• Creator
  • #2153853

    History on a Computer\ Computer Forensics


    by shhite ·

    I have a user that wipes his computer clean every time it comes into the IT department. By that I mean he gets rid of all his internet history and recently opened docs and programs. They aren’t even in the registry anymore. I know the information is still in the memory of the hard drive somewhere and I need to see what he has been up to. Does anyone have a good program that is not too expensive that will pull this information?

    The OS is Windows XP with SP3. It is a Panasonic CF_51 laptop.



All Answers

  • Author
    • #2916045


      by shhite ·

      In reply to History on a Computer\ Computer Forensics


    • #2916002

      Well I use the On Track Solution

      by oh smeg ·

      In reply to History on a Computer\ Computer Forensics

      But it’s definitely not cheap. However, some other TR Members swear by Gibson Research Spin Rite; you can have a look at it here

      As I have never used this product I’m not sure if it will do what is required here but other users may be able to help you out with an answer to that.


      • #2915909

        On Track

        by shhite ·

        In reply to Well I use the On Track Solution

        I like On Track but I cannot spend that kind of money. Spin Rite I have looked at before and am not sure it is quite what I am looking for. But as always, thanks for your suggestions!

    • #2915990


      by shasca ·

      In reply to History on a Computer\ Computer Forensics

      Try Undelete; it works fast and it’s fairly simple. Only 50.00.
      The demo will let you see what you can recover before you have to pay

      • #2915914


        by shhite ·

        In reply to Undelete

        Undelete looks like what I was looking for. Thanks!

    • #2915955

      I use…

      by Anonymous ·

      In reply to History on a Computer\ Computer Forensics

      R-Studio for most applications. Its cost is not too bad.

      Whether you can recover or not depends on how the data is deleted. If he uses a USB install of Evidence Eliminator or another secure delete utility, forget it.

      Rather than recover files to spy on him, why not be more open and install a keylogger or VNC? If you are legitimate, then he cannot object. If you are being needlessly nosy, then he has a legitimate complaint and need.

      • #2915912

        Keylogger or VNC

        by shhite ·

        In reply to I use…

        I like that idea. Do you have any suggestions? We don’t usually have to go to this extreme. Most of our drivers are not computer literate enough to hide what they are doing.


        • #2915899


          by Anonymous ·

          In reply to Keylogger or VNC

          Depends on what you want to do and how. A keylogger will give you the keystrokes the user performed after the fact. VNC will allow you to review what he is doing as s/he does it.

          VNC also has the advantage of being able to record what is occurring in the event of collecting evidence.

          I have forgotten the URLs but a quick Google will give that. Search for VNC reader and then look into the enterprise edition.

        • #2915880

          For an occasional check

          by ic-it ·

          In reply to Keylogger or VNC

          Simply type in his computer name (Explorer address bar) and peek when he doesn’t expect it. You must have admin privileges on his computer.


          Navigate to the local settings – History.

        • #2932247

          Internal network

          by shhite ·

          In reply to For an occasional check

          This would only work if he was actually inside our internal network which he is not. Most of the time the laptop is either at his house or inside his truck connected with a sprint card. But that is a good suggestion.

    • #2948190

      Helix or FTK should do the trick

      by fortbragg_surfgoddess ·

      In reply to History on a Computer\ Computer Forensics


      I would try Helix (you can download the ISO file) or FTK to view this stuff. Helix runs from the CD so it is a bit slow but works. Also, search the registry for a “U3” entry. If there is one, you should find a Cleanup.exe entry too. This means that he or she is running a browser and other apps from a U3-enabled flash drive and not the PC directly. This will make it hard to find anything.

      Hope it helps

