The majority of the investigations I have to perform lately revolve around internet usage and I'm wondering if anyone has any suggestions on quickly and easily pulling a decent report of internet usage from a machine remotely.
Ideally, I would be able to simply point the tool to a mapped network drive or drive image and get a nice report of all the URLs visited with a time stamp. Would also be useful if it would associate it with the particular user profile that it was found under. And it would need to support IE, Chrome, and Firefox. Not just one or the other.
I am not wanting one of the many USB tools that plug in and do this. So do any of you more seasoned forensics veterans know of any tools that do something similar?
Thanks.
Have you looked at NetAnalysis, by Digital Detectives, yet? Sounds close to what you are looking for. There are also EnScripts that would do this for you for EnCase. If you had Enterprise edition with the correct EnScripts you could easily get what you want over the network live.
Hope this helps.
IEF (Internet Evidence Finder), NetAnalysis and CacheBack are the major players in that market.
I am currently trying out NetAnalysis and trying to work up a quick easy report for the requests I get. We do have EEE……v7 (. So even if the enscripts did work, I'm sure it would take years to complete.
I had seen IEF and Belkasoft, but they either weren't as easy to use for remote usage, had an extremely limited trial which was too limited to be of any use, or both.
I will check out CacheBack as well.
I'm also looking into something such as Squid and/or WebSpy. Basically, I want to be able to pull a nice pretty, management approved, report that ties all web requests for a given time period. The hard part has been finding a way to do this with it tied to a specific user account instead of just a source IP address.
Thanks for the input so far.
Free to download and use - no restrictions
"Mandiant’s Web Historian helps users review the list of websites (URLs) that are stored in the history files of the most commonly used browsers, including Internet Explorer, Firefox and Chrome."
http//
I take remote control of a client's computer by having them run TeamViewer and then I install this on their system. Not forensically defensible, but it works.
I take remote control of a client's computer by having them run TeamViewer and then I install this on their system. Not forensically defensible, but it works.
Could you explain this bolded bit please. I'm wondering why use something that you know goes against the norm. Just a question.
Thank you
IEF (Internet Evidence Finder), NetAnalysis and CacheBack are the major players in that market.
Out of curiosity, has anyone had a positive experience with CacheBack? I have used it on three occasions and found it to be more frustratingly slow than EnCase v7… yes, that slow! Perhaps I didn't read the instructions correctly, but our machines are fairly good spec and for some reason this software just took forever to sort/filter/populate!!
Maybe it is easier to split your case.
1. A way to get a decent report of internet activity
2. Do it remotely
Indeed, in my opinion NetAnalysis is a great tool to parse internet browser records and Internet Evidence Finder is awesome if you're looking for the contents itself, like chat history etc.
A way to get the information remotely is combining these tools with a tool like F-Response.
I don't have any experience myself, but on the F-Response blog there is a story about this combination.
Good luck
To explain the quoted bold you were asking about: it is not forensically sound due to having to install it directly on the custodian's device. Traditionally speaking, this is not forensically sound and an attorney may have a field day trying to discredit you in court. It is viewed as compromising your evidence.
FYI this is not a jab at anyone's procedures, just trying to explain from a traditional standpoint.
Hello,
You can download a trial of Internet Evidence Finder (IEF) from
I would be happy to answer any other questions you may have.
Regards,
Adam
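For the report asked for at the top of the thread (URLs with time stamps, tied to the user profile they were found under), here is an added sketch that is not from any poster or from the tools named above. It assumes the default Windows locations of the Chrome and Firefox history databases under a mounted image's or mapped drive's `Users` directory; Internet Explorer keeps its history in a different, non-SQLite format and is not covered.

```python
import sqlite3
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# browser: (glob under Users/<profile>, visit query, epoch of the microsecond timestamps)
# The paths are assumed default install locations, not values taken from the thread.
SOURCES = {
    "Chrome": ("AppData/Local/Google/Chrome/User Data/*/History",
               "SELECT u.url, v.visit_time FROM visits v JOIN urls u ON u.id = v.url",
               datetime(1601, 1, 1, tzinfo=timezone.utc)),
    "Firefox": ("AppData/Roaming/Mozilla/Firefox/Profiles/*/places.sqlite",
                "SELECT p.url, h.visit_date FROM moz_historyvisits h"
                " JOIN moz_places p ON p.id = h.place_id",
                datetime(1970, 1, 1, tzinfo=timezone.utc)),
}

def read_visits(db_path, query, epoch):
    """Return [(utc_time, url)] from one history DB, opened read-only."""
    # mode=ro + immutable=1: no locks, journals or writes beside the evidence file.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        return [(epoch + timedelta(microseconds=us), url)
                for url, us in con.execute(query) if us]
    finally:
        con.close()

def history_report(users_dir):
    """Return sorted (utc_time, profile, browser, url) rows for every user profile."""
    rows = []
    for profile in (p for p in Path(users_dir).iterdir() if p.is_dir()):
        for browser, (pattern, query, epoch) in SOURCES.items():
            for db in profile.glob(pattern):
                try:
                    visits = read_visits(db, query, epoch)
                except sqlite3.DatabaseError as exc:  # corrupt or not a SQLite file
                    print(f"skipped {db}: {exc}", file=sys.stderr)
                    continue
                rows += [(t, profile.name, browser, url) for t, url in visits]
    return sorted(rows)

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python report.py <path to the Users directory of the mounted image>
    for t, user, browser, url in history_report(sys.argv[1]):
        print(f"{t:%Y-%m-%d %H:%M:%S}Z,{user},{browser},{url}")
```

Because the databases are opened with `immutable=1`, visits that exist only in an uncheckpointed `-wal` file next to the database are not included in the output.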