IE6 Cached Images Missing

There is a limit to the size of the cache. So maybe other files pushed out the images?

Or maybe the user was running low on disk space and right clicked on C drive and clicked on "Disk Cleanup". But in this case one would expect the find something in unallocated space. Unless the disk was near full.

Additionally, the HTTP protocol allows a response to define a a response as no-cache or no-store so it could be that the file never made it into the cache?

http//www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1

(actually I don't think no-cache ensures that the file is not stored, only that it should always be re-downloaded)

No idea if that'd be the case here, but something to be aware of maybe?

There is a limit to the size of the cache. So maybe other files pushed out the images?

Or maybe the user was running low on disk space and right clicked on C drive and clicked on "Disk Cleanup". But in this case one would expect the find something in unallocated space. Unless the disk was near full.

I'm still per plexed. The images I have, about a dozen, are from early May. The Cached data in the Content.IE5 folders runs through the end of June. The fact that I have so much browser history, including JPGs, tells me that the user did not run clean up or delete the browser history.

As for cache size limits I would think it would roll out the old stuff first.

Another funny thing is I have JPGs all the way till the end of June, just not the inapproperate ones from the websites that were visited.

Very strange. If you have any other thoughts I'd love to hear them…

~C

Additionally, the HTTP protocol allows a response to define a a response as no-cache or no-store so it could be that the file never made it into the cache?

http//www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1

(actually I don't think no-cache ensures that the file is not stored, only that it should always be re-downloaded)

No idea if that'd be the case here, but something to be aware of maybe?

Thanks for the reply. I had read something about no-cashe before. It's my understanding that "no-cache" is something that would be written into the code on the website being browsed. Not a setting on the client.

To test this I browsed to one of the pages the user had gone to. I saw from the HTML in the cached file that there should be an image on the page. When I opened the page in my browser sure enough there was a nude image of a popular actress on the screen.

I checked my owen Intrernet history folders and imeadiatly found the image stored on my hard drive. But this image can not be found on the subject PC, even after I scowered unallocated space for a deletion.

I've already submitted my report on this indivigual. I would like to get to the bottom of this for my own edification. If you have any other thoughts, I'm all ears.

Thanks…

~C

While I don't think it is going to help with your case, you can check a web site's caching policy using wget with the -S parameters.

For example here is a wget from our site for an image file,

C\WGet>wget -S www.osforensics.com/images/discover_recentactivity.jpg

–092314– http//www.osforensics.com80/images/discover_recentactivity.jpg
=> `discover_recentactivity.jpg'
Connecting to www.osforensics.com80… connected!
HTTP request sent, awaiting response… 200 OK
2 Date Thu, 11 Aug 2011 232332 GMT
3 Server Apache/2.2.19
4 Last-Modified Mon, 13 Sep 2010 013023 GMT
5 ETag "717e-4901a0a49c9c0"
6 Accept-Ranges bytes
7 Content-Length 29054
8 Cache-Control max-age=604800
9 Expires Thu, 18 Aug 2011 232332 GMT
10 X-UA-Compatible IE=EmulateIE7
11 Connection close
12 Content-Type image/jpeg
13

0K -> ………. ………. …….. [100%]

092316 (28.37 KB/s) - `discover_recentactivity.jpg' saved [29054/29054]

The bolded lines 8 and 9 in the HTTP header are the interesting ones. But the browser isn't forced to obey these fields however.

Here are some another thoughts.

Maybe the site changed since May. Maybe the images you are seeing now weren't there in May?

Maybe the caching policy changed at the site since May?

Maybe the IE caching policy is not to delete the oldest files when space is needed, but to delete the least used files first. This is just speculation. I don't really know how they coded it.

Did you check the size of the cache and compare that to the setting in IE6, to see if the cache had reached it's limit.

Hi All,

I'm running an Internet history on a user who had some porn on the PC. I found some inapproperate images but not as many as I would expect. Looking at the cached HTLM files, visited links and typed URLs there should be an abundance of very explicit images.

Any thoughts you have are appreciated.

~Craig

If you think the jpegs are still there, try using the demo of Adroit Photo Forensics to do a recovery. It searches almost everything for embedded photos and does jpeg byte carving across the unallocated space to find photos. If your jpegs are present in the system (deleted or not) it should find them.

*Edit - Sorry forgot to disclose that I am from the company that makes APF

If I understand your methodology as you explained, you visited the site - that contained the images of note - on your own pc and the images of note were then cached - as one would expect - in your own profile cache. This is a very risky experiment as I assume images of note are now on your own pc. Please correct me if my interpretation of your methods are wrong as I hope you performed your test in 'offline' mode and you are simply asking why the images of note appeared in your test (from cache in offline mode) but do not appear to be in the cache folders!

If the latter is the case, the images have to be cached somewhere on the suspects machine in order for the browser to present them in offline mode.

On the other hand…
It may be that for some reason they were not fully cached due to a network failure or the user turned off images for the session or site; or as previously mentioned the cache for this activity has been selectively deleted leaving artefacts either side.

If you have copies of the images in question (control images), you may try executing a hash map analysis - using EnCase - in order to determine if any hash maps of sectors on the suspect drive are identical to hash maps of sectors that contain your control images. A positive result would at least go some way to supporting the argument that selective internet history deletion had occurred.