Thanks to everyone for the info provided. Daniel, Steven, Victor, Missy, Choong & Gary. I haven't been able to glean the time stamp data I was really after. The history.html file has been purged I think, as it only contains about 2 months worth of data. The cache.waf file has been extremely useful and has provided a gold mine of info! all the urls ever visted are there. Regards Ivan -----Original Message----- From: forensics-return-36-ivan=incode.com.auat_private [mailto:forensics-return-36-ivan=incode.com.auat_private]On Behalf Of daniel heinonen Sent: Wednesday, May 30, 2001 2:12 PM To: forensicsat_private Subject: Re: Help any MAC users! Hey Ivan, Someone mentioned can opener. I looked at the webpage and it seems it would be great to strip all the web requests however I can not see any mention of it striping the Image files out. URLologist sounds like a mac program that would do the same thing it can be obtained from tucows, there should be a pc equivlent. If you go to word and use the "recover text from" option when you open the file it should help a lot if you are not going to use the above tools and do searches fro http or jpg. I have found heaps of netscape cache views but i have had problems finding ones for IE. You could try the netscape ones there are a heap at tucows. I used regedit (which looks at the files registry and settings) and the cache.waf file does not have a resource fork. Using a hex editor might come out with more information but basics like URLS are viewable using a text editor. BTW BBedit is a really powerful text editing tool which has greps and lots of other features. The history.html file does not include details about the content of the files such as images recently used just the base url. Hope this helps just let me know if you want me if you need any more information. Daniel Heinonen Computer Systems Officer Faculty of Art QUT <<<<<<<<<< SAMPLE FROM CACHE.WAF using a text editor >>>>>>>>>>>>>> </table> <p> </p> </div> </body> </html> </body> </html> <P><HR><B>Execution Time</B><P><PRE>184 milliseconds</PRE>post bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXcate y1yb /&5J5 E D ntry (7'IтБIo ƘJH S url /http://support.cdes.qut.edu.au/images/info.jpg bsrl xhttp://support.cdes.qut.edu.au/index.cfm?fuseaction=reservations&subaction= cliententry&action=displaycalender&keyid=226 mime image/jpeg hntt "2b1d3-be0-3aa050b2" hvrs data JFIF H H Photoshop 3.0 8BIM G G 8BIM x8BIM 8BIM 8BIM' 8BIM H /ff lff /ff 2 Z 5 - 8BIM p Yzc}vl~>3[\ߌڭe8 k Idd#juCKr1ֻUKҁGTyk徊?BڿFw3s;5^7R GM`Y]ۃ]տ=͵k+}x QbSe~\ӹo k;pm7dё`憼7nhї$l3A~ &3vE̱T,49o1 I**Tʩ$v |J~\ ֨߇?~ y <<<<<<<<<< SAMPLE FROM HISTORY.HTML using a web browser >>>>>>>>>>>>>>>> History History The Sloppy AppleScript Archive http://srd.yahoo.com/goo/cache.waf+read+view/4/*http://207.208.148.74/apples cripts_99.shtml Yahoo! Search Results for cache.waf read view Yahoo! The iMac NewsPage Another Look at Internet Explorer 4.5 http://srd.yahoo.com/goo/cache.waf+read+view/3/*http://adforceonline.com/new spage/1999/19990119_explorer45.shtml Slashdot | Serious Security Flaw in MSIE 5.01, 5.5 http://search.yahoo.com/bin/search?p=cache.waf+read+view Academy of Arts Support WebSite Privacy Tips for MicroSoft's Internet Explorer http://srd.yahoo.com/goo/cache.waf+view/2/*http://www.phaster.com/unpretenti ous/browsing_micro$oft.html Yahoo! Search Results for cache.waf view http://search.yahoo.com/bin/search?p=cache.waf+view Tuesday, 29 May 2001 Hotmail Inbox At 09:01 AM 28/05/01 +1000, you wrote: >Hello All, > I have been asked to extract the urls, timestamps etc from a >"cache.waf" file on a MAC. >I do not have any info on the version of the MAC OS or the version of IE it >is running. What tools can be used to extract the data from this file? > >Thanks in Advanced >Ivan
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 14:28:09 PDT