At this location in Windows 7:

C:\Users\[yourusername]\AppData\Local\Microsoft\Windows\WebCache

. . . if you're running Internet Explorer 10 or higher, you'll find a file named 'WebCacheV01.dat'. This database file holds information on web addresses visited by the user, queries he or she has run, and files that have been opened. Earlier versions of IE used a file named 'index.dat'. These files can only be deleted using special software. The information in this cache can be cleared, but its data collection function cannot be disabled.

You can download NirSoft's IECacheView at http://www.nirsoft.net/utils/ie_cache_viewer.html. When I unzipped this freeware to a folder on my Windows 7 operating system, it found the dat file for IE automatically. As you can see, this viewer shows where each file from a web page was accessed.

If you right-click on any one file and select Properties, a form will open that shows the web address of the page that the file comes from.


 
 

Event logs are saved by Windows in order to record certain actions taken by the operating system, or software on the system.

In Windows 7 you should see these files saved to this location:

C:\Windows\System32\winevt\Logs

These can be viewed simply by typing in 'Event Viewer' at Start and opening the Event Viewer application.

You'll see that it provides a summary of administrative events and recently viewed nodes. If you click on the Event Viewer (Local) icon in the pane on the left, a drop-down menu will open. Go to Windows Logs . . . Application and you should see a number of recorded events indicating the time when the computer was in use. Here, for the sake of security, I have redacted the viewable events except for one. Note that its Event ID is 6000, which indicates that there was an unsuccessful login attempt. See the note here: https://technet.microsoft.com/en-us/library/cc734033(v=ws.10).aspx

By referring to the event IDs, you can find out a lot about actions taken on a PC.

Windows 7 and other Windows operating systems newer than Windows 2003 save event logs with the extension .evtx, whereas earlier Windows systems saved event logs with the extension .evt.


 
 
  • Mar 23, 2016

When you copy data from a hard drive on to a flash drive or other storage device, normally you'll notice the metadata for the file is altered. Instead of the date created on the source, you end up with the current time and date at the point of transfer. For the purposes of data collection you want to preserve the original metadata values intact. In order to accomplish this, make use of the Robocopy command in Windows.

You just need to go to the folder you want to copy data from, press SHIFT + CTRL + right-click and choose 'Open Command Window Here', and then enter Robocopy followed by the file path of the folder from which data is to be collected (use quotes if the path has spaces), the path of the destination, and the '/E' switch. See for example this command:

I:\Litigation Support\Electronic Discovery\EDRM>Robocopy "I:\Litigation Support\Electronic Discovery\EDRM" H:\ /E

So when we collect data from a folder like this:

. . . and run the Robocopy command - 'Robust File Copy for Windows' . . . the data is copied in a special fashion

. . . so the Date Created field is not altered.
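The following PowerShell script is an added example, not part of the original post: it runs the same Robocopy collection with the copy options spelled out and a log file, then checks each copied file's SHA-256 hash and its created and modified times against the source. It assumes PowerShell 4.0 or later (for Get-FileHash); the destination folder and log path are placeholders.

```powershell
# Added example: collect a folder with Robocopy, then verify the copy.
# Assumptions: PowerShell 4.0 or later; the default paths below are placeholders.
param(
    [string]$Source      = 'I:\Litigation Support\Electronic Discovery\EDRM',
    [string]$Destination = 'H:\EDRM',
    [string]$LogFile     = 'H:\EDRM_robocopy.log'
)

# /E        copy subfolders, including empty ones (the switch used in the post)
# /COPY:DAT copy file data, attributes and timestamps (Robocopy's default, stated explicitly)
# /DCOPY:T  also keep the timestamps of the folders themselves
# /R:2 /W:5 retry a locked file twice, five seconds apart, instead of the long default
# /NP /TEE  no progress percentages; write to the console as well as the log
robocopy $Source $Destination /E /COPY:DAT /DCOPY:T /R:2 /W:5 /NP /TEE "/LOG:$LogFile"

# Robocopy exit codes are a bitmask; 8 or higher means at least one file failed to copy.
if ($LASTEXITCODE -ge 8) {
    throw "Robocopy reported failures (exit code $LASTEXITCODE). See $LogFile"
}

# Compare every source file with its copy: content hash plus created/modified times.
$srcRoot = (Get-Item -LiteralPath $Source).FullName.TrimEnd('\')
$results = foreach ($src in Get-ChildItem -LiteralPath $srcRoot -Recurse -File -Force) {
    $relative = $src.FullName.Substring($srcRoot.Length).TrimStart('\')
    $dstPath  = Join-Path $Destination $relative
    if (-not (Test-Path -LiteralPath $dstPath)) {
        [pscustomobject]@{ File = $relative; Problem = 'missing at destination' }
        continue
    }
    $dst = Get-Item -LiteralPath $dstPath -Force
    $problems = @()
    if ((Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash -ne
        (Get-FileHash -LiteralPath $dst.FullName -Algorithm SHA256).Hash) { $problems += 'content differs' }
    # Allow 2 seconds of drift: FAT-formatted flash drives store times more coarsely than NTFS.
    if ([math]::Abs(($src.CreationTimeUtc  - $dst.CreationTimeUtc ).TotalSeconds) -gt 2) { $problems += 'created time differs' }
    if ([math]::Abs(($src.LastWriteTimeUtc - $dst.LastWriteTimeUtc).TotalSeconds) -gt 2) { $problems += 'modified time differs' }
    if ($problems) { [pscustomobject]@{ File = $relative; Problem = $problems -join '; ' } }
}

if ($results) { $results | Format-Table -AutoSize }
else          { Write-Output 'All files verified: hashes and timestamps match.' }
```

Keep the Robocopy log and the verification output with the collection so the integrity of the copy can be shown later.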

 
 

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea