if a user has used a "deletion program" that has left no cache on her machine. Where could I find other information for my investigation on her past internet activities?
anyone has any ideas?
If the deletion hasn't been done in a thorough way (wiping, or something similar) but the user has just selected the files and deleted them you could recover a lot of stuff with FTK, EnCase or something similar…
Even if the files are no longer in the allocated space, you could try looking for typical HTML tags in the unallocated space and trying to recover as many pieces of complete pages you could.
If you have a .dat file reader you can open the index.dat within the browser temp internet files and cookies and get all the information that has been deleted. This is the reason you can't delete an index.dat file.
Hi,
The program NetAnalysis can scan the hard drive looking specifically for deleted index.dat files, or at least the entries within the files. It can then display the contents showing dates, times, web addresses and logged on user.
Steve
Hi!
Try to find with WinHex in unallocated space.
In my case I had only e-mail address. There was Mozilla in WinXP, all caches clear.
I find many information about dates and times internet activities, site`s addresses.
Igor
I have never ever seen a computer which didn't have internet history available for extraction from the disk. It is almost impossible for the user to remove this trace. However, I am not going to go into too much detail on an open forum.