Introduction
To fully understand the extracted data as presented by NetAnalysis®, it is important to understand the type of data held in each column (or field). In this section, we will examine each column header and identify what type of data is stored in that field.
| Column Name | Information |
|---|---|
| Entry Type | The Entry Type value is generated by NetAnalysis® and identifies the type of entry the record relates to. For a full breakdown of each value, see the following: Entry Type. |
| Scheme | Each URI begins with a scheme name that refers to a specification for assigning identifiers within that scheme. Scheme names consist of a sequence of characters beginning with a letter and followed by any combination of letters, digits, plus ("+"), period ("."), or hyphen ("-"). Although schemes are case-insensitive, the canonical form is lowercase. |
| Tag | This column exists to assist with the examination and analysis of the data loaded into NetAnalysis®. Tags can be set by the user and used for many purposes; they can be used to quickly filter records of interest in the grid. |
| Date Visited [UTC] | This date and time is stored as a UTC value and represents a visit; it is sourced from a number of different timestamps depending upon the subject data. |
| Date Visited [Local] | This date and time is usually (although not always) calculated as a local time value from the Date Visited [UTC] value above. |
| Visits | An integer value which represents the recorded visit count. This is a value read directly from a source record (as stored by the original source browser) and is not a calculated value. |
| URL | URL is an acronym for Uniform Resource Locator and is a reference (an address) to a resource on a network, typically the Internet. A URL is a type of URI (Uniform Resource Identifier) which uses a string of letters, digits and symbols to identify a resource. In addition to identifying a resource, a URL contains the information about how to fetch the resource from its location. |
| Decoded URL | A URI consists of a restricted set of characters. The restricted set of characters consists of digits, letters, and a few graphic symbols chosen from those common to most of the character encodings and input facilities available to Internet users. They are made up of the "unreserved" and "reserved" character sets as defined in RFC 3986. In addition, any byte (octet) can be represented in a URI by an escape sequence: a triplet consisting of the character "%" followed by two hexadecimal digits. A byte can also be represented directly by a character, using the US-ASCII character for that octet. Some of the characters are reserved for use as delimiters or as part of certain URI components. These must be escaped if they are to be treated as ordinary data. Read RFC 3986 for further details. The Decoded URL column displays a string with each %XX sequence replaced with the actual byte. |
| Host Name | The Host Name is a string which is usually the DNS host name or IP address of the server. |
| Page Title | This column displays any associated Page Title. For bookmark folder entries, this column holds the name of the folder. |
| Absolute Path | The Absolute Path contains the path information that the server uses to resolve requests for information. Typically, this is the path to the desired information on the server's file system, although it also can indicate the application or script the server must run to provide the information. The path information does not include the scheme, host name, or query portion of the URI. |
| Query | This column contains any query information included in the URI. Query information is separated from the path information by a question mark (?) and continues to the end of the URI. The query information returned includes the leading question mark. The query information is escaped according to RFC 2396 by default. If International Resource Identifiers (IRIs) or Internationalized Domain Name (IDN) parsing is enabled, the query information is escaped according to RFC 3986 and RFC 3987. |
| Search Term | The column contains the search term extracted from the query information in the URI. |
| Fragment | This column contains any URI fragment information. The Fragment property gets any text following a fragment marker (#) in the URI, including the fragment marker itself. |
| Port | The port number defines the protocol port used for contacting the server referenced in the URI. A scheme may define a default port. For example, the "http" scheme defines a default port of "80", corresponding to its reserved TCP port number. The type of port designated by the port number (e.g., TCP, UDP, SCTP) is defined by the URI scheme. |
| User | This value represents the active user account name in Microsoft Windows when the record type relates to Microsoft Internet Explorer or Microsoft Edge browsers. There will be no values in this column for non-Microsoft browsers. Microsoft Browsers store the user account name as part of the structure of some records (cache entries). Sometimes the letter case of the username differs from the actual user account name. NetAnalysis® displays the text using the same case as is stored in the original file. |
| Logon User | These two columns contain user and password information. The username and password values are either website login or sign-on entries or are extracted from the userinfo subcomponent of the authority component of the URI if present. The password values will be decrypted where possible. |
| Logon Password | |
| Redirect URL | Redirection is the process of forwarding one URL to a different URL. There are three main kinds of redirects: 301, 302, and meta refresh. This column relates to server side redirects where the HTTP status code is in the 300 range. |
| Referral URL | The referrer or referring page is the URL of the previous web page from which a link to the current page was followed.
|
| Feed URL | This URL relates to an RSS feed. |
| Favicon URL | This URL relates to the location of an associated favicon. |
| Local Path | This column relates to a local path and contains the local operating-system representation of a file name. For example, a download record would hold the location where the downloaded file had been saved. |
| Cache Folder | This column contains folder path information relating to the cached file for this entry. |
| Cache File | This column contains the file name relating to the cached file for this entry. |
| Cache File Extension | This column contains the file name extension relating to the cached file for this entry. |
| Cache File Length | This column contains the data length in bytes relating to the cached file for this entry. |
| Cache File Exists | This column indicates whether or not the cached file data actually exists and can be viewed. Cached files can be displayed in the Viewer Panel: View » Viewer (although Cache entries will need to be exported first). |
| Date HTTP Response [UTC] | The HTTP response header field Date information can be found in this column. This field contains the date and time at which the response message was originated. |
| Date HTTP Last Modified [UTC] | The HTTP response header field Last-Modified information can be found in this column. This field contains the date and time at which the server believes the resource was last modified. |
| HTTP Request | This column contains text relating to the request message made by a browser to the web-server as part of the request/response process using the Hypertext Transfer Protocol (HTTP). This may include the request method and request header fields. When viewed in the grid the individual elements are separated by a vertical bar character "|". The contents of this column can also be displayed in the HTTP Request Panel: View » HTTP Request. |
| HTTP Response | This column contains text relating to the response message made by a web-server as a result of receiving a request using the Hypertext Transfer Protocol (HTTP). This may include the response status information and response header fields. When viewed in the grid the individual elements are separated by a vertical bar character "|". The contents of this column can also be displayed in the HTTP Response Panel: View » HTTP Response. |
| Content Type | The HTTP response header field Content-Type information can be found in this column. This field is used to indicate the media type (or MIME type) of the resource. Its purpose is to describe the data contained in the HTTP response body fully enough that the receiving user agent can pick an appropriate agent or mechanism to present the data to the user, or otherwise deal with the data in an appropriate manner. |
| Content Length | The HTTP response header field Content-Length information can be found in this column. This field holds the length of the HTTP response body in octets (8-bit bytes). |
| Content Encoding | The HTTP response header field Content-Encoding information can be found in this column. This field is used to indicate any additional content encoding applied to the data contained in the HTTP response body. Its purpose is to let the client know how to decode the data in order to obtain the media type referenced by the Content-Type header field. |
| Active Time Bias | This column is derived from information stored in daily Microsoft Internet Explorer/Edge records and represents the time zone active bias. The active bias represents the number of minutes to be added to a local time to convert it back to Coordinated Universal Time. We can use this information to establish if the time zone translation settings are correct. If the record does not relate to a daily history entry belonging to a Microsoft based browser, it will be empty. |
| Date First Visited [UTC] | This date and time value is stored as UTC and is sourced from timestamps described as Created, Added or First Visited. In the case of download entries, this relates to the Start Time. |
| Date Last Visited [UTC] | This date and time value is stored as UTC and is sourced from timestamps described as Last Visited or Last Accessed. |
| Date Expiration [UTC] | This date and time value is stored as UTC and is sourced from timestamps described as Expiration. |
| Date Last Modified [UTC] | This date and time value is stored as UTC and is sourced from timestamps described as Last Modified. |
| Date Index Created [UTC] | This column is derived from information stored in weekly Microsoft Internet Explorer/Edge records and relates to the date and time at which the daily entries were updated to weekly entries. If the record does not relate to a weekly history entry belonging to a Microsoft based browser, it will be empty. For Microsoft based browsers, the source of the timestamp data can be examined by reviewing the Information panel. Select View » Information. |
| Date Added [UTC] | This date and time value is stored as UTC and is sourced from timestamps described as Added or Created. |
| Date Last Synch [UTC] | This date and time value is stored as UTC and is sourced from timestamps described as Synced. In the case of download entries, this relates to the End Time. |
| Source File | This column shows the file path of the resource containing the information from which the record is extracted. |
| Source Offset | This column shows a value which points to where the original data containing the information for his record is extracted. This may be a Row Identifier (Row ID), Entry Identifier (Entry ID), File Offset (FO) or Physical Sector and Sector Offset (PS, SO). |
| Browser Version | This column represents the browser and version information relating to the identified artefact. If it is not possible to identify a specific browser, then NetAnalysis® will identify the family of browsers the data relates to; for example, Chromium Based. This column will also identify the type of data this record relates to; for example, History or Cache. |
| Warning | If any issues are encountered during the import process, or if any data requires further analysis to establish evidential integrity, a warning flag is set in the URL column and information relating to the warning can be found in the Warning column. One example of this is partially overwritten records recovered by HstEx®. Warnings can be read in the grid (with multiple items separated by a vertical bar character "|"), or displayed in the Warning Panel: View » Warnings. |
| Information | This column is used to display Information relating to the record which does not necessarily have a corresponding column in the grid. The Information panel may also contain further useful information about an entry. Information can be read from the grid (where each item is separated by a vertical bar character "|"), or displayed in the Information Panel: View » Information. |
| Bookmark | This column exists to assist with the examination and analysis of the data loaded into NetAnalysis®. Bookmarks can be set by the user to annotate entries. |
| URN | Unique Reference Number (URN). NetAnalysis® generates a unique reference number for every entry added to the grid in a workspace. URNs allow the user to quickly access a specific record by selecting: Tools » Navigate To » Record URN. URN values are also used internally for identifying specific records in the Workspace. |
Uniform Resource Identifier
hierarchical part
┌───────────────────┴─────────────────────┐
authority path
┌───────────────┴───────────────┐┌───┴────┐
abc://username:password@example.com:123/path/data?key=value#fragid1
└┬┘ └───────┬───────┘ └────┬────┘ └┬┘ └───┬───┘ └──┬──┘
scheme user information host port query fragment
urn:example:mammal:monotreme:echidna
└┬┘ └──────────────┬───────────────┘
scheme path