One of the easy-to-use and valuable features of Internet Evidence Finder (IEF) is how the tool rebuilds web pages. IEF has the ability to reconstruct web pages from the browser history and cache as they were seen by the user. While viewing your case in Report Viewer, you might have noticed a category under “IEF Refined Results” called “Rebuilt Webpages”.
Report Viewer uses the files recovered from the image or hard drive by the search to reconstruct web pages as the user viewed them. Any CSS that was recovered is applied so that the page is formatted and displayed for the examiner much as it was for the user.
There are three ways to view the retrieved information:
- Original – The data retrieved by the search, with no attempt to reconstruct the web page.
- Rebuilt – Report Viewer attempts to reconstruct the web page as it was originally viewed, using files from the cache folder.
- Report – A report listing which files Report Viewer used when it reconstructed the web page.
Here’s an example of Report Viewer displaying the original web page with no rebuilding:
Here’s an example of the Report Viewer displaying the same page after it has been rebuilt:
Finally, here’s the Page Rebuild Report, which gives the investigator the details of how Report Viewer rebuilt the given web page. It lists the date/time the page was rebuilt and the location of every file used to rebuild it, which is what you will want to cite when the rebuilt page goes into a report.
If the examination machine is connected to the Internet and the recovered HTML contains references to remote resources (image, stylesheet and script URLs, or embedded scripts that request them), there is the potential that additional data will be pulled from the Internet into the rebuilt page. This is simply how a browser behaves when it is handed HTML: it resolves what the page references, and on a connected machine that request goes out to the original server. Two consequences follow. The rebuilt page may then show live content rather than what was in the cache, and the examination machine has generated outbound traffic to the site under investigation. If you want to be sure that no additional data is pulled into the rebuilt page, disconnect the examination machine from the Internet before rebuilding the web page. In any case, data pulled from the Internet does not modify the evidence files in your IEF case. To remedy the situation if it occurs, close the case, disconnect from the Internet, and reopen the case and the rebuilt web page.
IEF also gives you the option to execute any JavaScript found on the recovered web page. This feature is disabled by default so that scripts recovered from a suspect’s cache, which are untrusted content, cannot run on the examination machine unless you choose to allow it. To enable it, from the Report Viewer select “Edit” from the top-left pull-down menu and check the “Enable HTML Scripts in Browser” option. Refresh the page and the scripts will run. If you do enable it, keep the examination machine disconnected from the Internet so that the scripts cannot reach the network, and treat the rebuilt page as you would any other untrusted content.
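Before rebuilding a page on a machine that might be connected, it helps to know in advance what the browser would try to fetch. The following script is an added example for this post (it is not IEF’s or Magnet Forensics’ code) that does, for one cached HTML file, the check the two previous paragraphs describe: it lists every reference a browser resolves automatically while rendering (images, stylesheets, scripts, frames, CSS `url(...)` values), separates those that would generate network traffic from those that must come from the cache, and flags inline scripts along with any absolute URL literals inside them. The sample page, its hostnames and paths are constructed for the example. It deliberately ignores `<a href>` and form actions, which fetch only when clicked, and it is a static check: a script can build a URL at run time that no static scan will find, which is why the page is only reported as safe to rebuild online when it has no remote references and no inline scripts at all.

```python
"""Static audit of a cached HTML page: what would a browser fetch from the
network if the page were rebuilt on an Internet-connected examination machine?
Added example, not IEF or Magnet Forensics code; standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs a browser dereferences automatically while rendering.
# Anchors and form actions are deliberately absent: those fetch only on click.
AUTO_FETCH = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "embed": ("src",), "object": ("data",),
    "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "input": ("src",), "body": ("background",),
}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)
# Absolute-URL string literals inside inline scripts. Best effort only:
# a script can assemble a URL at run time that no static scan will see.
SCRIPT_URL_RE = re.compile(r"""['"](https?://[^'"\s]+)['"]""")

def is_remote(url):
    """True if resolving this reference would generate network traffic."""
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme in ("http", "https")

class RebuildAuditor(HTMLParser):
    """Collect the references one cached HTML document would load."""
    def __init__(self):
        super().__init__()
        self.remote = []          # (tag, url) pairs that would leave the machine
        self.local = []           # (tag, url) pairs that must come from the cache
        self.inline_scripts = 0   # <script> blocks without a src attribute
        self.script_urls = []     # absolute URL literals found inside them
        self._in_script = self._in_style = False

    def _classify(self, tag, url):
        url = url.strip()
        if not url or urlsplit(url).scheme in ("data", "javascript", "about"):
            return                # nothing to fetch
        bucket = self.remote if is_remote(url) else self.local
        if (tag, url) not in bucket:
            bucket.append((tag, url))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script" and "src" not in attrs:
            self.inline_scripts += 1
            self._in_script = True
        elif tag == "style":
            self._in_style = True
        for name in AUTO_FETCH.get(tag, ()):
            if name not in attrs:
                continue
            if name == "srcset":  # "url 1x, url 2x": keep only the URLs
                for cand in attrs[name].split(","):
                    if cand.split():
                        self._classify(tag, cand.split()[0])
            else:
                self._classify(tag, attrs[name])
        for url in CSS_URL_RE.findall(attrs.get("style", "")):
            self._classify(tag + "[style]", url)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                self._classify("style", url)
        if self._in_script:
            self.script_urls.extend(SCRIPT_URL_RE.findall(data))

def audit_html(html):
    """Parse one document and summarise what rendering it would fetch."""
    p = RebuildAuditor()
    p.feed(html)
    p.close()
    return {"remote": p.remote, "local": p.local,
            "inline_scripts": p.inline_scripts, "script_urls": p.script_urls,
            "safe_to_rebuild_online": not p.remote and p.inline_scripts == 0}

# Constructed sample standing in for a page recovered from a browser cache.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<style>body { background: url("images/bg.png"); }</style>
<script src="//static.example.net/analytics.js"></script>
<script>var b = new Image(); b.src = "https://tracker.example.net/pixel.gif";</script>
</head><body>
<img src="images/logo.png" srcset="images/logo.png 1x, https://cdn.example.net/logo@2x.png 2x">
<div style="background:url('https://cdn.example.net/hero.jpg')">Welcome back</div>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<a href="https://www.example.net/profile/123">Profile</a>
</body></html>"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML)
    for tag, url in report["remote"]:
        print("would fetch from network:", tag, url)
    print("inline scripts:", report["inline_scripts"], report["script_urls"])
```

Run it against the HTML file exported from the cache (read the file and pass its contents to `audit_html`) and keep the output next to the Page Rebuild Report: the first list is what an online rebuild would have requested from the site, the second is what the cache must supply for the rebuilt page to be faithful, and a non-zero inline script count is the reason to leave the script option disabled or to rebuild offline.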
You might also have noticed the option to “Enable Downloading Images from Web”. When checked, this feature pulls additional images for particular recovered artifacts, such as the Facebook profile image for a profile that was found on the machine (the image is publicly available and can be retrieved without logging in to Facebook). This option is not related to rebuilding web pages, and it is disabled by default; like rebuilding while connected, it generates outbound traffic from the examination machine, so enable it deliberately.
Rebuilding web pages in IEF gives investigators a better understanding of what the suspect may have seen when viewing a given website. As with any investigation, the examiner must use caution when analyzing the results, but with a clear understanding of how these features work, and of when the rebuilt page may include content the suspect never saw, they can use these options to complement the investigation and the report delivered to stakeholders.
Please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.
Jamie McQuaid
Forensics Consultant, Magnet Forensics
