Web Pages with txt extension in Temp Internet Files

(@dean23)
Posts: 4
New Member
Topic starter
 

Dealing with a job at the moment where there are web pages cached in the Temp Internet Files that are named in the form "Title_com.txt".

When the extension is changed to htm they open up as web pages.

I have carried out a little bit of research on the internet where a possible explanation given was that Outlook Express 6 had a bug that created .txt versions of a webpage when the "Send as email" function was used within Internet Explorer. I tried this on my own machine but subsequently established that the bug had been fixed and was therefore not able to test it.

OE 6 is installed but only the "Welcome Message" entry is present. No deleted emails were recovered.

The operating system is Windows XP SP3. The file activity itself occurred between July - September 09.

I am not convinced that the above explains what has occurred and would appreciate any other thoughts/explanations.

 
Posted : 08/12/2010 3:27 pm
(@athulin)
Posts: 1156
Noble Member
 

I am not convinced that the above explains what has occurred and would appreciate any other thoughts/explanations.

There's nothing that prevents a web server from serving up a .txt file (or an .exe file for that matter), with content-type information that says 'this is a HTML file'. On Apache, I'm pretty certain you can configure the connection yourself. You may need to research what would happen on the examined system under such circumstances.

Web browser extensions occasionally need somewhere to save data … and Temporary Internet folders is a suitable default starting place for a 'Save …' dialog in an extension.

And don't forget that 'Save as … ' in a web browser may default to the previous place something was saved (tried it just now with IE8, and found that I ended up in a project folder on a file share, which was a bit unexpected).

Does the file appear in any MRU list, for example? That might provide a clue to what happened.

 
Posted : 08/12/2010 5:26 pm
(@dean23)
Posts: 4
New Member
Topic starter
 

Thanks for the reply.

There are 45 of the files mixed in with a quantity of similar web pages with htm extensions. To all intents and purposes it looks like surfing activity but with some of the web pages cached to Temp Internet Folders with txt extension rather than an htm(l) extension.

I will have to do a little research on the Apache side but it does seem a more likely explanation that the web pages are being created/saved as txt on the server side and Apache configured to treat them as web pages.

 
Posted : 08/12/2010 5:59 pm
 Hvva
(@hvva)
Posts: 14
Active Member
 

Hey there. Apache can serve text files as web pages.
On the server side, httpd.conf "AddType" option
# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
#
# For example, the PHP3 module (not part of the Apache distribution)
# will typically use
#
#AddType application/x-httpd-php3 .phtml
#AddType application/x-httpd-php3-source .phps

http://livenudefrogs.com/~anubis/apache/httpd-conf.shtml

And in .htaccess - either "multiviews" should be enabled ~or~ they could type the full url with the file extension "http://example.com/Title_host.txt"

http://wiki.kartbuilding.net/index.php/Apache#Multiviews_-_Automatically_append_file_extension

More info
http://www.webmasterworld.com/apache/3976145.htm

Hope this helps.
Joshua James

 
Posted : 08/12/2010 6:31 pm
azrael
(@azrael)
Posts: 656
Honorable Member
 

I absolutely concur with Hvva that it is possible - although in 10+ years of Linux Apache servers I've _never_ actually seen one configured like that - I would definitely suggest that if you are seeing this behaviour on more than one site it's probably not that …

Given that there are a number of "similar" pages that you say, is it possible that the machine user has opened the original cached page, made an edit in Notepad and then saved with a default txt extension ?

 
Posted : 08/12/2010 6:46 pm
 Hvva
(@hvva)
Posts: 14
Active Member
 

Hello. Just to check I created a text file "test.txt" on a Debian server with a default Apache install. When I navigate to http://localhost/test with or without the extension, the text file is served as a web page. Same for connecting to the server from another host. Firefox/iceweasel was used as the browsers.

I did not test with Windows or IE.

 
Posted : 08/12/2010 7:21 pm
(@dean23)
Posts: 4
New Member
Topic starter
 

Thanks for the replies

The main thing that gives me doubts about the user saving the pages is the naming convention used. A couple of examples are

tinymodelnews_com.txt
newstar-bambi_net.txt

and apologies for not mentioning it earlier

search.txt that is a google results page on the search term "cute star"

My feelings are that if a user saved the files they would probably rename totally or just accept the default name with the new txt extension. However, I cannot of course rule this out at the moment.

 
Posted : 08/12/2010 7:30 pm
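
An added triage example, not part of the original thread or any poster's tooling: it walks an exported cache folder, flags every .txt file whose leading bytes contain HTML markup, and derives a candidate host from names of the "host_tld.txt" form described above. The file names, the sample contents, the helper names and the handling of a trailing "[n]" in cached names are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Markup that marks a file as HTML regardless of its extension.
HTML_MARKERS = re.compile(rb"<\s*(?:!doctype\s+html|html|head|body|title)\b", re.I)
TITLE = re.compile(rb"<title[^>]*>(.*?)</title>", re.I | re.S)
# Assumption: a stem such as "example-site_com" is host + "_" + TLD.
HOST_STEM = re.compile(r"^([a-z0-9][a-z0-9.-]*)_([a-z]{2,6})$", re.I)

def candidate_host(stem):
    """Map 'example-site_com[1]' to 'example-site.com', or None if no match."""
    m = HOST_STEM.match(re.sub(r"\[\d+\]$", "", stem))  # assumed "[n]" cache suffix
    return f"{m.group(1)}.{m.group(2)}".lower() if m else None

def triage(cache_dir, sniff_bytes=4096):
    """Return one record per .txt file whose first bytes contain HTML markup."""
    findings = []
    for path in sorted(p for p in Path(cache_dir).rglob("*") if p.is_file()):
        if path.suffix.lower() != ".txt":
            continue
        with path.open("rb") as fh:
            head = fh.read(sniff_bytes)
        if not HTML_MARKERS.search(head):
            continue  # genuine plain text
        t = TITLE.search(head)
        findings.append({
            "file": path.name,
            "host": candidate_host(path.stem),
            "title": " ".join(t.group(1).decode("latin-1").split()) if t else None,
            "modified": path.stat().st_mtime,
        })
    return findings

def make_constructed_cache(root):
    """Constructed sample files; names and contents are invented for this example."""
    samples = {
        "example-site_com[1].txt": b"<html><head><title>Example  Site</title></head></html>",
        "search.txt": b"<!DOCTYPE html><title>cache test - Search</title><body></body>",
        "notes.txt": b"shopping list: milk, eggs",
        "index[1].htm": b"<html><body>ordinary cached page</body></html>",
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_constructed_cache(d)
        for row in triage(d):
            print(row)
```

Run it against a working copy of the exported folder, never the original evidence; the candidate hosts can then be compared with the browser history and cache index entries for the same period.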
(@athulin)
Posts: 1156
Noble Member
 

tinymodelnews_com.txt
newstar-bambi_net.txt

That's more useful. Do the files share some or all of the attributes as any corresponding web domains (i.e. tinymodelnew.com, newstar-bambi.net, etc.)?

If this behaviour isn't explained by standard browser or server behavior, could it be the result of some kind of proxy software installed on the system? Say, some kind of anonymizing setup?

Do you have proof of web browsing – say, corporate web proxy logs? or could this be from a CD or suchlike?

 
Posted : 08/12/2010 9:14 pm
jekyll
(@jekyll)
Posts: 60
Trusted Member
 

Just another potential angle for your research here is that you could use live view to fire up the forensic image in a VM and do some testing to see if they are created dynamically. Sometimes, being in the actual user environment makes it all clear as our tools are so abstract from the user experience.

This of course is going to depend on the circumstances of your case and whether this is safe / appropriate. You could even run wireshark on the machine then and see what is happening on the machine vs what's coming down the wire.

 
Posted : 09/12/2010 1:23 am
azrael
(@azrael)
Posts: 656
Honorable Member
 

Hello. Just to check I created a text file "test.txt" on a Debian server with a default Apache install. When I navigate to http://localhost/test with or without the extension, the text file is served as a web page. Same for connecting to the server from another host. Firefox/iceweasel was used as the browsers.

I did not test with Windows or IE.

Kind of … The usual is that it's served as a txt file, so, if you create a page with an HTML structure, Apache will list all of it from < HTML > to </ HTML> inclusive as a text file with content type information that says "this is a text file" ( e.g. Content-type=text/plain rather than Content-type=text/html ) - this wouldn't render on the browser - it would just list the text, thus you wouldn't see any of the IMGs for example, or other multi-media content - much as if you had done a "view source" … I've just tested this on Ubuntu 10.10 standard install of Apache (64bit) and it behaves the way I've described. ( So default an install that I just did a "cp" of the default index.html to index.txt and then looked at them both in Firefox on the localhost address to check the above. )

Of course this does of course mean that the files could have been downloaded by viewing them as above - just remember that it's not likely that if this is the case that they have been rendered, as it would require a specific ( and slightly odd, as it would break the ability to send plain txt files as such ) change to the Apache configuration to make a txt file be sent as content type text/html. You can make Apache render any file extension in a certain way with the right configuration - even a .banana file can be sent as html - http://www.thinking-security.co.uk/example/forensic_focus.banana - and there is a default setting for which Apache will treat file extensions that we haven't explicitly stated in the httpd.conf file ( usually text/plain ) - http://www.thinking-security.co.uk/example/forensic_focus.apple for example.

 
Posted : 09/12/2010 1:38 am
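
The Content-Type point discussed in this thread, as an added example that is not from any of the posters: it uses Python's built-in http.server on a loopback port as a stand-in for Apache, and serves the same constructed .txt file once with the default extension mapping and once with .txt mapped to text/html (the equivalent of an AddType override). The handler names, the file name and the page body are assumptions made for the illustration.

```python
import functools
import http.client
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

# Constructed page body, saved on the "server" under a .txt name.
PAGE = b"<html><head><title>constructed</title></head><body><h1>hi</h1></body></html>"

class DefaultHandler(SimpleHTTPRequestHandler):
    """Default extension mapping: .txt is labelled text/plain."""
    def log_message(self, *args):  # silence per-request logging
        pass

class TxtAsHtmlHandler(DefaultHandler):
    """Stand-in for an Apache 'AddType text/html .txt' override."""
    extensions_map = {**SimpleHTTPRequestHandler.extensions_map, ".txt": "text/html"}

def fetch(handler_cls, docroot, name):
    """Serve docroot on an ephemeral loopback port; return (Content-Type, body)."""
    handler = functools.partial(handler_cls, directory=str(docroot))
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", "/" + name)
        resp = conn.getresponse()
        result = (resp.getheader("Content-Type"), resp.read())
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()

def compare():
    """Same file, same name, two server configurations."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "page_com.txt").write_bytes(PAGE)
        return {
            "default": fetch(DefaultHandler, d, "page_com.txt"),
            "txt_as_html": fetch(TxtAsHtmlHandler, d, "page_com.txt"),
        }

if __name__ == "__main__":
    for config, (ctype, body) in compare().items():
        print(f"{config:12} Content-Type: {ctype}  bytes identical: {body == PAGE}")
```

The bytes received are identical in both cases; only the header differs, and that header is not stored in the cached file itself.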