Track Internet Use – View History of Web Sites Visited with Web Historian [Tutorial]

What is Web Historian? “Web Historian”
is digital forensics software created by Mandiant, and available for FREE. Web Historian allows
you to collect, display, and analyze web history data in a spreadsheet style view. It collects
web history, cookie history, file download history, and form history. Web Historian works
with “Internet Explorer”, “FireFox”, “Chrome”, and “Safari”. It works with
Windows 2000/XP/2003/Vista/7. Install Web Historian. Open a web browser like “Internet
Explorer”, “Firefox”, or “Chrome”. In the “Address Bar” enter “Mandiant”,
and press enter. On the “Mandiant” home page that opens, click so select the “Products”
link. On the “Products” page, click the “Free Software” link. Scroll down to “Web
Historian” ad click the link. On the “Web Historian” page, you can either fill out
the information and click the “Download Now” button, or you can click the “Download
Now” link to just download the file without registering. You will then see the file and
hash information. Click the “Download Now” button to start the download. On the “Download
Information Bar” you can save the file to your computer before installing if you like,
or as I prefer, just click the “Run” button. This will download the file and automatically
start the installer. Once the download finishes, the “Web Historian Setup” window will
open. Click the “Next” button. On the “End-User License Agreement” screen, read
the license agreement, click to select “I accept the terms in the License Agreement”,
and click the “Next” button. On the “Destination Folder” screen, click the “Next” button.
On the “Ready to install Web Historian” screen, click the “Install” button. After
the installation finishes, on the “Completed the Web Historian Setup Wizard” screen,
click the “Finish” button. Now that we have Web Historian installed, let’s open
it for the first time, and go over how to use the program to analyze web history. Click
on the Windows “Start” button, “All Programs”, “Mandiant”, “Web Historian”,
and then click the “Web Historian” link. The “MANDIANT Web Historian” application
window will open. The first step in using Web Historian is to scan the computer for
web history files. Click the “Start Scan” button. The “Web History Scan” window
will open. Look under where it says “Where do you want to look for web history?”. If
you have already extracted the specific individual history file you want to scan, you would select
“History file:”. If you don’t have the file but only want to look at a single user
on that computer, you would select “Profile folder:”, and then select the root of the
user profile. Most of the time, and in this case, we are going to select “Scan my local
system”. This will search the entire computer for web history files, and then display the
data from all of them. You can then filter it out by user or whatever else you want.
With “Scan my local system” selected, click the “Start” button. It will then
change to the “Agent Output” tab, and display information as it scans. Once the
scan is finished, click the “Close” button. It will close out to the “Form History”
tab. Some user/password information may be contained here, although it doesn’t work
with most new web browsers. Let’s click on the “Web History” tab. Here we can
see that there are 212 pages of information, and we are on page 1. You can type in the
page number or use the forward and back arrows to change pages. Here is a list of all the
web pages that have been visited along with information such as the date, URL, User, Browser
type, and more. You can sort by any column that you like by clicking on the column name.
Let’s click on “LastVisitDate” twice to sort by the date. Once sorts with oldest
first. Two will sort with the newest first. So now looking down the list we can see all
the sites visited. If you see a link you want to check, you can right-click on it, and select
“Open URL In Browser”. Your default web browser will open with the selected web site.
The “Cookie History” tab, contains information on web site cookies, and their paths, and
other information. You will find most of what you need on the “Web History” tab rather
than on the “Cookie History” tab so we won’t go into that. Let’s click on the
“Download History” tab. Here you will have entries showing the source URL of the
file and the directory on your computer that it was download to. There is not any right-click
open option here. You can browse through Windows Explorer to the target directory and then
open the file manually to see what it is. Let’s find an entry that we want to investigate
further. Let’s open “Windows Explorer”. Browse to the location in the TargetDirectory
field. You won’t be able to browse past C:usersUserNameAppDataLocalMicrosoftWindowsTemporary
Internet Files. Even if it is set to show hidden files these are still hidden. In the
address bar you need to type in the next folder name, which in this case is “Content.IE5”.
I will type that in and press enter. We are now in the hidden folder. Continue browsing
to the file. Double click on the file to open it. We now have the knowledge to scan the
computer and open the web history logs in Web Historian. We can open downloads and web
pages to investigate. Hopefully this will help you investigate problem internet users,
and remind the rest of us to clear our web history.

Comments 47

Leave a Reply

Your email address will not be published. Required fields are marked *