When investigating a user's machine after a virus infection, one thing that I always make a point of doing is capturing the browsing history. If you are new to this, there are a couple of freely available tools that can help you. The first one is pasco from Foundstone. It is free to download and it runs from the command line.
Once you run this aforementioned command you can then open the text file that you have created. Copy & paste this data into your favourite spreadsheet proggie and you are good to go. It isn’t pretty, but it has what you’re looking for. One thing that isn’t talked about much is the fact that even if a user deletes their history, there are still 8 days of traffic history retained. If you are really in a bind you can use tools such as EnCase, FTK or Autopsy to recover deleted histories.
The next free tool that you can use will dump out some nice looking HTML rather than the non-sexy spreadsheet. The tool is Web Historian from Mandiant.
This one will suck in the index.dat or history.dat (Firefox) that you need to review and output an HTML report.
This is very handy for checking on what users may have been up to with their laptops while on the road. In addition to IE and Firefox, this tool can also process the histories from the Netscape, Safari and Opera browsers. Bear in mind that neither of the aforementioned tools would qualify as being forensically sound. That being said, they are handy for a basic troubleshooting exercise.