Monday, 22 March 2010

Internet History Examination Tools - you generally get what you pay for

My digital Life of Grime case and another ongoing case have caused me to look more closely at the tools we use to analyse internet history. Life of Grime's suspect had a penchant for the Flock browser and the other ongoing case involves Firefox 3.0.1 running on an Apple iBook. The version of Flock in use is built on Firefox 3 also. It seems to me that I am seeing Firefox as the browser of choice in the majority of my cases. I know that most available statistics still put Internet Explorer in top spot but I still maintain Firefox has overtaken IE in my cases. Certainly Firefox is (worryingly?) by far the most popular browser used to read this blog.

Now as far as the data we think of as internet history is concerned, Firefox 3.x.x stores this data in a Sqlite database, places.sqlite and sometimes additionally places.sqlite-journal. However in the wider sense internet history can also be determined from the Firefox cache because the page elements stored there contain each elements URL and associated times and dates. Firefox stores it's cache in a folder entitled Cache within the xxxxxxxx.default folder (it is possible for a user to have more than one profile -so there may be other profile names not having the word default appended). Cached items may be stored in a file by itself (albeit renamed without a file extension) or more often within cache block files (e.g. _CACHE_001_). These cache block files can contain many cached items and therefore an index file is needed to record where an item is stored in the cache. This index is called a cache map and is the file _CACHE_MAP_.

Many of us have made use of a number of free utilities to examine Firefox 3 internet history. These tools have become popular due to our mainstream, paid for, tools falling a little behind the curve and not supporting Firefox 3. These free utilities include:


All bar the Nirsoft tool can not parse any data out of Firefox cache. Now for me that is a problem -not necessarily with the tools, but with the methodology I am going to use in a production line forensics environment. I know there are other approaches -substituting the suspects profile into a test installation of Firefox for example but ideally I would prefer a one stop shop approach.

Regular readers will know that I work in an Encase shop and the Encase 6.15 comprehensive internet search will parse out live Firefox records from cache. However in both the cases I am working on now, the cache map file is zeroed out. In this situation Encase does not parse records still recorded within the cache block files (and for that matter neither does the Nirsoft utility).

Which brings me to NetAnalysis. As our more experienced readers will know NetAnalysis is the industry standard, tried and tested tool for the analysis of browser history and cache, particularly Internet Explorer history and cache. NetAnalysis has always supported other browser artefacts but until now not Firefox version 3. NetAnalysis 1.50 and the associated program HstEx 3 now support Firefox 3 and then some.

In both my cases I have copied out the profile folders and quickly added them to a NetAnalysis workspace using the Open all history from folder option. Because the cache map file is empty the cache is effectively deleted which is where HstEx 3 comes in. HstEx 3 is a deleted history record extractor which can locate deleted records from physical disks, raw images and new to this version, directly from Encase evidence files. In both my cases HstEx 3 was able to parse records from the cache block files that none of my other tools, including Encase 6.15, could do. The advantage of being able to run HstEx 3 directly over Encase evidence files can not be over stated. By running multiple sessions of Hstex 3, productivity can be considerably enhanced and at the same time freeing up image mounting tools for other uses.

NetAnalysis 1.50 also introduces many other new features -probably the headline one being the significantly enhanced cached web page rebuilding feature. This is very cool. Simply load in your suspects browser cache, press F6 and the workspace filters cached webpages that can be rebuilt. Double clicking on them displays the page in a viewer and within an export folder the underlying html and associated page elements can be found. Each rebuilt page folder can be copied for use in an html report for example. I can't do this feature justice here but a Digital Detective knowledge base article covers it in more detail. Other enhancements include the provision of an extensive audit log. I think this facility is anticipating the tightening of regulation here in the UK with the advent of the Forensic Science Regulator. More immediately it allows the creation of cracking contemp notes. Another notable addition is the ability to provide more information about redirect and referral URLs.

As a final thought, we all love free tools, many of them written by Harlan Carvey, Mark Woan, Tim Coakley, John Douglas and others we know and respect. But we do need to be careful - one or two of the free tools I have referred to above have been written by people who, for whatever reason, have had to obfuscate their identity. I do not doubt any of these tools, but what if a new tool was released that extracted data that none of our current tools could. If we do not know who is behind it how do we know that the said tool was not on a certain date in the future going to scour our forensic network and modify all the Encase evidence files it came across? As I said at the start you generally get what you pay for. Till next time.

1 comment:

Anonymous said...

Hi, thanks for the article on internet history examination. Would like to check whether you are aware of how CacheBack compares to NetAnalysis? Thanks.