Index.dat recovery

Hi,

I have been tasked with trying to find and recover any deleted index.dat files from an eo image, we appear to have an EnScript package McCallum Petterson Enscript suite which has an ‘Internet history parser- carver’ but this is for EnCase v4.

Does anyone know of any similar script which will work with EnCase 6.18?

Jay

Encase "Search for Internet History" in "comprehensive search" mode?

It's not a script, but I highly recommend the Net Analysis\HSTEX combo for this sort of work.

If it's Encase you are using, perhaps try running recover folders and file finder across the image. If you manage to recover any then copy/unerase and then import to netanalysis. I have never used Hstex but this looks like it might be fruitful! D

It's not a script, but I highly recommend the Net Analysis\HSTEX combo for this sort of work.

Agreed. While EnCase has it's place I have not found it's browser history to be a strong point. HstEx will carve an image very fast and the results can be displayed in NetAnalysis very easily to sort, filter, etc.

I have to agree that HSTEX is great for finding deleted internet history while NetAnalysis will give you a wealth of information for Internet History. It's well worth the $300.00 (Not sure of the price anymore). If you only have EnCase then the previous suggestions by the other posters are spot very helpful.

Though in all fairness to the original post, the question was about recovering the index.dat files.

In EnCaes it can be a little buried but under case processor -> information finders -> File Finders you will get to where you can carve for crap (technical term).

You can add a file type (headers/footers) or Import from File Signatures Table and find the Internet sigs and there are options for dat files.