I'm a fairly new forensic examiner and I was wondering what is the best way to locate search terms a suspect used or typed using EnCase? I already did an internet history search.
Registry analysis is your friend. Harlan Carvey makes a very nice tool for this.
The tool he's referring to is called RegRipper.
I assume you're referring to "searches on the Internet"?
Did you recover Internet history from unallocated space ?
You can also analyze the web history you found to see what search engine your suspect uses and study the URL structure of a query. Then, build up a regular expression from that and run an Encase search.
If you're using Encase, you should be familiar with the techniques …
Actually under the "Searches" tab there is a checkbox I marked called "Search for internet history" which recovered websites the user viewed including hits on Google. I viewed a few hits relating to Google; generally the information was found in search[3].htm. I am trying to exhaust all avenues in how to find search terms the user may have entered on the computer.
You could, in addition to the methods suggested, mount the forensic image using the EnCase Physical Disk Emulation module (or your preferred method) and extract all current and deleted index.dat records using the Histex function of the NetAnalysis tool.
This will return any complete records of Internet activity using Internet Explorer and hopefully will include the search terms you are looking for.
You could also run a data carve for HTML pages using search engine names as keywords in EnCase, you may get lucky.
If you are running an internet history search in Encase, do not run a comprehensive search unless you want your case to take hours to days to open. (Any version after 6.7 has this problem.)
If you have run the internet history search, you can go to the records tab and then use conditions to look for keywords to filter out everything except web searches. For instance, filter the URL Name for the word "search" and that will filter only the search engine URLs.
It is still messy, but it is one way to narrow it down.
You can also do a keyword search for just search engine terms. If you look on the Encase message boards, there is a post with a downloadable keyword file that has all of them ready to import into your case.
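A worked illustration of the approach suggested in two of the replies above (study the URL structure of each engine's query, then build a regular expression and a filter from it rather than matching the bare word "search"). This is added example code, not part of the thread and not anything EnCase or NetAnalysis ships: a Python script that pulls the typed terms out of search-engine URLs in recovered history records and out of raw text carved from unallocated space. The history lines and the carved blob are constructed sample data; the engine table assumes Google and Bing carry the terms in the `q` parameter and Yahoo in `p`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed query-parameter names per engine (q for Google/Bing, p for Yahoo).
# Each entry: engine name -> (hostname pattern, parameter that holds the terms)
SEARCH_ENGINES = {
    "google": (re.compile(r"(^|\.)google\.[a-z.]+$"), "q"),
    "bing": (re.compile(r"(^|\.)bing\.com$"), "q"),
    "yahoo": (re.compile(r"(^|\.)search\.yahoo\.com$"), "p"),
}


def identify_engine(host):
    """Return (engine, param) for a known search-engine hostname, else None."""
    for name, (pattern, param) in SEARCH_ENGINES.items():
        if pattern.search(host):
            return name, param
    return None


def extract_search(url):
    """Return (engine, typed terms) if url is a search query, else None.

    A URL on a search-engine host that lacks the query parameter (for example
    a Google result-redirect /url?... link) is not a search and yields None,
    which is why filtering on the word "search" alone is noisy.
    """
    parts = urlsplit(url)
    match = identify_engine((parts.hostname or "").lower())
    if not match:
        return None
    engine, param = match
    values = parse_qs(parts.query).get(param)  # parse_qs also decodes + and %20
    if not values:
        return None
    return engine, values[0]


def parse_history(lines):
    """Constructed history format: '<timestamp> <url>' per line; URL is last."""
    found = []
    for line in lines:
        result = extract_search(line.split()[-1])
        if result:
            found.append(result)
    return found


# Regex built from the same URL structure, for raw text carved from
# unallocated space where there are no clean records, only fragments.
RAW_QUERY_RE = re.compile(
    r"https?://(?:[\w.-]*\.)?"
    r"(?:google\.[a-z.]+|bing\.com|search\.yahoo\.com)"
    r"/[^\s\"'<>]*?[?&](?:q|p)=[^&\s\"'<>]+",
    re.IGNORECASE,
)


def carve_search_terms(blob):
    """Find URL-like fragments in raw text and decode the typed terms."""
    found = []
    for m in RAW_QUERY_RE.finditer(blob):
        result = extract_search(m.group(0))
        if result:
            found.append(result)
    return found


# Constructed sample data (not from any real case).
HISTORY_LINES = [
    "2013-04-02 10:15:03 https://www.google.com/search?q=how+to+wipe+a+hard+drive&hl=en",
    "2013-04-02 10:16:40 https://www.google.com/url?sa=t&url=http://example.test/wipe",
    "2013-04-02 10:20:11 http://www.bing.com/search?q=encase+forensic+tutorial&form=QBLH",
    "2013-04-02 10:25:59 http://search.yahoo.com/search?p=regripper%20download&fr=yfp",
    "2013-04-02 10:30:00 http://example.test/notasearch?q=ignored",
]

CARVED_BLOB = (
    "\x00\x00Visited: user@https://www.google.com/search?q=secure+delete+tool&ie=UTF-8\x00\x00"
    "garbage<a href='http://www.bing.com/search?q=file+shredder&go=Search'>link</a>"
    "http://example.test/search?q=not+an+engine"
)

if __name__ == "__main__":
    for engine, terms in parse_history(HISTORY_LINES):
        print(f"history  {engine:6s} {terms}")
    for engine, terms in carve_search_terms(CARVED_BLOB):
        print(f"carved   {engine:6s} {terms}")
```

The hostname table is the part to extend per case: once you know from the recovered history which engine the user favoured, add its host pattern and parameter name, and the same two functions cover both the clean records and the carved fragments.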
PSSP in the registry also can hold search terms - this is where autocomplete terms etc. are stored. In the NTUSER.dat file –> Software –> Microsoft –> Protected Storage System Provider –> Internet Explorer.
The terms are stored by website or parameter. So for example google searches are in the format of "