Skip to end of metadata
Go to start of metadata
NetAnalysis Tutorials

Solutions to frequently asked questions and queries about NetAnalysis:

Page: Bookmarking URL Records — As you review and analyse the data, you may identify records which are of evidential value or relevant to the particular investigation.  The bookmark field is set by the forensic examiner and contains a string which can be used to identify or describe a record.  The bookmark string appears in the Advanced Report and is commonly used to annotate particular records when they are of evidential value to your case.
Page: Configuring Agency and Examiner Name in the Printed Reports — NetAnalysis stores the name of the Forensic Scientist / Examiner and Agency information within each Workspace file.  This information is displayed in Reports and Web Page Rebuilding Audit Logs.  This information can be changed as desired.  When NetAnalysis is first installed and run, it reads the registry to identify the Registered User and Company / Agency details for the Operating System.  This information is then stored in the NetAnalysis user configuration file.  As each Workspace is generated, the default values from the configuration file are read and saved to the corresponding fields in the Workspace.
Page: Decoding Internet Explorer Cookies — NetAnalysis has its own built-in cookie decoder.  It can be activated by clicking on the Cookie Decoder button on the toolbar or from the following menu: View » Cookie Decoder.
Page: Exporting — Exporting data from NetAnalysis is a relatively easy process.  Table 1 outlines the current export options.
Page: Finding the Evidence — It is important to be able to quickly identify the Internet history records that can prove your case.  NetAnalysis has a number of different ways to do this:
Page: How to Recover Mozilla Firefox Cache and Rebuild Cached Pages — Rebuilding a web page from the data contained within a suspect's Temporary Internet Files (also known as the Cache) can be one of the strongest pieces of evidence available.  NetAnalysis was the first forensic software to include the functionality for rebuilding web pages from an offline cache.
Page: Installing a Licence Key File — NetAnalysis can use a licence key file to activate the full functionality of the software.  The licence key file is normally sent to the end user by email and is contained within a zip archive.  The licence key file (netanalysis.lic) must be extracted from the zip archive and installed.  In previous version of NetAnalysis, the licence key file was copied to the installation folder so that it was in the same physical location as the NetAnalysis.exe executable file.  In version 1.5x and later, you must install the Licence Ley File using the Licence Key Management Utility as explained below:
Page: Installing NetAnalysis — The following procedure will guide you through installing NetAnalysis for the first time.  Please ensure that you close all other applications before starting.
Page: Matching Keywords with Cached File Entries — During a forensic examination you may identify a number of relevant files in the cache belonging to Internet Explorer and wish to identify which Internet web sites the files belong to.  If you have a list of cache file names, you can use the Keyword List function in NetAnalysis to match the items to the corresponding URL entries.
Page: Practice Files — To assist you in getting to know the NetAnalysis user interface, and to practise using the software in a safe learning environment, we have provided some sample data.  Working through the examples will help you get up to speed with using our software effectively within a forensic environment.
Page: Time Zone Configuration — In a forensic examination, establishing the time zone from the suspect system is one of the first tasks for a forensic examiner.  If this information is not established at an early stage and taken into account, then the validity of all date/time values may be brought into question due to the way operating systems and browser applications store date/time information.

Below are the 315 labels used in NetAnalysis v1.x listed alphabetically. Click on a label to see its associated content.
A
access, addons, agency, apple, archived-history, articles, ascii, audit, autofill, autofill_dates, autofill_profile_emails, autofill_profile_names, autofill_profile_phones, autofill_profiles, autofill_profiles_trash
B
backend, binary-plist, bookmark, borwser, browser, bug
C
c2body, cache, cached, caching, change-log, changelog, chrome, chromeappsstore, column, comma, config, configuration, content-prefs, cookie, cookies, corrupt, credit_cards, csv
D
data, database, dataset, date, decode, decoder, decoding, deleted, demo, deprecated, df, digital, dongle, dongles, download, downloads, dst
E
encoding, error, errors, evaluation, evidence, example, expire, expired, explorer, export, exporting, extensions
F-G
faq, faqs, favicons, field, fields, file, file-location, filter, filtering, finding, firefox, firefox-12, firefox-13, fix, forensic, forensics, formhistory, gmt, google, guide
H
help, history, history-index, home, host, hostname, howto, hstex, html, http, http-request, http-response, hub
I-J
icon_mapping, ie, ie7_logins, ietld, ietldcache, index-dat, info, inprivate, inprivate-filtering, install, interface, internet, internet-explorer, introduction, invalid, issue, jet
K
kb-blog, kb80003, kb80004, kb80013, kb80014, kb80019, kb80020, kb80024, kb80025, kb80026, kb80027, kb80028, kb80029, kb80030, kb80031, kb80032, kb80033, kb80034, kb80039, kb80041, kb80042, kb80043, kb80044, kb80049, kb80051, kb80053, kb80054, kb80061, kb80062, kb80067, kb80070, kb80071, kb80072, kb80073, kb80074, kb80079, kb80080, kb80084, kb80085, kb80087, kb80092, kb80093, kb80096, kb80097, kb80098, kb80100, kb80103, kb80104, kb80106, kb80107, kb80113, keyboard, keyfile, keyword_search_terms, keywords
L-M
last-modified, leak, licence, licence-id, licensing, lkf, lkmu, localtime, location, login-data, logins, mdac, meta, microsoft, move, moz-page-thumbs, mozilla, msie
N-O
new, news, notes, nt, opera, operators, options, os
P
page-thumbnail, page-transitions, pages, pages_content, pages_segdir, pages_segments, pdf, pdfcreator, permissions, places, plist, practice, presentation, privacie, problem, processing, properties, proprties, purchase
Q
queries, query-manager, quick-start
R
random-cookie-names, rdp, read-only, rebuild, rebuilding, records, recover, recovery, reference, registry, release, release-notes, remote, reporting, reports, restriction, results, reviewing
S
safari, schema, scheme, search, searching, segment_usage, segments, setup, shortcut, signons, size, slkf, solve, sql, sqlite, start, static, status, structured-query-language, summary, support, supported
T
tabbed, technical, temporary-internet-files, thumbnail, thumbnails, tif, time, timestamp, timezone, timezones, timstamp, tolken_service, toolbar, top-sites, tour, transfer, transition, tsv, tutorial, tutorials, type, tz
U
ui, understand, update, upgrade, upgraded, upgrading, uri, url, url-interpretation, url-record, urls, usb, user-interface, utc
V-Z
v1_37, verification, virtual, visit_source, visits, vista, vmware, wal, warning, warnings, web-page-image, web-page-thumbnail, web_app_icons, web_apps, webpage, windows, workspace, write-ahead-logging