Windows Forensic Analysis Toolkit

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form.
Q: I was performing a search of Internet browsing activity in an image, and I found that the Default User had some browsing history. What does this mean?
A: Although we did not discuss Internet browsing history in this chapter (this subject has been thoroughly addressed through other means), this is a question I have received, and in fact, I have seen it myself in investigations. Robert Hensing (a Microsoft employee) addressed this issue in his blog. [46.] In a nutshell, the Default User does not have any Temporary Internet Files or browsing history by default. If a browsing history is discovered for this account, it is indicative of someone with SYSTEM level access making use of the WinInet API functions. I have seen this in cases where an attacker was able to gain SYSTEM level access and run a tool called wget.exe to download tools to the compromised system. Since the wget.exe file uses the WinInet API, the browsing history was evident in the Temporary Internet Files directory for the Default User. Robert provides an excellent example to demonstrate this situation by using launching...
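The check described in the answer, as an added example that is not the book's own code: scan a mounted image for browsing artifacts under the Default User profile, which a clean system leaves empty. The profile paths, the use of the "URL " record signature on 128-byte block boundaries in index.dat, and the sample image built by `build_sample_image()` are assumptions made here for illustration.

```python
import tempfile
from pathlib import Path

# Profile-relative WinInet cache locations (XP-era and Vista+ layouts); assumed.
DEFAULT_USER_PROFILES = ["Documents and Settings/Default User", "Users/Default"]
WININET_SUBDIRS = [
    "Local Settings/Temporary Internet Files", "Local Settings/History", "Cookies",
    "AppData/Local/Microsoft/Windows/Temporary Internet Files",
    "AppData/Local/Microsoft/Windows/History",
]
BASELINE_NAMES = {"desktop.ini"}  # present even in a pristine profile


def count_url_records(data: bytes) -> int:
    """Count 'URL ' cache records in an index.dat body.
    Assumption: records start on 128-byte block boundaries (Client UrlCache MMF)."""
    return sum(1 for off in range(0, len(data), 128) if data[off:off + 4] == b"URL ")


def find_default_user_artifacts(image_root):
    """Return sorted (relative_path, detail) pairs for browsing artifacts under the
    Default User profile; a clean image yields an empty list."""
    root = Path(image_root)
    findings = []
    for profile in DEFAULT_USER_PROFILES:
        for sub in WININET_SUBDIRS:
            base = root / profile / sub
            if not base.is_dir():
                continue
            for f in (p for p in base.rglob("*") if p.is_file()):
                rel = f.relative_to(root).as_posix()
                if f.name.lower() in BASELINE_NAMES:
                    continue
                if f.name.lower() == "index.dat":  # populated only by WinInet use
                    n = count_url_records(f.read_bytes())
                    if n:
                        findings.append((rel, f"{n} URL record(s)"))
                    continue
                findings.append((rel, f"cached file, {f.stat().st_size} bytes"))
    return sorted(findings)


def build_sample_image() -> str:
    """Constructed sample image: an XP-style Default User cache holding one URL
    record and one cached binary, plus a pristine Vista-style History index.dat."""
    root = Path(tempfile.mkdtemp())
    tif = root / DEFAULT_USER_PROFILES[0] / WININET_SUBDIRS[0] / "Content.IE5"
    (tif / "ABCD1234").mkdir(parents=True)
    hdr = b"Client UrlCache MMF Ver 5.2\x00".ljust(128, b"\x00")
    (tif / "index.dat").write_bytes(hdr + b"URL " + b"\x00" * 124)
    (tif / "ABCD1234" / "tool[1].exe").write_bytes(b"MZ" + b"\x00" * 30)
    hist = root / DEFAULT_USER_PROFILES[1] / WININET_SUBDIRS[4]
    hist.mkdir(parents=True)
    (hist / "index.dat").write_bytes(hdr)  # header only, no records
    (hist / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
    return str(root)
```

Run `find_default_user_artifacts("/mnt/image")` against the mount point of an image; any result is worth correlating with SYSTEM-level activity in the other artifacts covered in this chapter.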