There are times when a full forensic suite is best for a specific case and there are times when a small* tool is best. Only you can decide which is best.
Side Note: *small does not mean “lesser”. I say “small” to mean a forensic tool that is singularly focused on one or a few analysis tasks rather than being able to do practically everything possible.
Too long; didn’t read
Foxton Forensics’ Browser History Examiner is super easy to use, really fast in processing Internet user-profiles and does what it says it does. There are some cool free tools offered too.
The longer version
I have often written my opinion on the selections and lists of “best” forensic tools. In my opinion, it is impossible to have a list of the best of anything, whether that be the best vacation destination, best car or truck, or best DFIR software application. There is no such software application that covers everyone for everything as the “best”. There are too many dynamic and ever-changing variables to consider.
With DFIR tools, the best tool is the tool that best fits your needs for a specific task.
As to Foxton Forensics’ Browser History Examiner ( BHE ), this tool is not a full-fledged forensic suite. It is, however, exactly what it says: A Browser History Examiner. No more, no less. But it is what I would want it to be as an Internet history tool. This brings me to choosing the "best" tool for the job, and where I see BHE fitting in.
About the free tools! Foxton Forensics' free tools include a Browser History Capturer (BHC), Browser History Viewer (BHV), and a SQLite Examiner. I mention this because BHC comes into play with BHE later in this write-up.
Choosing the “best” tool
I should probably first describe how I generally choose which forensic tools to work a case. When I say ‘generally’, I mean it loosely, because every case is different from the next. But generally, there are usually three broad categories of questions that I need answered to be effective in choosing which tools I will use.
---What is the goal of the case?
---What does the client want?
---Where is the data?
---What is the data type?
Even with these questions, the answers can conflict with each other, which affects which tools to use. The goal of a case (i.e., the truth) might conflict with what a client expects, data may not be accessible, time may be limited, and funding is almost always limited.
In some cases, the objective is so broad, the data so widespread, and the unknowns so many, that I may choose a fully equipped forensic suite that ingests everything and sorts the data for me. With a high-level view, it is sometimes easier to see the big picture first, then dive into the specific data that looks relevant. This is the long way to start any analysis and it is also not Foxton Forensics’ Browser History Examiner’s place.
For almost every other case, where the objective is clear and the dataset is targeted, I typically pick a small tool for a laser-focused analysis. If the focus is Internet use, then this is Foxton Forensics’ Browser History Examiner’s sweet spot. Targeting specific and known data is the best way to meet your objective with the most efficient use of your time and effort.
I don’t always read the instruction manual…to anything (even IKEA furniture). I almost always go hands-on, try to figure it out or at least look at the parts, sometimes break “it” in the process, but eventually will read the manual. By the time I read a manual, I’ve hopefully figured out just enough to be dangerous.
With software, I’m no different. Forensic apps are notorious for not being intuitive, for having undocumented or hidden features and buttons, and some have no manual references at all. But I still prefer to turn on the application before reading the manual as a test of the intuitiveness of its design. As I mentioned, I eventually read the manual and help files, line-by-line, but not at first.
The Browser History Examiner meets my expectations of intuitive design. Sure, it’s just Internet data, but still, everything is easy to find, easy on the eyes, and easy to figure out (at least the basic use of the app). By the way, Internet history is very important in so, so many cases :)
The bottom line
It is easy to load Internet history. The program is fast. Quick to process the data. Simple to view the output, and simple to create reports. I have had quite a few cases where Internet history was the primary or only objective (Internet misuse policy violations, general ‘bad’ Internet activity, etc.) and this tool would have fit in well had I known about it at the time. Now I know.
Running Foxton Forensics’ Browser History Capturer (the free app!) from a USB means minimal intrusion to a system: it captures Internet history (Chrome, Edge, Firefox, IE) from a live evidence or custodian machine so that it can be examined off that machine with Browser History Examiner, or any tool for that matter. Or import data from an external drive. Or capture remotely. Cool.
All the expected features are there. Filtering by keyword, date, and time. And filtering by type of web browser and download state. Artifacts are neatly categorized, and the viewing pane is quite cool. The viewing pane shows rebuilt webpages, cached images, a “search history” cloud, and about anything else you need related to Internet analysis.
Some cool things are the URL Details and the Inspect JSON features. For websites making API requests and returning JSON data, this is quite a nice and quick way to get to the JSON and look at it.
What am I going to use this for?
This is an easy question to answer: Internet history analysis. Specifically, I see a use (for me) of grabbing history remotely and having everything that I need for an Internet case in minutes. Seriously. It is quite quick at putting out the Internet history to the UI to start digging into it.
Employee Internet Misuse, or any case with Internet History
Simply grab the user profile with BHC and analyze with the Browser History Examiner. Grabbing the user profile, depending on the scenario, can be done from the live custodian machine (locally or remotely), or from a full or partial image of the custodian machine.
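As an added illustration of what the "grab the profile, then analyze" step involves underneath (this is example code written here, not Foxton Forensics' code, and it assumes a Chrome-style History SQLite file with trimmed `urls`/`visits` tables, constructed in memory), the script below converts Chrome's WebKit-epoch timestamps and applies the keyword and date-window filtering described above:

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores visit times as microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def datetime_to_webkit(dt: datetime) -> int:
    # floor-divide timedeltas to keep exact integer microseconds (no float rounding)
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a captured Chrome 'History' file (schema trimmed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    rows = [  # constructed sample visits, not real evidence
        (1, "https://example.com/login", "Sign in", datetime(2023, 5, 1, 9, 15, tzinfo=timezone.utc)),
        (2, "https://intranet.example/policy", "Acceptable Use Policy", datetime(2023, 5, 1, 9, 40, tzinfo=timezone.utc)),
        (3, "https://jobs.example/apply", "Apply now", datetime(2023, 5, 3, 14, 5, tzinfo=timezone.utc)),
    ]
    for uid, url, title, when in rows:
        con.execute("INSERT INTO urls VALUES (?, ?, ?, 1)", (uid, url, title))
        con.execute("INSERT INTO visits (url, visit_time) VALUES (?, ?)", (uid, datetime_to_webkit(when)))
    return con

def search_history(con, keyword="", start=None, end=None):
    """Visits whose URL or title contains keyword, within [start, end) UTC, oldest first."""
    sql = ("SELECT v.visit_time, u.url, u.title FROM visits v JOIN urls u ON v.url = u.id "
           "WHERE (u.url LIKE ? OR u.title LIKE ?)")
    params = [f"%{keyword}%", f"%{keyword}%"]
    if start is not None:
        sql += " AND v.visit_time >= ?"
        params.append(datetime_to_webkit(start))
    if end is not None:
        sql += " AND v.visit_time < ?"
        params.append(datetime_to_webkit(end))
    sql += " ORDER BY v.visit_time"
    return [(webkit_to_datetime(t).isoformat(), url, title)
            for t, url, title in con.execute(sql, params)]
```

Point it at a copied `History` file (never the live one) by replacing `":memory:"` with the file path; the filtering works the same way.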
About the big tools
The big forensic suites are as useful as any small forensic tool, because as mentioned, the best tool is the tool that is best for the specific task in front of you. This could be a massively featured suite, a small one-function command-line application, or anything in between.
Most suites give the examiner some ability to examine Internet history, some better than others. A few suites do a horrible job of parsing the history into anything much better than hex, if they parse it at all. The small forensic tools can fill in the gaps that some big tools have.
I can also see this as a good option on the police patrol/parole side of investigations. There are many triage tools that can capture a wealth of information for triage or preview of evidence machines, for example sex offenders on parole having court-ordered computer-use restrictions. However, from my experience of teaching parole/patrol officers triage and preview methods, anything more than a few buttons usually means that the officers are not going to (1) be proficient enough or (2) be willing to try it to begin with. I can see using the Browser History Capturer to grab the user profiles as an option to at least capture the Internet profiles instead of doing nothing at all.
I encourage LE/parole-probation officers to use triage and preview methods when reasonable for client visits and consent searches, but I also know the reality of throwing technical analysis into a non-technical analysis job means that it doesn’t always happen. With that, for those who don’t want to touch a forensic boot USB/CD/DVD or run programs that are more complicated than Microsoft Word, at least using BHC to grab the profiles may fill a gap that is otherwise ignored.
The technical side of Browser History Examiner
The reviews I prefer to read are those that give me an opinion on two questions: does it work, and is it worth my time? This is the reason I don’t want to write much on the technical aspects of any software (unless it is a technical write-up of the software, which is not a review). I also find it to be more accurate when the developer of the software explains the technical aspects rather than someone guessing how a tool works.
So, I will defer the ‘how-to’ of using the Browser History Examiner to Foxton Forensics. Even though it is very intuitive, you’ll find some nuggets of good stuff in their posts on using their tool.
As to my opinion of BHE...I like it. I have some major suites that also make short work of Internet analysis, but there is definitely a place for BHE, whether it be to fill a gap that a suite may not handle well or as a small tool used for laser focus on a specific problem, like Internet use. Will I use BHE on a case? I already have, and when another opportunity arises where BHE fits the bill, I will use it.
---Using the built-in JSON Viewer to analyse cached JSON data
---Reconstructing web pages from the cache
---Capturing history from a remote computer on a Windows network
---Analysing browser history by URL category
---Recovering deleted history from System Restore points
---Using BHE to analyse other artifacts such as Skype