Chapter 31. Internet History (Web and Browser Caching)

Information in this chapter:

• What is web caching?
• How Internet browser (web) caching works
• Internet (web) caching as evidence
• What if the Internet cache is cleared by the user?
As you surf the Internet, the web browser you are using saves information to your computer in temporary storage. This process of saving web pages and documents in temporary storage is called Internet browser caching or web caching. The purpose of web caching is to improve the experience of the computer user as he or she browses the Internet. In this chapter we cover what web caching is and how it is used as evidence.
Keywords
Internet History, Browser Cache, Web Browsing, Web Pages

Introduction

As you surf the Internet, the web browser you are using saves information to your computer in temporary storage. This process of saving web pages and documents in temporary storage is called Internet browser caching or web caching. The purpose of web caching is to improve the experience of the computer user as he or she browses the Internet. When you visit a website, your web browser will begin to save the information that you are viewing to your computer, and also parts of a website that you are not viewing. So while you are at the home page of a website, your browser might be temporarily saving the other pages also. The browser is anticipating that you will look at the other pages and images on the website, and it saves this information so that it will load faster when you navigate to them.
With Internet Explorer, the website information is saved into what is known as Temporary Internet Files. However, the “Temporary” part of that is a bit of a misnomer, as these files are not truly temporary. They will remain saved to the hard drive until the user manually clears the browser cache. Even if these files are deleted by the user, they can still be recovered using forensic tools, or carved out of unallocated space.
All of the various browsers such as Mozilla Firefox, Opera, Google Chrome, and Apple Safari cache web pages in much the same way as Microsoft Internet Explorer. However, where these various web browsers store their web cache data is dependent on the browsing program. Only Internet Explorer stores its cache data in the Temporary Internet Files location on the hard drive.

31.1. What is web caching?

Web caching was developed for two primary reasons: to reduce load on web servers and to improve the Internet user’s experience while browsing the web. Back in the early days of the Internet, nearly everyone accessed the Internet via dial-up modem service. This type of Internet access is very slow compared to the high-speed Internet services available today. The speed difference in the connections is orders of magnitude:
• The fastest single-channel dial-up modem is rated at 56KB or 56,000 bits per second, although the modem cannot actually achieve that speed.
• The typical high-speed Internet connection today is 3 to 6 megabits per second or 6,000,000 bits per second.
• New services are currently coming on line at 50 megabits per second or 50,000,000 bits per second.
To quantify those numbers, consider that at 56KB/Sec a 10MB file would take approximately 24 minutes to download. At 5MB/Sec, the same file would take approximately 10 seconds to download. At 50MB/Sec it would take less than a second.
For that reason, Internet caching on the local computer has been around a long time to improve the browsing experience for the Internet user.
On the other hand, the web server that supplies web pages for viewing by Internet users is also limited in the number of requests the server can handle at any given time due to server loads and bandwidth available to the web server. Bandwidth is the speed of the Internet connection from the server to the Internet. To support websites that handle millions of users, multiple servers provide web pages to users, balancing the total load on the servers by splitting up the users each server is handling. However, it is in the interest of the web server administrator to reduce the number of items the server has to send to the Internet user, for both practical and economic reasons; bandwidth and servers cost money to maintain.
Whenever you connect to a website, the web server sends something called a Hypertext Transfer Protocol (HTTP) header to your local computer. This header contains information about the last time the web page was updated. This information is stored on your local computer for the web server to access when you next browse that particular page. What the HTTP header does is allow the web server to know that you already have part of the web page on your computer so it does not have to send it to you again; it can load that part of the web page from your local hard drive, both speeding the page rendering for you and reducing the load on the server.
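The revalidation exchange described above, as an added example that is not part of the original chapter: a small in-process model of a web server and a browser cache using the standard HTTP `Last-Modified`, `If-Modified-Since` and `Expires` headers and the `304 Not Modified` status. The page content, URL, dates and the seven-day expiry are constructed for illustration, and the model server serves a single page.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed server-side state: one page and the time it was last changed.
PAGE_BODY = b"<html><body>Constructed sample page</body></html>"
PAGE_MODIFIED = datetime(2011, 3, 1, 12, 0, tzinfo=timezone.utc)

def server_respond(request_headers, now):
    """Model web server: answer 304 when the client's copy is still current."""
    since = request_headers.get("If-Modified-Since")
    if since and parsedate_to_datetime(since) >= PAGE_MODIFIED:
        return 304, {}, b""  # body not re-sent; the browser reuses its copy
    headers = {
        "Last-Modified": format_datetime(PAGE_MODIFIED, usegmt=True),
        "Expires": format_datetime(now + timedelta(days=7), usegmt=True),
    }
    return 200, headers, PAGE_BODY

def browser_fetch(cache, url, now):
    """Model browser: revalidate a cached copy, or download and store the page."""
    entry = cache.get(url)
    # The browser sends back the date it stored from the earlier response.
    request = {"If-Modified-Since": entry["last_modified"]} if entry else {}
    status, headers, body = server_respond(request, now)
    if status == 200:
        entry = cache[url] = {
            "body": body,
            "last_modified": headers["Last-Modified"],
            "expires": headers["Expires"],
        }
    # Every visit updates the access time, even when nothing was downloaded.
    entry["last_accessed"] = format_datetime(now, usegmt=True)
    return status, entry

def demo():
    """Two visits a day apart: full download first, then a 304 revalidation."""
    cache, url = {}, "http://example.test/"  # constructed URL
    first, _ = browser_fetch(cache, url, datetime(2011, 3, 5, 9, 0, tzinfo=timezone.utc))
    second, entry = browser_fetch(cache, url, datetime(2011, 3, 6, 9, 0, tzinfo=timezone.utc))
    return first, second, entry

if __name__ == "__main__":
    print(demo())
```

After the second visit the cached body and its last-modified date are unchanged on disk, while the last-accessed time has moved forward by a day.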

31.2. How Internet browser (web) caching works

When you connect to a web page for the very first time, or after you have cleared the Internet cache on your computer, the web server sends everything that makes up the web page to your computer over the Internet. Your Internet browser, whether it is Internet Explorer, Mozilla Firefox, Apple Safari, or Google Chrome, to name the more popular Internet browsers, receives the web page in the form of a programming language called Hypertext Markup Language (HTML). The web page can contain additional programming languages buried inside that HTML file, such as Java code, Adobe Flash elements, and other programming bits. When the browser receives this file, it renders the page into a readable form for the user.
Figure 31.1 shows the web page code sent to your browser for rendering, in the form in which the browser program receives it.
Figure 31.1
A web page showing the code that is sent to your browser for rendering
In Fig. 31.2, the program code shown in Fig. 31.1 is rendered or drawn by the browser program into an attractive web page.
Figure 31.2
A web page rendered in Mozilla Firefox

31.3. Internet (web) caching as evidence

Data saved to a hard drive, phone, or tablet such as an iPad can be used as evidence in legal matters. Figure 31.3 shows what happens when you visit a web page. While your monitor may only let you see part of the web page, all of it is immediately downloaded to your computer.
Figure 31.3
The user may not see all of the web page that is saved to the computer
For instance, mapping web pages such as Google Maps pages are used in many murder cases to show that the accused had been looking for a dump site for a body or a likely place to commit the crime. This was a factor in the trial of Scott Peterson in the murder of Laci Peterson where the prosecution introduced Google Maps pages recovered from Scott Peterson’s computer to allegedly show that he had been looking at areas that could become a possible disposal site.
The wide variety of uses for the Internet today has made the Internet cache and history on local computers an extremely valuable repository of evidence. Consider that your computer tracks every page you visit, including the time you visit and the user account that was logged in at the time of the web page visit. Also consider that the entire web page is downloaded and saved on your local computer hard drive.
Figure 31.4 shows part of an Internet history file viewed in forensic software. You can see that the Last Accessed date and time are recorded. This is the last time the user visited the web page. The Last Modification Time is the last time the web page noted that it was updated. The Expiration field records the time when the page will expire and be reloaded by the user’s browser if he or she visits the page again after that time. The Profile Name is the name of the user account that is logged in at the time the web page was visited. The URL Name is the actual Internet address of the page that was visited. The URL Host is the name of the website, in this case “office.microsoft.com.”
Figure 31.4
Internet history as viewed in EnCase forensic software
In a recent case in Cary, North Carolina, Brad Cooper was tried for the murder of his wife, Nancy Cooper. It was widely reported in the news that the prosecution produced a Google map web page from one of Brad Cooper’s computers showing the site where Nancy Cooper’s body was found. The date and time of the web page’s origination was used by the prosecution to show that the map page was visited prior to the murder. The prosecution argued that this was proof that Brad Cooper was scouting out a place to commit the murder of his wife.
31.1. Internet history as a basis for intent
In a child pornography case, the defendant was claiming that the images found on his computer were put there by a disgruntled employee from a USB drive. A forensic examination of his computer was performed and the prosecution used his Internet history to show that he regularly visited websites with web addresses that suggested they contained images of young girls. While the case did not turn on this evidence, it certainly did not help his argument that he was not interested in obtaining or viewing child pornography and had never searched for or looked at child pornography in the past.

31.4. What if the Internet cache is cleared by the user?

All Internet browsers provide a way for the user to clear the Internet history and cache. However, that does not mean that the history and web pages are gone from the computer. In fact, when you delete something in Microsoft Windows, no data is actually removed from the hard drive. This means that a forensic examiner can very likely recover not only the Internet history records, but also the web pages themselves. The most common reason that Internet history or web pages cannot be recovered is the length of time between the clearing of the cache and the examiner processing the hard drive. Once something is deleted, the space used by the deleted data may be reused for other data as the computer is used. Even if the data is partially destroyed in this manner, it may still be possible to recover some web pages from a computer hard drive. How deleted data can be recovered is discussed in Chapter 29.
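A minimal sketch of carving web pages out of unallocated space, including a page whose tail has been overwritten (an added example, not from the original chapter and not the method of any particular forensic tool). The sample bytes, the 64 KB size cap and the function name `carve_html` are assumptions made for illustration.

```python
import re

HEADER = re.compile(rb"<html[\s>]", re.IGNORECASE)   # start-of-page signature
FOOTER = re.compile(rb"</html\s*>", re.IGNORECASE)   # end-of-page signature
MAX_PAGE = 64 * 1024  # assumed upper bound on a carved page, in bytes

def carve_html(raw, max_page=MAX_PAGE):
    """Return (offset, complete, data) for each HTML page found in raw bytes."""
    hits = []
    starts = [m.start() for m in HEADER.finditer(raw)]
    for i, start in enumerate(starts):
        # A page cannot run past the next header, the size cap, or the buffer.
        next_start = starts[i + 1] if i + 1 < len(starts) else len(raw)
        limit = min(start + max_page, next_start)
        end = FOOTER.search(raw, start, limit)
        if end:
            hits.append((start, True, raw[start:end.end()]))
        else:
            # Footer was overwritten: keep the leading printable run as a
            # partial page so the surviving text is still reviewable.
            partial = re.match(rb"[\t\n\r\x20-\x7e]+", raw[start:limit]).group()
            hits.append((start, False, partial))
    return hits

# Constructed sample standing in for unallocated space: one intact deleted
# page, binary noise, then a page whose end was reused by other data.
SAMPLE = (
    b"\x00" * 32
    + b"<html><body>Constructed page A</body></html>"
    + b"\xff\x13\x00\x9a" * 8
    + b"<HTML><body>Constructed page B, cut of"
    + b"\x00\x00\xde\xad\xbe\xef" * 4
)

if __name__ == "__main__":
    for offset, complete, data in carve_html(SAMPLE):
        print(offset, "complete" if complete else "partial", data)
```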
31.2. Internet history as supporting evidence
In a murder case, recovery of web pages and web-based e-mail was a factor in establishing that the two persons charged with the murder of the wife’s husband were having many conversations regarding future plans to be together, planning for moving to a new location, and also applying for new jobs at the new location. While no direct evidence of any conspiracy to commit the murder was found in the web cache, this type of circumstantial evidence was very damaging to the defendant’s case.

Summary

This chapter covered what Internet caching is, how it works, and how it is used as evidence. It was also shown that clearing the Internet cache does not actually remove the evidence from the computer hard drive, leaving the possibility that deleted Internet history can still be recovered.