Internet Evidence Finder (IEF) review

Internet Evidence Finder (IEF) review

Post Posted: Wed Jan 30, 2013 10:26 am

Please use this thread for discussion of BitHead's "Internet Evidence Finder (IEF)" review.
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus
Google+: www.google.com/+ForensicFocus
LinkedIn: www.linkedin.com/in/jamiemorris 

jamie
Site Admin
 
 
  

Re: Internet Evidence Finder (IEF) review

Post Posted: Wed Jan 30, 2013 1:02 pm

First of all, that was a great review by Bithead!!! Thank you sir.

I've been using IEF since the early versions (2-3 days searching) and the changes are significantly for the better!

It helps to streamline the workload in a wonderful way. I am one of those 3-letter agency forensic guys who is over-worked and under-trained with the workload of 5-6 examiners...

Having said that, it is important for me to streamline and get work product out as soon as possible.

However, I'd like to add that all findings must be verified in the final report. Meaning that while I use IEF, RegRipper, Bulk Extractor, and other tools to accelerate the process, I always create keyword lists from the results I get from these tools in order to confirm the findings and implement them into one single report.

If I can't confirm these findings with my major platform (mostly EnCase 6) I either:

1) Study why and try different methods.

2) Reach out to the vendor/writer.

3) Reach out to the community.

4) Not include it in my final report.

I normally run Full Search (on Windows machines) with IEF and so far, I have been able to confirm findings that I need to implement in my final report. (As well as with RegRipper and Bulk Extractor!)

Good Job IEF and thanks again BitHead!  

Shaman
Member
 
 
  

Re: Internet Evidence Finder (IEF) review

Post Posted: Sat Feb 02, 2013 12:52 pm

I did not want to imply that results cannot be verified with IEF. I was merely writing that it is very difficult to look at the bulk numbers returned for any two programs and to compare them. Additionally it is difficult to compare results when two tools use different names for results.  

BitHead
Senior Member
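The verification step Shaman describes (turn automated-tool hits into a keyword list and confirm them in the primary platform) and the comparison problem BitHead raises (two tools name the same artifact differently, so bulk counts do not line up) can be handled by a small reconciliation script. This is an added example, not code from the thread or from any of the tools named; the CSV layouts, column names and category mapping are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample output from two hypothetical carving tools (not real IEF or
# Bulk Extractor output); each tool labels artifacts with its own vocabulary.
TOOL_A_CSV = """artifact,value,offset
Chrome History,http://example.com/login,0x1A2B
Firefox Cookies,session=abc123,0x3C4D
Chrome History,http://example.org/download,0x5E6F
"""
TOOL_B_CSV = """feature,value
url,http://example.com/login
url,http://example.net/other
email,user@example.com
"""

# Assumed mapping from each tool's label to a shared category so that counts
# and values become comparable across tools.
TOOL_A_MAP = {"Chrome History": "url", "Firefox Cookies": "cookie"}
TOOL_B_MAP = {"url": "url", "email": "email"}


def load(csv_text, label_field, mapping):
    """Parse one tool's CSV into {category: set(normalised values)}."""
    found = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        category = mapping.get(row[label_field], "unknown")
        found[category].add(row["value"].strip().lower())
    return found


def reconcile(a, b):
    """Per category, split values into seen-by-both, only tool A, only tool B."""
    report = {}
    for category in sorted(set(a) | set(b)):
        va, vb = a.get(category, set()), b.get(category, set())
        report[category] = {"both": va & vb, "only_a": va - vb, "only_b": vb - va}
    return report


def keyword_list(report):
    """Every value, whichever tool produced it, becomes a keyword to confirm manually."""
    keywords = set()
    for buckets in report.values():
        for key in ("both", "only_a", "only_b"):
            keywords |= buckets[key]
    return sorted(keywords)
```

Values that land in `only_a` or `only_b` are the ones that need the extra work Shaman lists (study why, ask the vendor or community, or leave them out of the report).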
 
 
  

Re: Internet Evidence Finder (IEF) review

Post Posted: Sun Feb 03, 2013 11:08 am

Great review and I concur with what you've written... particularly:

" As IEF recovers more and more artifacts, I believe there is a need for more documentation about what artifacts are recovered, how the artifacts are recovered, and how the artifact is parsed (i.e., where did IEF get the Tag information?)"

It would be great if that information was indeed there for the analyst to review so that we can then duplicate the search for manual verification; i.e., what are the search parameters used to obtain X. I've contacted Jad before with some suggestions of what I would like to see added to IEF and he certainly seemed open and welcoming to input from the forensic community.

I can also add that running IEF has become a de facto standard in my shop, right alongside indexing with FTK and various other software. I was interviewed for a Law Enforcement Magazine (of course only part of what one says actually gets printed, though they did a pretty good job) regarding the use of IEF - it has become an invaluable tool which has made our job easier, as long as analysts don't use it as a push-button forensics tool, but take the time to verify their findings.
_________________
Twitter: twitter.com/forensicranger 

ForensicRanger
Senior Member
 
 
  

Re: Internet Evidence Finder (IEF) review

Post Posted: Sun Feb 03, 2013 2:19 pm

I think they should publish the details on all the artifacts they reverse, but they never will.

It's not about the good of the community, it's about the money. =)

On another note:

Why do you always index in FTK? Why index at all except when it's needed (which in my experience and opinion is rare)?

What other software are you running in your shop?

EricZimmerman
Senior Member
 
 
  

Re: Internet Evidence Finder (IEF) review

Post Posted: Sun Feb 03, 2013 3:08 pm

- EricZimmerman
I think they should publish the details on all the artifacts they reverse, but they never will.

It's not about the good of the community, it's about the money. =)

Well, it is about the good of the community in the sense that they offer a good product; certainly as they are a corporate entity, it is also about the money...

- EricZimmerman
On another note:

Why do you always index in FTK? Why index at all except when it's needed (which in my experience and opinion is rare)?

What other software are you running in your shop?


My post was way too broad... We don't index every image (way too much overhead), but only when necessary. The main tools for computer forensics are FTK and EnCase; I recently started using X-Ways (part of a course I'm taking) but it is not used in our shop.

We do use FTK quite a bit and when it's determined that a drive is to be imaged, we index it to allow for investigators to come in, go through the image and bookmark what they deem necessary as part of their investigation.
_________________
Twitter: twitter.com/forensicranger 

ForensicRanger
Senior Member
 
 
  

Re: Internet Evidence Finder (IEF) review

Post Posted: Sun Feb 03, 2013 3:12 pm

Ah. I pretty much only use X-Ways.

Did you take their training or?  

EricZimmerman
Senior Member
 
 