(@tazbv)
Posts: 1
New Member
Topic starter
 

I am relatively new to computer forensics and I would like to know how you would determine what Web pages were visited after the History and cookies have been cleared?

 
Posted : 12/06/2005 3:38 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Well, first you'd have to image the drive, and then recover deleted files…if that's possible. When I say, "if that's possible", what I mean is that when you "clear the history", you don't actually have to delete the file (ie, index.dat, etc) and then create a new one…you can simply reduce the size of the file to zero bytes, and save it. That frees up the subsequent sectors, and if they aren't overwritten, you may be able to reconstruct some data from there.

You can also attempt to recover the deleted cached files.

Depending upon the specific operating system and web browser, you may have other options. For example, on Windows platforms, there are Registry entries for items such as addresses typed into the Address bar in IE.

On a live system, you may find AutoCompletion and/or username/password information on the system, either in the Registry (depending on browser and web site) or in Protected Storage.

Hope this helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 13/06/2005 10:19 pm
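
The point above about freed sectors that have not been overwritten, as an added example that is not part of the original thread: a small Python carver that scans raw bytes (for instance unallocated space exported from a drive image) for URL remnants in ASCII and UTF-16LE, and records the user name when the URL is preceded by the `Visited: user@` prefix that IE history entries use. The function name, the field names and the sample buffer are constructed for illustration.

```python
import re

# ASCII URL: scheme followed by a run of printable, non-space bytes.
ASCII_URL = re.compile(rb"(?:https?|ftp|file)://[\x21-\x7e]{4,512}")
# The same URL stored as UTF-16LE: every character is followed by a zero byte.
UTF16_URL = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00|f\x00i\x00l\x00e\x00)"
    rb":\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,512}")
# IE history entries store the URL as "Visited: <user>@<url>".
VISITED = re.compile(rb"Visited: ([\x21-\x7e]{1,64})@$")


def carve_urls(data, sector_size=512):
    """Return URL remnants found in raw bytes, ordered by byte offset."""
    hits = []
    for pattern, codec in ((ASCII_URL, "ascii"), (UTF16_URL, "utf-16-le")):
        for m in pattern.finditer(data):
            # Look at the bytes just before the URL for the history prefix.
            before = VISITED.search(data[max(0, m.start() - 80):m.start()])
            hits.append({
                "offset": m.start(),
                "sector": m.start() // sector_size,  # where to look in the image
                "encoding": codec,
                "url": m.group().decode(codec),
                "user": before.group(1).decode("ascii") if before else None,
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample standing in for unallocated sectors: zero fill, one
# history remnant, one UTF-16LE URL, then non-text bytes.
SAMPLE = (
    b"\x00" * 600
    + b"Visited: jdoe@http://www.example.com/login.php?id=7\x00"
    + b"\x00" * 100
    + "http://intranet.example.net/report".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x10" * 20
)

if __name__ == "__main__":
    for hit in carve_urls(SAMPLE):
        print(hit["sector"], hit["offset"], hit["encoding"], hit["user"], hit["url"])
```

Run it against a read-only copy of the image or an exported unallocated-space file, never the original evidence drive.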
(@femur)
Posts: 6
Active Member
 

TAZBV, Linux, Mac, Windows? IE, Firefox? (or others)

 
Posted : 16/06/2005 2:01 pm