SecureArtisan

My Road to Digital Forensics Excellence

Alternative to Typed URLs?

Posted by Paul Bobby on August 15, 2012

Wiping software had blown aware the TypedURLs kvp normally found at HKCU/Software/Microsoft/Internet Explorer. Whilst performing a keyword search I got a hit in the file appdata\local\temp\structuredquery.log. A Google search later and I found that this file records those entries you type in the URL bar in Internet Explorer that causes the ‘auto suggestion’ display of IE.

For example, if I’ve previously been to www.google.com and various sub-sites of Google, if I just type google in the URL bar, Internet Explorer will search my history and favorites using a sql query like this:

SQL query built: SELECT TOP 6 “Microsoft.IE.TargetUrl”, “System.ItemPathDisplay”, “Microsoft.IE.Title”, “Microsoft.IE.SelectionCount” FROM SystemIndex..SCOPE()  WHERE  CONTAINS(“System.Search.Store”,’”iehistory*”‘,1033)  AND ((NOT CONTAINS(“System.ItemType”,’”Folder”‘) AND NOT CONTAINS(“System.ItemType”,’”Directory”‘))) AND (((CONTAINS(“Microsoft.IE.TargetUrlHostName”, ‘”go*”‘,1033) RANK BY COERCION(Absolute, 250)) ) OR ((CONTAINS(“Microsoft.IE.Title”, ‘”go*”‘,1033) RANK BY COERCION(Absolute, 150)) ) OR ((CONTAINS(“Microsoft.IE.TargetUrlPath”, ‘”go*”‘,1033) RANK BY COERCION(Absolute, 100)) )) ORDER BY “Microsoft.IE.SelectionCount” DESC , “Microsoft.IE.VisitCount” DESC , “System.Search.Rank” DESC

SQL query built: SELECT TOP 6 “Microsoft.IE.TargetUrl”, “System.ItemPathDisplay”, “Microsoft.IE.Title”, “Microsoft.IE.VisitCount”, “System.ItemUrl” FROM SystemIndex..SCOPE()  WHERE  SCOPE=’file:C:\Users\pbobby\Favorites\’  AND ((NOT CONTAINS(“System.ItemType”,’”Folder”‘) AND NOT CONTAINS(“System.ItemType”,’”Directory”‘))) AND (((CONTAINS(“Microsoft.IE.Title”, ‘”googl*”‘,1033) RANK BY COERCION(Absolute, 500)) ) OR ((CONTAINS(“System.ItemFolderNameDisplay”, ‘”googl*”‘,1033) RANK BY COERCION(Absolute, 400)) ) OR ((CONTAINS(“Microsoft.IE.TargetUrlHostName”, ‘”googl*”‘,1033) RANK BY COERCION(Absolute, 150)) ) OR ((CONTAINS(“Microsoft.IE.TargetUrlPath”, ‘”googl*”‘,1033) RANK BY COERCION(Absolute, 75)) )) ORDER BY “Microsoft.IE.SelectionCount” DESC , “System.Search.Rank” DESC , “Microsoft.IE.VisitCount” DESC

Some quick testing shows that this log file persists through deleting internet history from inside of Internet Explorer, and through the default configuration of CCleaner. BCWipe however did trash the file.

Still, this is yet another artifact that ‘remains behind’ and can shed light on the surfing habits of your subject. It also has the side benefit of answering the question “what are they browsing for” which is difficult to answer when just looking at internet history or a proxy log. These queries only get created when typing content in the URL bar.

Anyone had experience with this file?

About these ads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: