As you likely know, Windows records a number of user activities in log files. These logs (AKA ‘History’) can be deleted by users concerned about privacy issues. Once History has been deleted, performing a forensic audit on user activity is much harder.
This ‘How To’ presents the means to recover History previously deleted from a PC, such as:
- Internet History (including cookies).
- Recently opened documents.
- Search History.
- Run History.
- Open/Save History.
Steps
- The easiest, quickest way to restore file and activity History is the System Restore feature. Since most history is saved into the Windows Registry, restoring it to a previous state will restore file and program History.
- Choose a date you would like the computer reverted to.
- Enjoy restored History.
- But what about circumstances that aren’t as easy? Perhaps System Restore was disabled by a user, or is inappropriate to use. Windows keeps lesser-known log files which are independent of both the Registry and individual program logs. They are called “index.dat” files. Use the Windows Search tool to find all occurrences of “index.dat” on your C: drive.
- On XP, click Start, and Search, then For Files & Folders, and All Files & Folders. Now enter “index.dat” in the Filename field. Before searching:
- Limit the search to C: drive using the Look In drop-down.
- Check the following options using the More Advanced Options line:
- Search System Files
- Search Hidden Files & Folders
- Search Subfolders
- Click printscreen.
- Be amazed at how many “index.dat” files there are.
- Minimize the Search Results window.
- You need a tool to read the index.dat files. They are NOT text files.
- Super WinSpy is one such reader, but what if it’s infected? You can search Google for “index.dat reader” to find others.
- Download the software, check it for viruses (as you do for all downloads) and install it. Start the program. You can enjoy different Histories, using the button provided.
Tips
- Use undelete software if your log files have been deleted accidentally.
- Check the computer for Usage Track eraser programs. One such program may have been used on your computer. All the following programs can erase tracks:
- Tracks Eraser Pro – Registry entries plus index.dat files.
- Microsoft AntiSpyware – Registry entries.
- Adaware – Registry entries.
- Spybot S&D – Registry entries.
- If a user has used advanced tools to erase usage tracks, program logs, Registry history, and the index.dat files, recovery is more difficult. Try using a disk editor to directly access hard disk sectors.
- It won’t come as a surprise that the people who make products that cover your Usage Tracks also make software for viewing those tracks.
- One tool that can often get around the track-erasing software is NetAnalysis, by Craig Wilson of Digital Detective in the UK. One function of this computer forensic software is to search the hard disk for references that are no longer part of the index.dat file, and reconstruct additional history that cannot be found in the index.dat file. It is common to find tens of thousands of entries, and not uncommon to find hundreds of thousands. The resource for this statement is my own experience in using the tool.
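As an added example, not taken from the original article and not the code of Super WinSpy, NetAnalysis or any other tool named above, the Python script below shows two things the tips rely on: why index.dat files are “NOT text files” (the records are binary structures with fixed field offsets and FILETIME timestamps), and what “searching the hard disk for references that are no longer part of the index.dat file” amounts to in practice. Instead of walking the file’s hash table, the carver scans raw bytes for the `URL ` record signature, so a record whose index slot was cleared is still decoded as long as its bytes were not reused. The field offsets follow the publicly documented layout of the version 5.2 record format; everything else (the sample header, the URLs, file names, timestamps and hit counts) is constructed inside the script and is not data from any real machine.

```python
"""Carve MSIE 'index.dat' URL records straight from raw bytes.

Constructed example: field offsets follow the publicly documented version 5.2
record layout; the sample data is built in code, not taken from a real PC.
"""
import struct
from datetime import datetime, timedelta, timezone

BLOCK_SIZE = 128                                   # records are allocated in 128-byte blocks
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Field offsets inside a "URL " record (version 5.2), relative to the record start
OFF_BLOCKS = 4      # uint32  record length in 128-byte blocks
OFF_ACCESSED = 16   # uint64  last-accessed FILETIME
OFF_URL = 52        # uint32  offset of the NUL-terminated URL string
OFF_FILENAME = 60   # uint32  offset of the cached file name (0 when absent)
OFF_HITS = 84       # uint32  hit count
URL_START = 104     # where the URL string normally begins in a 5.2 record


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME (exact integer maths; used to build the sample)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _cstring(buf, start):
    end = buf.find(b"\x00", start)
    return buf[start:end if end != -1 else len(buf)].decode("latin-1")


def decode_url_record(data, pos):
    """Decode the URL record at data[pos:], or return None when the bytes are not a
    plausible record (overwritten, truncated, or a chance 'URL ' match in other data)."""
    if data[pos:pos + 4] != b"URL " or pos + BLOCK_SIZE > len(data):
        return None
    nblocks = struct.unpack_from("<I", data, pos + OFF_BLOCKS)[0]
    length = nblocks * BLOCK_SIZE
    if nblocks == 0 or pos + length > len(data):
        return None
    rec = data[pos:pos + length]
    url_off = struct.unpack_from("<I", rec, OFF_URL)[0]
    fn_off = struct.unpack_from("<I", rec, OFF_FILENAME)[0]
    if not (OFF_HITS + 4 <= url_off < length):        # URL must lie after the fixed fields
        return None
    url = _cstring(rec, url_off)
    if not url or not url.isprintable():
        return None
    return {
        "offset": pos,
        "length": length,
        "url": url,
        "filename": _cstring(rec, fn_off) if 0 < fn_off < length else "",
        "accessed": filetime_to_datetime(struct.unpack_from("<Q", rec, OFF_ACCESSED)[0]),
        "hits": struct.unpack_from("<I", rec, OFF_HITS)[0],
    }


def carve_url_records(data):
    """Signature scan: every 'URL ' occurrence is tried as a record, so entries whose
    hash-table slot was cleared (deleted history) are still recovered while their bytes
    survive. Works on an index.dat file or on a slice of a raw disk image."""
    found, pos = [], data.find(b"URL ")
    while pos != -1:
        rec = decode_url_record(data, pos)
        if rec:
            found.append(rec)
            pos = data.find(b"URL ", pos + rec["length"])
        else:
            pos = data.find(b"URL ", pos + 1)
    return found


def build_url_record(url, filename, accessed, hits):
    """Constructed sample record laid out with the 5.2 offsets this parser reads."""
    url_b = url.encode("ascii") + b"\x00"
    fn_b = filename.encode("ascii") + b"\x00" if filename else b""
    fn_off = URL_START + len(url_b) if fn_b else 0
    nblocks = -(-(URL_START + len(url_b) + len(fn_b)) // BLOCK_SIZE)   # ceil division
    rec = bytearray(nblocks * BLOCK_SIZE)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, OFF_BLOCKS, nblocks)
    struct.pack_into("<Q", rec, OFF_ACCESSED, datetime_to_filetime(accessed))
    struct.pack_into("<I", rec, OFF_URL, URL_START)
    struct.pack_into("<I", rec, OFF_FILENAME, fn_off)
    struct.pack_into("<I", rec, OFF_HITS, hits)
    rec[URL_START:URL_START + len(url_b)] = url_b
    if fn_b:
        rec[fn_off:fn_off + len(fn_b)] = fn_b
    return bytes(rec)


def build_sample_image():
    """Constructed fragment: header block, a live record, a record an eraser overwrote,
    unaligned slack, and an intact record that no index entry points to any more."""
    utc = timezone.utc
    header = bytearray(BLOCK_SIZE)
    header[:28] = b"Client UrlCache MMF Ver 5.2\x00"
    live = build_url_record("http://example.com/", "index[1].htm",
                            datetime(2005, 3, 1, 12, 0, tzinfo=utc), 3)
    wiped = bytearray(build_url_record("http://example.net/secret", "",
                                       datetime(2005, 3, 2, 9, 30, tzinfo=utc), 1))
    wiped[:16] = b"\x00" * 16      # signature and block count destroyed: not recoverable here
    orphan = build_url_record("http://example.org/page?id=7", "page[1].htm",
                              datetime(2005, 3, 3, 18, 45, tzinfo=utc), 12)
    slack = b"\xff" * 64           # deliberately breaks 128-byte alignment
    return bytes(header) + live + bytes(wiped) + slack + orphan


if __name__ == "__main__":
    for r in carve_url_records(build_sample_image()):
        print(f"{r['offset']:#08x} {r['accessed']:%Y-%m-%d %H:%M} "
              f"hits={r['hits']:<3} {r['url']}  {r['filename']}")
```

Run against a real file with `carve_url_records(open(path, "rb").read())`; the script finds the live and the orphaned record and skips the one whose header was overwritten, which is exactly the difference between “present in the index” and “recoverable from the bytes” that the NetAnalysis tip describes. A reader that only follows the hash table would report a single entry for this sample.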
Warnings
- Satisfy yourself that you have a right to alter computer settings. Changing computer content without legal right is a crime in many countries.
- Check your anti-virus log files to confirm that your system was clean on the date you intend to select with the System Restore tool. You wouldn’t want to resurrect a virus.
- When you use System Restore to revert the registry to a previous date, programs installed after that date may not work correctly. If you have any doubt, use the “index.dat” viewing method.