But that does not mean that the information is not available. In part 2, we'll discuss what to do to find these files if they do not immediately appear available. For now, we'll assume that the data and files exist. If you enter any of the directories presented above, you will find a file named Index.dat. The Index.dat file contains the Internet activity for each information store. In the cached web pages directory, this file is populated with more information than the others, even though the internal file structures are identical. In order to rebuild a web page a user had visited, the operating system must find the correct locally cached web page and the corresponding URL the user visited. This relationship is mapped in the Index.dat file. This is the same technique we will use when reconstructing Joe's Internet browsing activity. The Content.IE5 Internet activity directory will be the most useful to us when we reconstruct Joe's activity because we can view the same web pages Joe viewed in the past through his cached versions of these web pages.

Firefox/Mozilla/Netscape and other related browsers also save the Internet activity using a similar method to IE. Mozilla/Netscape/Firefox save the web activity in a file named history.dat. One significant difference between a history.dat file and an index.dat file is that a history.dat file is saved in an ASCII format rather than binary. This makes reviewing the file simpler than the corresponding IE file. The second difference with the history.dat file is that it does not link web site activity with cached web pages. Therefore, we cannot readily assemble views of web pages Joe visited in the same manner that we can with IE.

The process of reconstructing web activity manually can be quite tedious. Fortunately, there are several tools, both free and commercial, that streamline this process considerably. The following sections present some of these tools.
Please follow along with the web activity data you downloaded in the introduction to this article, and use the tools mentioned in this article to reconstruct the analysis.

Pasco (the Latin word for Browse) is a command line tool that runs on Unix or Windows and can reconstruct the internal structures for IE Index.dat files. Pasco accepts an Index.dat file, reconstructs the data, and outputs the information in a delimited text file format. This format is useful when you need to import the data into a spreadsheet such as Microsoft Excel. Figure 1 shows Pasco in action.

Although Pasco works well with IE Internet activity files, it does not reconstruct web activity from other web browsers such as Firefox/Mozilla/Netscape. The output of Pasco as used for this article can be downloaded from the SecurityFocus archives report.

Now that we have the output for Joe's IE Internet activity, we can begin reviewing the websites he visited. During this analysis, we will only present the activity that is relevant to the investigation, since there are numerous instances of irrelevant web browsing events that can slow down an investigator. The output from Web Historian is shown below in Figure 3.

We see above in Figure 5 that Joe visited Barnes and Noble. It appears as though he is interested in books related to hacking and cracking. There are also other instances of Joe searching for similar material at hacking related websites. In Figure 6 and Figure 7 you will see Joe accessing sites known to have hacking related material. You will also see that Joe is searching for cracks specific to Docustodian, the application that was overloaded with unauthorized material.

As you have seen in the last section, we were able to show that Joe, or someone using Joe's account, was interested in information that would allow him to crack the licensing for Docustodian. However, most of the websites were visited at approximately 5:50:58 PM on March 10, 2005.
It's important to remember that Joe was on vacation from March 7, 2005 through March 21, 2005. It would be highly unlikely that Joe visited these websites from a sunny beach in Florida. We would have to look harder at Joe's computer to see how these websites were accessed.

There are several commercial tools that will examine web related activity similar to the freely available tools we presented above. Although we already examined interesting activity in the last section, we will present some of the differences and other interesting web sites Joe's account visited with commercially available tools in this section.

IE History was one of the first commercial tools developed for web activity reconstruction. IE History is a Windows application that opens several types of web browser history files including IE and Firefox/Netscape/Mozilla. IE History is a lightweight tool that can easily export the web browsing history to spreadsheets and delimited text files.

Once IE History parses the information in the Index.dat file, it offers some functionality that simplifies your review. For example, in several instances of activity shown in Figure 9, you can right-click and select Go to URL to quickly open a web browser and visit the website Joe visited. Notice, however, that IE History does not link the web activity to the relevant cached files. This means that when you review the URL through the right-click function, you are actually viewing a live copy of the website, so you may be seeing a different view than Joe saw when he visited the website in the past.

FTK combines some of the functionality from all of the tools we presented in this article. As commercial tools go, this receives our highest recommendation for the ease of use alone. With FTK, you can browse the cached web pages and see them in a web browser-like interface. For example, Figure 10 shows one of the cracking sites Joe's account visited.

FTK reconstructs the visited web pages very well.
The drawback when using FTK is the reconstruction of the Index.dat file. Upon selecting an Index.dat file within FTK, you will notice the data is presented in a format that is difficult to use. Each instance of activity is presented as a separate table, and none of the information is clickable.
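
The timeline check made earlier in this article (delimited Index.dat output compared against Joe's vacation dates) can be scripted rather than done by eye in a spreadsheet. The following is an added example, not code from the article or from Pasco: the column order, the timestamp format and every row in the sample are assumptions constructed for illustration, so adjust them to match the output your tool actually produces.

```python
import csv
import io
from datetime import datetime

# Constructed sample in an assumed tab-delimited layout (not real case data).
SAMPLE = (
    "History File: index.dat\n"
    "\n"
    "TYPE\tURL\tMODIFIED TIME\tACCESS TIME\tFILENAME\tDIRECTORY\tHTTP HEADERS\n"
    "URL\thttp://intranet.example/timesheet\t03/04/2005 09:12:40\t"
    "03/04/2005 09:12:41\ttimesheet[1].htm\tABCD1234\tHTTP/1.1 200 OK\n"
    "URL\thttp://books.example/search?q=hacking\t03/10/2005 17:49:02\t"
    "03/10/2005 17:50:58\tsearch[1].htm\tEFGH5678\tHTTP/1.1 200 OK\n"
    "REDR\thttp://redirect.example/out\t\t\t\t\t\n"
    "URL\thttp://news.example/\t03/22/2005 08:30:00\t"
    "03/22/2005 08:30:05\tindex[2].htm\tABCD1234\tHTTP/1.1 200 OK\n"
)

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumed; match it to your tool's output

# Absence window from the article: vacation from March 7 through March 21, 2005.
ABSENT_FROM = datetime(2005, 3, 7)
ABSENT_UNTIL = datetime(2005, 3, 21, 23, 59, 59)


def parse_rows(text, delimiter="\t"):
    """Yield one dict per activity record, skipping the preamble and header."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter,
                        quoting=csv.QUOTE_NONE)
    for fields in reader:
        if len(fields) < 6 or fields[0] == "TYPE":
            continue
        try:
            accessed = datetime.strptime(fields[3].strip(), TIME_FORMAT)
        except ValueError:
            accessed = None  # records without a timestamp (e.g. redirects)
        # URL -> cached copy: the relationship the Index.dat file maps.
        cache_path = "/".join(p for p in (fields[5], fields[4]) if p)
        yield {"type": fields[0], "url": fields[1],
               "accessed": accessed, "cache_path": cache_path}


def visits_during_absence(text):
    """Return records whose access time falls inside the absence window."""
    return [r for r in parse_rows(text)
            if r["accessed"] and ABSENT_FROM <= r["accessed"] <= ABSENT_UNTIL]


if __name__ == "__main__":
    for rec in visits_during_absence(SAMPLE):
        print(rec["accessed"], rec["url"], "->", rec["cache_path"])
```

Timestamps are compared exactly as printed in the export; confirm which time zone the parsing tool rendered them in before comparing them with dates from other sources.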