Digital Detective NetAnalysis® globo logo on top of a browser window

Introduction

This release of NetAnalysis® adds support for the forensic analysis of two browsers which have been designed for the security/privacy market, Avast Secure Browser and CCleaner Browser. We have also added support for seventy-four new versions of other browsers.

New Browser Support

We have added support for the following browsers:

Avast Secure Browser

Avast Secure Browser (previously Avast Safe-Zone) is a Chromium based web browser developed by Avast. Initially, the browser was available alongside Avast’s paid versions of their Avast Antivirus software. However, as of March 2016, the company included the web browser as part of its free antivirus software.

Avast Secure Browser Logo

CCleaner Browser

CCleaner Browser is a Chromium based web browser developed by Piriform, the same company responsible for the data erasing, security software, CCleaner. The company describes the software as

a web browser with built-in security and privacy features to keep you safe online. It comes packed with all the tools you need to manage your online privacy, identity, and personal data.

CCleaner Browser Logo

New Features

Apple Safari

We have added support for auto-fill corrections, touch icon cache settings, per-site preferences and favicons.

Improvements

Property Set Information

Microsoft Internet Explorer and Edge (non-Chromium) browsers maintain files for recovering sessions and tracking browser navigation between tabs. NetAnalysis® shows this data when viewing Recovery Store, Tab Session, Roaming Tab Session and Travel Log entries. Some of the data for these types is stored in a data structure called a Property Set. This is simply a collection of properties, along with a FMTID (Format Identifier) to identify the property set format.

In previous version of NetAnalysis®, we only displayed a summary of the known properties in the Information panel. This has now been updated so we show all property IDs along with the raw values, as well as the CLSID for the Format Identifier. Some examples are shown below.

The following images show the Information panels from Recovery Store entries. The raw Property Set values are below the FMTID.

Recovery Store Property Set

Recovery Store Property Set

Recovery Store Property Set

The following images show the Information panels from Tab Session entries. The raw Property Set values are below the FMTID.

Tab Session Property Set

Tab Session Property Set

The following images show the Information panels from Tab Roaming entries. The raw Property Set values are below the FMTID.

Tab Roaming Property Set

Tab Roaming Property Set

Filter Functions

A common scenario is to examine the records between specific days of the week and between specific times. In NetAnalysis® v2.11 we have added some new Filter files which demonstrates this.

The first example is a filter which will only show entries where the Date Visited falls between Monday and Friday, and the local time is between 08:00 and 16:59 hours. As this filter uses the Function facility, it will not be able to display the results in the expression tree.

This Filter uses the GetHour() and GetDayOfWeek() functions. The GetDayOfWeek() function returns an integer which corresponds to the day of the week. Monday = 1, Tuesday = 2 and so on. The GetHour() function also returns an integer which represents the hour in the 24-hour clock.

Edit Filter Window showing Filter Functions

HstEx® Release Notes

This release of HstEx® adds support for two browsers which have been designed for the security/privacy market, Avast Secure Browser and CCleaner Browser.

Recovery of Avast Secure Browser

Earlier in this post, we highlighted that we had added support for importing Avast Secure Browser data into NetAnalysis®. We have also added the recovery of the following artefacts:

 Forensic Recovery Support for Avast Secure Browser

Recovery of CCleaner Browser

We have also added support for the recovery of artefacts from CCleaner Browser. The following artefacts can be selected for recovery:

Forensic Recovery Support for CCleaner Browser

New Features

We have added support for the recovery of data from:

Improvements

Open Session MRU

We have added a Most Recently Used (MRU) drop-down list on the Open button so that the user can access previously saved session files.

 

Digital Detective HstEx Session File MRU

Recovery Profiles Filter and Search

In the Recovery Job window, we have added the ability to search through the recovery modules. The example below shows the user searching for “download” profiles.

 

HstEx Add Job Search through Recovery Profile

We have also added a filter option to allow the user to filter and display individual or multiple recovery profiles or browser types.

HstEx Add Job Filter Recovery Profile

Change Log

The full Change Log can be found here: