It is important to be able to quickly identify the Internet history records that can prove your case. NetAnalysis has a number of different ways to do this:
- Quick Filters
- Multi-Level SQL Filtering
- Keyword Searching
- Column Filter Bar
- Find First, Find Next
In addition to filtering and searching, NetAnalysis also provides a number of different ways to step through, review and bookmark the evidence.
After a filter has been applied, it can be quickly removed by hitting F5, clicking on the Remove Filter button on the toolbar, or selecting the following menu: Filter » Remove Filter - Show All. The status bar will always show whether a filter is active.
The quickest way to find specific records within NetAnalysis is to set a quick filter. This will be the normal method for searching, filtering and reviewing.
Filters make it easy to specify which records you want to include in a report or view in the grid. You can select which field (also referred to as a column) to filter along with optional time parameters. You can also set whether you want the search string to match the start of the field, end of the field, whole field or any part of the field. The default setting is for any part of the field. The Filter Text box also remembers the previous 15 strings used to activate filters.
The Filter Form can be activated by clicking on the Show Filter Form button on the toolbar or from the following menu: Searching » Select Filter Criteria. The keyboard shortcut F8 can also be used. This will show the Filter Form, as shown in Figure 1.
By selecting the ‘Set Between Dates’ check box, the start and end date fields become active. This allows you to filter the activity between two dates. This date filter will remain active until it is deselected. When you access the Filter form with the date filter activated, you will see the red text “Status: Date Filter Is Active” to warn you that the filter is active (as shown in Figure 2).
The default field value is URL. This can be changed to any of the other fields by clicking on the drop-down box. The filter type can be changed by clicking on the Search drop-down box. The actual text to be searched for can be entered into the Filter Text box. Clicking ‘OK’ will activate the desired filter.
The status bar will indicate that a filter is active (see Figure 3). If any of the column headers are then clicked, the order of the records will change whilst maintaining the current filter.
Viewing/Highlighting Keyword Hits
When searching and filtering for data, it is often difficult to see the actual text within the URL. To assist with this, open the URL Examination Window by selecting View » URL Examination Window from the menu. This window will show the whole URL and will highlight the keywords for easy recognition (as shown in Figure 4).
In this example, we searched for the string ‘sig sauer’. NetAnalysis automatically generates a search that matches both words whether they are separated by the encoded space (%20) or by a plus sign (+).
Removing a Filter (F5)
When a filter is active (any filter), it can be removed by pressing the shortcut key F5, clicking the Remove Filter button on the toolbar, or selecting Filter » Remove Filter - Show All from the menu. NetAnalysis also remembers which record was selected when filters are removed.
Find First URL (F7)
Another quick option for finding URL records is to press the shortcut key F7 and open the Find First form. This can also be activated by selecting Searching » Find First URL Record from the menu.
This form allows you to enter a URL (or part of a URL) and then jump to the first record in the workspace that contains the string. Pressing F3 and F2 allows you to jump back and forward. These options can also be accessed by selecting Searching » Find Next or Searching » Find Previous from the menu.
Keyword Lists (F4)
NetAnalysis also has a useful function for searching multiple keywords against the URL, Page Title, Absolute Path or Cache File column. Pressing the shortcut key F4 activates the Keyword List window (as shown in Figure 6). It can also be activated by selecting Searching » User Keyword List from the menu.
Keyword lists can also be saved for later use or shared with other NetAnalysis users. There are also a number of example keyword lists installed with the full setup. These example keyword lists can be opened by selecting File » Open Keyword List (as shown in Figure 7).
When you have built a keyword list, it can be saved and re-used at a later date. To save a keyword list, select File » Save Keyword List As from the menu.
Searching with Logical Operators
When adding keywords to the list, you have an additional option to select a logical AND/OR operator. With AND searching, every keyword must be present in the field you are searching. With the OR search, at least one of the keywords needs to be present. This allows you to easily search for a list of domains or to build up the required components for a specific URL (such as a web search).
Once you have built (and saved if required) a keyword list, it can be searched against the current workspace by selecting the following menu options:
- Searching » Execute Keyword Search - URL
- Searching » Execute Keyword Search - Page Title
- Searching » Execute Keyword Search - Cache File
- Searching » Execute Keyword Search - Absolute Path
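The following added example (not NetAnalysis code) sketches the matching behaviour described above: a phrase such as ‘sig sauer’ matched across the %20 and + space encodings, and a keyword list combined with AND or OR. The function names, the constructed sample records and the case-insensitive matching are assumptions made for illustration.

```python
import re

# Constructed sample history records (not taken from any real case).
RECORDS = [
    {"id": 1, "url": "http://search.example/find?q=sig+sauer+p226"},
    {"id": 2, "url": "http://shop.example/items/sig%20sauer/holster"},
    {"id": 3, "url": "http://news.example/sauer-kraut-recipe"},
    {"id": 4, "url": "http://forum.example/thread?title=SIG%20Sauer&page=2"},
    {"id": 5, "url": "http://maps.example/route?to=sigmaringen"},
]

def phrase_pattern(phrase):
    """Compile a phrase so each space matches a literal space, %20 or +."""
    words = [re.escape(w) for w in phrase.split()]
    if not words:
        raise ValueError("empty keyword")
    # Case-insensitive matching is an assumption of this example.
    return re.compile(r"(?:%20|\+| )".join(words), re.IGNORECASE)

def keyword_search(records, keywords, operator="OR", field="url"):
    """Return ids of records whose field satisfies the keyword list.

    AND: every keyword must be present in the field.
    OR:  at least one keyword must be present.
    """
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be 'AND' or 'OR'")
    if not keywords:
        raise ValueError("keyword list is empty")
    patterns = [phrase_pattern(k) for k in keywords]
    combine = all if operator == "AND" else any
    return [r["id"] for r in records
            if combine(p.search(r[field]) for p in patterns)]

def highlight(url, phrase, mark="**"):
    """Wrap each hit in markers so it stands out inside a long URL."""
    pattern = phrase_pattern(phrase)
    return pattern.sub(lambda m: f"{mark}{m.group(0)}{mark}", url)

if __name__ == "__main__":
    print(keyword_search(RECORDS, ["sig sauer"]))
    print(keyword_search(RECORDS, ["sig sauer", "holster"], "AND"))
    print(highlight(RECORDS[3]["url"], "sig sauer"))
```

Note that the OR search on short fragments also returns records such as the ‘sigmaringen’ route, which is why hits still need to be reviewed in context.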
SQL Query Builder (CTRL + F4)
One of the most powerful filtering functions is the SQL Query Builder. With the query builder, the user can create powerful SQL filter queries to return only the records they need.
To execute the query, select the ‘Execute SQL’ button from the Query Builder (you can also clear query results from here), or select Searching » Execute SQL Query from the menu.
NetAnalysis also comes with a number of example SQL Queries which can be opened from the File menu within the query builder form (see Figure 9). For further information, please see SQL Query Operators.
At any time, you can sort the order of the workspace records by clicking on the column header for the field you wish to order. The sort order can be toggled (ascending or descending) with subsequent clicks. The sort indicator is shown to the right of the column header (as shown in Figure 10). In this case, a descending sort is active.
If you wish to set a multiple level filter, or a multiple level sort, you will need to create a custom SQL query.
When processing evidence and analysing browser records, you may wish to tag records of interest so that you can return quickly to them at a later point, or filter them. There are a couple of ways to tag a record. The quickest and most convenient is to hit the space bar. The second method is to right click on the record and select Tag URL Record.
Tagged records are shown in bold to make them easier to identify. When filtering for tagged records only, the bold formatting is removed to make them easier to read.
Tags for the current filtered Recordset can be removed, or added, en masse by selecting Tools » Tag Current Filtered Records or Tools » Remove Tags from Current Filtered Records.
Moving Between Tagged Records
Sometimes you may wish to review the records on either side of a tagged record. This can easily be done by using the functionality to move between tagged records.
To find the next tagged record from your current position, select Searching » Find Next Tagged Record (F2) from the main menu. To find the previous tagged record from your current position, select Searching » Find Previous Tagged Record (Shift + F2) from the main menu.
Filtering Tagged Records
To filter and review tagged records, select Filter » Filter Tagged Records (F9).
As you review and analyse the data, you may identify records which are of evidential value or relevant to the particular investigation. The bookmark field is set by the forensic examiner and contains a string which can be used to identify or describe a record.
The bookmark string appears in the Advanced Report and is commonly used to annotate particular records when they are of evidential value to your case. The Record Bookmark window (as shown in Figure 98) can be activated by any of the following methods when the corresponding record is selected:
- Press the Enter Key;
- Right click and select Add/Edit Bookmark;
- Select Bookmark » Add/Edit Bookmark from the main menu.
In the text box at the bottom of the window, the forensic examiner can enter a free text description for the URL.
When the item has been bookmarked, the bookmark text will appear in the bookmark column, and a bookmark icon will be displayed to the left of the URL (as shown in Figure 13). Bookmarked records can also be easily filtered by selecting Filter » Filter Records with Bookmarks.
Figure 14 shows the bookmarked records displayed in the Advanced Evidence Report.
Right Click Context Menu
A number of the more common functions can be accessed by right clicking on a record to display the context menu (as shown in Figure 15).
Table 1 contains a list of menu items and explains the function of each item.
Rebuild and View Cached Page or Item
For a live cached item or page, this function will rebuild and show the cached web page, or cached item.
Open Containing Folder
For a live cached item or page, this function will open the original cache folder and highlight the cached file for the selected record.
This will launch the URL for the currently selected record in the default browser.
This will launch the Decode URL window and display a decoded version of the currently selected URL.
Tag URL Record
This will tag (or remove a tag if already set) the currently selected record.
Add / Edit Bookmark
This will launch the Bookmark window, allowing a bookmark to be added to the currently selected record.
This will remove the bookmark from the currently selected record.
This will copy the URL for the currently selected record to the clipboard.
Copy Selected Field Data
This will copy the data from the currently selected field/record to the clipboard.
Copy Entire Internet Record
This will copy each field for the visible columns, for the currently selected record, in a structured format, to the clipboard. This function can be used to copy record data into an external report.
Filter Records by Selected Field Data
This will filter the workspace using the data from the selected field for the currently selected record.
Filter this User
This will filter the workspace using the data from the user field for the currently selected record.
Filter this Day
This will filter the workspace for records for the 24 hour period of the currently selected record.
Filter this Host
This will filter the workspace for records relating to the currently selected host.