±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 35657
New Yesterday: 3 Visitors: 145

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Encase how to get temporary internet files, history

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

jimmysparrow
Newbie
 

Encase how to get temporary internet files, history

Post Posted: Mar 19, 19 20:04

I have already grabbed the drive, but when I am looking through the folders there is temporary internet files and history but there is nothing in them, how do I see them?  
 
  

hommy0
Senior Member
 

Re: Encase how to get temporary internet files, history

Post Posted: Mar 20, 19 11:41

HI,

There is not much to go on in the post, are you looking to manually review the temporary internet files or want EnCase to process for them.

Also what browser are you investigating and for which operating system?

If you want EnCase to automate the parsing of internet artefacts (including the internet cache) this can be achieved using the Evidence Processor (assuming version 7 / 8 )

Once processed the results can be reviewed from View/Results (for EnCase 7) or View/Artifacts (for EnCase 8).
You will see the name of the evidence and the Internet category, click the adjacent hyperlink and the artefacts should be displayed. These are separated by browser and artefact type.

Regards  
 
  

pbobby
Senior Member
 

Re: Encase how to get temporary internet files, history

Post Posted: Mar 20, 19 15:51

- jimmysparrow
I have already grabbed the drive, but when I am looking through the folders there is temporary internet files and history but there is nothing in them, how do I see them?


You may not be looking in the right place.
_________________
Don't get baited. 
 
  

jimmysparrow
Newbie
 

Re: Encase how to get temporary internet files, history

Post Posted: Mar 20, 19 16:55

- hommy0
HI,

There is not much to go on in the post, are you looking to manually review the temporary internet files or want EnCase to process for them.

Also what browser are you investigating and for which operating system?

If you want EnCase to automate the parsing of internet artefacts (including the internet cache) this can be achieved using the Evidence Processor (assuming version 7 / 8 )

Once processed the results can be reviewed from View/Results (for EnCase 7) or View/Artifacts (for EnCase 8).
You will see the name of the evidence and the Internet category, click the adjacent hyperlink and the artefacts should be displayed. These are separated by browser and artefact type.

Regards



Hi, I am manually looking to see the browser history of possibly google chrome, firefox, and IE. I already ran the process with internet cache checked. I am on Encase v.807. On downloads it just says WebCacheV01.dat, and in "History", allthe file names just say History  
 
  

hommy0
Senior Member
 

Re: Encase how to get temporary internet files, history

Post Posted: Mar 20, 19 17:23

EnCase will display the file as webcacheV01.dat since that is where current versions of internet explorer and edge keep its records relating to browsing activity.

Under the category of Internet Explorer/History (for example) you will see history records; cookies; and downloads. The adjacent table will display the individual records, scrolling to the end of the table and you should see the record contents (URL etc) if any column is missing these can be activated using the show columns drop-down.

The cache for IE will reference the file name of the object in the cache, and also at the end of the table will be URL information.

On the lower view pane, there is a Fields tab that will also show the record information.

If the browser types Mozilla 3 (windows/Mac); Mozilla (windows/Mac); and Chrome (windows) are missing your user might not have been using Firefox or Chrome.

EnCase will identify artifacts for supported browsers, there is no manual selection.

A manually check of the User profile and program files may help confirm if these additional browsers are in use.

Could you post a screen capture of what encase is showing you?

Regards  
 
  

jimmysparrow
Newbie
 

Re: Encase how to get temporary internet files, history

Post Posted: Mar 20, 19 17:37

- hommy0
EnCase will display the file as webcacheV01.dat since that is where current versions of internet explorer and edge keep its records relating to browsing activity.

Under the category of Internet Explorer/History (for example) you will see history records; cookies; and downloads. The adjacent table will display the individual records, scrolling to the end of the table and you should see the record contents (URL etc) if any column is missing these can be activated using the show columns drop-down.

The cache for IE will reference the file name of the object in the cache, and also at the end of the table will be URL information.

On the lower view pane, there is a Fields tab that will also show the record information.

If the browser types Mozilla 3 (windows/Mac); Mozilla (windows/Mac); and Chrome (windows) are missing your user might not have been using Firefox or Chrome.

EnCase will identify artifacts for supported browsers, there is no manual selection.

A manually check of the User profile and program files may help confirm if these additional browsers are in use.

Could you post a screen capture of what encase is showing you?

Regards


imgur.com/a/xGfH64j

this is what i am looking at, I appreciate your help  
 
  

hommy0
Senior Member
 

Re: Encase how to get temporary internet files, history

Post Posted: Mar 20, 19 17:55

The screen capture helps a lot.

So it looks like you have Internet Explorer (not unexpected); and Google Chrome

What is being highlighted in the screen capture is the Google Chrome history. The file is called History since the SQLite database that stores Chrome history is called "History" and EnCase has parsed each record from that database. If you scroll across that table you should see the URL information, or using Fields on the lower view pane (2 tabs across from Picture).

The table is dynamic and the scroll bar continue to adjust, just release it and it may have additional content.

If in the table if you think columns are missing use the show columns drop-down and turn on columns

Regards  

Last edited by hommy0 on Mar 20, 19 18:08; edited 1 time in total
 

Page 1 of 2
Page 1, 2  Next