NetAnalysis v2 Blog

NetAnalysis® v2.1 and HstEx® v4.1 Released

We are pleased to announce the next major release for NetAnalysis® and HstEx® has just been published. For an overview of the new features we are shipping inside NetAnalysis® v2.1 and HstEx® v4.1, please take a moment to review our release notes:

Here is an example of some the updates:

Username and Password Decryption

Firefox and other Mozilla based browsers include a Password Manager that can save the passwords provided by the user as they log in to websites. The Password Manager securely stores the usernames and passwords used to access websites and then automatically fills them in for the user when they next visit the site. For additional security, the user can also set a Master Password to protect the Password Manager. The user is then prompted to enter the Master Password when the browser needs to access the stored passwords. Usernames and passwords are encrypted and stored within the Mozilla profile.

NetAnalysis® v2.1 is now able to decrypt and display the usernames and passwords stored for each web site. The following image shows the NetAnalysis® Information Panel with some decrypted Username and Password values. Also, the entry on line number 1 shows that the Master Password has not been set in this case.


NetAnalysis v2 Mozilla Firefox Username and Password Decryption

Mozilla Firefox Username and Password Decryption


New Browser Support

In addition to extending support for the existing browsers and their recent changes, we have now added support for two new browsers:

  • SRWare Iron v1 – 38
  • K-Meleon v1 – 74

Apple Safari 8

Apple Safari v8 was released with OS X Yosemite and brought with it a change to its history storage. As a result, HstEx® v4.1 has been updated to support the recovery of individual entries from Safari v8 history records. History records are split across History Items and Visits. We offer an option to recover both types.


HstEx v4 Recovery of Apple Safari v8 History Visits and Entries

Recovery of Apple Safari v8 History



We have been working hard to increase the performance, accuracy and stability of HstEx® v4. As a result, we have updated all of our SQLite recovery engines to ensure they are accurate and fast. We have improved the handling and reporting of corrupt entries (partially recovered records are flagged in NetAnalysis® v2). We have also made some improvements to the recovery of Binary Plist data.

Firefox v32+ Cache v2

Mozilla Firefox officially released their new caching backend with the release of Firefox v32 back in September 2014. The structure is completely different from that used previously. HstEx® v4.0 was the first forensic tool to support the recovery of deleted Mozilla Firefox Cache v2 records. After Firefox v33 was released, Mozilla made some further changes to the file format. HstEx® v4 supports all the currently released formats of Mozilla’s Cache v2 structure. We have also made some further improvements to the recovery of Cache v2 records, in particular the identification of corrupt data.

Keyword Search Terms

We have extended support for the recovery of individual keyword search terms for all Chromium based browsers and have improved the recovery of very large keyword strings.

New Artefacts

We have added support for the extraction of over a dozen new artefacts and data types. For a detailed list of each artefact, please see the following:

Here are a few examples:

Google Search EI/SEI Parameter Decoding

Google search URLs will sometimes contain an EI or SEI parameter. We have added support to the URL/Cookie Examination and Analysis window to allow automatic decoding of these parameters. The window below shows the automatic decoding of a Google URL which contains an EI parameter. The EI parameter is a Base64 encoded 16 byte value. The first 4 bytes contain a timestamp which can be seen in the example below.


NetAnalysis v2 Decoding Google EI Parameter

Decoding Google EI Parameter


Google Chrome Autofill Profiles

Autofill forms is a feature of Google Chrome and other Chromium based browsers. It allows for the user to store information such as name, address, phone number and email address as an Autofill entry so that forms can be automatically populated. In NetAnalysis® v2.1, we extract the data from the Autofill Profiles and display them in the main grid. We also extract the corresponding form data and save it to the export folder for indexing and searching.


NetAnalysis v2 Google Chrome Autofill Profiles

Google Chrome Autofill Profiles

Google Chrome Credit Card Autofill

The window below shows the extraction of Google Chrome Credit Card Autofill data. The text relating to the autofill fields are extracted to the export folder so that the data can be indexed and searched.


NetAnalysis v2 Google Credit Card Autofill

Google Chrome Credit Card Autofill

Apple Safari Reading Lists

The window below shows a number of Apple Safari Reading List entries. These represent sites the user has selected to view at a later date. Once the user visits a site from the Reading List, the Date Visited is updated to reflect the date and time of the visit.


NetAnalysis v2 Apple Safari Reading List

Apple Safari Reading List


Opera Blink Favorite Entries

The window below shows a number of Opera Favorite entries.

NetAnalysis v2 Opera Favorite Entries

Opera Favorite Entries


Download Version

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>