Digital Detective NetAnalysis Released

NetAnalysis® v2.6 and HstEx® v4.6 Released

Introduction

This version of NetAnalysis® introduces support for a number of new browsers and adds support for the Chromium Simple Cache format used by a number of mobile browsers. We have also added support for Microsoft Internet Explorer and Edge Recovery Store, Tab Session, Travel Log, Roaming Tab Sessions and the detection of InPrivate browsing.

New Browser Support

We have added support for the following browsers:

Opera Neon

Opera Neon is a new concept browser: “a vision of what browsers could become”. It was first released in January 2017 and is available for Mac and Windows.  The browser is Chromium based but with some additional unique features.  Opera Neon gives the user new ways to interact with web content, including the ability to drag, push and pop the tab icons.

NetAnalysis® will recover the standard Chromium based artefacts as well as the top sites, tab page icons and the gallery snapshots.  The tab page icons and the gallery snapshots are written to the case export folder and loaded into the Viewer window.

Brave

Brave is another new, open-source, multi-platform web browser developed by Brave Software; it is based on the Chromium web browser and its Blink engine. It claims to block website trackers and remove intrusive Internet advertisements. The browser also claims to improve online privacy by sharing less data with advertising customers.

NetAnalysis® will recover the standard Chromium based artefacts.

Updated Support for New Versions of Existing Browsers

All of the mainstream browsers have updated their file formats and added new features. In addition to adding new browser support, we have enhanced the support provided for existing browsers:

Google Chrome/Chromium Based Simple Cache for HTTP

This disk cache is used by default in Google Chrome on Mac OS X, Linux and Android mobile devices.  It can also be enabled on Chrome and most Chromium based browsers running on Windows desktop. It was initially designed as a simple cache back-end to deal with the IO bottlenecks which impaired mobile browsing performance on some platforms.

NetAnalysis® supports processing the Google Chrome and Chromium based Simple disk cache as well as exporting and rebuilding web pages.

Firefox and Mozilla based permissions.sqlite

This database holds preferences about which sites are allowed or prohibited to set cookies, to display images, to open popup windows and to initiate extension installation.

NetAnalysis® can read this information and display the permission settings in the Information panel.

 Mozilla Firefox Permissions in NetAnalysis
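As an added illustration (not Digital Detective's code), the following Python sketch shows how an examiner could list such per-site permission records from a copy of permissions.sqlite. The `moz_perms` table layout, the stored type names, the meaning of the integer `permission` values and the millisecond timestamps are assumptions about the Firefox format that are not stated on this page; the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed meanings of the integer "permission" column (not stated on the page).
ACTIONS = {1: "allow", 2: "deny", 3: "prompt"}
# The four permission types the text lists, under their assumed stored names.
TYPES = {"cookie": "set cookies", "image": "display images",
         "popup": "open popup windows", "install": "install extensions"}

def build_sample_db():
    """Constructed sample mimicking the assumed moz_perms layout."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT, "
               "type TEXT, permission INTEGER, expireType INTEGER, "
               "expireTime INTEGER, modificationTime INTEGER)")
    rows = [
        ("https://tracker.example", "cookie", 2, 0, 0, 1488326400000),
        ("https://shop.example", "popup", 1, 0, 0, 1488412800000),
        ("https://addons.example", "install", 1, 0, 0, 1488499200000),
        ("https://news.example", "desktop-notification", 9, 0, 0, 0),
    ]
    db.executemany("INSERT INTO moz_perms (origin, type, permission, expireType,"
                   " expireTime, modificationTime) VALUES (?,?,?,?,?,?)", rows)
    return db

def read_permissions(db):
    """Return one dict per row; unknown types/values are kept, not dropped."""
    out = []
    query = ("SELECT origin, type, permission, modificationTime "
             "FROM moz_perms ORDER BY modificationTime")
    for origin, ptype, perm, mtime in db.execute(query):
        # modificationTime assumed to be milliseconds since the Unix epoch.
        when = (datetime.fromtimestamp(mtime / 1000, tz=timezone.utc).isoformat()
                if mtime else None)
        out.append({"origin": origin,
                    "capability": TYPES.get(ptype, ptype),
                    "action": ACTIONS.get(perm, f"unknown({perm})"),
                    "modified_utc": when})
    return out

if __name__ == "__main__":
    for rec in read_permissions(build_sample_db()):
        print(rec)
```

On real evidence, work on a verified copy and open it read-only, for example with `sqlite3.connect("file:permissions.sqlite?mode=ro", uri=True)`, so the examination does not alter the database.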

Vivaldi Notes

Vivaldi browser allows the user to save notes while they browse.  A note can be linked to a specific web page and the user can attach full page or selected area screenshots as well as files from their computer.

NetAnalysis® now recovers Vivaldi Notes.  The note content is written to the case export folder and indexed.  Any attachments are written to the case export folder.

Mozilla Firefox v2 Cache

The Disk Cache format v2 for Mozilla Firefox has evolved and changed. NetAnalysis® supports all versions of this disk cache format and allows cache objects to be exported as well as rebuilding web pages.

Microsoft Recovery Store, Tab Sessions, Roaming Tab Sessions and Travel Logs

Microsoft Internet Explorer and Edge browsers keep track of browsing history in two main ways: History and Travel Log. The active tab’s list of back/forward navigations is called the Travel Log. Within Internet Explorer, you can see this list with a click-and-hold on the back or forward arrow. This data can also be used for recovering sessions in the event of the browser crashing, or by starting a new session with tabs from the last session when set as an option by the user. The browsers store this data in Recovery Store and Tab Session files.

Microsoft Edge v38 Recovery Store

Detection of InPrivate Browsing

If a user activates InPrivate browsing, the browser continues to write Travel Log data to the Recovery Store and Tab Session files. At the end of the InPrivate session, the browser deletes these files. NetAnalysis® has the ability to genuinely identify InPrivate browsing sessions and will flag them by placing an icon at the start of the URL (as shown below). HstEx® also has the ability to recover deleted InPrivate Recovery Store and Tab Session files.

Some forensic tools claim to recover InPrivate browsing, but in fact are only searching for URLs in the Travel Log stream and have no idea whether they relate to InPrivate browsing or not.

 

Microsoft Internet Explorer - Edge Detected InPrivate Browsing Session

 

Improved Reporting

Reporting has been completely overhauled to allow reports to be generated on records filtered with a Find Panel active search as well as an active filter.  Previously, reports could be generated on all rows in the grid or on the rows visible when a filter is active.

There are some additional report templates.  A template based on the original NetAnalysis® v1 “Print – Current to PDF” report has been added named “Simple History”.  There is a new template based on the original v1 “Group By Host” named “History By Host” and a new template based on the original v1 “Group by Index Type” named “History By EntryType”.

Improved Cache Exporting and Page Rebuilding

The cache exporting engine has been revisited and considerably improved. We have increased processing speed, as well as enhancing the capability of the process. The following bullet points highlight some of the enhancements we have made.

  • Cache extraction and page rebuilding have been improved to speed up processing and are able to handle much larger volumes of cached page data.
  • Improved content detection.
  • Added support for Brotli decompression.
  • Google Chrome / Chromium Based cache v2 Sparse data entries are now extracted and used in cache export and page rebuilding.  Chrome uses this method to store large cache data in its disk cache.  Internally the cache stores the data as sparse chunks among a set of child cache entries that are linked together from a main parent entry.
  • Processing “srcset” attribute has been added.
  • Processing “data-thumb” attribute has been added.
  • Processing “data-src” attribute has been added.
  • Added support for Chrome Dictionary files during export.

Improved Exporting

Exporting functionality has been improved to include records filtered with a Find Panel active search as well as an active filter. Previously, the exported rows would be dependent upon the active filter or all rows in the grid would be included.

User Interface Improvements

We have made some changes to the user interface to enhance usability:

Save and Load Column Layout

It is now possible to save and reuse grid column layouts. We have provided a number of sample layouts to demonstrate the feature. This is particularly useful if you like to arrange the columns in a certain order, or if you like to remove some of the columns altogether. To save a column layout, select Column » Save Column Layout. To load a column layout, select Column » Load Column Layout. There is also an option to save data grouping if you select save with Data Settings when saving the layout.

Right Click Grid Filter By

We have added two new dynamic filters which can be accessed by right clicking a target record. By selecting Filter By, a sub-menu will appear showing the Host Name and Browser Version strings for this record. Clicking either entry will result in a filter being applied relating to the clicked item.

 

NetAnalysis Right Click Filter

Clear All Active Filters and Searches

Following user feedback, we have added a simple, one-click option to remove all active filters and searches, thereby restoring the full record count to the grid. This can be activated by selecting Tools » Show All Records (Shift + F5) or Right Click » Show All Records.

HstEx® v4.6

This release of HstEx® adds the ability to recover a number of new artefacts as well as adding support for two new browsers. We have also made a number of changes to support the modifications introduced by all of the mainstream browsers.

New Features

HstEx® v4.6 now supports the following:

Microsoft Internet Explorer/Edge

Microsoft Internet Explorer and Edge browsers keep track of the visits for each tab; these visits are stored in what is known as a Travel Log. The Travel Log allows the user to navigate backwards and forwards through the log of visits. This information is saved into a Tab Session file. HstEx® can recover individual Travel Log entries for Internet Explorer v8 to 11 and Microsoft Edge v20 to 38. HstEx® can also search for, and recover, Recovery Store, Tab Session and Roaming Tab Session data (including page thumbnails and previews).

Recovery of Data Relating to InPrivate Browsing

When Recovery Store, Tab Session and Roaming Tab Session files are targeted for recovery and the resulting data was from an InPrivate browsing session, NetAnalysis® has the ability to identify and flag such sessions.

Recovery of Google Chrome/Chromium Based Simple Cache for HTTP

This disk cache is used by default in Google Chrome on Mac OS X and Linux and also Android mobile devices.  It can also be enabled on Chrome and most Chromium based browsers running on Windows desktop. It was initially designed as a simple back-end to deal with the IO bottlenecks which impaired mobile browsing performance on some platforms. HstEx® can now recover Simple Cache entries.

New Browser Support

We have added support for the following browsers:

Opera Neon

Opera Neon is a new concept browser: “a vision of what browsers could become”. It was first released in January 2017 and is available for Mac and Windows.  The browser is Chromium based but with some additional unique features.  Opera Neon gives the user new ways to interact with web content, including the ability to drag, push and pop the tab icons.

HstEx® can recover the following:

  • History Entries
  • Download Entries
  • Cookie Entries
  • Cache Entries
  • Simple Cache Entries
  • Keyword Search Terms
  • Form History
  • Login Data

Brave

Brave is another new, open-source, multi-platform web browser developed by Brave Software; it is based on the Chromium web browser and its Blink engine. It claims to block website trackers and remove intrusive Internet advertisements. The browser also claims to improve online privacy by sharing less data with advertising customers.

HstEx® can recover the following:

  • History Entries
  • Download Entries
  • Cookie Entries
  • Cache Entries
  • Simple Cache Entries
  • Keyword Search Terms
  • Form History
  • Login Data