Internet Evidence F...
 
Notifications
Clear all

Internet Evidence Finder (IEF) review

12 Posts
6 Users
0 Likes
932 Views
Jamie
(@jamie)
Posts: 1288
Moderator
 

Please use this thread for discussion of BitHead's "Internet Evidence Finder (IEF)" review.

 
Posted : 30/01/2013 9:26 pm
(@shaman)
Posts: 10
Active Member
 

First of all, that was a great review by Bithead!!! Thank you sir.

I've been using IEF since the early versions (2-3 days searching) and the changes are significantly for the better!

It helps to streamline the workload in a wonderful way. I am one of those 3-letter agency forensic guys that is over-worked and under-trained with the workload of 5-6 examiners…

Having said that, it is important for me to streamline and get work product out as soon as possible.

However, I'd like to add that all findings must be verified in the final report. Meaning that while I use IEF, RegRipper, Bulk Extractor, and other tools to accelerate the process. I always create keyword lists from the results I get from these tools in order to confirm the findings and implement them into one single report.

If I can't confirm these findings with my major platform (mostly EnCase 6) I either

1) Study why and try different methods.

2) Reach to the vendor/writer.

3) Reach to the community.

4) Not include it in my final report.

I normally run Full Search (On Windows Machines) with IEF and so far, I have been able to confirm findings that I need to implement in my final report. (As well with RegRipper and Bulk Extractor!).

Good Job IEF and thanks again BitHead!

 
Posted : 31/01/2013 12:02 am
(@bithead)
Posts: 1206
Noble Member
 

I did not want to imply that results cannot be verified with IEF. I was merely writing that it is very difficult to look at the bulk numbers returned for any two programs and to compare them. Additionally it is difficult to compare results when two tools use different names for results.

 
Posted : 02/02/2013 11:52 pm
ForensicRanger
(@forensicranger)
Posts: 122
Estimable Member
 

Great review and I concur with what you've written… particularly

" As IEF recovers more and more artifacts, I believe there is a need for more documentation about what artifacts are recovered, how the artifacts are recovered, and how the artifact is parsed (i.e., where did IEF get the Tag information?)"

It would be great if that information was indeed there for the analyst to review so that we can then duplicate the search for manual verification; i.e. What are the search parameters used to obtain X. I've contacted Jad before with some suggestions of what I would like to see added to IEF and he certainly seemed open and welcoming to input from the forensic community.

I can also add that running IEF has become a de facto standard in my shop, right alongside indexing with FTK and various other software. I was interviewed for a Law Enforcement Magazine (of course only part of what one says actually gets printed, though they did a pretty good job) regarding the use of IEF - it has become an invaluable tool which has made our job easier, as long as analysts don't use it as a push-button forensics tool, but take the time to verify their findings.

 
Posted : 03/02/2013 10:08 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

i think they should publish the details on all the artifacts they reverse, but they never will.

its not about the good of the community, its about the money. =)

on another note

why do you always index in FTK? Why index at all except when its needed (which in my experience and opinion is rare)?

what other software are you running in your shop?

 
Posted : 04/02/2013 1:19 am
ForensicRanger
(@forensicranger)
Posts: 122
Estimable Member
 

i think they should publish the details on all the artifacts they reverse, but they never will.

its not about the good of the community, its about the money. =)

Well, it is about the good of the community in the sense that they offer a good product; certainly as they are corporate entity, it is also about the money…

on another note

why do you always index in FTK? Why index at all except when its needed (which in my experience and opinion is rare)?

what other software are you running in your shop?

My post was way too broad… We don't index every image (way too much overhead), but only when necessary. The main tools for computer forensics are FTK and EnCase; I recently started using X-Ways (part of a course I'm taking) but it is not used in our shop.

We do use FTK quite a bit and when it's determined that a drive is to be imaged, we index it to allow for investigators to come in, go through the image and bookmark what they deem necessary as part of their investigation.

 
Posted : 04/02/2013 2:08 am
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

Ah. I pretty Mich only use X-Ways.

Did you take their training or?

 
Posted : 04/02/2013 2:12 am
ForensicRanger
(@forensicranger)
Posts: 122
Estimable Member
 

I don't want to hijack this thread - check your PM )

 
Posted : 04/02/2013 2:20 am
MagnetForensics
(@magnetforensics)
Posts: 40
Eminent Member
 

i think they should publish the details on all the artifacts they reverse, but they never will.

its not about the good of the community, its about the money. =)

Eric,

Thanks for your feedback and we plan on improving and expanding our documentation.

I do feel your comment about it being about the money is unfair.
While I was in law enforcement, I gave the software away for free for almost 2 years to law enforcement, for no reason other than I wanted to help others in their investigations. I also only used my evenings and weekends off to develop the software, at the expense of my free time and family time. Which I've never complained about; if IEF has helped out in even just one child exploitation case, it's all been worth it.

I wish I was independently wealthy and could do this all for free, publishing all the details for others to use in their software, but we now have a team of engineers and researchers and spend hundreds of thousands of dollars every year on the R&D behind IEF, with no government grants or funding behind us. I couldn't have taken IEF to where it is today on my own (or in my spare time), and unfortunately good engineers/developers don't work for free, they have families to feed as well. So yes, we need money to continue to develop IEF and continue our R&D efforts. Even so, we continue to develop and release free tools like Encrypted Disk Detector, Google Maps Tile Investigator, and Web Page Saver.

My contribution to the community is building the best possible products to help with investigations and I couldn't have advanced IEF to where it is now (or where it will be in the future) alone.

Regards,
Jad

 
Posted : 04/02/2013 9:41 pm
EricZimmerman
(@ericzimmerman)
Posts: 222
Estimable Member
 

Oh it wasn't a jab at you! =) it was more a matter of fact type post vs a slight against you not giving away your intellectual property.

I know you have a business to run and businesses stay in business by making money.

i apologize if my comment came across differently.

as a side note, we have and use IEF triage =)

 
Posted : 04/02/2013 9:51 pm
Page 1 / 2
Share: