Remote Internet Explorer 10 history analysis

8 Posts
8 Users
0 Likes
882 Views
(@giggsteve8)
Posts: 1
New Member
Topic starter
 

Hey there, guys–

In my organization, I've used Nirsoft's Internet Explorer History Viewer (IEHV) to analyze Internet history for users that we are investigating. These are, for the most part, simply malware investigations, and I'm just grabbing the website they were visiting at the time of infection. Nothing big.

Anyway, this worked fine until our IE 10 deployment. I've read Nirsoft's blog about the new Jet Blue database webcache, etc. On the Nirsoft blog, he says that BrowserHistoryView will be able to read IE 10 history, but he specifically says it will NOT work on remote machines using admin shares (C$).

I've tested this, and he's correct. It doesn't work.

Can anyone suggest a tool that I can use to check IE 10 history remotely, via the c$? I'd like this to be as non-intrusive as possible, as IEHV used to be. Open source options are best, but at this point, I'm willing to buy some software.

I really appreciate your time; please let me know if I can provide any more information.

-Steve

EDIT: I apologize, I should have added that these are live machines we are checking; we would really like to avoid having to disrupt the user to log in ourselves.

 
Posted : 25/09/2013 9:51 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

At my previous workplace we implemented a proxy on the firewall, and all individual users' internet usage was logged.

Easy then to simply log in to the firewall and view the audit log for any user you like.

I offer this as an 'outside the box' solution to your current approach; this is obviously no good if you don't have a firewall with the appropriate logging capabilities.

 
Posted : 26/09/2013 7:16 am
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

I am not familiar with how IEHV works, but if all you need is access to the drive, give F-Response a try. It can connect to a remote machine and mount a drive locally through iSCSI. To Windows, the remote drive will appear to be a local, read-only drive.

 
Posted : 26/09/2013 8:30 pm
aeiforensics
(@aeiforensics)
Posts: 27
Eminent Member
 

Additionally, both Encase Enterprise and AccessData's LAB allow for remote clients to be sent out across a network and acquire an image of a system. I've not played with these techniques, but I believe that with both you would be able to mount the drive, navigate through the tree to the location of your choice and then analyze specific files remotely. I realize that this option would be expensive and require licenses for both products, but at least it is a lesser known alternative.

 
Posted : 19/10/2013 12:21 am
harryparsonage
(@harryparsonage)
Posts: 184
Estimable Member
 

We had Encase Enterprise in our office but we then went on to buy F-Response which we found much easier to use and I think it was a lot cheaper.

I recently tested F-Response on my own network to see if it was possible to use it to scan a remote machine with our ADF Triage Examiner tool and found it worked well although as expected it was slower than on a local machine.

I imagine F-Response would come in handy for you if you do this often. You can get a free evaluation of the ADF tool at http//shop.adfsolutions.com/ADF-Software-Evaluation-Kit-EVALKIT.htm . It will do what you want regarding Internet history and much more.

H

 
Posted : 19/10/2013 11:29 pm
 96hz
(@96hz)
Posts: 143
Estimable Member
 

Not wanting to sideline the thread, but a question about F-Response as a few people have mentioned it: do you need physical access to the machine you want to remotely access, or can you push over an agent? The version I used a while back required a dongle to be in the machines.

 
Posted : 20/10/2013 12:32 am
(@bithead)
Posts: 1206
Noble Member
 

96Hz - F-Response Tactical requires a dongle on the examiner and target machines; that is in an effort to make it easier to create the connection. Consultant and Enterprise only require a dongle on the examiner machine, and both can push an agent (with appropriate permissions) to the target machine. Consultant+Covert and Enterprise have a "stealthy" agent.

See the product matrix HERE.

 
Posted : 20/10/2013 6:23 am
JonN
(@jonn)
Posts: 73
Trusted Member
 

EnCase have had a Direct Network Preview facility since v7.06 - you can create a servlet, install it on a remote machine (physical access or using psexec, for example), then connect using the EnCase Forensic GUI; no need for the whole Enterprise setup for single connections now.

FTK has also had this facility for a while too, so depending on your needs you may not need other software to make the connection for you.

 
Posted : 20/10/2013 3:17 pm