Let’s talk about the exciting new LACE Carver integration with Analyze DI Pro.
Once you have the proper license, you can head over to your Downloads page on MyGriffeye.com and go to the LACE Carver download.
Once the app package has been downloaded, we can go back to Griffeye and install it under Settings –> Plugins by clicking the ‘Install’ button and selecting the file we just downloaded from the internet.
Once the file is fully extracted and the plugin has been installed you can head over to the Analyze Forensic Marketplace, where we now have LACE Carver integration.
Now let’s open a new case and check out the additional processing features available to us. The first thing you’ll notice is we have an additional selection, Physical Media. The LACE Carver integration allows Griffeye Analyze DI to point directly to a physically connected device.
Notice that when we select the device, we can either look at it on the physical level or the logical level, whichever you prefer. None of my physically connected devices are write-blocked, so I’m going to use a forensic image file that I’ve already created.
Once I select the image file, notice it gives me additional options on how to process this forensic image. If I select ‘Import Forensic Image’, I get the standard Analyze DI Import, which does not get unallocated files. But if I select ‘Carve Forensic Image with LACE’, it handles the entire processing of the E01 file to include valid files and unallocated and deleted files. It also gives me several carving options and an Advanced button if I want to further refine what I’m looking for – it could be images, videos, documents, deleted files, unallocated files, and some other file formats.
Because we chose the integrated LACE Carver to handle the forensic image file import, there’s no need to bring in an additional folder containing carved unallocated files. It’s all contained in the same source ID in this investigation. So, we can continue to process our case as we normally would.
The Integrated LACE Carver will begin to carve the forensic image. Now remember, this is getting valid files as well as deleted and unallocated files. Once the LACE Carver has completed processing the forensic image file, the results will be imported into the Griffeye case, as they normally would. Using the Integrated LACE Carver to process our forensic image, we found 33,804 files as a part of our investigation.
Now let’s take a look at a case I created using the same forensic image file, but selecting the standard import, not using the LACE Carver.
I was only able to find 1,893 files in that forensic image. Now let’s take a look at the information we have within the case, about our files. In the grid view, the unallocated column now contains checkboxes on all the files that were found in unallocated space, as well as the physical file location or physical sector where that file was found.
We also now have the ability to filter files that we found in unallocated space by going over to our filters, the File tab, and the unallocated filter, and selecting ‘Is Unallocated’. Now we filter down to just the files we’ve found in unallocated space.
Thanks for watching. If you have any questions or comments, hit us up in the forums or send an email to [email protected].