The examiner's ability to search, organize, and analyze Internet usage logs can make or break a case. IE History is a tool you can use to process the data files associated with web browsers. IE History can be obtained by e-mailing its author, Scott Ponder, at support@phillipsponder.com. Its purpose is to parse the binary history files so that you can analyze each web visit. Without a tool such as this, tracking web browser usage would be much more difficult because a general-purpose file viewer cannot fully read the content of the binary history files.
Upon starting IE History, you should see an Internet History Viewer screen similar to the illustration at right:
To open a file, click the Open History File button to open a browsing window similar to that shown in the next illustration. Notice that this browsing window differs from typical Windows file browsing windows in that it does not translate the files according to the specifications in the desktop.ini file. This makes it possible for the user to browse the local disk's history files, which Windows Explorer usually translates into history file pages.
IE History can handle many types of files, including Internet Explorer and Netscape web activity history files. Table 24-2 summarizes where these files are typically located.
Operating System | Web Browser | File Path(s) |
---|---|---|
Windows 95/98/Me | Internet Explorer | \Windows\Temporary Internet Files\Content.IE5\ |
Windows NT | Internet Explorer | \Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5\ |
Windows 2000/XP/2003 | Internet Explorer | \Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\ |
Windows 95/98/Me | Netscape | \Windows\Application Data\ |
Windows 2000/XP/2003 | Netscape | \Documents and Settings\ |
Windows NT | Netscape | \Winnt\Profiles\<username>\Application Data\Mozilla\Profiles\<profile name>\<profile directory>\ |
Unix (Linux, BSD, etc.) | Netscape | ~<username>/.netscape/ |
Another function of IE History is its ability to sort by the URL or date visited. Furthermore, by right-clicking an individual line and selecting Go To URL, you can load the URL in the default browser on the forensic workstation.
The last type of file IE History can translate is the Recycle Bin record for the Windows operating system. Because Windows stores deleted files in the Recycle Bin before true deletion from the disk, this record may provide more clues about what the suspect was deleting before the evidence was acquired. The following table summarizes where the INFO2 records are located for Windows operating systems.
Operating System | Location of INFO2 Recycle Bin Records |
---|---|
Windows 95/98/Me | \RECYCLED\INFO2 |
Windows NT/200x/XP | \RECYCLER\<User's SID>\INFO2 |
After copying the Recycle Bin record from a suspect's computer, load the INFO2 file in IE History in the same manner used for the index.dat or history.db files. The following illustration shows an example Recycle Bin record after it is loaded into IE History:
Table 24-3 shows a breakdown of .dat files that exist in Windows XP, their location, and what each one does.
Filename | Description |
---|---|
C:\Documents and Settings\<username>\Cookies\index.dat | The audit trail for the cookies that are installed on the system. Useful in locating cookies that are intentionally misnamed and obfuscated. |
C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat | The history for the last calendar day that the browser was in use. Files older than one day roll into a separate folder. |
C:\Documents and Settings\<username>\Local Settings\History\History.IE5\MSHistXXXXXXXXXXX\index.dat | Where the history data rolls to after it expires from the above index.dat. Each installation will have several of these directories, indicating yesterday, last week, two weeks ago, last month, and so on. |
C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\index.dat | The audit trail for supporting files such as pictures and includes on the web site. Look here to help reconstruct documents. |
C:\Documents and Settings\<username>\UserData\index.dat | This index.dat holds information about automatic Windows accesses to the Internet, such as Windows update and other utilities. |