Sniffing pagefile and such......


jim

Is there software available that enables you to (1) see where XP tracks for
IE and Windows itself are written and (2) to scan those files for filenames,
readable text and links?

I am doing some minor forensics on an XP PC and I want to know all that I
can about when and where it was last used and what the last things done
on or by the PC were.

Thanks!
 
Yes, there are tools such as those from Foundstone at the link below.

http://www.foundstone.com/us/resources-free-tools.asp --- Foundstone
forensic tools

Regseeker can also display contents of user index.dat files showing internet
activity.

http://www.hoverdesk.net/freeware.htm --- Regseeker

http://en.wikipedia.org/wiki/Index.dat --- about index.dat

The link below, from Microsoft's Antivirus Defense-In-Depth guide, shows
steps for analyzing a computer that is still running for evidence of what
has happened and its current state; it is written for a hack attack, but
much of the same applies.

http://www.microsoft.com/technet/security/guidance/serversecurity/avdind_4.mspx

You can also use the built-in search in XP and search for files
created/modified within a date range and sort the results, being sure to
select hidden files and folders.

Having said that, you have to be very careful in doing forensics if it is for
any legal reason or for proof, and follow best practices for "chain of
custody"; no one should do it for legal/proof reasons unless they are highly
trained at it and can take a grilling in court from computer security
experts for the defense. When doing forensics the original hard drive is
typically cloned, then the original hard drive is saved as evidence and
the cloned drive is examined. There is much, much more to it than that, but
that is a start.

Steve
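The date-range file search Steve describes, with hidden files included and a hash recorded for each hit so the listing can support a custody record, as an added example that is not part of the thread. The directory layout, file names and dates are constructed sample data, not taken from any real XP image.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone


def _utc(iso):
    """Parse an ISO date/time string; naive values are treated as UTC."""
    d = datetime.fromisoformat(iso)
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)


def is_hidden(path):
    """Dotfiles count as hidden everywhere; the Windows hidden attribute is honoured too."""
    if os.path.basename(path).startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def files_in_range(root, start_iso, end_iso, include_hidden=True):
    """Return [(relative_path, mtime_iso, sha256)] for files modified in the range, newest first."""
    start, end = _utc(start_iso), _utc(end_iso)
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not include_hidden:  # prune hidden directories so they are not descended into
            dirnames[:] = [d for d in dirnames if not is_hidden(os.path.join(dirpath, d))]
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            if not include_hidden and is_hidden(p):
                continue
            mtime = datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc)
            if start <= mtime <= end:
                with open(p, "rb") as f:  # read-only; never modifies the examined file
                    digest = hashlib.sha256(f.read()).hexdigest()
                rows.append((os.path.relpath(p, root), mtime.isoformat(), digest))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def make_sample_tree():
    """Constructed sample: three files with back-dated mtimes, one of them hidden."""
    root = tempfile.mkdtemp()
    samples = {"notes.txt": "2024-03-01", ".index.dat": "2024-03-02", "old.log": "2023-12-25"}
    for name, day in samples.items():
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write(name)
        ts = _utc(day).timestamp()
        os.utime(p, (ts, ts))  # back-date both atime and mtime
    return root


if __name__ == "__main__":
    for row in files_in_range(make_sample_tree(), "2024-02-28", "2024-03-31"):
        print(*row)
```

Run it against a mounted clone, never the original drive, and point it at the cloned volume's root rather than the sample tree.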