The examiner’s ability to search, organize, and analyze Internet usage logs can become crucial to making or breaking a case. IE History is a tool you can use to process the data files associated with web browsers. IE History can be obtained by e-mailing its author, Scott Ponder, at support@phillipsponder.com. IE History’s purpose is to parse the binary history files for the analyst so that you can analyze each web visit. Without using a tool such as this, tracking web browser usage would be much more difficult because a general-purpose file viewer cannot fully read the content of the binary history files.
Upon starting IE History, you should see an Internet History Viewer screen similar to this:
To open a file, click the Open History File button to open a browsing window similar to that shown in the next illustration. Notice that this browsing window is different from typical Windows file browsing windows, in that it does not translate all the files according to the specifications in the desktop.ini file. This makes it possible for the user to browse the local disk’s history files, which are usually translated into history file pages by Windows Explorer.
IE History can handle many types of files, including Internet Explorer and Netscape web activity history files. Table 24-2 summarizes where these files are typically located.
Operating System | Web Browser | File Path(s) |
---|---|---|
Windows 95/98/Me | Internet Explorer | \Windows\Temporary Internet Files\Content.IE5\ \Windows\Cookies\ \Windows\History\History.IE5\ Any index.dat file is a history file. |
Windows NT | Internet Explorer | \Winnt\Profiles\<username>\Local Settings\Temporary Internet Files\Content.IE5\ \Winnt\Profiles\<username>\ \Winnt\Profiles\<username>\Local Settings\History\History.IE5\ Any index.dat file is a history file. |
Windows 2000/XP/2003 | Internet Explorer | \Documents and Settings\<username>\Local Settings\ \Documents and Settings\<username>\Cookies\ \Documents and Settings\<username>\Local Settings\History\History.IE5\ Any index.dat file is a history file. |
Windows 95/98/Me | Netscape | \Windows\Application Data\Mozilla\Profiles\ Any history.dat file is a history file. |
Windows 2000/XP/2003 | Netscape | \Documents and Settings\<username>\Application Data\Mozilla\Profiles\<profile name>\<profile directory>\ Any history.dat file is a history file. |
Windows NT | Netscape | \Winnt\Profiles\<username>\Application Data\Mozilla\Profiles\<profile name>\<profile directory>\ Any history.dat file is a history file. |
Unix (Linux, BSD, etc.) | Netscape | ~<username>/.netscape/ Any history.dat file is a history file. |
Another function of IE History is its ability to sort by the URL or date visited. Furthermore, by right-clicking an individual line and selecting Go To URL, you can load the URL in the default browser on the forensic workstation.
The last type of file IE History can translate is the Recycle Bin record for the Windows operating system. Because Windows is known to store deleted files in the Recycle Bin before true deletion from the disk, this record may provide more clues about what the suspect was deleting before the evidence was acquired. The following table summarizes where the INFO2 records are located for Windows operating systems.
Operating System | Location of INFO2 Recycle Bin Records |
---|---|
Windows 95/98/Me | \RECYCLED\INFO2 |
Windows NT/200x/XP | \RECYCLER\<User’s SID>\INFO2 |
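
As an added example (not part of the original text and not IE History's own code), the following Python script inventories every index.dat, history.dat, and INFO2 file under a mounted working copy of the evidence, using the file names from the two tables above, and records a SHA-256 hash plus the account name or SID taken from the path. The function names and output fields are assumptions made for this example.

```python
import hashlib
import os
import re
import sys

# File names from the two tables above. Windows names are case-insensitive,
# so matching is done on the lower-cased name.
ARTIFACTS = {"index.dat": "Internet Explorer history",
             "history.dat": "Netscape history",
             "info2": "Recycle Bin record"}


def owner_from_path(rel_path):
    """Return the account name or SID component of a table path, else None."""
    parts = re.split(r"[\\/]", rel_path)
    for i in range(len(parts) - 2):          # parts[i + 1] must be a directory
        parent = parts[i].lower()
        if parent in ("documents and settings", "recycler") or (
                parent == "profiles" and i > 0 and parts[i - 1].lower() == "winnt"):
            return parts[i + 1]
    return None                              # Windows 9x paths carry no owner


def sha256_file(path, chunk=1 << 20):
    """Hash a file in blocks so large artifacts do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(evidence_root):
    """Walk a working copy of the evidence and list the files IE History can load."""
    found = []
    for dirpath, _dirs, files in os.walk(evidence_root):
        for name in files:
            kind = ARTIFACTS.get(name.lower())
            if kind is None:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, evidence_root)
            found.append({"path": rel, "type": kind, "owner": owner_from_path(rel),
                          "size": os.path.getsize(full), "sha256": sha256_file(full)})
    return sorted(found, key=lambda row: row["path"])


if __name__ == "__main__" and len(sys.argv) == 2:
    for row in inventory(sys.argv[1]):
        print(row["sha256"], row["size"], row["type"], row["owner"], row["path"], sep="\t")
```

Run it against a copy of the acquired image mounted read-only, and keep the hash list with the case notes so each file later opened in IE History can be tied back to the acquisition.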
After copying the Recycle Bin record from a suspect’s computer, load the INFO2 file in IE History in the same manner used for the index.dat or history.db files. The following illustration shows an example Recycle Bin record after it is loaded into IE History: