History on a Computer\ Computer Forensics

By shhite ·
I have a user that wipes his computer clean every time it comes into the IT department. By that I mean he gets rid of all his internet history and recently open docs and programs. They aren't even in the registry anymore. I know the information is still in the memory of the hard drive somewhere and I need to see what he has been up too. Does anyone have a good program that is not to expensive that will pull this information?

The OS is Windows XP with sp3. It is a Panasonic CF_51 laptop.



This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Well I use the On Track Solution

by OH Smeg Moderator In reply to History on a Computer\ Co ...

But it's defiantly not cheap. However some other TR Members swear by Gibson Research Spin Rite you can have a look at it here


As I have never used this product I'm not sure if it will do what is required here but other users may be able to help you out with an answer to that.


Collapse -

On Track

by shhite In reply to Well I use the On Track S ...

I like on track but I cannot spend that kind of money. Spin rite I have looked at before and not sure it is quite what I am looking for. But as always, thanks for your suggestions!

Collapse -


by shasca In reply to History on a Computer\ Co ...

Try Undelete it works fast and its fairly simple. Only 50.00.
The demo will let see you what you can recover before you have to pay


Collapse -


by shhite In reply to Undelete

Undelete looks like what i was looking for. Thanks!

Collapse -

I use...

by normhaga In reply to History on a Computer\ Co ...

R-studio's for most applications. Its cost is not to bad.

Whether you can recover or not depends on how the data is deleted. If he uses a usb install of Evidence Eliminator or another secure delete utility, forget it.

Rather than recover files to spy on him, why not be more open and install a keylogger or VNC? If you are legitimate, then he can not object. If you are being needlessly nosy, then he has a legitimate complaint and need.

Collapse -

Keylogger or VNC

by shhite In reply to I use...

I like that idea. Do you have any suggestions? We don't usually have to go to this extreme. Most of our drivers are not computer literate enough to hide what they are doing.


Collapse -


by normhaga In reply to Keylogger or VNC

Depends on what you want to do and how. A keylogger will give the the keystrokes the user performed after the fact. VNC will allow you to revies what he is doing as s/he does it.

VNC also has the advantage of being able to record what is occurring in the event of collecting evidence.

I have forgotten the URLs but a quick Google will give that. Search for VNC reader and then look into the enterprise edition.

Collapse -

For an occassional check

by IC-IT In reply to Keylogger or VNC

Simply type in his computer name (Explorer address bar) and peek when he doesn't expect it. You must have admin privliges on his computer.


navigate to the local settings - History.

Collapse -

Internal network

by shhite In reply to For an occassional check

This would only work if he was actually inside our internal network which he is not. Most of the time the laptop is either at his house or inside his truck connected with a sprint card. But that is a good suggestion.

Collapse -

Helix or FTK should do the trick


I would try Helix (you can download the ISO file) or FTK to view this stuff. Helix runs from the CD so it is a bit slow but works. Also, search the redgistry for a "U3" entry. if there is one, you should find a Cleanup.exe entry too. This means that he or she is running a brouser and other app from a U3 enabled flash drive and not the PC directly. this will make it hard to find anything.

Hope it helps


Related Discussions

Related Forums