Chapter 9: Internet Artifacts

Question 1

what is a browser

Answer 1

a program/ application a user can use to access websites via the world wide web

Question 2

what are the most common browsers

Answer 2

1. chrome (55%)
2. safari (12%)
3. internet explorer (8%)
4. firefox (6%)

Question 3

where does chrome store data

Answer 3

within diff databases, allowing options to sync across multiple platforms

Question 4

what file are bookmarks (chrome)

Answer 4

• JSON Javascript object notation formatting file
• will not have a file extension

Question 5

what info can we see when you open a JSON bookmark file in a text reader

Answer 5

• date added
• last visited
• name of bookmark
• url

Question 6

what folders are found under the root directory when viewing a JSON bookmark file in a text viewer

Answer 6

• bookmark_bar additional children folders and their info
• other
• synced

Question 7

is the presence of an incriminating bookmark enough to act on

Answer 7

may or may not, typically you should show they acc visited the page

Question 8

what can be found in the chrome history database

Answer 8

• downloads (where they got it from, where it is stored, start/stop time of download, and size)
• keyword search (what terms were searched)
• URL types (what was put into the search bar)
• history (URL visited by user, number of times, and date/time of visis)

Question 9

what are cookies

Answer 9

• a dataset created by a website and stored on the user’s system
• designed to track the users activity (adding an item to cart or which pages were visited)

Question 10

is the presence of a cookie evidence the user knowingly visited the site

Answer 10

no

Question 11

what type of file are cookies in Chrome

Answer 11

• SQLite database
• no file extension

Question 12

what key thing of interest can be seen on cache

Answer 12

server IP address

Question 13

where can you find the password info saved in chrome

Answer 13

in the Logon Data file

Question 14

what type of file is the saved password info in Chrome

Answer 14

• SQLight database
• no file extension

Question 15

how are passwords saved in their SQLight database form in Chrome

Answer 15

• not the acc passwords
• stores info about the account, to encrypt passwords
• Chrome Pass will decrypt passwords

Question 16

what is the web browser of the microsoft windows OS

Answer 16

internet explorer

Question 17

how are bookmarks saved in internet explorer

Answer 17

URL format

Question 18

how long does internet explorer track users activity

Answer 18

20 days (can be changed by the user tho)

Question 19

edge and internet explorer version 10 and higher use which ESE database

Answer 19

WebCasheV01.dat

Question 20

what do you want to look at in the WebCasheV01.dat file to find info about IE history

Answer 20

• containers
• there are 16 tables, we care about 12, 14, 15, 16

Question 21

describe the naming conventions of the MSHist01 tables

Answer 21

the dates they span from (year/month/day)

Question 22

what is found in table 12 in the containers file in internet explorer

Answer 22

daily history file

Question 23

how do we find the date/time values for the files found in table 12 in the containers file in internet explorer

Answer 23

• take the decimal number
• convert it into hex
• use DCode to get the date/time

Question 24

when a user types a URL into the address bar, what happens in internet explorer

Answer 24

a record is created in the user’s NTUSER.dat file

Question 25

what do you want to look at in the WebCasheV01.dat file to find info about IE cache

Answer 25

- use Internet Explorer Cache Viewer - itll give you the filename, and URL of where it came from

Question 26

how does IE save cookie files

Answer 26

as simple text files

Question 27

which table of WebCacheV01.dat has info about cookies

Answer 27

5

Question 28

what is one unique feature offered by firefox

Answer 28

the use of multiple profiles (can segregate their activity)

Question 29

how does firefox store cache

Answer 29

under each profile

Question 30

how does firefox store cookies

Answer 30

- uses SQLite database to store info - NOT as single files - found in the Roaming folder

Question 31

how does firefox store history

Answer 31

- in the SQLite database file called *places.sqlite* - types URLs are also here

Question 32

where does firefox store passwords

Answer 32

- in two files: - **kay#.db** (can be key3 or key4) - **logins.json**

Question 33

where does firefox store bookmarks

Answer 33

in an SQLite database file

Question 34

what is social media

Answer 34

the use of apps or programs to create and share info, forms of expression, opinions, ideas, and so on through the global internet

Question 35

which locations are there for you to find digital evidence related to your investigation surrounding social media

Answer 35

- user system - service provider

Question 36

what is the important part of the facebook URL

Answer 36

the profile ID (unique set of numbers for each profile)

Question 37

what is the difference between twitter's **handle** and **UID**

Answer 37

- handles can change - UID remains the same

Question 38

what info does the service provider have on their subscriber

Answer 38

- name - age - address - usage dates/times - IP address

Question 39

how do you get info from the service providers on their subscriber

Answer 39

serve them w appropriate judicial paperwork

Question 40

what does P2P stand for

Answer 40

peer-to-peer

Question 41

how does P2P file sharing work

Answer 41

- user installs app - they designate which files/folders they want to share to the network - you can search for files on the network and if they want it, the app identifies the nodes possessing the file - the app then connects them and starts downloading pieces of the file

Question 42

what is Ares

Answer 42

an open source P2P app using decentralized network configuration

Question 43

what can you find in the Data folder of Ares

Answer 43

- two files: **ShareH.net** and **ShareL.dat** - these files track the filename, hash value, date/time stamp, and sharing status

Question 44

what is eMule

Answer 44

an open source P2P app using decentralized network configuration

Question 45

what happens when a user installs eMule

Answer 45

- created an **eMule** folder - contains 2 subfolders: **incoming** and **temp**

Question 46

what happens when files are downloaded on eMule

Answer 46

- as they are downloading, they're stored in **temp** - once it is complete, they're moved to **incoming**

Question 47

what can you find in the **config** subdirectory of eMule

Answer 47

- the **preferences.ini** file - this tells the nickname and location of incoming and temp directories

Question 48

what is found in the **prederences.dat** file

Answer 48

the unique identification number for each user

Question 49

what is found in the **AC_SearchStrings.dat** file in eMule

Answer 49

the last 30 searched terms by user

Question 50

what is found in **known.met** file in eMule

Answer 50

list of files that have been downloaded by the app and files shared by the app

Question 51

what is Shareaza

Answer 51

an open source P2P app using decentralized network configuration

Question 52

what is found in the **Shareaza** folder

Answer 52

**local** and **roaming** folders

Question 53

what is found in the **Data** folder of Shareaza

Answer 53

- file called **Profile.xml** - contains user-created and app created artifacts

Question 54

what is stored in the **IncompletePath** in shareaza

Answer 54

incomplete files

Question 55

what service models of cloud-based computing might we encounter

Answer 55

- infrastructure as a service - software as a service - platform as a service

Question 56

what are the deployment methods of cloud resources to choose from

Answer 56

- **public cloud** made available to public or specific members of a group - **private cloud** available to specific members w specific rights - **community cloud** *similar to private* users comprise multiple organizations w similar focus - **hybrid cloud** made up of 2 or more diff deployment methods

Question 57

describe **infrastructure as a service**

Answer 57

- offered to customer for use - provider maintains ownership and control - customer pays for hardware/service needed

Question 58

describe **software as a service**

Answer 58

- apps are provided to the customer via network - costumer pays subscription fee to vendor to use software - content is stored on the server and can be used/shared w other members

Question 59

describe **platform as a service**

Answer 59

- OS of the client is provided to the customer via a cloud server - user can install apps and maintain settings - provider manages hardware and OS - client is responsible for system admin

Question 60

what are the most common cloud-based storage options

Answer 60

dropbox and google drive

Question 61

which databases are of interest in dropbox

Answer 61

- **config.dbx** user ID, account email, username and path for *dropbox* folder - **filecache.dbx** *file journal table*, w info on files being synched

Question 62

which databases are of interest in google drive and why

Answer 62

- **sync_config.db** email associated, USB deviced being synced, path for folders - **snapshot.db** local_entry table w info about files being synced - **cloud_entry** contain filename, modified date/time stamps, file size etc - **device_db.db** the *external_devices* table w device ID, USB device label, upload date/time stamps, and any sync - **devices_file** contain device ID, file name, file path, date/time of sync