Investigating Internet Histories with Netscape Navigator 6

Current version of this document located at
http://www.erinat.com/ComputerForensicScience/SimpleInvestigation/NN6/

Overview

The purpose of this document is to outline some simple procedures for investigating when and what Internet web sites have been visited by a computer.

This is not a comprehensive guide to computer forensic science and cannot cover all the methods and procedures for information discovery. But it does provide enough information to make a good start.

If you are not running Netscape Navigator then I suggest you obtain the latest copy at http://home.netscape.com/. At the time of this writing, version 6 is the most current.

 

Quick Definitions

Browser - The computer program used to access web sites; common examples are Internet Explorer (made by Microsoft) or AOL's Netscape Navigator.

Cache - A section of computer memory and/or disk space used to store copies of objects that have been accessed by the browser. This makes subsequent requests for those objects much faster since they don't have to be delivered across the Internet.

History - A list of web sites that have been accessed with the browser within the time period specified in the configuration - the default is 20 days.

URL - Stands for "Universal Resource Locator." It is simply the address used for a web site. For example, the URL for the Church of Jesus Christ of Latter-day Saints is "http://www.lds.org/" and is usually referred to as just www.lds.org.

 

Location Bar

The location bar is located near the top of the browser window. It is where you can type in an address (URL) for a web site (see Figure 1).


Figure 1 - Location Bar

Pressing the drop-down button located at the far-right side of the location bar will display a list of the URLs that have been entered directly into the location bar (see Figure 2). Unfortunately, URLs opened in other ways won't show up here.


Figure 2 - Location Bar History

If the Location bar list is empty, then the browser's history might have been erased.

 

History

The "history" contains a list of all the Internet web sites that have been visited, as well as all the objects at a web site. An object can be a graphic, the text on a page, a video or audio clip, or pictures.

Netscape Navigator 6 makes it easy to see the history and its objects.

Press F9 on the keyboard or choose View | My Sidebar from the main menu bar. A sidebar will open in the browser window.

If the History tab is not already visible, you can add it by clicking on "Tabs" and then making sure there is a check mark next to "History" (Figure 3).


Figure 3 - My Sidebar Tabs

Now select the "History" tab to see a list of all the web sites the browser has visited.

You can organize the data by changing the view. This is done by selecting the button just to the right of the word "title" and then selecting the criteria (Figure 4). Sorting by Visit Count, for example, will list sites in order of how many times they were accessed.


Figure 4 - History Window

Be aware that this view will not show ALL the objects that have been accessed, only the pages. Things like graphics, sound clips, animations, etc. will not be displayed here; to see those you have to browse through the cache.

 

Cache

To see all the objects in the cache, enter "about:cache" into the location bar and hit the Enter key. The browser will then display information about the Memory Cache and the Disk Cache (Figure 5).


Figure 5 - About:Cache

The Memory Cache is used to store objects in memory for extremely fast access. You can browse through a list of objects by clicking on the link "List Cache Entries."

The Disk Cache is used to store objects on the hard drive for fast access. You can browse through a list of objects by clicking on the link "List Cache Entries."

You will see a list of entries similar to the following:

           Key: http://www.lds.org/
     Data size: 5065 Bytes
   Fetch count: 1
 Last Modified: 12/26/01 21:51:16
       Expires: 01/10/02 12:52:13

The Key is really the URL for that object. You can click on it to see what it is.

If there is nothing in the Disk Cache or the Memory Cache there is a good possibility it has been erased.
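When the entry list is long, it is easier to copy it out of the browser and sort it than to read it on screen. The following is an added example (not part of the original guide) that parses entries in the layout shown above and orders them by their Last Modified field; it assumes the list was saved as plain text and that dates follow the MM/DD/YY HH:MM:SS form of the sample entry. The function names and the second sample entry are made up for illustration.

```python
import re
from datetime import datetime

# Constructed sample: entry 1 is the page's own; entry 2 is made up (placeholder host).
SAMPLE = """\
           Key: http://www.lds.org/
     Data size: 5065 Bytes
   Fetch count: 1
 Last Modified: 12/26/01 21:51:16
       Expires: 01/10/02 12:52:13

           Key: http://www.example.com/images/logo.gif
     Data size: 2310 Bytes
   Fetch count: 4
 Last Modified: 12/24/01 08:15:02
       Expires: 12/31/01 08:15:02
"""

FIELD = re.compile(r"^\s*(Key|Data size|Fetch count|Last Modified|Expires):\s*(.*?)\s*$")
STAMP = "%m/%d/%y %H:%M:%S"  # assumed from the page's sample entry

def parse_cache_listing(text):
    """Return one dict per cache entry; each 'Key:' line starts a new entry."""
    entries, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m or (cur is None and m.group(1) != "Key"):
            continue  # not a field line, or a field seen before any Key
        name, value = m.groups()
        slug = name.lower().replace(" ", "_")
        if name == "Key":
            cur = {"key": value}
            entries.append(cur)
        elif name in ("Data size", "Fetch count"):
            cur[slug] = int(value.split()[0])
        else:
            try:
                cur[slug] = datetime.strptime(value, STAMP)
            except ValueError:
                cur[slug] = None  # unparsable date: keep the entry anyway
    return entries

def timeline(entries):
    """Entries that carry a Last Modified time, oldest first."""
    return sorted((e for e in entries if e.get("last_modified")), key=lambda e: e["last_modified"])

if __name__ == "__main__":
    for e in timeline(parse_cache_listing(SAMPLE)):
        print(e["last_modified"], e.get("fetch_count"), e["key"])
```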

 

Cookies

When the World Wide Web was first created, web sites could not do a whole lot. There were no shopping carts, no ordering, and no personalization. To help facilitate these functions there needed to be a way to store a small amount of information on the user's computer so it could be retrieved later by the web site.

Folklore says that the first demonstration of this function showed Cookie Monster from Sesame Street and, when a picture of a cookie was clicked on, Cookie Monster would eat the cookie. The web site would keep track of how many cookies you had fed him no matter how many times you left the web site and came back.

Thus the name "Cookie" was given to the function of storing a small amount of data on the user's computer for later retrieval by a web site.

Cookies are not affected by clearing the cache or deleting the history. They stick around until they expire. Each cookie has an expiration date set by the web site: some durations are short, so the cookies are deleted when the user leaves the web site, while others are set to last forever.

Finding the cookies for Netscape Navigator 6 is a little tricky, but not that bad.

First, find out where the disk cache directory is by typing "about:cache" into the location bar and pressing the Enter key.

Under the "Disk cache" section you will see an entry called the "Cache Directory." Write down the path but leave off the "NewCache" at the end and substitute "cookies.txt" instead. This is the full path to the cookies file.

For example, if my screen showed:

Disk cache device


Number of entries: 161
Maximum storage size: 51200000 Bytes
Storage in use: 771840 Bytes
Cache Directory: C:\Program Files\Netscape\Users50\default\NewCache

List Cache Entries

Then the full path to my cookies would be:

C:\Program Files\Netscape\Users50\default\cookies.txt

The easiest way to view this file is to press the Start button on the task bar, choose Run then enter the full path to the cookies file, then press OK.

Heed the warning and do not edit the file. When you are done looking at it, close it but don't save any changes if asked.
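The path substitution and a read-only look at the file can also be scripted. This is an added example, not part of the original guide: it applies the NewCache-to-cookies.txt rule described above and parses the cookie lines without writing to the file. It assumes the usual Netscape cookies.txt layout of seven tab-separated fields, which the page itself does not describe; the function names and sample lines are made up for illustration.

```python
import ntpath
from datetime import datetime, timezone

def cookies_path(cache_dir):
    """Apply the page's rule: drop the last component (NewCache), add cookies.txt."""
    profile = ntpath.dirname(cache_dir.rstrip("\\/"))
    return ntpath.join(profile, "cookies.txt")

# Constructed sample in the assumed layout: seven tab-separated fields per line
# (domain, subdomain flag, path, secure flag, expiry as Unix time, name, value).
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "\n"
    ".example.com\tTRUE\t/\tFALSE\t1009400000\tsession_id\tabc123\n"
    "shop.example.org\tFALSE\t/cart\tTRUE\t2147483647\tcart\t42\n"
    "truncated line without enough fields\n"
)

def parse_cookies(text):
    """Return a list of cookie dicts; comments, blanks and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7 or not parts[4].isdigit():
            continue  # damaged or foreign line: leave it for manual review
        domain, _flag, path, secure, expiry, name, value = parts
        cookies.append({
            "domain": domain, "path": path, "secure": secure == "TRUE",
            "name": name, "value": value,
            "expires": datetime.fromtimestamp(int(expiry), tz=timezone.utc),
        })
    return cookies

def cookie_domains(cookies):
    """Distinct sites that left a cookie, leading dot removed, sorted."""
    return sorted({c["domain"].lstrip(".") for c in cookies})

if __name__ == "__main__":
    print(cookies_path(r"C:\Program Files\Netscape\Users50\default\NewCache"))
    # For a real file, read it without writing: open(path, "r", errors="replace").read()
    for c in parse_cookies(SAMPLE):
        print(c["domain"], c["name"], c["expires"].isoformat())
```

Because cookies survive a cleared cache and history, the domain list from `cookie_domains` can be compared against the History tab to spot sites that no longer appear there.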

 

Trash

When files are deleted, or the web browser's history is deleted, the files don't just disappear; they are placed in the "Trash" in case you need them back. This is actually a good thing in case you make a mistake.

To check the contents of the trash, right-click on the Recycle Bin icon located on the desktop then choose "explore" (Figure 6).


Figure 6 - Recycle Bin

You should now see a list of files that have been deleted. If the list is empty, the trash has been emptied recently (Figure 7).


Figure 7 - Browsing the Recycle Bin