Rebuilding a web page from the data contained within a suspect's Temporary Internet Files (also known as the Cache) can be one of the strongest pieces of evidence available. NetAnalysis was the first forensic software to include this functionality, and with version 1.50 it has been considerably improved.
Exporting Temporary Internet Files from EnCase
Extracting the required data from EnCase is a simple process. First of all, blue check all of the required browser index/cache files. For example, with Microsoft Internet Explorer, select all of the INDEX.DAT files in the case and the entire content of the following Temporary Internet Files folder:
Once the files have been selected, right click on the root volume (or root device if there are multiple volumes containing browser data) and select Copy Folders. The following dialogue will be displayed in EnCase:

Make sure you have selected 'Copy only selected files inside each folder'. EnCase will then copy the Temporary Internet Files folder with all of the selected files and keep the original structure on the suspect disk.
Opening the Temporary Internet Files within NetAnalysis
From the File Menu, select 'Open All History from Folder', as shown below. This will allow you to select the root folder you have exported from EnCase (or any other method used to export the required data).
Once the data has been imported, you will be ready to review the live cache entries and rebuild web pages. Please ensure you have filtered the cache entries you require. To quickly filter the live web pages, use the shortcut key F6. The cache entries are shown with a type 'cached' (see below).
Double clicking on any live cache entry will result in the page being rebuilt and loaded into QDV, the lightweight viewer supplied with NetAnalysis. You can also right click on an entry and select 'Rebuild and View Cached Page or Item'.
If you have not set an Export Folder for this workspace, you will be prompted to do this. The Options form will open and the Case Data Paths page will be displayed. Please select a folder to export your data to.

NetAnalysis will use this folder to export rebuilt web pages and viewed cached items. Once the page has been rebuilt, it will be loaded into the built-in QDV viewer as shown below.
QDV will allow you to view the source of the page by selecting View >> Source. You can also print the page at this point if you wish. Selecting 'Open Containing Folder' from the Tools menu will open your Export Folder and highlight the rebuilt web page.
The Title Bar in QDV will indicate the full path of the rebuilt web page. As you can see, this page has been exported with the name 'F0000008101.html'. This is so you can easily link the page back to the workspace. The number 8101 refers to the Unique Reference Number (URN) allocated to each entry in the workspace.

This page shows a rebuilt Hotmail page. All of the page elements (such as the images for this page) have been extracted from the user's cache. NetAnalysis extracts these items and also writes them out to the Export Folder in a sub folder called Exported Web Items. The page is then edited so that it can locate the elements it requires in the F0000008101_files folder. The paths are relative so that your export folder can be copied to another location (or to external media).
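
The following Python script is an added example, not NetAnalysis code and not part of the original post. It checks that a rebuilt page loads its elements only from its own _files folder and recovers the URN from the file name, so an examiner can confirm that opening the page elsewhere shows cached evidence rather than live content. The 'F' plus digits naming pattern is inferred from the single example above; the function names, the assumption that rewritten references appear as src and link href attributes, and the sample folder are all constructed for illustration.

```python
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import unquote, urlparse

# Assumed pattern, inferred from the page's one example, 'F0000008101.html'.
PAGE_NAME = re.compile(r"^F(\d+)\.html$", re.IGNORECASE)

class ElementRefs(HTMLParser):
    """Collect references a viewer loads automatically: any src, and <link href>."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (name == "src" or (tag == "link" and name == "href")):
                self.refs.append(value)

def check_page(page_path):
    """Return the URN plus each element reference sorted into local/missing/outside."""
    page = Path(page_path)
    match = PAGE_NAME.match(page.name)
    files_dir = (page.parent / (page.stem + "_files")).resolve()
    report = {"urn": int(match.group(1)) if match else None,
              "local": [], "missing": [], "outside": []}
    collector = ElementRefs()
    collector.feed(page.read_text(encoding="utf-8", errors="replace"))
    for ref in collector.refs:
        parsed = urlparse(ref)
        target = (page.parent / unquote(parsed.path)).resolve()
        if parsed.scheme or parsed.netloc or files_dir not in target.parents:
            report["outside"].append(ref)   # would be loaded from elsewhere
        elif target.is_file():
            report["local"].append(ref)     # served from the exported cache items
        else:
            report["missing"].append(ref)   # rewritten, but the item is absent
    return report

def demo():  # builds a constructed export folder (not real case data) and checks it
    root = Path(tempfile.mkdtemp())
    (root / "F0000008101_files").mkdir()
    (root / "F0000008101_files" / "logo.gif").write_bytes(b"GIF89a")
    (root / "F0000008101.html").write_text(
        '<link rel="stylesheet" href="F0000008101_files/style.css">'
        '<img src="F0000008101_files/logo.gif">'
        '<img src="http://example.invalid/banner.gif">'
        '<a href="http://example.invalid/inbox">Inbox</a>', encoding="utf-8")
    return check_page(root / "F0000008101.html")
```

Ordinary hyperlinks (a href) are deliberately not collected, since they are only followed when clicked; entries under 'outside' are the ones worth checking against the audit log before the page is opened on a networked machine.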

In addition to the exported pages, NetAnalysis creates an audit log (contained within a folder called “Exported Web Pages_Audit”) which details the changes made during the rebuild. The following screen shot is part of the audit log from the Hotmail page above.

It shows the original URLs for each element in the page, the original cache file name and folder, as well as the newly renamed cache items. If the cached item is from an embedded cached system such as Firefox, it will also give the File Offset and Length of the original data in the cache block file.