Digital Detective NetAnalysis® globo logo on top of a browser window

Introduction

This release of NetAnalysis® adds support for the new Microsoft Edge (Chromium) browser, which has been released in Dev and Canary versions; we have also added support for the new Opera GX gaming browser as well as adding support for fifty-eight other browsers.

New Browser Support

We have added support for the following new browsers:

Microsoft Edge (Chromium)

In December 2018, Microsoft announced their intention to adopt the Chromium open source project in the development of their Microsoft Edge browser. As of July 2019, they have released Developer and Canary editions. Microsoft Edge is currently available for Windows 7, 8, 8.1 and 10 as well as supporting macOS.

Microsoft Edge Chromium Dev and Canary Logos

Opera GX

Opera GX is a special version of the Opera browser built specifically to complement gaming. The web browser includes unique features to help the user get the most out of both gaming and browsing. It is a desktop web browser for Windows PCs.

Opera GX Logo

New Features

Login Stats Entries

We have added support for the recovery of Login Data stats entries for Chromium based browsers. This table records the number of times a user has logged into a password protected domain and dismissed the save password dialogue (for a maximum of three times). Once three instances have been recorded, the browser will no longer offer to save the username/password for the domain.

NetAnalysis showing Login Data Stats Entries

Examine Selected Text

This new feature allows you to select text from the Information panel and send it to the Examination Window for analysis and/or decoding. Simply open the Information panel, select the text you wish to examine, right click and select Examine Selected.

NetAnalysis showing text selected from the Information Panel

The selected text will appear in the Examine Window as shown below:

NetAnalysis Examine window showing a Decoded URL

New Report Template

We have added a new report template titled “Template with Decoded URL”. This can be accessed by opening the Report Manager from the View menu, or typing CTRL + Shift + R. This template demonstrates how to take the Decoded URL data and display it in the same split format as displayed in the Decoded URL panel. This is achieved by taking the data from the Decoded URL column, and processing it through a SplitDecodedUri() function. The script for the report can be seen by clicking on the Scripts tab in the Report Designer. The script is shown is the image below.

NetAnalysis Report Designer Script

Cache Prefix Handling

The URI key for an entry stored in the cache is normally the URI of the resource (for example https://www.digital-detective.net/favicon.ico).

A cache key may also contain one of more prefix values. These prefixes can be an internal scheme used by the browser when retrieving entries from the cache (Firefox) or indicate a sparse entry where the browser is able to store only parts of a resource (Chrome). The prefixes may contain attribute values used to map the cache entry to a partitioned area of the cache storage (Firefox) or to indicate protocol information stored in the cache (Chrome).

The image below shows a cache entry with prefix as displayed in the previous release, NetAnalysis® v2.9.

NetAnalysis showing Cache URL Prefix

Browsers have now started to include cache key prefixes that indicate cross-origin resource cache entries. The cache keys for these entries actually contain two or more URIs so that the top-level origin can be stored along with the resource URI. This can make cache handling problematic.

As a result of these changes, we have had to revisit the way NetAnalysis® handles cache entries containing prefixes. From NetAnalysis® v2.10, if a cache entry has a prefix, we will remove this data when handling URLs. This allows for easier URL handling and processing. To retain the original value, we will show this in the Information panel. With the exception of Chrome cache v2 sparse entries, the prefix will be retained to aid with sparse entry identification.

The image below shows a cache entry with prefix as displayed in NetAnalysis® v2.10. The prefix has been removed and the Information Panel shows the original cache key. The sparse entry prefix “Range_” can be seen in the other entries below.

NetAnalysis showing Cache Prefix Removed and Cache Key displayed in Information Window

Firefox Pinned Tabs

Firefox recently added a new feature for pinning the tabs of frequently used web sites for easy access. The pinned tabs are small and cannot be closed accidentally, they also open automatically when the browser is restarted. The user can easily pin a tab by right clicking on any tab and selecting Pin Tab from the menu (see the image below for Firefox pinned tabs, shown to the top left of this browser).

Mozilla Firefox Showing Pinned Tabs

To identify a pinned tab, open the sessionstore file in NetAnalysis® and review the Information window as shown below.

NetAnalysis Showing a Pinned Tab Entry from a SessionStore File

Chromium Login Data Name/Value Pairs

We have enhanced the handling of Chromium based login data in NetAnalysis® v2.10. The name/value pairs are now extracted and displayed in the Index Text window. The data is also written to the export folder so that the information can be indexed by our search engine. In the example below, our user has logged in to the web site of a local pizza company so that some tasty food can be ordered (and delivered). The Index Text window in this case shows the user’s name, contact number and delivery address. The Information window shows other information relevant to this transaction.

NetAnalysis showing a Login Data entry with Login Name/Value Pairs

Mozilla Firefox Containers

The Firefox Multi-Account Containers extension lets the user create a separate box for each of their online lives; which means they don’t have to open a different browser to separate work and home browsing. The extension separates website storage into tab-specific Containers. Cookies downloaded by one Container are not available to other Containers, so the user can log into the same site with different accounts and online trackers can’t easily connect the browsing. Custom labels and colour-coded tabs help keep the different activities or personas separate.

Existing tabs can be re-opened in a specific container by selecting from a right-click menu (see below).

Mozilla Firefox Multi-Account Containers Menu

NetAnalysis® 2.10 now supports the import of data from Firefox Multi-Account Containers. The image below shows a Container entry, and the Information window shows the corresponding unique user context ID. This value identifies the Container. In this case, we are looking at the Facebook container. This ID can then be used to identify other entries and activity related to that container.

NetAnalysis Showing a Facebook Containers Entry and Associated Activity

HstEx® New Features

Recovery of Login Data » stats Entries

With this release of HstEx® v4.10 we have added support for the recovery of Login Data stats entries for Chromium based browsers. The entries in this table records the number of times a user has logged into a password protected domain and dismissed the save password dialogue (for a maximum of three times). Once three instances have been recorded, the browser will no longer offer to save the username/password for the domain.

HstEx Google Chrome Recovery Profiles

Recovery of Microsoft Edge (Chromium)

Earlier in this post, we highlighted that Microsoft had released Developer and Canary versions of their new web browser. We have added support for the recovery of this data; the following artefacts can be selected and recovered:

HstEx Recovery Profile for Microsoft Edge Chromium Web Browser

Recovery of Opera GX

Another new browser added to HstEx® is the Opera GX gaming web browser. The following artefacts can be selected and recovered:

HstEx Recovery Profiles for the Opera GX Gaming Web Browser

Change Log

To review the full list of changes for this release, please see: