HstEx v3 is an advanced, Windows-based, multi-threaded, forensic data recovery solution which has been designed to recover deleted Browser History and Cache data from a variety of source forensic evidence files as well as physical and logical devices. Designed to work in conjunction with NetAnalysis, this powerful software can recover deleted data from a variety of Internet browsers, whether they have been installed on Windows, Linux or Apple Mac systems.
Supported Forensic Sources
This version is a complete re-write of HstEx v2 and supports direct extraction from forensic evidence files produced by EnCase and AccessData FTK Imager. It supports extraction from the following sources as shown in the table below. It also supports direct disk access to write protected hard drives, volumes and removable media.
Supported Forensic Image Formats
EnCase® v1-6 Image File (EVF / Expert Witness Format)
AccessData® FTK Image Files
*.e01, *.001, *.s01
SMART/Expert Witness Image File
X-Ways Forensics Image File
VMWare Virtual Disk File
Segmented Image Unix / Linux DD / Raw Image Files
Single Image Unix / Linux DD/Raw Image Files
*.dd; *.img; *.ima; *.raw
Virtual Hard Disk File
Binary / Memory Dumps
*.bin; *.dat; *.dmp; *.mem; *.dump; *.crash
HstEx v3 has been designed to be extremely fast and is considerably faster than HstEx v1 or 2. The HstEx output file format has also been changed and enhanced.
Please note, the output from HstEx v3 is not compatible with NetAnalysis versions prior to v1.50.
During the extraction process, HstEx identifies the extract Physical Sector and Sector Offset of the data on the original disk. This information is embedded within the file and read by NetAnalysis when the data is imported. This means that you can pin-point the exact physical location of a piece of evidence on the original hard disk. HstEx also logs the source evidence metadata which is also read and logged by NetAnalysis. This means that you will always be able to identify the source forensic evidence files from an output file and there is a clear link between produced evidence and the original forensic source. HstEx v3 also maintains a recovery log for each extraction.
All of the extraction engines have been re-written and optimised. HstEx v3 now supports extraction of the following file types. We are currently working on support for the extraction from other browsers.
HstEx v3 Supported Browsers
Microsoft Internet Explorer v4
Microsoft Internet Explorer v5-9
Mozilla Firefox v1-2 File
Firefox v1-2 History / Cache Entries (All Mozilla based including Netscape)
Mozilla Firefox v1-3 Cache Entries
Firefox v1-3 Cache Entries for all Mozilla based browsers
Safari (XML) Plist History Entries
Safari XML based PLIST (Early Windows and Apple Mac Versions)
Safari (Binary) Plist History Entries
Safari Binary based PLIST History
Mozilla / Netscape / Firefox Bookmarks Entries
Mozilla based browser Bookmark File
Yahoo! BT Browser History Entries
Yahoo! Browser from British Telecom
Firefox v1-3 Cache
Research and development has allowed us to identify a method for recovering Firefox v1-3 cache index entries. HstEx v3 is the only forensic software product that can recover this deleted data directly from a disk or forensic evidence file.
See the following for further information on getting started with HstEx.