Before You Start
Before importing any data, and certainly before dealing with live evidence, please ensure you have read the following chapters.
- Introduction to NetAnalysis ®
- Installing NetAnalysis ®
- Installing a Licence Key File
- USB Hardware Dongles
- Practice Files
- NetAnalysis: A Guided Tour
- Configuring NetAnalysis
- Time Zone Configuration
We have provided a set of practice files to allow you to work through the various features of NetAnalysis; it is recommended you become familiar with the software through examining the practice files before accessing live evidence. To download the data sets, please see the page relating to Practice Files.
Establishing the Suspect Time Zone
In the forensic examination of a digital device, establishing the time zone is one of the first things a forensic examiner should do. If this information is not established at an early stage and taken into account, then the validity of all Date/Time values may be brought into question.
It is also extremely important that the digital forensic examiner understands the difference between Local and Coordinated Universal Time (UTC). This is explained fully in the chapter: Time Zone Configuration.
If the time zone of the suspect computer is not identified prior to extracting and viewing any Internet history or cache data then the date/time stamps may not be accurately represented! You MUST establish the correct settings prior to importing any data.
In the file structure of the practice files, there is a SYSTEM registry hive. Using the information from the Time Zone Configuration chapter, examine the hive (the TimeZoneInformation key under the control set that Select\Current points to) and establish which time zone this laptop was set to when it was seized.
Setting the Time Zone
If you have examined the registry hive correctly, you will have established that the time zone was set to ‘Istanbul(UTC +0200)’.
To set the time zone in NetAnalysis, select Tools » Options from the menu. The Options window should automatically appear with the time zone settings pane in view. Change the ‘Suspect System Base Time Zone’ to ‘Istanbul(UTC +0200)’ (as shown in Figure 1).
Now click OK to set the time zone for this case.
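The time zone information that the exercise above asks you to recover is held in the TimeZoneInformation key as a handful of REG_DWORD values (Bias, StandardBias, DaylightBias, ActiveTimeBias) that Windows stores little-endian and interprets with the rule UTC = local time + Bias (in minutes). The following is an added example, not code from NetAnalysis or from this guide: it decodes such values from raw bytes, renders them as the UTC offset an examiner expects, and converts a local timestamp to UTC. The byte values, the July timestamp and the "GTB Standard Time" key name are constructed assumptions for an Istanbul (UTC+02:00) system with daylight saving in effect, not data read from the practice-file hive.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed REG_DWORD values as they would appear under
# SYSTEM\ControlSetNNN\Control\TimeZoneInformation (little-endian, signed minutes).
# Windows rule: UTC = local time + Bias. These bytes are an assumption for
# Istanbul at UTC+02:00 with DST (UTC+03:00) active when the hive was last
# written; they were not copied from the practice-file hive.
SAMPLE_TZ_VALUES = {
    "Bias": b"\x88\xff\xff\xff",            # -120 minutes  -> standard offset UTC+02:00
    "StandardBias": b"\x00\x00\x00\x00",    #    0 minutes
    "DaylightBias": b"\xc4\xff\xff\xff",    #  -60 minutes  -> DST adds one hour
    "ActiveTimeBias": b"\x4c\xff\xff\xff",  # -180 minutes  -> bias in effect at last hive update
    "TimeZoneKeyName": "GTB Standard Time", # assumed key name for the Istanbul zone
}


def decode_bias(raw: bytes) -> int:
    """Decode a 4-byte little-endian REG_DWORD as a signed number of minutes."""
    if len(raw) != 4:
        raise ValueError("REG_DWORD must be exactly 4 bytes")
    return struct.unpack("<i", raw)[0]


def offset_label(bias_minutes: int) -> str:
    """Render a Windows bias as a UTC offset, e.g. -120 -> 'UTC+02:00', 300 -> 'UTC-05:00'."""
    offset = -bias_minutes            # bias is what you ADD to local time; offset is the opposite sign
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def summarise_time_zone(values: dict) -> dict:
    """Turn the raw TimeZoneInformation values into the facts an examiner records."""
    bias = decode_bias(values["Bias"])
    standard = decode_bias(values["StandardBias"])
    daylight = decode_bias(values["DaylightBias"])
    active = decode_bias(values["ActiveTimeBias"])
    return {
        "key_name": values.get("TimeZoneKeyName"),
        "base_offset": offset_label(bias + standard),       # the zone's standard-time offset
        "daylight_offset": offset_label(bias + daylight),   # the offset while DST is on
        "active_offset": offset_label(active),              # what was in force at the last write
        # ActiveTimeBias only says whether DST was on when the hive was last
        # updated; it is not the offset for every record in the history.
        "dst_in_effect_at_last_write": active == bias + daylight and daylight != standard,
    }


def local_to_utc(local_timestamp: str, bias_minutes: int) -> str:
    """Convert a naive local timestamp ('YYYY-MM-DD HH:MM:SS') to UTC via UTC = local + bias."""
    local = datetime.strptime(local_timestamp, "%Y-%m-%d %H:%M:%S")
    utc = (local + timedelta(minutes=bias_minutes)).replace(tzinfo=timezone.utc)
    return utc.isoformat()


if __name__ == "__main__":
    for key, value in summarise_time_zone(SAMPLE_TZ_VALUES).items():
        print(f"{key}: {value}")
    # A record stamped 14:30 local on 1 July, with the -180 bias active, is 11:30 UTC.
    active_bias = decode_bias(SAMPLE_TZ_VALUES["ActiveTimeBias"])
    print(local_to_utc("2011-07-01 14:30:00", active_bias))
```

The setting you carry into NetAnalysis is the named base zone (standard offset plus its daylight-saving rules, i.e. Bias and TimeZoneKeyName), not ActiveTimeBias: the latter only tells you whether daylight saving happened to be on the last time the hive was written, and applying it to every record would shift half the history by an hour.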
Importing History Files
There are two main ways to import data into NetAnalysis. The first allows you to open any supported file(s). This can be performed by selecting File » Open History. When the Open Internet History File window opens, you can change the file filter to only show files for the type of browser you wish to import (see Figure 2).
This method is used for opening a specific file or group of files.
Importing History from a Folder Structure
The second (more common) method is to use the ‘Open All History from Folder’ method. This option will recursively search the file system for supported files and then import any that have been found.
Some third party image mounting tools do not deal with NTFS symbolic links correctly within a forensic environment. Testing has identified an issue where NTFS symbolic links (and the junction points Windows creates inside user profiles) on a mounted suspect volume resolve to folders on the forensic examiner's own hard disk: the link target is stored as an absolute path from the original system, such as a path on C:, and the forensic workstation resolves that path against its own drives rather than the mounted volume.
If you use software (such as NetAnalysis or Anti-Virus software) to recursively search a folder structure from a mounted volume containing such links, the operating system on the forensic workstation may redirect the software into folders that are not on the suspect volume at all, so records from the examiner's own machine can be mixed into the case. This is NOT an issue with NetAnalysis, but with mounting software that is not suitable for forensic use. See Potentially Serious Issue with the Analysis of Mounted File Systems for further information.
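Before running any recursive import over a mounted volume, it is worth scanning the profile for links whose targets leave the volume. The following is an added example written for this guide, not code from NetAnalysis or from any mounting tool: it walks a folder tree without ever descending through a link (the behaviour the recursive import above relies on), and reports every symbolic link or junction whose resolved target lies outside the root being examined. The miniature volume layout it builds in a temporary directory, including the "victor" profile name and the "outside" folder standing in for the examiner's disk, is constructed for the demonstration and is not the practice-file data. The reparse tag constants are the Windows SDK values, spelled out because the stat module only defines them on Windows.

```python
import os
import stat
import tempfile

# Reparse-point tags from the Windows SDK (assumed values, spelled out because
# stat.IO_REPARSE_TAG_* only exists on Windows builds of Python).
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # NTFS junction
IO_REPARSE_TAG_SYMLINK = 0xA000000C      # NTFS symbolic link


def is_link(path: str) -> bool:
    """True for POSIX symlinks and, on Windows (Python 3.8+), NTFS symlinks and junctions."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    tag = getattr(st, "st_reparse_tag", 0)  # attribute only populated on Windows
    return tag in (IO_REPARSE_TAG_MOUNT_POINT, IO_REPARSE_TAG_SYMLINK)


def find_escaping_links(root: str) -> list:
    """Walk root without following links; return (link, target) pairs whose target is outside root."""
    root_real = os.path.realpath(root)
    escaping = []
    stack = [root_real]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = list(it)
        except OSError:
            continue  # unreadable directory: skip it rather than abort the whole scan
        for entry in entries:
            if is_link(entry.path):
                target = os.path.realpath(entry.path)  # where a naive walker would be sent
                try:
                    inside = os.path.commonpath([root_real, target]) == root_real
                except ValueError:
                    inside = False  # different drive letter on Windows: certainly outside
                if not inside:
                    escaping.append((entry.path, target))
                continue  # never descend through a link, whether it points inside or outside
            if entry.is_dir(follow_symlinks=False):
                stack.append(entry.path)
    return escaping


def build_demo_tree(base: str) -> str:
    """Construct a miniature mounted-volume layout (demonstration data, not the practice files):
    base/volume/Users/victor/AppData/Local  real folder inside the 'volume'
    base/volume/Users/victor/Links          relative link that stays inside the volume
    base/volume/Users/victor/Documents      absolute link whose target is OUTSIDE the volume
    base/outside                            stands in for the examiner's own disk
    """
    volume = os.path.join(base, "volume")
    victor = os.path.join(volume, "Users", "victor")
    os.makedirs(os.path.join(victor, "AppData", "Local"))
    outside = os.path.join(base, "outside")
    os.makedirs(outside)
    os.symlink(os.path.join("AppData", "Local"), os.path.join(victor, "Links"),
               target_is_directory=True)
    # An absolute target, like the C:\... targets a suspect system writes into its own links.
    os.symlink(outside, os.path.join(victor, "Documents"), target_is_directory=True)
    return volume


def run_demo() -> dict:
    """Build the constructed tree in a fresh temp directory, scan it, and return the findings."""
    base = tempfile.mkdtemp(prefix="netanalysis_links_")
    volume = os.path.realpath(build_demo_tree(base))
    found = find_escaping_links(volume)
    return {
        "volume": volume,
        "outside": os.path.realpath(os.path.join(base, "outside")),
        "found": [(os.path.relpath(link, volume), target) for link, target in found],
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"scanned {result['volume']}")
    for link, target in result["found"]:
        print(f"ESCAPES VOLUME: {link} -> {target}")
```

Run against a real mounted volume by calling find_escaping_links with the mount point as root; any link it reports is a path the recursive import would otherwise have read from the examiner's own workstation, and the mounting tool should be replaced or the link targets rewritten before importing.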
To access the recursive import, select File » Open All History from Folder (as shown in Figure 3).
The Browse for Folder window will then open. Navigate to the drive containing your Victor Bushell data, and select the folder containing the user profile (see Figure 4).
Click OK to start searching through the profile for supported browser files. NetAnalysis should identify 16 possible browser files from this data. Once each file has been identified, NetAnalysis will start to import each record into the temporary workspace. The progress will be displayed as shown in Figure 5.
Once the records have been imported, NetAnalysis will display the summary screen as shown in Figure 6. This window shows that all the records have been imported successfully. It shows that 16 files have been imported with a total of 10,509 records identified.
The window also shows that the time zone setting for this import was ‘(UTC +0200)Istanbul’, which is the time zone we set prior to importing any data. This information is also written to the audit log.
You should now have a NetAnalysis window similar to Figure 7 with a total of 10,509 records imported into the workspace.
Saving the Workspace
At this point, before you go any further, it is recommended that you save your workspace. Once the workspace has been saved, any modifications such as tagging or bookmarking will be automatically written to the workspace. To save the workspace, select File » Save Workspace As (or Save Workspace) from the menu. You can also save the workspace by selecting Save from the toolbar. It may be a good idea at this point to update the case information for this investigation. The case information window can be found by selecting: Tools » Options » Case Settings » Investigation from the menu (see Configuring NetAnalysis).
You are now ready to start searching and processing the evidence in this case.