
Introduction

A critical element of web browser forensic analysis is the recovery of deleted data.  HstEx is an advanced, professional forensic data recovery solution, designed to recover browser artefacts and Internet history from a number of different source evidence types.

HstEx Processing

HstEx has been designed to process a forensic image, physical/logical disk or binary dump at sector level.  It does not work at the file system level.  The recovered data fragments are written out to an HSTX file which can then be imported into NetAnalysis.

When HstEx searches your source, it examines it one sector at a time (or several sectors at a time, depending on the block size you have set). HstEx uses linear processing and examines each block of data contiguously.  This means that it can potentially recover data from the areas outlined in Table 1.

Potential Evidence Source:

  • Unallocated Clusters
  • Allocated Clusters
  • Cluster Slack
  • Volume Slack
  • Memory Dumps
  • Binary Dumps
  • Swap Files
  • Hibernation Files
  • Unused Disk Space
  • Live Files
  • Resident Files
  • Deleted Files
  • Restore Points
  • Shadow Volumes
  • Hidden Partitions
  • Deleted Partitions

Table 1


HstEx works in a similar way to an imager in that it starts at sector zero and processes all the data to the end.  In many cases, it can recover individual records relating to browser activity without the entire file being present on the source image or disk.

As HstEx ignores the file system, it can be run across many source file system types without issue.  It also means that when it recovers from a disk or image, it will potentially recover the live data as well as any that is deleted.

To identify the location of source evidence, HstEx embeds the exact location of each data fragment inside the HSTX file.  NetAnalysis can interpret the exact location and present that to the forensic examiner.  This allows an independent third party to verify the exact source of the evidence on the original source disk or image.

In addition to physical devices and volumes, HstEx supports all of the major forensic image formats (as shown in Table 2).

Forensic Image Source Type                              Extension
EnCase® v1-7 Image File (EVF / Expert Witness Format)   *.e01
AccessData® FTK Image Files                             *.e01, *.001, *.s01
SMART/Expert Witness Image File                         *.s01
X-Ways Forensics Image File                             *.e01
Tableau Imager                                          *.e01, *.dd
VMWare Virtual Disk File                                *.vmdk
Virtual Hard Disk File                                  *.vhd
Segmented Image Unix / Linux DD / Raw Image Files       *.000, *.001
Single Image Unix / Linux DD/Raw Image Files            *.dd; *.img; *.ima; *.raw
Memory Dumps                                            *.dmp; *.dump; *.crash; *.mem; *.vmem; *.mdmp
Binary Dumps                                            *.bin; *.dat; *.unallocated; *.rec; *.data; *.binary
Micro Systemation Extraction File                       *.xry

Table 2

Limitations of Linear Processing

What HstEx cannot do is recover data that spans a cluster boundary where the clusters are not contiguous, i.e. fragmented data.  This is one of the reasons why you also need to extract and examine the available live data.

Record Based Extraction (RBE)

With many of the browser types, HstEx uses a powerful search engine which is capable of Record Based Extraction.

In some circumstances, there can be limitations with RBE.  Some live browser files contain information that cannot be recovered using RBE.  For example, Microsoft Internet Explorer cache records contain an integer representing a zero based index which identifies the location of the cached item.  Whilst the index is contained within the record, the folder array containing the folder name string is stored at the start of the file.  RBE will not recover the name of the folder as it is not stored within the record.

File Based Extraction (FBE)

Another extraction methodology employed by HstEx is File Based Extraction.  Some browser index files are designed in such a way as to make RBE impossible.  The History file from Firefox v1 - 2 is one such example.  Firefox v1 - 2 uses a Mork database which, because of its complicated structure, makes RBE impossible.  As such, it is impossible to recover individual Mork entries from unallocated clusters.  In this case, HstEx employs FBE to recover Firefox v1 - 2 History.

Recommended Forensic Methodology

We recommend that you extract the live data from your source as well as processing the entire image so that you recover potentially fragmented live files and all the recoverable deleted data.

This is because:

  • HstEx employs a mixture of Record (RBE) and File Based Extraction (FBE)
  • Fragmented data cannot be recovered with Linear Processing
  • HstEx does not support all the data types supported by NetAnalysis
  • NTFS compressed data is not processed at sector level

Of course, you will end up with some duplication during your examination, but this is a small price to pay to ensure that you have all the possible evidence.

You will also need to recover live cache files for processing so that NetAnalysis can rebuild the visited pages.  Internet Explorer cache entries have an index value which points into a zero-based string array storing the cache folder names.  This array is stored at the front of the file.  This means you have to import a live cache INDEX.DAT file to get the full original path of the cache object.

During the RBE performed by HstEx, although we can identify the index value for the array, we do not have the string array containing the folder names; therefore it is not possible to identify full cached paths using Record Based Extraction alone.  This is why you must use both methods for a full examination.
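The two points made above (linear, sector-level carving that records each fragment's exact offset for independent verification, and RBE recovering only a zero-based folder index while the folder-name array lives at the start of the live file) as an added, runnable illustration in Python. This is example code written for this page, not HstEx or NetAnalysis code; the record layout, the RECX signature, the folder names and the URLs are constructed for the demo and do not reproduce the real Internet Explorer INDEX.DAT format.

```python
import struct

SECTOR = 512
MAGIC = b"RECX"        # constructed record signature, not a real browser format
REC_LEN = 4 + 4 + 32   # signature + zero-based folder index + 32-byte URL field

def make_record(folder_idx, url):
    return MAGIC + struct.pack("<I", folder_idx) + url.ljust(32, b"\0")

def build_index_file(folders, records):
    # Constructed layout mirroring the page's description: the folder-name
    # array sits at the start of the file; records carry only an index into it.
    header = b"HDR1" + struct.pack("<I", len(folders))
    header += b"".join(f.ljust(8, b"\0") for f in folders)
    return header + b"".join(make_record(i, u) for i, u in records)

def parse_header_folders(data):
    # FBE: the array is readable only when the start of the live file is present.
    n = struct.unpack_from("<I", data, 4)[0]
    return [data[8 + 8 * i:16 + 8 * i].rstrip(b"\0").decode() for i in range(n)]

def carve_records(image, block=SECTOR):
    # RBE with linear processing: walk the image block by block and record the
    # absolute offset and sector of every hit so a third party can re-locate it.
    hits = []
    for start in range(0, len(image), block):
        end = min(len(image), start + block + len(MAGIC) - 1)  # catch a straddling signature
        pos = image.find(MAGIC, start, end)
        while pos != -1 and pos + REC_LEN <= len(image):
            idx = struct.unpack_from("<I", image, pos + 4)[0]
            url = image[pos + 8:pos + REC_LEN].rstrip(b"\0").decode(errors="replace")
            hits.append({"offset": pos, "sector": pos // SECTOR, "folder_idx": idx, "url": url})
            pos = image.find(MAGIC, pos + 1, end)
    return hits

def resolve_folders(hits, folders):
    # Without the live header (folders == []) RBE yields only the index, never the name.
    return [dict(h, folder=folders[h["folder_idx"]] if h["folder_idx"] < len(folders) else None)
            for h in hits]

def build_demo_image():
    # Constructed 4-sector image: live index file in sector 0, unallocated sectors 1-2,
    # and an orphaned record (its file header long overwritten) part-way into sector 3.
    live = build_index_file([b"ABCD1234", b"WXYZ5678"],
                            [(0, b"http://example.com/a.png"), (1, b"http://example.com/b.css")])
    image = bytearray(4 * SECTOR)
    image[:len(live)] = live
    image[3 * SECTOR + 100:3 * SECTOR + 100 + REC_LEN] = make_record(1, b"http://example.com/old.htm")
    return bytes(image), parse_header_folders(live)
```

Running `carve_records` over the demo image finds all three records with their sector offsets, but `resolve_folders(hits, [])` leaves every folder name unknown; only the folder array parsed from the live file turns the orphaned record's index into a usable cache path.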