FORENSICS V2 LAB SERIES

Lab 03: Live Forensics

Document Version: 2021-01-11

Copyright © 2021 Network Development Group, Inc.

www.netdevgroup.com

NETLAB+ is a registered trademark of Network Development Group, Inc.

Microsoft® and Windows® are registered trademarks of Microsoft Corporation in the United States and other countries. Google is a
registered trademark of Google, LLC. Amazon is a registered trademark of Amazon in the United States and other countries.
Lab 03: Live Acquisition

Contents
Introduction ........................................................................................................................ 3
Objectives............................................................................................................................ 3
Lab Topology....................................................................................................................... 4
Lab Settings ......................................................................................................................... 5
Getting Familiar with Digital Evidence & Forensic Toolkit (DEFT 8) & Digital Advance
Recovery Toolkit (DART) ..................................................................................................... 6
Using Drive Manager to Get Drive Information........................................................ 13
Using FTK Imager to Identify Windows User Directories ......................................... 17
Using TreeSizeFree to Get Drive Information ........................................................... 27
Using WinAudit to Get Drive Information ................................................................ 34
Using Browser History View to View and Capture Browsing History ....................... 46

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 2

Lab 03: Live Acquisition

Introduction

When dealing with digital evidence, it is important to know the correct methodologies
and procedures that are acceptable for collecting electronic data. This lab aims to teach
the student how to collect relevant evidence and navigate a live computer to review key
artifacts that may aid in the full examination without altering evidence.

Objectives

● Review the hard drive file structure

● Review frequent paths for an average user(s)
● Document all action/steps taken

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 3

Lab 03: Live Acquisition

Lab Topology

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 4

Lab 03: Live Acquisition

Lab Settings

The information in the table below will be needed to complete the lab. The task sections
below provide details on the use of this information.

IP Address / Account Password

Virtual Machine
Subnet Mask (if needed) (if needed)

Caine 172.16.16.30 caine Train1ng$

CSI-Linux 172.16.16.40 csi csi

DEFT 172.16.16.20 deft Train1ng$

WinOS 172.16.16.10 Administrator Train1ng$

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 5

Lab 03: Live Acquisition

Getting Familiar with Digital Evidence & Forensic Toolkit (DEFT 8) &
Digital Advance Recovery Toolkit (DART)

Live analysis of a computer requires certain tools that can ascertain valuable data while
leaving very small footprints. One of these tools is the Digital Evidence & Forensic
Toolkit (DEFT). This is a full Linux operating system that can also be used for live analysis
and incident response. It has a full suite of tools, and we will be utilizing a few of them in
this lab.

1. To begin, launch the WinOS virtual machine to access the graphical login screen.
a. Select Send CTRL+ALT+DEL from the dropdown menu to be prompted with the
login screen.

b. Log in as Administrator using the password: Train1ng$.

2. Once you are logged into the VM, open file explorer by clicking the icon on the
taskbar as highlighted in red below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 6

Lab 03: Live Acquisition

3. Within File Explorer, browse to Desktop > Toolbox > deft-8.2-002, as seen in items 1,
2, and 3 below. This will allow you to view the extracted contents of the DEFT ISO
file, as seen in item 4.

It is important to note that the tools contained within DEFT can be

reported as False Positives in antivirus programs. When practicing in
the real-world environment, be sure to disable antivirus solutions to
prevent them from complicating the capture process.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 7

Lab 03: Live Acquisition

4. Once the folder is opened, you will see the following folder structure appear. These
are the files and folders that make up the DEFT 8 operating system. In this exercise,
we will only be using the Digital Advance Recovery Toolkit (DART) feature of DEFT.
DART is a handy live response toolkit that has applications designed for extracting
valuable evidence from running systems. To open DART, double-click the dart.exe
icon highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 8

Lab 03: Live Acquisition

5. When opening, DART will display the DART DISCLAIMER window. Read it carefully to
understand the risk that is taken when performing an analysis on a computer that is
booted into its operating system. It will also provide details about common issues.
Click the Yes button as highlighted below to continue.

Note taking is a very important factor in ensuring that you are able to
regurgitate what exactly happened when you interacted with the
evidence item. The DART logs assist in this detailed recording, which
makes it extremely vital. It should always be used and stored on a
drive prepared for evidence storage and NEVER on the computer
being examined.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 9

Lab 03: Live Acquisition

6. The next window that will appear is the Browse For Folder window. DART creates a
log of actions taken while using it, and it requires a path to store the log file. To
adhere to forensic procedures, the logs must be stored on an external evidence
drive to prevent creating more artifacts than necessary and potentially overwriting
data on the host’s system. Let us make a new folder in the Evidence Repository drive
that has the drive letter (E:). To do this, browse to Evidence Repository (E:) and click
Make New Folder as seen in items 1 and 2 below.

7. Let us name the new folder FOR_LAB_003 as highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 10

Lab 03: Live Acquisition

8. Inside the folder called FOR_LAB_003, we will create another new folder by clicking
Make New Folder again, and we will call it DART_LOGS as highlighted in items 1 and 2
below.

9. Once the folder is created, click OK as highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 11

 Lab 03: Live Acquisition

10. You will now be presented with the DART 2.0 home page. From this window, you
will be able to navigate the different categories of applications offered in DART. The
categories are outlined in the table below the following screenshot.

Acquire This category contains applications that will allow you to burn, copy, or create forensic images.
Data Recovery The Data recovery category contains apps that are ideal for finding and restoring deleted information
even after it has been removed from the recycle bin.

Forensics The forensics category contains the most tools. It provides applications that can recover data from web
browsers, view e-mails, check for encryption, examine files, create file hashes, view instant messaging
data, and identify peer to peer software. It has a whole suite of tools that are specifically designed for
extracting data from the windows operating system.

Incident Resp. The incident response category helps you learn about the system and has some antivirus tools that help
with investigating compromised systems.

Networking The networking category contains tools that provide data about the computer’s network connections. It
can reveal Wireless network data, reveal cookies, and sniff network traffic, etc.

Password The Password category has a myriad of tools designed for finding, revealing, and cracking various types
of passwords. Some categories are browser passwords, Wi-Fi passwords, and Asterisk passwords, etc.

Visualize The Visualize category contains tools that allow you to view different types of data. It contains software
that allows you to view graphics, multimedia, and documents.

Utility The utility category is somewhat of a miscellaneous list of useful software. Tools that allow you to erase
drives, read hexadecimal files, perform screen captures, and more.

11. Now that you are familiar with DART 2.0. Let us move to the next task, getting
information using Drive Manager.

DART contains many tools that we won’t be able to cover in this

course. Feel free to navigate the options and test the different
software. They each have their own help files to teach you what they
are for and how to use them.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 12

Lab 03: Live Acquisition

Using Drive Manager to Get Drive Information

Now that you are familiar with the DART interface, let us look at a few of the tools. The
first one we will use is Drive Manager. This tool helps to display the connected drives in
a Microsoft Windows operating system and provides lots of details about them.

1. DART should already be open. If it is not, reopen it and click on the Incident Resp.
category, as seen in item 1 below. The Items on the left side of the window are the
names of the different programs. The ones with the arrow beside them, highlighted
in item 2 below, are programs.

Some programs are further categorized in folders. To expand them,

click the plus (+) beside the folder name.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 13

Lab 03: Live Acquisition

2. In this exercise, we will be using the Drive Manager tool (DriveMan), which is found
in the System Info folder. Click the + sign beside the System Info folder, as seen in
item 1, to expand it and view the contents. Next, click DriveMan from the list of
programs that appear, as seen in item 2 below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 14

Lab 03: Live Acquisition

3. Once you have DriveMan selected, you will see a description of the tool in the right
pane, as seen in item 1. To open the program, click START AS ADMIN highlighted in
item 2 below.

4. The Drive Manager application will open and will instantly list all the drives currently
connected to the computer. The application has several options that can be used to
gather information and perform actions on each drive. In this exercise, we will be
using the Disk Info option. To begin, let us click the drive bearing the drive letter (C:)
as seen in item 1 below. Once you have the (C:) volume selected, click the Disk Info
option from the toolbar highlighted in item 2 below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 15

Lab 03: Live Acquisition

5. The Disk info window will provide details about the selected drive. Here you can find
the hard drive’s serial number, the volume serial number, the total size of the hard
drive in bytes, the allocated and unallocated clusters, the physical disk name, and
whether the drive is fixed or removable. This information is essential when trying to
account for all the disk space as well as getting drive serial numbers. The physical
serial number is also good for evidence documentation and chain of custody.

Drive Manager has many other useful features. For more information
on the other uses, you can click on the Help menu option on the main
Drive Manager window.

6. Now that you have reviewed the disk’s details, it is time to look at the contents to
get a better understanding of the data within it. Close the Drive Manager
information before moving to the next task.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 16

Lab 03: Live Acquisition

Using FTK Imager to Identify Windows User Directories

Now that you are familiar with the DART interface, let us look at a few of the tools. The
first one we will use is FTK Imager. You should already be familiar with FTK Imager from
our first and second labs. In this exercise, we will use FTK Imager to go a bit deeper and
show you how to browse to and identify the users’ files and folders.

1. DART should already be open. If it is not, reopen it and click on the Acquire category
highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 17

Lab 03: Live Acquisition

2. Click the + beside the folder called Image and then select FTK Imager by clicking it,
as highlighted in items 1 and 2 below. Verify that FTK Imager is selected by looking
at the right pane in the DART window highlighted in item 3 below. This is where you
will see the description of the selected tool. If your description is correct, then let us
go ahead and click START AS ADMIN as seen in item 4. This will launch FTK Imager
lite, which is a portable version of this powerful tool.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 18

Lab 03: Live Acquisition

3. Now that you are in FTK Imager, let us load the Physical Drive 0 that has Local Disk (C:)
volume. To do this, navigate to File > Add Evidence Item as highlighted in items 1 and
2 below.

4. You will be brought to the Select Source window. Let us select the Physical Drive radio
button and then select Next, as seen in items 1 and 2, to proceed to the Select File
window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 19

Lab 03: Live Acquisition

5. In the Select Drive window, you will have the option to select which drive you want
to preview. Select PHYSICALDRIVE0 from the dropdown menu as seen in item 1
below, then click Finish once you have verified that you selected the correct drive,
as seen in item 2.

In some cases, ‘Physical Drive 0’ may be a secondary storage hard drive

and may not have the folder structure for an operating system, It is very
uncommon but possible. Ensure the correct drive is selected.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 20

Lab 03: Live Acquisition

6. If you did everything correctly, you will now be back at FTK Imager’s main window
with PHYSICALDRIVE0 listed under the Evidence Tree Pane. We will now browse the
hard drive and view its contents. To begin, click the + sign beside PHYSICALDRIVE0 as
seen below. This will expand the tree and display the different partitions on the
drive.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 21

Lab 03: Live Acquisition

7. Now that you can see all the partitions, you can determine which partition is the
main data partition that contains the operating system and user files. To do this, use
the name and the size of the partition. The size can be seen in square brackets
beside the name of the partition, as seen below. The larger partitions normally
contain user-created files and operating systems. In the example below, the
partition called Basic data partition (2) is the largest partition. When you compare
this to the size of the other partitions, you can see that it is 35038MB while the
nearest partition size is 9215MB.

On the right, in square brackets, it shows that the partition called Basic
data partition is 35038MB. Which is calculated at 1024KB to 1MB.
35038MB divided by 1024KB equals = 34GB.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 22

Lab 03: Live Acquisition

8. Let us click the + beside Basic data partition (2), seen in item 1, to expand the
partition and view the file system. The file system in the screenshot below is called
NONAME [NTFS], which indicates that the partition uses the New Technology File
System (NTFS) file system. Let us expand the partition by clicking the + beside
NONAME [NTFS], as seen in item 2. This will reveal three folders. There is the orphan
folder, and it contains deleted files that were recovered but have no parent folder.
Next is the root folder that contains the operating system and user files. The final
folder is the unallocated space that represents free space as files.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 23

Lab 03: Live Acquisition

9. Let us expand the folder called root by clicking the + sign beside it, as seen in item 1.
Now that you expanded the root directory, you should begin seeing filenames and
folders that are a bit more familiar. This is the root directory of the Windows operating
system, and it is represented as the C:\ drive. In this lab, we will only focus on the
users’ folders. To get to these folders, look for the folder called Users in the tree pane
as seen in item 2 below and click the + sign beside it.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 24

Lab 03: Live Acquisition

10. Now that you have expanded the Users folder, you will see the list of user profile
folders bearing the name of their associated user. There are also some default user
folders created by the Windows operating system for various reasons. In addition,
there are several registry files that contain many valuable artifacts. Finding and
examining the registry files will be covered in a different lab. For now, let us expand
the folder called Administrator by clicking the + beside it as seen below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 25

Lab 03: Live Acquisition

11. You will now see some more familiar folders. These folders are the same folders that
the user would see in the navigation pane of the Windows File Explorer. The
comparison can be seen below.

FTK Imager Tree pane Windows File Explorer

By default, system folders are hidden from the user. Using FTK Imager
to view a hard drive will show all hidden folders and files that are
stored on a hard drive to include deleted ones. For example, the folder
AppData contains files created by different applications installed on
the computer. It is not shown in the image on the right, but it is visible
within FTK Imager.

12. You will also see several folders that you might not be familiar with. Feel free to
browse these folders and familiarize yourself with their contents.
13. Being able to identify the user folders is a vital first step towards associating an
individual with the contents of a folder. In the next exercise, you will need to
remember these folders and how to get to them, as they will contain the majority of
user-created data. Let us close FTK Imager by clicking the X at the top-right corner of
the FTK Imager window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 26

Lab 03: Live Acquisition

Using TreeSizeFree to Get Drive Information

Let us look at another program in DART. This tool is called TreeSizeFree and is used to
help get a better understanding of what files are on a computer and where to find them.

1. Let us begin by closing FTK Imager by clicking the X at the top-right corner of the FTK
Imager window. DART should still be open from the last exercise; return to it. You
will need to go back to the Incident Resp. category and expand the System Info
folder again by clicking the + sign beside it, as seen in items 1 and 2 below. Click the
TreeSizeFree application from the list of tools that appear when the folder is
expanded, as seen in item 3.

To verify that you have selected the correct tool, read the tool
description in the pane on the right as seen in item 4.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 27

Lab 03: Live Acquisition

2. Now that you have TreeSizeFree selected, let us run it by clicking START AS ADMIN
as highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 28

Lab 03: Live Acquisition

3. The TreeSizeFree main window will appear as seen below. To begin a folder scan,
click the Scan dropdown menu option as seen below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 29

Lab 03: Live Acquisition

4. You will see several options there. The options will include all the disk drives that are
attached to the computer. It will also give you the ability to scan a specific folder of
your choice. In this exercise, we will be scanning the Local Disk (C:) volume to
identify the largest files. To do this, click the Local Disk (C:) option as highlighted
below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 30

Lab 03: Live Acquisition

5. The scan will begin as soon as you click the disk drive. If you did everything correctly,
you will see data like those in the screenshot below. Let us focus on the users’
directories as this is where the average user will store most of their data. Using
TreeSizeFree, click the arrow beside the directory called Users to expand it and view
the source of the largest files in this folder hierarchy. TreeSizeFree will show you the
size of the files in each sub-directory each time you expand a tree item. This is great
for narrowing down the specific location of large files.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 31

Lab 03: Live Acquisition

6. Next, expand the folder called Administrator and look at the size of the contents of
these folders.

Files and Folders that appear grayed out are known as ‘hidden files
and folders’. A hidden file or folder doesn’t primarily appear in the
Windows File Explorer to help prevent important data from being
accidentally deleted by users.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 32

Lab 03: Live Acquisition

7. This method of searching through the file system based on the volume of data is a
great way to focus your investigation on areas that might be of interest. This method
is great for finding out if certain files were downloaded and where caches of illicit
data are stored/hidden on a subject’s system.
8. In this exercise, we have reason to believe that a user was using file-sharing software
and downloaded a video file to their Downloads folder at C:\ > Users >
Administrator > Downloads. Using TreeSizeFree, browse to the mentioned folder
and note the name of any video files you see there.
9. Now that you have learned how to navigate the data based on size and the
commonly known file paths, let us learn how to gather some other important system
information. First, let us close TreeSizeFree by clicking the X at the top-right corner
of the TreeSizeFree window.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 33

Lab 03: Live Acquisition

Using WinAudit to Get Drive Information

The live acquisition process can be daunting if you are new to it or unsure what kind of
data you want to capture for future analysis. There are several tools available that can
help to make the data capture process a lot less confusing. In this exercise, you will be
using one of the tools that are great for this job. This tool is called WinAudit and is a
free-to-use tool that captures a ton of helpful information that aids in understanding the
computer and its users better.

1. Let us begin by launching WinAudit. To do this, go back to the DART main window
and click the category called Incident Resp., seen in item 1 below. In the tree pane,
expand the System Info folder by clicking the + beside it, and then click the
application called WinAuditu as highlighted in items 2 and 3 below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 34

Lab 03: Live Acquisition

2. If you did everything correctly, you should see the description of the selected tool in
the right pane highlighted in item 1 below. Once you have verified that you selected
the right option, click the START AS ADMIN button highlighted in item 2 below.

3. You will see the window below; it is the main window for WinAudit v2.29. It is very
easy to use. The options highlighted below are the main functions of this simple tool.
Let us begin by clicking the Options button highlighted in item 1 below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 35

Lab 03: Live Acquisition

4. The Options menu allows you to choose what data you want to be collected when
you run the audit. Look at the many categories available. It gives you an idea of the
types of data that will be collected and allows you to narrow your scope if you only
want to focus on certain areas. For now, we will leave the default options selected.
Let us just click Apply highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 36

Lab 03: Live Acquisition

5. Now that we are back at the main window, let us run an audit. To run the audit, click
the Audit button highlighted below.

6. The process will begin; its duration is dependent on the hardware specifications of
the host. In the bottom-left corner of the main window, you will see the word
Auditing… along with an animation as highlighted below. This is an indication that it
is still gathering data.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 37

Lab 03: Live Acquisition

7. Once the audit is done, you will see the familiar navigation pane. In this tool, it is
called Categories pane, and, as usual, it is on the left side of the window, as
highlighted below. This pane contains the various categories of captured data.

8. For this exercise, we will be exporting the results as you normally would when
collecting live data. Before we do this, though, let us take a quick look at some of the
data.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 38

Lab 03: Live Acquisition

9. If you notice, the System Overview category is already being displayed. In this
category, you can find operating system and computer information such as the
NetBIOS name, the operating system version, the hard drive size, and the total RAM,
among others, as highlighted below. This is the top of the audit report you
generated. To view the other categories, you can scroll down in the window. It is
quite lengthy!

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 39

Lab 03: Live Acquisition

10. Now let us look at the Installed Software category by clicking Installed software in
the Categories pane highlighted in item 1 below. This will show you a neat pie chart
that shows the difference between the operating system software that is installed
by default (called Active Setup highlighted below) and the software that was
manually installed by the user (called Programs highlighted below).

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 40

Lab 03: Live Acquisition

11. Still, in the Installed Software category, scroll down in the right pane to view a list of
the installed software from both the Active Setup and Programs categories. Browse
until you see the Installed Programs heading. This will provide detailed information
about the manually installed programs. As you can see in the highlighted area, the
name, version number, the install date, and the source of the installed program are
all listed along with lots of other data. Please note that the type of data captured for
each application can vary.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 41

Lab 03: Live Acquisition

12. As you can see from the audit, the type of data collected is voluminous. For now, let
us save what we have captured so that it can be reviewed later. To do this, go back to
the toolbar and click Save as highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 42

Lab 03: Live Acquisition

13. The Save Document window will appear, allowing you to browse to the location to
which you want the file to be downloaded. Always remember to store the file on a
different volume than the one you are performing the live analysis on. In this
exercise, we will be saving the data to the Evidence Repository (E:) volume. To do
this, navigate to Evidence Repository (E:) > FOR_LAB_003 and click New Folder as
highlighted below.

14. Name the new folder FOR_LAB_003_Audit and double-click it to open. Now that we
have the location, let us name the file. Give it the name FOR_LAB_003_Audit, as
highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 43

Lab 03: Live Acquisition

15. Next, let us save it as an HTML file. To do this, click the Save as type dropdown
menu highlighted in item 1. From the dropdown menu, click Web Page (Include
images) (*.htm;*.html) as highlighted below.

16. Now that you have the right path, name, and format selected, you can click Save as
highlighted in item 2 below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 44

Lab 03: Live Acquisition

17. Now you have successfully saved the report to an HTML file in your evidence drive.
This data can later be reviewed and used to assist in examining the computer. It can
also be reviewed immediately using your onsite forensic workstation to gather the
information that can lead to the recovery of additional evidence items.
18. Let us move on to one of the most important digital forensic artifacts on any
computer, the browsing history. First, let us close WinAudit by clicking the X at the
top-right corner of the WinAudit window.

To view the html report, browse to the folder you saved it and
double-click the file you created called FOR_LAB_003.htm

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 45

Lab 03: Live Acquisition

Using Browser History View to View and Capture Browsing History

As you have seen in the previous exercises, the live analysis is all about quickly accessing
some data for use before shutting the computer down. In some investigations, you may
need to see if the user accessed certain websites. You may also want to check if they
performed certain web searches. Web history is one of the artifacts that is going to
provide you with this information.

1. One of the tools we use to view this history in a live environment is

BrowsingHistoryView. This is another lightweight tool that can get the job done
quickly. In this lab, you will learn how to open, view, and save the web history of a
host. Let us begin by going back to the DART main window and click the Forensics
category as highlighted below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 46

Lab 03: Live Acquisition

2. Now that you can see the list of Forensics tools in DART, click the + beside the
Browser folder and then click BrowsingHistoryView 64-bit as highlighted in items 1
and 2. As usual, look at the right pane highlighted in item 3 below to verify that you
have the right program selected. After you have verified this, click START AS ADMIN
as highlighted in item 4.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 47

Lab 03: Live Acquisition

3. The BrowsingHistoryView software should now be open. You will be presented with
the main window and a pop-up window called Advanced Options that appears in
front of the main window. In this exercise, we will leave everything as the default
and click OK as seen below.

The Advanced Options window gives you more flexibility.

You can filter the web history by dates, browser, and the
user account you want to target.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 48

Lab 03: Live Acquisition

4. The BrowsingHistoryView software will now present you with all the browsing
history it finds. You will see a window like the one below. As you see, there are
several columns that provide useful data. The columns provide data about the
specific URL that was visited, the title of the web page, the time it was visited, the
number of times it was visited (Visit Count), any redirections (Visited From), the
name of the web browser and the username of the person who accessed it. The
column titles are highlighted below.

5. You can scroll through the list to see if you are familiar with some of the websites
that this user visited. Now let us export this browsing data to our Evidence
Repository (E:) volume. To do this, begin by clicking Edit from the Menu Bar and
then clicking Select All highlighted below. This will highlight all the historical artifacts
that the software collected.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 49

Lab 03: Live Acquisition

6. Next, click File in the File Menu and click Save Selected Items as highlighted in items
1 and 2 below.

7. The Select a filename to save window will appear, allowing you to browse to the
intended destination. Let us browse to the folder you created earlier called
FOR_LAB_003. To do this, navigate to Evidence Repository (E:) > FOR_LAB_003.
Click the New Folder icon as highlighted below.

As we regularly mention, always ensure that the captured data is

stored to the external drive and not on the one you are examining.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 50

Lab 03: Live Acquisition

8. Name the new folder FOR_LAB_003_BrowsingHistory and click Open as seen in items
1 and 2 below.

9. Now let us give the file the name FOR_LAB_003-BrowsingHistory as highlighted in

item 1 below. Let us choose the file format of the browsing history report we want
to capture. To do this, click the dropdown menu in the Save as type field and click
HTML File - Vertical (*.htm;*.html) to save the export as an HTML file as highlighted
in items 2 and 3 below.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 51

Lab 03: Live Acquisition

10. Once you have all the right options selected and you have verified that the file is
being saved to the correct path, click Save as highlighted in item 2 below to export
the history. Your HTML file will now be saved in the selected path awaiting your
review.

To view the report, browse to the folder that you saved it in and double-
click the file you created called FOR_LAB_003_BrowsingHistory.htm.

11. BrowsingHistoryView is the last program we will look at in this lab but feel free to
review other programs in DART. There are password revealers, IM parsers, networks
scanners, and much more. Once you are done, please close the open programs by
clicking the X at the top-right corner of the windows.

1/14/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 52