X-WAYS TRACE

X-Ways Trace can parse the data records in MS Internet Explorer's history/cache files (index.dat) and in the MS Windows Recycle Bin's internal info2 file. When parsing index.dat, it outputs complete URLs, date and time of the last visit, usernames, filenames, file sizes, and the location of the listed record. For info2, it outputs date and time of deletion, original path, filename, size, and record location. X-Ways Trace offers a native list output and exports to a tab-delimited text file that can be imported by MS Excel, any text editor, or a database. X-Ways Trace is available at http://www.x-ways.net/trace/.

Implementation

X-Ways Trace gives you the option of examining an individual file, a folder (with an option to include subfolders), or the entire disk (which may still contain remnants of previously existing index.dat and info2 files in unallocated space and slack space). When choosing to examine the entire disk, it is preferable that you open a logical drive instead of a physical disk. When opening physical disks, X-Ways Trace will not search for info2 files, only for index.dat file records. You would open the physical disk only if you want to search several partitions of a hard disk at the same time or if a partition is damaged.

In this example, we will search a suspect's hard drive for information relating to potential international travel.

Choose File > Open Disk and select the drive letter of the logical disk you want to examine.

The output will look something like this:

X-Ways Trace provides multiple options for searching, as shown next. It can also search through all open files at the same time.

Any URL displayed in the list can be copied to the clipboard or looked up directly on the Internet using the default browser. By default, date and time information will be translated to the analyst's local time zone as set in MS Windows.
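To make the info2 fields listed above concrete (deletion time, original path, filename, size, record location), here is an added example that is not from the book and is not X-Ways Trace's own code. It assumes the publicly documented Windows 2000/XP INFO2 layout (20-byte header, 800-byte records); the function names and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20    # assumed layout: 20-byte header, record size at offset 12
RECORD_SIZE = 800   # assumed: Windows 2000/XP record with a Unicode path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per complete record in the bytes of an INFO2 file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated INFO2 header")
    (record_size,) = struct.unpack_from("<I", data, 12)
    if record_size != RECORD_SIZE:
        raise ValueError(f"unsupported record size {record_size}")
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        # ANSI path (260 bytes), then index, drive number, FILETIME, size
        index, drive, ftime, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        records.append({
            "record_offset": off,
            "index": index,
            "drive": chr(ord("A") + drive) if drive < 26 else "?",
            "deleted_utc": filetime_to_utc(ftime),
            "original_path": path,
            "filename": path.rsplit("\\", 1)[-1],
            "size": size,
        })
    return records

def build_sample():
    """Constructed one-record INFO2 image for the demo, not real evidence."""
    path = r"C:\Documents and Settings\user\Desktop\itinerary.doc"
    when = datetime(2005, 10, 1, 12, 0, tzinfo=timezone.utc)
    ftime = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    rec = path.encode("cp1252").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 1, 2, ftime, 24576)
    rec += path.encode("utf-16-le").ljust(520, b"\x00")
    # 100 trailing bytes imitate a partial record; the parser skips them
    return struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0) + rec + b"\x00" * 100

if __name__ == "__main__":
    for r in parse_info2(build_sample()):
        local = r["deleted_utc"].astimezone()  # analyst's local time zone
        print(r["record_offset"], local.isoformat(), r["original_path"], r["size"])
```

Timestamps are stored in UTC, so keeping `deleted_utc` as the value of record and converting to local time only for display avoids ambiguity when the analyst's workstation and the suspect's machine are in different time zones.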



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
