Join Us!

Encase how to get t...
 
Notifications
Clear all

Encase how to get temporary internet files, history  

  RSS
jimmysparrow
(@jimmysparrow)
New Member

I have already grabbed the drive, but when I am looking through the folders there is temporary internet files and history but there is nothing in them, how do I see them?

Quote
Posted : 19/03/2019 7:04 pm
hommy0
(@hommy0)
Member

HI,

There is not much to go on in the post, are you looking to manually review the temporary internet files or want EnCase to process for them.

Also what browser are you investigating and for which operating system?

If you want EnCase to automate the parsing of internet artefacts (including the internet cache) this can be achieved using the Evidence Processor (assuming version 7 / 8 )

Once processed the results can be reviewed from View/Results (for EnCase 7) or View/Artifacts (for EnCase 8).
You will see the name of the evidence and the Internet category, click the adjacent hyperlink and the artefacts should be displayed. These are separated by browser and artefact type.

Regards

ReplyQuote
Posted : 20/03/2019 10:41 am
pbobby
(@pbobby)
Active Member

I have already grabbed the drive, but when I am looking through the folders there is temporary internet files and history but there is nothing in them, how do I see them?

You may not be looking in the right place.

ReplyQuote
Posted : 20/03/2019 2:51 pm
jimmysparrow
(@jimmysparrow)
New Member

HI,

There is not much to go on in the post, are you looking to manually review the temporary internet files or want EnCase to process for them.

Also what browser are you investigating and for which operating system?

If you want EnCase to automate the parsing of internet artefacts (including the internet cache) this can be achieved using the Evidence Processor (assuming version 7 / 8 )

Once processed the results can be reviewed from View/Results (for EnCase 7) or View/Artifacts (for EnCase 8).
You will see the name of the evidence and the Internet category, click the adjacent hyperlink and the artefacts should be displayed. These are separated by browser and artefact type.

Regards

Hi, I am manually looking to see the browser history of possibly google chrome, firefox, and IE. I already ran the process with internet cache checked. I am on Encase v.807. On downloads it just says WebCacheV01.dat, and in "History", allthe file names just say History

ReplyQuote
Posted : 20/03/2019 3:55 pm
hommy0
(@hommy0)
Member

EnCase will display the file as webcacheV01.dat since that is where current versions of internet explorer and edge keep its records relating to browsing activity.

Under the category of Internet Explorer/History (for example) you will see history records; cookies; and downloads. The adjacent table will display the individual records, scrolling to the end of the table and you should see the record contents (URL etc) if any column is missing these can be activated using the show columns drop-down.

The cache for IE will reference the file name of the object in the cache, and also at the end of the table will be URL information.

On the lower view pane, there is a Fields tab that will also show the record information.

If the browser types Mozilla 3 (windows/Mac); Mozilla (windows/Mac); and Chrome (windows) are missing your user might not have been using Firefox or Chrome.

EnCase will identify artifacts for supported browsers, there is no manual selection.

A manually check of the User profile and program files may help confirm if these additional browsers are in use.

Could you post a screen capture of what encase is showing you?

Regards

ReplyQuote
Posted : 20/03/2019 4:23 pm
jimmysparrow
(@jimmysparrow)
New Member

EnCase will display the file as webcacheV01.dat since that is where current versions of internet explorer and edge keep its records relating to browsing activity.

Under the category of Internet Explorer/History (for example) you will see history records; cookies; and downloads. The adjacent table will display the individual records, scrolling to the end of the table and you should see the record contents (URL etc) if any column is missing these can be activated using the show columns drop-down.

The cache for IE will reference the file name of the object in the cache, and also at the end of the table will be URL information.

On the lower view pane, there is a Fields tab that will also show the record information.

If the browser types Mozilla 3 (windows/Mac); Mozilla (windows/Mac); and Chrome (windows) are missing your user might not have been using Firefox or Chrome.

EnCase will identify artifacts for supported browsers, there is no manual selection.

A manually check of the User profile and program files may help confirm if these additional browsers are in use.

Could you post a screen capture of what encase is showing you?

Regards

https://imgur.com/a/xGfH64j

this is what i am looking at, I appreciate your help

ReplyQuote
Posted : 20/03/2019 4:37 pm
hommy0
(@hommy0)
Member

The screen capture helps a lot.

So it looks like you have Internet Explorer (not unexpected); and Google Chrome

What is being highlighted in the screen capture is the Google Chrome history. The file is called History since the SQLite database that stores Chrome history is called "History" and EnCase has parsed each record from that database. If you scroll across that table you should see the URL information, or using Fields on the lower view pane (2 tabs across from Picture).

The table is dynamic and the scroll bar continue to adjust, just release it and it may have additional content.

If in the table if you think columns are missing use the show columns drop-down and turn on columns

Regards

ReplyQuote
Posted : 20/03/2019 4:55 pm
jimmysparrow
(@jimmysparrow)
New Member

Oh wow, I feel really dumb now. I just didn't scroll bar over, another question do you have problems grabbing internet artifacts on SSDs? I ran the process on a SSD and it didn't grab anything.

ReplyQuote
Posted : 20/03/2019 5:01 pm
hommy0
(@hommy0)
Member

All good!!

Not normally an issue, I have captured internet artefacts many times from devices using SSD's for storage.

Not sure if anyone else has experienced this issue

Regards

ReplyQuote
Posted : 20/03/2019 5:06 pm
Share: