Issues on Internet Browser History Analysis

 p4c0
(@p4c0)
Posts: 9
Active Member
Topic starter
 

Hi all,

I'm currently doing an analysis and, while extracting records from index.dat files, I noticed a big incongruity in the results of different tools.

The file I tested is the one located under C:\Documents and Settings\<user>\Local Settings\History\History.IE5\index.dat

These are the entries extracted by different tools:
pasco 2699
Index.dat Analyzer 3166
Mandiant WebHistorian 3194
NetAnalysis 3194
Gaijin Historian 1979

Has anybody experienced something similar or has an explanation for this? I'm really surprised by pasco's (bad) result.
I'll try to test it with other dat files to see if this was just an unlucky isolated case.

Thanks to everybody.

p4c0

 
Posted : 29/04/2010 4:03 pm
CFEx
(@cfex)
Posts: 69
Trusted Member
 

Could it be that they do not use the same criteria to analyze and to report?

 
Posted : 29/04/2010 9:32 pm
(@ddewildt)
Posts: 123
Estimable Member
 

Have you looked to see what kind of entries they are? For instance, NetAnalysis will show much more than just the URL records (like redirects, secure accesses, cache entries etc.), so it could just be that one product is not going to the same depth as the other…

 
Posted : 29/04/2010 10:46 pm
(@forensicakb)
Posts: 316
Reputable Member
 

What #2 said.

 
Posted : 30/04/2010 2:59 am
CFEx
(@cfex)
Posts: 69
Trusted Member
 

My question was a rhetorical one, by the way.

p4c0, you need to remember that software developers may have the same objective, in this case to analyze the index.dat, but how they get there is what creates differentiation: the lines of code, the features, etc.

It may be better if you understand what each tool does in order to provide results. Then you'll find the answer to your original post. You compare apples to oranges with your approach.

I tested Pasco some time ago, and what I remember is that you point the tool to a file. With Web Historian, and possibly the other tools, you can also point to the file you want to analyze or let the tool find any files, and the latter may account for the difference, in part; again, taking into account that those tools may use different criteria for analysis.

 
Posted : 30/04/2010 9:41 am
 p4c0
(@p4c0)
Posts: 9
Active Member
Topic starter
 

> My question was a rhetorical one, by the way.
>
> p4c0, you need to remember that software developers may have the same objective, in this case to analyze the index.dat, but how they get there is what creates differentiation: the lines of code, the features, etc.
>
> It may be better if you understand what each tool does in order to provide results. Then you'll find the answer to your original post. You compare apples to oranges with your approach.

The goal of each of these tools is to parse and extract all the info that is inside the index.dat files. Since in that file there are "file" access records and "url" access records, I could understand it if one of them would extract only one type. But since all of them extract both, I don't understand which ones they are skipping.
From my point of view, I could understand some of those tools providing more information on every record compared to the other tools. But I expect the number of records to be the same.

> I tested Pasco some time ago, and what I remember is that you point the tool to a file. With Web Historian, and possibly the other tools, you can also point to the file you want to analyze or let the tool find any files, and the latter may account for the difference, in part; again, taking into account that those tools may use different criteria for analysis.

Yes, WebHistorian can find the files itself, but it will write the results of every single file on a different tab in the Excel report… obviously I was comparing the same one with each tool.

Since they don't have the same output format, it's not even easy to do a simple diff of the outputs… but that is what I'll try to do as a last resort.

Any better idea?

 
Posted : 30/04/2010 2:00 pm
(@belkasoft)
Posts: 169
Estimable Member
 

We investigated the same issue when developing our Belkasoft Browser Analyzer and found that regular analysis of index.dat does not retrieve deleted/invalid entries in this file. This is, though, possible, as even a damaged entry can have a valid signature before it. So a carver tool will find all such entries perfectly.

 
Posted : 30/04/2010 11:52 pm
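To make the "referenced records" versus "carved signatures" distinction concrete, here is an added example (not code from any of the tools named in this thread). It builds a constructed, simplified index.dat-like buffer (128-byte blocks, a header pointing at a HASH block, records tagged "URL ", "REDR" and "LEAK") and counts records two ways: by following the hash table, as a regular parser does, and by scanning every block boundary for a signature, as a carver does. The block layout, flag values and payloads are assumptions for illustration, not a byte-accurate reproduction of the real format.

```python
import struct

BLOCK = 128                       # records are allocated in 128-byte blocks
RECORD_SIGS = (b"URL ", b"REDR", b"LEAK")
HEADER_MAGIC = b"Client UrlCache MMF Ver 5.2\x00"
HASH_TABLE_PTR = 0x20             # header field: offset of the first HASH block (assumed layout)

def make_record(sig: bytes, payload: bytes) -> bytes:
    """One record: 4-byte signature, 4-byte block count, payload, zero padding."""
    return (sig + struct.pack("<I", 1) + payload).ljust(BLOCK, b"\x00")

def build_sample() -> bytes:
    """Constructed sample (simplified, not a real dump): header, HASH block, 5 records.
    Only the first three records are still referenced from the hash table; the LEAK
    record and the last URL record keep valid signatures but their slots were cleared."""
    records = [
        make_record(b"URL ", b"Visited: user@http://example.test/a\x00"),
        make_record(b"REDR", b"http://example.test/redirect\x00"),
        make_record(b"URL ", b"Visited: user@http://example.test/b\x00"),
        make_record(b"LEAK", b"http://example.test/cached\x00"),
        make_record(b"URL ", b"Visited: user@http://example.test/old\x00"),
    ]
    live = [0, 1, 2]
    header = (HEADER_MAGIC.ljust(HASH_TABLE_PTR, b"\x00")
              + struct.pack("<I", BLOCK)).ljust(BLOCK, b"\x00")
    # hash entries: (flags, record offset) pairs, starting 16 bytes into the HASH block
    entries = b"".join(struct.pack("<II", 0x10000 + i, (2 + i) * BLOCK) for i in live)
    hash_block = (b"HASH" + struct.pack("<II", 1, 0) + b"\x00" * 4 + entries).ljust(BLOCK, b"\x00")
    return header + hash_block + b"".join(records)

def parse_allocated(data: bytes) -> list:
    """Regular parse: follow the hash table and return only records it still references."""
    hash_off = struct.unpack_from("<I", data, HASH_TABLE_PTR)[0]
    assert data[hash_off:hash_off + 4] == b"HASH"
    nblocks = struct.unpack_from("<I", data, hash_off + 4)[0]
    found = []
    for pos in range(hash_off + 16, hash_off + nblocks * BLOCK, 8):
        _flags, rec_off = struct.unpack_from("<II", data, pos)
        if rec_off and data[rec_off:rec_off + 4] in RECORD_SIGS:   # rec_off 0 = empty slot
            found.append((rec_off, data[rec_off:rec_off + 4]))
    return found

def carve_records(data: bytes) -> list:
    """Carve: accept any block boundary that starts with a record signature."""
    return [(off, data[off:off + 4]) for off in range(0, len(data), BLOCK)
            if data[off:off + 4] in RECORD_SIGS]

def unreferenced_offsets(data: bytes) -> list:
    """Records a carver reports that a hash-table walk never reaches."""
    live = {off for off, _ in parse_allocated(data)}
    return [off for off, _ in carve_records(data) if off not in live]
```

On the constructed sample the hash-table walk returns 3 records and the carve returns 5; the two extra offsets are exactly the deleted entries whose signatures survived, which is the kind of gap the record counts above can reflect.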
CFEx
(@cfex)
Posts: 69
Trusted Member
 

> Hi all,
>
> I'm currently doing an analysis and, while extracting records from index.dat files, I noticed a big incongruity in the results of different tools.
> p4c0

Maybe you can elaborate on the reason you are doing analysis. What are you trying to accomplish?

 
Posted : 01/05/2010 2:34 am
(@xaberx)
Posts: 105
Estimable Member
 

Try out ours; just curious how many it finds compared to them. We deconstructed the Index.dat file by hand to be sure to get all the different redirects, etc.

It's found at
www.wiseforensics.com

Hope it helps clarify the results you're seeing, and it should provide a comparison to the others as well.

Hope it helps
Ryan Manley
Wise Forensics LLC
www.wiseforensics.com

 
Posted : 01/05/2010 8:42 am