What is Web Historian? “Web Historian” is digital forensics software created by Mandiant and
available for FREE. Web Historian allows you to collect, display, and analyze web history
data in a spreadsheet-style view. It collects web history, cookie history, file download
history, and form history. Web Historian works with “Internet Explorer”, “Firefox”,
“Chrome”, and “Safari”. It works with Windows 2000/XP/2003/Vista/7.

Install Web Historian. Open a web browser like “Internet Explorer”, “Firefox”, or “Chrome”.
In the “Address Bar” enter “Mandiant”, and press enter. On the “Mandiant” home
page that opens, click to select the “Products” link. On the “Products” page, click the
“Free Software” link. Scroll down to “Web Historian” and click the link. On the “Web
Historian” page, you can either fill out the information and click the “Download
Now” button, or you can click the “Download Now” link to just download the file without
registering. You will then see the file and hash information. Click the “Download Now”
button to start the download. On the “Download Information Bar” you can save the file to
your computer before installing if you like, or as I prefer, just click the “Run” button.
This will download the file and automatically start the installer. Once the download finishes,
the “Web Historian Setup” window will open. Click the “Next” button. On the
“End-User License Agreement” screen, read the license agreement, click to select “I
accept the terms in the License Agreement”, and click the “Next” button. On the “Destination
Folder” screen, click the “Next” button. On the “Ready to install Web Historian”
screen, click the “Install” button. After the installation finishes, on the “Completed
the Web Historian Setup Wizard” screen, click the “Finish” button.

Now that we have Web Historian installed, let’s open it for the first time, and go over how to
use the program to analyze web history. Click on the Windows “Start” button, “All
Programs”, “Mandiant”, “Web Historian”, and then click the “Web Historian” link.
The “MANDIANT Web Historian” application window will open.

The first step in using Web Historian is to scan the computer for web history files. Click the
“Start Scan” button. The “Web History Scan” window will open. Look under where it says “Where
do you want to look for web history?”. If you have already extracted the specific individual
history file you want to scan, you would select “History file:”. If you don’t have the
file but only want to look at a single user on that computer, you would select “Profile
folder:”, and then select the root of the user profile. Most of the time, and in this
case, we are going to select “Scan my local system”. This will search the entire computer
for web history files, and then display the data from all of them. You can then filter
it by user or whatever else you want. With “Scan my local system” selected,
click the “Start” button. It will then change to the “Agent Output” tab, and
display information as it scans. Once the scan is finished, click the “Close” button.
It will close out to the “Form History” tab. Some user/password information may be
contained here, although it doesn’t work with most new web browsers.

Let’s click on the “Web History” tab. Here we can see that there are 212 pages of information,
and we are on page 1. You can type in the page number or use the forward and back arrows
to change pages. Here is a list of all the web pages that have been visited along with
information such as the date, URL, User, Browser type, and more. You can sort by any column
that you like by clicking on the column name. Let’s click on “LastVisitDate” twice
to sort by the date. One click sorts with the oldest first. Two clicks sort with the newest first.
So now, looking down the list, we can see all the sites visited. If you see a link you want
to check, you can right-click on it, and select “Open URL In Browser”. Your default web
browser will open with the selected web site.

The “Cookie History” tab contains information on web site cookies, their paths, and other
details. You will find most of what you need on the “Web History” tab rather than on the
“Cookie History” tab, so we won’t go into that.

Let’s click on the “Download History” tab. Here you will
have entries showing the source URL of the file and the directory on your computer that
it was downloaded to. There is no right-click open option here. You can browse through Windows
Explorer to the target directory and then open the file manually to see what it is.
Let’s find an entry that we want to investigate further. Let’s open “Windows Explorer”.
Browse to the location in the TargetDirectory field. You won’t be able to browse past
C:\users\UserName\AppData\Local\Microsoft\Windows\Temporary Internet Files\. Even if Explorer is
set to show hidden files, these are still hidden. In the address bar you need to type in the next
folder name, which in this case is “Content.IE5”. I will type that in and press enter. We are
now in the hidden folder. Continue browsing to the file. Double-click on the file to open
it.

We now have the knowledge to scan the computer and open the web history logs in
Web Historian. We can open downloads and web pages to investigate. Hopefully this will
help you investigate problem internet users, and remind the rest of us to clear our web
history.
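
The hidden “Content.IE5” step above can also be done from PowerShell, which lists Hidden and System items that Windows Explorer leaves out, and lets you record each file's timestamps and hash without opening it. This is an added example, not part of the original walkthrough; the function name Get-DownloadEvidence, its parameters, and the output file name are hypothetical, and it assumes PowerShell 4.0 or later (for Get-FileHash) on an NTFS volume.

```powershell
# Added example: inventory a download location without opening any file in it.
# $TargetDirectory is the value copied from Web Historian's TargetDirectory column.
function Get-DownloadEvidence {
    param(
        [Parameter(Mandatory)] [string] $TargetDirectory,
        [string] $Filter = '*'
    )
    if (-not (Test-Path -LiteralPath $TargetDirectory)) {
        throw "Target directory not found: $TargetDirectory"
    }
    # -Force includes items marked Hidden and System, which Explorer does not list.
    Get-ChildItem -LiteralPath $TargetDirectory -Filter $Filter -File -Force -Recurse `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Zone.Identifier is an NTFS alternate data stream; many files have none.
            $zone = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' `
                                -ErrorAction SilentlyContinue
            # Files locked by another process cannot be hashed; SHA256 is then empty.
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                                 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path         = $_.FullName
                Attributes   = $_.Attributes
                Length       = $_.Length
                CreatedUtc   = $_.CreationTimeUtc
                LastWriteUtc = $_.LastWriteTimeUtc
                SHA256       = $hash.Hash
                ZoneInfo     = ($zone -join '; ')
            }
        }
}

# Path from the walkthrough, built for the current user (Windows 7 / Internet Explorer).
$cache = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Content.IE5'

# Newest files first, saved to a CSV (hypothetical file name) for comparison with the
# SourceURL and TargetDirectory entries on the "Download History" tab.
Get-DownloadEvidence -TargetDirectory $cache |
    Sort-Object LastWriteUtc -Descending |
    Export-Csv -Path '.\download-evidence.csv' -NoTypeInformation
```

To examine another user's profile, pass that user's TargetDirectory value directly instead of building the path from $env:LOCALAPPDATA, and run the shell with rights to read that profile.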