Jeff is on the right track.
Another good place to look is the swap/page file, especially if the user is
cleaning the history or cache regularly (e.g. setting history retention to 0
days).
Also, going over unallocated clusters for URL entries is a great source of
detail that remains even if the user ...
Another good place to look is the swap/page file, especially if the user is
cleaning the history or cache regularly (e.g. setting history retention to 0
days).
Also, going over unallocated clusters for URL entries is a great source of
detail that remains even if the user ...
[ more ]