What is Web Historian?
“Web Historian” is digital forensics software
created by Mandiant, and available for FREE.
Web Historian allows you to collect, display,
and analyze web history data in a spreadsheet
style view.
It collects web history, cookie history, file
download history, and form history.
Web Historian works with “Internet Explorer”,
“Firefox”, “Chrome”, and “Safari”.
It works with Windows 2000/XP/2003/Vista/7.
Install Web Historian.
Open a web browser like “Internet Explorer”,
“Firefox”, or “Chrome”.
In the “Address Bar” enter “Mandiant”,
and press enter.
On the “Mandiant” home page that opens,
click to select the “Products” link.
On the “Products” page, click the “Free
Software” link.
Scroll down to “Web Historian” and click
the link.
On the “Web Historian” page, you can either
fill out the information and click the “Download
Now” button, or you can click the “Download
Now” link to just download the file without
registering.
You will then see the file and hash information.
Click the “Download Now” button to start
the download.
On the “Download Information Bar” you
can save the file to your computer before
installing if you like, or as I prefer, just
click the “Run” button.
This will download the file and automatically
start the installer.
Once the download finishes, the “Web Historian
Setup” window will open.
Click the “Next” button.
On the “End-User License Agreement” screen,
read the license agreement, click to select
“I accept the terms in the License Agreement”,
and click the “Next” button.
On the “Destination Folder” screen, click
the “Next” button.
On the “Ready to install Web Historian”
screen, click the “Install” button.
After the installation finishes, on the “Completed
the Web Historian Setup Wizard” screen,
click the “Finish” button.
Now that we have Web Historian installed,
let’s open it for the first time, and go
over how to use the program to analyze web
history.
Click on the Windows “Start” button, “All
Programs”, “Mandiant”, “Web Historian”,
and then click the “Web Historian” link.
The “MANDIANT Web Historian” application
window will open.
The first step in using Web Historian is to
scan the computer for web history files.
Click the “Start Scan” button.
The “Web History Scan” window will open.
Look under where it says “Where do you want
to look for web history?”.
If you have already extracted the specific
individual history file you want to scan,
you would select “History file:”.
If you don’t have the file but only want
to look at a single user on that computer,
you would select “Profile folder:”, and
then select the root of the user profile.
Most of the time, and in this case, we are
going to select “Scan my local system”.
This will search the entire computer for web
history files, and then display the data from
all of them.
You can then filter it by user or by anything
else you want.
With “Scan my local system” selected,
click the “Start” button.
It will then change to the “Agent Output”
tab, and display information as it scans.
Once the scan is finished, click the “Close”
button.
It will close out to the “Form History”
tab.
Some user/password information may be contained
here, although it doesn’t work with most
new web browsers.
Let’s click on the “Web History” tab.
Here we can see that there are 212 pages of
information, and we are on page 1.
You can type in the page number or use the
forward and back arrows to change pages.
Here is a list of all the web pages that have
been visited along with information such as
the date, URL, User, Browser type, and more.
You can sort by any column that you like by
clicking on the column name.
Let’s click on “LastVisitDate” twice
to sort by the date.
Clicking once sorts with the oldest first.
Clicking twice sorts with the newest first.
So now looking down the list we can see all
the sites visited.
If you see a link you want to check, you can
right-click on it, and select “Open URL
In Browser”.
Your default web browser will open with the
selected web site.
The “Cookie History” tab contains information
on web site cookies, their paths, and
other information.
You will find most of what you need on the
“Web History” tab rather than on the “Cookie
History” tab so we won’t go into that.
Let’s click on the “Download History”
tab.
Here you will have entries showing the source
URL of the file and the directory on your
computer that it was downloaded to.
There is no right-click open option here.
You can browse through Windows Explorer to
the target directory and then open the file
manually to see what it is.
Let’s find an entry that we want to investigate
further.
Let’s open “Windows Explorer”.
Browse to the location in the TargetDirectory
field.
You won’t be able to browse past C:\users\UserName\AppData\Local\Microsoft\Windows\Temporary
Internet Files\.
Even if Windows Explorer is set to show hidden
files, these folders are still hidden.
In the address bar you need to type in the
next folder name, which in this case is “Content.IE5”.
I will type that in and press enter.
We are now in the hidden folder.
Continue browsing to the file.
Double click on the file to open it.
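The same lookup can be done from PowerShell, which also records a cached file's hash and timestamps before it is opened. This is an added example, not part of the original tutorial or of Web Historian; the function names, the user name and the file name are placeholders, and it assumes PowerShell 4.0 or later for Get-FileHash. The optional expected-hash check can also be pointed at the downloaded installer to compare it with the hash shown on the download page.

```powershell
# Added example: locate a file inside the hidden Content.IE5 cache and record
# its metadata and hash. Paths and names below are placeholders.

function Find-CachedDownload {
    param(
        [Parameter(Mandatory)] [string] $CacheRoot,  # ...\Temporary Internet Files\Content.IE5
        [Parameter(Mandatory)] [string] $FileName    # file name to look for
    )
    # -Force is needed because Content.IE5 and its subfolders are hidden system
    # folders. Cached names often contain "[1]"; square brackets are wildcard
    # characters, so the name is compared with -eq rather than -Filter or -like.
    Get-ChildItem -LiteralPath $CacheRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $FileName }
}

function Get-EvidenceFileInfo {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('MD5', 'SHA1', 'SHA256')] [string] $Algorithm = 'SHA256',
        [string] $ExpectedHash   # optional: published or previously recorded value
    )
    $item = Get-Item -LiteralPath $Path -Force
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    [pscustomobject]@{
        Path        = $item.FullName
        Length      = $item.Length
        CreatedUtc  = $item.CreationTimeUtc
        ModifiedUtc = $item.LastWriteTimeUtc
        Attributes  = $item.Attributes
        Algorithm   = $Algorithm
        Hash        = $hash
        # $null when no expected value was supplied; string -eq ignores case
        HashMatches = if ($ExpectedHash) { $hash -eq $ExpectedHash.Trim() } else { $null }
    }
}

# Placeholder profile and file name; replace with the values from the
# TargetDirectory column.
$cache = 'C:\Users\UserName\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5'
Find-CachedDownload -CacheRoot $cache -FileName 'example[1].exe' |
    ForEach-Object { Get-EvidenceFileInfo -Path $_.FullName } |
    Format-List
```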
We now have the knowledge to scan the computer
and open the web history logs in Web Historian.
We can open downloads and web pages to investigate.
Hopefully this will help you investigate problem
internet users, and remind the rest of us
to clear our web history.
