HTTP Get Requests - Where do they get Stored?

(@xaberx)
Posts: 105
Estimable Member
Topic starter
 

I was looking at a hard drive image and I ran into many GET requests in unallocated space. The question I have is, when the server returns the header information, where does this actually get stored? Does the request data get stored in pagefile.sys, or is it stored in a history file under Application Data?

The Get Requests look like below

HTTPhttp//www.forensicfocus.com/themes/fisubsilversh/images/logo.gif request-method GET response-head HTTP/1.1 etc etc…….

Thanks for any advice.

 
Posted : 13/01/2012 10:30 pm
(@athulin)
Posts: 1156
Noble Member
 

The question I have is when the server returns the header information where does this actually get stored?

In primary memory. Where it goes after that (if anywhere) depends on what the client software does with it. It needn't go anywhere, but it's a pretty fair bet it may be stuffed into a cache.

Does the request data become stored in the pagefile.sys or is it stored in a history file under application data.

Well, all memory pages used for data have a fair chance of ending up in the pagefile, but nothing is placed there without a reason, such as memory getting filled up. But the pagefile is fairly static, I believe. You shouldn't expect to see pagefile contents in unallocated sectors very often; if it happens, it is probably when the pagefile was defragmented, or the pagefile was moved to another volume, and such cases.

But for the rest … it depends on the code. Are you referring to any particular browser?

The Get Requests look like below

HTTPhttp//www.forensicfocus.com/themes/fisubsilversh/images/logo.gif request-method GET response-head HTTP/1.1 etc etc…….

That is nothing like what the HTTP protocol contains – looks more like some kind of log or history file.

If you want to find out where that information comes from, try looking for significant substrings that could be useful in a file search – 'HTTPhttp//' looks like a possibility, or perhaps 'request-method GET response-head'. Then search all files for that – when you get a hit, compare the context with the original. If they are similar enough, it's a pretty good chance you've found a possible source.

 
Posted : 13/01/2012 11:18 pm
(@xaberx)
Posts: 105
Estimable Member
Topic starter
 

From what I have read so far from articles here and there, as we thought, it is the response to the GET request from the server. This is then read by the browser and stored in a cache file (not sure where and when... but Firefox's is supposedly the easiest to find).

Thanks, I hope this helps others as well, as the URL being accessed is shown with the time stamp embedded by the host the user is accessing. I can see these items being very useful to internet investigations.

 
Posted : 13/01/2012 11:27 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I was looking at a hard drive image and I ran into many Get Requests in unallocated space. The question I have is when the server returns the header information where does this actually get stored? Does the request data become stored in the pagefile.sys or is it stored in a history file under application data.

The Get Requests look like below

HTTPhttp//www.forensicfocus.com/themes/fisubsilversh/images/logo.gif request-method GET response-head HTTP/1.1 etc etc……

I've done a number of exams where I've found some valuable information in the pagefile with respect to GET/POST requests and the server responses, but I have to say, I haven't found any formatted quite like what you show. That doesn't even look like an IIS web server log entry. That's definitely odd.

You mentioned that there was a time stamp involved. Have you considered creating a timeline of system activity, and then adding these entries (after you've determined the time zone of the server being accessed via the requests)? That might illuminate things for you a bit…

 
Posted : 14/01/2012 4:49 am
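Two suggestions in this thread lend themselves to a small tool: athulin's advice to search for distinctive substrings ('HTTPhttp//', 'request-method GET response-head') and compare the context of each hit with the original fragment, and keydet89's suggestion to pull the embedded time stamps into a timeline once the time zone is known. The script below is an added example written for this thread, not code posted by any participant. It assumes a record layout modelled on the quoted fragment (a 'HTTP:http://...' key followed by NUL-separated 'request-method', the method, 'response-head' and a raw HTTP status line plus headers); it assumes the colons are present in the on-disk bytes even though the forum rendering above dropped them, and the pattern tolerates both. SAMPLE_BLOB is constructed, not carved from a real image.

```python
"""
Carve HTTP cache-metadata fragments out of raw bytes and turn them into
timeline rows.  Added example for this thread, not code from any poster.
ASSUMPTIONS: the record layout below is modelled on the fragment quoted in
the thread; the real on-disk format may differ.  SAMPLE_BLOB is constructed.
"""
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample: two metadata-like records embedded in junk bytes.
SAMPLE_BLOB = (
    b"\x00\xff\x13junk bytes\x00"
    b"HTTP:http://www.forensicfocus.com/themes/fisubsilversh/images/logo.gif\x00"
    b"request-method\x00GET\x00"
    b"response-head\x00HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 13 Jan 2012 21:55:02 GMT\r\n"
    b"Content-Type: image/gif\r\n\r\n\x00"
    b"\x90\x90more junk\x00"
    b"HTTP:http://www.forensicfocus.com/index.php\x00"
    b"request-method\x00POST\x00"
    b"response-head\x00HTTP/1.1 302 Found\r\n"
    b"Date: Sat, 14 Jan 2012 03:10:45 GMT\r\n"
    b"Location: http://www.forensicfocus.com/login.php\r\n\r\n\x00"
    b"trailing\x00"
)

# One record: key, method and response head, each field NUL-terminated.
# The optional ':' after HTTP and after the scheme tolerates the
# colon-stripped form seen in the thread as well as the assumed on-disk form.
RECORD_RE = re.compile(
    rb"HTTP:?(?P<url>https?:?//[^\x00\s]+)\x00"
    rb"request-method\x00(?P<method>[A-Z]+)\x00"
    rb"response-head\x00(?P<head>HTTP/\d\.\d[^\x00]*)"
)


def find_marker(blob, needle, width=32):
    """Substring step: every offset where `needle` occurs, with `width` bytes
    of context either side, so a hit in a file can be compared by eye with
    the fragment found in unallocated space."""
    hits = []
    start = 0
    while True:
        i = blob.find(needle, start)
        if i < 0:
            return hits
        hits.append((i, blob[max(0, i - width): i + len(needle) + width]))
        start = i + 1


def http_date_to_utc(value):
    """HTTP Date headers are defined as GMT; normalise to 'YYYY-MM-DD HH:MM:SS'.
    Returns None when absent or unparseable.  This is the server's clock,
    not the host's, so it still has to be reconciled with the system timeline."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:            # '-0000' style: treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def carve(blob):
    """Return one dict per carved record, in file order."""
    entries = []
    for m in RECORD_RE.finditer(blob):
        head = m.group("head").decode("latin-1")
        status_line, _, rest = head.partition("\r\n")
        headers = {}
        for line in rest.split("\r\n"):
            name, sep, val = line.partition(":")
            if sep:
                headers[name.strip().lower()] = val.strip()
        entries.append({
            "offset": m.start(),
            "url": m.group("url").decode("latin-1"),
            "method": m.group("method").decode("ascii"),
            "status": status_line,
            "headers": headers,
            "date_utc": http_date_to_utc(headers.get("date")),
        })
    return entries


def timeline_rows(blob):
    """Pipe-separated rows, oldest first, ready to merge into a system timeline."""
    rows = []
    for e in carve(blob):
        when = e["date_utc"] or "????-??-?? ??:??:??"
        rows.append(f"{when}|0x{e['offset']:x}|{e['method']} {e['url']}|{e['status']}")
    return sorted(rows)


if __name__ == "__main__":
    for off, ctx in find_marker(SAMPLE_BLOB, b"request-method"):
        print(f"0x{off:x}: {ctx!r}")
    for row in timeline_rows(SAMPLE_BLOB):
        print(row)
```

To use it against an image, read the unallocated extent (or a carved cache file) into `blob` instead of SAMPLE_BLOB; `find_marker` is what you run first against every allocated file to locate a candidate source, and `carve` only becomes useful once the record layout has been confirmed against that source. The Date header is the server's clock and can be wrong or skewed, so rows from it should be merged into the host timeline as corroborating, not authoritative, events.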
(@spawn)
Posts: 34
Eminent Member
 

Ultimately the HTTP request has to go out on the wire, and what was posted looks remarkably like a storage area which was used to hold the data while it was being processed, probably by Firefox given the variable names.

A quick search showed that "about:cache" in Firefox will pull up similar data structures to what you have in the post.

 
Posted : 15/01/2012 9:10 pm
harryparsonage
(@harryparsonage)
Posts: 184
Estimable Member
 

I was looking at a hard drive image and I ran into many Get Requests in unallocated space. The question I have is when the server returns the header information where does this actually get stored? Does the request data become stored in the pagefile.sys or is it stored in a history file under application data.

Is this a general "I wonder where it goes" sort of question or is it aimed at identifying evidence for an investigation? If the latter what is it you are trying to find out?

The chance is that you are looking at some fragments of internet history records, which are invariably splattered all over unallocated space and can be collected and analysed using HstEx and NetAnalysis.

regards
H

 
Posted : 16/01/2012 12:26 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

It would be good to see a larger chunk of the data. It would be easier to have a guess at the origin.

The other possibility is logs from a web server, e.g. Apache or IIS.

 
Posted : 16/01/2012 3:37 am