If selected as part of the volume snapshot refinement process, X-Ways Forensics will create HTML previews of Internet browser databases and extract tables as Tab Separated Values files from SQLite databases as child objects of the respective file (m. 6.3.3). The HTML preview is very accessible from the viewer component and may also be used to quickly report on the data extracted. Searches and indexing also benefit from the HTML preview and TSV files generated.
In addition, the extracted data is added to the event list, which may be used to sort browser history chronologically, and more!
RVS Options to Extract Internal Metadata, etc.
Setting the maximum number of rows per HTML table (100 by default) starts a new table once that many rows are reached, which helps the viewer component preview the HTML child object. A higher number may be appropriate if the HTML child object will be viewed exclusively in an Internet browser.
When “Create previews of browser databases, event logs, and $UsnJrnl:$J” and “Extract tables from various other SQLite databases” are checked as part of the RVS process for applicable artifacts, e.g., Chrome, Firefox, and Edge browser history, XWF will add child objects as virtual files.
Using browser history as an example, there are a few ways to review the information parsed by XWF:
| Review option | Description |
|---|---|
| Events List | Accessible timestamp information that may be examined alongside existing artifacts in an XWF case. Events may be marked as notable and then exported as a list. |
| HTML Child Object | HTML child objects are based on the data parsed by XWF and include information not present in the events list description, e.g., visits, type, and duration. The HTML child object may be opened in Excel to filter rows, but only after separating the tables into their own sheets. May be saved as HTML or another file type. |
| TSV Child Objects | Parsed from SQLite tables, the TSV child objects may be used as a data source for Simultaneous Search or to preview the contents of a database for research. |

Columns in the HTML child object tables:

Chrome/Edge child object (History):
- History: Id, Time, Title, URL, Visits, Type, Duration, Transition
- Keyword searches: Term, URL, Search time
- Downloads: Path, URL, Start time, End time, Opened

Firefox child object (places.sqlite):
- Bookmarks: Title, URL, Added, Modified
- Places: Title, URL, Visits, Last visit, Visit type
Chrome/Edge child objects parsed tables from History:
Firefox child objects parsed tables from places.sqlite:
Helpful SQLite resources to consider:
- Heather Mahalik’s blog series on SQLite, starting with part 1.
- Dirk Pawlaszczyk’s chapter 5 in Mobile Forensics – The File Format Handbook.
- Lee Reiber’s Mobile Forensic Investigations (2E), Chapter 14.
- Paul Sanderson’s SQLite Forensics.
- Rohit Tamma, Oleg Skulkin, Heather Mahalik & Satish Bommisetty’s Practical Mobile Forensics, Chapter 5, pages 110-115.
- Gianluca Tiepolo’s iOS Forensics for Investigators, Chapter 4, pages 90-107.
- SANS’ SQLite Pocket Reference Guide: https://www.sans.org/posters/sqlite-pocket-reference-guide/
The event list’s superpower is the ability to sort and filter the various timestamps associated with certain events. This may be helpful when reviewing other information included in an XWF case.
For Internet activity, the events may be filtered by Type.
The following are relevant event list types for information parsed from History or places.sqlite.
| Event List Type | Description |
|---|---|
| Other | End download, source: [URL] (target: [path]) |
| Other | Start download, source: [URL] (target: [path]) |
| Other | Search term: [search term] |
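To validate what XWF reports from a Chrome/Edge History database, or to reproduce the three HTML child object tables and the event descriptions above outside XWF, the following Python script is an added example; it is not XWF’s code or output. It builds a constructed History database in memory with a minimal subset of the real Chrome schema, converts WebKit timestamps (microseconds since 1601-01-01 UTC), emits the History, Keyword searches and Downloads tables as TSV, and flattens them into a chronological event list using the download and search-term wording above. Two assumptions are ours: the download source URL is read from downloads.tab_url for brevity (Chrome keeps the full redirect chain in downloads_url_chains), and the "Visit" event wording is not XWF’s.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Edge store timestamps as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core page-transition types live in the low 8 bits of visits.transition.
TRANSITION_CORE = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                   4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                   7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}

# Constructed test data: a subset of the real History schema, not a real user's database.
SAMPLE_HISTORY_SQL = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                   typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                     from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER, term TEXT, normalized_term TEXT);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                        end_time INTEGER, opened INTEGER, tab_url TEXT);
INSERT INTO urls VALUES (1, 'https://example.com/', 'Example Domain', 2, 1, 13300000000000000, 0);
INSERT INTO urls VALUES (2, 'https://www.google.com/search?q=x-ways', 'x-ways - Google Search', 1, 0, 13300000060000000, 0);
INSERT INTO visits VALUES (1, 1, 13299999940000000, 0, 805306368, 15000000);
INSERT INTO visits VALUES (2, 1, 13300000000000000, 0, 805306368, 30000000);
INSERT INTO visits VALUES (3, 2, 13300000060000000, 0, 805306373, 5000000);
INSERT INTO keyword_search_terms VALUES (2, 2, 'x-ways', 'x-ways');
INSERT INTO downloads VALUES (1, 'C:\\Users\\user\\Downloads\\setup.exe', 13300000120000000,
                              13300000130000000, 0, 'https://example.com/setup.exe');
"""


def webkit_to_iso(us):
    """Convert a WebKit microsecond timestamp to 'YYYY-MM-DD HH:MM:SS' UTC ('' for 0/NULL)."""
    if not us:
        return ""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).strftime("%Y-%m-%d %H:%M:%S")


def open_sample_history():
    """Create the constructed History database in memory. For a real case, open a copy of the file instead."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_HISTORY_SQL)
    conn.row_factory = sqlite3.Row
    return conn


def parse_history(conn):
    """Return the three tables the Chrome/Edge HTML child object shows, as lists of dicts."""
    history = [
        {"Id": r["id"], "Time": webkit_to_iso(r["visit_time"]), "Title": r["title"], "URL": r["url"],
         "Visits": r["visit_count"],
         "Type": TRANSITION_CORE.get(r["transition"] & 0xFF, str(r["transition"] & 0xFF)),
         "Duration": f"{r['visit_duration'] / 1_000_000:.1f}s", "Transition": r["transition"]}
        for r in conn.execute(
            "SELECT v.id, v.visit_time, v.transition, v.visit_duration, u.title, u.url, u.visit_count "
            "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    ]
    searches = [
        {"Term": r["term"], "URL": r["url"], "Search time": webkit_to_iso(r["last_visit_time"])}
        for r in conn.execute(
            "SELECT k.term, u.url, u.last_visit_time FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id")
    ]
    downloads = [  # source URL from tab_url for brevity; the real chain is in downloads_url_chains
        {"Path": r["target_path"], "URL": r["tab_url"], "Start time": webkit_to_iso(r["start_time"]),
         "End time": webkit_to_iso(r["end_time"]), "Opened": bool(r["opened"])}
        for r in conn.execute("SELECT target_path, tab_url, start_time, end_time, opened FROM downloads")
    ]
    return {"History": history, "Keyword searches": searches, "Downloads": downloads}


def build_events(tables):
    """Flatten the tables into sorted (time, type, description) rows, worded like XWF's event list."""
    events = []
    for h in tables["History"]:
        events.append((h["Time"], "Visit", f"{h['URL']} ({h['Type']})"))  # our own wording
    for s in tables["Keyword searches"]:
        events.append((s["Search time"], "Other", f"Search term: {s['Term']}"))
    for d in tables["Downloads"]:
        events.append((d["Start time"], "Other", f"Start download, source: {d['URL']} (target: {d['Path']})"))
        if d["End time"]:
            events.append((d["End time"], "Other", f"End download, source: {d['URL']} (target: {d['Path']})"))
    return sorted(events)


def to_tsv(rows):
    """Serialise a list of dicts as TSV text (header + rows); tabs/newlines in values become spaces."""
    if not rows:
        return ""
    cols = list(rows[0])
    clean = lambda v: str(v).replace("\t", " ").replace("\n", " ")
    lines = ["\t".join(cols)] + ["\t".join(clean(r[c]) for c in cols) for r in rows]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    tables = parse_history(open_sample_history())
    for name, rows in tables.items():
        print(f"== {name} ==\n{to_tsv(rows)}")
    for when, kind, desc in build_events(tables):
        print(when, kind, desc, sep="\t")
```

Comparing the script’s TSV and event rows against the XWF child objects and event list is a quick cross-check of timestamps and transition types; Firefox’s places.sqlite would need different tables (moz_places, moz_historyvisits, moz_bookmarks) and its timestamps are microseconds since the Unix epoch, not the WebKit epoch.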
Notable events may be marked by selecting the event row and:
1. Directory browser context menu | Events | Mark as notable, OR
2. [space bar]
The filtered results may then be selected (Ctrl + A) then exported (Directory Browser context menu | Export list…).
HTML Child Object
Checking “Create previews of browser databases, event logs, and $UsnJrnl:$J” will generate the HTML child object. XWF supports several data sources that are described in section 6.3.3(f) of the manual. Chrome’s History HTML child object displays browsing history, keyword searches, and downloads in three distinct tables. The HTML child object also has columns for visits, type, and duration – columns that are not populated in the events list as of 20.5 SR-2. While the child object may be previewed with the viewer component, my preference is using an Internet browser or Excel.
Opening the HTML child object in Excel may offer additional flexibility through filtering and sorting. However, to ensure the columns are sorted properly, the tables for history, keyword searches and downloads need to be separated into their own sheet.
Quick Excel Tip:
Rather than clicking and dragging a section of rows and columns, you may extend data selection to a blank row or column in Excel using Ctrl + Shift + [🠡, 🠣, 🠤, or 🠢].
1. For the HTML child object, start with the History table by selecting its label (row 6). Use the extended selection shortcut by pressing Ctrl+Shift and then 🠣🠣. The first 🠣 will select rows 6 through 8. The second 🠣 will extend the selection through the next blank row.
2. With the data selected, copy and paste to another worksheet. Repeat with additional tables.
3. Save as an Excel, or HTML file. Saving it as an HTML file will also generate a directory for its resources.
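As an alternative to the manual Excel steps, the Python script below is an added example (not part of the original post): it parses an HTML file holding the three labelled tables and renders each as its own CSV text, so that each table can be written to a separate file and opened in Excel as its own sheet where filtering and sorting work correctly. The sample HTML is constructed, and the layout it relies on, a text label immediately preceding each `<table>`, is an assumption about the HTML child object; if XWF’s markup differs, only the label detection in `handle_data` needs adjusting.

```python
import csv
import io
from html.parser import HTMLParser

# Constructed stand-in for an HTML child object (assumed layout: a label line before each table).
SAMPLE_HTML = """
<html><body>
<p>History</p>
<table><tr><th>Id</th><th>Time</th><th>URL</th></tr>
<tr><td>1</td><td>2022-06-18 04:26:40</td><td>https://example.com/</td></tr></table>
<p>Keyword searches</p>
<table><tr><th>Term</th><th>URL</th><th>Search time</th></tr>
<tr><td>x-ways</td><td>https://www.google.com/search?q=x-ways</td><td>2022-06-18 04:27:40</td></tr></table>
<p>Downloads</p>
<table><tr><th>Path</th><th>URL</th><th>Start time</th><th>End time</th><th>Opened</th></tr>
<tr><td>C:\\Users\\user\\Downloads\\setup.exe</td><td>https://example.com/setup.exe</td>
<td>2022-06-18 04:28:40</td><td>2022-06-18 04:28:50</td><td>no</td></tr></table>
</body></html>
"""


class TableSplitter(HTMLParser):
    """Collect every <table> as a list of rows; the last text seen outside a table is its label."""

    def __init__(self):
        super().__init__()
        self.tables = {}     # label -> list of rows (each row a list of cell strings)
        self._label = None   # most recent non-blank text outside any table
        self._rows = None    # rows of the table being parsed, or None when outside a table
        self._row = None     # cells of the row being parsed
        self._cell = None    # text fragments of the cell being parsed

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._rows = []
        elif tag == "tr" and self._rows is not None:
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)
        elif self._rows is None and data.strip():
            self._label = data.strip()   # assumed: the label precedes its table

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self._rows.append(self._row)
            self._row = None
        elif tag == "table" and self._rows is not None:
            label = self._label or f"table{len(self.tables) + 1}"  # fallback if no label was seen
            self.tables[label] = self._rows
            self._rows = None
            self._label = None


def split_tables(html):
    """Return {label: rows} for every table in the HTML document."""
    parser = TableSplitter()
    parser.feed(html)
    parser.close()
    return parser.tables


def tables_to_csv(tables):
    """Render each table as CSV text; write each value to '<label>.csv' to get one sheet per table."""
    out = {}
    for label, rows in tables.items():
        buf = io.StringIO()
        csv.writer(buf, lineterminator="\n").writerows(rows)
        out[label] = buf.getvalue()
    return out


if __name__ == "__main__":
    for label, text in tables_to_csv(split_tables(SAMPLE_HTML)).items():
        print(f"--- {label}.csv ---\n{text}")
```

Writing the CSV text for each label to a file named after it keeps the History, Keyword searches and Downloads tables apart, which is exactly what the copy-and-paste steps above achieve by hand.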
TSV Child Objects
If checked, XWF will “Extract tables from various other SQLite databases” as TSV child objects, which are named after the table (6.3.3g). Consequently, notable search hits may identify a table for further examination.
If a situation requires it, the TSV child objects may be opened in a program of your choice.
Perhaps a preferred tool is not available, or a reporting function is not working. If XWF is part of your toolkit, it may be used to extract Internet browser activity for examination and/or validation of other tools.
As demonstrated, data extracted may be reviewed in an event list, the HTML child object, or the TSV child object. With some practical application of filters, Simultaneous Search, and some Excel know-how, reporting on Internet activity is very manageable with XWF.
It is nice to know you have options.
Ted Smith’s video on Finding and parsing Internet Explorer Index.dat files and Parsing SQLite Database with X-Ways Forensics.