Bookmarking Evidence with Digital Detective’s NetAnalysis

Evidence

Once you have loaded your browser history and cache data into NetAnalysis, you will begin the review process, looking for items of evidence which either support or undermine your current investigation. During your review, you will identify URL records of interest which you may wish to produce in an evidential form.

This article looks at the bookmarking process and explains how to print a summary report. To demonstrate this, we shall use an example investigation involving the purchase of illegal firearms over the Internet.

Bookmarking

The first method we will look at is bookmarking. NetAnalysis has a facility to allow individual records to be bookmarked. Bookmarking allows the forensic investigator to add a text description to a specific record, which can later be printed in a report.

In this first example, we will look at the Google searches conducted by our suspect. To filter the searches, press F8 to open the filter form and enter “Google” as a filter keyword. Figure 1 shows the resulting search.

Figure 1: NetAnalysis search result

We can see that the first record returned contains a Google search for the phrase “sig sauer auto”. As this URL shows our suspect searching for firearms, we will bookmark this search. There are three possible ways to bookmark a search:

• Press the “Enter” or “Return” key;
• Select “Add / Edit Bookmark” from the Bookmark menu; or
• Right-click on the record and select “Add / Edit Bookmark”.

This will then open the bookmarking window which can be seen in Figure 2. As you can see, the form is split into two text areas. The top text box contains a decoded version of the URL record. The examiner will see a representation of the URL record with any encoded characters removed. Any Name|Value pair data is also split to make the record easier to understand.

Figure 2: NetAnalysis bookmark window, decoded URL record
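The decoded view described above can be cross-checked outside the tool when validating a finding. The Python sketch below is an added example, not NetAnalysis code and not a description of how NetAnalysis decodes records; the sample URLs are constructed and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample URL records (not taken from the article's case data).
SAMPLE_RECORDS = [
    "http://www.google.com/search?hl=en&q=sig+sauer+auto&btnG=Google+Search&meta=",
    "http://www.google.com/search?hl=en&q=%22sig%20sauer%22+p226&meta=",
    "http://www.example.com/index.html",
]


def keyword_filter(records, keyword):
    """Case-insensitive substring match, comparable to a keyword filter."""
    needle = keyword.lower()
    return [r for r in records if needle in r.lower()]


def decode_record(url):
    """Return host, decoded path and decoded name/value pairs for a URL."""
    parts = urlsplit(url)
    # keep_blank_values: an empty parameter such as "meta=" is still part of
    # the record. errors="replace": malformed percent-escapes do not raise.
    pairs = parse_qsl(parts.query, keep_blank_values=True,
                      encoding="utf-8", errors="replace")
    return {"host": parts.hostname or "",
            "path": unquote(parts.path),
            "pairs": pairs}


def search_terms(url, param="q"):
    """Values of the search parameter (assumed here to be 'q')."""
    return [value for name, value in decode_record(url)["pairs"]
            if name == param]


def format_record(url):
    """Render the record with one 'Name | Value' line per parameter."""
    rec = decode_record(url)
    lines = ["Host: " + rec["host"], "Path: " + rec["path"]]
    lines += ["{} | {}".format(name, value) for name, value in rec["pairs"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for record in keyword_filter(SAMPLE_RECORDS, "Google"):
        print(format_record(record), end="\n\n")
```

Record the original, undecoded URL alongside any decoded form in your notes, since the decoded text is an interpretation of the stored record rather than the record itself.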

The text box in the lower half of the form is where you can add the bookmark information for this record (as shown in Figure 3).

Figure 3: NetAnalysis bookmark window, bookmark text

Click OK to save this bookmark. Now that this record has a bookmark entry associated with it, the bookmark icon will appear at the start of the URL record, as shown in Figure 4.

Figure 4: NetAnalysis bookmark icon

Advanced Evidence Report

The Advanced Evidence Report is a summary report which will show the current filtered list. To filter only records containing bookmarks, press CTRL + F9 or select “Filter Records with Bookmarks” from the Filter menu.

The report can be run by selecting Reports >> Advanced Evidence Report >> Preview Report or pressing CTRL + R. The report will provide a summary of the important fields within the record and show the bookmark text (as highlighted in Figure 5).

Figure 5: NetAnalysis Advanced Evidence Report


Published by Robert Rutherford
