Web History Analysis for Forensic Investigations!

Published: June 30th, 2016
Introduction
In digital forensics, browser forensics, and web history analysis in particular, often comes into the picture. Web browser history is a crucial element of digital forensics, and many evidentiary traces can be carved out of it to obtain critical evidence. For instance, critical evidence can be found in online searches, web histories, web-based emails, etc. Web history analysis traces factors such as a searched alibi, the profile of the suspect, case-related searches, etc. Acquiring these details can help investigators resolve a case based on digital evidence.
Where to Acquire Details for Web History Analysis?
Web history files are stored on the system in specific directories, and they can be investigated and analyzed once they have been acquired. Different browsers store their history files in different locations. Users can acquire these history files by going to those locations and copying the files.
Internet Explorer:
Google Chrome:
Mozilla Firefox:
Why Is Browser File So Important?
The browser history file is a database that records entities such as the web pages visited, URLs checked, keywords searched, the date and time of the searches made, number of visits, time of visits, title, ids, the number of times the address was typed or accessed, the referrer, and the visit ids. Everything is recorded in this SQLite database in tabular format, which can be viewed and analyzed to examine hidden facts. The basic motivation for examining web history is to see what the suspect did online during the specific time period of the crime. When this SQLite database file is analyzed directly, however, the data looks cluttered, and it becomes quite difficult to analyze while it is presented in a disorganized manner.
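As an added illustration (not code from the original article), the sketch below reads a working copy of a history database through a read-only connection and lists the visits that fall inside a time window. It assumes a subset of Google Chrome's `urls` and `visits` table layout with WebKit timestamps; the sample rows, the example domains and the file name `History_copy` are constructed for the demonstration.

```python
import hashlib, os, sqlite3, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome counts microseconds from here

def webkit_to_utc(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_sample(path):
    """Constructed sample data; assumed subset of Chrome's urls/visits tables."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER);""")
    t = lambda h, m: utc_to_webkit(datetime(2016, 6, 30, h, m, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls VALUES(?,?,?,?,?,?)", [
        (1, "https://search.example/?q=train+times", "train times - Search", 2, 1, t(21, 5)),
        (2, "https://mail.example/inbox", "Inbox", 1, 0, t(9, 0))])
    con.executemany("INSERT INTO visits VALUES(?,?,?,?)", [
        (1, 2, t(9, 0), 0), (2, 1, t(20, 40), 0), (3, 1, t(21, 5), 2)])
    con.commit(); con.close()

def timeline(path, start, end):
    """Visits in [start, end), oldest first, as (utc_time, url, title, visits, typed, from_visit)."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: no writes to the evidence copy
    rows = con.execute("""
        SELECT v.visit_time, u.url, u.title, u.visit_count, u.typed_count, v.from_visit
        FROM visits v JOIN urls u ON u.id = v.url
        WHERE v.visit_time >= ? AND v.visit_time < ? ORDER BY v.visit_time""",
        (utc_to_webkit(start), utc_to_webkit(end))).fetchall()
    con.close()
    return [(webkit_to_utc(ts).isoformat(), *rest) for ts, *rest in rows]

def demo():
    path = os.path.join(tempfile.mkdtemp(), "History_copy")  # hypothetical working copy
    build_sample(path)
    before = sha256(path)
    day = datetime(2016, 6, 30, tzinfo=timezone.utc)
    rows = timeline(path, day.replace(hour=20), day.replace(hour=22))
    return rows, before == sha256(path)  # hash comparison shows the copy was not altered

if __name__ == "__main__":
    print(demo())
```

Hashing the working copy before and after the query gives a simple check that the analysis step did not change the file.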
Investigation usually covers all the Internet activity data files, which along with the history file include cookies, bookmarks, favicons, last sessions, login data, preferences, etc. To perform a thorough web-browser investigation, it is important to analyze all of these files. Note, however, that the suspect can delete these files to remove the evidence, so first make sure that the data is still available on the suspect's system.
Cached web pages contain a lot of information that can be used to reconstruct the suspect's internet activities. Internet Explorer was once used by almost all users. It keeps an Index.dat file, saved in a proprietary binary format, and some of its internal data can be used to reconstruct the file if it is not available on the system, given some expertise and external utilities. Similarly, browsers like Mozilla/Netscape/Firefox save complete activity in the history.dat file, which is an ASCII-format file.
How Visualization Can Help for Better Web History Analysis?
Many experts have realized that the text data in the history database file can be confusing and difficult to analyze. In such situations, visualization techniques can aid the analysis. With a graphical representation of the tables and text, it takes less time to scrutinize suspicious searches and the frequency of a particular URL or keyword search, and it becomes easier to spot patterns or correlations across a widespread data sheet. A visualization can be an image, graphic, animation, diagram, pie chart, etc. that displays the data in a way that is easier to understand. Modern applications can also provide mathematical and scientific visualizations, 3D designs, product visualization, and medical imaging; these techniques involve equations and formulae, photos or CAD, and data acquired from medical scanners. In short, a large dataset is represented visually for analysis.
However, data visualization has still not been adopted by several investigators, because investigation is a matter of time and analysis, and data visualization techniques take time and skill to produce a proper and neat analysis. To cut the extra time needed for visual analysis, users can turn to applications that display the web history file data in tabular format.
Conclusion:
The most important and crucial stage of web browser or web history forensics is identifying the browsers the user actively used and acquiring the history files without manipulating the data. Next comes the analysis of these web history files, which can be done with any open source SQLite database browser. If the databases are corrupted, or investigators want to analyze them in an organized manner, professional products like Sqlite Viewer can be used. This software can perform a complete analysis on corrupted or damaged SQLite databases as well, and it shows all the contents and elements available in the database files.