed commands):
At the Start-->Run menu, type 'regedit' (without the quotes) to open the Registry.
Navigate to the path: My Computer\HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs. (Beginning with the top level, "My Computer", click the plus sign next to each folder to uncover the successive directories until you get down to the "TypedURLs" folder.) This path is the same for all versions of Windows. All the URLs in the Address History are stored in this folder. An individual record can still be erased by right-clicking on the numbered URL next to the web address and selecting 'delete', just like you can for the Internet History folder.
By now you should be waiting for me to tell you how the cunning cons avoid the Address History. Very good! For to investigate your computer exhaustively, you must think like the adversary. Here is the catch to the Address History records--there are two places in Internet Explorer to manually input a URL--the Address bar and by using the File--> Open (or Ctrl+O) option. Hand typed URLs are only recorded in the Address History if typed into the Address bar. If typed into the File-->Open box, it is not recorded anywhere else but the History folder. With this method the con artist can avoid the tedious task of editing the Windows Registry.
If you are running Mozilla
Firefox, your history icons will look like this:
or
.
If you don't see the history icons in your Firefox toolbar, follow these steps to create it:
Right click in the Menu bar and select Customize. The Customize menu will then appear.
Note the Clear Private Data option under the Tools menu in Firefox. This is the Firefox version of the "panic" button used by sneaky spouses. Furthermore, Firefox makes it extra easy for anyone to erase all history records with the simple combination keystroke Ctrl+Shift+Delete. Again, if your History feature is turned on, but there are no records, something is amiss! Be sure to change your Clear Private Data settings to match those in the example I've given. This will slow down your suspect and perhaps buy enough time to catch him or her in the act of erasing history files. Yes, the clear authenticated sessions option is still enabled because at least one option must remain enabled in order to make the changes to the settings. Fret not, because leaving this option enabled will not cause you to miss anything major.
Firefox keeps the Address History in a similar way to IE, but there is no way to delete individual Address History records. Like IE, you can manually enter URLs in either the Address bar or using the File--> Open Location (or Ctrl+L) option. Unlike IE, the Address History is recorded either way with no way to subvert it because there is no corresponding entry in the Windows Registry.
I know this isn't exciting stuff, but stay with me and it will pay off.
2.2
Web browser cookie files –
come to the dark side, we have cookies…
Depending on your security settings, you may find many or only a few cookies on your hard drive. The default privacy level is "Medium"–your web browser accepts cookies meeting certain privacy criteria. If your privacy settings are set to "Block All Cookies" from all websites, chances are you will know it because it will be a chore to surf the Internet. If all cookies are blocked, you will frequently run into login errors and the warning, "Cookies are not enabled on your browser. Please adjust this in your security preferences before continuing." This is rather alerting, so cheaters are more likely to just erase their cookie files after they're finished browsing. At the default setting of Medium privacy, your personal information is safe. No one needs to block all cookies–unless they have something to hide. If it is set to Block All Cookies, click the Default button to reset the security to medium. Cookies are a good tracking alternative like viewing the browser history.
Cookies are stored on your
computer in the Cookies folder. Typical
locations of this folder are:
Windows XP:
C:\Documents
and Settings\Owner\Local Settings\Temp\Cookies. There may be more
cookies in other folders, as well. The
best way to find them all in Win XP is to do a search on the word “Cookie”
(Start menu -> Search -> For Files or Folders -> All Files and Folders
-> All or part of the file name: cookies -> Search.) If you have
multiple Windows user accounts, there will be cookies stored in each
user's folder.
Windows Vista: Cookies are located in a hidden folder, so you will only see it if your computer is set to “Show Hidden Files and Folders.” To enable this setting, open Windows Explorer and go to the Tools menu (hit F10 if you don't see the menu bar) -> Folder Options -> View. Select the radio button under Files and Folders -> Hidden Files and Folders.
Then you will be able to view the cookie files, typically located in: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies -and- C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\Low
Cookies collect basic information about you. This folder shows you websites that have collected some kind of information about you. Some folders will contain cookies, and some will not. However, if all cookies folders are empty (and your security system is not set to Block All Cookies), you should be suspicious. Here is an example of what you can find in the Cookies folder:
Open this file and you’ll
see some nonsense computer-speak:
2.3 Index.dat files
This is an important concept to be aware of. I have pilfered this explanation of Index.dat files from Steven R. Gould, author of Index Dat Spy (http://www.stevengould.org/index.php?option=com_content&task=view&id=47&Itemid=88 ). Index Dat Spy is free, easy to use, and will give you valuable insight into worlds of hidden information.
Copyright (c) Steven Gould, 2003-2004:
