We are pleased to announce that the next major release of NetAnalysis® and HstEx® has just been published. For an overview of the new features we are shipping inside NetAnalysis® v2.1 and HstEx® v4.1, please take a moment to review our release notes:
Here is an example of some of the updates:
Username and Password Decryption
Firefox and other Mozilla based browsers include a Password Manager that can save the passwords provided by the user as they log in to websites. The Password Manager securely stores the usernames and passwords used to access websites and then automatically fills them in for the user when they next visit the site. For additional security, the user can also set a Master Password to protect the Password Manager. The user is then prompted to enter the Master Password when the browser needs to access the stored passwords. Usernames and passwords are encrypted and stored within the Mozilla profile.
NetAnalysis® v2.1 is now able to decrypt and display the usernames and passwords stored for each web site. The following image shows the NetAnalysis® Information Panel with some decrypted Username and Password values. Also, the entry on line number 1 shows that the Master Password has not been set in this case.
New Browser Support
In addition to extending support for the existing browsers and their recent changes, we have now added support for two new browsers:
- SRWare Iron v1 – 38
- K-Meleon v1 – 74
Apple Safari 8
Apple Safari v8 was released with OS X Yosemite and brought with it a change to its history storage. As a result, HstEx® v4.1 has been updated to support the recovery of individual entries from Safari v8 history records. History records are split across History Items and Visits. We offer an option to recover both types.
We have been working hard to increase the performance, accuracy and stability of HstEx® v4. As a result, we have updated all of our SQLite recovery engines to ensure they are accurate and fast. We have improved the handling and reporting of corrupt entries (partially recovered records are flagged in NetAnalysis® v2). We have also made some improvements to the recovery of Binary Plist data.
Firefox v32+ Cache v2
Mozilla Firefox officially released their new caching backend with the release of Firefox v32 back in September 2014. The structure is completely different from that used previously. HstEx® v4.0 was the first forensic tool to support the recovery of deleted Mozilla Firefox Cache v2 records. After Firefox v33 was released, Mozilla made some further changes to the file format. HstEx® v4 supports all the currently released formats of Mozilla’s Cache v2 structure. We have also made some further improvements to the recovery of Cache v2 records, in particular the identification of corrupt data.
Keyword Search Terms
We have extended support for the recovery of individual keyword search terms for all Chromium based browsers and have improved the recovery of very large keyword strings.
We have added support for the extraction of over a dozen new artefacts and data types. For a detailed list of each artefact, please see the following:
Here are a few examples:
Google Search EI/SEI Parameter Decoding
Google search URLs will sometimes contain an EI or SEI parameter. We have added support to the URL/Cookie Examination and Analysis window to allow automatic decoding of these parameters. The window below shows the automatic decoding of a Google URL which contains an EI parameter. The EI parameter is a Base64 encoded 16 byte value. The first 4 bytes contain a timestamp which can be seen in the example below.
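As an added illustration (not NetAnalysis® code), the Python example below decodes an EI or SEI parameter in the way described above. The sample URL is constructed, and reading the first 4 bytes as a little-endian unsigned 32-bit Unix timestamp is an assumption, since the text does not state the byte order.

```python
import base64
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


def decode_ei(value):
    """Decode one EI/SEI value and read the timestamp in its first 4 bytes."""
    # The value is URL-safe Base64; restore any '=' padding dropped from the URL.
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    if len(raw) < 4:
        raise ValueError("decoded value is too short to hold a timestamp")
    # Assumption: unsigned 32-bit little-endian seconds since the Unix epoch.
    (seconds,) = struct.unpack_from("<I", raw)
    return {
        "timestamp": datetime.fromtimestamp(seconds, tz=timezone.utc),
        "length": len(raw),
        "is_16_bytes": len(raw) == 16,  # size described in the text above
        "remainder_hex": raw[4:].hex(),  # left undecoded here
    }


def decode_url(url):
    """Return {parameter name: decoded fields} for each ei/sei in a URL."""
    query = parse_qs(urlsplit(url).query)
    return {
        name: decode_ei(values[0])
        for name, values in query.items()
        if name.lower() in ("ei", "sei")
    }


# Constructed sample: 2015-01-01T00:00:00Z followed by 12 filler bytes.
_SAMPLE_BYTES = struct.pack("<I", 1420070400) + bytes(range(12))
SAMPLE_URL = (
    "https://www.google.com/search?q=example&ei="
    + base64.urlsafe_b64encode(_SAMPLE_BYTES).decode().rstrip("=")
)

if __name__ == "__main__":
    for name, fields in decode_url(SAMPLE_URL).items():
        print(name, fields["timestamp"].isoformat(), fields["length"], "bytes")
```

Timestamps are returned in UTC; convert to the case time zone only at the reporting stage so the decoded value stays unambiguous.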
Google Chrome Autofill Profiles
Autofill forms is a feature of Google Chrome and other Chromium based browsers. It allows the user to store information such as name, address, phone number and email address as an Autofill entry so that forms can be automatically populated. In NetAnalysis® v2.1, we extract the data from the Autofill Profiles and display them in the main grid. We also extract the corresponding form data and save it to the export folder for indexing and searching.
Google Chrome Credit Card Autofill
The window below shows the extraction of Google Chrome Credit Card Autofill data. The text relating to the autofill fields is extracted to the export folder so that the data can be indexed and searched.
Apple Safari Reading Lists
The window below shows a number of Apple Safari Reading List entries. These represent sites the user has selected to view at a later date. Once the user visits a site from the Reading List, the Date Visited is updated to reflect the date and time of the visit.
Opera Blink Favorite Entries
The window below shows a number of Opera Favorite entries.