We have released NetAnalysis v1.57.14023.7. This is a minor patch which fixes an issue processing corrupt IE9 data where the software hangs during import.
We are pleased to announce the release of NetAnalysis v1.56 and HstEx v3.10. This is a maintenance release which adds support for the installation on Microsoft Windows 8, as well as some minor processing improvements.
We have today released an updated version of the manual for NetAnalysis v1.54.
| Release Date | Build | Download Link |
|---|---|---|
| 24 May 2012 | 1.54.12145.45 | NetAnalysis-v1.54-win32-1.54.12145.45.zip |
We are pleased to announce the release of NetAnalysis v1.54. This version brings a number of new features as well as providing some improvements to existing features. There have been many changes to the top five browsers over the past few months; NetAnalysis v1.54 supports all of the latest versions of Google Chrome, Mozilla Firefox, Opera, Microsoft Internet Explorer and Apple Safari.
Introduction to NetAnalysis v1.54
- Introduction to NetAnalysis v1.54
- Mozilla Firefox
- Google Chrome
- Internet Explorer Visit Count
- Updated Query Manager
- Rebuilding and Exporting Filtered Cached Pages (and Objects)
- Add Bookmark to Multiple Records
- Web Page Rebuilding
In this release we have added a number of new features and improvements. Please see the Change Log for a full list of changes, which should assist with feature testing and validation. NetAnalysis v1.54 has been tested against all the current release versions of supported browsers. Please see the following list:
- Full Change Log for version 1.54
- List of supported browsers and versions
- Full Change Log for HstEx v3.8
- Release notes for HstEx v3.8
The corresponding version of HstEx for this release of NetAnalysis is HstEx v3.8. HstEx v3.8 uses an updated file format which can only be opened in NetAnalysis v1.54 and above.
Since the release of NetAnalysis v1.53, we have seen some significant changes in the world of browser forensics. Mozilla has committed to a more aggressive release schedule for the Firefox web browser. There were nearly three years between the launch of Firefox 3 and Firefox 4; versions 5 to 12, however, have been released within a matter of months. This has been a technical challenge from a support point of view, as many artefacts have changed during these releases. We are pleased to report that NetAnalysis now supports all versions of Mozilla Firefox from version 1 through to the current release, Firefox version 12.
Firefox v13 will bring a slightly new look to some parts of the browser. Both the New Tab page and the Home Page have been redesigned. The New Tab page now has links to your most recently and most frequently visited sites, which looks more or less like Opera's Speed Dial, which Chrome also mimics. Some of this functionality has been added to Firefox v12 in anticipation of the release of Firefox v13. Whilst Firefox v12 does not show the new Speed Dial page when a new tab is opened, the page thumbnails are still saved to the cache when a page is visited. The URL portion of the cache entry looks like this:
We have added additional support to HstEx to recover these entries as part of the Firefox cache recovery. NetAnalysis v1.54 also supports these cache entries, with the added bonus of being able to extract the page-thumb file (which is usually stored in PNG format). Read more about Firefox Version 13.
These thumbnails can easily be exported and reviewed by the investigator. Using the new 'Export/Rebuild Current Filtered Cache Items' feature added to NetAnalysis v1.54, the thumbnail entries can be filtered and then the actual PNG thumbnail files can be exported from the cache. To filter the records, search for "moz-page-thumb" across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items. The thumbnail files can then be examined from the "Extracted Files/PNG" folder.
We have added support to import data from the 'moz_formhistory' table. This contains artefacts relating to web form completion.
Figure 1 - Form History Completion (Example 1)
The screenshot in Figure 1 shows an example where the browser user opened a ZIP attachment whilst viewing Google Mail; they then created a draft email using the subject line "Some research I've done".
Figure 2 - Form History Completion (Example 2)
The screenshot in Figure 2 shows the user creating a new Google Mail account. It also takes the user through the question and answer fields which are required to create a new account. Although the details in this image have been redacted, you can see the field names which have been completed as part of the process. When viewed in context, these artefacts can provide some very interesting information.
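As an added illustration of what the 'moz_formhistory' import recovers (this is example code written for this page, not NetAnalysis code), the following Python reads a formhistory.sqlite look-alike. The column names are Firefox's real moz_formhistory columns, but the rows are constructed, and the reading of firstUsed/lastUsed as PRTime (microseconds since the Unix epoch) is stated here as an assumption rather than taken from the release note.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed rows in the shape of Firefox's moz_formhistory table
# (formhistory.sqlite). The column names are Firefox's; the values are invented.
SAMPLE_ROWS = [
    # fieldname, value, timesUsed, firstUsed, lastUsed
    ("subject", "Some research I've done", 1, 1336470000000000, 1336470000000000),
    ("Email", "example.user", 3, 1335000000000000, 1336500000000000),
    ("FirstName", "Redacted", 1, 1336500100000000, 1336500100000000),
]


def build_sample_db():
    """Create an in-memory formhistory.sqlite look-alike for this demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE moz_formhistory ("
        "id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, value TEXT NOT NULL, "
        "timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER, guid TEXT)"
    )
    db.executemany(
        "INSERT INTO moz_formhistory (fieldname, value, timesUsed, firstUsed, lastUsed) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    db.commit()
    return db


def prtime_to_datetime(microseconds):
    """Assumed encoding: PRTime, i.e. microseconds since 1970-01-01 UTC."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=microseconds)


def extract_form_history(db):
    """Return every form-completion artefact as a dict, earliest last-use first."""
    rows = db.execute(
        "SELECT fieldname, value, timesUsed, firstUsed, lastUsed "
        "FROM moz_formhistory ORDER BY lastUsed"
    ).fetchall()
    return [
        {
            "field": fieldname,
            "value": value,
            "times_used": times_used,
            "first_used": prtime_to_datetime(first_used),
            "last_used": prtime_to_datetime(last_used),
        }
        for fieldname, value, times_used, first_used, last_used in rows
    ]


def find_fields(entries, needle):
    """Case-insensitive match on the field name, e.g. 'subject' or 'email'."""
    needle = needle.lower()
    return [e for e in entries if needle in e["field"].lower()]


if __name__ == "__main__":
    for entry in extract_form_history(build_sample_db()):
        print(f"{entry['last_used']:%Y-%m-%d %H:%M:%S} UTC  "
              f"{entry['field']:<10} x{entry['times_used']}  {entry['value']!r}")
```

Pointing `sqlite3.connect` at a real formhistory.sqlite (a copy, never the live file) instead of `build_sample_db()` yields the same structure; the field names alone, as Figure 2 shows, often tell you which web form was being completed even when the values have been redacted.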
We have added significant extra functionality for Google Chrome artefacts. Chrome maintains a number of SQLite databases for data storage, and NetAnalysis v1.54 now extracts data from most of the significant databases.
History Index YYYY-MM c2body
We have added support for Google Chrome Page Content (c2body). Chrome's history system keeps a full text index for each page the user visits, making it easy to find pages based on their content, not just title and URL. The user's history is exposed through the History page, accessible via the Tools menu, or by pressing Ctrl+H. A user may also directly search their history by typing a search query in the address bar, and selecting the See all pages in history containing [query] item that appears if any results match the entered query.
When a user visits a page, the textual contents (those actually shown on screen) are stripped out and stored in the 'History Index YYYY-MM' database files (one file per month). NetAnalysis v1.54 allows the examiner to extract all of this information in one simple operation. The text files generated have been shown to contain potentially important information including Facebook and webmail data.
The text page content can be extracted by selecting Tools » Export Google Chrome c2body.
Figure 3 - Google Chrome c2body Extraction
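The following Python is an added example for this page (not NetAnalysis code) of what the c2body export does. The 'pages_content' table and its c0url/c1title/c2body columns are modelled on the shadow table that SQLite's FTS3 creates for Chrome's 'pages' full-text table, which is where the name c2body comes from; the alignment of the 'info' table rowid with the page docid, and the rows themselves, are assumptions constructed for the example so that it runs without the FTS3 extension or Chrome's ICU tokenizer. Chrome timestamps are microseconds since 1601-01-01 UTC.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed pages: (docid, url, title, body, visit time in Chrome microseconds, url_id)
SAMPLE_PAGES = [
    (1, "https://mail.example.org/inbox", "Inbox",
     "From: alice  Subject: Some research I've done  Attachment: research.zip",
     12982291200000000, 17),
    (2, "https://social.example.org/home", "Home",
     "Bob shared a photo with you  2 new notifications",
     12982294800000000, 18),
]


def chrome_time(microseconds):
    """Chrome/WebKit timestamps count microseconds from 1601-01-01 UTC."""
    return CHROME_EPOCH + timedelta(microseconds=microseconds)


def build_sample_index():
    """In-memory look-alike of one 'History Index YYYY-MM' file (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages_content("
               "docid INTEGER PRIMARY KEY, c0url TEXT, c1title TEXT, c2body TEXT)")
    db.execute("CREATE TABLE info(time INTEGER NOT NULL, url_id INTEGER NOT NULL)")
    for docid, url, title, body, visited, url_id in SAMPLE_PAGES:
        db.execute("INSERT INTO pages_content VALUES (?, ?, ?, ?)",
                   (docid, url, title, body))
        # Assumption: the info row shares the page's rowid/docid.
        db.execute("INSERT INTO info(rowid, time, url_id) VALUES (?, ?, ?)",
                   (docid, visited, url_id))
    db.commit()
    return db


def extract_page_text(db, out_dir):
    """Write one text file per indexed page and return the records, oldest first."""
    os.makedirs(out_dir, exist_ok=True)
    rows = db.execute(
        "SELECT p.docid, p.c0url, p.c1title, p.c2body, i.time "
        "FROM pages_content AS p JOIN info AS i ON i.rowid = p.docid "
        "ORDER BY i.time"
    ).fetchall()
    records = []
    for docid, url, title, body, visited_us in rows:
        visited = chrome_time(visited_us)
        path = os.path.join(out_dir, f"c2body_{docid:06d}.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"URL: {url}\nTitle: {title}\n"
                     f"Visited: {visited:%Y-%m-%d %H:%M:%S} UTC\n\n{body}\n")
        records.append({"docid": docid, "url": url, "title": title,
                        "visited": visited, "body": body, "path": path})
    return records


def search_page_text(records, needle):
    """Case-insensitive content search, the same question Chrome's History page answers."""
    needle = needle.lower()
    return [r for r in records if needle in r["body"].lower()]


def run_demo():
    """Extract the constructed index into a fresh temporary folder."""
    return extract_page_text(build_sample_index(), tempfile.mkdtemp(prefix="c2body_"))


if __name__ == "__main__":
    for rec in run_demo():
        print(f"{rec['visited']:%Y-%m-%d %H:%M} UTC  {rec['url']}  -> {rec['path']}")
```

Because the shadow table stores the tokenised page text verbatim, reading it directly (rather than through the FTS virtual table) also works on a database whose tokenizer the examining machine does not have.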
Google Chrome stores a transition value which identifies the type of transition between pages. These are stored in the history database to separate visits, and are reported by the renderer for page navigations. NetAnalysis now extracts and decodes the page transition value and displays the transitions in the 'Status' column. By examining the page transitions, it is possible to see how a user landed on a page. To understand the meaning of each transition, please see Page Transitions.
Figure 4 - Google Chrome Page Transitions
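As an added example (not NetAnalysis code) of decoding the transition value, the Python below splits the stored 32-bit integer into its core type (low 8 bits) and qualifier flags (high bits), using the constants from Chromium's page_transition_types.h, and walks the 'from_visit' links of Chrome's visits table to show how a user landed on a page. The visit rows are constructed; the handling of negative values covers databases where the value was written as a signed 32-bit integer.

```python
# Core transition types occupy the low 8 bits of the stored value.
CORE_TYPES = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL", 7: "FORM_SUBMIT",
    8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}
# Qualifier flags are OR-ed into the high bits.
QUALIFIERS = {
    0x01000000: "FORWARD_BACK",
    0x02000000: "FROM_ADDRESS_BAR",
    0x04000000: "HOME_PAGE",
    0x08000000: "FROM_API",
    0x10000000: "CHAIN_START",
    0x20000000: "CHAIN_END",
    0x40000000: "CLIENT_REDIRECT",
    0x80000000: "SERVER_REDIRECT",
}
CORE_MASK = 0xFF

# Constructed visits rows: (id, url, from_visit, transition). 0 means no referrer visit.
SAMPLE_VISITS = [
    (1, "http://example.org/", 0, 0x10000001),        # typed into the address bar
    (2, "https://example.org/", 1, 0xA0000000),       # server redirect completes the chain
    (3, "https://example.org/news", 2, 0x30000000),   # link clicked on the page
    (4, "https://example.org/", 3, 0x31000000),       # back button
]


def decode_transition(value):
    """Return (core type name, sorted list of qualifier names) for a stored value."""
    value &= 0xFFFFFFFF                      # normalise signed 32-bit storage
    core_bits = value & CORE_MASK
    core = CORE_TYPES.get(core_bits, f"UNKNOWN({core_bits})")
    quals = [name for bit, name in sorted(QUALIFIERS.items()) if value & bit]
    return core, quals


def status_text(value):
    """Render a transition the way a 'Status' column might show it."""
    core, quals = decode_transition(value)
    return core if not quals else f"{core} [{', '.join(quals)}]"


def trace_origin(visits, visit_id):
    """Follow from_visit back to the first visit in the chain; oldest first."""
    by_id = {row[0]: row for row in visits}
    chain, seen = [], set()
    while visit_id in by_id and visit_id not in seen:
        seen.add(visit_id)                   # guard against corrupt circular references
        _, url, from_visit, transition = by_id[visit_id]
        chain.append((url, status_text(transition)))
        visit_id = from_visit
    chain.reverse()
    return chain


if __name__ == "__main__":
    for url, status in trace_origin(SAMPLE_VISITS, 4):
        print(f"{status:<45} {url}")
```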
We have also added support for Google Chrome download history.
Figure 5 - Downloads
Internet Explorer Visit Count
Recent testing has exposed an issue with the accuracy of Internet Explorer hit count values stored in the Master INDEX.DAT file. Normally, the hit count would be stored as a 32-bit integer at record offset 0x54 (decimal 84). In many cases, comparing the record value to the hit count returned by Internet Explorer would show a mismatch. In these cases, Internet Explorer has an additional record object which stores a further visit count. Testing has shown this additional count object to be accurate; it is the value presented by the application. When the additional record object is present, NetAnalysis parses that block and displays that value in the Hits column. The original value stored at offset 0x54 is now displayed in the Status column, as can be seen from the figure below.
Figure 6 - Status column showing 'Hits count' from Record Offset 0x54
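To make the offset concrete, here is an added Python example (not NetAnalysis code) that carves URL records out of a constructed INDEX.DAT-style buffer and reads the 32-bit value at offset 0x54. Only that offset comes from the release note; the "URL " signature, the record length in 128-byte blocks at offset 0x04 and the last-accessed FILETIME at offset 0x10 are assumptions based on commonly published descriptions of the format, and the additional count object the note describes is not modelled. The bounds checks are what stop a corrupt length field from sending a parser into the kind of hang mentioned for v1.57.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"URL "
BLOCK_SIZE = 128            # assumed: INDEX.DAT allocation unit
BLOCK_COUNT_OFFSET = 0x04   # assumed: record length, counted in blocks
LAST_ACCESS_OFFSET = 0x10   # assumed: last-accessed FILETIME
HIT_COUNT_OFFSET = 0x54     # from the release note: 32-bit hit count


def filetime_to_datetime(filetime):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def make_url_record(blocks, last_access_filetime, hits):
    """Constructed URL record with only the fields this example reads populated."""
    rec = bytearray(BLOCK_SIZE * blocks)
    rec[0:4] = SIGNATURE
    struct.pack_into("<I", rec, BLOCK_COUNT_OFFSET, blocks)
    struct.pack_into("<Q", rec, LAST_ACCESS_OFFSET, last_access_filetime)
    struct.pack_into("<I", rec, HIT_COUNT_OFFSET, hits)
    return bytes(rec)


def build_sample_buffer():
    """Two records separated by an unallocated block, plus a record with a bad length."""
    may24 = 129822912000000000                      # FILETIME for 2012-05-24 00:00:00 UTC
    one_hour = 36_000_000_000                       # 3600 s in 100 ns units
    bad = bytearray(make_url_record(1, may24, 99))  # claims 40 blocks but has only 1
    struct.pack_into("<I", bad, BLOCK_COUNT_OFFSET, 40)
    return (make_url_record(2, may24, 3)
            + b"\x00" * BLOCK_SIZE
            + make_url_record(3, may24 + one_hour, 12)
            + bytes(bad))


def scan_url_records(buf):
    """Walk the buffer in block-sized steps and return every well-formed URL record."""
    records = []
    pos = 0
    while pos + BLOCK_SIZE <= len(buf):
        if buf[pos:pos + 4] != SIGNATURE:
            pos += BLOCK_SIZE
            continue
        (blocks,) = struct.unpack_from("<I", buf, pos + BLOCK_COUNT_OFFSET)
        if blocks == 0 or pos + blocks * BLOCK_SIZE > len(buf):
            pos += BLOCK_SIZE        # corrupt length: do not trust it, keep scanning
            continue
        (last_access,) = struct.unpack_from("<Q", buf, pos + LAST_ACCESS_OFFSET)
        (hits,) = struct.unpack_from("<I", buf, pos + HIT_COUNT_OFFSET)
        records.append({
            "offset": pos,
            "blocks": blocks,
            "last_accessed": filetime_to_datetime(last_access),
            "hits_0x54": hits,       # the value v1.54 moves to the Status column
        })
        pos += blocks * BLOCK_SIZE
    return records


if __name__ == "__main__":
    for rec in scan_url_records(build_sample_buffer()):
        print(f"offset 0x{rec['offset']:06X}  blocks={rec['blocks']}  "
              f"last accessed {rec['last_accessed']:%Y-%m-%d %H:%M:%S} UTC  "
              f"hits(0x54)={rec['hits_0x54']}")
```

The value at 0x54 is reported as exactly that, a field read from the record, rather than as "the" hit count: as the release note explains, the figure the browser itself presents may live in a separate object, so an examiner comparing both values should expect them to differ.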
Updated Query Manager
This release has an updated Query Manager with additional features. It is now possible to sort the 'Database Field List' and 'SQL Query Operators' by clicking on the corresponding column header. The 'SQL Query Operators' now have a 'Description' entry which explains the function of the Operator. The Operators have also been re-written to show the full Operator with parameters and wildcard characters. This should make it much easier to build and understand your SQL queries. The 'Check SQL Syntax' button has been added as a more convenient way to verify the syntax of a query. For further information, please see SQL Query Operators.
Figure 7 - Updated Query Manager
Rebuilding and Exporting Filtered Cached Pages (and Objects)
NetAnalysis has long had the capability to rebuild either single webpages, or the entire cache in one operation. NetAnalysis v1.54 now allows the forensic examiner to rebuild part of the cache. Using the various filtering techniques available, the forensic examiner can generate a targeted subset of the browser data, and then rebuild only the live webpages (or export cached objects) contained within that subset.
For example, if you wanted to export only the moz-page-thumb files, search for "moz-page-thumb" across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items. The thumbnail files can then be examined from the "Extracted Files/PNG" folder.
Add Bookmark to Multiple Records
The bookmarking feature in NetAnalysis v1.54 has been enhanced to allow the forensic examiner to bookmark many records with the same bookmark text. The forensic examiner can create a filtered list of specific records, and then apply the same bookmark text to all of these records in one operation. The bookmark column can also be used for filtering, so this functionality is a powerful addition to the armoury.
Web Page Rebuilding
We have enhanced the web page rebuilding engine to make it more robust and provide better results. We have also released v4 of QDV™, our internal web page viewing software. This new version suppresses script errors in web pages, so the forensic investigator will no longer need to cancel multiple error messages when reviewing some rebuilt web pages.
It can be downloaded from here:
| Build | Release Date | Download Link |
|---|---|---|
| 1.53.11280.253 | 7th October 2011 | NetAnalysis-v1.53-win32-1.53.11280.253.zip |
This release has been tested with Apple Safari up to version 5.1.7354.50. Safari has introduced a number of changes to the cache structure which are not supported in earlier versions of NetAnalysis.
This release has been tested with Google Chrome up to version 14.0.835.202. A modification in the cache in relation to the way digital certificates are stored introduced an error in NetAnalysis v1.52 when importing the cache. This has now been resolved.
Microsoft Internet Explorer
This release has been tested with Microsoft Internet Explorer up to version 9.0.8112.16421. Internet Explorer 9 introduced a new integrated download manager which stores the details of downloaded files in a new download INDEX.DAT file. This file has a different structure to the standard INDEX.DAT files. Figure 1 shows NetAnalysis 1.53 with a Download INDEX loaded. You can see the original URL and Download Path columns.
This release has been tested with Mozilla Firefox up to version 7.0.1. Mozilla has been on a mission recently and has released versions 4 to 7 of their browser in a very short time frame. Version 4 saw a significant change to the structure of the cache as well as to the structure for storing cached files on disk. We have also added support for the signons database.
This release has been tested with Opera up to version 11.51. Opera is another browser which has made changes to the structure of their cache file and disk layout.
Other New Features
In addition to the main five browsers, we have also tested this release against Sundial browser, version 4.0.1. To see a full list of all the changes, please see the following: