±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 33166
New Yesterday: 0 Visitors: 72

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Reviews

2015

Reviews - 2015

Magnet IEF


  Posted Thursday November 26, 2015 (15:57:16)   (3773 Reads)

 

Reviewed by Steve Robles

Internet Evidence Finder (referenced hereinafter as "IEF") is a computer and mobile forensics tool developed by Jad Saliba of Magnet Forensics, formerly JAD Software. I first began experimenting with this tool in 2011 when the company I was working for began looking for a more efficient solution to analyzing web artifacts, specifically Internet activity and chat communications. While I was initially impressed with the functionality of the software, I was not completely sold on the product because I was utilizing other tools that had similar features and capabilities. It wasn’t until early 2015 when I began using the full version of IEF, and my only regret was not pushing for the purchase sooner.

My name is Steve Robles and I am the former Assistant Director of Digital Forensics of a computer forensics firm located in northern California. I recently decided to start my own digital forensics company where I plan to utilize IEF as a computer and mobile forensics solution. I graduated magna cum laude from Champlain College with a bachelor’s degree in computer forensics and digital investigations. I have received certifications in computer forensics, as well as mobile forensics, and have testified as an expert witness in both areas. Additionally, I have presented on these topics for numerous organizations. Prior to receiving my degree, I worked for a high-tech renewable energy company in southern California and served six years in the United States Air Force. Shortly after adding IEF to my arsenal of tools, I enrolled in the IEF Essentials training course where I gained an even deeper understanding and appreciation for IEF.

Throughout my career I have utilized numerous tools for forensic analysis. Those familiar with the field of computer and mobile forensics know there is no "one-tool-to-rule-them-all" solution. Numerous variables including file system, type of media, desired production, time allotted, encryption status, etc. will help determine the best tool for the job. The tools I have most experience with are AccessData’s Forensic Toolkit (FTK) and Cellebrite’s Physical Analyzer. I also have experience with Black Bag’s Blacklight product, which I found is a great tool for analyzing Apple devices. AccessData’s Mobile Phone Examiner Plus has saved me on more than one occasion, and Guidance Software’s Encase product I find to be especially useful when rebuilding RAIDs or gaining access to encrypted hard drives (with credentials and the Decryption Suite Module). All in all, all tools have their strengths and weaknesses, and IEF is not immune to this fact; regardless, IEF is quickly becoming one of my preferred tools for forensic analysis.

As I mentioned previously, I attended the IEF Essentials training shortly after purchasing IEF, and overall I thought the training was excellent. The information was well presented and the demos were applicable and informative. After receiving the IEF training, I felt much more comfortable with the product and began looking for more ways to integrate IEF into our workflow. What I was constantly impressed with throughout the training was how easy IEF is to operate and navigate. Not that I am all about what is easy, but if there is one phrase I took away from the military (besides “shut up and color”) it is “smarter, not harder,” and I think that phrase describes this product perfectly.

When the product is first launched, there are five options: Drives, Files and Folders, Images, Volume Shadow Copy, and Mobile. The Drives option allows for processing of attached physical drives and/or logical partitions. The Files and Folders option allows for processing of network locations or specific files or folders which is especially useful in circumstances where more than one user exists on a system, but the main concern is in regards to the activity of one particular user. Configuring IEF to process the user’s folder rather than the entire hard drive can potentially save hours of unnecessary analysis.

Compatibility with a wide range of images is another key feature of IEF. IEF’s Image option supports the following image formats: EnCase images (.E01, .Ex01, .L01, .Lx01), Forensic Toolkit (FTK) .AD1 images, Virtual Machine images (.vdi, .vhd, .vmdk, .xva), DMG images, and archive formats (.tar, .gz, .cpio, .zip, .z01). Raw ‘dd’ images (.raw, .dd, .img, .ima, .vfd, .flp, .bif, .bin, .dmg, .dmp) and segmented raw ‘dd’ images (.000, .001) are also supported.

In IEF version 6.3 (current version 6.7), IEF added support for Volume Shadow Copy mounting and analysis from drives and images. I was happy to see Magnet Forensics add this functionality to IEF due to the wealth of deleted or forgotten information typically found within Shadow Copies. Once detected, IEF displays each Shadow Copy and allows the user to expand and select the desired sub-folders for analysis. To the right of the Volume Shadow Copy option is the Mobile option. As of the writing of this review, IEF supports Android, iOS, Windows, and Kindle collections.

Similar to other forensic tools, IEF will also allow multiple sources of evidence within a single case. This is especially helpful when dealing with multiple computers and devices from a single user. Depending on the type of evidence selected, the user will be asked to specify the search level. Available search levels are Full, Quick, Sector Level, and Custom. In my experience, for most forensic examinations, I recommend the Full search level option be selected. Alternatively, if the user is more interested in the low-hanging fruit and time is of the essence, then the Quick search level may be sufficient.

IEF is capable of identifying dozens of potentially relevant artifacts. Ultimately the evidence selected for analysis determines which artifacts are discoverable. By default all artifacts are selected for identification. Individual artifacts can be selected or deselected by checking or unchecking the artifact’s corresponding check-box. To select or deselect entire groups of artifacts, double-click the artifact group name. Allowing the user to configure identifiable artifacts not only allows for a more efficient processing, it also enables the user to conduct a more targeted and thorough review. Artifact search profiles can also be saved for future use.

Following the artifact selection window is a case information window where the user can specify the case destination, case number, examiner name, evidence numbers, and set up keyword alerts. To enable keyword search alerts, check the Enable Keyword Search Alerts check-box then click the configure button to specify which keywords should generate the alert. Keywords can be input manually or imported from a keyword list (one keyword per line). Regular expressions can also be input manually.

Additional case configuration options can be selected from the Tools menu at the top of the screen. From the Tools menu, several options are given including Set Search Speed, Logging, Pop-Up Warnings, Settings, and Hash Sets. The Set Search Speed option allows the user to specify the number of logical cores IEF will utilize for processing. If conducting other reviews or processing on the same machine, it might be a good idea to reduce the number of cores utilized by IEF so other applications are not bogged down.

In most cases, it is not necessary to modify any options under Logging as these options are utilized mostly for debugging and support-assisted troubleshooting. It should also be noted that if logging is enabled, slower processing times may be experienced. Pop-up Warnings can also be managed from the Tools menu. By default, the user will be prompted with pop-ups relating to Yahoo, Case Information, Picture Size, Artifact Profiles, and Image Selected as File warnings. The Settings option allows the user to enable or disable hibernation and deduplication. By default, Remove Duplicates is enabled. Also accessible through the Tools menu are the hash set options. IEF will allow configuration of Media Hash Sets (which are typically used by law enforcement) or File Hash Sets (white lists). After reviewing the configuration options and inputting the case information, click on the Find Evidence button and the case will begin processing. A word from the wise, as with most forensic tools, take the estimated Remaining Time with a grain of salt.

As soon as processing begins, the user can begin reviewing processed data which is another feature of IEF that I am more than satisfied with. Data presentation in the results window is clean and easy to navigate. Artifacts identified during the processing phase are categorized and listed on the left side of the window. The right side of the window is split with the top right section containing a detailed list of corresponding artifacts and the bottom right section contains additional information pertaining to the artifact selected in the top right of the window. The information available in the bottom right section of the window varies depending on the type of artifact selected in the top right section of the window. For example, when a Skype Chat Message is selected for review, the top right section of the window contains columns for the Chat ID, Profile Name, Author, Recipient(s), From Display Name, Message Sent Date/Time, Message, Message Status, Message Type, Source, Location, and Evidence Number. The bottom right section of the window contains three data views, Details, Hex, and Text each representing the artifact in a different syntax.

IEF will automatically attempt to identify relevant artifacts within the case. These results are located within the IEF Refined Results section in the left side of the window. To bookmark these results, or any artifact for that matter, right-click an artifact and select Bookmark and Tag As. Users can also bookmark an artifact by left-clicking on an artifact within the Bookmark (star icon) column. The tagging feature allows for additional organization of bookmarked artifacts and allows for easy access to tagged groups from within the Bookmark window. The Bookmarks window can be accessed by clicking on the Bookmarks button at the base of the window.

One of IEF’s more powerful features is the search feature. The search feature is accessible by clicking on the Search button at the bottom of the review window. Similar to the Keyword Search Alerts window, individual keywords can be input from the Search window as well as keyword lists. Regular expressions can also be added. IEF has also made accessible through this feature a list of pre-defined regular expressions which can aid in searches for credit card numbers, email addresses, IP addresses and phone numbers. Additionally, keywords can also be saved from this window for future use.

IEF’s filtering capabilities are another powerful feature. To access the filtering feature, simply click on the Filter button at the bottom of the review window. The Filter window gives several options including the option to run a Global Date/Time Filter which will allows the exclusion all data outside of a given time period. Filters can be created for virtually any IEF attribute. The user also has the option to create filters that will only affect certain artifacts. Created filters can also be saved from this window and imported for future use.

The Timeline feature is incredibly useful for the analyzing events chronologically. When first accessing the Timeline feature, keep in mind, depending on the size of the case, it may take several minutes for the Timeline to load all of the case artifacts. Once loaded, the user can select one or more categories from the left side of the screen to be displayed chronologically in a stacked format on the right side of the screen. This view allows the user to easily analyze user activity at any point in time. All or only selected artifacts can be easily exported from this view by selecting the appropriate option from the file menu. A view of the timeline itself can also be exported in .png format.

If geographical information is relevant to the investigation, IEF has the World Map feature. IEF will essentially search all case artifacts for geographical information and plot the identified locations on a map. The World Map feature is accessed by clicking on the World Map button at the base of the review window. Identified geographical information can also be exported in .kmz format for use with Google Earth.

One feature that has vastly improved, in my opinion, is IEF’s reporting functionality. From what I can recall when I was first introduced to IEF, I felt the reporting system was a bit cumbersome. The reporting system is now one of my favorite features of the product. From the File drop-down menu, the user can create an easy to navigate HTML report detailing every artifact in the case by selecting the Create Case Report option. The user also has the option of creating an Artifact Report from this menu. The main differences between these two reports is the Case Report will contain all artifacts and is only available in HTML format. The Artifact Report will allow the user to select which artifacts will be included in the report and can be output as one of the following formats: CSV, Excel, HTML, PDF, Tab-Separated, XML, or XML with External Files. Artifact Reports can also be generated by right-clicking on an artifact category and selecting Create Artifact Report. This can be performed from the main review window or from the Bookmarks window.

One other reporting-type feature definitely worth mention is the Create Portable Case feature. I have used this feature several times in the past. This feature enables the recipient to review and interact with the data at a level similar to the examiner’s. The portable case is created with all the necessary case files as well as an executable to IEF’s Report Viewer which is used to review the portable case’s content.

IEF has come a long way, and in my opinion has successfully achieved status as a top-tier forensic solution. The software is loaded with features that allow for speedy processing, efficient review, and effortless reporting and if you couldn’t tell, I am a fan. Thank you Jad and the rest of the team at Magnet Forensics for the blood, sweat, and tears that went into this product. I look forward to what you have in store for us in the future.

IEF Essentials Training from Magnet Forensics is a three-day course that can either be studied in class or online. You can find out more and sign up here.

 

  Printer Friendly Format