Since the last release of NetAnalysis v1.53, we have seen some significant changes in the world of browser forensics. Mozilla has committed to a more aggressive release schedule for the Firefox web browser. There were nearly three years between the launch of Firefox 3 and Firefox 4; versions 5 to 12, however, have been released within a matter of months. This has been a technical challenge from a support point of view, as many artefacts have changed during these releases. We are pleased to report that NetAnalysis now supports all versions of Mozilla Firefox from version 1 through to the current release, Firefox version 12.
We have added support to import data from the 'moz_formhistory' and 'moz_logins' tables. These contain artefacts relating to web form completion and login information.
Figure 1 - Form History Completion (Example 1)
The screen shot in Figure 1 shows an example where the browser user opened a ZIP attachment whilst viewing Google Mail; they then created a draft email using the subject line "Some research I've done".
Figure 2 - Form History Completion (Example 2)
The screen shot in Figure 2 shows the user creating a new Google mail account. It also takes the user through the question and answer fields which are required to create a new account. Although the details in this image have been redacted, you can see the field names which have been completed as part of the process. These artefacts, when viewed in context, can provide some very interesting information.
We have added significant extra functionality for Google Chrome artefacts. Chrome maintains a number of SQLite databases for data storage, and NetAnalysis v1.54 now extracts data from most of the significant databases.
We have added support for Google Chrome Page Content (c2Body). Chromium's history system keeps a full-text index for each page the user visits, making it easy to find pages based on their content, not just title and URL. The user's history is exposed through the History page, accessible via the Tools menu, or by pressing Ctrl+H. A user may also directly search their history by typing a search query in the address bar and selecting the 'See all pages in history containing [query]' item that appears if any results match the entered query.
When a user visits a page, the textual contents are stripped out and stored in the 'History Index YYYY-MM' database (one file per month). NetAnalysis v1.54 allows the analyst to extract all of this information in one simple operation. The text files generated have been shown to contain potentially important information including Facebook and webmail artefacts.
The text page content can be extracted by selecting Tools » Export Google Chrome c2body.
Figure 3 - Google Chrome c2body Extraction
Google Chrome stores a transition value which identifies the type of transition between pages. These are stored in the history database to separate visits, and are reported by the renderer for page navigations.
Figure 4
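As an added example (not NetAnalysis code or the page's own), the following Python snippet decodes a stored Chrome transition value: the low byte holds the core navigation type and the upper bits hold qualifier flags, using the constants defined in Chromium's page_transition_types.h. The visits table it queries is a constructed in-memory stand-in for the real table in Chrome's History database.

```python
import sqlite3

# Core type (low byte) and qualifier flag values from Chromium's page_transition_types.h.
# The visits table built below is a constructed, cut-down stand-in for Chrome's History file.
CORE_TYPES = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "START_PAGE",
    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}
QUALIFIERS = {
    0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
    0x04000000: "HOME_PAGE", 0x10000000: "CHAIN_START",
    0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT",
    0x80000000: "SERVER_REDIRECT",
}
CORE_MASK = 0xFF

def decode_transition(value):
    """Return (core type name, qualifier names in ascending bit order) for one value."""
    value &= 0xFFFFFFFF  # SQLite stores a signed integer; treat it as 32-bit unsigned
    core = CORE_TYPES.get(value & CORE_MASK, "UNKNOWN")
    flags = [name for bit, name in sorted(QUALIFIERS.items()) if value & bit]
    return core, flags

def build_sample_visits():
    """Constructed in-memory visits table holding four plausible transition values."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, "
               "from_visit INTEGER, transition INTEGER)")
    db.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [
        (1, 10, 0, 0x30000001),  # typed in the address bar, one-step chain
        (2, 11, 1, 0x10000000),  # link click that begins a redirect chain
        (3, 12, 2, 0xA0000000),  # server redirect target ending that chain
        (4, 13, 3, 0x31000007),  # form submission revisited via back/forward
    ])
    return db

def classify_visits(db):
    """Decode every row; a row carrying a redirect flag was not user-initiated."""
    rows = db.execute("SELECT id, from_visit, transition FROM visits ORDER BY id")
    result = []
    for visit_id, from_visit, transition in rows:
        core, flags = decode_transition(transition)
        user_initiated = not any(f.endswith("_REDIRECT") for f in flags)
        result.append((visit_id, from_visit, core, flags, user_initiated))
    return result

if __name__ == "__main__":
    for row in classify_visits(build_sample_visits()):
        print(row)
```

Following the from_visit column back from a redirect row shows which user-initiated visit actually produced the page the analyst is looking at.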
Recent testing has exposed an issue with the accuracy of Internet Explorer hit count values stored in the master INDEX.DAT file. Normally, the hit count would be stored as a 32-bit integer at record offset 0x54 (decimal 84). In many cases, comparing the record value to the hit count returned by Internet Explorer would show a mismatch. In these cases, Internet Explorer has an additional record object which stores an additional visit count. Testing has shown this additional count object to be accurate; it is the value presented by the application. When the additional record object is present, NetAnalysis parses that block and displays that value in the hit column. The original value stored at offset 0x54 is now displayed in the status column, as can be seen from the figure below.
This release has an updated Query Manager with additional features. It is now possible to sort the 'Database Field List' and 'SQL Query Operators' by clicking on the corresponding column header. The 'SQL Query Operators' now have a 'Description' entry which explains the function of the operator. The operators have also been re-written to show the full operator with parameters and wildcard characters. This should make it much easier to build and understand your SQL queries. The 'Check SQL Syntax' button has been added as a more convenient way to verify the syntax of a query. For further information, please see SQL Query Operators.
Figure 3 - Updated Query Manager