by Gerald Prock


This work is about a created program, which can automatically evaluate and validate browser history data from a disk image. The mentioned image can be a RAW-image of a partition or an entire hard disk. This will be read only mounted from the created program and after that analyzed for the existing user and browsers. The following browser are supported:

When the search through the data source is complete, the found browser history directories will be copied to a temporary folder. After that all files will be evaluated and also the according user and operating system type will be saved. All found URLs and cookies will be checked for their validation through downloading of the corresponding address and comparing them with the local data. The found data will be stored in a SQLite-database and at the end of the program a XML-file will be created out of it. The hierarchy of this file can be defined at the start of the application. The created program was written in Bash and can be executed on any GNU|Linux operating system. In addition a Live-CD with the program was created and enclosed to this work. This enables to review a computer without removing the harddisk or starting the operating system.

Program structure: