Just food for thought,
No offense, the minute you scanned the box with a 3rd party utility and changed a timestamp or a hash of the value, the chain of evidence is broken, and what you find or don't find will probably be inadmissible in a court of law, because it's hearsay evidence, and the evidence itself has been tampered with (i.e., your scanning, instead of taking a forensically sound bit by bit level copy of the hard-drive and working from that copy and not the original).

That is why it's best to have professional COMPUTER forensics guys/gals on call when you get into this situation, especially if you want to prosecute the crimes accordingly.

PS: I am not a lawyer, and my comments do not construe legal advice of any way, shape or form.

Z

From: Kent, Larry CTR USA [mailto:larry.k...@us.army.mil]
Sent: Friday, December 18, 2009 2:09 PM
To: NT System Admin Issues
Subject: RE: Retrieving deleted IE and Firefox history Urgent (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

I've had good luck with Mandiant Web Historian http://www.mandiant.com

From: John Meyers [mailto:jrmeyer...@hotmail.com]
Sent: Friday, December 18, 2009 7:01 AM
To: NT System Admin Issues
Subject: Retrieving deleted IE and Firefox history Urgent

Good morning

I have a laptop I need to somehow salvage ALL the deleted internet history from. IE was set to only keep for 20 days, not sure what Firefox was at. But I need to retrieve EVERYTHING I possibly can. I think the user at some point did a defrag, which is making it more difficult.

I tried several analyzer programs that I loaded directly onto the PC to search with for recent activity, which I provided, then they brought it back and told me I needed to go deeper. At that point I removed the HD from it and only accessed it as an external drive to do the below listed attempts to retrieve the data. This is not normally my job, but I was asked to do it, and I'm not having much luck. I MUST have dates and times for the history, not just the sites.

I imaged it with ghost and tried to use FireFox History recovery, but it found nothing. I tried Armor Forensic's NAT Stealth, but it only gives sites accessed. I tried File Scavenger from quetek, and it finds lots of things like index.dat files, but when I try to read them with index.dat analyzer they mostly say that they are not index.dat files. It doesn't seem to find any history.dat's.

Can someone suggest what else I might try or some good forums for forensics?

Thanks
JR
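
For the case described in the original question, where carved files named index.dat are rejected by an analyzer yet dates and times are still needed, the following is an added example (not part of the thread and not from any tool named in it). It scans a raw fragment for IE `URL ` records and pulls out their timestamps without needing a valid file header. The record layout used (128-byte blocks, FILETIMEs at offsets 0x08 and 0x10, URL offset at 0x34) is the commonly documented reverse-engineered layout for "Client UrlCache MMF Ver 5.2" files and is an assumption here; `build_sample` produces constructed test data.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80  # assumed: index.dat records are allocated in 128-byte blocks
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch


def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None


def scan_url_records(data):
    """Yield (offset, modified, accessed, url) for each plausible URL record."""
    for off in range(0, len(data) - BLOCK + 1, BLOCK):
        if data[off:off + 4] != b"URL ":
            continue
        # Block count at +0x04, then the two FILETIME fields at +0x08 and +0x10.
        blocks, modified, accessed = struct.unpack_from("<IQQ", data, off + 4)
        url_off = struct.unpack_from("<I", data, off + 0x34)[0]
        end = off + blocks * BLOCK
        # Reject records whose length or URL offset points outside the fragment,
        # which is what a partly overwritten (e.g. defragmented) carve looks like.
        if blocks == 0 or end > len(data) or not 0x38 <= url_off < blocks * BLOCK:
            continue
        raw = data[off + url_off:end].split(b"\x00", 1)[0]
        yield (off, filetime_to_utc(modified), filetime_to_utc(accessed),
               raw.decode("latin-1"))


def build_sample():
    """Constructed fragment: one junk block, then one two-block URL record."""
    when = datetime(2009, 12, 18, 14, 9, tzinfo=timezone.utc)
    ft = int((when - EPOCH).total_seconds()) * 10**7
    rec = bytearray(2 * BLOCK)
    struct.pack_into("<4sIQQ", rec, 0, b"URL ", 2, ft, ft)
    struct.pack_into("<I", rec, 0x34, 0x68)
    url = b"Visited: user@http://example.test/page\x00"
    rec[0x68:0x68 + len(url)] = url
    return b"\xff" * BLOCK + bytes(rec)


if __name__ == "__main__":
    for off, mod, acc, url in scan_url_records(build_sample()):
        print(f"{off:#06x}  modified={mod}  accessed={acc}  {url}")
```

Run it against carved files or a working copy of the image, opened read-only, never against the original drive.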