Forensics: When is a bookmark not a bookmark in IE

The “Search Internet History” option in EnCase is an excellent function, and pulls back a lot of information very quickly. However, it can show misleading information if it's not interpreted correctly.

Looking for Internet History with EnCase

In the “bookmarks” section that EnCase produces (under “Record”), EnCase reports bookmarks, or URL shortcuts, on the hard drive being examined. Some people can interpret such an entry as a bookmark that has been created manually, or that is in the IE bookmarks tab. However, this is not the case.

Some bookmarks are put there automatically, e.g. the ubiquitous “MS.com” bookmark is in IE as a default.

Other bookmarks are not bookmarks at all. In the example shown below, “Avast!” appears to be a bookmark in IE, but it is not. It is a shortcut in the “program files”, and it's entirely possible that the user had no knowledge of it being there.

When a bookmark is not a bookmark

For this reason, caution should be taken when explicitly stating that a bookmark proves knowledge of a website, or web access.
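One way to check this during review is to classify each reported `.url` shortcut by where the file actually lives before calling it a bookmark. The following is an added example, not from the original post or from EnCase; the function names and sample records are constructed, and it assumes IE Favorites sit in `<profile>\Favorites` under `Documents and Settings` or `Users`.

```python
import configparser
from pathlib import PureWindowsPath

# Profile roots that hold per-user folders on Windows XP and on Vista and later.
PROFILE_ROOTS = {"documents and settings", "users"}

def parse_url_shortcut(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # malformed shortcut: report it, do not guess a target
    return cp.get("InternetShortcut", "URL", fallback=None)

def favorites_owner(path):
    """Return the profile name if path is inside <profile>\\Favorites, else None."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    # Expected layout: drive, profile root, user, "favorites", ..., file
    if len(parts) >= 5 and parts[1] in PROFILE_ROOTS and parts[3] == "favorites":
        return PureWindowsPath(path).parts[2]
    return None

def triage(records):
    """Classify (path, content) pairs by where the .url file actually lives."""
    out = []
    for path, content in records:
        owner = favorites_owner(path)
        out.append({
            "path": path,
            "url": parse_url_shortcut(content),
            # True only means the file is in a Favorites folder; default
            # entries live there too, so it does not prove user action.
            "in_favorites": owner is not None,
            "profile": owner,
        })
    return out

# Constructed sample records (paths, names and URLs are made up).
SAMPLE = [
    (r"C:\Documents and Settings\jsmith\Favorites\Example News.url",
     "[InternetShortcut]\r\nURL=http://news.example.com/?id=7%20a\r\n"),
    (r"C:\Program Files\ExampleAV\ExampleAV Home Page.url",
     "[InternetShortcut]\r\nURL=http://www.example.com/av\r\nIconIndex=0\r\n"),
    (r"C:\Users\jsmith\Favorites\broken.url", "URL=http://orphan.example.com/\r\n"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Entries with `in_favorites` set to false are shortcuts placed elsewhere on disk, such as by an installer, and should not be reported as IE bookmarks.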
