Depending upon what this is for I'd advise you to be VERY careful. Forensics is a tricky science and if you might be going to court with this information phrases like "spoliation" and "chain of custody" are going to come into play.
My colleagues who do this stuff for a living would probably tell you that the very first thing to do is make a forensic image of the hard drive in question and do all of your investigation on that forensic copy - not the original.

That said you might check out HELIX and see if there are any tools in there that can help you.

Best wishes and aloha,

Ben M. Schorr
Chief Executive Officer
______________________________________________
Roland Schorr & Tower
www.rolandschorr.com <http://www.rolandschorr.com/>
[email protected]

From: John Meyers [mailto:[email protected]]
Sent: Friday, December 18, 2009 2:01 AM
To: NT System Admin Issues
Subject: Retrieving deleted IE and Firefox history Urgent

Good morning

I have a laptop I need to somehow salvage ALL the deleted internet history from. IE was set to only keep for 20 days, not sure what Firefox was at. But I need to retrieve EVERYTHING I possibly can. I think the user at some point did a defrag, which is making it more difficult.

I tried several analyzer programs that I loaded directly onto the pc to search with for recent activity, which I provided, then they brought it back and told me I needed to go deeper. At that point I removed the HD from it and only accessed it as an external drive to do the below listed attempts to retrieve the data. This is not normally my job, but I was asked to do it, and I'm not having much luck. I MUST have dates and times for the history, not just the sites.

I imaged it with ghost and tried to use FireFox History recovery, but it found nothing. I tried Armor Forensic's NAT Stealth, but it only gives sites accessed. I tried File Scavenger from quetek, and it finds lots of things like index.dat files, but when I try to read them with index.dat analyzer they mostly say that they are not index.dat files. It doesn't seem to find any history.dat's.

Can someone suggest what else I might try or some good forums for forensics?
Thanks
JR
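The original message reports carved files being rejected as "not index.dat" while dates and times are still required; the triage script below is an added example (not from either poster or from any tool named in the thread) that checks a carved file for the index.dat header and, when the header is gone, still pulls timestamped URL records out of the fragment. It assumes the publicly documented, reverse-engineered IE 5.2 cache record layout (the `URL ` tag, 128-byte blocks, and the field offsets in the comments), and it should only ever be pointed at the forensic copy.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

SIGNATURE = b"Client UrlCache MMF Ver "  # header of an intact index.dat
BLOCK = 0x80                              # records are allocated in 128-byte blocks
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, or None."""
    if ft == 0:
        return None
    try:
        return EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:  # garbage bytes decode to dates past year 9999
        return None


def is_index_dat(buf):
    """True when the buffer starts with the index.dat file signature."""
    return buf.startswith(SIGNATURE)


def carve_url_records(buf, min_year=1995, max_year=2030):
    """Return (offset, last_modified, last_accessed, url) for plausible URL records."""
    hits = []
    pos = buf.find(b"URL ")
    while pos != -1:
        if pos % BLOCK == 0 and pos + 0x38 <= len(buf):
            # Assumed layout: +4 block count, +8 modified, +16 accessed, +0x34 URL offset
            nblocks, modified, accessed = struct.unpack_from("<IQQ", buf, pos + 4)
            (url_off,) = struct.unpack_from("<I", buf, pos + 0x34)
            when = filetime_to_utc(accessed)
            if (1 <= nblocks <= 1024 and 0x38 <= url_off < nblocks * BLOCK
                    and when and min_year <= when.year <= max_year):
                raw = buf[pos + url_off:pos + nblocks * BLOCK].split(b"\0", 1)[0]
                hits.append((pos, filetime_to_utc(modified), when,
                             raw.decode("latin-1")))
        pos = buf.find(b"URL ", pos + 1)
    return hits


if __name__ == "__main__":
    # Usage: python carve_urls.py <carved file or working copy of the image>
    with open(sys.argv[1], "rb") as fh:  # read-only; never the original drive
        data = fh.read()
    print("intact index.dat header:", is_index_dat(data))
    for off, mod, acc, url in carve_url_records(data):
        print(f"{off:#010x}  accessed={acc}  modified={mod}  {url}")
```

The script reads its input into memory, so a full disk image should be split into pieces whose sizes are multiples of 0x80 first. The timestamps are UTC.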
