Index.dat

The browser can be a source of both direct evidence and circumstantial or supporting evidence. Obviously, in cases of child pornography, the browser might contain direct evidence of the specific crime. You may also find direct evidence in the case of cyberstalking. However, if you suspect someone of creating a virus that infected a network, you would probably find only indirect evidence, such as evidence of the suspect having searched for virus creation or programming-related topics.

Even if the suspect’s browsing history has been erased, it is still possible to retrieve it if he or she was using Internet Explorer. Index.dat is a file used by Microsoft Internet Explorer to store web addresses, search queries, and recently opened files. So if a file is on a universal serial bus (USB) device but was opened on the suspect machine, index.dat would contain a record of that file.

Most forensics tools do examine the index.dat file (or its newer version, webcache.dat). You can also download a number of tools from the Internet that will allow you to retrieve and review the index.dat file. Here are a few:

You can see Window Washer in FIGURE 8-8.

Whatever tool you choose to use, the index.dat file is a fantastic source of forensic information that cannot be overlooked in your forensic investigation.
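To show what such tools do with the file, here is an added Python example (not from this text or from any of the tools it mentions) that carves URL records out of an index.dat image. The record layout it relies on (the "URL " signature, 128-byte blocks, FILETIME values at offsets 0x08 and 0x10, URL string offset at 0x34) is an assumption taken from public reverse engineering of the version 5.2 format, and the sample buffer is constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

MAGIC = b"Client UrlCache MMF Ver "   # file signature, followed by e.g. "5.2"
BLOCK = 0x80                          # assumed: records occupy 128-byte blocks

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if ft == 0:
        return None
    try:
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None  # garbage timestamp in a damaged record

def carve_url_records(data):
    """Return (offset, url, modified, accessed) for every URL record in data."""
    if not data.startswith(MAGIC):
        raise ValueError("not an index.dat cache file")
    found = []
    # Check every block instead of walking the hash table, so entries the
    # table no longer references are reported as well.
    for off in range(0, len(data) - 0x38 + 1, BLOCK):
        if data[off:off + 4] != b"URL ":
            continue
        nblocks, modified, accessed = struct.unpack_from("<IQQ", data, off + 4)
        rec = data[off:off + nblocks * BLOCK]
        (url_off,) = struct.unpack_from("<I", data, off + 0x34)
        # Reject damaged records: bad length or URL offset outside the record.
        if nblocks == 0 or len(rec) != nblocks * BLOCK or not 0x38 <= url_off < len(rec):
            continue
        end = rec.find(b"\x00", url_off)
        url = rec[url_off:end if end != -1 else len(rec)].decode("latin-1")
        found.append((off, url, filetime_to_dt(modified), filetime_to_dt(accessed)))
    return found

def build_sample():
    """Constructed input: header block plus one URL record (not real evidence)."""
    url = b"Visited: user@http://example.test/search?q=demo\x00"
    rec = bytearray(2 * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<IQQ", rec, 4, 2, 0, 132223104000000000)  # accessed 2020-01-01
    struct.pack_into("<I", rec, 0x34, 0x68)                     # URL string offset
    rec[0x68:0x68 + len(url)] = url
    return (MAGIC + b"5.2\x00").ljust(BLOCK, b"\x00") + bytes(rec)

if __name__ == "__main__":
    for off, url, modified, accessed in carve_url_records(build_sample()):
        print(f"0x{off:06x}  {accessed}  {url}")
```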

Note that this file has been supplanted in later versions of Internet Explorer. Since version 10, Internet Explorer has kept history information in C:\user\username\AppData\Local\Microsoft\Windows\WebCache\WebcacheV01.dat. Other browsers use their own locations. For example, Mozilla Firefox has history in a file named history.dat, which is analogous to index.dat. It is located in one of two locations:

  • C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\<random text>\history.dat

  • C:\Documents and Settings\user\Application Data\Mozilla\Profiles\<profile name>\<random text>\history.dat

There are three types of files in this directory:

  • A cache map file

  • Three cache block files

  • Separate cache data files

FIGURE 8-8
Window Washer.

Courtesy of Eusing Software.

Fortunately, you won’t have to examine these files and extract data manually. All the major forensics software packages, including AccessData’s FTK, Guidance’s EnCase, and PassMark’s OSForensics, extract Internet history for you.
