Hopefully this is easily explained. I am using Encase v6.18 for analysis of a W7 hard drive. I ran the LNK file parser Enscript which provided several lnk files for review. I then ran the internet history parser which I understand will show internet history and windows explorer activity from the index.dat files. I have several files that show up that do not have LNK files associated with them. Do the files that show in the records tab for internet history mean they were accesses or opened? Why are there some for the explorer activity but no LNK file associated?
Thanks
I think you are working on a flawed assumption that LNK == Internet History which is not the case.
Yes you can get LNK files which point to URL's but that is not the norm.
LNK files are created by calls to SHELL32 (MSDN contains plenty of references).
Internet History, i.e. INDEX.DAT, is created by any application which uses WININET.DLL (or related functions) to open a resource on the internet. If you don't believe me open NOTEPAD.EXE then do 'File Open' and use "http//
Hope that helps
Alan
Hopefully this is easily explained. I am using Encase v6.18 for analysis of a W7 hard drive. I ran the LNK file parser Enscript which provided several lnk files for review. I then ran the internet history parser which I understand will show internet history and windows explorer activity from the index.dat files.
Sorry, I don't follow…can you elaborate on what "windows explorer activity from the index.dat files" is?
Why are there some for the explorer activity but no LNK file associated?
Because some "explorer activity" (do you mean Internet or Windows Explorer) does not necessarily generate LNK files.