NetAnalysis v1.56

• NetAnalysis v1.56 Release Notes
• Change Log for NetAnalysis v1.56

HstEx v3.10

• HstEx v3.10 Release Notes
• Change Log for HstEx v3.10

I wanted to share with you an application we use during software testing called qTrace.  It really is a great application and could probably be utilised for evidential capture as well.  We are in no way affiliated with the company that makes qTrace (apart from using their software); however, it is definitely worth a look.

For us as a company, qTrace solves a number of different problems:

1. Assisting with the software testing process by allowing Test Engineers to easily record their actions during software testing cycles;
2. Allowing step by step procedures to be recorded and documented as well as capturing environmental information such as OS, memory and version information;
3. Allowing us to directly submit issues to our issue tracking and test management systems;
4. Allowing customers to use the free version of qTrace to record step by step instructions when a support issue arises, thereby allowing our Support Engineers to quickly identify the cause of a problem.  Customers can submit the output from qTrace directly to us.

When a qTrace session has been completed, the editor opens a screen which looks like Figure 1 below.  The qTrace output can also be saved in PDF or Microsoft Word document format.

Figure 1 qTrace Editor

The editor shows the step by step actions taken by the user when using the application under test.  Each of the screens can be annotated.  The resulting output is a fraction of the size of a full video screen capture, and is far more flexible.

I can think of a number of different uses outside of software testing, so I am sure the investigators out there can think of a number of different applications. 

Here is the example qTrace file from a NetAnalysis session:

• NetAnalysis qTrace Example PDF

Firefox actually introduced the thumbnail capturing capability in Firefox v12 and did not tell the users; however, there is no way to display them in v12.   Firefox v13 displays the thumbnails when a new tab is selected.

NetAnalysis v1.54 can extract Mozilla Firefox Thumbnail Images

We added the ability to extract these thumbnail images (stored in the cache) to NetAnalysis v1.54.  See the following for further information on moz-page-thumb entries.

http://kb.digital-detective.co.uk/display/NetAnalysis1/Firefox+moz-page-thumbs

Overview

In this release we have added a number of new features and improvements. Please see the Change Log for a full list of changes, which should assist with feature testing and validation. NetAnalysis v1.54 has been tested against all the current release versions of supported browsers. Please see the following list:

• Full Change Log for version 1.54
• List of supported browsers and versions
• Full Change Log for HstEx v3.8
• Release notes for HstEx v3.8

The corresponding version of HstEx for this release of NetAnalysis is HstEx v3.8. HstEx v3.8 uses an updated file format which can only be opened in NetAnalysis v1.54 and above.

Mozilla Firefox

Since the release of NetAnalysis v1.53, we have seen some significant changes in the world of browser forensics. Mozilla has committed to a more aggressive release schedule for the Firefox web browser. There were nearly three years between the launch of Firefox 3 and Firefox 4, however, versions 5 to 12 have been released within a matter of months. This has been a technical challenge from a support point of view as many artefacts have changed during these releases. We are pleased to report that NetAnalysis now supports all versions of Mozilla Firefox from version 1 through to the current release, Firefox version 12.

Firefox moz-page-thumbs

Firefox v13 will bring a slightly new look to some parts of the browser. Both the New Tab and the Home Page have been redesigned. The New Tab page now has links to your most recently and frequently visited sites which looks more or less just like Opera’s Speed Dial, which Chrome also mimics.

Figure 1

Some of this functionality has been added to Firefox v12 in anticipation of the release of Firefox v13. Whilst Firefox v12 does not show the new Speed Dial page when new tab is selected, the page thumbnails are still saved to the cache when a page is visited. The URL portion of the cache entry looks like this:

Figure 2

We have added additional support to HstEx to recover these entries as part of the Firefox cache recovery. NetAnalysis v1.54 also supports these cache entries, with the added bonus of being able to extract the page-thumb file (which is usually stored in PNG format). Read more about Firefox Version 13.

These thumbnails can easily be exported and reviewed by the investigator. Using the new ‘Export/Rebuild Current Filtered Cache Items’ feature added to NetAnalysis v1.54, the thumbnail entries can be filtered and then the actual PNG thumbnail files can be exported from the cache. To filter the records, search for “moz-page-thumb” across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items. The thumbnail files can then be examined from the “Extracted Files/PNG” folder.

Firefox moz_formhistory

We have added support to import data from the ‘moz_formhistory’ table. This contains artefacts relating to web form completion.

Figure 3

The screen shot in Figure 3 shows an example where the browser user opened a ZIP attachment whilst viewing Google Mail; they then created a draft email using the subject line “Some research I’ve done”.

Figure 4

The screen shot in Figure 4 shows the user creating a new Google Mail account. It also takes the user through the question and answer fields which are required to create a new account. Although the details in this image have been redacted, you can see the field names which have been completed as part of the process. These artefacts when viewed in context can provide some very interesting information.

Google Chrome

We have added significant extra functionality for Google Chrome artefacts. Chrome maintains a number of SQLite databases for data storage, and NetAnalysis v1.54 now extracts data from most of the significant databases.

History Index YYYY-MM c2body

We have added support for Google Chrome Page Content (c2body). Chrome’s history system keeps a full text index for each page the user visits, making it easy to find pages based on their content, not just title and URL. The user’s history is exposed through the History page, accessible via the Tools menu, or by pressing Ctrl+H. A user may also directly search their history by typing a search query in the address bar, and selecting the See all pages in history containing [query] item that appears if any results match the entered query.

When a user visits a page, the textual contents (those actually shown on screen) are stripped out and stored in the ‘History Index YYYY-MM’ database files (one file per month). NetAnalysis v1.54 allows the examiner to extract all of this information in one simple operation. The text files generated have been shown to contain potentially important information including Facebook and webmail data.

The text page content can be extracted by selecting Tools » Export Google Chrome c2body.

Figure 5

Page Transitions

Google Chrome stores a transition value which identifies the type of transition between pages. These are stored in the history database to separate visits, and are reported by the renderer for page navigations. NetAnalysis now extracts and decodes the page transition value and displays the transitions in the ‘Status’ column. By examining the page transitions, it is possible to see how a user landed on a page. To understand the meaning of each transition, please see Page Transitions.

Figure 6

Downloads

We have also added support for Google Chrome download history.

Figure 7

Internet Explorer Visit Count

Recent testing has exposed an issue with the accuracy of Internet Explorer hit count values stored in the Master INDEX.DAT file. Normally, the hit count would be stored as a 32bit integer at record offset 0×54 (decimal 84). In many cases, comparing the record value to the hit count returned by Internet Explorer would show a mismatch. In these cases, Internet Explorer has an additional record object which stores an additional visit count. Testing has shown this additional count object to be accurate and is the value presented by the application. When the additional record object is present, NetAnalysis parses that block and displays that value in the Hits column. The original value stored at offset 0×54 is now displayed in the Status column as can be seen from the figure below.

Figure 8

Updated Query Manager

This release has an updated Query Manager with additional features. It is now possible to sort the ‘Database Field List’ and ‘SQL Query Operators’ by clicking on the corresponding column header. The ‘SQL Query Operators’ now have a ‘Description’ entry which explains the function of the Operator. The Operators have also been re-written to show the full Operator with parameters and wild card characters. This should make it much easier to build and understand your SQL queries. The ‘Check SQL Syntax’ button has been added as a more convenient way to verify the syntax of a query. For further information, please see SQL Query Operators.

Figure 9

Rebuilding and Exporting Filtered Cached Pages (and Objects)

NetAnalysis has long had the capability to rebuild either single webpages, or the entire cache in one operation.  NetAnalysis v1.54 now allows the forensic examiner to rebuild part of the cache.  Using the various filtering techniques available, the forensic examiner can generate a targeted subset of the browser data, and then rebuild only the live webpages (or export cached objects) contained within that subset.

For example, if you wanted to export only the moz-page-thumb files, search for “moz-page-thumb” across the imported Firefox v12 records and then select Tools » Export/Rebuild Current Filtered Cache Items.  The thumbnail files can then be examined from the “Extracted Files/PNG” folder.

Add Bookmark to Multiple Records

The bookmarking feature in NetAnalysis v1.54 has been enhanced to allow the forensic examiner to bookmark many records with the same bookmark text.  The forensic examiner can create a filtered list of specific records, and then apply the same bookmark text to all of these records in one operation.  The bookmark column can also be used for filtering, so this functionality is a powerful addition to the armoury.

Web Page Rebuilding

We have enhanced the web page rebuilding engine to make it more robust and provide better results.  We have also released v4 of QDV™, our internal web page viewing software.  This new version suppresses script errors in web pages, so the forensic investigator will no longer need to cancel multiple error messages when reviewing some rebuilt web pages.

Figure 1

In this release (Change Log v3.8) we have added some new functionality in terms of source processing and browser support. We have added support for processing data saved in Advanced Forensic Format as well as adding the ability to recover Google Chrome cache records. In addition, we have added support for Logicube Dossier E01 images.

• Full change log for version 3.8
• List of supported browsers
• List of supported source types and data formats

Advanced Forensics Format (AFF®) Support

The Advanced Forensics Format (AFF®) is an extensible open format for the storage of disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology. HstEx (and Blade) now support the processing of AFF® image files (as well as other forensic formats). The following page lists the current supported file formats: Forensic Image Formats Supported by HstEx.

Recovery of Deleted Google Chrome v2 – 19 Cache Records

HstEx version 3.8 now adds the ability to recover live and deleted Google Chrome Cache records from all source data types. This is a significant addition to the software, as previously, it was only possible to examine live records, which were still available, on a suspect system. HstEx v3.8 can recover cache entries from Google Chrome browser v2 through to the current release v19.

Figure 2

Recovery of Deleted Mozilla Firefox v1 to 12 Cache Records

Mozilla has committed to a more aggressive release schedule for the Firefox web browser. There were nearly three years between the launch of Firefox 3 and Firefox 4, however, versions 5 to 12 have been released within a matter of months. This has been a technical challenge from a support point of view as many artefacts have changed during these releases. We are pleased to announce that HstEx now supports all versions of Mozilla Firefox cache entries from version 1 through to the current release, Firefox version 12.

Figure 3

Recovery of Firefox v12 ‘moz-pages-thumb’ entries

Firefox 13 will bring a slightly new look to some parts of the browser. Both the New Tab and the Home Page have been redesigned. The New Tab page now has links to your most recently and frequently visited sites which looks more or less just like Opera’s Speed Dial, which Chrome also mimics. Some of this functionality has been added to Firefox v12 in anticipation of the release of Firefox v13.

Figure 4

Whilst Firefox v12 does not show the new Speed Dial page when new tab is selected, the page thumbnails are still saved to the cache when a page is visited. The URL portion of the cache entry looks like this:

Figure 5

We have added additional support to HstEx to recover these entries as part of the Firefox cache recovery. NetAnalysis v1.54 also supports these cache entries, with the added bonus of being able to extract the page-thumb file (which is usually stored in PNG format).

Read more about Firefox Version 13.

Logicube Forensic Dossier® E01 Support

According to Logicube:

“The sixth generation of computer forensic solutions from Logicube, the Forensic Dossier® was designed and engineered exclusively to meet forensic investigators’ requirements. Version 2.0.1 provides support for the E01 file format compression (hardware-based compression to maintain line-speed performance), and support for NTFS file format for support of 2TB and greater capacity hard drives and support of single, disk-wide dd image capture.”

With HstEx v3.8, we have added support for the E01 files produced by the Logicube Forensic Dossier. Unfortunately, earlier versions of HstEx are unable to load and read the E01 files generated by the Logicube Dossier because of an incompatibility with the metadata fields. Some of the values written to these fields are in a different format than those written by EnCase or FTK Imager. This has now been resolved.

Figure 6

We are pleased to announce the dates for the following NetAnalysis Foundation Courses.  This is an ideal opportunity for you or your staff to gain valuable training and certification in the use of NetAnalysis / HstEx within a forensic environment. 

This course will teach you how to get the most out of our software. 

	The time zone lesson was excellent and really made me think.  I wish I had known that before I came on the course.  It is such an important subject to cover.

	Really good all round course, not mundanely product specific…  Good teaching style.

	This is one of the best courses I have attended.  I will certainly recommend it to my everyone.

	Practical exercises helped a lot to instil the content…  The whole course was very relevant to my daily tasks within HTCU…  I will definitely be back for the advanced course.

Places are limited allocated on a first come, first served basis and are filling up fast; so contact us now to avoid disappointment.

There are a number of seats still available on the following courses which are being held at Learning Tree International in London:

·         26^th – 27^th April 2012 – NetAnalysis Foundation Level Course

·         30^th – 31^st May 2012 – NetAnalysis Foundation Level Course

·         21^st – 22^nd June 2012 – NetAnalysis Foundation Level Course

For our many users outside of the UK, we are planning to run a number of courses in US and Canada later this year and will publish details on our web site.

To book your place on a course or to obtain further information, please contact us on 0845 224 8892, or drop us an email at our sales address.

For further information regarding our training courses, please visit the following links:

• Digital Detective Training Home
• NetAnalysis Foundation Course Training

This release of Blade™ brings a number of fixes and some great new features.  This is the first release of Blade™ to have evaluation capabilities which allow the user to test and evaluate our software for 30  days. When Blade™ is installed on a workstation for the first time (and a valid USB dongle licence is not inserted) the software will function in evaluation mode.

The following list contains a summary of the new features:

• Support for Advanced Forensic Format (AFF®)
• Hiberfil.sys converter – supports XP, Vista, Windows 7 32 and 64bit
• Accurate hiberfil.sys memory mapping, not just Xpress block decompression
• Hiberfil.sys slack recovery
• Codepage setting for enhanced multi-language support
• SQLite database recovery
• 30  Day evaluation version of Blade™ Professional
• New recovery profile parameters for more advanced and accurate data recovery
• Support for Logicube Forensic Dossier®
• Support for OMA DRM Content Format for Discrete Media Profile (DCF)

We have also been working on the data recovery engines to make them more efficient and much faster than before. The searching speed has been significantly increased.

One of the growth areas in digital forensics is the use of USB dongles for the licencing of software.  Every single practitioner now finds themselves managing a veritable menagerie of tiny USB devices, just to enable them to carry out their day-to-day work. 

Of course, where dongles for core forensic software are concerned, most people will possess their own NetAnalysis, EnCase or FTK dongles and these will be jealously guarded, with practitioners unwilling to let their prized (and in some cases, very expensive) hardware leave their sight.  But what about some of the lesser used, but no less valuable, licencing dongles out there?  At the moment, most labs will resound to the cries of “who’s got the X dongle? I need it to do Y”.  Several minutes of frantic searching and head scratching then ensues, until someone remembers that they borrowed it to use in the imaging lab for five minutes, two weeks ago. 

One solution to this problem is a dongle server (figure 1).

 Figure 1

This little piece of kit may look like an ordinary powered USB hub, but it can do so much more.  The dongle server runs its own operating system, which manages each USB port separately.  When a dongle is plugged into a USB port, the operating system is then able to present this dongle to the attached network.  Using client software installed on remote workstations, practitioners are then able to grab the use of this dongle via the network, and use it as if it were plugged into their own machine.  The use of the dongle is exclusive to the person that has taken ownership of it, but they are able to surrender control at any time, and the next user can take on the use of the licence.  Each USB port is independently configurable to allow only certain users or IP addresses to make use of the licence(s).

Figure 2

This means that all of your ‘we use this once in a blue moon’ licencing dongles can be stored in one location, and accessible to all of your staff via your forensic network.  The port area of the dongle server is lockable, meaning that no-one is able to remove dongles without the key; and if you use the rack-mounting kit, the dongle server can even go in your server rack for further security. 

Figure 3

If working practices allow, the dongle server can be accessed over the Internet, meaning that on-site working doesn’t have to involve carrying around thousands of pounds worth of dongles.  A remote worker can also have temporary access to a dongle when required.  The server works with all the common forensic dongles such as Feitian, Aladdin HASP, SafeNet and Wibu CodeMeter.  This means that even your core forensic function dongles can be kept securely locked away, safe from loss or damage.

Main Benefits

• Easily share any licensing dongle via the local area network
• Lock away expensive dongles to prevent theft
• Easily share, and provide dongle access to remote workers
• Easily share licensing dongles in the office without having to constantly plug/unplug and throw them around

This would be an ideal purchase for small offices that cannot afford to buy licences for everyone, particularly for expensive software which may not be used every day.

We are currently selling the MyUTN-80 for £698, + VAT and shipping.  Please feel free to contact us on 0845 224 8892 (or +44 (0) 203 384 3587) to discuss any questions you may have about the functionality of the kit or to place an order.

We are pleased to announce the launch of our new, and much improved, Knowledge Base.  Each software product now has its own unique space which is fully searchable and full of rich, dynamic content such as technical articles, RSS feeds, blog posts, FAQ, Problem Solving and Tutorials.  Each knowledge base article can be easily exported in PDF and is easily viewable within a web browser or mobile device. 

Take a look for yourself – to get started, here are the main Product Spaces for NetAnalysis, HstEx and Blade:

• NetAnalysis Knowledge Base – Home Page
• HstEx Knowledge Base – Home Page
• Blade Knowledge Base – Home Page

A frequent question when dealing with browser forensics is ‘Does the Hit Count value mean that the user visited site ‘x’, on ‘y’ occasions?’ Most browsers record a ‘Hit Count’ value in one or more of the files they use to track browser activity, and it is important that an analyst understands any potential pitfalls associated with the accuracy, or otherwise, of this value.

We recently received a support request from an analyst who was analysing Internet Explorer data. They had found a record relating to a Bing Images search, which showed a hit count of 911. The particular search string was significant, and very damning had it actually been used 911 times. The analyst wanted to know if the hit count value could be relied upon.

The following experiment was carried out in order to establish how this surprisingly high hit count value could have been generated. In order to obtain a data set which contained as little extraneous data as possible, a brand new VMWare virtual machine was created. The machine was setup from the Microsoft Windows XP SP3 installation disc, which installed Internet Explorer v 6.0.2900.5512.xpsp.080413-2111 by default. Two user accounts were created on the machine – one to be used as an Admin account, for installing software etc; and the other to be used as the ‘browsing’ account. This separation of the accounts further assisted with minimising the possibility of any unwanted data being present within the ‘browsing’ account. Using the Admin account, the version of Internet Explorer in use on the virtual machine was upgraded to IE v 8.0.6001.18702. The ‘browsing’ account was then used for the first time. Starting Internet Explorer immediately directed the user to the MSN homepage. The address ‘www.bing.com’ was typed into the address bar, which led to the Bing search engine homepage. The ‘Images’ tab was clicked. This Auto Suggested a search criterion of ‘Beautiful Britain’, as can be seen in the figure below:

Figure 1

The term ‘aston martin’ was then typed into the search box, as shown below:

Figure 2

None of the images were clicked or zoomed, nor was the result screen scrolled. Internet Explorer was closed, and the browsing account logged off. The Admin account was used to extract the browser data for processing in NetAnalysis. The below image shows some of the results. Both of these entries are from Master History INDEX.DAT files:

Figure 3

As can be seen, both entries show a hit count of 5. Both of these pages were visited only once, so it is immediately apparent that the hit count value maintained by Internet Explorer may not be an accurate count of how many times a particular page has been visited. However, this still did not explain how Internet Explorer had produced a hit count of 911.

The virtual machine was started again, and the browsing account logged on. The previous steps were repeated; typing ‘www.bing.com’ into the URL bar; visiting the Bing homepage; and clicking on the ‘Images’ tab. Once again, Bing Auto Suggested the search criterion of ‘Beautiful Britain’, and displayed the same thumbnail results page. The search criterion ‘aston martin’ was again typed into the search box and the same thumbnail results page was produced. None of the images were clicked or zoomed. The results page was scrolled using the side scroll bar, which generated more thumbnails as it went. Internet Explorer was closed, and the browsing account logged off. The Admin account was used to extract the browser data for processing in NetAnalysis. The below image shows some of the results. Both of these entries are again from Master History INDEX.DAT files:

Figure 4

As can be seen, the ‘Beautiful Britain’ search now has a hit count of 13 – it is not at all clear how Internet Explorer determined this figure. Moreover, the ‘aston martin’ search now shows a hit count of 511. This page was not visited 511 times, nor were 511 of the thumbnail images clicked. The contents of the INDEX.DAT for the local cache folders (Content.IE5) were checked to see how many records were held relating to thumbnails that had been cached. The results were as follows:

Figure 5

So it does not even appear that there are 511 thumbnails held in the local cache. The result page was scrolled quickly, so the user did not see a large proportion of the thumbnail images.

In conclusion, it is apparent that the ‘Hit Count’ maintained by Internet Explorer cannot be relied upon. Although this experiment involved a quite specific process relating solely to image searches carried out on one particular search engine, the disparity between results and reality makes it clear that unquestioning acceptance of what Internet Explorer is recording as a ‘Hit Count’ could lead to significant errors if presented in evidence.

To complete the experiment, two further identical Virtual Machines were created. On one, the Google Chrome browser (v 15.0.874.106 m) was installed and used. On the other, the Mozilla Firefox browser (v 8.0) was installed and used. The same steps were repeated: typing ‘www.bing.com’ into the URL bar; visiting the Bing homepage; and clicking on the ‘Images’ tab. The results from these processes are shown below:

Chrome:

Figure 6

Firefox:

Figure 7

It is apparent that both of these browsers seem to maintain a more accurate ‘Hit Count’.