
Windows 10 Internet Cache No Image files (Edge and Chrome)

(@spo7046)
Posts: 17
Active Member
Topic starter
 

I am working a case where the offender was doing image searches through Yahoo, Bing, and Google, but there are no cached images for these searches. This is a Windows 10 Home laptop. Imaged through FTK Imager and analyzed through Axiom and FTK, with the same results. I have found the relevant search queries in the Chrome History and Edge WebCacheV01.dat files. Some of the links show he clicked on the displayed image, pulling it up in the browser. This was verified by navigating to the link. The one I used was in Bing. When accessed, the link showed the images from the search, but focused on one individual image. Through WebCacheV01.dat, I can see dates and times he visited the sites. Focusing the graphic section down to these times and dates revealed nothing. I have also scrolled through all the images which were not date/time stamped, to no avail. I checked for CCleaner and the like, but could not find any program which would clear the internet history/cache. I also ruled this as being improbable, because the historical records are there, just no corresponding images.

I have browsed through the forums and the Googles, but haven't come up with an answer. As this is a probation violation case, I have what I need for the violations (the searches themselves and I can show what each search potentially showed him on the day he searched), but I am just perplexed as to why there are no images associated with these searches.

Sorry if this has been discussed before.

Regards,

Steve

 
Posted : 19/10/2017 4:15 pm
(@mcman)
Posts: 189
Estimable Member
 

2 things come to mind for me:

1) Did they only do an images search or did they click right through to the site where the image was hosted? I.e. Google images search vs. visiting the actual site behaves differently.

2) Was the history synced from another device? I know Chrome will let you sync your history and it is unlikely that the cache carries over, so have you confirmed the search was done on that computer? (For Chrome look at the history db, in the visits and visit_source tables, which will tell you where the data came from.)

Jamie

 
Posted : 19/10/2017 7:35 pm
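
The visits / visit_source check suggested in the post above, as an added example that is not part of the original thread. The in-memory database, its URLs and timestamps are constructed stand-ins for a Chrome History file; the numeric source codes follow Chromium's VisitSource enum, and treating a visit with no visit_source row as locally browsed is an assumption about how Chromium records default visits.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium VisitSource values stored in visit_source.source.
# Assumption: locally browsed visits normally have no visit_source row at all.
SOURCES = {0: "synced", 1: "browsed", 2: "extension",
           3: "firefox_import", 4: "ie_import", 5: "safari_import"}

def chrome_time(us):
    """Chrome stores visit_time as microseconds since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)

def visit_origins(conn, needle="%"):
    """Return (utc_time, origin, url) for visits whose URL matches a LIKE pattern."""
    rows = conn.execute(
        """SELECT v.visit_time, s.source, u.url
           FROM visits v
           JOIN urls u ON u.id = v.url
           LEFT JOIN visit_source s ON s.id = v.id
           WHERE u.url LIKE ?
           ORDER BY v.visit_time""", (needle,))
    out = []
    for visit_time, source, url in rows:
        if source is None:
            origin = "local (no visit_source row)"
        else:
            origin = SOURCES.get(source, f"unknown({source})")
        out.append((chrome_time(visit_time).isoformat(), origin, url))
    return out

def build_sample():
    """Constructed stand-in for a History file: only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE visit_source (id INTEGER PRIMARY KEY, source INTEGER);
        INSERT INTO urls VALUES (1, 'https://search.example/images?q=constructed+one'),
                                (2, 'https://search.example/images?q=constructed+two');
        INSERT INTO visits VALUES (10, 1, 13152888000000000),
                                  (11, 2, 13152891600000000);
        INSERT INTO visit_source VALUES (11, 0);
    """)
    return conn

if __name__ == "__main__":
    # For real evidence, open a working copy read-only instead, e.g.
    # sqlite3.connect("file:History?mode=ro", uri=True)
    for row in visit_origins(build_sample(), "%images%"):
        print(*row, sep="  ")
```

A search visit labelled "synced" with no matching cache entries on the same machine is consistent with history that arrived from another device rather than browsing done locally.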
(@spo7046)
Posts: 17
Active Member
Topic starter
 

Thanks for the reply. He did do searches within the Image section of the previously listed search engines. I followed a few of the links, and he definitely clicked on a few of the images, as the link pulls up a specific image. I didn't think about Chrome cache carrying over. That is a thought for the Chrome browser history, but we have history in the Edge browser as well. Would it pull into Edge cache if he was logged into the Google account through a toolbar? Just spitballing ideas.

Thanks again.

 
Posted : 19/10/2017 8:10 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

… but I am just perplexed as to why there are no images associated with these searches.

Steve, did you already analyze

- the Thumbnail Cache
- MFT
- USNJournal
- the Volume Shadow Copy
- a Memory Dump or related files like hiberfil.sys and pagefile.sys

It sounds like a CP case… I would definitely search for illegal images everywhere, even outside the browsers.

good hunting!

Robin

 
Posted : 19/10/2017 11:35 pm
(@spo7046)
Posts: 17
Active Member
Topic starter
 

I did not go through the USNJournal. I will attack that in the morning. I did do a full scan of the E01 with IEF. I know I had images from pagefile.sys, MFT, and thumbnail cache. I am not in front of the evidence now, but I am almost certain that the Volume Shadow Copy was checked as well. With that being said, I did comb through all of the images detected in FTK and IEF. I have a ton of 0 byte gif files, which I wonder if those are what I am looking for, as he did a lot of searches for gifs. Thanks for the help!

 
Posted : 20/10/2017 2:16 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Two thoughts on this: was there another drive in use? The suspect could have modified the registry so all Cookies, Pics, cached Websites are stored on a USB drive or - much worse - on a RAM drive.
Have a look at
Computer\HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\DOMStore

There is a value for "CachePath", and at several other locations in the Registry. I do not know which one is correct, but those paths could be modified to save all Browser related evidence to another drive. If this drive was encrypted… good luck :-/

I do not know IEF, but perhaps it is possible to filter on skin tones and picture sizes? Having 30% skin tones and a picture size of minimum 50kb should be effective.

have a nice weekend,
Robin

 
Posted : 20/10/2017 9:56 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I do not know IEF, but perhaps it is possible to filter on skin tones and picture sizes? Having 30% skin tones and a picture size of minimum 50kb should be effective.

Just in case (old news, still …)
http://www.4ensics.co.uk/smutdetect4autopsy/
but
https://www.forensicfocus.com/Forums/viewtopic/t=9693/

jaclaz

 
Posted : 20/10/2017 2:21 pm
(@spo7046)
Posts: 17
Active Member
Topic starter
 

The drive is not encrypted, so we are good there. :)

USNjournal and Volume Shadow Copy have been examined with still no image artifacts. IEF does have skin tone filtering, and I have used this to no avail. I have manually gone through all 392,985 images found under the Graphics tab of FTK. This was done out of frustration after going through the file filters under the Overview tab and finding nothing under the different file extensions. There are numerous images found under the folder [root]/Users/Owner/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/AC/#!001/MicrosoftEdge/Cache/. There are numerous subdirectories under the Cache folder. However, many of the files show their logical and physical size as 48B. Files which actually show an image are much bigger. I used AccessData Registry Viewer to view the Software registry. However, the path you list, as well as everyone on Google, does not exist in this hive. I looked in Software\classes\Local Settings\Software\Microsoft\CurrentVersion. However, I only have a folder labeled AppModel. I don't have the folder you listed. Am I looking in the wrong registry hive? I searched for CachePath to try and find this section, but was unsuccessful.

Thanks for all your assistance.

 
Posted : 20/10/2017 5:26 pm
(@spo7046)
Posts: 17
Active Member
Topic starter
 

So after thinking about where that entry would be, I looked up UsrClass.dat and found the path you were talking about. His CachePath was set for local storage. Thanks for the lead though.

 
Posted : 20/10/2017 5:31 pm