To many people, reading logs is a boring endeavor, and it can be. I mean, when the Coulomb_Dialer kicks in and activates, it erases all Norton utility logs and restarts them after it's comfortably embedded in your system. So what's the sense of reading logs that won't tell you anything? To a certain extent, the same is true of Adaware logs, which tell you you have five or six copies of svchost.exe running but don't let you know which are real and which are in use by malware.
Now when it comes to kiddie porn cases, the logs which send you to jail are the index.dat files. Traditionally, three are described: cookie, cache and history. But there are many more, including weekly, daily and vendor-specific files. Interestingly enough, a Windows search doesn't show you all of the locations, not all are accessible in safe mode, and not all can be erased. Even searching for hidden files doesn't give you a complete list. I find that the more infected the machine, the more index.dat files exist and the harder they are to find and get rid of, short of wiping the drive and reinstalling the operating system, and even at that, the cache file of pictures survives that noble effort.
Now, EnCase at about $3000 will find those index.dat files, and the Feds favor this tool. A poor man can get a lot of experience finding out the truth about what's stored in index.dat files by using the free version of index.dat Analyzer. Once again, popups, spawned files, and URLs not even noticed by an observer all end up in your index.dat files. To use index.dat Analyzer well takes a little experience. The newest version is far superior at finding those hidden files, but you still have to print them or delete them one by one. The index.dat Analyzer finds and erases data entries missed by Norton and Adaware, but does nothing to attack the malware which created the entry.
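To show what an index.dat file actually holds, and why a tool that walks the file finds entries that a normal browser history view does not, here is an added example written for this post (not code from index.dat Analyzer or EnCase). It carves URL, LEAK and REDR records out of an MSIE "Client UrlCache MMF" file by stepping through every 128-byte block instead of following the file's hash table, so entries that were unlinked but not yet overwritten, and LEAK entries whose cached file could not be removed, still show up. Record offsets follow the format as documented by the libmsiecf project; the sample file built by `build_sample()` and its URLs are constructed for this demonstration.

```python
"""Carve URL, LEAK and REDR records from an MSIE index.dat (Client UrlCache MMF) file.

Added example, not the index.dat Analyzer tool's code. Record layouts follow the
MSIE cache file format as documented by the libmsiecf project; the sample file
built by build_sample() is constructed for this demonstration.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

BLOCK = 128                          # records are allocated in 128-byte blocks
SIGNATURE = b"Client UrlCache MMF Ver "
# (URL string offset, cache filename offset) inside a URL/LEAK record, per format version
LAYOUT = {"4.7": (0x30, 0x38), "5.2": (0x34, 0x3C)}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601, or None if unset."""
    return None if ft == 0 else (_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def _cstring(buf, off):
    """NUL-terminated string at buf[off:], or '' if the offset lies outside the record."""
    if off <= 0 or off >= len(buf):
        return ""
    end = buf.find(b"\x00", off)
    return buf[off:end if end != -1 else len(buf)].decode("latin-1", "replace")


def _parse_record(data, off, url_off, name_off):
    sig = data[off:off + 4]
    if sig not in (b"URL ", b"LEAK", b"REDR"):
        return None
    nblocks = struct.unpack_from("<I", data, off + 4)[0]
    if nblocks == 0 or off + nblocks * BLOCK > len(data):
        return None                     # corrupt or truncated record: treat as free space
    rec = data[off:off + nblocks * BLOCK]
    if sig == b"REDR":                  # redirect record: only the target URL string at 0x10
        return {"type": "REDR", "offset": off, "url": _cstring(rec, 0x10),
                "filename": "", "modified": None, "accessed": None}
    modified, accessed = struct.unpack_from("<QQ", rec, 8)
    url_ptr = struct.unpack_from("<I", rec, url_off)[0]
    name_ptr = struct.unpack_from("<I", rec, name_off)[0]
    return {"type": sig.decode().strip(), "offset": off, "url": _cstring(rec, url_ptr),
            "filename": _cstring(rec, name_ptr),
            "modified": filetime_to_iso(modified), "accessed": filetime_to_iso(accessed)}


def carve_index_dat(data):
    """Walk every 128-byte block rather than the hash table, so unlinked (deleted but not
    overwritten) entries and LEAK records are reported alongside the live ones."""
    if not data.startswith(SIGNATURE):
        raise ValueError("not an MSIE index.dat file")
    version = data[len(SIGNATURE):len(SIGNATURE) + 3].decode("ascii", "replace")
    url_off, name_off = LAYOUT.get(version, LAYOUT["5.2"])
    records, off = [], BLOCK
    while off + BLOCK <= len(data):
        rec = _parse_record(data, off, url_off, name_off)
        if rec is None:
            off += BLOCK
            continue
        records.append(rec)
        off += struct.unpack_from("<I", data, off + 4)[0] * BLOCK   # skip the whole record
    return records


def _record(sig, version, url, filename=b"", modified=0, accessed=0):
    """Constructed URL/LEAK/REDR record laid out like a real one (strings placed at 0x60)."""
    url_off, name_off = LAYOUT[version]
    if sig == b"REDR":
        body = bytearray(0x10) + url + b"\x00"
    else:
        body = bytearray(0x60)
        struct.pack_into("<QQ", body, 8, modified, accessed)
        struct.pack_into("<I", body, url_off, 0x60)
        struct.pack_into("<I", body, name_off, 0x60 + len(url) + 1)
        body += url + b"\x00" + filename + b"\x00"
    nblocks = -(-len(body) // BLOCK)                 # round up to whole blocks
    body[0:4] = sig
    body += bytes(nblocks * BLOCK - len(body))
    struct.pack_into("<I", body, 4, nblocks)
    return bytes(body)


def build_sample(version="5.2"):
    """Constructed index.dat: a live URL entry, a LEAK entry and a redirect, with the
    records placed at 0x4000 after a zeroed header/bitmap area. All values are made up."""
    t_accessed = 128120832000000000                  # FILETIME for 2007-01-01T00:00:00Z
    header = bytearray(0x4000)
    header[0:28] = SIGNATURE + version.encode() + b"\x00"
    records = (_record(b"URL ", version, b"http://www.example.com/index.html", b"index[1].htm",
                       t_accessed - 432000000000, t_accessed)          # modified 12 h earlier
               + _record(b"LEAK", version, b"http://ads.example.net/popup.php", b"popup[1].htm",
                         t_accessed, t_accessed)
               + _record(b"REDR", version, b"http://www.example.org/redirect"))
    struct.pack_into("<I", header, 0x1C, len(header) + len(records))   # file size field
    return bytes(header) + records


def report(path):
    """Carve a real index.dat from disk (run against a copy, never the live file)."""
    with open(path, "rb") as fh:
        return carve_index_dat(fh.read())


if __name__ == "__main__":
    recs = report(sys.argv[1]) if len(sys.argv) > 1 else carve_index_dat(build_sample())
    for r in recs:
        print(f"{r['type']:4} @0x{r['offset']:06x} accessed={r['accessed']} {r['url']} -> {r['filename']}")
```

Run it with no arguments to see the constructed sample, or pass the path of a copied index.dat to list its records. The LEAK record in the sample is the kind of entry a history view never shows: the browser gave up deleting its cached file, so the URL and the cache filename stay in index.dat until the block is reused, which is exactly the material the post says survives ordinary cleanup.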
In the case of Julie Amero, I'm not sure what her logs would show. Minimally, the index.dat files would show a history of online usage: when porn was first served and whether she was working when the machine was first online. They should also look for the tracks of known porn servers and scam-ware that delivers porn.
In the case of Chuck Stephano, he had an incredible amount of porn loading malware which will be discussed in detail in its own post.