Multiple deleted index.dat files from the recent past


paul206
Senior Member
 

Multiple deleted index.dat files from the recent past

Posted: Sep 29, 11 19:24

I am thinking that I am seeing evidence of an internet history scrubber having been used because I have a Windows XP user profile that has an index.dat file at the moment but FTK is also showing deleted copies from 5/27, 3/22, 3/21 and 3/08/2011. Is this a reasonable conclusion?  

Last edited by paul206 on Sep 29, 11 22:33; edited 1 time in total
 
  

mjantal
Member
 

Re: Multiple deleted index.dat files from the recent past

Posted: Sep 29, 11 21:36

I wouldn't make that conclusion without quite a bit more artifacts/evidence than the existence of deleted index.dat files. First question would be, what is your definition of "history scrubber"? Have you considered InPrivate browsing mode as an explanation? If the recovered index.dat files are for webcache, this could be an explanation. If you are specifically interested in looking for evidence that an application of this nature was executed, you may want to focus on registry artifacts, prefetch files, jump lists, etc. (depending on the OS).  
 
  

Xennith
Senior Member
 

Re: Multiple deleted index.dat files from the recent past

Posted: Sep 29, 11 22:34

I see the logic, but if there was a history scrubber then there wouldn't be any index.dat files left. You can of course check the installed programs etc.

Isn't it more likely that a user has used the "delete internet history" button in IE? Check the default browser for a start and then if it is IE, do a little experiment: surf the web and change the clock, surf a little more after a restart and then delete the history and see what happens.
 
