This release of NetAnalysis® adds support for the forensic analysis of two browsers which have been designed for the security/privacy market, Avast Secure Browser and CCleaner Browser. We have also added support for seventy-four new versions of other browsers.
New Browser Support
We have added support for the following browsers:
Avast Secure Browser
Avast Secure Browser (previously Avast Safe-Zone) is a Chromium-based web browser developed by Avast. Initially, the browser was available alongside the paid versions of Avast Antivirus. However, as of March 2016, the company included the web browser as part of its free antivirus software.
CCleaner Browser
CCleaner Browser is a Chromium-based web browser developed by Piriform, the same company responsible for the data-erasing and security software CCleaner. The company describes the software as:
"a web browser with built-in security and privacy features to keep you safe online. It comes packed with all the tools you need to manage your online privacy, identity, and personal data."
We have added support for auto-fill corrections, touch icon cache settings, per-site preferences and favicons.
Property Set Information
Microsoft Internet Explorer and Edge (non-Chromium) browsers maintain files for recovering sessions and tracking browser navigation between tabs. NetAnalysis® shows this data when viewing Recovery Store, Tab Session, Roaming Tab Session and Travel Log entries. Some of the data for these types is stored in a data structure called a Property Set. This is simply a collection of properties, along with an FMTID (Format Identifier) to identify the property set format.
In previous versions of NetAnalysis®, we only displayed a summary of the known properties in the Information panel. This has now been updated so that we show all property IDs along with the raw values, as well as the CLSID for the Format Identifier. Some examples are shown below.
The following images show the Information panels from Recovery Store entries. The raw Property Set values are below the FMTID.
The following images show the Information panels from Tab Session entries. The raw Property Set values are below the FMTID.
The following images show the Information panels from Tab Roaming entries. The raw Property Set values are below the FMTID.
A common scenario is to examine the records between specific days of the week and between specific times. In NetAnalysis® v2.11 we have added some new Filter files which demonstrate this.
The first example is a filter which will only show entries where the Date Visited falls between Monday and Friday, and the local time is between 08:00 and 16:59 hours. As this filter uses the Function facility, it will not be able to display the results in the expression tree.
This Filter uses the GetHour() and GetDayOfWeek() functions. The GetDayOfWeek() function returns an integer which corresponds to the day of the week. Monday = 1, Tuesday = 2 and so on. The GetHour() function also returns an integer which represents the hour in the 24-hour clock.
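The same working-hours test can be reproduced outside the tool to cross-check a filtered result set. The Python below is an added example, not NetAnalysis® filter syntax or code from the product: the sample records are constructed, timestamps are assumed to be stored as UTC, a fixed UTC offset stands in for the examiner's time zone setting, and `get_day_of_week()` and `get_hour()` are stand-ins that follow the conventions described above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (URL, Date Visited); timestamps assumed stored as UTC.
SAMPLE_VISITS = [
    ("https://intranet.example/login", "2021-03-01 07:30:00"),  # Mon 08:30 at UTC+1
    ("https://mail.example/inbox", "2021-03-05 15:59:59"),      # Fri 16:59:59 at UTC+1
    ("https://news.example/", "2021-03-05 16:00:00"),           # Fri 17:00:00 at UTC+1
    ("https://video.example/watch", "2021-03-06 10:00:00"),     # Sat 11:00 at UTC+1
    ("https://shop.example/cart", "2021-03-07 23:30:00"),       # Sun UTC, Mon 00:30 at UTC+1
    ("https://docs.example/report", "2021-03-02 06:59:59"),     # Tue 07:59:59 at UTC+1
]


def to_local(utc_text, utc_offset_hours):
    """Parse a UTC timestamp and shift it to a fixed-offset local zone (assumption)."""
    utc = datetime.strptime(utc_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def get_day_of_week(dt):
    """Monday = 1, Tuesday = 2 and so on, as the filter text describes."""
    return dt.isoweekday()


def get_hour(dt):
    """Hour on the 24-hour clock (0-23)."""
    return dt.hour


def in_working_hours(local_dt):
    """Monday-Friday, 08:00:00 through 16:59:59 local time."""
    return 1 <= get_day_of_week(local_dt) <= 5 and 8 <= get_hour(local_dt) <= 16


def filter_visits(visits, utc_offset_hours):
    """Return URLs whose local visit time passes the working-hours test."""
    return [url for url, stamp in visits
            if in_working_hours(to_local(stamp, utc_offset_hours))]


if __name__ == "__main__":
    for offset in (0, 1):
        print(f"UTC{offset:+d}:", filter_visits(SAMPLE_VISITS, offset))
```

Running it with two different offsets shows that the set of records inside working hours depends on the time zone applied to the case, so that setting should be recorded alongside any filtered export.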
HstEx® Release Notes
Recovery of Avast Secure Browser
Earlier in this post, we highlighted that we had added support for importing Avast Secure Browser data into NetAnalysis®. We have also added the recovery of the following artefacts:
Recovery of CCleaner Browser
We have also added support for the recovery of artefacts from CCleaner Browser. The following artefacts can be selected for recovery:
We have added support for the recovery of data from:
- Mozilla Firefox/Mozilla Based Signons
- Brave Reward Entries
- Yandex Ya Credit Cards
- Yandex Ya Autofill Data
Open Session MRU
We have added a Most Recently Used (MRU) drop-down list on the Open button so that the user can access previously saved session files.
Recovery Profiles Filter and Search
In the Recovery Job window, we have added the ability to search through the recovery modules. The example below shows the user searching for “download” profiles.
We have also added a filter option to allow the user to filter and display individual or multiple recovery profiles or browser types.
The full Change Log can be found here: