HstEx v3.8 Released
We are pleased to announce the release of HstEx v3.8. This version brings a number of new features as well as improvements to existing ones. There have been many changes to the top five browsers over the past few months; HstEx v3.8 recovers artefacts from the latest versions of Google Chrome, Mozilla Firefox, Microsoft Internet Explorer and Apple Safari.
Figure 1
This release (see the v3.8 change log) adds new functionality for source processing and browser support. We have added support for processing data saved in the Advanced Forensic Format, the ability to recover Google Chrome cache records, and support for Logicube Dossier E01 images.
- Full change log for version 3.8
- List of supported browsers
- List of supported source types and data formats
Advanced Forensic Format (AFF®) Support
The Advanced Forensic Format (AFF®) is an extensible open format for the storage of disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology. HstEx (and Blade) now support the processing of AFF® image files alongside the other forensic image formats already supported. The following page lists the currently supported file formats: Forensic Image Formats Supported by HstEx.
Recovery of Deleted Google Chrome v2 to v19 Cache Records
HstEx version 3.8 adds the ability to recover live and deleted Google Chrome cache records from all source data types. This is a significant addition to the software: previously it was only possible to examine live records that were still present on a suspect system. HstEx v3.8 can recover cache entries from Google Chrome v2 through to the current release, v19.
Figure 2
Recovery of Deleted Mozilla Firefox v1 to 12 Cache Records
Mozilla has committed to a more aggressive release schedule for the Firefox web browser. There were nearly three years between the launch of Firefox 3 and Firefox 4; versions 5 to 12, however, have been released within a matter of months. This has been a technical challenge from a support point of view, as many artefacts have changed between these releases. We are pleased to announce that HstEx now supports Mozilla Firefox cache entries from all versions, from version 1 through to the current release, Firefox 12.
Figure 3
Recovery of Firefox v12 ‘moz-pages-thumb’ entries
Firefox 13 will bring a slightly new look to some parts of the browser. Both the New Tab page and the Home Page have been redesigned. The New Tab page now shows links to your most recently and most frequently visited sites, much like Opera's Speed Dial (which Chrome also mimics). Some of this functionality has already been added to Firefox v12 in anticipation of the release of Firefox v13.
Figure 4
Whilst Firefox v12 does not show the new Speed Dial page when a new tab is opened, the page thumbnails are still saved to the cache when a page is visited. The URL portion of such a cache entry looks like this:
Figure 5
We have added support to HstEx to recover these entries as part of Firefox cache recovery. NetAnalysis v1.54 also supports these cache entries, with the added bonus of being able to extract the page-thumb file itself (usually stored in PNG format).
Read more about Firefox Version 13.
Logicube Forensic Dossier® E01 Support
According to Logicube:
“The sixth generation of computer forensic solutions from Logicube, the Forensic Dossier® was designed and engineered exclusively to meet forensic investigators’ requirements. Version 2.0.1 provides support for the E01 file format compression (hardware-based compression to maintain line-speed performance), and support for NTFS file format for support of 2TB and greater capacity hard drives and support of single, disk-wide dd image capture.”
With HstEx v3.8, we have added support for the E01 files produced by the Logicube Forensic Dossier. Earlier versions of HstEx were unable to load and read E01 files generated by the Logicube Dossier because of an incompatibility in the metadata fields: some of the values written to these fields are in a different format from those written by EnCase or FTK Imager. This has now been resolved.
Figure 6