Introduction to NetAnalysis v1.54


Overview


In this release we have added a number of new features and improvements.  Please see the Change Log for a full list of changes, which should assist with feature testing and validation.  NetAnalysis v1.54 has been tested against all the current release versions of supported browsers.  Please see the following list:

The corresponding version of HstEx for this release of NetAnalysis is HstEx v3.8.  HstEx v3.8 uses an updated file format which can only be opened in NetAnalysis v1.54 and above.


Mozilla Firefox

Since the release of NetAnalysis v1.53, we have seen some significant changes in the world of browser forensics.  Mozilla has committed to a more aggressive release schedule for the Firefox web browser.  There were nearly three years between the launch of Firefox 3 and Firefox 4; however, versions 5 to 12 have been released within a matter of months.  This has been a technical challenge from a support point of view, as many artefacts have changed during these releases.  We are pleased to report that NetAnalysis now supports all versions of Mozilla Firefox from version 1 through to the current release, Firefox version 12.

Firefox moz-page-thumbs


Firefox v13 will bring a slightly new look to some parts of the browser.  Both the New Tab and the Home Page have been redesigned.  The New Tab page now has links to your most recently and frequently visited sites, which looks more or less just like Opera’s Speed Dial (which Chrome also mimics).  Some of this functionality has been added to Firefox v12 in anticipation of the release of Firefox v13.  Whilst Firefox v12 does not show the new Speed Dial page when a new tab is selected, the page thumbnails are still saved to the cache when a page is visited.  The URL portion of the cache entry looks like this:

 

Firefox moz-page-thumb cache entry:
moz-page-thumb:http://www.browserforensics.com/2011-09-14-Test-Data/visit-count/multi-visit-test.htm

We have added additional support to HstEx to recover these entries as part of the Firefox cache recovery.  NetAnalysis v1.54 also supports these cache entries, with the added bonus of being able to extract the page-thumb file (which is usually stored in PNG format).  Read more about Firefox Version 13.

These thumbnails can easily be exported and reviewed by the investigator.  Using the new 'Export/Rebuild Current Filtered Cache Items' feature added to NetAnalysis v1.54, the thumbnail entries can be filtered and then the actual PNG thumbnail files can be exported from the cache.  To filter the records, search for "moz-page-thumb" across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items.  The thumbnail files can then be examined from the "Extracted Files/PNG" folder.


...

We have added support to import data from the 'moz_formhistory' table.  This contains artefacts relating to web form completion. 

...

We have added support for Google Chrome Page Content (c2body).  Chrome's history system keeps a full text index for each page the user visits, making it easy to find pages based on their content, not just title and URL. The user's history is exposed through the History page, accessible via the Tools menu, or by pressing Ctrl+H. A user may also directly search their history by typing a search query in the address bar, and selecting the See all pages in history containing [query] item that appears if any results match the entered query.

...

Page Transitions

Google Chrome stores a transition value which identifies the type of transition between pages.  These are stored in the history database to separate visits, and are reported by the renderer for page navigations.  NetAnalysis now extracts and decodes the page transition value and displays the transitions in the 'Status' column.  By examining the page transitions, it is possible to see how a user landed on a page.  To understand the meaning of each transition, please see Page Transitions.

 

Figure 4 - Google Chrome Page Transitions
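
To cross-check decoded transitions by hand, the sketch below splits the raw value from the visits table of a Chrome History database into its core type and qualifier flags. It is an added example, not NetAnalysis code: the constants follow Chromium's page transition definitions (value 6, START_PAGE, is named AUTO_TOPLEVEL in later Chromium), and the database rows are constructed sample data with a trimmed schema.

```python
import sqlite3
from datetime import datetime, timedelta

# Core type lives in the low 8 bits; qualifier flags sit in the high bits
# (values as defined in Chromium's page transition types).
CORE_TYPES = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
              4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "START_PAGE",
              7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
QUALIFIERS = {0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
              0x04000000: "HOME_PAGE", 0x10000000: "CHAIN_START",
              0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT",
              0x80000000: "SERVER_REDIRECT"}

def decode_transition(value):
    """Split a visits.transition value into (core type, [qualifiers])."""
    value &= 0xFFFFFFFF  # the 32-bit field may come back from SQLite as a signed int
    core = CORE_TYPES.get(value & 0xFF, "UNKNOWN(%d)" % (value & 0xFF))
    quals = [name for bit, name in sorted(QUALIFIERS.items()) if value & bit]
    return core, quals

def webkit_time(us):
    """Chrome timestamps are microseconds since 1601-01-01 UTC."""
    return datetime(1601, 1, 1) + timedelta(microseconds=us)

def visits_with_transitions(conn):
    rows = conn.execute(
        "SELECT u.url, v.visit_time, v.transition FROM visits v "
        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [(url, webkit_time(t), *decode_transition(tr)) for url, t, tr in rows]

def sample_history():
    """Constructed stand-in for a Chrome 'History' file (only the columns used)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
        INSERT INTO urls VALUES (1, 'http://example.com/'),
                                (2, 'http://example.com/login'),
                                (3, 'http://example.com/home');
        INSERT INTO visits VALUES (1, 1, 12980000000000000, 805306369),
                                  (2, 2, 12980000005000000, 268435463),
                                  (3, 3, 12980000005500000, -1610612736);
    """)
    return conn

if __name__ == "__main__":
    for url, when, core, quals in visits_with_transitions(sample_history()):
        print(when.isoformat(), core, "|".join(quals) or "-", url)
```

Against a real case, open a working copy of the History file read-only with sqlite3.connect() in place of sample_history().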

...

This release has an updated Query Manager with additional features.  It is now possible to sort the 'Database Field List' and 'SQL Query Operators' by clicking on the corresponding column header.  The 'SQL Query Operators' now have a 'Description' entry which explains the function of the Operator.  The Operators have also been re-written to show the full Operator with parameters and wild card characters.  This should make it much easier to build and understand your SQL queries.  The 'Check SQL Syntax' button has been added as a more convenient way to verify the syntax of a query.  For further information, please see SQL Query Operators.

 

Figure 7 - Updated Query Manager

...

For example, if you wanted to export only the moz-page-thumb files, search for "moz-page-thumb" across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items.  The thumbnail files can then be examined from the "Extracted Files/PNG" folder.

...