Forensic Software
NetAnalysis – Web Browser Forensic Analysis Suite
The forensic examination and analysis of user activity on a computer system can be the pivotal point of any criminal or civil case.
With the increase in the use of computers by paedophiles and other criminals who commit crime on the Internet, it is vital for digital forensics investigators to be able to extract this data, analyse it quickly and present the evidence in an understandable format.
More importantly, as a forensic specialist, you need to be sure that the software you use is accurate and can recover live and deleted data from a suspect system.
NetAnalysis is the industry-leading software for the recovery and analysis of Internet browser artefacts. It was developed in 2001 by a digital forensics practitioner working for a police Digital Forensics Unit in the United Kingdom. It is a feature-rich software suite specifically designed for the analysis of web browser data.
In use by law enforcement agencies around the world, this tool is ideal for the analysis of Internet history data. Some other forensic utilities only offer the ability to print the data, which can be many thousands of URLs. How do you sift through all that data and identify the all-important evidence? The answer is NetAnalysis: powerful searching, filtering and evidence identification with targeted evidence presentation.
Offline Cache Viewing and Web Page Rebuilding
The Offline Cache viewer is a very powerful feature – NetAnalysis will automatically rebuild HTML web pages from an extracted cache, automatically adding the correct location of the graphics, allowing you to view the page as the suspect did. NetAnalysis also allows you to easily view JPEG and other pictures that have been viewed by the suspect, straight from the cache!
The offline viewer can also be used as a viewer for forensic software such as EnCase. It is a fast, sleek offline HTML viewer which supports Flash movies, graphics formats and various plug-ins to view PDF and Office documents.
Auto Investigate Feature and Powerful SQL Queries
NetAnalysis also has a unique feature to quickly identify possible child pornography sites, search criteria typed by the user, passwords and usernames, and access to online storage.
NetAnalysis will automatically filter out possible search criteria. This allows you to separate this vital evidence and present it as a separate exhibit. How can the suspect claim he/she stumbled across the pictures by accident if you have pages and pages of search criteria looking for that material?
In addition, NetAnalysis also allows you to build keyword lists and SQL queries. These queries and lists can be shared amongst colleagues and saved for later use.
HstEx – Browser Data Recovery Tool
HstEx is a Windows-based, advanced professional forensic data recovery solution designed to recover browser artefacts and Internet history from a number of different source evidence types. HstEx supports all of the major forensic image formats. It is an integral part of the NetAnalysis suite and can recover deleted browser data from a number of different forensic sources.
The software has been designed for extremely fast and accurate data recovery. It has been written specifically for the field of digital forensics and was developed 100% in-house. Digital Detective Group is proud of the fact that we do not outsource any of our software development work, unlike other software companies.
Sources of Evidence
When performing web browser forensics, how do you find deleted Internet history? In addition to the live files on the system, Internet history and file activity can be found in numerous locations such as:
- Unallocated clusters
- Cluster slack
- Live memory, memory dumps and crash dumps
- Page files, system files, hibernation files
- System restore points
NetAnalysis has its own History Extractor (HstEx v3) which will search and extract history records from a variety of sources. The source of the evidence can be any of the popular forensic image files such as from EnCase or AccessData FTK, write-protected physical and logical devices, flat file monolithic image formats or segmented flat file images.
In some cases (such as Internet Explorer), HstEx / NetAnalysis does not need the full Internet history file; it can recover individual live and deleted records.