Windows File History Plugin
This program is the 24th Autopsy plugin that I have created. This plugin is an extension of the research that Ken Johnson did on Windows File History. You can read more about that research here.
This plugin will export the Catalog1.edb and the Catalog2.edb for each user and parse the information into a SQLite database and then import the data into the extracted content. The extracted content will be named “File History Catalog1” and “File History Catalog2”. The data will have each user name attached to it so you can see what user has what backed up. One thing to note is that there may be a lot of data that is extracted depending on what files they are monitoring and how many changes have been made to them. The following is a screen shot of what the data looks like:
The plugin can be found here. Comments and suggestions always welcome and encouraged. Enjoy!
