Bookmarking Evidence with Digital Detective’s NetAnalysis
Once you have loaded your browser history and cache data into NetAnalysis, you will begin reviewing it for items of evidence which either support or undermine your current investigation. During your review, you will identify URL records of interest which you may wish to produce in an evidential form.
This article looks at the bookmarking process and explains how to print a summary report. To demonstrate this, we shall use an example investigation involving the purchase of illegal firearms over the Internet.
The first method we will look at is bookmarking. NetAnalysis has a facility to allow individual records to be bookmarked. Bookmarking allows the forensic investigator to add a text description to a specific record, which can later be printed in a report.
In this first example, we will look at the Google searches conducted by our suspect. To filter the searches, press F8 to open the filter form and enter “Google” as a filter keyword. Figure 1 shows the resulting search.
We can see that the first record returned contains a Google search for the phrase “sig sauer auto”. As this URL shows our suspect searching for firearms, we will bookmark this search. There are three possible ways to bookmark a search:
• Press the “enter” or “return” key;
• Select “Add / Edit Bookmark” from the Bookmark menu; or
• Right-click on the record and select “Add / Edit Bookmark”.
This will then open the bookmarking window, which can be seen in Figure 2. The form is split into two text areas. The top text box contains a decoded version of the URL record: the examiner sees a representation of the URL with any encoded characters decoded. Any Name|Value pair data is also split out to make the record easier to understand.
The text box in the lower half of the form is where you can add the bookmark information for this record (as shown in Figure 3).
Click OK to save this bookmark. Now that this record has a bookmark entry associated with it, the bookmark icon will appear at the start of the URL record, as shown in Figure 4.
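The decoded view described above can be cross-checked independently before a record is bookmarked. The following is an added example, not part of the original article and not NetAnalysis code; the sample URL is constructed, the function names and output layout are assumptions, and `q` is assumed to be the parameter carrying the Google search phrase.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample record: a Google search URL as it might appear in history.
SAMPLE_URL = ("http://www.google.com/search?hl=en&q=sig+sauer+auto"
              "&btnG=Google+Search&meta=")


def decode_url_record(url):
    """Decode a URL record into its host, path and name/value pairs."""
    parts = urlsplit(url)
    # keep_blank_values keeps empty parameters such as "meta=", so the
    # decoded view accounts for every field present in the raw record.
    # errors="replace" prevents malformed byte sequences from aborting the parse.
    pairs = parse_qsl(parts.query, keep_blank_values=True,
                      encoding="utf-8", errors="replace")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "path": unquote(parts.path),
        "pairs": pairs,
    }


def search_terms(url, keys=("q",)):
    """Return the non-empty search phrase(s) found in the query string."""
    record = decode_url_record(url)
    return [value for name, value in record["pairs"] if name in keys and value]


def format_record(url):
    """Render the decoded record one field per line (layout is illustrative)."""
    record = decode_url_record(url)
    lines = [f"{record['scheme']}://{record['host']}{record['path']}"]
    lines += [f"{name} = {value}" for name, value in record["pairs"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_record(SAMPLE_URL))
    print("Search terms:", search_terms(SAMPLE_URL))
```

Comparing this output with the top text box of the bookmarking window gives a second, tool-independent reading of the same record.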
Advanced Evidence Report
The Advanced Evidence Report is a summary report which will show the current filtered list. To filter only records containing bookmarks, press CTRL + F9 or select “Filter Records with Bookmarks” from the Filter menu.
The report can be run by selecting Reports >> Advanced Evidence Report >> Preview Report or pressing CTRL + R. The report will provide a summary of the important fields within the record and show the bookmark text (as highlighted in Figure 5).