
Browsing Trail  

tazbv
(@tazbv)
New Member

I am relatively new to computer forensics and I would like to know how you would determine what Web pages were visited after the History and cookies have been cleared?

Posted : 12/06/2005 4:38 am
keydet89
(@keydet89)
Community Legend

Well, first you'd have to image the drive, and then recover deleted files…if that's possible. When I say, "if that's possible", what I mean is that when you "clear the history", you don't actually have to delete the file (i.e., index.dat, etc.) and then create a new one…you can simply reduce the size of the file to zero bytes, and save it. That frees up the subsequent sectors, and if they aren't overwritten, you may be able to reconstruct some data from there.

You can also attempt to recover the deleted cached files.

Depending upon the specific operating system and web browser, you may have other options. For example, on Windows platforms, there are Registry entries for items such as addresses typed into the Address bar in IE.

On a live system, you may find AutoCompletion and/or username/password information on the system, either in the Registry (depending on browser and web site) or in Protected Storage.

Hope this helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 13/06/2005 11:19 pm
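
The recovery idea in the reply above (index.dat truncated to zero bytes, its old sectors left in unallocated space) can be sketched as a small carver. This is an added example, not code from any poster in this thread. It assumes the commonly documented index.dat record layout, which the post itself does not describe: a `URL ` signature followed by a little-endian count of 128-byte blocks. The function names and the sample buffer are constructed for illustration.

```python
import re
import struct

BLOCK = 0x80  # assumed index.dat allocation unit: 128-byte blocks
URL_RE = re.compile(rb"(?:https?|ftp|file)://[\x21-\x7e]+")

def carve_url_records(data, max_blocks=64):
    """Return [(offset, url)] for plausible 'URL ' records in a raw buffer."""
    hits = []
    for m in re.finditer(rb"URL ", data):
        off = m.start()
        # Assumption: buffer starts on a sector boundary, so records stay 128-byte aligned.
        if off % BLOCK or off + 8 > len(data):
            continue
        (blocks,) = struct.unpack_from("<I", data, off + 4)
        if not 1 <= blocks <= max_blocks:
            continue  # implausible length: the signature match is a coincidence
        # Slicing tolerates a record whose tail was overwritten or cut off.
        record = data[off:off + blocks * BLOCK]
        url = URL_RE.search(record, 8)
        if url:
            hits.append((off, url.group().decode("ascii")))
    return hits

def make_record(url, blocks):
    """Build a constructed record: signature, block count, filler header, URL string."""
    body = b"URL " + struct.pack("<I", blocks) + b"\x00" * 0x60 + url + b"\x00"
    return body.ljust(blocks * BLOCK, b"\x00")

def build_sample():
    """Constructed 'unallocated space': slack, a full record, a decoy, a cut-off record."""
    rec1 = make_record(b"Visited: tazbv@http://www.example.com/page.html", 2)
    decoy = b"see URL http://decoy.example/ in text".ljust(BLOCK, b"\x00")
    rec2 = make_record(b"http://mail.example.org/inbox?id=7", 3)[:0xA0]  # tail lost
    return b"\x00" * 512 + rec1 + decoy + rec2

if __name__ == "__main__":
    for offset, url in carve_url_records(build_sample()):
        print(f"0x{offset:06x}  {url}")
```

Against a real image the same function would be fed unallocated clusters exported by the imaging tool, and every hit treated as a lead to corroborate, since carved records carry no guarantee of which file or user they came from.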
femur
(@femur)
New Member

TAZBV, Linux, Mac, Windows? IE, Firefox? (or others)

Posted : 16/06/2005 3:01 pm