Firefox 3 History Recovery helps in all other cases. It is a command line tool that can analyse uncompressed disk images to discover traces of the four SQLite tables moz_places, moz_historyvisits, moz_formhistory and moz_downloads. What the recovery tool can return are therefor the visited urls, the form history and the downloads.

Firefox 3 History Recovery is a forensic tool and therefor not designed with usability in mind. It can only be executed from the command line and the biggest problem that users face is that they need to create a disk image for this process. The developer mentioned a few tools that can be used to create those disk images: winhex, ftk imager and dcfldd.

The program itself is easy to use in comparison. All the user needs to do is to enter the command

ff3hr -i


to start the recovery process. The command line tool will create four new text documents in its directory that will contain the information found on the disk image. Firefox 3 History Recovery is an Open Source software program that is available at the Sourceforge website.

Related posts

• Xkcd Comic Wallpaper Changer (2)
• Xenocode Web Browser Sandbox (0)
• Wireless Network Scanner inSSIDer (3)
• Windows Tabbed Browsing (4)
• Windows Run Aliases (8)

Registry hives can be loaded into the software program by clicking on File > Open Registry Files.

A click on File > Create Report or pressing CTRL R will create the report of the selected Registry hive. The report will display various information about the hive which can be summed up as various system settings. Depending on the hives that are loaded in the software information such as Windows accounts and users, Windows services, printers, firewalls, network settings and various other information.

The Ntuser.dat file is probably the most interesting hive that can be loaded in the Registry software as it displays recently opened documents, recently opened applications and last typed applications. The settings can be used to add or remove data from the report. Various modules are not enabled by default. Enabling them can increase the depth of the report. Registry Report can be downloaded from the developer’s website.

Related posts

• Windows Registry Watcher (5)
• Registry Analyzer (3)
• Windows Registry Protection (9)
• Windows Registry Monitoring With RegFromApp (3)
• Set File Associations Without Writing To The Windows Registry (6)

The main interface of Windows File Analyzer is driven by five buttons in the top toolbar that each open up a file browser window. The file analysis software can be used to analyse the following five files: index.dat, prefetch, thumbs.db , shortcuts and recycle bins. Not every Windows system makes use of all of those files as some functions like the thumbnail generation can be deactivated.

Windows File Analyzer will analyse the contents of the selected file and display the results in a table. The table will contain various information depending on the file that has been analyzed. Analyzing a thumbs.db file will for example display all the thumbnails that it contains while the analysis of the prefetch data will display information about the applications that are prefetched, the time the entry has been created and last used on the computer system.

Windows File Analyzer combines various tools that can be used to analyse a computer system and reveal information about its users. Multiple file analysis’ can be open at the same time. Each report can be printed in user friendly form for further analysis. Some knowledge is required to start a file analysis which might require research on the Internet to find out where the files that can be analyses are located on the computer system.

Related posts

• Windows Registry Watcher (5)
• Secure Windows Services Configuration (2)
• Remove Fake Antivirus Software Programs (11)
• Password Protect Applications (9)
• Forensic Windows Registry Software Registry Report (0)

Drive Look is a free forensic disk investigation tool from the developers of Drive Image XML. The forensic data recovery software is free to use and runs on many Microsoft operating systems like Windows 2000 or Windows XP but not Windows Vista. Registration data has been posted on the download page that needs to be entered into the software.

The forensic software will scan a selected hard drive, partition, logical drives, network drives or images and index all words that meet specific criteria. The user can select the minimum and maximum word length and chars during setup. There is also the possibility to specify words that should be included in the scan.

Drive Look will list all words that it has found during scan in a searchable interface in the end. It is possible to scroll through the words on the left side or enter a search term to find out if a word or phrase has been discovered in the specified location. The forensic data software will display the locations on the storage device in either Ascii or Hex mode and list the sector and offset information of each hit. It is possible to read the text that is surrounding the discovered phrase to get a better understanding.

An alternative to Drive Look is The hard drive data retrieval tool Disk Investigator which makes use of a realtime search.

Related posts

• Recover Deleted Files With DiskDigger (6)
• Hard Drive Data Retrieval (12)
• DVD Data Recovery Software (4)
• CD DVD Data Recovery Software (4)
• CD Data Recovery Tools Overview (7)

It’s a standalone tool which means it can be run from external devices connected to the computer which is definitely a prerequisite for all forensic tools. It analyses the user level at startup and displays information like the local IP and hostname. A click on Start Collecting processes 14 sequences, some with subsequences, that collect data and write that data into logfiles in the Evidence Collector directory.

The software did write 25 different log files into the log directory including a list of opened files, installed applications and processes. Evidence Collector concentrates on hardware and software only while law enforcement agencies would definitely scan the computer for files as well, probably using a software like Locate to find information in filenames and contents.

A detailed list of what is analysed:

• Shares and policies applied on shares
• Started and stopped services
• Installed software
• Installed Hotfixes
• Enumerated Processes
• Events logs
• TCP / UDP mapping endpoints
• Process handles tracking
• List start-up programs
• Suspected modules
• Users policies
• USB history

Evidence Collector is a free software currently in beta. There is no information on the homepage about compatibility, it runs fine on my Windows XP Service Pack 3 system.

Related posts

• Let The Computer Make Decisions For You (0)
• Zip Repair (3)
• Zip File Recovery with Object Fix Zip (6)
• Zen Key An All Purpose Application Manager (3)
• Youtube Batch Downloader (13)