• 0Shopping Cart
Digital Detective
  • Home
  • Corporate
    • About Us
      • Executive Team
      • Our Clients
      • Testimonials
    • News and Events
      • Latest News
      • Press Release
    • Legal
      • Privacy Policy
      • Cookie Policy
      • Returns Policy
  • Products
    • Forensic Software
      • NetAnalysis®
      • HstEx®
      • Blade®
    • Downloads
      • Evaluation Request
      • Free Digital Forensic Tools
    • Product Documentation
      • NetAnalysis® Documentation
      • HstEx® Documentation
      • Blade® Documentation
  • Careers
  • Support
    • Knowledge Base
    • Support Portal
    • Digital Forensics Forum
  • Store
    • Forensic Software
    • View Shopping Cart
  • Blog
  • Contact Us
  • Search
  • Menu Menu

Understanding Redirects

Digital Forensics, Digital Foresnsic Software, Forensic Investigations, NetAnalysis®, Web Browser Forensics
Random binary data with magnifying glass showing the text REDIRECT in red

Introduction

Redirects provide a way to transport the browser from one point on a web site to another.  Redirects are most commonly used to translate references to outdated web pages to new, updated ones.  They can be instigated either by the browser, in which case they are referred to as client-side redirect, or by the server, in which case they are referred to as server-side redirects.

Virtually all webmasters at some point will discover that not all links to their site end up where they were intended.  For example, if the author of another web site places a link to your site, but misspells the hyperlink, the result will be a 404 error every time that link is selected.

Another common occurrence is site reorganisations.  As you move files around, rename them or even delete them entirely, you will find visitors will receive 404 errors.  This is because other sites, search engines and directories often link to those pages.  It is an impossible task to be able to change all the hyperlinks to your site.

If the webmaster determines that someone has linked to a non-existent page, there are ways of redirecting the user to the correct page.

Browser / Client Side Redirects

If you are a webmaster and you wish to recapture the traffic from the lost/moved/deleted pages, there are several things that can be done.  One of the easiest ways to add a redirect is through a special Meta tag called “refresh” to direct their visitors to the new page.

To do this they create a blank page which contains the tag as shown below (it is placed in the header). The tag simply says “wait some time then go to a named page”.  In this example, the browser will wait one second.

Meta_Refresh_Tag

If you wish to use ASP, then the following code inside an ASP page will perform the same function.

ASP_Redirect

Server Side Redirects

There are many ways to implement server-side redirects depending on the web server being used.  One of the most common is to use the .htaccess file, which is supported by the Apache web server.  .htaccess supports a directive called redirect.  This directive transparently changes the URL to a new URL.   However, this is not the usual method for implementing Server-Side redirects as not all hosts support this.

In IIS7, creating server side redirect is a simple task.  Log on to the Internet Information Services (IIS) Manager and select the file or folder you wish to create a redirect for.  Clicking on the HTTP Redirect button will launch the screen shown below.  This allows the webmaster to select the URL to be redirected to, and also which type of redirect is required.

IIS7_Redirect

This information is then saved to a web.config file in the folder where the redirect is to be launched from.

Redirect Evidence in Microsoft Internet Explorer

Embedded within the CACHE INDEX.DAT file are numerous Internet records that have REDR as the record header.  This header is a REDIRECT entry and is evidence of a SERVER-SIDE redirect.  Client Side redirects are NOT recorded within the INDEX.DAT files as REDR records.  The REDR entry is a URL that has been visited and the server has responded with an HTTP 300 response which tells the browser the page is in a different location.  This entry reflects the URL which caused the redirection.  In NetAnalysis, the entries are marked as Type: Redirect as shown below.

NetAnalysis_Redirect_Entry

In previous versions of NetAnalysis, we were not able to show where the user was redirected to.  Following research and testing, we identified a methodology for resolving redirect entries.  However, it is only possible to show the resulting redirected URL if the data still exists within the INDEX.DAT record.  There is a marker to indicate whether the entry is live or deleted.  It is also only possible to show resulting redirect entries from live INDEX.DAT files.  It is not possible to do this with the data recovered by HstEx.

This is a significant development in the analysis of Internet browser artefacts as previously, the invetigator did not have this information.  At the time of writing this Article, NetAnalysis v1.50+ is the only software available to extract this important evidence.

In addition to identifying the URL where the user was redirected to, it is also possible to identify the date/time this action occurred.  This also was not previously possible.  The status column informs the examiner whether the redirect entry is intact or not.  If it is intact and from a live INDEX.DAT file, there will be date/time information.  As mentioned previously, this data is not available for overwritten or deleted redirect entries.

Redirect_Entries_In_NetAnalysis

The image above shows NetAnalysis and two Server Side Redirect entries.  In this case, item number one is the original URL which caused the server to respond with a server side redirect HTPP response.  This is the standard URL record which is shown in the URL column.  In addition, as this is a REDR record which is intact, NetAnalysis has the Redirect URL (item number two) in the corresponding column.  The Type column reflects the fact it is a redirect entry, as does the IE Type column (Internet Explorer Record Type).

As this Redirect entry is intact, the Last Visited time stamp can be extracted.

23rd April 2010/by Craig Wilson
Tags: Browser Evidence, Internet Explorer
Share this entry
  • Share on Facebook
  • Share on Twitter
  • Share on WhatsApp
  • Share on Pinterest
  • Share on LinkedIn
  • Share on Tumblr
  • Share on Vk
  • Share on Reddit
  • Share by Mail
You might also like
Hands typing on computer keyboard Userdata History Type in Internet Explorer
Casey Anthony and Jose Angel Baez standing during the murder trial Digital Evidence Discrepancies – Casey Anthony Trial
Microsoft Internet Explorer Daily/Weekly INDEX.DAT Files
Clock dial showing hands approching 12 o' clock NetAnalysis® Date and Time Fields
Keyboard with chain and palock Microsoft Internet Explorer PrivacIE Entries
Internet Explorer logo over a computer keyboard Understanding Microsoft Internet Explorer Cache
Cookies next to a laptop keyboard Random Cookie Filenames
Computer keyboard with red enter key being pressed NetAnalysis® v1.52 – USB Dongle, Google Chrome Support and Export/Rebuild Entire Cache Option

Categories

Recent Posts

  • DataDump™ – Data Extractor
  • NetAnalysis® v3.3 and HstEx® v5.3 Released
  • NetAnalysis® v3.2 and HstEx® v5.2 Released
  • Forensic Analysis of the Zone.Identifier Stream
  • NetAnalysis® v3.1 Released

Tags

ACPO AOL Big Endian Browser Evidence Byte Order Cache Case Study Change Log Cookies Data Extraction Data Recovery Data Recovery Profiles Date & Time Digital Evidence Discount Dongles Email Recovery Endianness File System Find Panel Free Good Practice Guidelines Hard Disk Head Swap Image Mounting Intelli-Carve Internet Explorer Junction Points Legal Licensing Little Endian Microsoft Windows Mozilla Firefox News NTFS Offer PFC Release Notes Seagate Search Syntax Timestamps Tools Tutorial

About Us

Digital Detective enhances digital forensic science though cutting edge research and development. We offer a range of products and services for digital forensic analysis and advanced data recovery.

Recent Tweets

Exciting news! Our popular #DataDump tool just got even better with the release of v2.1. Download now for free and experience the difference! #freetool #dataextraction digital-detective.ne…

About 3 weeks ago from Digital Detective's Twitter via Twitter Web App

Nothing seems to have changed in the last 13 years. lbc.co.uk/news/polic…

About 2 months ago from Digital Detective's Twitter via Twitter Web App

This has been a lot of work; hope you like it. NetAnalysis® v3.3 and HstEx® v5.3 have been released. Lots of new functionality! digital-detective.ne…

About 3 months ago from Digital Detective's Twitter via Twitter Web App

Her Majesty The Queen Elizabeth II 1926 - 2022 pic.twitter.com/sWSC…

About 5 months ago from Digital Detective's Twitter via Twitter for iPad

Recovery and analysis of MFT resident Zone.Identifier alternate data streams and how they are helpful in a forensic investigation. #DFIR #DigitalForensics #BrowserForensics #FileSystemAnalysis digital-detective.ne…

About a year ago from Digital Detective's Twitter via Twitter Web App

Follow @DigitalDetectiv

Select Language

Translate our site by selecting your language from the option below.

en English
ar Arabiczh-CN Chinese (Simplified)nl Dutchen Englishfr Frenchde Germanit Italianpt Portugueseru Russianes Spanish

Contact Us

Digital Detective Group
Motis Business Centre
Cheriton High Street
Folkestone
KENT, CT19 4QJ
United Kingdom

///courts.endearing.bulbs
+44 (0) 20 3384 3587

Copyright © 2001 - 2023 Digital Detective Group Limited
  • Facebook
  • Twitter
  • Youtube
  • Mail
  • Home
  • Sitemap
  • Corporate
  • Products
  • Store
  • Blog
  • Contact
Scroll to top

This site uses cookies. By continuing to browse the site, you are agreeing to our use of cookies.

OKLearn more

Cookie and Privacy Settings



How we use cookies

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.

Essential Website Cookies

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, refuseing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.

We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.

We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.

Google Analytics Cookies

These cookies collect information that is used either in aggregate form to help us understand how our website is being used or how effective our marketing campaigns are, or to help us customize our website and application for you in order to enhance your experience.

If you do not want that we track your visit to our site you can disable tracking in your browser here:

Other external services

We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Google Map Settings:

Google reCaptcha Settings:

Vimeo and Youtube video embeds:

Other cookies

The following cookies are also needed - You can choose if you want to allow them:

Privacy Policy

You can read about our cookies and privacy settings in detail on our Privacy Policy Page.

Privacy Policy
Accept settingsHide notification only