Confirming User Accessed a URL & Not Malware that Planted/Accessed it

I'm relatively new to forensics, but I have seen in The Art of Memory Forensics by Ligh, Case, Levy, and Walters that malware can "delete entries in the IE cache by using the DeleteUrlCacheEntry API. Likewise, keep in mind that you can use CreateUrlCacheEntry to methodically plant a history entry, even if the URL wasn't accessed on the machine..."

I'm aware that this is possible, but during an investigation, how can you confirm that the malware created these entries?

Also, can you confirm whether these actually connected to the planted site's server, or whether they were just planted solely in the history?

Does anyone know of any real-world examples of this actually happening that can be reviewed (case studies, articles, etc.)?

Posted : 27/01/2022 2:39 am