Browser History: What Happened?

Occasionally, you might need to trace a user's Web-browsing path. Manual forensic analysis, which involves digging through cookie files, the browser's cache, and browser history data, isn't easy.

For a good rundown on forensic analysis of browser activity, you should consider reading "Web Browser Forensics, Part 1," by Keith J. Jones and Rohyt Belani of Red Cliff Consulting. The article, published on the SecurityFocus Web site, offers a brief usage overview of some very useful tools: in particular, Pasco, Internet Explorer History Viewer, Web Historian, and Forensic Toolkit.

http://www.securityfocus.com/infocus/1827

Pasco is an open-source tool that can be used to reconstruct browser use from Microsoft Internet Explorer's (IE's) index.dat files. The files contain data such as which URLs were visited and when. Pasco is a command-line tool that creates a text-based output file.

http://sourceforge.net/projects/odessa

Internet Explorer History Viewer, available from Phillips Ponder, has been around for a while. It too can reconstruct IE usage and has the added benefits of being able to read Netscape history data and find fragments of deleted files in the Windows Recycle Bin. IE History costs $50.

http://www.phillipsponder.com/histviewer.htm

The free Web Historian, provided by Red Cliff Consulting, is more powerful than the previous two tools. It can help you analyze the historic usage of Internet Explorer, Mozilla, Firefox, Netscape, Opera, and Apple Computer's Safari.

http://red-cliff.com/index.php?fuseaction=tools.overview

Forensic Tookit (FTK), from AccessData, is the most powerful of the bunch, and at $995, it better be. It too can reconstruct browser use history, but it's also billed as a tool that can perform "complete and thorough forensics examinations." Among other tasks, Forensic Toolkit can index entire drives, allows quick text searches, and supports more than 270 file types.

http://www.accessdata.com/Product04_Overview.htm

Now let's suppose for a minute that you don't want anybody to be able to perform such analysis on your systems. For example, if your laptop is stolen or lost, do you want whoever ends up with it to be able to find out detailed information about you by analyzing your surfing habits? To prevent someone else from accessing your data, you could implement disk encryption.

You can also manually delete browser details (IE History and Cache) fairly easily, but you have to remember to do that, and you also need to erase the disk sectors to ensure that the data can't be recovered. I know that many standalone tools can do both these tasks quickly and effortlessly. Privacy Eraser is one example (which I haven't yet tried).

http://www.privacyeraser.com/features.htm

Are any such tools that include centralized management available for an enterprise? If you know of any, please send me an email with the details or a URL.

====

Don't miss a Web chat with Randy Franklin Smith on the topic "The Security Event Log: The Unofficial Guide." It will take place May 4, 12:00 P.M. Eastern (9:00 A.M. Pacific). For more information, go to

http://www.microsoft.com/communities/chats/default.mspx#05_0504_TN_SEUG

And, finally, you have less than one week left to vote for your favorite products in Windows IT Pro's annual Readers' Choice Awards. Voting ends May 2, so vote now at

http://windowsitpro.com/readerschoice/