Entries with tag "forensics"

Web Browser Forensics

Posted on May 19, 2005 at 12:32 PM in 'Random Crap I Found On The Internet' with tags 'computers, work, hacking, forensics, history'

This article on Web Browser Forensics (Part 1, Part 2) describes some of the tools and methods we use when investigating a suspected intrusion. I thought some of you might find it interesting/creepy to see how much information can be retrieved from the digital wake your web browser creates as you browse. Some of it is kind of technical, but if you're not interested in the details you can skim through part 1 and look at the screenshots of the various tools and get the gist of what's possible. Example: a cached Hotmail page.

The information described in the article is retrieved from the web browser's cache and history files. Internet Explorer ostensibly lets the user erase their cache and history, but it's interesting to note that the Content.IE5/index.dat and History.IE5/index.dat files — which contain the listing of visited URLs — are not erased when this occurs. In other words, IE will delete the cached content itself but preserves the list of URLs a user has visited. These files are locked by the operating system on startup, so they can't even be deleted manually under normal conditions. To remove them, you have to reboot your computer into command prompt mode and delete them from there. This "feature" has proved useful to us but not as beneficial for the users we've investigated.
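To make the point about index.dat concrete, here is an added example (not from the linked article or this post) that walks an index.dat-style file block by block and carves the URL strings still held in its records. The 128-byte block size, the `URL `/`REDR`/`LEAK` record tags and the block count at offset 4 are assumptions taken from public reverse-engineering of the format; the sample file is constructed inline so the script runs without a real profile.

```python
import re
import struct

BLOCK = 0x80  # assumption: records are allocated in 128-byte blocks
RECORD_SIGS = (b"URL ", b"REDR", b"LEAK")  # assumption: record type tags
URL_RE = re.compile(rb"(?:Visited: )?(?:[\w.-]+@)?[a-z][a-z0-9+.-]*://[\x21-\x7e]+")

def carve_url_records(data):
    """Walk the file block by block; return (offset, type, url) per record."""
    hits, off = [], 0
    while off + 8 <= len(data):
        sig = data[off:off + 4]
        if sig not in RECORD_SIGS:
            off += BLOCK
            continue
        (nblocks,) = struct.unpack_from("<I", data, off + 4)
        # A zero or oversized count means a damaged record: scan one block only.
        if nblocks == 0 or off + nblocks * BLOCK > len(data):
            nblocks = 1
        end = off + nblocks * BLOCK
        m = URL_RE.search(data, off + 8, end)
        if m:
            hits.append((off, sig.decode().strip(), m.group().decode("ascii")))
        off = end
    return hits

def build_sample():
    """Constructed stand-in for an index.dat: one header block, three records."""
    def record(sig, url):
        # Tag, block count placeholder, zero-filled header area, then the string.
        body = sig + b"\0" * 4 + b"\0" * 0x60 + url + b"\0"
        nblocks = -(-len(body) // BLOCK)  # round up to whole blocks
        body = body[:4] + struct.pack("<I", nblocks) + body[8:]
        return body.ljust(nblocks * BLOCK, b"\0")
    header = b"Client UrlCache MMF Ver 5.2\0".ljust(BLOCK, b"\0")
    return header + b"".join([
        record(b"URL ", b"http://mail.example.test/inbox?folder=1"),
        record(b"URL ", b"Visited: alice@http://intranet.example.test/" + b"a" * 120),
        record(b"LEAK", b"http://cdn.example.test/logo.gif"),
    ])

if __name__ == "__main__":
    for off, kind, url in carve_url_records(build_sample()):
        print(f"0x{off:04x} {kind:4} {url}")
```

Because the files are locked while Windows is running, an examiner would run this against a copy taken from a disk image rather than the live profile.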