Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity

This artifact has attracted my attention of late as I have seen some very useful information here in a few recent cases. Here you find not only browsed urls but webpage details like title (sometimes content) and timestamps. Even data from encrypted pages (https) are stored here in plaintext, which by default IE does not save in internet cache. I have even seen email and facebook passwords here on occasion!

What is RecoveryStore and why is it present?

IE 8 and 9 have a tab recovery feature by virtue of which you can restore all your tabbed browsing sessions if IE crashes, or when you close IE and chose to save tabs on exit (so that they may be reopened automatically when IE is started next time).

With IE8, Microsoft also introduced the concept of a ‘Travelog’ or 'Travel Log'. This is a mechanism to track urls (and associated parameters) that are fetched from a page when AJAX is used. AJAX is a technology which enables dynamic refreshes of small portions of a page without reloading the whole page. It was popularized by gmail and subsequently most webpages use it today. With AJAX, your main page url does not change, however the page contents change when your click around in the page (accessing data from other urls), this creates problems as you cannot use the browser back button to go back one click. To solve this problem (with back and forward buttons), the travelog is used to track AJAX urls. Read up more about it on MDSN here. 

So where is this cached information?

The RecoveryStore can be found under <profile>/Application Data on an XP machine and under <profile>/AppData/Local on a Vista or Windows 7 machine under subfolder Microsoft/Internet Explorer/Recovery

Location of RecoveryStore files on a Windows 7 Machine

Two folders are present by default, Active and LastActive. Sometimes a couple of other folders are seen, High and Low. All folders contain similar data, a few files with <GUID>.dat as their name and a single RecoveryStore.<GUID>.dat file per folder. GUIDs are in the standard format {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.

Analysis of RecoveryStore files Part I

All files are in the Microsoft OLE structured storage container format. When opened with a suitable viewer (many freeware available for this, if you use encase, use ‘view file structure’ to mount), you find many streams (files) within it.

There is a single RecoveryStore.<GUID>.dat file which represents the recovery store preserving tab order and some other information. It references the other <GUID>.dat files.

RecoveryStore.<GUID>.dat

This file contains 3 or more streams in it. If more than one session (instances of IE) are running, then more streams will be present.

Stream Name	Description
|KjjaqfajN2c0uzgv1l4qy5nfWe	Contains some guids
FrameList	List of DWORDs, function unknown
TSxx	Contains guids of Tabs in Session x (ie,if TS1 then tabs in session 1)

RecoveryStore.<GUID>.dat file viewed in an OLE object viewer
The FrameList stream is shown above

<GUID> in the filename

The GUID is actually a UUID (version 1), which is comprised of a FILETIME like timestamp and the machine MAC address. The details of this scheme can be referenced from RFC 4122 (http://www.ietf.org/rfc/rfc4122.txt). 

The timestamp is the first 60 bits of the UUID, and this represents the number of 100 second nanosecond intervals since 15 October 1582. Note the only major difference from Microsoft FILETIME values used everywhere else in windows is the starting date which is 01 January 1601 for FILETIME.

This time is going to be the tab/recoverystore created time and can be used to cross check the timestamp on disk for forensic validation. These UUIDs are also found in the ‘|KjjaqfajN2c0uzgv1l4qy5nfWe’ stream in RecoveryStore.<GUID>.dat

Example: {FD1F46CF-E6AB-11E0-9FAC-001CC0CD46AA}.dat

From this UUID, we can extract the timestamp as 01E0E6ABFD1F46CF which decodes to 09/24/2011 12:51:58 UTC.

The last 6 bytes is the MAC address on the machine (00 1C C0 CD 46 AA), it can be from any of the network interfaces on the machine.

Timestamp Easy Conversion Process 

(http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf)

An easy way of converting the timestamp without messing too much with the math behind it is to subtract the time period between 15 October 1582 and 1 January 1601 and then using a FILETIME decoder program (like DCODE) to do the rest. For the above example, we subtract 146BF33E42C000 (the excess time period) from the original value to get 1CC7AB8BEDC86CF which is decoded as 09/24/2011 12:51:58 UTC.

<GUID>.dat files

Each file represents a tab in the browser. Inside each file are 3 or more streams.

Stream Name	Description
|KjjaqfajN2c0uzgv1l4qy5nfWe	Contains some guids and last URL of tab
TravelLog	List of DWORDs representing each TravelLog entry
TLxx	Travelog stream (TL0, TL1, …)

'|KjjaqfajN2c0uzgv1l4qy5nfWe' stream inside a <GUID>.dat file shown above

TravelLog Stream

This stream has a complex binary format which stores many items. The base URL, referrer url and page title are always present. Page content, some timestamps and ajax parameters are optionally present.

I have been studying the format of the TravelLog and will shortly publish it as Part II of this blog entry. 


Update: An encase script is now available for download here to parse out travelLog info.