
CNS 320 COMPUTER FORENSICS & INCIDENT RESPONSE

Week 8

Copyright 2012, John McCash. This work may be copied, modified, displayed and distributed under conditions set forth in the Creative Commons Attribution-Noncommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Announcements

We will be spending some of the last class period (Week 10) reviewing for the final

Quiz #2 Review

1: 6 Phases of Incident Response (99%)

Preparation
Identification
Containment
Eradication
Recovery
Follow-Up & Lessons Learned

2: Most Important IR Phases (100%)

Preparation
Follow-Up & Lessons Learned

Without doing these phases properly, there's generally no improvement over time
IR is a continuous process, not an isolated event

3: LfLe Signature (62%)

Windows Event Log Record
Also the magic value for the file

Windows Event Logs

NT/2K/XP/2K3

.evt files
%systemroot%\System32\config
SecEvent.evt, Appevent.evt, Sysevent.evt, sometimes others
File Header/Magic Number in bytes 4-8: LfLe
Header in 2nd 4 bytes of each record: LfLe (same as file header)
2 timestamps per record (generated & recorded)
UNIX Epoch time format

Vista/7/2K8

.evtx files
%systemroot%\System32\winevt\logs
SecEvent.evtx, Appevent.evtx, Sysevent.evtx, many others
Header in 1st 4 bytes: 0x2a, 0x2a, 0x00, 0x00 (two asterisks followed by two null bytes)
Logs can be sent to a remote log collector
Binary XML format

File locations can be changed in the registry
UNIX Epoch time = # of seconds since 00:00 Jan 1st, 1970 GMT

4: Std Office Metadata (77%)

You should know, at least vaguely, what sorts of metadata information may be available in various common document formats
I might have asked about other file types

PDF
Portable Executable (.sys, .dll, .exe, .scr)
JPEG

You might go back and take another look at this section in week 4

Office Default Metadata Values


Title, Subject, Author, Keywords, Comments, Template, Last author, Revision number, Application name, Last print date, Creation date, Last save time, Total editing time, Number of pages, Number of words, Number of characters

Security, Category, Format, Manager, Company, Number of bytes, Number of lines, Number of paragraphs, Number of slides, Number of notes, Number of hidden Slides, Number of multimedia clips, Hyperlink base, Number of characters (with spaces)

5: Thumbnail Files (100%)


6: Outlook Files (85%)

Personal Archive Folder .PST
Local Cache Folder .OST

These two formats are closely related to one another
Various utilities can convert OST to PST
These are the most common Windows mail formats in corporate examinations

7: File type with magic number ending in SCCA (54%)

Prefetch file


Data in .pf file

File Signature (beginning of file)

XP: \x11\x00\x00\x00\x53\x43\x43\x41 (.SCCA)
Vista/7: \x17\x00\x00\x00\x53\x43\x43\x41 (.SCCA)

Contains paths of all files & folders accessed by the program in the first 10 seconds
Create time indicates when executable was first run
Mod date & internal FILETIME indicate last time
Run Count
Volume path & serial # for all files referenced
Prefetch\Layout.ini contains path information
File Size: 4-byte quantity at offset 0x000c

8: Jumplist Contents

Shortcut files (.LNK)


Windows 7 Jump Lists

Custom Destinations

<profile>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<AppID>.customDestinations-ms
File contains embedded .LNK files which can be carved out (each begins with LNK header \x4c\x00\x00\x00\x01\x14\x02; size is 4 bytes at offset 34h) and analyzed

Automatic Destinations

<profile>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<AppID>.automaticDestinations-ms
Contained data is stored using Structured Storage Format, and can be parsed using MiTeC's Structured Storage Viewer, from which .LNK files can be exported directly

Lists may contain up to several hundred items, though user only sees a few

9[Bonus]: Sector/byte offset (8%)

512 is the sector size (not the cluster size; a bunch of people made this mistake)

What's a sector (anybody?)

Sector is minimum disk access/allocation unit

What's a cluster (anybody?)

Cluster is minimum filesystem access/allocation unit

mmls returns volume/partition offset in sectors from beginning of disk
mount command requires volume/partition offset in bytes from beginning of disk

Material for this week

A few more words about Volume Shadow Copies
Internet Explorer Browser Forensics

Volume Shadow Copy Service

When a VSC is created, all Windows does is allocate a place to save overwritten disk clusters
Subsequently, whenever a cluster is written (but only if it hasn't been written to since the VSC was created), that cluster is first copied into this VSC area by the VSCS
So the VSC will always contain an old copy of all clusters that have been written at least once since the VSC was created

Viewing VSCs

When we do the mklink to point at the VSC, we're doing a virtual mount trick similar to what we do to examine images in the SIFT Kit
Windows virtually substitutes back all the old copies of overwritten clusters in that view
So the disk (except for the VSC area itself?) now appears exactly as it did when the VSC was created
Consider though: What happens if the VSCS is disabled for some period of time?

Browser Forensics

Internet Explorer (6-9)

  Includes anything that uses WinInet API
  Technically goes back to version 3, but I'm not going to torture you with Windows 3.1, 95, or NT

Firefox (1.5-10)
Safari (3-5) [older versions Mac only]
Chrome (1-18)
Opera (2-11)

Market share as of January 2012

Internet Explorer 20.1%
Firefox 37.1%
Chrome 35.3%
Safari 4.3%
Opera 2.4%

Historically, IE & Firefox have dominated

Displayed Media Types

Text
HTML (3-5)
Images (GIF, JPG, PNG, BMP)
Video (MPEG, Flash)
Plugins for virtually anything

Common Artifacts (Implemented Differently)

Opaque to most people

Cache Cookies Auto-Complete


History Bookmarks

Well known (and so likely to be removed)


Download Folders Recovery Data Suggested Sites


Questions we may be able to answer

What sites were visited? How many times? When? (last, others)
What sites were saved by the user?
What files were downloaded?
What usernames & credentials were used?
What searches did the user run?
What information did the user exchange with the site?

Viewing Hidden Files

There are lots of hidden files and folder structures in Windows
Like with the registry, monkeying around in these locations can break things
To view these:

  Open Folder Options Control Panel
  Select Show Hidden files and folders
  Uncheck Hide protected OS files

Don't forget and accidentally delete

Internet Explorer
6.0 Released with XP. Well past its sell-by date, yet still encountered frequently, especially in corporate environments
7.0 Released on Vista (won't run on Win2K)
8.0 Released on Win7
9.0 Won't run on XP. Last to use common db (index.dat) format
10.0 Released on Win8. Whole new ballgame
Later versions have significant differences

Artifact Locations for IE (XP)

Bookmarks/Favorites

<profile>\Favorites

History

<profile>\Local Settings\History\History.IE5

Cache

<profile>\Local Settings\Temporary Internet Files\Content.IE5

Cookies

<profile>\Cookies

Downloads

<profile>\Downloads

Artifact Locations for IE (Vista/Win7)


Bookmarks/Favorites

<profile>\Favorites

Cookies:

<profile>\AppData\Roaming\Microsoft\Windows\Cookies
<profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low

History:

<profile>\AppData\Local\Microsoft\Windows\History\History.IE5
<profile>\AppData\Local\Microsoft\Windows\History\Low\History.IE5

Cache:

<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low

Downloads

<profile>\Downloads

A word about profile locations

Not always in C:\Documents and Settings
Registry configurable default profile locations. Check the following values

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
  Default
  Public
  ProfilesDirectory

Builtin account profiles such as System are under various %Windir% folders

Windows\System32\Config

Index.dat Files

Binary format unchanged since IE 4
Different files use same name & format, but store different data
Index.dat files exist in multiple places for tracking of:
  History
  Cookies
  Cache Data
Difficult to remove because always locked, but IE settings can clear entries
File Signature: Client UrlCache MMF Ver 5.2
Four byte file size starting at byte 28

Index.dat Record Types

Four types of record are known

URL - Indicate URIs that were actually requested
REDR - Indicate browser was redirected to another site
HASH - Hash indexes of the contents of the index.dat file (not useful)
LEAK - Result of attempt to delete entry while associated cache file is open (other mechanisms possible)

Index.dat Record Header Format

Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128 byte Blocks in record

Index.dat Timestamps

According to some sources:

Modified time should be when web server last updated file
Accessed time should be when file last downloaded

However, actual timestamp usage varies depending on exactly what kind of index.dat file the data is contained within

IE History
XP Location:

<profile>\Local Settings\History\History.IE5

Vista/Win7 Location:

<profile>\AppData\Local\Microsoft\Windows\History\History.IE5
<profile>\AppData\Local\Microsoft\Windows\History\Low\History.IE5

(we'll get to why you can't see this folder normally in a minute)

IE History

Designed for URL autocompletion
Tracks all user browsing history for last 20 days by default
If browsing history set to 0 days, still kept, but deleted on system shutdown or next day
Also tracks Explorer access to local files
For each URL or file, tracks last access timestamp & number of times accessed

Apparent History Folder is Actually a Windows Construct

Virtual History Folder

Shows Human-Readable Content
Folders or individual entries can be manipulated/deleted directly
Changes made here are propagated to the underlying index.dat files by Windows
Last Accessed time shown is in local system timezone

Virtual History Subfolders

The Real History Folder

Under the History Folder

Actual History Contents

Master index.dat file under History.IE5
Daily, Weekly, or (potentially) Monthly index.dat files under other folders
Folders are named according to the date span covered by the contained file
After the 6th day, aggregate daily history content is rolled up into a weekly file
Actual files and folders cannot be seen in Windows GUI on live system, but can from the command line using dir /a

Index.dat Record (URL History)

Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128 byte Blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)

History Record Timestamp Meanings


Location of Index.dat   1st Date (Record offset 9)       2nd Date (Record offset 17)
History.IE5             Last visited time (GMT)          Last Visited time (GMT)
Daily History           Last visited time (LOCAL TIME)   Last visited time (GMT)
Weekly History          Last visited time (LOCAL TIME)   Index.dat File created time (GMT)

IE Cache
XP Location:

<profile>\Local Settings\Temporary Internet Files\Content.IE5

Vista/Win7 Location:

<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
<profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Low

(Another of these invisible folders)

IE Cache

Exists to speed up access by using previously obtained local copies of content which has not altered since accessed
Not all entries are supposed to be cached (SSL, no-store), but IE6 used to cache a lot of content it shouldn't have
Also, the RFCs never formally stated SSL should not be cached
Can include references to entries that have been removed in the meantime
Cleared entries are wiped more effectively by IE7 and later

A word about cache usage

Some RFCs & Microsoft specifications clearly define what is supposed to be cached

  RFC2616 (HTTP 1.1): cache-response-directive = no-store
  RFC1945 (HTTP 1.0): entries past expiration date not cached (less clear)
  MS: INTERNET_FLAG_DONT_CACHE, or INTERNET_FLAG_NO_CACHE_WRITE

Developers sometimes misinterpret the meaning of the specifications

  For instance, no-cache (HTTP 1.1) and Pragma: nocache (HTTP 1.0) don't mean "do not cache". Both mean "send request for content even if cached"

Older browser versions were very bad at properly interpreting and enforcing these specifications because of this

IE Cache Size

IE6 Default is 10% of system drive
IE7 50MB, increasable to 250MB

Another Virtual Folder

The Real Deal

Cache Subfolders

Cache Artifacts

Index.dat file under Content.IE5
Semirandomly named subfolders contain files with cached content
Contain entries for cacheable URLs visited, each of which references a file that may or may not still exist
Original filename with bracketed instance number before .ext
Folders added in groups of four (if not, investigate why, could be data hiding location)

FYI: Other Temporary Internet Folders Subfolders (Not thoroughly researched)

AntiPhishing
Content.MSO - Not sure. Local copy from external document linking in Office?
Content.Outlook - Attachment files opened directly in Outlook
Content.Word - Tempfiles created when Word used as editor for Outlook
OLK5432 - Unknown
Others?

Index.dat Record (Cache URL)

Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128 byte Blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
92      4     Last Checked FATTIME

FATTIME
offset  size  value  description
0       2            date
2       2            time

In little-endian the 16-bit date value corresponds to:

offset       size    value             description
Bit 0 (LSB)  5 bits                    Day of the month
Bit 5        4 bits  0x01 => January   Month
Bit 9        7 bits  0x00 => 1980      Year

In little-endian the 16-bit time value corresponds to:

offset       size    value  description
Bit 0 (LSB)  5 bits         Seconds in 2 second intervals
Bit 5        6 bits         Minutes
Bit 11       5 bits         Hours

Cache Timestamps from Index.dat


Modified: When content last saved to cache file (UTC)
Accessed: When content last viewed in browser (UTC)
Expiration: Set by server to ensure content retrieved again if accessed after specified date (UTC)
Last Checked: When site last compared to cache. By default, same as last access, but modified browser settings could prevent recheck (UTC)
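
The record layout and FATTIME bit fields above, as an added Python example that is not part of the original slides: it walks a buffer in 128-byte blocks, recognises the four record signatures, and decodes the cache URL timestamps at the offsets given in the table (8, 16, 24, 92). The sample buffer is constructed for illustration; function names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                                        # records are sized in 128-byte blocks
SIGNATURES = (b"URL ", b"REDR", b"HASH", b"LEAK")  # "URL" is space-padded to 4 bytes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, None if 0."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def fattime_to_dt(raw):
    """4-byte FATTIME: 16-bit date at offset 0, 16-bit time at offset 2."""
    date, time = struct.unpack("<HH", raw)
    day, month, year = date & 0x1F, (date >> 5) & 0x0F, 1980 + (date >> 9)
    sec, minute, hour = (time & 0x1F) * 2, (time >> 5) & 0x3F, time >> 11
    try:
        return datetime(year, month, day, hour, minute, sec, tzinfo=timezone.utc)
    except ValueError:                             # zeroed or corrupt field
        return None

def parse_cache_url(rec):
    """Timestamps of a cache URL record, at the offsets listed in the table above."""
    modified, accessed = struct.unpack_from("<QQ", rec, 8)
    return {
        "modified": filetime_to_dt(modified),
        "accessed": filetime_to_dt(accessed),
        "expiration": fattime_to_dt(rec[24:28]),
        "last_checked": fattime_to_dt(rec[92:96]),
    }

def walk_records(buf, start=0):
    """Yield (offset, signature, record_bytes) for records found on block boundaries."""
    off = start
    while off + 8 <= len(buf):
        sig = buf[off:off + 4]
        size = struct.unpack_from("<I", buf, off + 4)[0] * BLOCK
        if sig in SIGNATURES and size and off + size <= len(buf):
            yield off, sig.decode().strip(), buf[off:off + size]
            off += size
        else:
            off += BLOCK                           # not a record header: try next block

def to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def to_fattime(dt):
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)

def build_sample():
    """Constructed buffer: one empty block, a 2-block URL record, a 1-block LEAK record."""
    seen = datetime(2012, 2, 10, 11, 59, 46, tzinfo=timezone.utc)
    url = bytearray(2 * BLOCK)
    struct.pack_into("<4sIQQ", url, 0, b"URL ", 2,
                     to_filetime(seen - timedelta(days=3)), to_filetime(seen))
    url[24:28] = to_fattime(seen + timedelta(days=30))   # Expiration
    url[92:96] = to_fattime(seen)                        # Last Checked
    leak = struct.pack("<4sI", b"LEAK", 1).ljust(BLOCK, b"\0")
    return bytes(BLOCK) + bytes(url) + leak

if __name__ == "__main__":
    for offset, sig, rec in walk_records(build_sample()):
        print(hex(offset), sig, parse_cache_url(rec) if sig == "URL" else "")
```

Because the walk only trusts the signature and block count, it also surfaces LEAK and partially cleared records that IE's own interface no longer shows.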

IE Cookies
XP Location:

<profile>\Cookies

Vista/Win7 Location:

<profile>\AppData\Roaming\Microsoft\Windows\Cookies
<profile>\AppData\Roaming\Microsoft\Windows\Cookies\Low

IE Cookies

Cookies exist to add state information to web browser sessions
Not all sites use them
Small text files (persistent cookies)
Session cookies in memory only
Included data:

  Issuing website
  Account on that site
  NTFS FILETIMEs
  Website specific data in cookie
  Some cookie data is encrypted & some is not

Index.dat Record (Cookie URL)

Offset  Size  Description
0       4     Signature/Magic Number (URL, REDR, HASH, LEAK)
4       4     # of 128 byte Blocks in record
8       8     LastModified FILETIME (URL)
16      8     LastAccessed FILETIME (URL)
24      4     Expiration FATTIME
84      4     Hits
92      4     Last Checked FATTIME

Cookie Index.dat Data (all times UTC)

Last Accessed: Last time cookie uploaded
Last Modified: Last time website modified cookie
Last Checked: Last time cookie expiration was checked
Expiration: Date after which cookie will no longer be accepted
Hits: How many times cookie was uploaded

An aside about cookies in general

I put this in the IE section simply because cookie data is so easy to get at there. Other browsers typically use storage methodologies that require more effort to extract data from.

Interesting Cookie Contents

Google Analytics cookies are used by many sites to track access
Lots of sites use completely custom cookie data or encrypt it, but always take a look. You may be surprised what you can find there.

I've seen an example of Mapquest.com actually storing unencrypted location history (physical addresses) there.

Sample Google Analytics Cookies (from a file named 6B36WGQG.txt)


__utma 12495090.2011220730.1328875187.1328875187.1328875187.1 w.dilbert.com/ 1600 1827382528 30352782 2075877424 30205931 *

__utmb 12495090.1.10.1328875187 w.dilbert.com/ 1600 2889898240 30205935 2075877424 30205931 *


__utmz 12495090.1328875187.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) w.dilbert.com/ 1600 935429376 30242644 2075407424 30205931 *

__utma (Timestamps in UNIX Epoch Time)

Contents similar to XXXX.RRRR.FFFF.PPPP.CCCC.N

XXXX Hash of client's domain
RRRR Random unique ID for client
FFFF Date of first visit to site (probably following the last clear of cookies)
PPPP Timestamp of previous (last) visit
CCCC Current timestamp
N Number of sessions since first visit (Incremented each time new session started after first)

__utmb

Contents similar to XXXX.P.10.C

XXXX = The Domain Hash.
P = Pages of the site viewed in most recent session
C = Timestamp of most recent session

__utmz

Contents similar to XXXX.TTTT.V.S.utmcsr{source}|utmccn{campaign}|utmcmd{medium}|utmctr{keyword}

XXXX Hash of client's domain.
TTTT Timestamp when cookie last set
V Total visitor sessions (supposed to be the same as last # in __utma)
S Count of different referrers followed to this site
Utmcsr{source} Last referrer domain
Utmccn{campaign} Ad followed if any
Utmcmd{medium} Search channel information (paid ad, etc.)
Utmctr{keyword} Search term used to find site
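
The three sample records from 6B36WGQG.txt decoded end to end, as an added Python example that is not part of the original slides. The per-record field order used here (name, value, site, flags, expiry FILETIME low/high, creation FILETIME low/high, `*`) is the IE cookie text-file layout and is not spelled out on the slide; function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# The three records shown above, exactly as they appear on the slide.
SAMPLE = """\
__utma 12495090.2011220730.1328875187.1328875187.1328875187.1 w.dilbert.com/ 1600 1827382528 30352782 2075877424 30205931 *
__utmb 12495090.1.10.1328875187 w.dilbert.com/ 1600 2889898240 30205935 2075877424 30205931 *
__utmz 12495090.1328875187.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) w.dilbert.com/ 1600 935429376 30242644 2075407424 30205931 *
"""

def epoch(seconds):
    """UNIX Epoch seconds -> UTC datetime."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)

def filetime(low, high):
    """Two 32-bit halves of an NTFS FILETIME -> UTC datetime."""
    ticks = (int(high) << 32) | int(low)          # 100 ns ticks since 1601-01-01
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def decode_ga(name, value):
    """Split a Google Analytics cookie value per the layouts described above."""
    try:
        if name == "__utma":
            dom, rid, first, prev, cur, n = value.split(".")
            return {"domain_hash": dom, "client_id": rid, "first_visit": epoch(first),
                    "previous_visit": epoch(prev), "current_visit": epoch(cur),
                    "sessions": int(n)}
        if name == "__utmb":
            dom, pages, _, ts = value.split(".")
            return {"domain_hash": dom, "pages_viewed": int(pages),
                    "session_time": epoch(ts)}
        if name == "__utmz":
            dom, ts, sessions, referrers, campaign = value.split(".", 4)
            fields = dict(kv.split("=", 1) for kv in campaign.split("|"))
            return {"domain_hash": dom, "last_set": epoch(ts), "sessions": int(sessions),
                    "referrers": int(referrers), **fields}
    except ValueError:
        pass                                      # layout differs; leave undecoded
    return {}

def parse_cookie_file(text):
    """Parse IE cookie text records (9 whitespace-separated fields each)."""
    fields = text.split()
    if len(fields) % 9:
        raise ValueError("expected 9 fields per cookie record")
    cookies = []
    for i in range(0, len(fields), 9):
        name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi, end = fields[i:i + 9]
        if end != "*":
            raise ValueError(f"record {i // 9} is not terminated by '*'")
        cookies.append({"name": name, "site": site, "flags": int(flags),
                        "expires": filetime(exp_lo, exp_hi),
                        "created": filetime(cre_lo, cre_hi),
                        "ga": decode_ga(name, value)})
    return cookies

if __name__ == "__main__":
    for c in parse_cookie_file(SAMPLE):
        print(c["name"], c["site"], "created", c["created"], "expires", c["expires"])
        for key, val in c["ga"].items():
            print("   ", key, "=", val)
```

For the __utma record, the file-level creation FILETIME and the first-visit Epoch value embedded in the cookie land within a second of each other, which is a useful cross-check when one of the two sources is suspected of tampering.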

IE Favorites (<profile>\Favorites)

Stored as .URL files
Contains complete target URL
File timestamps show creation, last written, and last accessed times
It's also possible to import favorites from other sources, so timestamps may reflect that instead of their actual creation by the user

IE Downloads

Often saved to default locations

XP default download folder defined by registry value HKCU\Software\Microsoft\Internet Explorer\Download Directory
Defaults to the user's desktop
Vista/Win7 uses <profile>\Downloads\ as default
If file opened rather than saved, temp copy created in IE cache folder, never cleaned unless manually
IE9 has separate index.dat for downloads

IE Auto-Complete (other than history)

Typed URLs registry key maintains list of last 25 URLs typed by the user

HKU\*\Software\Microsoft\Internet Explorer\TypedURLs

Typed URLs (Or Pasted)

#1 is most recent

IE Auto-Complete (other than history)

Protected Storage (IE4-6; Also used by Outlook Express & MSN Explorer)

Form Autofill Field Data
Accounts & Passwords (Web, FTP, Others)[checkbox]
Encrypted on disk but not in memory. Trivial to acquire from live system, & crackable from a dead one
(IE4-6) HKU\*\Software\Microsoft\Protected Storage System Provider\<SID>
(IE7+) HKU\*\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  Encrypted, but key is name of website

A note about found passwords

These are great for using in cracking attempts against encrypted files since people often reuse the same passwords elsewhere
You will rarely be authorized to log into the other accounts referenced
You can provide usernames to legal for subpoena generation from other account providers

Changes in Vista/Win7

As mentioned previously, file locations have changed
Protected Mode web browsing is performed as an unprivileged user

  This is where the 2nd Low filename comes from in the various file artifacts
  There are two sets because not all operations use Protected Mode
  IE7-9 all support Protected Mode on Vista/Win7

Changes in IE7

New Security Features


Move away from Protected Storage use
Added the Delete All button to clear browser artifacts
  Combines four different operations under IE6

When clearing entries, IE6 did a poor job of cleaning out index.dat records. IE7 does a more thorough job, but some records can still be retrieved.

Changes in IE8/9

New Artifacts

Recovery Folders
Suggested Sites
DOM Storage

New Security Options

InPrivate Browsing Mode reduces artifacts for specified sessions
Empty Temporary Internet Files folder when browser is closed option
Delete browsing history on exit option

IE8/9 Automatic Crash Recovery


Complete activity tracking for current & previous session
Enabled by default (even in InPrivate Mode). Deleted (but often recoverable) when History cleared
Information tracked:

  Tabs Open
  List of websites viewed in each tab, with referrers for each
  Session end time
  Time each tab was opened (Only if a crash occurred or if for some other reason files are still present in the Active folder)
  Code from the page
  Form data & Other artifacts

IE8/9 Crash Recovery Folders

XP (IE8 Only)

<profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active
<profile>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active

Vista/Win7

Current: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
Previous: <profile>\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active

Files have .dat extension & are stored in Structured Storage Format

Like Jump Lists, can be examined using MiTeC Structured Storage Viewer

Tab Title & Last Site Viewed

Recovery Files in MiTeC SSV

Each TL# stream is a different site visited in this tab. Each includes the following data in unicode (complete format not well understood):

  Full path & Referring path
  Page code to reconstruct
  Form data and other data, possibly including passwords

TravelLog contains forward/back button use, but there's no reference for the format

Structured Storage Format

File signature: D0CF11E0A1B11AE1
No easy way to find the total size of the file
Can still carve, just allow larger than expected file size

Site & Referrer

IE8/9 Suggested Sites

Opt-in or out at install time
Data located in <profile>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat
Tracks all sites visited to suggest similar ones
Does not track local, HTTPS, or InPrivate browsing
Normally deleted when history is, but may get out of sync. May not be handled by 3rd party wiping utilities.

SuggestedSites.dat

Starts out 5M in size
Records include, in order:

  URL of visited page (null terminated)
  Title of visited page (null terminated)
  URL of referring page (null terminated)
  5 unknown bytes
  Windows FILETIME when page visited

Could probably write a simple perl or python script to parse
Unknown binary format, so view with a hex editor
Didn't test this myself. All direct data from Internet sources

IE8/9 InPrivate (Porn) Browsing Mode

When used, opens a new browser session that records & saves less data
No History data saved
All cookies treated as session cookies (No files created. Memory only)
Typed URL & Form data not saved
Cache files are created, but deleted at end of session
Cache index.dat file may not be completely cleared
You may want to have your admins disable via group policy (can prevent history clearing too)

IE8/9 InPrivate (Porn) Browsing Mode


So what's left?

Recover deleted cache files
Session Recovery files (& deleted session recovery files)
Incompletely cleaned remnants from index.dat
Network traffic or proxy logs
Data from memory if you can get it

PrivacIE Index.dat Entries

NOT from InPrivate Browsing Mode sessions
Result of InPrivate Filtering enabled to prevent upload of tracking information

Brief Detour: IE Browser Extensions

BHOs
Flash
Java

IE Browser Helper Objects

A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality.
BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer.
Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<CLSID>
Details of BHO under HKLM\SOFTWARE\Classes\CLSID\<CLSID>

Macromedia/Adobe Flash

Plugin for most web browsers
Effectively a separate application, but not installed like one
Lives in: C:\WINDOWS\system32\Macromed\Flash
Has a built-in scripting language: ActionScript
Can make independent web requests

Flash Cookies/Local Shared Objects

Potentially much larger than regular cookies
Not cleared when they are.
.SOL file extension
Usually stored in folders under:

  Vista/Win7: <profile>\AppData\Roaming\Macromedia\Flash Player
  XP: <profile>\Application Data\Macromedia\Flash Player

Sometimes found in other locations
Until recent updates, no easy way to clear

Managing Flash Cookies

Until recent updates, these had to be managed via the website

  http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
  Visits to this site can be an indication of attempted history removal

Now there's a Flash Player control panel application

Information from Flash Cookies

User/website access (full folder path)
First/last access time (file timestamps)
Data stored by the site (may be encrypted)

Java Downloads

Another separate application, but potentially runs downloaded code
Applets are used as normal web content, but sandbox escape is easy on old versions, which are disturbingly common
Cache folder:

  XP: <profile>\Application Data\Sun\Java\Deployment\cache\6.0
  Vista/Win7: <profile>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6

Java Downloads

IDX files in this cache are Java applet cache indexes
Included data:

  Filename
  URL downloaded from
  IP of source host
  last modified date
  downloaded date

Java Exploitability

Old versions of Java did not upgrade themselves, just installed new versions alongside the old ones
Web applications that knew the correct path to the old version could still access it. There's lots of this still out there
Specific versions of Java install with many applications, and aren't necessarily upgraded because the security issues don't affect the applications they support

IE8/9 DOM Storage

HTML 5.0 equivalent to Flash Cookies
Located in XML files and Index.dat under:

  XP: <profile>\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore
  Vista/Win7: <profile>\AppData\Local\Microsoft\Internet Explorer\DOMStore

IE8/9 DOM Storage

Up to 10MB per user & per site for any data a site cares to cache. Examples include:

  Preferences
  Keywords
  visit tracking
  Usernames
  offline files

Does not expire, but is cleared when cookies are
Prediction: In about ten years, HTML5 will be about like Java & Flash are now

Differences in IE 10

IE 10 Registry Keys

TypedURLSTime

IE 10 Files/Folders

<profile>\appdata\roaming\microsoft\windows\cookies\low
<profile>\appdata\roaming\microsoft\windows\WebCacheV##\WebCacheV##.dat (ESE db format)

No more index.dat. All old index.dat artifacts are stored in WebcacheV##.dat



Questions?
