Apple
Safari
This
search will parse Safari web history from the Plist/Binary Plist files Safari
uses to store its data. This includes website visits, bookmarks, downloads,
cookies, last session, and “Top Sites” (including thumbnails). The software can
also carve Safari web history from live RAM, unallocated space, etc. and does
not need the entire Binary Plist file to be present for recovery.
Bing
Toolbar
The
Bing toolbar is a browser add-on where a user can perform Bing searches. While
the majority of the information, such as Facebook and email is encrypted
information, the softwareis able to retrieve the user search history. This
includes anything they have typed and searched for, or performed an
autocomplete and then conducted a search.
The
Bing Bar artifact is also capable of retrieving information from the mapping
capability of the Bing Bar. This includes the default location of where the
Bing Bar Map starts along with the latest locations the user searched for. The
amount of searches that are able to be retrieve varies based on the length of
the locations the user has searched for.
Browser
Activity - Chrome Incognito/Firefox Private Browsing
The
Browser Activity artifact will recover browser-related URLs, including Chrome
Incognito and Firefox Private Browsing URLs, HTTP request artifacts from
multiple browsers, and regular web browsing. These artifacts do not include
meta data like the Windows username, dates/times, etc. The intended use for
this artifact recovery is to recover private/incognito browsing but various
types of browsing activity will be recovered due to the nature of this
artifact. Please note that some recovered URLs can be from background browser
processes related to certificate authorities, etc. This artifact is meant to
assist with intelligence gathering and to recover browsing history when in
extreme cases where only private browsing was used or other forms of
anti-forensics.
Firefox
Places.Sqlite History Artifacts
This
is a first-of-its-kind search that recovers browsing history URLs from the
places.sqlite files Firefox® uses to store browsing history and other
information. The entire SQLite file is not required, only the individual
entries. Due to the format and nature of this artifact, some parsing must be
done to separate the URL and web page title items. Sometimes this parsing will
be incorrect, in this case please see the unparsed column for the original
data. Recovered items include the parsed URL, parsed web page title, visit
count, whether or not the URL was typed by the user, last visited time (in
UTC), and the unparsed URL/web page title.
.
Firefox
Formhistory.Sqlite Artifacts
This
is a first-of-its-kind search that recovers query history from the
formhistory.sqlite files Firefox® uses to store web page form entry history
(e.g. a search entered into Google or other search engine). The entire SQLite
file is not required, only the individual entries. Recovered items include the
fieldname (the name of the textbox the where the query was made), the value
(the text that was entered into the textbox on the web page, e.g. the search
term entered), number of times used, the date/time (UTC) the query was first
made, and the date/time (UTC) was last made.
Firefox
Sessionstore.Js Artifacts
This
search will recover URLs from the sessionstore.js file Firefox® uses to store
URLs to facilitate recovering from a web browser crash. The entire sessionstore.js
file is not required, only the individual entries. Recovered items can include
the URL, the web page title, and the referring URL. Some items will have the
web page title while some will only have the referring URL.
Google
Chrome History
This
search will parse Chrome web history from the SQLite files Chrome uses to store
its data. This includes website visits, downloads, keyword search terms, top
sites, cookies, autofill, autofill profiles, saved credit cards, logins,
archived web history, archived keyword search terms, and favicons data.
In a
separate search, the software also can carve the SQLite records from the
History files Chrome uses – no other tool can do this. Both the carving and
non-carving searches are performed when Chrome is checked.
Google
Maps
This
special artifact will carve for Google Maps URLs, whether or not they are
recoverable in regular web history formats. Recovered web history URLs are also
parsed for Google Maps data. The recovered information from these URLs can
contain:
- The
query the user entered
- The
starting location of a route
- The
center location of the map
- The
latitude and longitude of a business
- The
source address of the search
- The
destination address of the search
- The
route type of the search
- Additional
addresses in the search
- The
latitude and longitude while viewing in street view
- The
artifact the Google Maps URL was found in
- The
record number the Google Maps URL was found under
- The
date/time the search was performed
Google
Maps Tiles
This
search will recover tiles used in displaying Google Maps and also carve for
file names that match the format that the tile files are saved under. The
recovered tiles and tile coordinates (x, y, and zoom level) are displayed and
by clicking on the "Surrounding Area" tab, the software will download
the surrounding tiles to provide a view of the surrounding area. The 'World Map
View' will plot all recovered Google Maps coordinates and GPS coordinates found
in the Exif data of recovered pictures on a world map. Plotted points that are
close to other points are grouped in clusters to provide a cleaner view.
Google
Toolbar
The
Google toolbar is a browser add-on where a user can perform Google searches.
While there are many different features to the Google Toolbar, the software
currently focuses on the search history. The software is capable to finding the
search history, whether it is typed or autocompleted. The software is also
capable of determining which category the userís search comes from, whether it
is Google Search, YouTube, Google Maps, Google News, etc.
Internet
Explorer v10 history
This
search will recover history, cookies, and content left behind when using
Internet Explorer v10. IE10 uses a completely different log format than
previous versions of Internet Explorer.
Opera
This
search will carve and parse web history from the Opera web browser, including
carving/parsing the “typed” history (URLs or search terms entered by the user).
The entire history file is not required, single records can be carved from live
RAM captures and unallocated clusters, etc.
360
Safe Browser
This
search will parse 360 safe browser web history from SQLite files. This includes
website visits, downloads, keyword search terms, top sites, cookies, autofill,
autofill profiles, saved credit cards, logins, archived web history, archived
keyword search terms, and favicons data.
Xbox
Internet Explorer History
This
search will recover history, recent/favourites/featured items, and content left
behind when using Internet Explorer on the Xbox 360. This can be recovered when
doing a sector level search on a Xbox 360 hard drive or image.