Digital Evidence and Computer Crime, Second Edition

12.5 Internet Traces

Older Macintosh systems were not designed with Internet access in mind and do not retain log files of network activities. More recent versions, such as MacOS 9 and MacOS X, come with Web servers and other Internet servers that have associated log files. On all systems, Internet applications such as Netscape, Internet Explorer, and Eudora create records of activities such as Web resources accessed and e-mail sent and received.

12.5.1 Web Activity

On Macintosh systems, Netscape user profiles in "System Folder: Preferences: Netscape:Users" contain files named "Netscape History," and sometimes a second "Netscape History Old" file, which contain a history of Web sites that were accessed. These files are in Berkeley DB format and can be interpreted as detailed in previous chapters. Netscape stores cached files in each user's Cache folder along with details such as the associated URL and when they were accessed in Acachelog.txt and Ccachelog files. Each user's cookies are stored in a file named "MagicCookie."

On operating systems prior to MacOS X, Internet Explorer related files are in its installation directory, "System:Explorer:History.html," "System:Preference:Internet Prefs," and "System Preferences:MS Internet Cache: cache.waf." Rather than storing each cached item in separate files, a WAF file organizes cached content and associated information in a single Web Archive Format. MacOS X keeps most Internet Explorer files in each user's home directory under "Library/Preferences/Explorer/," and stores cached data using a Web Archive Format file in "Library/Caches/MS Internet Cache." The contents of these Web Archive Format file can be viewed using WAFInspec^[3] on MacOS X (Figure 12.4). The Export function of WAFInspec extracts cached content such as images and HTML pages from these files. Alternatively, Web content can be carved out of the "cache.wav" file.

Figure 12.4: IE Cache.waf file viewed using WAFInspec.

Internet Explorer stores cookie files in different places, depending on the version of the browser: version 2 in "System Folder:Preferences: Explorer: Cookies.txt"; version 3 in "System Folder:Preferences:Internet Preferences"; version 4 in "System Folder:Preferences:MS Preference Panels:Cookies".

Internet Explorer stores Web browser history entries in an HTML file named "History.html" with date-time stamps in UNIX numeric format as shown here (e.g. 1052078766 = Sun, 04 May 4, 2003 15:06:06 - 05:00).

<A HREF="http://www.cantenna.com/thankyou.html" LAST_VISIT="1052078766" ADD_DATE="1052078766" VISITATION_COUNT="2" OBJECT_TYPE = "LINK">Cantenna WiFi Booster <A HREF="https://www.paypal.com/cgi-bin/webscr?__track= _xclick-flow: p/xcl/pay/buy-confirm:_xclick-payment-confirm-submit" ADD_DATE="1052078378" LAST_VISIT="1052078754" VISITATION_COUNT="6" OBJECT_TYPE5"LINK''>PayPal - PayPal Website Payment <A HREF= "https://www.paypal.com/cgi-bin/webscr?__track=_xclick-flow: p/xcl/pay/buy-index-blank_reg:_xclick-user-submit" ADD_DATE=''1052078185" LAST_VISIT="1052078727" VISITATION_COUNT="5" OBJECT_TYPE= "LINK">PayPal - PayPal Website Payment <A HREF="http://www.google.com/search?hl=en&lr=&ie=ISO- 8859-1&q=human+poison+herbs" ADD_DATE="1049641841" LAST_VISlT="1049642467" VISITATION_COUNT="3" OBJECT_TYPE="LINK">

12.5.2 E-Mail

Some e-mail applications log details of incoming and outgoing messages, such as the Eudora log shown here.

Fri Jan 28 21:44:46 2000 101 1:38.27.0 mail.domain.net 9543 101 1:0.1.7 Sending John Doe, 9:44 PM -0500, What do you think?. 101 1:0.2.51 Succeeded. Fri Jan 28 21:47:46 2000 102 1:3.0.2 mail.domain.net 9543 102 1:0.1.19 Sending Janet Smith, 9:47 PM -0500, Re: Important Questions. 102 1:0.2.52 Succeeded. Fri Jan 28 21:52:57 2000 103 1:5.11.47 mail.domain.net 9543 103 1:0.0.58 Sending George Baker, 9:52 PM -0500, Re: Meeting tomorrow. 103 1:0.2.26 Succeeded. Fri Jan 28 22:03:27 2000 MAIN 8:3.14.4 eco@corpus-delicti.com MAIN 8:0.0.0 enter the 104 1:0.0.24 mail.domain.net 9543 MAIN 8:0.4.42 Dismissed with 1. 104 1:0.37.29 Sending Sam Rider, 10:03 PM -0500, What I forgot on the phone. 104 1:0.39.10 Succeeded.

Although Eudora on any operating system can be configured to log the same type of information, by default, Eudora for Macintosh records more information than Eudora for Windows. Outlook Express stores e-mail under "Documents:Microsoft User:Data:Outlook Express:Identities."

12.5.3 Network Storage

MacOS X is Unix based and has many of the same network sharing capabilities described in the previous chapter. Both MacOS 9 and MacOS X maintain a list of recently accessed file servers. MacOS 9 maintains this information in "System Folder:Apple Menu Items:Recent Servers" and MacOS X stores the list under each user's home directory as shown here.

[macosx:~/Library/Recent Servers] user13% Is -I total 0 -rw-r-r- 1 user13 staff 0 Apr 4 13:44 idisk.mac.com-user13

The iDisk is a remote file storage service, offered by Apple as part of their ".Mac" program, which is common among Macintosh users and is available from Windows systems as well.

Some third party applications enable file sharing between MacOS 8 and Windows systems on a network. For instance, the DAVE application enables Macintosh systems to communicate using NetBIOS. Although DAVE can be configured to maintain a log of basic activities, such as when a remote host started and stopped a NetBIOS session, the logs have limited use because they do not record the time of events as shown here.

Node DARA started a session on Saturday, December 1, 2001 Node OISIN started a session on Saturday, December 1, 2001 Node OISIN stopped a session on Saturday, December 1, 2001 Node PEEKER started a session on Saturday, December 1, 2001 Node PEEKER stopped a session on Saturday, December 1, 2001 Node DARA stopped a session on Saturday, December 1, 2001

Older versions of MacOS use AppleTalk to share resources on a network but do not retain logs.

^[3]http://www.executive-computing.de/MacOSX/Applications/Freeware/WAFInspec/