This experiment was part of class assignments performed at computer laboratory of CIS Strathclyde. Surprisingly in this laboratory, all machines run Ubuntu as the operating system, so that all forensic activities carried out under Ubuntu. All applications used during the activities are free and flexible, even some of them are more powerful than commercial applications running under Ms Windows.
The most computer users in the world use Microsoft Windows as their operating system especially Windows XP because most applications either commercial or freeware are compatible with it. Based on this, the forensics investigators have to consider it because the most frequent evidence come from Windows XP machine including the evidence of Internet Explorer which is default installation from Microsoft. The Internet Explorer is often used by the users for browsing the internet, accessing emails and so on.
In this experiment, it was carried out the analysis of Internet Explorer traces under Ubuntu 8.10 in order to get the activity history of Internet Explorer. The tools used are pasco command under Ubuntu 8.10.
For this experiment, the directory of 'Local Settings' containing temporary internet files such as index.dat from experimental machine was copied for the object of examination, after that the command of 'pasco index.dat > IEAnalysis.txt' was run, then the result of this command is IEAnalysis.txt file. If the investigators open this file using vi command, so it will display the content irregularly therefore they have to use spreadsheet applications such as OpenOffice Spreadsheet, Gnumeric Spreadsheet and so on, so that they can analyse the use of Internet Explorer easily with more details.
Figure 1
The result of pasco command is displayed regularly using spreadsheet application
The result of pasco command is displayed regularly using spreadsheet application
From pasco command, it was found the list of Internet Explorer activities with time stamps (modified and access), file name and http headers of websites which had ever been visited by the user. Below is some of the websites :
http://www.liputan6.com, http://www.forensicfocus.com, http://www.jsfce.com, http://certified-computer-examiner.com, http://www.utica.edu, http://en.wikipedia.org and so on which were clicked by the user on 17 December 2008 from 7.35am till 8am.
No comments:
Post a Comment