My Road to Digital Forensics Excellence

System Restore and Internet History

Posted by Paul Bobby on November 4, 2008

I wanted to be sure that using System Restore, and restoring to a previous saved snapshot, would not alter the internet history stored on the machine. So I ran the following tests:

1. Clear out the browsing history from IE7
2. Create a restore point
3. Do some web activity
4. Run EnCase and run the Search Internet History function (saving a report of the Visited Links)
5. Restore the machine to the point in #2
6. Run EnCase again.

The only difference is that the Typed URLs were missing. The NTUser.dat file was restored back to its previous state, which makes me think that using restore points is a good way to hide data from UserAssist analysis….

…next step is to test Microsoft SteadyState.

