Index.dat -- No Internet Activity Found

21 Posts
16 Users
0 Reactions
1,769 Views
(@jimmyw)
Trusted Member
Joined: 20 years ago
Posts: 64
 

The use of HstEx (in NetAnalysis) on the physical medium would be a good idea. Absent that, why not just search free clusters for the name of the site, as you may turn up a complete URL record.


   
ReplyQuote
(@adamd)
Eminent Member
Joined: 19 years ago
Posts: 46
 

Search the unallocated areas for "Client UrlCache" at offset 0 to find index.dat files.

Individual records within an index.dat file start with "URL " (note the space). If you can locate fragments you can normally append them to a standard Index.dat header (768 byte from memory) and process the records that way.


   
ReplyQuote
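As an added example (not code from any poster in this thread), here is a small Python carver along the lines adamd describes: it locates index.dat headers by signature and pulls "URL " records out of a raw buffer such as concatenated free clusters. The record layout it assumes (4-byte block count after the signature, FILETIMEs at +8 and +16, offset of the NUL-terminated URL string at +0x34, 128-byte allocation blocks) is the IE5-era index.dat format; the sample buffer is constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIG = b"Client UrlCache MMF Ver 5.2\x00"  # first bytes of an index.dat file
RECORD_SIG = b"URL "                            # start of a URL activity record
BLOCK = 128                                     # records are allocated in 128-byte blocks
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def find_index_dat_headers(data):
    """Return offsets of every index.dat file header signature in the buffer."""
    offs, pos = [], data.find(HEADER_SIG)
    while pos != -1:
        offs.append(pos)
        pos = data.find(HEADER_SIG, pos + 1)
    return offs

def carve_url_records(data):
    """Find "URL " records in a raw buffer; return offset, size, last-accessed, URL."""
    found, pos = [], data.find(RECORD_SIG)
    while pos != -1:
        if pos + 0x38 <= len(data):
            nblocks = struct.unpack_from("<I", data, pos + 4)[0]
            size = nblocks * BLOCK
            accessed = struct.unpack_from("<Q", data, pos + 16)[0]
            url_off = struct.unpack_from("<I", data, pos + 0x34)[0]
            # plausibility checks so stray "URL " hits in free space are skipped
            if 0 < nblocks < 64 and 0x40 <= url_off < size:
                end = data.find(b"\x00", pos + url_off, pos + size)
                if end != -1:
                    url = data[pos + url_off:end].decode("ascii", "replace")
                    found.append({"offset": pos, "size": size,
                                  "accessed": filetime_to_dt(accessed), "url": url})
        pos = data.find(RECORD_SIG, pos + 1)
    return found

def make_record(url, accessed_ft, nblocks=2):
    """Build a constructed record in the assumed layout (test data, not real IE output)."""
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = RECORD_SIG
    struct.pack_into("<I", rec, 4, nblocks)
    struct.pack_into("<Q", rec, 8, accessed_ft)     # last modified
    struct.pack_into("<Q", rec, 16, accessed_ft)    # last accessed
    struct.pack_into("<I", rec, 0x34, 0x68)         # URL string starts at +0x68
    rec[0x68:0x68 + len(url)] = url.encode()
    return bytes(rec)

# Constructed "unallocated space": zeros, one record, junk containing a stray "URL ".
FT_2008 = int((datetime(2008, 1, 1, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
SAMPLE = (b"\x00" * 300 + make_record("Visited: user@http://www.example.com/", FT_2008)
          + b"junk URL junk" + b"\xff" * 100)
```

Running `carve_url_records` over a real free-cluster dump gives record offsets, so the fragment can be copied out and appended to a good header for a normal index.dat parser, as the post suggests.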
(@cfoodeat)
New Member
Joined: 17 years ago
Posts: 1
 

I haven't tested this personally, but what if the user had a portable version of Firefox on a USB stick and used it to surf the web? The website www.Portableapps.com has a portable version of Firefox available that it claims does not leave a history of use on the host OS. That would explain a connection from a particular computer to a particular website on the network log without leaving an entry in the computer's index.dat file.

Anyone try this?


   
ReplyQuote
(@mmachor)
Trusted Member
Joined: 17 years ago
Posts: 70
 

cfoodeat, I have tried this, and true to its word there is no evidence left on the host machine. The only thing that I may suggest checking is the prefetch files and the registry to see if there is any evidence of such a browser being used.


   
ReplyQuote
Thomas
(@thomas)
Trusted Member
Joined: 19 years ago
Posts: 59
 

Hello Jakeaw03,

the temporary internet files and the index.dat file can be redirected, for example to a RAM drive (google for qsoft and ramdrive). All the files will be volatile, and therefore totally gone when the computer is turned off, including the index.dat file. Secondly, you should look at the installed applications and search the registry for applications which can make the temp. int. files vanish.


   
ReplyQuote
(@nemesis)
New Member
Joined: 21 years ago
Posts: 1
 

Over the past few years I have located two different programs that clear out or replace the index.dat files. The first is http://www.systenance.com/ and is called index.dat analyzer (index.exe), and another called cleanup! from http://www.stevengould.org/index.php?option=com_content&task=view&id=15&Itemid=223. This deletes the index.dat files and allows them to be recreated during a reboot.
I have not tested either fully but the first seems to work without testing using low level tools.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

You haven't given any network details but it may be possible to get at least a history of Internet usage if the system was attached to any kind of network where traffic analysis was being performed.

This would include home/individual machines connected to ISPs who do tracking, academic institutions and business, etc.

From these sources you may be able to at least establish the destination IP and port(s), the session times, and the number of packets transmitted/received.


   
ReplyQuote
(@larrydaniel)
Reputable Member
Joined: 17 years ago
Posts: 229
 

If you set the internet history retention to 0 days in IE it still keeps 7 days. In any case, just because the index.dat files don't give indication of internet activity does not mean there wasn't any. I would definitely do an HTML carve in EnCase with a set of keywords. Chances are you will find some web pages cached on the hard drive.

Did you look at the TypedURLs section of the registry?


   
ReplyQuote
(@paul206)
Trusted Member
Joined: 17 years ago
Posts: 70
 

This is a late reply but still worth posting. Whether you manually or automatically flush history, cookies and temp internet files, the index.dat will record them for the number of days to save as it is set in the internet options. If it is set to zero you are hosed. Many of my investigations are for porn in Internet Explorer and I have found that sometimes Mandiant will refuse to open a dat file by saying it is empty when I know it is not. I will look at it in Windows Explorer and it will be a couple of hundred kilobytes in size. When this happens I run it in Pasco and it shows me what really is there. It will not be a lot but it will be more than nothing. This usually happens to the cookie file. I rarely had a problem seeing the history in Mandiant. Of course I also run it in FTK so I can add it to my report, and Larry is right that if you are not seeing what you expect then it is time to run a data carve for html files. The only problem with those is that you lose ownership because there is no time stamp or path statement pointing to the user's profile. If it is a single user machine then it doesn't matter much anyway. We have multi user machines so showing ownership is critical for my work. Your graphics files are going to supplement your case against the guy. If you don't have much history you will usually find enough graphics to burn him with.


   
ReplyQuote
(@ci2019)
Trusted Member
Joined: 19 years ago
Posts: 53
 

Something to keep in mind is the possibility of using a bootable pen drive and booting into a new OS entirely, OR having a locally installed browser on the pen drive where the internet history is stored on that device. The Ironkey is just one example of a commercial application of that.

Just thinking outside the box (pun intended)

Jon


   
ReplyQuote
Page 2 / 3