Wednesday, 14 January 2009

Encase v6 Comprehensive Internet History Search and Firefox Mork Databases

Encase version 6 now includes considerable functionality in recovering Internet History records for a number of browsers.

In a recent case using v6.12.1 I ran a search for internet history with the Comprehensive search option selected. My results included relevant hits in unallocated clusters which Encase attributed to Mozilla History/Forms. The results are recorded within the Encase Records tab and when highlighting a record some data was highlighted in the view pane which made me scratch my head - and luckily loosen some cobwebs in a long ago abandoned area of my brain. What was Encase showing me - I wasn't sure but my brain was telling me it was something to do with Mork.

Click on screenshot 1 to see a larger image



My suspect was using Firefox version 1.8. Firefox can save (subject to user configuration) information entered into web forms and the search bar to make form filling and searching faster. This information is saved in a file known as formhistory.dat. Encase had found data within unallocated that was a fragment of a deleted formhistory.dat file. In this version of Firefox formhistory.dat contained a Mork database. Encase had highlighted in the view pane what I will loosely refer to as the address of the data that it had parsed out.

[8(^83^83)(^82^8A)]

To understand this better we need to look more closely at all the data in the database. Because the hit was in unallocated I needed to find the start of the deleted formhistory.dat file. The file signature of the file is highlighted in the screenshot below

Click on screenshot 2 to see a larger image










so I scrolled up in the view pane, found this header and swept down to the footer (which is the } after the last address) and exported out the data as a file

Click on screenshot 3 to see a larger image


























Open the file with Notepad and find/replace all the $00 strings with an empty string. The file now looks a lot more readable

Click on screenshot 4 to see a larger image



































In the example we are working through the address we are interested in is

[8(^83^83)(^82^8A)]

which can be seen shown in red at the bottom of Screenshot 4 above. This address is a row within the Mork database. The row is delimited with open and close square brackets [] and is made up of a Row Object ID followed by a series of cells delimited by open and close brackets (). The cells contain a column name and a value.

The column names are defined within a dict delimited with <> shown in green at the start of Screenshot 4 above. It can be seen that two column names are relevant here name and value, given object ids of 83 and 82 respectively.

The values are defined within the next dict down. The one relevant to our address are shown in red.

[8(^83^83)(^82^8A)]

decodes to

[8(^Name^searchbar-history)(^Value^vmware fusion)]

The Name column contains the type of record - searchbar-history means what it says on the tin, other values may relate to various fields found on web page forms. The query field on the Google Firefox start page is represented by q .

Encase does not report these records particularly well. I chose to export relevant records into a spreadsheet and manually add the physical sector and sector offset of each row.

References
https://support.guidancesoftware.com/forum/showpost.php?p=115379&postcount=2
http://www.mozilla.org/mailnews/arch/mork/primer.txt
https://developer.mozilla.org/en/Mork_Structure



No comments: