
Internet history in the "NetworkService" Account?

(@kurt2121)
Posts: 43
Eminent Member
Topic starter
 

I was running index.dat viewing software for Internet Explorer on an older computer running XP, and I noticed some internet history in some history files in the Documents and Settings\NetworkService directory, as if it was just another normal user account.
Why does this happen? Is it malware related or something else?

Thanks

 
Posted : 19/08/2016 9:21 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

IIRC, the history for IE can include sites visited by applications rather than a real person using IE. The user folders are ordinarily created when a user has an interactive login. I'm not sure if there are other circumstances that would cause one to be created.

 
Posted : 19/08/2016 10:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Both
\Documents and Settings\LocalService\
\Documents and Settings\NetworkService\
"Cookies" and contents of "Local Settings", i.e. History, Temporary Internet Files and temp may be affected; it is not necessarily "malware", there could be "legitimate" (as much as a non-interactive access to the web is legitimate) tools that create those traces, for example automatic updates, antivirus programs, WebDAV, etc.

Some of those are "touched" even at boot time
http://www.forensicswiki.org/wiki/Files_changed_at_bootWindows_XP

jaclaz

 
Posted : 19/08/2016 10:55 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

Jaclaz, are the Network Service/Local Service folders always present in Docs and Settings on Win XP?

 
Posted : 19/08/2016 11:19 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Jaclaz, are the Network Service/Local Service folders always present in Docs and Settings on Win XP?

AFAIK yes, they are "standard" though they are normally "hidden" (i.e. you won't see them on a "standard" XP where by default not all folders/path/files are visible in explorer).

jaclaz

 
Posted : 19/08/2016 11:40 pm
(@athulin)
Posts: 1156
Noble Member
 

Some of those are "touched" even at boot time
http://www.forensicswiki.org/wiki/Files_changed_at_bootWindows_XP

That reference should be taken with double portions of salt.

The test, as stated, does not say how installation is done, or anything about what happens after installation – how are patches installed, for example – so there's really no way to know what state the installation is in when the third step is performed. This means we can't say if this boot is 'normal' or 'special' in any way. I seem to remember being prompted for various kinds of 'Welcome to XP. Would like to configure your XXX?' prompts; are those also included in these reports?

And how are events happening at boot time isolated from events that happen on user login? We don't even know that they are.

The text part also suggests that powering off without 'software shutdown' for some reason is advisable – I guess to isolate boot events from shutdown events – but this is not obviously part of the description.

And when exactly is that event taking place? Once the login screen is displayed? Or once the desktop after automatic login is shown? Or one minute later? Or … ?

Flushing time stamp caches would probably be an important step of a test, yet I see no trace of it here.

Nor is there, as far as I can see, any way to separate activities during installation from activities during boot – nor any indication that installation and post-installation activities have somehow been removed from the data.

We don't even know that the file system is NTFS … or what flavour of XP is used. I would suspect XP Pro might have some additional events that Home didn't, for example. And I might also suspect that the Tablet, the Media Center and the Starter editions also might have differences. I would even suspect that differing SPs could affect it.

And we can't say what happens on secondary disks, or with unusual boot set ups.

We also have some difficulty in determining what 'File changed' means – particularly with the caveat in the text that 'Not all file marked as changed really changed'. While we might be able to guess, we have no way of verifying those guesses.

I would like to have seen some attention to what always happens on a boot, and what sometimes happens on a boot, probably by collecting multiple data sets on succeeding days (real or emulated).

But each additional question also adds to the test complexity.

Take the data as an indication of what happened in one particular, and probably irreproducible instance, but don't rely on it for anything important.

 
Posted : 20/08/2016 11:50 am
(@athulin)
Posts: 1156
Noble Member
 

Why does this happen?

I remember reading an article that traced at least some of these entries to Windows system calls (or equivalents). As IE core functionality is fairly deeply embedded in Windows XP, it's not IE that makes the request – it just passes it on to Windows. The operation of those system calls creates the log files. And as anyone and anything can call those functions, the log entries are created also for other uses than those associated with Internet Explorer.

One such use was, I'm fairly certain, by certain mail programs. That is not directly relevant to your question, except so far that it needn't be a web browser that causes these entries to be created.

Unfortunately, the link I had is gone, and my Google-fu isn't good enough to find it. But perhaps someone else may have it?

So take this with a bit of salt. At least until you have found an authoritative source that states that these files have only one possible source.

 
Posted : 20/08/2016 12:22 pm
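
Added example (not part of any post in this thread, and not code from any forum member or tool): a way to list what the index.dat files under the LocalService and NetworkService profiles actually recorded, so the URLs can be matched against updaters, antivirus or other non-interactive software. The record offsets follow the commonly documented index.dat version 5.2 layout and are an assumption here; `url_records`, `service_history` and `sample_index_dat` are hypothetical names, and the sample file is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

SIGNATURE = b"Client UrlCache MMF Ver "  # magic at offset 0 of every index.dat
BLOCK = 0x80                              # records are allocated in 128-byte blocks
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
SERVICE_PROFILES = ("LocalService", "NetworkService")

def url_records(data):
    """Yield (last_accessed_utc or None, location) for every URL record in data."""
    if not data.startswith(SIGNATURE):
        raise ValueError("not an index.dat file")
    for off in range(0, len(data) - BLOCK + 1, BLOCK):
        if data[off:off + 4] != b"URL ":
            continue
        # Assumed v5.2 layout: block count @4, modified @8, accessed @16, URL offset @0x34
        nblocks, _modified, accessed = struct.unpack_from("<IQQ", data, off + 4)
        loc = struct.unpack_from("<I", data, off + 0x34)[0]
        size = nblocks * BLOCK
        if size == 0 or off + size > len(data) or not 0x38 <= loc < size:
            continue  # damaged or partly overwritten record
        url = data[off + loc:off + size].split(b"\0", 1)[0].decode("latin-1")
        # FILETIME is 100 ns ticks; values past 2**61 are garbage, not dates
        when = EPOCH + timedelta(microseconds=accessed // 10) if accessed < 2**61 else None
        yield when, url

def service_history(image_root):
    """Map each index.dat under the service profiles of a mounted XP image to its records."""
    base = Path(image_root) / "Documents and Settings"
    found = {}
    for profile in SERVICE_PROFILES:
        if not (base / profile).is_dir():
            continue
        for path in sorted((base / profile).rglob("*")):
            if path.is_file() and path.name.lower() == "index.dat":
                key = path.relative_to(base).as_posix()
                try:
                    found[key] = list(url_records(path.read_bytes()))
                except ValueError:
                    found[key] = None  # wrong magic: not an MSIE cache file
    return found

def sample_index_dat(url, when):
    """Constructed stand-in (header block + one URL record), not real evidence."""
    ticks = int((when - EPOCH).total_seconds()) * 10**7
    rec = (b"URL " + struct.pack("<IQQ", 2, ticks, ticks)).ljust(0x34, b"\0")
    rec = (rec + struct.pack("<I", 0x68)).ljust(0x68, b"\0") + url.encode("latin-1") + b"\0"
    return (SIGNATURE + b"5.2\0").ljust(BLOCK, b"\0") + rec.ljust(2 * BLOCK, b"\0")
```

The scan walks every 128-byte block instead of following the HASH table, so it can also report records that are no longer allocated. Run it against a read-only mount of the image, never the live system.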
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Network service is just a security context in which something runs, like the System/Network/Local services, it does not require the use of any browser technology.

You can open up a network socket and communicate without using any built-in browser features at all. Do not assume that you will find Internet Explorer type artifacts. All that is needed is the old VS runtime libraries or the more recent .NET runtime libraries. There is no logging or tracking of any kind when using these.

 
Posted : 20/08/2016 1:47 pm