We are all wary of people who invade our privacy, especially when it comes to our browsing habits. Most people using IE just clear the cookies, temporary internet files and browsing history under Tools -> Internet Options. But does that really clear everything? The answer is NO. It does not.

Welcome to Index.dat

IE maintains index.dat files for your temporary internet files, cookies and browser history. The locations are as below:

  • \Documents and Settings\\Local Settings\Temporary Internet Files\Content.IE5\
  • \Documents and Settings\\Cookies\
  • \Documents and Settings\\Local Settings\History\History.IE5\

Index.dat is a binary (non-human-readable) file. These files map your temporary internet files and cookies to the URLs you visited. The format is proprietary to Microsoft, but there are tools that can parse it into human-readable form. The best open-source tool is pasco, developed by Keith Jones, author of Real Digital Forensics. In this blog we will take a closer look at the format of index.dat and at how to use pasco's successor, Web Historian.

Index.dat: Header
The header consists of the following:

  • First 27 bytes: the ASCII string Client UrlCache MMF Ver 5.2
  • 28th byte: 0x00 (the string is NULL terminated)
  • 29th-32nd bytes: the file size, a 32-bit integer stored little-endian (so reverse the byte order when reading it by hand)
  • 33rd-36th bytes: the offset of the HASH table, also little-endian (more on that later)
  • Offset 0x50: the directory table listing the subdirectories that hold the temp inet files. Each entry is 12 bytes.

As an example, take the header of one index.dat file:

The first 28 bytes are the null-terminated string Client UrlCache MMF Ver 5.2.
The next four bytes are 00 C0 01 00; read as a little-endian integer this is 0x0001C000, which is 114688 bytes.
The next four bytes are the offset of the hash table: 00 50 00 00, which gives 0x5000.

Then come the directory names: N2L6K2BN, 0PE341MV, CD1JKLMN, S9MJSH6B. Each 12-byte table entry holds a 4-byte count of cached files followed by the 8-character directory name; unused entries are zero-filled.
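The header walk-through above, as an added example (this is not pasco or Web Historian code, it is written here for illustration): a small Python parser that reads the signature, the little-endian file size and hash-table offset, and the directory table, and flags headers whose values do not add up. The sample buffer is constructed to mirror the values in the post; the per-directory file counts in it are made up, and the 32-slot table size and 128-byte block alignment used for the sanity checks are assumptions about the IE5 layout rather than facts stated on this page.

```python
"""Parse the header of an IE 5.x index.dat ("Client UrlCache MMF Ver 5.2") file."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SIGNATURE_PREFIX = b"Client UrlCache MMF Ver "
SIGNATURE_LEN = 28          # 27 printable bytes plus the NUL terminator
FILE_SIZE_OFFSET = 0x1C     # bytes 29-32 (1-indexed), little-endian uint32
HASH_OFFSET_OFFSET = 0x20   # bytes 33-36, little-endian uint32
DIR_TABLE_OFFSET = 0x50     # directory table starts here
DIR_ENTRY_SIZE = 12         # 4-byte cached-file count + 8-byte directory name
MAX_DIRS = 32               # assumption: IE5 reserves 32 directory slots
BLOCK_SIZE = 0x80           # assumption: records live in 128-byte blocks


@dataclass
class IndexDatHeader:
    version: str
    file_size: int
    hash_table_offset: int
    directories: List[Tuple[int, str]]   # (cached file count, directory name)
    warnings: List[str]


def parse_header(buf: bytes) -> IndexDatHeader:
    if len(buf) < DIR_TABLE_OFFSET + DIR_ENTRY_SIZE * MAX_DIRS:
        raise ValueError("too short to hold an index.dat header and directory table")
    sig = buf[:SIGNATURE_LEN]
    if not sig.startswith(SIGNATURE_PREFIX) or sig[-1] != 0:
        raise ValueError("missing 'Client UrlCache MMF Ver' signature")
    version = sig[len(SIGNATURE_PREFIX):-1].decode("ascii")

    # struct does the byte swapping the post does by hand:
    # 00 C0 01 00 on disk -> 0x0001C000 -> 114688.
    file_size, hash_off = struct.unpack_from("<II", buf, FILE_SIZE_OFFSET)

    warnings: List[str] = []
    if file_size != len(buf):
        warnings.append(f"header claims {file_size} bytes but {len(buf)} were read")
    if hash_off >= file_size or hash_off % BLOCK_SIZE:
        warnings.append(f"hash table offset 0x{hash_off:X} is outside the file or not block aligned")

    dirs: List[Tuple[int, str]] = []
    for i in range(MAX_DIRS):
        count, raw_name = struct.unpack_from("<I8s", buf, DIR_TABLE_OFFSET + i * DIR_ENTRY_SIZE)
        if raw_name == b"\x00" * 8:
            break                                   # unused slots are zero-filled
        dirs.append((count, raw_name.decode("ascii", errors="replace")))
    return IndexDatHeader(version, file_size, hash_off, dirs, warnings)


def parse_file(path: str) -> IndexDatHeader:
    """Convenience wrapper for a real index.dat on disk."""
    with open(path, "rb") as fh:
        return parse_header(fh.read())


def build_sample(file_size: int = 0x1C000, hash_off: int = 0x5000,
                 dirs=(("N2L6K2BN", 3), ("0PE341MV", 7), ("CD1JKLMN", 2), ("S9MJSH6B", 5))) -> bytes:
    """Constructed header mirroring the post's example; the file counts are invented."""
    buf = bytearray(file_size)
    buf[:SIGNATURE_LEN] = b"Client UrlCache MMF Ver 5.2\x00"
    struct.pack_into("<II", buf, FILE_SIZE_OFFSET, file_size, hash_off)
    for i, (name, count) in enumerate(dirs):
        struct.pack_into("<I8s", buf, DIR_TABLE_OFFSET + i * DIR_ENTRY_SIZE, count, name.encode("ascii"))
    return bytes(buf)


if __name__ == "__main__":
    hdr = parse_header(build_sample())
    print(f"version {hdr.version}, {hdr.file_size} bytes, hash table at 0x{hdr.hash_table_offset:X}")
    for count, name in hdr.directories:
        print(f"  {name}: {count} cached files")
    for w in hdr.warnings:
        print("warning:", w)
```

Run it against a real file with parse_file(path); a mismatch between the recorded file size and the actual size, or a hash-table offset that points outside the file, usually means the file was truncated or tampered with and the hash-table walk should not be trusted.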

Index.dat: Hash table
to be continued...

Reference: whitepaper by Keith Jones.

Recently I discovered that where I'm working, the administrators run a software and hardware asset management script every time I log in to my system. Upon logon, I could see a folder being created under C:\sam containing a few files:

  • SAMHW.exe
  • Kixtart.exe
  • samv3.kix
  • and other DLL files

After some investigation I managed to find out that:

  1. SAMHW.exe is a hardware asset management tool. It scans your PC for new or suspicious hardware.
  2. Kixtart is an executable that runs upon logon, before the desktop is launched. This means it is the first thing that runs on your PC whenever you log on to your domain. You cannot stop it from running, or else you will be logged out of your system due to the BREAK command.
  3. samv3.kix is the software auditing script run by Kixtart.exe.

What the script does is scan your registry for new / suspicious / pirated software and log the findings in a file on a shared network directory, named after your machine ID / user name / computer name.

How to stop it from running? You can't. By design Kixtart cannot be stopped from running the moment you log on to your domain.

So what can you do?

  1. Delete the folder C:\sam
  2. Before booting up, disconnect all network connections from your laptop
  3. Boot up and log in as normal
  4. If you need to access domain folders etc., you should still be able to, since your IP address will show that you are eligible for access
  5. Disconnect the network before you log off.

Reference: www.kixtart.org, Ars Technica forum

We all know that our wifi packets can easily be sniffed by others, so surfing at a hotspot is not private. So how do we surf privately at a wifi hotspot without much hassle? Easy. First you need:

  1. A server where OpenSSH is running
  2. PuTTY
  3. Firefox

Step 1: Configure PuTTY for an SSH session to your server

Step 2: Configure a secure tunnel
a. Click Tunnels
b. Under "Add new forwarded port" enter 7070 (or any port number) as the source port and select Dynamic, so that PuTTY acts as a SOCKS proxy on that port rather than forwarding to one fixed destination
c. Click the Add button
Step 3: Connect to your remote host
Just double-click your connection profile.
Step 4: Configure Firefox to use your proxy
In Firefox's connection settings choose manual proxy configuration and set the SOCKS Host to localhost (127.0.0.1), port 7070 (the port you forwarded), SOCKS v5. Leave the HTTP and SSL proxy fields empty so that all browser traffic goes through the SOCKS tunnel.
Step 5: Ensure that your DNS requests also go through your proxy
In Firefox open the about:config page and change network.proxy.socks_remote_dns to true. Without this, Firefox resolves each hostname locally and the DNS queries leave in the clear over the wifi, revealing which sites you visit even though the page content itself is tunnelled.

On a Linux host you can run ssh -qTfnN -D 7070 remotehost instead of using PuTTY (-D 7070 opens the same local SOCKS listener; -N, -T and -n mean no remote command, no tty and no stdin; -f backgrounds the session once it is up; -q keeps it quiet). Thanks to thinkhole for this great article.
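What the socks_remote_dns setting actually changes on the wire, as an added example (this code is not from the original post, PuTTY, OpenSSH or Firefox): the SOCKS5 (RFC 1928) CONNECT request the browser hands to the local listener on port 7070, built both ways, plus the decoder the proxy side runs. With remote DNS off the browser resolves the name first, so the lookup is what leaks on the hotspot; with it on the hostname travels inside the SSH tunnel and the SSH server resolves it. The resolver table and its address are constructed stand-ins, not real lookups.

```python
"""SOCKS5 CONNECT requests as a browser sends them to an ssh -D / PuTTY dynamic
forward, showing what network.proxy.socks_remote_dns changes."""
import socket
import struct
from typing import Callable, Dict, Optional, Tuple

SOCKS5 = 0x05
CMD_CONNECT = 0x01
NO_AUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed stand-in for the hotspot's DNS resolver. A real lookup is a
# plaintext UDP query on the wifi, which is exactly the leak step 5 closes.
FAKE_DNS: Dict[str, str] = {"example.org": "93.184.216.34"}


def client_greeting(methods=(NO_AUTH,)) -> bytes:
    """VER NMETHODS METHODS...; ssh -D and PuTTY accept 'no authentication'."""
    return bytes([SOCKS5, len(methods), *methods])


def connect_request(host: str, port: int, remote_dns: bool,
                    resolver: Callable[[str], str] = FAKE_DNS.__getitem__
                    ) -> Tuple[bytes, Optional[str]]:
    """Build VER CMD RSV ATYP DST.ADDR DST.PORT.

    remote_dns=False: resolve locally (leaks the name) and send ATYP 1 + IPv4.
    remote_dns=True:  send the hostname as ATYP 3 for the SSH server to resolve.
    Returns (request bytes, hostname that leaked to the local resolver or None).
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (max 255 bytes)")
        addr, leaked = bytes([ATYP_DOMAIN, len(name)]) + name, None
    else:
        addr, leaked = bytes([ATYP_IPV4]) + socket.inet_aton(resolver(host)), host
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port), leaked


def parse_connect_request(data: bytes) -> Tuple[int, str, int]:
    """Decode a CONNECT request the way the proxy does: (atyp, host_or_ip, port)."""
    if len(data) < 5 or data[0] != SOCKS5 or data[1] != CMD_CONNECT or data[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 8
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
    elif atyp == ATYP_IPV6:
        end = 20
    else:
        raise ValueError(f"unsupported ATYP {atyp}")
    if len(data) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(data[4:8])
    elif atyp == ATYP_DOMAIN:
        host = data[5:end].decode("idna")
    else:
        host = socket.inet_ntop(socket.AF_INET6, data[4:20])
    (port,) = struct.unpack(">H", data[end:end + 2])
    return atyp, host, port


def proxy_reply_success() -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT with REP=0 (succeeded), as the listener answers."""
    return bytes([SOCKS5, 0x00, 0x00, ATYP_IPV4]) + socket.inet_aton("0.0.0.0") + struct.pack(">H", 0)


if __name__ == "__main__":
    for remote in (False, True):
        req, leaked = connect_request("example.org", 443, remote_dns=remote)
        print(f"socks_remote_dns={remote}: {req.hex()}  leaked to local DNS: {leaked}")
        print("  proxy decodes:", parse_connect_request(req))
```

The request bytes themselves only ever travel over loopback to port 7070 and then inside the SSH session, so the only part of this exchange that a hotspot sniffer can see is the local DNS lookup that the remote_dns=False path performs before sending ATYP 1.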