I have a laptop with CP only in unallocated. I am trying to determine if there are logs, or MRUs, that track when IE history was cleared. I have run RegRipper (Thanks Harlan), but found nothing that indicates this, unless I missed it, or may not be exactly sure what to look for. There are no third-party applications, such as CCleaner, that would do this. The computer is a Vista, Home Premium, and only in use since July '08. Any thoughts or suggestions appreciated.
User Assist Spy?
Can you confirm that something like CCleaner hasn't been installed then uninstalled.
Also is the Hard Drive the original that came with the unit?
Is the unit brand new or was it obtained second hand?
Only ask as it could be that a previous owner reinstalled the OS thinking that would wipe any evidence.
Have you looked at the registry restore points?
http://128.175.24.251/forensics/restorepoints.htm
I gather Harlan was going to include RP functionality in RegRipper but I'm not sure if he did yet…
Hi Anti-curse
Any clue how they were downloaded, LimeWire, Kazaa etc.? Have you looked for downloads.dat / .bak files or bits of them in the unallocated?
I have found that sometimes a title in the downloads.dat is so descriptive you can match it to an image or video file content. Not ideal but good circumstantial.
I'm curious as to the avenue of investigation you're taking here. I'd be interested to hear what you hope to determine from being able to pinpoint when the history was deleted?
Have you run something like Histex or cacheback over the unallocated space on the drive?
What kind of success have you had with keyword searches?
I take it from your post that you have only found files in unallocated areas, is this as a result of a data carve over the whole case?
If you are working with a mountable image file you can, as suggested by DFICSI, mount the image as a physical disk and run Histex over the volume or volumes. This will give you all the Internet history records that have not been overwritten. The results however will not assist you in showing the provenance of the images you have recovered since you have no file names to relate to the Internet history records. Do any of the recovered images contain EXIF data?
Instead of determining when the history was cleared, would it be useful to carve index.dat records out of unallocated clusters? I have had success using both EnCase grep and Scalpel to carve these records. Try searching for items in the format of
:YYYYMMDDYYYYMMDD: any_text_here\x00
Where the line literally starts with a colon character followed by 16 digits, followed by a colon, followed by a single space. The line will be terminated by a null (zero) byte. The "any_text_here" will be the username and the URL visited in the form of "user@http://
Also search for
Visited: any_text_here\x00
Both will carve entries from unallocated (might work on pagefile.sys and hiberfile.sys too) showing IE history start/end date range, userid, and URL.
If you use EnCase, the grep expression is
:################: [\x21-\x7e]+\x00
or
Visited: [\x21-\x7e]+\x00
If you use Scalpel, the syntax for the scalpel.conf file is
ttp n 500 http:// \x00
tps n 500 https:// \x00
Hope this helps.
One additional thought - by finding all of the deleted index.dat IE history file fragments that contain the start_date-end_date string at the beginning of the record, you can look at the records returned and sort by the date string.
The latest date string should tell you that the history was deleted after that date I think (need to test/verify). Not the exact date it was cleared, but at least you know the data existed up through that date.
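As an added example (not code from any poster in this thread), the Python below carves the two record shapes described above, the ":YYYYMMDDYYYYMMDD: user@URL\x00" range record and the "Visited: user@URL\x00" record, out of a raw byte buffer such as exported unallocated clusters, and then applies the follow-up idea of taking the latest range end date as the earliest point at which the history could have been cleared. The sample bytes, user name and URLs are constructed for the demonstration.

```python
import re
import sys
from datetime import datetime

# Constructed stand-in for a dump of unallocated clusters: two range records
# and one Visited record, with junk bytes between them.
SAMPLE = (
    b"\x00\x11junk" + b":2008100620081013: alice@http://example.com/page1\x00"
    + b"\xff\xfe" + b"Visited: alice@http://example.com/page2\x00"
    + b"\x00" * 4 + b":2008091520080922: alice@http://example.net/\x00"
)

# Byte-regex versions of the two signatures from the thread. The 16 digits
# between the colons are the start and end dates of a history range; the
# payload is printable ASCII terminated by a null byte.
RANGE_RE = re.compile(rb":(\d{8})(\d{8}): ([\x21-\x7e]+)\x00")
VISITED_RE = re.compile(rb"Visited: ([\x21-\x7e]+)\x00")

def _split_user_url(payload):
    # Payloads look like 'user@http://...'; tolerate records without a user part.
    text = payload.decode("ascii")
    if "@" in text:
        user, url = text.split("@", 1)
        return user, url
    return None, text

def carve(blob):
    """Return a list of record dicts found anywhere in the byte blob."""
    records = []
    for m in RANGE_RE.finditer(blob):
        start = datetime.strptime(m.group(1).decode(), "%Y%m%d").date()
        end = datetime.strptime(m.group(2).decode(), "%Y%m%d").date()
        user, url = _split_user_url(m.group(3))
        records.append({"type": "range", "start": start, "end": end,
                        "user": user, "url": url, "offset": m.start()})
    for m in VISITED_RE.finditer(blob):
        user, url = _split_user_url(m.group(1))
        records.append({"type": "visited", "start": None, "end": None,
                        "user": user, "url": url, "offset": m.start()})
    return sorted(records, key=lambda r: r["offset"])

def latest_range_end(records):
    """Latest end date among range records: history existed at least until then."""
    ends = [r["end"] for r in records if r["type"] == "range"]
    return max(ends) if ends else None

if __name__ == "__main__":
    # Pass a path to a raw dump to carve it; with no argument, use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    recs = carve(data)
    for r in recs:
        print(r["offset"], r["type"], r["start"], r["end"], r["user"], r["url"])
    print("history present at least through:", latest_range_end(recs))
```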