[Update 2019-03-10] I’ve added the version numbers of Axiom, Encase and FTK used. Also added details about EnCase Firefox support update coming in next release.
So, last night, after watching the Forensic Dinner (yeah yeah it’s the Forensic Lunch, but hello time zones) I was busy with some testing for #ForensicMania.
Dealing with a simple question ‘What was searched for in Youtube on xx date’, I came to bit of a speed bump in EnCase. In short, I couldn’t get to the answer in EnCase for Youtube web histories viewed in Firefox. It was late, so I wasn’t sure if I were to blame, or EnCase. With this, I stopped with the #ForensicMania stuff and thought, let’s do some targeted testing.
The next morning (today), I decided to do a quick and simple test:
- Conduct a few searches in Chrome and Firefox
- Parse the web histories with Axiom, EnCase and FTK
- Compare the results
I fired up Chrome and Firefox, and made sure they were up to date:
With last night’s Forensic Lunch still fresh in my mind, I Googled the following between 11:00 and 12:00 on 2019-03-09.
The same searches were done with Chrome first, and then with Firefox.
Google search: “Is lee whitfield brittish?”
Result opened: “https://www.sans.org/instructors/lee-whitfield”
Google search: “How do you spell british?”
Result opened: “https://en.oxforddictionaries.com/spelling/british-and-spelling”
Google search: “Where did Matt get the cool blue sunglasses?”
Result opened: https://www.menshealth.com/style/a26133544/matthew-mcconaughey-blue-colored-sunglasses/
Google search: “Why is no one having lunch on the Forensic Lunch?”
Result opened: https://www.youtube.com/user/LearnForensics/videos
Youtube search: “drummer at the wrong gig”
Video played: https://www.youtube.com/watch?v=ItZyaOlrb7E
And then played this one from the Up Next bar:
https://www.youtube.com/watch?v=RvatDKpc0SU
Google search: “Can you nominate yourself in the Forensic 4Cast awards?”
Result opened: https://www.magnetforensics.com/blog/nominate-magnet-forensics-years-forensic-4cast-awards/
Following this, I created a logical image of the Chrome and Firefox histories on my laptop with EnCase. The total size for the histories were 3GB. (Yes, lots of historic stuff included there as well).
So the testing is pretty straight forward: Can I get to the above listed searches and web histories in Axiom, FTK and EnCase. Let’s see:
Axiom (v2.10)
Parsing the logical image in Axiom gave us the following for ‘Web related’ artifacts:
Chrome
Firefox
Result: Great Success
FTK (v7.0)
Same thing, processed the image and got the following from the ‘Internet’ tab:
Chrome
Firefox
Again: Great Success
Now, let’s fire up the ‘2019 SC Magazine Winner‘ for ‘Best Computer Forensic Solution‘…
EnCase (v8.08):
After processing the image with EnCase, we hobble on over to the ‘Artifact’ tab and open the ‘Internet Records’ section.
First up, Chrome histories:
Great, it works as expected.
Next up, Firefox (The browser with 840,689,200 active users in the past 365 days)
And this is where we ran into trouble: EnCase was able to parse Firefox Cookies and some cache files, but for the life of me I couldn’t get to any actual browsing histories.
I suspect that, as it’s shown on the processing window, EnCase only supports Firefox up until v51.0.0. The current Firefox version is v65.
Firefox version 51.0.0 was released to channel users on January 24th 2017. That is the same month when Ed Sheeran released his single “Shape of You”. (And now you can’t unsee the singing dentist guy covering the song)
What I’m trying to say is that Firefox v51 is old.
I’ve logged a query with OpenText about this and will update this post if and when I get feedback. (Really hoping this is something I’m doing wrong, but we’ll see.)
[Update 2019-03-10: EnCase v8.09, set for release in April, is said to have updated Firefox support]
What’s the point of this post?
- Test stuff. If something doesn’t look right, test it.
- You don’t need test images to test your tools. If you have a laptop or a mobile phone, then you have test data.
- Don’t assume stuff. If my results above are correct, there’s a good chance you could have missed crucial Firefox data if you were only relying on EnCase.
- If I’m wrong, then at least I’ll hopefully know pretty soon how to get EnCase to parse Firefox histories correctly… and someone else might learn something too.
You had me at ‘2019 SC Magazine Winner‘ for ‘Best Computer Forensic Solution…that’s why I rely on the Big Commercial Tools coz they expensive for all my big cases!
Lolz