Hello,
I am performing an exam and I am researching the Internet usuage. I know that the individual went to a certain website b/c the network logs indicate so. When I look at the image I have many different index.dat files for this user, but they all come back as No Internet Activity found when I browse them in WebHistorian. I even tried another tool with no luck. There is no other browser on the system. Anyone know why the index.dat would return No Internet Activity found? I would think that atleast one would return something. If the Internet activity was purged would their still be an index.dat file? The dates go back months and years for the several different index.dat files. Oh and why are there more tan one? I have found some good articles online but none answer these questions.
Thanks,
What are the sizes of the index.dat files? Have you opened any of them with a hex editor to see if they have any content? What is the other tool you used? Are there any cached files in the TIF folder(s)?
Keydet89,
Yes I have previewed the files in Encase, some of the files are 1.4kb, some are 500kb etc. I undersant the files that are only 1.4kb, but what created them and limited them to that size. What about the larger ones? That is what I don't understand. Why would these files be created w/ no or garbage data. The TIF files are full of cached data. Are there any really good papers explaining index.dat files? There is a really good one on security focus called "web browser forensics", but it only got me so far.
Thanks,
If these index.dat's were purged, then the records may still be resident on the drive. I would suggest you purchase NetAnalysis and use the "Unallocated Extractor" to recover deleted history records. Other tools are capable of carving for the individual records, but I've not seen any that then wrap them up into an index.dat for analysis.
If you have the software tool "Net Analysis" I would sugget using it to view the internet history as it tends to pick up more web browsers than using an Encase internet history search.
csusama008…
> …as it tends to pick up more web browsers…
Not sure why that would be a rational for using NetAnalysis when the OP stated "There is no other browser on the system.". Under those circumstances, being able to "pick up more web browsers" really isn't a selling point, per se.
Sorry I misread the post.
If the user choose to not save history wouldn't that keep his history out of the index.dat files? And, there are a few of these things and I don't think they are all called index.dat too.
The Index.dat files may have been wiped. I have created a tool that I chose not to release that would overwrite the Index.dat file while the system was running. This would effectively wipe the information from within the file while leaving the file in place having the same size it had before the wipe took place. After re-booting the box and re-opening the Index.dat file in WinHex, the file headers are back in place, but not internet activity would have been reported. Something similar to this may have taken place.
you must confess what you have done to do such a thing.