The “Search Internet History” option in EnCase is an excellent function, and pulls back a lot of information very quickly. However, it can show misleading information, if its not interpreted correctly.
In the “bookmarks” section, which EnCase produces (under “Record”) Encase reports bookmarks, or URL shortcuts on the hard drive being examined. Some people can interpret this as Bookmark that has been created manually, or is in the IE books marks tab. However this is not the case.
Some book marks are put their automatically, e. g the ubiquitous “MS.com” bookmark is in IE as a default.
Other bookmarks are not bookmarks at all. In the example shown below “Avast!” appear to be a bookmark in IE, but it is not. It is a shortcut is in the “program files” and its entirely possible that the user had no knowledge of it being there.
For this reason caution should be taken when explicitly stating that a bookmark proves knowledge of a website, or webaccess.