Hello,
I have a case in which the suspect only had the computer for 2 days prior to seizure.
In looking at websites of interest, I see some have quite large numbers (238, 236, 118, 219, 37, 15, etc).
Some come from index.dat and some come from volume shadow copies.
There is a general progression of the count going up. Sometimes it will jump quite a bit, but nothing that isn't humanly possible. There is also at least one instance of it going down.
I am using IEF, however, for those I listed I have verified them by hand.
Here is an example domain:
Main History 12/21/2011 700 http//example.domain.com/ 120
Main History 12/21/2011 700 http//example.domain.com/ 120
Main History 12/21/2011 744 http//example.domain.com/ 137
Main History 12/21/2011 744 http//example.domain.com/ 137
Main History 12/21/2011 744 http//example.domain.com/ 137
Main History 12/21/2011 744 http//example.domain.com/ 137
Main History 12/21/2011 744 http//example.domain.com/ 137
Main History 12/21/2011 744 http//example.domain.com/ 137
Main History 12/21/2011 744 http//example.domain.com/ 137
Main History 12/21/2011 904 http//example.domain.com/ 166
Main History 12/21/2011 929 http//example.domain.com/ 168
Main History 12/21/2011 954 http//example.domain.com/ 169
Main History 12/21/2011 954 http//example.domain.com/ 169
Main History 12/21/2011 1057 http//example.domain.com/ 176
Main History 12/21/2011 1127 http//example.domain.com/ 179
Main History 12/21/2011 1300 http//example.domain.com/ 237
Main History 12/21/2011 1809 http//example.domain.com/ 238
Main History 12/22/2011 1528 http//example.domain.com/ 84
Main History 12/22/2011 1528 http//example.domain.com/ 84
Main History 12/22/2011 1528 http//example.domain.com/ 84
I excluded daily history, but none of the recovered fragments are even close to 120 hits. In this instance, the highest was 4 hits (at 12/21/11 at 123047 UTC).
Any insight or help would be greatly appreciated.
There was a nice write-up a few months back on the Digital Detective blog about this
Not sure if it'll answer your question, but it's definitely an interesting read…
Putting the actual domain names up sometimes helps because of the way a certain site may react to that situation; another examiner may have encountered that and be able to tell you what happened in their instance.
So, I pondered this last night. Even if the hit counter is doubtful, would I not be correct in saying that this domain was visited at least 10 times (10 different date/times, 10 different hit counts)?
armresl, I changed the domain for two reasons. First, this is a CP case, and I'd rather not advertise a domain (active or not) that contains/contained that material. Second, this is a solitary example, but I have many such domains with counts that are higher than one would expect from an internet user.
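An added example, not part of the thread and not output from IEF: a short Python script that collapses the recovered rows listed above into distinct (timestamp, hit count) states, then reports the change between successive states so that any drop in the counter stands out for manual review. It assumes the time column is HHMM with the colon lost in the post; the function and variable names are illustrative.

```python
from datetime import datetime

# Rows from the post as (date, time, hit count, copies recovered).
# Assumption: the time column is HHMM with its colon lost ("700" = 07:00).
RECOVERED = [
    ("12/21/2011", "700", 120, 2), ("12/21/2011", "744", 137, 7),
    ("12/21/2011", "904", 166, 1), ("12/21/2011", "929", 168, 1),
    ("12/21/2011", "954", 169, 2), ("12/21/2011", "1057", 176, 1),
    ("12/21/2011", "1127", 179, 1), ("12/21/2011", "1300", 237, 1),
    ("12/21/2011", "1809", 238, 1), ("12/22/2011", "1528", 84, 3),
]
# Expand to one tuple per recovered copy, as the rows appear in the post.
ROWS = [(d, t, h) for d, t, h, n in RECOVERED for _ in range(n)]

def distinct_states(rows):
    """Collapse identical copies (index.dat and shadow copies) into one
    (timestamp, hit count) state each, sorted chronologically."""
    states = {(datetime.strptime(f"{d} {t.zfill(4)}", "%m/%d/%Y %H%M"), hits)
              for d, t, hits in rows}
    return sorted(states)

def transitions(states):
    """Return (previous time, current time, hit delta, elapsed minutes)
    for each pair of successive states."""
    return [(t0, t1, h1 - h0, int((t1 - t0).total_seconds() // 60))
            for (t0, h0), (t1, h1) in zip(states, states[1:])]

def decreases(states):
    """Transitions where the counter dropped; flag these for manual review."""
    return [tr for tr in transitions(states) if tr[2] < 0]

if __name__ == "__main__":
    states = distinct_states(ROWS)
    print(f"{len(ROWS)} recovered rows -> {len(states)} distinct states")
    for t0, t1, delta, minutes in transitions(states):
        flag = "  <-- counter went down" if delta < 0 else ""
        print(f"{t0:%m/%d %H:%M} -> {t1:%m/%d %H:%M}  "
              f"{delta:+5d} hits in {minutes:4d} min{flag}")
```

On the rows in the post this yields 10 distinct states from 20 recovered rows and a single drop, from 238 to 84, between the last 12/21 entry and the 12/22 entry.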