Total Recall

  • Overview
  • Internet Explorer and Docs
  • My Computer
  • Tables

What is "Total Recall"

"Total Recall" was written to give the computer user tools to reconstruct Internet Explorer activity and some user's activity on the computer.

Almost every computer user is familiar with a Web browser, such as Internet Explorer.

This Web browser holds the history files of the Web Sites (or Uniform Resource Locators - URLs) visited by users of this system. Because browser history files are in binary form, special tools are required to read them.

Internet Explorer caches URLs which were visited by users. When a user visits any Web Site, Internet Explorer checks to see if it has already stored (cached) a local copy of that Web Site on the hard drive first. If a local copy exists, Internet Explorer uses the locally cached file instead of downloading the information from the Internet. Internet Explorer stores cached files in the Temporary Internet Folders on the local hard drive. It also assigns each cached file an alphanumeric name, and maps the new filename to the actual filename in the system file. The system file used to map the cached alphanumeric names to the actual URLs and filenames is the index.dat file. Internet Explorer saves numerous files named "index.dat" within each user's home directory on the computer system. This file maps web sites visited to locally saved cache files in randomly named directories so that the next time the user visits the same web site, he will not have to download the same graphics and web pages all over again.

Now, our program investigates: MS Internet Explorer activity MS Internet Explorer history MS Internet Explorer cookie MS Internet Explorer favorites Recent files and folders Not erased temporary files

IE Activity

This program provides support for Microsoft Internet Explorer versions 4 through 7. You can determine what version of Internet Explorer you are running by opening your web browser, then clicking on "Help | About Internet Explorer" to display the information.

Microsoft Internet Explorer stores its Internet activity in index.dat files. These files are binary database files, which are used by Microsoft as the file type for storing several different sets of information. Included among these files are user data, Internet cookies, and Internet history storage. These files are found scattered throughout the users' profile folders. Some of the most common places you will find index.dat files which contain Internet activity records are:

Operating System File Path(s)
Windows 95/98/Me \Windows \Temporary Internet Files \Content.IE5 \Windows \Cookies \Windows \History \History.IE5\
Windows NT \Winnt\Profiles \<username> \Local Settings \Temporary Internet Files \Content.IE5 \Winnt\Profiles \<username> \Cookies \Winnt\Profiles \<username> \Local Settings\History \History.IE5\
Windows 2K/XP \Documents and Settings \<username> \Local Settings\Temporary Internet Files \Content.IE5 \Documents and Settings \<username> \Cookies \Document and Settings \<username> \Local Settings \History \History.IE5\

Some or all of these fields can be recovered for each of the websites the user visits, depending upon the integrity of the individual records contained in the database file.

The program automatically searches know locations of index.dat files, but you may also select a different location.

The index.dat files can also contain whole or partial remains of deleted records. This information is reflected in the table too. Often, a portion of information from the deleted records is missing or incomplete; hence, the reason for blank fields in the table.

After pressing the button (main menu "Internet Explorer | IE Activity") the program automatically defines the location of index.dat file and after clicking on "Open" button

the information from index.dat file will be loaded into the following table:

The fields of the table are:

Field Meaning
URL Address The website to which the user navigated
Modification Time The date and time the website was modified
Access Time The date and time the user viewed the website
File Name The locally cached file name
File Extension The locally cached file extension
Type The type of link that brought the user to the website
Directory Local directory (from the root of the Temporary Internet Folders)
HTTP Header The header information associated with the website that was viewed

IE History

After pressing the button (main menu "Internet Explorer | IE History") the program automatically defines the location of index.dat file after clicking the "OK" button

the information from index.dat file will be transformed in to following table:

The fields of the table are:

Field Meaning
URL Address The website to which the user navigated or a link to some local file
Modification Time The date and time the website (or local file) was modified
Access Time The date and time the user viewed a website or local file
Cached File The path from the index.dat of the original location of the cached file

IE Cookie

After pressing the button (main menu "Internet Explorer | IE Cookie") the program automatically finds the location of index.dat file and after clicking the "OK" button

the information from index.dat file will be loaded into the appropriate table.

The fields of the table are:

Field Meaning
Site The website that issued the cookie
Variable The variable name
Creation Time The creation date and time for the cookie
Expiration Time The date and time when the cookie will not longer be valid for the website
File Name The local cookie file name
Value The value for the variable
Flags Optional flags

IE Favorites

After pressing the button (main menu "Internet Explorer | IE Favorites") program automatically begins filling the following table:

The fields of the table are:

Field Meaning
Name The name of the favorite link
Creation Time The creation date and time for the link
Last Access The last date and time the user viewed a website
URL Address The local path to the link to the website to which the user navigated

Recent Documents

A lot of different information about a user's activity is kept within the personal computer. Usually the user does not know about its existence. A large part of this data may be found in the "Documents" folder.

This table shows the content of a system folder called "Recent" and the information about recently opened files from system's Registry.

After pressing the button (main menu "Documents | Recent Documents") the program automatically fills the following table:

The fields of the table are:

Field Meaning
Name The local file name
File Extension The local file extension
Creation Time The date and time of the file creation
Last Access The date and time of most recent access
Link Address Full file path

Temporary Files

This table shows the content of system folder "Temp".

After pressing the button (main menu "Documents | Temporary Files") the program automatically fills following table:

The fields of the table are:

Field Meaning
Name The local file name
File Extension The local file extension
Creation Time The date and time of the file creation
Last Access The date and time of most recent access
Link Address Full file path

Total Recall

Click the button (menu item) "Total Recall" and wait when the information is collected and shown. All the tables for "Internet Explorer" and "Document" partitions will be filled automatically one by one. The progress of this action is illustrated by progress bars on status bar panels of the program's window.

Recall with Conditions

The program allows collecting data for all tables or for some tables depending upon the criteria set: date of the last access (within date range or outside date range); some field of the table contains (or not) some phase, word or characters.

To set the date or date range press icon and make your selection when the pop-up calendar appears:

The date may be changed simply by clicking on an appropriate figure. The month may be changed in two ways. Either by arrows

(the month names change forward or backward depending on the direction arrow clicked) or by clicking on the month name and entering the name of the month.

The year may be selected while you are changing months by arrow or by clicking on the year icon and entering the year desired or by using the vertical arrow buttons.

Setting the date order is not necessary. The program will automatically sort the dates, selecting the first and last date.

The calendar context menu provides quick clearing of the calendar.

To select two criteria for filtering the information, join the criteria using "AND" or "OR" to achieve the desired results.

Search

"Find" locates the row of a table containing the first occurrence of the string and highlights the row. Choose "Search | Find" to display the Find Text dialog box.

Dialog box options:

Columns for Search Check or uncheck appropriate column's titles
Text to find Enter a search string or click the down arrow next to the input box to select from a list of previously entered search strings. To select from a list of previously searched strings, click the down arrow next to the input box.
Direction - direction to search, starting from the current cursor position
Forward From the current position to the end of the file. Forward is the default.
Backward From the current position to the beginning of the file.
Options - specify attributes for the search string
Case sensitive Differentiates uppercase from lowercase when performing a search.
Origin - where the search starts
From cursor The search starts at the cursor's current position, and then proceeds either forward to the end of the scope, or backward to the beginning of the scope depending on the Direction setting. From the cursor is the default Origin setting.
Entire scope The search covers either the entire block of selected text or the entire file (no matter where the cursor is in the file), depending upon the Scope options.

Choose "Search | Search Again" to repeat the last "Find" command.

Go to Line Number

Choose "Search | Go to Line Number" to display the "Go To Line Number" dialog box.

This dialog box prompts you for the number of the row you want to find. When this dialog box appears, the current line number is in the input box.

Enter New Line Number Specify the line (row) number of the table you want to go to. To select from a list of previously entered line numbers, click the down arrow next to the input box.

Sorting

Any table may be sorted by columns in descending or ascending order. By clicking on the header of a column, the items in the table will be sorted, which changes header's icon:

Table Context Menu

The table context menu provides quick access to useful commands. To display the table context menu, right-click anywhere on the table.

Context Menu Commands:

Command Action
Open Opens the selected row. The row can be an executable file, a document file or a URL. (or double click on the table's row or click on the panel with the file name: )
Open with... Display "Open with..." system dialog box
Open Folder Explores the folder where the specified file is located
Copy to... Copies the file in the currently selected row to the selected directory. If the file with the same name exists in the directory you specify, you're asked if you want to overwrite the existing file.
Move to... Moves the file from the currently selected row to the selected directory. If the file with the same name exists in the directory you specify, you're asked if you want to overwrite the existing file.
Properties Display the "File Properties" system dialog box

Viewing Pictures

When you select the image from the table its thumbnail is shown at the bottom right corner and it helps you

preview the pictures using a built-in viewer. Click the thumbnail to view it in "Picture" window:

The "Picture" window has a toolbar with different buttons. These buttons correspond to different commands.

These buttons are described below.

Button Button Name Description
Exit Returns to the main program window (clicking the Esc button yields the same result).
Zoom Out Reduce the displayed image by 1%
Zoom In Enlarge the displayed image by 1%
Rotate clockwise Rotate the image 900 clockwise. You can turn the picture several times to get the desired view. For example turning the picture twice will turn it upside-down.
Rotate counter-clockwise Rotate the image by 900 counter-clockwise. You can turn the picture several times to get the desired view.
Best fit Reduce or enlarge the image to fit into the window's current size.
Actual Size Display the image without scaling

When any , , button is pressed the scale regulator is shown (if it was not shown before)

The scale regulator's slider allows you to increase or decrease the image size 300%. The current scale in % is shown as a tool tip when the mouse cursor hovers over the regulator. Click the left mouse button on 0 to restore the picture scale, click the panels "-" or "+" to change the scale by 1%.

Click the button to hide the scale regulator.

The full path to the current picture is shown on the window's bottom status bar.

Some graphic formats support storing several pictures inside one file. For example, TIFF files may have several pictures in the same file which where scanned with different resolutions.

Animation is one more reason to have several frames. In the majority of cases the animated pictures blinking on millions of web pages are animated GIF pictures. The panel with a preview thumbnail shows the initial two frames for multiple-frame TIFF file and nonstop animation for GIF files.

Export of table to XML or TXT file

The contents of any table may be exported to an .XML file or a .TXT file with Tab delimited values.

After selecting the appropriate "Export" menu item, specify file name in the dialog box

Once an .XML (or .TXT) file is created, the results can be imported into an application like Microsoft Excel for further viewing, printing or processing

Flag Counter