Before You Start
If this is a new (or first time) installation of NetAnalysis, it is recommended that you take some time to configure the software prior to using it live on a case. The Options window can be activated from the Options toolbar button, or from the menu: Tools » Options.
Import Settings: Time Zone
This page (as shown in Figure 1) allows the forensic examiner to set the time zone of the suspect system prior to importing any data. You must ensure you establish the time zone settings for your suspect system (see the chapter relating to Time Zone Configuration) before you import any data into NetAnalysis.
Once the time zone has been set for a case, it is saved with the workspace file and cannot be changed. This is to ensure that mistakes cannot be made by inadvertently adding further data once the time zone has been altered.
Import Settings: Date Format
This page (as shown in Figure 2) allows the forensic examiner to set the default date/time format. The default format will be initially read in from the workstation the software is installed on, but can be changed at any time.
Import Settings: RestrictDateRange
This page (as shown in Figure 3) allows the forensic examiner to set a date/time restriction for the data you import. This option is disabled by default. The date restriction is tested during import against the Last Visited [UTC] field.
This option is particularly useful for the following scenarios:
- You have been given a mandate to only examine data within a specified date/time range (such as when directed by a Judge or within the parameters of a search warrant);
- You have recovered a large amount of browser related records but are only interested in a specific date range when an offence or incident occurred;
When this option is active, NetAnalysis will warn the user prior to importing any data. This option can be activated or deactivated at any time.
Case Settings: Investigation
This page (as shown in Figure 4) is only available once data has been imported into a workspace. It allows the forensic examiner to save case related information for their investigation. Some of this information is displayed in the printed reports. The forensic examiner will be prompted to complete this information prior to printing a report or exporting data (such as rebuilt web-pages).
Case Settings: Case Data Paths
This page (as shown in Figure 5) is only available once data has been imported into a workspace. It allows the forensic examiner to set the export folder.
The export folder is used to hold exported objects such as:
- Exported Cache Objects;
- Rebuilt Web-Pages;
- Page Rebuilding Audit Logs.
Web Page Rebuilding: Extraction Settings
This page (as shown in Figure 6) allows the forensic examiner to set the parameters used in the rebuilding of web-pages and the export of cached objects (such as JPEG images).
Group Output Files by Extension
This option creates a folder for each file type stored in the cache (by extension) and when files are extracted they are copied to the corresponding folder.
Use Default File Viewer
This option sets whether to use the operating system default HTML viewer when viewing rebuilt web pages.
Environment: User Interface
This page (as shown in Figure 7) allows the forensic examiner to change some of the default settings for the user interface.