To assist with rapid evidence identification, we have added a high-performance, full-featured text search engine to NetAnalysis® v2. The following data types are added to the search index:

  • Indexed Text: Many web browsers maintain their own index to assist with searching. NetAnalysis® can extract the original data from these search databases. This data is then written out for indexing and searching.
  • Text Extracted from Web Pages: During web page rebuilding, NetAnalysis® extracts the text from web pages by stripping HTML code, CSS and script, leaving behind the content of the page. This data is then written out for indexing and searching.
  • HTTP Entity Body: Some browsers store HTTP entity body information. This data can contain a wide variety of valuable information which may be of interest in an investigation. This data is written out for indexing and searching.
  • Safari Reading List Preview Text: Safari Reading List entries represent sites the user has selected to view at a later date. As part of the reading list, Safari stores a text preview of the start of the page. This data is written out for indexing and searching.
  • Chromium AutofillProfile and CreditCard Autofill Information: Autofill forms is a feature of Google Chrome and other Chromium based browsers. It allows for the user to store information such as name, address, phone number and email address as an Autofill entry so that forms can be automatically populated. Another feature of the AutofillProfiles is the storage of credit card information. In NetAnalysis® v2, we extract this data and display it in the main grid and text display window. We also extract the corresponding user data and save it to the export folder for indexing and searching.

Once the user has created an index, it can be easily searched.

 

The search viewer highlights the corresponding hits allowing the user to easily navigate through the list.

 

Double clicking the search index entry will filter the original record entry which corresponds to the search hit. In this case, we have identified a hit in the original text for a web page. NetAnalysis® is showing the rebuilt web page in the internal viewer.