I just got a private message I'm not quite sure how to respond to:
Hi Chris,
I saw that you have posted before regarding the NcoDefs.ncz file and am hoping you can help.
I'm examining a suspect's hard drive where, upon searching for a specific term, I received a hit on the term in a file named Identifiers.xml. This xml file was found in the compressed file NcoDefs.ncz, which was found in the file path of Norton\Definitions\WebProtectionDefs. I'm using AccessData's FTK to look at the suspect's hard drive, and the hit was found in a listed url which was found in the Identifiers.xml file.
I tried the Symantec chat to get an understanding of how the file is generated, but that got me nowhere.
I'm wondering if you could explain to me how the Identifiers.xml file found in the compressed file NcoDefs.ncz is generated. When looking at the contents of NcoDefs.ncz using WinZip, the Identifiers.xml file is under the Bin directory. I'm wondering if this file is generated by Symantec or if the user was actually visiting these sites listed. Some sites seem non-intrusive, such as bankofamerica.com while others, such as geocities.com/hott_sexxy_slutty, may raise a question or two.
Thanks for your help.
Don