We are pleased to announce that the next major release of NetAnalysis® and HstEx® has just been published. For an overview of the new features we are shipping inside NetAnalysis® v2.2 and HstEx® v4.2, please take a moment to review our release notes and change log:
NetAnalysis® v2.2
This release brings a number of new features and improvements. We have added support for six new browsers as well as making the necessary updates required to support the changes in the mainstream browsers. We have also added support for some new artefacts.
New NetAnalysis® Browser Support
We have added new support in NetAnalysis® for the forensic analysis of the following browsers:
- 360 Browser v7
- Comodo Chromodo v36 – 43
- Sleipnir (Windows) v3 – 6
- Sleipnir (OS X) v3 – 4
- Titan Browser v1 – 33
- Vivaldi v1
- Yandex v1 – 15
New Artefacts
Favicons
We have added support for the import of Favicon data as well as extraction of icons and associated Favicon images to the export folder for the following browsers:
- Apple Safari
- Google Chrome and Chromium Based Browsers
- Mozilla Firefox and Mozilla Based Browsers
- Opera (Presto)
- Opera
The following screen shows some filtered Favicon entries from Safari.
During the import process, the actual icons/image files are extracted to the export folder. Open the export folder by selecting Tools » Open Case Export Folder and select the Favicons folder for the corresponding browser. This will show you all of the extracted images. You can match the unique reference number for the image (URN) to the unique reference number of the record entry. The image below shows a typical Favicons folder.
Any History record which has an associated Favicon entry will have the Favicon URL displayed in the Favicon URL column for that entry.
Chromium Session / Tab Restore
Google Chrome and many of the Chromium based browsers store session and tab information in four files:
- Current Session
- Current Tabs
- Last Session
- Last Tabs
These files store information relating to the current and last browsing session and can be very helpful in a forensic investigation. We have now added support to import the tab navigation information. The screen below shows opening a new session with the default new tab selected and then directly navigating to a test page on the Digital Detective web site.
Base58 Decoding
Base58 is a group of binary-to-text encoding schemes used to represent large integers as alphanumeric text. It is similar to Base64 but has been modified to avoid both non-alphanumeric characters and letters which might look ambiguous when printed. It is therefore designed for human users who manually enter the data, copying from some visual source, but also allows easy copy and paste because a double-click will usually select the whole string.
Compared to Base64, the following letters have been omitted from the alphabet: 0 (zero), O (capital o), I (capital i) and l (lower case L) as well as the non-alphanumeric characters + (plus) and / (slash). In contrast to Base64, the digits of the encoding don’t line up well with byte boundaries of the original data. For this reason, the method is well-suited to encode large integers, but not designed to encode longer portions of binary data. The actual order of letters in the alphabet depends on the application, which is the reason why the term “Base58” alone is not enough to fully describe the format.
Base58 is used for:
We have added Base58 decoding to the decoding/examination window. The following shows an example Bitcoin address being decoded:
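The following Python code is an added example, not code from NetAnalysis® or from the original page. It decodes Base58 with a selectable alphabet, rejects the omitted characters, and validates the 4-byte double SHA-256 checksum that Bitcoin's Base58Check format appends to an address. The sample address is constructed from a made-up 20-byte hash, and all function names are assumptions of this example.

```python
import hashlib

# Two real Base58 alphabets: the same 58 symbols in a different order.
BITCOIN = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
FLICKR = "123456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ"

def b58decode(text, alphabet=BITCOIN):
    """Decode Base58 text to bytes; each leading first-symbol char is a 0x00 byte."""
    num = 0
    for ch in text:
        idx = alphabet.find(ch)
        if idx < 0:  # 0, O, I, l, + and / are never valid
            raise ValueError(f"invalid Base58 character {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip(alphabet[0]))
    return b"\x00" * pad + body

def b58encode(data, alphabet=BITCOIN):
    """Inverse of b58decode, used here only to build the constructed sample."""
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = alphabet[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return alphabet[0] * pad + out

def checksum(payload):
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def decode_address(addr):
    """Return (version byte, payload); raise ValueError on a bad checksum."""
    raw = b58decode(addr)
    if len(raw) < 5:
        raise ValueError("too short for Base58Check")
    payload, check = raw[:-4], raw[-4:]
    if checksum(payload) != check:
        raise ValueError("checksum mismatch")
    return payload[0], payload[1:]

# Constructed sample: version 0x00 plus a made-up 20-byte hash (not a real wallet).
SAMPLE_HASH = bytes(range(1, 21))
_body = b"\x00" + SAMPLE_HASH
SAMPLE_ADDR = b58encode(_body + checksum(_body))
```

Because the alphabet order is application-specific, the same string decodes to different bytes under `BITCOIN` and `FLICKR`; a failed checksum on a recovered string usually means a truncated or mistyped value, or a different Base58 variant.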
HstEx® v4.2
This release brings support for an additional six new browsers, updated support for all the existing supported browsers and some user interface enhancements.
New HstEx® Browser Support
We have added new support for the following browsers:
- 360 Browser v7
- Comodo Chromodo v36 – 43
- Sleipnir (Windows) v3 – 6
- Sleipnir (OS X) v3 – 4
- Titan Browser v1 – 33
- Vivaldi v1
- Yandex v1 – 15
Updates for Existing Browsers
Google Chrome has updated the SQLite database schema format number for new databases, which has resulted in a significant change to the on-disk structure of individual SQLite records. To take this change into account, we have updated the recovery engine for Chrome Cookies, Downloads and History entries.
To review the current supported browsers, please see: Supported Browsers
User Interface Enhancements
To assist with selecting the most appropriate recovery modules, we have added a new toolbar to the Recovery Job window. It is now possible to select the following recovery profile scenarios:
- Common: This option selects the most common recovery profiles
- Windows: This option selects the recovery profiles for browsers that can be installed on Windows
- OS X: This option selects the recovery profiles for browsers that can be installed on OS X
- Linux: This option selects the recovery profiles for browsers that can be installed on Linux
- Xbox: This option selects the recovery profiles for browsers that can be installed on Xbox
- Select All: This option selects all recovery profiles
- Clear All: This option deselects any currently selected recovery profiles