
Location of Temporary Internet Files folder

11 Posts
5 Users
0 Likes
527 Views
(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

Maybe someone could help explain this seemingly strange behaviour?

User1 has a cookie showing user1@pornsite[2].txt file created 152604

Yet within seconds of this there are dozens of images from this site that have been stored in the Temp Internet Files folder of User2.

I've checked the registry to see if User1 has altered the location of his cache and he hasn't. So why would his temp. internet files show up under another user's profile?

 
Posted : 19/10/2005 4:41 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Is it possible that User1 knows User2's password, and launched IE using the RunAs command? You didn't specify the version of Windows, but if it's XP you're looking at, have you considered this?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 19/10/2005 5:31 pm
 samr
(@samr)
Posts: 119
Estimable Member
 

Possible (probably obvious) things I can think of are the following:

* User1 has copied their Internet temp from their own temp directory to the directory of another user (assuming User1 has admin privileges).

* User1 had previously a default location for their internet temp in a directory of another user (assuming that they had permission for this) and then changed it back at some point after the files were placed there.

* User1 was running their web browser as a different user (User2) whilst logged in as User1 - this is possible in Windows 2000 and XP – I have just tested this in Windows 2000 with IE which caused the cookies to be labelled as user2@wherever.

 
Posted : 19/10/2005 5:43 pm
(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

Have spoken to User2 who says they have a strong password, also the IT manager at the organisation who says it's not possible that User2's password could have been compromised… but personally I'll keep an open mind on that until proved otherwise.

The creation dates of the images in the Temp Internet Files profile of User 2 are within 5/6 seconds of User1's cookie being created; not enough time to log off and log on.

The OS is Windows 2000.

 
Posted : 19/10/2005 5:46 pm
(@fatrabbit)
Posts: 132
Estimable Member
 

I’m no expert in this area so this is a question rather than a fact, but surely if user1 fired up IE from the run as command and logged on as user2 then the entire IE session would be attributed to user2 and therefore the cookie that was created would also be user2 and not user1?

 
Posted : 20/10/2005 1:17 pm
 samr
(@samr)
Posts: 119
Estimable Member
 

Hi,

I performed the following tests:

1) Logged onto a Windows 2000 machine with User1.
2) Opened IE and went to a page which sets cookies to check that the cookies were in my default directory under user1@…. and in my temporary internet. They were as expected.
3) Opened IE using the runas command running as user2.
4) Visited website that sets cookies and checked where the cookies and temporary history was placed. Cookies were placed in user1's default directory with the file name format user2@….. Looking at it in NetAnalysis User1's temporary Internet history is also altered but the user attribute is User2.

I hope this helps to clarify things. If anyone else has done any similar experiments or has any other information about this sort of stuff I would be interested in hearing about it :)

Sam

 
Posted : 20/10/2005 2:08 pm
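A triage check for the two patterns raised in this thread, as an added example that is not part of any post: cookie files whose `user@` prefix differs from the profile folder they sit in (the RunAs test result), and cache files in one profile created within seconds of a cookie in another profile (the original observation). Paths assume the standard Windows 2000/XP `Documents and Settings` layout; the records, names and the 10-second window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

BASE = "C:\\Documents and Settings\\"
TIF = "\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\"
# Constructed sample records (path, creation time); not taken from the case.
SAMPLE = [
    (BASE + "user1\\Cookies\\user1@example[2].txt", "2005-10-19 10:00:00"),
    (BASE + "user1\\Cookies\\user2@example[1].txt", "2005-10-19 10:05:00"),
    (BASE + "user2" + TIF + "pic[1].jpg", "2005-10-19 10:00:05"),
    (BASE + "user2" + TIF + "old[1].jpg", "2005-10-18 09:00:00"),
]
COOKIE_RE = re.compile(r"^(?P<user>[^@]+)@.+?(\[\d+\])?\.txt$", re.I)

def classify(path):
    """Return (profile, kind, cookie_user) for an IE artefact path, else None."""
    parts = PureWindowsPath(path).parts
    lower = [p.lower() for p in parts]
    if "documents and settings" not in lower:
        return None
    i = lower.index("documents and settings")
    if i + 2 >= len(parts):
        return None
    profile, rest = lower[i + 1], lower[i + 2:]
    if rest[0] == "cookies":
        m = COOKIE_RE.match(parts[-1])  # index.dat etc. do not match
        return profile, "cookie", m.group("user").lower() if m else None
    if "temporary internet files" in rest:
        return profile, "cache", None
    return None

def findings(records, window=timedelta(seconds=10)):
    """Flag cookie/profile name mismatches and cross-profile cache writes."""
    rows = []
    for path, ts in records:
        c = classify(path)
        if c:
            rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), path, *c))
    cookies = [r for r in rows if r[3] == "cookie" and r[4]]
    out = [("name-mismatch", p) for _, p, prof, _, cu in cookies if cu != prof]
    for when, path, profile, kind, _ in rows:
        # A cache file counts if any cookie in a *different* profile is close in time.
        if kind == "cache" and any(cp != profile and abs(when - cw) <= window
                                   for cw, _, cp, _, _ in cookies):
            out.append(("cross-profile-cache", path))
    return out

if __name__ == "__main__":
    for kind, path in findings(SAMPLE):
        print(kind, path)
```

Profile folder names can differ from the logon name (for example when a domain suffix is appended), so a name mismatch is a lead to verify against the file system, not a conclusion.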
(@fatrabbit)
Posts: 132
Estimable Member
 

So according to your experiment if user1 used the run as command then the cookie would also have been created as user2. So this doesn’t explain the situation in the original post that the cookie was created as user1 and then seconds later images were placed in the temp Internet folder of user2?

 
Posted : 20/10/2005 3:37 pm
 samr
(@samr)
Posts: 119
Estimable Member
 

"So according to your experiment if user1 used the run as command then the cookie would also have been created as user2. So this doesn’t explain the situation in the original post that the cookie was created as user1 and then seconds later images were placed in the temp Internet folder of user2?"

Yes, that is true. I was just trying to illustrate the runas behaviour with IE :)

What I would suggest is that the original poster checks to ensure that the temp Internet is *stored* in the user's location and not just marked as that user in something like NetAnalysis. Failing that then it is indeed a mystery.

 
Posted : 20/10/2005 4:36 pm
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

I can't test this because I'm at the office but is it possible for a user to change his "environment" variables under system properties and just replace %userprofile% with the user2 name just for a session…?

Andrew-

 
Posted : 20/10/2005 5:19 pm
(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

Thanks for all your responses, I first noticed the odd locations of the cached images through EnCase 4.20 not NetAnalysis. In fact NetAnalysis lists the user throughout as being User1 and User2 has no entries at all for the day in question. Most odd.

 
Posted : 20/10/2005 6:24 pm