Digital Forensics

NetAnalysis® v1.52 – USB Dongle, Google Chrome Support and Export/Rebuild Entire Cache Option

Digital Detective is pleased to announce the release of NetAnalysis v1.52 (and HstEx v3.6).  The release of this version has been eagerly awaited, so we are glad to say the wait is finally over.

NetAnalysis v1.52 adds a number of new features and fixes some minor bugs.  Some of the major new features released in this version are the ability to export and rebuild the entire cache for each browser in a single process, new support for all versions of Google Chrome, support for Apple Safari Cache.db files and the ability to import recovered Apple Safari binary plist files recovered by HstEx v3.6.

 
Export and Rebuild Cached Data
 
 
On 24th October 2002, we introduced the ability to rebuild and export cached pages to NetAnalysis v1.25.  Over the years, this functionality has been extremely helpful in providing the necessary evidence in a whole host of forensic investigations. 
 
In v1.52, we have responded to your requests and added the ability to extract and rebuild all of the cached content in one single process.  This new functionality can be accessed from the Tools menu as shown in Figure 1. 
 
Digital_Detective_NetAnalysis_Rebuild_All_Pages
Figure 1
 
In addition to rebuilding and writing out the cached pages, NetAnalysis™ exports all of the individual cached files and groups them by file type.  This allows the contents of the cache to be quickly reviewed for evidence.  The output also includes a full audit for each rebuilt web page and contains relative paths to allow the export folder to be archived to external media.  You can also click on the hyperlinks within the audit log to access the cached content.USB Licence Dongle Support

As some of you may be aware, our Blade data recovery product is licensed via a USB licence dongle.  We are now offering the option to licence NetAnalysis/HstEx with a USB licence dongle.  The USB licence dongle provides you with much greater flexibility over a licence key file (which is restricted to one licence key per machine) as the USB dongle can be easily moved from machine to machine.  This is not permitted with a licence key file which is restricted to a single workstation.Existing licence key file holders can purchase a USB licence dongle upgrade through our store.  Please see the following link for further information on USB Dongle Licences.
 

 

 
TSV/CSV Exporting
 
Our support for exporting to TSV (tabbed separated values) and CSV (comma separated values) files has been completely re-written and enhanced.  We now include the field column headers in the output and have added a progress bar for the export process.  The export engines are also considerably faster than in previous versions. 
 
It is also possible to switch off or hide any columns you do not need or to change the column order prior to exporting.  This ensures the output format is in the same order as the grid columns.  The export engine will also only output the current filtered records.  The HTML export function will be updated in a future release.
 
 
Restrict Import Date Range
 
This is a new feature which was requested by some of our colleagues working within the corporate environment.  In some investigations, they may only be permitted to import data within a certain date range.  By selecting to restrict the import range, any data outside the target date range is not added to the workspace. 
 
This functionality can be found by selecting Options from the Tools menu and selecting Restrict Data Range (as shown in Figure 2).
 
Tools_Options_Restrict_Date_Range
 
Figure 2
 
 

 

F2 Find Next Tagged Record
 
This new function was added as a result of a request from a forensic examiner.  During an investigation, it may be necessary to tag certain records of interest and then review the activity on either side of each record.  This can be achieved by tagging the required records and then pressing F5 to remove all filters.  Selecting F2 (or Searching >> Find Next Tagged Record) will move the record pointer to the next tagged record allowing you to examine that record and the data surrounding it. 
 
 
HstEx v3.6 – Recovered Apple Safari History Binary Plist
 
NetAnalysis now has the ability to import Apple Safari History binary plists recovered by HstEx v3.6. 
 
The Apple Safari browser stores Internet history records in an Apple Property List (plist).  With the earlier versions of the Safari browser (version varies depending on operating system), this file was in XML format.  In later versions, Apple switched to using a proprietary binary plist format.  NetAnalysis supports both XML and binary plist files and now supports the recovery of this data direct from a forensic image or write protected physical/logical device.
 

 

The data is recovered by HstEx and output in the form of *.hstx files.  These files can then be loaded directly into NetAnalysis v1.52.  As of the publication of this article, NetAnalysis and HstEx are the only forensic tools capable of recovering this data.
Other Links

 

Using our proprietary Intelli-Carve™ technology (developed for our data recovery product Blade), we have enhanced HstEx by adding the ability to recover Safari binary plist history files.  HstEx can recover this data even if the original file was deleted.

 

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>