There are a number of ways we can capture and present internet history data to Browser History Examiner (BHE) for analysis. In a previous blog post we discussed the various methods for capturing internet history from a live system.

However, forensic examiners often require the use of forensic evidence container files to preserve the digital evidence for possible use in a court of law. In this case the internet history data will have been captured as part of a logical or physical imaging process using one of the available tools on the market for creating forensic images of data.

If logical imaging is carried out, the investigator may choose to collect only the internet history files themselves, the entire logical partition, or anything in between as part of their collection.

If physical imaging is carried out, the investigator has chosen to collect the entire physical drive, and the internet history files will be buried within the operating system's file system inside the forensic image.

Whichever method is chosen, the investigator will need to mount the forensic image in order to present the internet history data to BHE, as BHE does not directly support the parsing of forensic image files. To make Volume Shadow Copies accessible, we recommend using Arsenal Image Mounter, which can be licensed or used in "Free Mode".

The image below shows an E01 forensic image mounted as a read-only drive.

The content of the forensic image is now mounted as drive E:, so we can simply point BHE at the appropriate Windows user profile within the mounted drive to begin our examination of the associated internet history data. BHE also has the option to process any available Volume Shadow Copies to try to recover deleted internet history.

This workflow, which can involve either free or commercial tools, ensures that the integrity of the internet history captured is maintained while allowing forensic examination of the data to continue.
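As an added illustration (not part of the original post, and not BHE's own code), the Python example below inventories the browser history databases under each user profile of a mounted image and records their SHA-256 hashes, so the examiner can see which profiles to point BHE at and confirm afterwards that the files are unchanged. The browser paths are well-known defaults rather than values from this article, and the directory tree, user names and file contents are constructed sample data standing in for a mounted drive such as E: above.

```python
import hashlib
import tempfile
from pathlib import Path

# Default history database locations relative to a Windows user profile (assumed defaults).
HISTORY_GLOBS = {
    "Chrome": "AppData/Local/Google/Chrome/User Data/*/History",
    "Edge": "AppData/Local/Microsoft/Edge/User Data/*/History",
    "Firefox": "AppData/Roaming/Mozilla/Firefox/Profiles/*/places.sqlite",
}

def sha256_file(path):
    with open(path, "rb") as fh:  # opened read-only; the evidence is never written
        return hashlib.sha256(fh.read()).hexdigest()

def inventory(mount_root):
    """Map (user, browser, path relative to the mount) -> SHA-256 of each history file."""
    root, found = Path(mount_root), {}
    profiles = sorted(p for p in (root / "Users").glob("*") if p.is_dir())
    for profile in profiles:
        for browser, pattern in HISTORY_GLOBS.items():
            for hit in sorted(profile.glob(pattern)):
                if hit.is_file():
                    key = (profile.name, browser, hit.relative_to(root).as_posix())
                    found[key] = sha256_file(hit)
    return found

def changed_since(baseline, mount_root):
    """Entries whose hash now differs from the baseline, or that have disappeared."""
    current = inventory(mount_root)
    return sorted(key for key, digest in baseline.items() if current.get(key) != digest)

def build_constructed_mount(base):
    """Create a constructed directory tree standing in for a mounted image."""
    for rel in ("Users/alice/AppData/Local/Google/Chrome/User Data/Default/History",
                "Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/ab12.default/places.sqlite",
                "Users/bob/AppData/Local/Microsoft/Edge/User Data/Profile 1/History"):
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed:" + rel.encode())
    return Path(base)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # on a real case: inventory("E:/")
        root = build_constructed_mount(tmp)
        baseline = inventory(root)              # hash before pointing BHE at a profile
        for key, digest in baseline.items():
            print(*key, digest)
        print("changed after examination:", changed_since(baseline, root))
```

Running `inventory` before the examination and `changed_since` after it gives a simple record that the mounted history files were not altered while they were being analysed.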

To try this out for yourself, visit our Downloads page for a free trial of Browser History Examiner.