Moredata

In the course of an investigation learning the various web sites someone visited along with screenshots and the date and time can be useful evidence.

For example, in a trade secrets case a senior level employee may have attempted to bypass company email to use his private "web email" to communicate regarding stolen trade secrets. Getting screenshots of such web based email pages and related communications would be helpful to prove the theft of trade secrets.

In another example, an employee visited a web site to download illegal content in violation of a company's policies and subsequently erases such content from the "my documents" area and denies the download.

Obviously to "forensically" obtain web browsing history would be helpful in investigating matters involving illegal downloading or to help explain or verify other wrongful conduct.

How do you reconstruct web browsing history? In an area deep in the caverns of the Windows operating system resides "temp" and "cache" directories and files some of which are "hidden" that contains, usually by default, the data needed to reconstruct a robust web browsing history. For most users this type of data is relatively inaccessible in that it is hard to find and harder to reassemble into a useful form.

There are software tools available to computer forensic investigators to automatically reassemble web browsing history. One well established tool is NetAnalysis which scans a PC for the hard to find files stored in areas like temp and cache directories and processes the files and attempts to reassemble them into a web browsing log complete with screenshots and time and dates of visits. NetAnalysis goes further and even has functions that will attempt to find data in the file "slack" and other hard to analyze storage areas. NetAnalysis also includes a robust report writer feature that summarizes web browsing history by useful criteria, including date, time, and URL.

On the flipside, there are multiple tools to "wash" a computer of "hidden" web browsing history including most notably Webroot's Window Washer  software which also allows for "bleaching" a fancy word for military standard deletion with multiple overwrites.

From an investigation perspective there is a bit of a race - keep in mind that you had better capture the hard drive to run NetAnalysis before the alleged wrongdoer runs Window Washer.

Getting access to web browsing history can be an important part of an investigation and can make or break a case. NetAnalysis allows you to quickly, efficiently, and comprehensively forensically analyze hard to get at web browsing system files to recreate browsing history and optimize your evidence results.