Recovering deleted internet history from System Restore points

13 January 2018
Most of us are familiar with System Restore, the feature within Microsoft Windows that allows you to restore your computer to a previous state. This feature can be a very useful source of data when analysing internet history, as it can provide access to data that has been deleted.

There are many reasons why internet history may be deleted:
  • The user manually cleared the history
  • The browser deleted the history (e.g. Chrome deletes history that is 90 days old)
  • The browser overwrote or deleted temporary data such as session tabs
  • The user carried out an action such as deleting a bookmark

Therefore, depending on when System Restore points are created and how long they are retained for, they can provide us with historical data that wouldn't otherwise be available. In order to take advantage of this additional data source we have updated our software to capture internet history from System Restore points.

Firstly, our free capture tool BHC now has an 'Archived History' data option.

With this option enabled BHC will process each System Restore point from the target machine and capture internet history data such as bookmarks, cookies, downloads, form history, saved logins, searches and website history. The data captured from each restore point is placed within a folder structure such as:

The final folder name is the timestamp of when the restore point was created.

This functionality has also been added to the capture feature within BHE, allowing you to capture archived internet history from a remote Windows computer. The following diagram illustrates how these two features work together.

More detail about the remote capture process can be found in the following blog post:

The archived browser history files are captured in their original format allowing them to be analysed using your tool of choice. However, depending on how frequently the System Restore points were created there may be duplication of internet history data. This means if you were to analyse the history from each restore point individually you may be analysing the same data multiple times.

To streamline this process BHE automatically de-duplicates internet history that has been captured from System Restore points. Therefore, the user can simply load the captured history into BHE as normal and any additional history that has been found within the System Restore points will also be loaded.

The following screenshot shows the history captured from one of our test machines, which dates back to 3rd July 2017. Archived history was not collected as part of this capture.

We then re-captured history from the same machine, but this time using the Archived history option to collect data from System Restore points. We now have history dating back to 19th June 2017, with over 200 additional website visits.

By simply checking the new "Archived History" option during internet history capture, examiners are able to easily capture and analyse an extended range of internet history information that may have otherwise been lost and not recovered.

A free trial of Browser History Examiner is available from our Downloads page.

Uncovering plain text passwords in internet history

    Prev Post

FoxAnalysis and ChromeAnalysis products retired

Next Post