There are many reasons why internet history may be deleted:
- The user manually cleared the history
- The browser deleted the history (e.g. Chrome deletes history that is 90 days old)
- The browser overwrote or deleted temporary data such as session tabs
- The user carried out an action such as deleting a bookmark
Fortunately we can make use of Volume Shadow Copies
in Microsoft Windows to access historical data that wouldn't otherwise be available. The Volume Shadow Copy Service is a technology in Microsoft Windows for taking snapshots of data at a point-in-time. It is used to provide the Windows System Restore feature that most of us are familiar with.
Depending on when Volume Shadow Copies are created and how long they are retained for we may be able to recover deleted internet history from them. In order to take advantage of this additional data source we have updated Browser History Examiner
(BHE) to capture internet history from Volume Shadow Copies.
When performing a capture BHE now has a 'Deleted History' data option.
With this option enabled BHE will process each Volume Shadow Copy from the target machine and capture internet history data such as bookmarks, cookies, downloads, form history, saved logins, searches and website history. The data captured from each Volume Shadow Copy is placed within a folder structure such as ...\Capture\Archived\636346002001469356. The final folder name is the timestamp of when the Volume Shadow Copy was created.
This functionality works together with the remote capture feature
, allowing you to recover deleted internet history from a remote Windows computer.
The browser history files are captured in their original format, therefore depending on how frequently the Volume Shadow Copies were created there may be duplication of internet history data. To streamline this process BHE automatically de-duplicates internet history that has been captured from Volume Shadow Copies. The user can simply load the captured history into BHE as normal and any additional history that has been found within the Volume Shadow Copies will also be loaded.
The following screenshot shows the history captured from one of our test machines, which dates back to 3rd July 2017. Deleted history was not collected as part of this capture.
We then re-captured history from the same machine, but this time using the Deleted history option to collect data from Volume Shadow Copies. We now have history dating back to 19th June 2017, with over 200 additional website visits.
By simply checking the new "Deleted History" option during internet history capture, examiners are able to easily capture and analyse an extended range of internet history information that may have otherwise been lost and not recovered.
A free trial of Browser History Examiner is available from our Downloads