Internet History Reconstruction
When we visit websites, the web browser leaves a digital footprint on our computer system. We can use tools and techniques to uncover this valuable information, and then use it as evidence to put together a timeline of when certain events occurred or what events may have taken place on a computer system. The information left behind is the Internet activity, or browsing history. We can reconstruct the details of Internet history from a computer by examining a handful of files that contain the web browser's history. Internet Explorer, a popular web browser on Microsoft Windows computers, has by itself three different areas where we can find evidence: web browsing history, cookies, and temporary internet files.
We can choose from several web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera, all of which offer slightly different services, interfaces, and even speed. From a forensic standpoint, they all have at least some similar properties for extracting data and collecting evidence.
Internet Explorer is a Windows-based web browser, most commonly found on computer systems running Microsoft Windows. Mozilla Firefox is common on all three operating systems: Microsoft Windows, Mac OS X, and Linux. The Google Chrome web browser is most common on Windows and Mac OS X. Safari is most commonly found on Mac OS X based computer systems; however, Safari is available on Windows computer systems as well.
When revisiting a website, web browsers create files called cache files that are downloaded website data. These cache files remain available on the computer even when the browser is closed or the computer is shut down. Cache files are used so that web pages can be loaded more quickly when revisiting a website. These files are also referred to as Internet History or Temporary Internet Files. Depending on the operating system of the computer and the browser application, they are stored in different locations.
Internet Explorer stores temporary internet files in the following folder: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
Mozilla Firefox stores its browsing history in SQLite format database tables located in:
Google Chrome is similar to Firefox and stores cache file information in:
Safari is part of Apple Mac OS X but can also be found on computers running the Microsoft Windows operating system. Safari browser history is stored in Apple's property list file format (History.plist) in: C:\Users\\AppData\Roaming\Apple Computer\Safari
Another important file is the browser cookie file, or simply a cookie. A cookie is a small file containing data that the web server places on the user's computer so that it can quickly request the information again later. During a forensic analysis, it is often relevant to parse the information in Internet Explorer's cookie files into a human-readable format. Cookies can provide insight into a suspect's internet activity. Cookies are necessary because HTTP is a stateless protocol; websites must therefore place information on a user's computer if they need to save information about a web session. For instance, whenever a person purchases a book from amazon.com and adds it to their shopping cart, the information can be saved on the client's computer. Information that can be found in a browser cookie file includes:
- The variable name
- The value of the variable
- The website that issued the cookie
- The creation and expiration time for the cookie
- An asterisk (*), which is the record delimiter
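The fields listed above can be turned into a human-readable timeline with a short parser. The following is an added example, not code from the original article. It assumes the text-based Internet Explorer cookie layout in which each field sits on its own line in the order name, value, site, flags, expiration time (low and high 32-bit halves of a Windows FILETIME) and creation time (low and high halves), closed by the `*` delimiter. The function names and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(low, high):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601)."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ie_cookies(text):
    """Return (records, leftovers); leftovers are chunks that did not parse."""
    records, leftovers, chunk = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if line != "*":
            chunk.append(line)
            continue
        # "*" closes a record. Assumed field order: name, value, site, flags,
        # expiry low/high, creation low/high.
        if len(chunk) == 8 and all(f.isdigit() for f in chunk[3:]):
            name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = chunk
            records.append({
                "name": name, "value": value, "site": site, "flags": int(flags),
                "created": filetime_to_utc(cre_lo, cre_hi),
                "expires": filetime_to_utc(exp_lo, exp_hi),
            })
        else:
            leftovers.append(chunk)  # keep malformed data for manual review
        chunk = []
    if any(chunk):
        leftovers.append(chunk)  # final record cut off before its delimiter
    return records, leftovers

# Constructed sample: one complete record and one truncated record.
SAMPLE = "\n".join([
    "session_id", "A1B2C3", "example.com/", "1024",
    "3577004032", "30124358",   # expiry low/high   -> 2011-01-01 UTC
    "1550712832", "30050933",   # creation low/high -> 2010-01-01 UTC
    "*",
    "truncated", "value",
])

if __name__ == "__main__":
    records, leftovers = parse_ie_cookies(SAMPLE)
    for r in records:
        print(r["site"], r["name"], r["value"], r["created"], r["expires"])
    print("unparsed chunks:", leftovers)
```

Chunks that do not match the expected layout are returned separately instead of being dropped, so a damaged or partially overwritten cookie file can still be reviewed by hand.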
Web browsing history can also be found in the Windows Registry. Evidence of URLs that are typed into the address bar of Internet Explorer can be found in the Windows Registry under the HKEY_CURRENT_USER hive. The entries are listed with the first visited website as url6 and the last visited website as url1, as shown in the figure below.