Investigating Internet Histories with Internet Explorer 6

Current version of this document can be found at
http://www.erinat.com/ComputerForensicScience/SimpleInvestigation/IE6/

Overview

The purpose of this document is to outline some simple procedures for investigating when and what Internet web sites have been visited by a computer.

This is not a comprehensive guide to computer forensic science and cannot cover all the methods and procedures for information discovery. But it does provide enough information to make a good start.

If you are not running Internet Explorer 6 then I suggest you obtain the latest copy at http://windowsupdate.microsoft.com/. At the time of this writing, version 6 is the most current.

 

Quick Definitions

Browser - The computer program used to access web sites; common examples are Internet Explorer (made by Microsoft) or AOL's Netscape Navigator.

Cache - A section of computer memory and/or disk space used to store copies of objects that have been accessed by the browser. This makes subsequent requests for those objects much faster since they don't have to be delivered across the Internet.

History - A list of web sites that have been accessed with the browser within the time period specified in the configuration - the default is 20 days.

URL - Stands for "Universal Resource Locator." It is simply the address used for a web site. For example, the URL for the Church of Jesus Christ of Latter-day Saints is "http://www.lds.org/" and is usually referred to as just www.lds.org.

 

Address Bar

The address bar is located near the top of the browser window. It is where you can type in an address (URL) for a web site (see Figure 1).


Figure 1 - Address bar in IE 6

Pressing the drop-down button located at the far-right side of the address bar will display a list of the URLs that have been entered directly into the address bar (see Figure 2). Unfortunately, URLs opened in other ways won't show up here.


Figure 2 - Address Bar History

If the address bar's drop-down list is empty, then the browser's history might have been erased.

 

History

The "history" contains a list of all the Internet web sites that have been visited, as well as all the objects at a web site. An object can be a graphic, the text on a page, a video or audio clip, or pictures.

Internet Explorer makes it easy to see the history and its objects.

Press [Control + H] on the keyboard or press the sundial icon on the tool bar and the browser will display a list of all the web sites that have been accessed.

You can organize the data by changing the view. This is done by selecting the down-arrow button just to the right of the word "view" then selecting the criteria (Figure 3). Sorting by date, for example, will list the sites visited in chronological order by day, and alphabetically by URL.


Figure 3 - History Window

Be aware that this view will not show ALL the objects that have been accessed, only the pages. Things like graphics, sound clips, animations, etc. will not be displayed here; to see those you have to browse through the cache.

 

Cache

To see all the objects in the cache select Tools | Internet Options on the menu bar (Figure 4).


Figure 4 - Tools Drop-Down Menu

It will open up a new window called "Internet Options" and will have several tabs across the top.

Select the "General" tab if it isn't already selected.

The middle section of that window contains the "Temporary Internet Files" options (Figure 5).


Figure 5 - Temporary Internet Files

Pressing "Delete Cookies" will delete all the cookies stored in the cache. We'll talk about cookies in the next section.

Pressing "Delete Files" will delete all the files and objects stored in the cache.

Pressing "Settings" will open a new window where you can browse through the cookies and files in the cache (Figure 6).


Figure 6 - Temporary Internet Files Settings

The top section of the Settings window has four different options for the "Check for newer versions of stored pages" settings. This should be set to "Automatically" unless you know what you are doing and need it changed.

The bottom section will show the current location of the cache within the file system (or, as some would say, on the hard drive).

The "Amount of disk space to use" for the cache can be set by you. A larger cache will allow more objects to be stored for faster retrieval, but it also takes away file space from other uses. If you aren't sure what this setting does, just leave it alone.

Pressing "Move Folder" will change the location where the cache (temporary files) is stored. Normally, you never need to change this.

Pressing "View Files" will open a new window and show you the actual files in the cache including the graphics and any other objects that have been accessed. It will also show when the objects were accessed. If this window is empty, then the cache has been erased.

Pressing "View Objects" will display the mini programs that have been installed to handle special kinds of objects on the Internet, such as Flash animations and others.

 

Cookies

When the World Wide Web was first created, web sites could not do a whole lot. There were no shopping carts, no ordering, and no personalization. To help facilitate these functions there needed to be a way to store a small amount of information on the user's computer so it could be retrieved later by the web site.

Folklore says that the first demonstration of this function showed Cookie Monster from Sesame Street and, when a picture of a cookie was clicked on, Cookie Monster would eat the cookie. The web site would keep track of how many cookies you had fed him no matter how many times you left the web site and came back.

Thus the name "Cookie" was given to the function of storing a small amount of data on the user's computer for later retrieval by a web site.

Cookies are not affected by clearing the cache or deleting the history. They stick around until they expire. Each cookie has an expiration date set by the web site: some durations are short, so the cookies are deleted when the user leaves the web site; others are set to last forever.

Internet Explorer makes it easy to see the cookies. Simply follow the instructions to view the cache files (Tools | Internet Options | Settings | View Files) as described in the previous section.
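
The expiration date described above can also be read straight from a cookie file. The following is an added example, not part of the original document: it assumes the text layout IE 6 uses for cookie files (nine lines per cookie: name, value, site/path, flags, expiration low and high, creation low and high, then "*"), and the site names, values and flags in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_LINES = 9  # eight value lines followed by a "*" terminator line

def filetime_to_utc(low, high):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601)."""
    try:
        ticks = (int(high) << 32) | int(low)
        return EPOCH_1601 + timedelta(microseconds=ticks // 10)
    except (ValueError, OverflowError):
        return None  # non-numeric field, or a date past year 9999

def utc_to_fields(dt):
    """Inverse of filetime_to_utc; used only to build the sample below."""
    ticks = (dt - EPOCH_1601) // timedelta(microseconds=1) * 10
    return str(ticks & 0xFFFFFFFF), str(ticks >> 32)

def parse_cookie_file(text):
    """Return (records, leftover); leftover holds lines of a cut-off record."""
    lines, records = text.splitlines(), []
    while len(lines) >= RECORD_LINES and lines[8].strip() == "*":
        name, value, site, flags, exp_lo, exp_hi, cr_lo, cr_hi = lines[:8]
        records.append({
            "name": name, "value": value, "site": site, "flags": flags,
            "created": filetime_to_utc(cr_lo, cr_hi),
            "expires": filetime_to_utc(exp_lo, exp_hi),
        })
        lines = lines[RECORD_LINES:]
    return records, lines

def build_sample():
    """Constructed cookie file: two whole records plus a truncated third."""
    created = datetime(2003, 1, 15, 12, 0, tzinfo=timezone.utc)
    rows = [("visits", "7", "example.test/", timedelta(minutes=30)),
            ("prefs", "lang=en", "shop.example.test/cart", timedelta(days=3650))]
    out = []
    for name, value, site, lifetime in rows:
        out += [name, value, site, "1024",  # flags value is a placeholder
                *utc_to_fields(created + lifetime), *utc_to_fields(created), "*"]
    return "\n".join(out + ["broken", "partial-record"])

if __name__ == "__main__":
    records, leftover = parse_cookie_file(build_sample())
    for r in records:
        print(f'{r["site"]:<24} {r["name"]:<7} set {r["created"]:%Y-%m-%d %H:%M} '
              f'expires {r["expires"]:%Y-%m-%d %H:%M}')
    print("unparsed trailing lines:", leftover)
```

The creation time shows when the site last set the cookie, which gives a visit time that survives a cleared history. All times are UTC.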

 

Trash

When files are deleted, or the web browser's history is deleted, the files don't just disappear; they are placed in the "Trash" just in case you need them back. This is actually a good thing in case you make a mistake.

To check the contents of the trash, right-click on the Recycle Bin icon located on the desktop then choose "explore" (Figure 7).


Figure 7 - Recycle Bin

You should now see a list of files that have been deleted. If the list is empty, the trash has been emptied recently (Figure 8).


Figure 8 - Browsing the Recycle Bin