There are a number of ways we can capture and present internet history data to Browser History Examiner (BHE) for analysis. In a previous blog post we discussed the various methods for capturing internet history from a live system.
However, forensic examiners often require the use of forensic evidence container files to preserve the digital evidence for possible use in a court of law. In this case the internet history data will have been captured as part of a logical or physical imaging process using one of the available tools on the market for creating forensic images of data.
If logical imaging is carried out, the investigator may choose to collect only the internet history files themselves, the entire logical partition, or anything in between as part of their collection.
If physical imaging is carried out, the investigator has chosen to collect the entire physical drive, and the internet history files will be buried within the operating system's file system inside the forensic image.
Whichever method is chosen, the investigator will need to mount the forensic image in order to present the internet history data to BHE, as it does not directly support the parsing of forensic image files. There are a number of tools available for mounting forensic images. A favourite of ours is Mount Image Pro, but there are also free tools such as AccessData's FTK Imager.
The image below shows the mounting of an AD1 logical forensic image as a read-only drive.
The content of the forensic image is now mounted read-only as drive E:, and we can simply point BHE at the appropriate Windows user profile within the mounted drive to begin our examination of the associated internet history data.
If we do not want to analyse the history from all installed web browsers, we can use the 'Load history manually' option to load specific history profiles of interest. This can be seen below, where we have chosen to examine the Firefox browser history only.
This workflow, which can involve either free or commercial tools, ensures that the integrity of the internet history captured is maintained while allowing forensic examination of the data to continue.
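One way to check that integrity claim in practice is to record SHA-256 hashes of the browser history databases under the mounted profile before loading them into BHE, then re-hash afterwards and compare. This is an added example, not part of BHE or the original post; the browser paths are the usual default install locations (an assumption) and the profile path `E:\Users\alice` is a constructed placeholder.

```python
import hashlib
from pathlib import Path

# Assumed default locations of history databases, relative to a Windows
# user profile directory on the mounted image (not taken from the post).
HISTORY_GLOBS = {
    "Chrome": "AppData/Local/Google/Chrome/User Data/*/History",
    "Edge": "AppData/Local/Microsoft/Edge/User Data/*/History",
    "Firefox": "AppData/Roaming/Mozilla/Firefox/Profiles/*/places.sqlite",
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large databases are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(profile_dir, browsers=None):
    """Map 'Browser:relative/path' -> SHA-256 for each history file found."""
    profile = Path(profile_dir)
    manifest = {}
    for browser, pattern in HISTORY_GLOBS.items():
        if browsers and browser not in browsers:
            continue  # mirrors loading only selected browsers manually
        for path in sorted(profile.glob(pattern)):
            if path.is_file():
                rel = path.relative_to(profile).as_posix()
                manifest[f"{browser}:{rel}"] = sha256_file(path)
    return manifest

def compare_manifests(before, after):
    """Return entries that changed, disappeared or appeared between runs."""
    return {
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
        "missing": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
    }

if __name__ == "__main__":
    import json, sys
    # Constructed usage: python hash_history.py "E:\Users\alice" > before.json
    print(json.dumps(build_manifest(sys.argv[1]), indent=2))
```

Run it once before the examination and once after; an empty result from `compare_manifests` on the two manifests shows the mounted history files were not altered.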
To try this out for yourself, visit our Downloads page for a free trial of Browser History Examiner.