Introduction

This release brings a number of significant new features and improvements. We have added support for a number of new browsers and made the updates required to support recent changes in the main browsers. We have also added support for some new artefacts.

Some of the significant features for this release include support for the automatic decryption of usernames and passwords in Mozilla Firefox, Mozilla Firefox on Android, SeaMonkey, Pale Moon, Wyzo, Comodo IceDragon and K-Meleon. We have also added support for the changes made in Apple Safari v8.

New Features

We have added a whole host of new features to this release. The following represents some of the more important changes.

Username and Password Decryption

Firefox and other Mozilla based browsers include a Password Manager that can save the passwords provided by the user as they log in to websites. The Password Manager securely stores the usernames and passwords used to access websites and then automatically fills them in for the user when they next visit the site. For additional security, the user can also set a Master Password to protect the Password Manager. The user is then prompted to enter the Master Password when the browser needs to access the stored passwords. Usernames and passwords are encrypted and stored within the Mozilla profile.

NetAnalysis® v2.1 is now able to decrypt and display the usernames and passwords stored for each web site. The following image shows the NetAnalysis® Information Panel with some decrypted Username and Password values. Also, the entry on line number 1 shows that the Master Password has not been set in this case.


Read more about Username and Password decryption here: Username and Password Decryption.

New Browser Support

In addition to extending support for the existing browsers and their recent changes, we have now added support for two new browsers:

New Artefacts

Google Search EI/SEI Parameter Decoding

The window below shows the automatic decoding of a Google URL which contains an EI parameter. The EI parameter is a Base64 encoded 16 byte value. The first 4 bytes contain a timestamp, which can be seen in the example.
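
Decoding the EI timestamp described above, as an added example (not NetAnalysis® code). The page does not state the byte order or epoch; this code assumes little-endian Unix epoch seconds, and the function names decode_ei, ei_timestamps and make_sample_url are chosen here for illustration.

```python
import base64
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

PARAMS = ("ei", "sei")  # parameter names taken from the heading above


def decode_ei(value):
    """Return the UTC time held in the first 4 bytes of an EI/SEI value."""
    # The value uses the URL-safe alphabet with '=' padding stripped; restore it.
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    if len(raw) < 4:
        raise ValueError("decoded value is shorter than 4 bytes")
    # Assumption: unsigned 32-bit little-endian Unix epoch seconds.
    (seconds,) = struct.unpack_from("<I", raw, 0)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def ei_timestamps(url):
    """Decode ei/sei wherever they appear: query string or #fragment."""
    parts = urlsplit(url)
    found = {}
    for section in (parts.query, parts.fragment):
        for name, values in parse_qs(section).items():
            if name in PARAMS and name not in found:
                try:
                    found[name] = decode_ei(values[0])
                except ValueError:  # bad Base64 or too short
                    found[name] = None
    return found


def make_sample_url(seconds):
    """Build a constructed 16-byte EI value (not taken from a real search)."""
    raw = struct.pack("<I", seconds) + bytes(12)
    ei = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return "https://www.google.com/search?q=example&ei=" + ei


if __name__ == "__main__":
    for name, when in ei_timestamps(make_sample_url(1420070400)).items():
        print(name, when.isoformat() if when else "undecodable")
```

The decoded time should be treated as an independent data point and compared against the browser's own visit timestamp for the same URL.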

 

Google Chrome Autofill Profiles

The window below shows the extraction of Google Chrome Autofill Profile data. The text relating to the autofill fields is extracted to the export folder so that the data can be indexed and searched.

 

 

Google Chrome Credit Card Autofill Profiles

The window below shows the extraction of Google Chrome Credit Card Autofill data. The text relating to the autofill fields is extracted to the export folder so that the data can be indexed and searched.

 

 

Google Chrome Search Engine Parameters

The window below shows the Search Engine entry type extracted from a Google Chrome keywords table. This information is used to set up standard and bespoke searching for the user when keywords are entered into the omnibox.

 

Google Chrome Shortcuts

The window below shows a number of Google Chrome shortcut entries. These entries represent the transition between the text entered by a user into the omnibox and the selected suggestion as presented by Google Chrome. The shortcut entry is created when the user selects a suggested entry from the dropdown list and visits the corresponding page.

 

 

In the example above, the user typed "www.ebay.c" into the omnibox (see the image below) and the browser displayed a number of suggestions in the list below the omnibox. The user then selected the top entry in the suggestion list (or pressed enter) and subsequently visited the eBay site.

 

Mozilla Firefox Username and Password Decryption

The window below shows the automatic decryption of usernames and passwords as stored by Mozilla Firefox. NetAnalysis v2 can automatically decrypt these usernames and passwords.

 

Mozilla Firefox moz_hosts and moz_inputhistory

The window below shows some Host and Input History entry type records. Input History entries show what the user entered into the address bar and the associated URL that was clicked as the result of the suggestion made by Firefox. Host entries are similar to Internet Explorer Host entries and show the hostname relating to a visit to a URL.

 

Mozilla Firefox moz_disabledhosts

The window below shows some Firefox moz_disabledhosts entries. These entries show sites where the user has selected NOT to save a username or password.

 

Apple Safari Reading Lists

The window below shows a number of Apple Safari Reading List entries. These represent sites the user has selected to view at a later date. Once the user visits a site from the Reading List, the Date Visited is updated to reflect the date and time of the visit.

 

Opera Blink Favorite Entries

The window below shows a number of Opera Favorite entries.

 

Opera Presto Search Field History

The window below shows a number of entries from the Opera Presto search_field_history.dat file. These entries represent the text entered by the user into the search box.

Improvements

We have also made a number of improvements for this release such as improving the way we deal with encoding throughout the case, improving the way we deal with the new Firefox Cache v2 entries (added support for orphaned and doomed entries), adding new filters, report templates, layout files and keyword lists. We have also increased the evaluation period to 21 days.

Change Log

You can find the complete change log for NetAnalysis® v2.1 here:
