Monday, March 21, 2005

Red Cliff Releases Web Historian

On Friday, security consultancy Red Cliff posted an announcement of their new Web Historian tool. Web Historian parses Web browser history files and presents the information in a manner useful to a host-based forensic investigator. The program requires the Microsoft .NET Framework and runs only on Windows systems.

Prior to using Web Historian, I had used Scott Ponder's IE History and Keith Jones' Pasco. Previously IE History was free, but required sending an email to the developer. Now IE History costs $50 and is "limited to Law Enforcement and Corporate Security." Web Historian improves upon Pasco, and the new tool probably benefitted from Keith Jones' input, as he now works for Red Cliff.

I downloaded and installed Web Historian. The program prompts the user for a Web history file to parse, or gives the option of searching a specified location for Web history files. I chose the latter option and directed Web Historian towards the c:\Documents and Settings folder where I expected to find Web history files.



After searching the folder, Web Historian presented its results in an Excel spreadsheet. It showed one tab for each Web history file it parsed. First it showed results from a history.dat file generated by Firefox.



The second tab showed Internet Explorer history.



This sort of information is incredibly useful. Web Historian is built to accommodate forensic investigations as it can parse whatever Web history file you specify, within the limits of its ability to recognize the format. I expect people to begin migrating to this new free tool as they learn more about it. Web Historian is packaged with a help file that explains program usage and other functions. Try it out!
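The search step described above can be sketched as follows. This is an added example, not Web Historian's code or anything from Red Cliff: it walks a folder tree, picks up files named index.dat or history.dat, and keeps only those whose leading bytes match the Internet Explorer cache header or the Firefox Mork header, recording a SHA-256 of each for the case notes. The signature prefixes, the candidate-name list and the sample tree in `demo()` are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

# Leading bytes of the two history formats named in the post.
SIGNATURES = {
    "Internet Explorer index.dat": b"Client UrlCache MMF Ver ",
    "Firefox history.dat (Mork)": b"// <!-- <mdb:mork:z v=",
}
CANDIDATE_NAMES = {"index.dat", "history.dat"}


def find_history_files(root):
    """Return sorted (relative path, format, sha256) for recognised files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in CANDIDATE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable (common on a live system)
            for label, magic in SIGNATURES.items():
                if data.startswith(magic):
                    digest = hashlib.sha256(data).hexdigest()
                    hits.append((os.path.relpath(path, root), label, digest))
    return sorted(hits)


def demo():
    """Scan a constructed profile tree: two real headers and one decoy."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample content, not real evidence
        ("ie", "index.dat"): b"Client UrlCache MMF Ver 5.2\x00" + b"\x00" * 32,
        ("ff", "history.dat"): b'// <!-- <mdb:mork:z v="1.4"/> -->\n',
        ("decoy", "index.dat"): b"renamed file with no cache header",
    }
    for (folder, name), content in samples.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(content)
    return find_history_files(root)


if __name__ == "__main__":
    for rel, label, digest in demo():
        print(f"{digest[:16]}  {label:30}  {rel}")
```

Run it against a mounted image or a working copy of the profile folder rather than the original evidence; files that cannot be opened are skipped silently, so a live system may return fewer hits than an offline copy.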

1 comment:

Anonymous said...

I have successfully used NetAnalysis from Digital Detective for this sort of work. It does cost $100 though.
(http://www.digital-detective.co.uk/)

It allows for automated reconstruction of cached web pages (useful for webmail) and custom SQL filtering for big record sets such as cyber cafe PCs.

I know the author but am not involved in the company.