Are people using the Internet Explorer RecoveryStore aka Travelog artifact? There is currently not much writeup and research on it and it is limited in scope. But if your evidence lies in internet history, this is a good place to look.
I want to know (like Harlan in a previous post) if anybody else has used this artifact in an active case.
I myself have been lazy in documenting the format. There is a basic writeup on my blog from a few months back and I am going to be soon (?) releasing a whitepaper on its format. I also have written an encase enscript parser which I have been wanting to port to a windows exe.
Yogesh,
If you happen to have a sample file you can share, I would appreciate it if you could send me a copy at keydet89 at yahoo dot com…I have some recent experience writing parsers for data structures similar to what you described in your post, and I think I could write something up.
Thanks.
Harlan,
Check your email, I have sent you a sample file, and parsed output. I guess you did not read my reply for your post on my blog. I have already written a parser enscript (which you can download from the blog), to break apart the elements, some interpretation is now required. Any additional research is most welcome.
Thanks
Yogesh,
Thanks, I did receive what you sent. And I did read your blog…which says
"Update An encase script is not available for download here to parse out travelog info."
Note that is says "not" available.
Based on your above response, I followed the link, and found that it is to an EnPack. As I do not use EnCase, there isn't much I can do with this.
Are you willing to share the uncompiled version of the EnScript, or just the details of parsing the various streams?
Thanks.
Sorry, fixed the typo, I meant to say "now" instead of "not". Code will be available soon once i clean it up a bit.
