±Forensic Focus Partners
±Your Account
Site Members:
 New Today: 2
|
 Overall: 36453
|
 New Yesterday: 3
|
 Visitors: 139
|
±Latest Articles
±Latest Videos
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
Interesting but definitely coincidence, we weren't working with them on anything related to 7zip. I'll pass the info to our devs though as maybe we're both doing something wrong to get a similar problem. I'm pretty sure they know the issue already, it just takes a bit of time to build and test the fix to make sure it works.
Internet Evidence Finder (IEF) and CyberLink .7z files
Page 1, 2 Next
-
Chris55728 - Senior Member
Internet Evidence Finder (IEF) and CyberLink .7z files
Posted: Jun 12, 17 16:38
For those of you that use IEF, I'm not sure whether you're aware of a current issue regarding what appear to be 7-Zip files associated with CyberLink products.
I'm running the latest version of IEF (6.9.0.5983) across an EnCase image which grinds to an almost complete standstill when it hits .7z files associated with CyberLink. I currently have a 'Data1.7z' file (located in the \SWSetup\APP\Applications\CyberLink\CyberLink_LLUBB2\12.0.6.4925\src' directory) that is causing the problem. I've got 6 of 8 cores available but usually only 1 or 2 are actually in use which again seems to be a problem with the way that IEF is processing the file. If I use 7-Zip to open the file separately, this works without any problem at all.
I logged a call with Magnet Support and have received a reply (on 05/06/2017) stating that the development team is already working on the issue and as soon as there was an update they would be in touch so there's clearly some sort of issue.
My next step is to step backwards through previous releases of IEF to see if/when this problem was introduced.
It would be interesting to hear whether other individuals have also encountered this problem and what, if anything, they've managed to do to get around it.
Cheers,
Chris
I'm running the latest version of IEF (6.9.0.5983) across an EnCase image which grinds to an almost complete standstill when it hits .7z files associated with CyberLink. I currently have a 'Data1.7z' file (located in the \SWSetup\APP\Applications\CyberLink\CyberLink_LLUBB2\12.0.6.4925\src' directory) that is causing the problem. I've got 6 of 8 cores available but usually only 1 or 2 are actually in use which again seems to be a problem with the way that IEF is processing the file. If I use 7-Zip to open the file separately, this works without any problem at all.
I logged a call with Magnet Support and have received a reply (on 05/06/2017) stating that the development team is already working on the issue and as soon as there was an update they would be in touch so there's clearly some sort of issue.
My next step is to step backwards through previous releases of IEF to see if/when this problem was introduced.
It would be interesting to hear whether other individuals have also encountered this problem and what, if anything, they've managed to do to get around it.
Cheers,
Chris
-
AmNe5iA - Senior Member
Re: Internet Evidence Finder (IEF) and CyberLink .7z files
Posted: Jun 12, 17 17:28
Someone from my office had experienced this issue. Today, after waiting about 7 days, he finally cancelled IEF, restarted the computer and attempted to run it again. With your update he has decided to cancel it altogether and await an update from Magnet.
Thanks
Thanks
-
Chris55728 - Senior Member
Re: Internet Evidence Finder (IEF) and CyberLink .7z files
Posted: Jun 13, 17 12:45
Just done a bit of testing with previous versions of IEF.
Exported 15 x .7z files from a forensic image I have, including the 'Data1.7z' that was causing grief, and ran older versions of IEF across just those files with the following results:
v6.8.8.5013 - completed in 1m 17secs (all available cores utilised)
v6.8.9.5711 - completed in 1m 17secs (all available cores utilised)
v6.8.9.5774 - completed in 1m 17secs (all available cores utilised)
v6.9.0.5983 - still running, no idea when/if it's going to finish, only one or 2 of the available cores utilised
I've also checked the release notes for v6.9.0 and one of the new features is "Magnet IEF now supports searching of compressed .7z files."
The above is true as more artefacts have been recovered thus far in v6.9.0 than in previous versions.
There's obviously some sort of issue with the way that IEF uncompresses the .7z files that slows things down to such an extent that it's unusable.
The only alternative until Magnet get their act together and release an update that either fixes the problem or removes the compressed .7z support is to go back to the previous version (6.8.9.5774).
The only updates from v6.8.9.5774 to v6.9.0.5983 are as follows:
New features:
• Skype for Windows: This release includes message and date carving updates to support
Skype version 7.33 for Windows.
• Magnet IEF now supports searching of compressed .7z files.
• iOS iMessage/SMS/MMS: This release includes iMessage/SMS/MMS carving updates for iOS 10.
Fixed issues:
• Certain email messages were incorrectly displayed as hits for both EML(X) Files and MBOX Emails.
• Windows Network Profiles: Incorrect information displayed for the last connected date
If you can live without the above then v6.8.9.5774 is the way to go at present.
Cheers,
Chris
Exported 15 x .7z files from a forensic image I have, including the 'Data1.7z' that was causing grief, and ran older versions of IEF across just those files with the following results:
v6.8.8.5013 - completed in 1m 17secs (all available cores utilised)
v6.8.9.5711 - completed in 1m 17secs (all available cores utilised)
v6.8.9.5774 - completed in 1m 17secs (all available cores utilised)
v6.9.0.5983 - still running, no idea when/if it's going to finish, only one or 2 of the available cores utilised
I've also checked the release notes for v6.9.0 and one of the new features is "Magnet IEF now supports searching of compressed .7z files."
The above is true as more artefacts have been recovered thus far in v6.9.0 than in previous versions.
There's obviously some sort of issue with the way that IEF uncompresses the .7z files that slows things down to such an extent that it's unusable.
The only alternative until Magnet get their act together and release an update that either fixes the problem or removes the compressed .7z support is to go back to the previous version (6.8.9.5774).
The only updates from v6.8.9.5774 to v6.9.0.5983 are as follows:
New features:
• Skype for Windows: This release includes message and date carving updates to support
Skype version 7.33 for Windows.
• Magnet IEF now supports searching of compressed .7z files.
• iOS iMessage/SMS/MMS: This release includes iMessage/SMS/MMS carving updates for iOS 10.
Fixed issues:
• Certain email messages were incorrectly displayed as hits for both EML(X) Files and MBOX Emails.
• Windows Network Profiles: Incorrect information displayed for the last connected date
If you can live without the above then v6.8.9.5774 is the way to go at present.
Cheers,
Chris
-
mcman - Senior Member
Re: Internet Evidence Finder (IEF) and CyberLink .7z files
Posted: Jun 13, 17 18:11
Hey guys,
Thanks for the heads up and sorry for the problems with 7z. We just added support for 7z in IEF 6.9 and AXIOM 1.1.1 (our latest releases). It looks like if there's a ton of 7z files (or a certain type of 7z) in the image, it's grinding to a halt (basically it hits a timeout threshold for each of them making the search take forever).
We're working on a fix for it to add in our next release so it should be fixed soon but if you're coming across this, I would do as Chris mentions and run the last version (IEF 6.8.9 or AXIOM 1.1.1). It isn't happening for all 7z files but certain types seem to be jamming everything up.
Thanks again for the heads up and feel free to reach out if you have any questions.
Jamie McQuaid
Magnet Forensics
Thanks for the heads up and sorry for the problems with 7z. We just added support for 7z in IEF 6.9 and AXIOM 1.1.1 (our latest releases). It looks like if there's a ton of 7z files (or a certain type of 7z) in the image, it's grinding to a halt (basically it hits a timeout threshold for each of them making the search take forever).
We're working on a fix for it to add in our next release so it should be fixed soon but if you're coming across this, I would do as Chris mentions and run the last version (IEF 6.8.9 or AXIOM 1.1.1). It isn't happening for all 7z files but certain types seem to be jamming everything up.
Thanks again for the heads up and feel free to reach out if you have any questions.
Jamie McQuaid
Magnet Forensics
-
redcat - Senior Member
Re: Internet Evidence Finder (IEF) and CyberLink .7z files
Posted: Jun 13, 17 20:09
I just saw this in the EnCase 8.05 Release Notes:
Known Limitations found in Version 8.04:
FOR-6647: Parsed 7-Zip files do not display physical size, initialized size, or file extents. Instead, they display the default value of 0.
Coincidence?
Known Limitations found in Version 8.04:
FOR-6647: Parsed 7-Zip files do not display physical size, initialized size, or file extents. Instead, they display the default value of 0.
Coincidence?
-
mcman - Senior Member
Re: Internet Evidence Finder (IEF) and CyberLink .7z files
Posted: Jun 13, 17 20:46
- redcatI just saw this in the EnCase 8.05 Release Notes:
Known Limitations found in Version 8.04:
FOR-6647: Parsed 7-Zip files do not display physical size, initialized size, or file extents. Instead, they display the default value of 0.
Coincidence?
Interesting but definitely coincidence, we weren't working with them on anything related to 7zip. I'll pass the info to our devs though as maybe we're both doing something wrong to get a similar problem. I'm pretty sure they know the issue already, it just takes a bit of time to build and test the fix to make sure it works.
-
pcstopper18 - Senior Member
Re: Internet Evidence Finder (IEF) and CyberLink .7z files
Posted: Jun 14, 17 20:34
I want to say to all that this is one of the most helpful exchanges I have seen in a while. I use IEF regularly and have not had any issues with their support team. Having said that, this exchange is great example of teaming to solve an issue and alert everyone without overblowing things on anyone's part:
Here is the issue I found and what I've done to check it out. Does anyone have it?
Yeah I do, does the vendor know?
Yes we know, here is what we are doing about it.
Good to know. Here's a work around.
And this, in my opinion is how things should work.
Thanks all!
_________________
Preston Coleman, MFS, GCFE, EnCE
"The only thing necessary for the triumph of evil is for good men to do nothing" - Edmund Burke
Here is the issue I found and what I've done to check it out. Does anyone have it?
Yeah I do, does the vendor know?
Yes we know, here is what we are doing about it.
Good to know. Here's a work around.
And this, in my opinion is how things should work.
Thanks all!
_________________
Preston Coleman, MFS, GCFE, EnCE
"The only thing necessary for the triumph of evil is for good men to do nothing" - Edmund Burke