Tuesday, 22 January 2013

NetAnalysis v1.56 / HstEx v3.10 Release

We are pleased to announce the release of NetAnalysis v1.56 and HstEx v3.10. This is a maintenance release which adds support for the installation on Microsoft Windows 8, as well as some minor processing improvements.

NetAnalysis v1.56

HstEx v3.10

Friday, 16 November 2012

Powerful, Intelligent Screen Capture and Tracking - qTrace


I wanted to share with you an application we use during software testing called qTrace.  It really is a great application and could probably be utilised for evidential capture as well.  We are in no way affiliated with the company that makes qTrace (apart from using their software); however, it is definitely worth a look.

For us as a company, qTrace solves a number of different problems:

  1. Assisting with the software testing process by allowing Test Engineers to easily record their actions during software testing cycles;
  2. Allowing step by step procedures to be recorded and documented as well as capturing environmental information such as OS, memory and version information;
  3. Allowing us to directly submit issues to our issue tracking and test management systems;
  4. Allowing customers to use the free version of qTrace to record step by step instructions when a support issue arises, thereby allowing our Support Engineers to quickly identify the cause of a problem.  Customers can submit the output from qTrace directly to us.

When a qTrace session has been completed, the editor opens a screen which looks like Figure 1 below.  The qTrace output can also be saved in PDF or Microsoft Word document format.

 

Figure 1: qTrace Editor

The editor shows the step by step actions taken by the user when using the application under test.  Each of the screens can be annotated.  The resulting output is a fraction of the size of a full video screen capture, and is far more flexible.

I can think of a number of different uses outside of software testing, so I am sure the investigators out there can think of a number of different applications. 

Here is the example qTrace file from a NetAnalysis session:

Monday, 25 June 2012

Firefox 'new tab' feature exposes users' secured info

According to The Register, privacy-conscious users have sounded the alarm after it emerged the "New Tab" thumbnail feature in Firefox 13 is "taking snapshots of the user's HTTPS session content". 

Firefox actually introduced the thumbnail capturing capability in Firefox v12 without telling users; however, there is no way to display the thumbnails in v12. Firefox v13 displays them when a new tab is selected.

NetAnalysis v1.54 can extract Mozilla Firefox Thumbnail Images

We added the ability to extract these thumbnail images (stored in the cache) to NetAnalysis v1.54.  See the following for further information on moz-page-thumb entries.

http://kb.digital-detective.co.uk/display/NetAnalysis1/Firefox+moz-page-thumbs

Thursday, 24 May 2012

NetAnalysis v1.54 Released

We are pleased to announce the release of NetAnalysis v1.54. This version brings a number of new features as well as providing some improvements to existing features. There have been many changes to the top five browsers over the past few months; NetAnalysis v1.54 supports all of the latest versions of Google Chrome, Mozilla Firefox, Opera, Microsoft Internet Explorer and Apple Safari.

 

Digital Detective NetAnalysis Supports Mozilla Firefox - Google Chrome - Microsoft Internet Explorer - Apple Safari - Opera

Overview

In this release we have added a number of new features and improvements. Please see the Change Log for a full list of changes, which should assist with feature testing and validation. NetAnalysis v1.54 has been tested against all the current release versions of supported browsers. Please see the following list:

The corresponding version of HstEx for this release of NetAnalysis is HstEx v3.8. HstEx v3.8 uses an updated file format which can only be opened in NetAnalysis v1.54 and above.

Mozilla Firefox

Since the release of NetAnalysis v1.53, we have seen some significant changes in the world of browser forensics. Mozilla has committed to a more aggressive release schedule for the Firefox web browser. There were nearly three years between the launch of Firefox 3 and Firefox 4; however, versions 5 to 12 have been released within a matter of months. This has been a technical challenge from a support point of view, as many artefacts have changed during these releases. We are pleased to report that NetAnalysis now supports all versions of Mozilla Firefox from version 1 through to the current release, Firefox version 12.

Firefox moz-page-thumbs

Firefox v13 will bring a slightly new look to some parts of the browser. Both the New Tab and the Home Page have been redesigned. The New Tab page now has links to your most recently and frequently visited sites which looks more or less just like Opera’s Speed Dial, which Chrome also mimics.

 

Figure 1: Firefox Version 13 Speed Dial

Some of this functionality has been added to Firefox v12 in anticipation of the release of Firefox v13. Whilst Firefox v12 does not show the new Speed Dial page when new tab is selected, the page thumbnails are still saved to the cache when a page is visited. The URL portion of the cache entry looks like this:

 

Figure 2: Mozilla Firefox moz-page-thumb cache entry

We have added additional support to HstEx to recover these entries as part of the Firefox cache recovery. NetAnalysis v1.54 also supports these cache entries, with the added bonus of being able to extract the page-thumb file (which is usually stored in PNG format). Read more about Firefox Version 13.

These thumbnails can easily be exported and reviewed by the investigator. Using the new 'Export/Rebuild Current Filtered Cache Items' feature added to NetAnalysis v1.54, the thumbnail entries can be filtered and then the actual PNG thumbnail files can be exported from the cache. To filter the records, search for "moz-page-thumb" across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items. The thumbnail files can then be examined from the "Extracted Files/PNG" folder.

Firefox moz_formhistory

We have added support to import data from the 'moz_formhistory' table. This contains artefacts relating to web form completion.

 

Figure 3: NetAnalysis Form History Example

The screen shot in Figure 3 shows an example where the browser user opened a ZIP attachment whilst viewing Google Mail; they then created a draft email using the subject line "Some research I've done".

 

Figure 4: NetAnalysis Form History Example (Google Account Sign-Up)

The screen shot in Figure 4 shows the user creating a new Google Mail account. It also takes the user through the question and answer fields which are required to create a new account. Although the details in this image have been redacted, you can see the field names which have been completed as part of the process. These artefacts when viewed in context can provide some very interesting information.

 

Google Chrome

We have added significant extra functionality for Google Chrome artefacts. Chrome maintains a number of SQLite databases for data storage, and NetAnalysis v1.54 now extracts data from most of the significant databases.

 

History Index YYYY-MM c2body

We have added support for Google Chrome Page Content (c2body). Chrome's history system keeps a full text index for each page the user visits, making it easy to find pages based on their content, not just title and URL. The user's history is exposed through the History page, accessible via the Tools menu, or by pressing Ctrl+H. A user may also directly search their history by typing a search query in the address bar, and selecting the 'See all pages in history containing [query]' item that appears if any results match the entered query.

When a user visits a page, the textual contents (those actually shown on screen) are stripped out and stored in the 'History Index YYYY-MM' database files (one file per month). NetAnalysis v1.54 allows the examiner to extract all of this information in one simple operation. The text files generated have been shown to contain potentially important information including Facebook and webmail data.

The text page content can be extracted by selecting Tools » Export Google Chrome c2body.

 

Figure 5: NetAnalysis Google Chrome c2body Extraction

Page Transitions

Google Chrome stores a transition value which identifies the type of transition between pages. These are stored in the history database to separate visits, and are reported by the renderer for page navigations. NetAnalysis now extracts and decodes the page transition value and displays the transitions in the 'Status' column. By examining the page transitions, it is possible to see how a user landed on a page. To understand the meaning of each transition, please see Page Transitions.
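As an added illustration (not NetAnalysis code) of what the 'Status' column is decoding: the raw integer in the visits table of Chrome's History file packs a core transition type into the low byte and qualifier flags into the upper bits, using the constants from Chromium's page_transition_types.h. The History rows below are constructed, not taken from a real system.

```python
import sqlite3

# Core transition types (low byte of the value) and qualifier flags (upper bits),
# per Chromium's page_transition_types.h.
CORE_TYPES = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}
QUALIFIERS = {
    0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
    0x04000000: "HOME_PAGE", 0x10000000: "CHAIN_START",
    0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT",
    0x80000000: "SERVER_REDIRECT",
}
CORE_MASK = 0xFF


def decode_transition(value):
    """Split a raw visits.transition integer into (core type, qualifier names)."""
    value &= 0xFFFFFFFF  # SERVER_REDIRECT sets bit 31, so a stored value may read as negative
    core = CORE_TYPES.get(value & CORE_MASK, "UNKNOWN_%d" % (value & CORE_MASK))
    flags = [name for bit, name in sorted(QUALIFIERS.items()) if value & bit]
    return core, flags


def build_sample_history():
    """Constructed in-memory stand-in for the urls/visits tables of Chrome's History file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT)")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, "
                 "visit_time INTEGER, transition INTEGER)")
    conn.executemany("INSERT INTO urls VALUES (?, ?)", [
        (1, "http://example.com/"),
        (2, "http://example.com/login"),
        (3, "http://example.com/home"),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?)", [
        (1, 1, 0, 0x32000001),   # TYPED in the address bar; start and end of its own chain
        (2, 2, 0, 0x30000000),   # LINK click; a complete chain on its own
        (3, 3, 0, -1610612736),  # 0xA0000000 stored signed: LINK ending a server redirect chain
    ])
    return conn


def decode_visits(conn):
    """Join visits to urls and decode each transition, lowest visit id first."""
    rows = conn.execute("SELECT v.id, u.url, v.transition FROM visits v "
                        "JOIN urls u ON u.id = v.url ORDER BY v.id")
    return [(vid, url) + decode_transition(t) for vid, url, t in rows]


if __name__ == "__main__":
    for vid, url, core, flags in decode_visits(build_sample_history()):
        print(vid, url, core, "|".join(flags))
```

Reading a redirect chain this way (CHAIN_START on the first visit, SERVER_REDIRECT/CLIENT_REDIRECT on the ones that followed) is what lets an examiner separate a page the user chose from one the browser was sent to.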

 

Figure 6: NetAnalysis showing Google Chrome Page Transitions from a History Database

Downloads

We have also added support for Google Chrome download history.

 

Figure 7: NetAnalysis showing imported Mozilla Firefox Downloads

Internet Explorer Visit Count

Recent testing has exposed an issue with the accuracy of Internet Explorer hit count values stored in the Master INDEX.DAT file. Normally, the hit count is stored as a 32-bit integer at record offset 0x54 (decimal 84). In many cases, comparing the record value to the hit count returned by Internet Explorer shows a mismatch. In these cases, Internet Explorer has an additional record object which stores a second visit count. Testing has shown this additional count object to be accurate, and it is the value presented by the application. When the additional record object is present, NetAnalysis parses that block and displays that value in the Hits column. The original value stored at offset 0x54 is now displayed in the Status column, as can be seen from the figure below.
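An added example (not NetAnalysis code) that walks 'URL ' records in an INDEX.DAT buffer and reads the record-level hit count at offset 0x54, the raw value the text says can disagree with what Internet Explorer reports. It assumes the documented IE5+ record layout for the fields the page does not state (record size in 128-byte blocks at 0x04, offset of the URL string at 0x34), and the records it parses are constructed.

```python
import struct

BLOCK_SIZE = 128          # INDEX.DAT records are allocated in 128-byte blocks
BLOCKS_FIELD = 0x04       # uint32: record length in blocks (assumed from the IE5+ layout)
URL_OFFSET_FIELD = 0x34   # uint32: offset of the URL string within the record (assumed likewise)
HITS_FIELD = 0x54         # uint32: record-level hit count, as stated above


def build_sample_record(url, hits, blocks=2):
    """Constructed minimal 'URL ' record: only the fields this parser reads are filled in."""
    rec = bytearray(blocks * BLOCK_SIZE)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, BLOCKS_FIELD, blocks)
    url_pos = 0x68  # arbitrary position past the fixed header
    struct.pack_into("<I", rec, URL_OFFSET_FIELD, url_pos)
    struct.pack_into("<I", rec, HITS_FIELD, hits)
    rec[url_pos:url_pos + len(url)] = url.encode("ascii")
    return bytes(rec)


def sample_index_dat():
    """Constructed buffer: 64 bytes of filler followed by two URL records."""
    return (b"\x00" * 64
            + build_sample_record("http://example.com/a", 3)
            + build_sample_record("http://example.com/b", 17))


def parse_url_records(data):
    """Return (url, raw_hit_count) for every 'URL ' record found in data.

    The count returned is the one at offset 0x54 only; it does not consult the
    supplementary count object the text describes, so treat it as the 'Status'
    value rather than the authoritative hit count.
    """
    results = []
    pos = data.find(b"URL ")
    while pos != -1 and pos + BLOCK_SIZE <= len(data):
        blocks = struct.unpack_from("<I", data, pos + BLOCKS_FIELD)[0]
        rec_len = max(blocks, 1) * BLOCK_SIZE
        url_pos = struct.unpack_from("<I", data, pos + URL_OFFSET_FIELD)[0]
        hits = struct.unpack_from("<I", data, pos + HITS_FIELD)[0]
        if 0 < url_pos < rec_len:
            end = data.find(b"\x00", pos + url_pos, pos + rec_len)
            if end == -1:
                end = pos + rec_len
            url = data[pos + url_pos:end].decode("ascii", "replace")
        else:
            url = ""  # URL offset points outside the record: keep the count, flag no URL
        results.append((url, hits))
        pos = data.find(b"URL ", pos + rec_len)
    return results


if __name__ == "__main__":
    for url, hits in parse_url_records(sample_index_dat()):
        print(hits, url)
```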

 

Figure 8: Microsoft Internet Explorer Visit Hit Count Issue

Updated Query Manager

This release has an updated Query Manager with additional features. It is now possible to sort the 'Database Field List' and 'SQL Query Operators' by clicking on the corresponding column header. The 'SQL Query Operators' now have a 'Description' entry which explains the function of the Operator. The Operators have also been re-written to show the full Operator with parameters and wild card characters. This should make it much easier to build and understand your SQL queries. The 'Check SQL Syntax' button has been added as a more convenient way to verify the syntax of a query. For further information, please see SQL Query Operators.

 

Figure 9: NetAnalysis v1.54 Query Manager

Rebuilding and Exporting Filtered Cached Pages (and Objects)

NetAnalysis has long had the capability to rebuild either single webpages, or the entire cache in one operation.  NetAnalysis v1.54 now allows the forensic examiner to rebuild part of the cache.  Using the various filtering techniques available, the forensic examiner can generate a targeted subset of the browser data, and then rebuild only the live webpages (or export cached objects) contained within that subset.

For example, if you wanted to export only the moz-page-thumb files, search for "moz-page-thumb" across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items.  The thumbnail files can then be examined from the "Extracted Files/PNG" folder.

 

Add Bookmark to Multiple Records

The bookmarking feature in NetAnalysis v1.54 has been enhanced to allow the forensic examiner to bookmark many records with the same bookmark text.  The forensic examiner can create a filtered list of specific records, and then apply the same bookmark text to all of these records in one operation.  The bookmark column can also be used for filtering, so this functionality is a powerful addition to the armoury.

 

Web Page Rebuilding

We have enhanced the web page rebuilding engine to make it more robust and provide better results.  We have also released v4 of QDV™, our internal web page viewing software.  This new version suppresses script errors in web pages, so the forensic investigator will no longer need to cancel multiple error messages when reviewing some rebuilt web pages.

HstEx v3.8 Released

We are pleased to announce the release of HstEx v3.8. This version brings a number of new features as well as providing some improvements to existing features. There have been many changes to the top five browsers over the past few months; HstEx v3.8 recovers artefacts from the latest versions of Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Apple Safari.

 

Figure 1: HstEx Extracting Google Chrome Cache Records from an EnCase Image

In this release (Change Log v3.8) we have added some new functionality in terms of source processing and browser support. We have added support for processing data saved in Advanced Forensic Format as well as adding the ability to recover Google Chrome cache records. In addition, we have added support for Logicube Dossier E01 images.

 

Advanced Forensic Format (AFF®) Support

The Advanced Forensic Format (AFF®) is an extensible open format for the storage of disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology. HstEx (and Blade) now support the processing of AFF® image files (as well as other forensic formats). The following page lists the currently supported file formats: Forensic Image Formats Supported by HstEx.

 

Recovery of Deleted Google Chrome v2 - 19 Cache Records

HstEx version 3.8 now adds the ability to recover live and deleted Google Chrome cache records from all source data types. This is a significant addition to the software: previously, it was only possible to examine live records that were still available on a suspect system. HstEx v3.8 can recover cache entries from Google Chrome browser v2 through to the current release, v19.

 

Figure 2: HstEx Recovery of Google Chrome Records

 

Recovery of Deleted Mozilla Firefox v1 to 12 Cache Records

Mozilla has committed to a more aggressive release schedule for the Firefox web browser. There were nearly three years between the launch of Firefox 3 and Firefox 4; however, versions 5 to 12 have been released within a matter of months. This has been a technical challenge from a support point of view, as many artefacts have changed during these releases. We are pleased to announce that HstEx now supports Mozilla Firefox cache entries from all versions, from version 1 through to the current release, Firefox version 12.

 

Figure 3: HstEx Recovery of Firefox Cache Records

 

Recovery of Firefox v12 'moz-page-thumb' entries

Firefox 13 will bring a slightly new look to some parts of the browser. Both the New Tab and the Home Page have been redesigned. The New Tab page now has links to your most recently and frequently visited sites which looks more or less just like Opera’s Speed Dial, which Chrome also mimics. Some of this functionality has been added to Firefox v12 in anticipation of the release of Firefox v13.

 

Figure 4: Firefox v13 Speed Dial

Whilst Firefox v12 does not show the new Speed Dial page when new tab is selected, the page thumbnails are still saved to the cache when a page is visited. The URL portion of the cache entry looks like this:

Figure 5: Firefox moz-page-thumb cache entry

We have added additional support to HstEx to recover these entries as part of the Firefox cache recovery. NetAnalysis v1.54 also supports these cache entries, with the added bonus of being able to extract the page-thumb file (which is usually stored in PNG format).

Read more about Firefox Version 13.

 

Logicube Forensic Dossier® E01 Support

According to Logicube:

"The sixth generation of computer forensic solutions from Logicube, the Forensic Dossier® was designed and engineered exclusively to meet forensic investigators' requirements. Version 2.0.1 provides support for the E01 file format compression (hardware-based compression to maintain line-speed performance), and support for NTFS file format for support of 2TB and greater capacity hard drives and support of single, disk-wide dd image capture."

With HstEx v3.8, we have added support for the E01 files produced by the Logicube Forensic Dossier. Unfortunately, earlier versions of HstEx are unable to load and read the E01 files generated by the Logicube Dossier because of an incompatibility with the metadata fields. Some of the values written to these fields are in a different format than those written by EnCase or FTK Imager. This has now been resolved.

 

Figure 6: Logicube Forensic Dossier

Tuesday, 3 April 2012

NetAnalysis Training Announcement

As we are entering a new financial year in the UK, many of you will be starting to plan your budgets and training schedules for 2012/13.

We are pleased to announce the dates for the following NetAnalysis Foundation Courses.  This is an ideal opportunity for you or your staff to gain valuable training and certification in the use of NetAnalysis / HstEx within a forensic environment. 

This course will teach you how to get the most out of our software. 

Feedback from Previous Courses

The time zone lesson was excellent and really made me think.  I wish I had known that before I came on the course.  It is such an important subject to cover.
   
Really good all round course, not mundanely product specific…  Good teaching style.
   
This is one of the best courses I have attended.  I will certainly recommend it to everyone.
   
Practical exercises helped a lot to instil the content…  The whole course was very relevant to my daily tasks within HTCU…  I will definitely be back for the advanced course.
   

Course Availability

Places are limited, are allocated on a first come, first served basis, and are filling up fast; so contact us now to avoid disappointment.

There are a number of seats still available on the following courses which are being held at Learning Tree International in London:

  • 26th - 27th April 2012 - NetAnalysis Foundation Level Course
  • 30th - 31st May 2012 - NetAnalysis Foundation Level Course
  • 21st - 22nd June 2012 - NetAnalysis Foundation Level Course

For our many users outside of the UK, we are planning to run a number of courses in US and Canada later this year and will publish details on our web site.

Booking a Course

To book your place on a course or to obtain further information, please contact us on 0845 224 8892, or drop us an email at our sales address.

Further Information

For further information regarding our training courses, please visit the following links:

Wednesday, 15 February 2012

Blade™ v1.9 Released - AFF® Support, Hiberfile.sys Conversion and New Evaluation Version

We are pleased to announce the release of Blade v1.9.

Digital Detective Software - Blade Professional - Forensic Data Recovery

This release of Blade brings a number of fixes and some great new features.  This is the first release of Blade to have evaluation capabilities, which allow the user to test and evaluate our software for 30 days. When Blade is installed on a workstation for the first time (and a valid USB dongle licence is not inserted), the software will function in evaluation mode.

The following list contains a summary of the new features:

  • Support for Advanced Forensic Format (AFF®)
  • Hiberfil.sys converter - supports XP, Vista, Windows 7 32- and 64-bit
  • Accurate hiberfil.sys memory mapping, not just Xpress block decompression
  • Hiberfil.sys slack recovery
  • Codepage setting for enhanced multi-language support
  • SQLite database recovery
  • 30-day evaluation version of Blade Professional
  • New recovery profile parameters for more advanced and accurate data recovery
  • Support for Logicube Forensic Dossier®
  • Support for OMA DRM Content Format for Discrete Media Profile (DCF)

We have also been working on the data recovery engines to make them more efficient and much faster than before. The searching speed has been significantly increased.

Downloads and Full Release Information