±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 32909
New Yesterday: 2 Visitors: 135

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars



Webinars - 2017

E3: Universal Overview

  Posted Thursday October 05, 2017 (12:09:06)   (3172 Reads)
Presenter: Cassie Castrejon, Tech Support Team Lead, Paraben

Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.


Today’s tutorial will go over everything that Paraben’s E3 Forensic Platform has to offer.

The E3 platform does a variety of forensic analyses, including iOT Mobile, hard drive data, X-Box data, Fitbit data, Alexa app data – you name it, we can do it. E3 Universal includes all of our tools, which includes mobile tools and hard drive analyses tools. The mobile tool is called E3:DS. It stands for Devices Seizure. It does logical and physical imaging of mobile devices. It also includes JTAG analysis as well. The hard drive analysis tool is called E3:P2C. This is formerly our P2Commander product. This includes deployable P2C and P2X Pro. It also includes NEMX, which is our network email examiner, and EMX with it, which is our email examiner. Also includes INTERNET/CHAT. This is all included with the E3 Universal package.

E3 Universal has a variety of features, including data triage, file system data, email data, network email data, chat data, image files/image types, smartphone support, feature phone support (which would be like your burner phones or your [foot] phones, we have over 27,000 supported devices and counting), GPS support, iOT support. With that support, we have powerful analysis with searching, sorting, illicit image identification, app data parsing, SQLite data parsing, bookmarking, reporting, and data review platform.

We will be going over computer forensics investigation during this tutorial, where we will analyze data triage, analyze the hard drive data, analyze email data, analyze chat data, graphic files and types, searching, sorting, and reporting. For our mobile forensic investigation overview, we will go over parsed data, recovered data, app data, SQLite data, cloud data import (which is a super cool feature), searching, and reporting.

Alright. So let’s get started. Once C3 is fully loaded, I’d like to go ahead and close out of this window. And I like to create new cases. The new case window will appear. Go to Case Properties. The case name we’re going to call ‘E3 Universal’. And then you can add additional information here. And dropdown boxes work great – they auto-populate. So you only have to do this one time, and then click the dropdown box, and you’re good to go.

I will be saving this case in my default location, so I’m just going to go ahead and click Save. The Add New Evidence window will appear. I know that the image I acquired is a virtual image, so I’m going to go ahead and detect all this and click OK. And then, I’m going to load my image, and I’m going to call this ‘Hard Drive’. The Auto-Exam wizard will open – I highly recommend you do this. This will allow you to sort through your data files much more efficiently and effectively.

The first question is ‘Would you like to sort the data into categories and provide a list of data in each category?’ We do, so that, by default, is checked ‘Yes, sort data’. Then you can export any data. Just check the boxes into the sorted categories. ‘Would you like to remove duplicate data?’ Absolutely. ‘Do you want to do any searches?’ You can load words via text file or you can use predefined search terms that we supply for you. And then, it asks you if you would like to generate a report on the end of it. I don’t typically like to do this, because I like to go through each side, the case content, and the sorted files to bookmark my artefacts, and then create my report manually. And the last option is ‘Do you want to include Triage Data with your report?’ And if you select a report, you can absolutely click that checkbox.

I’m going to go ahead and start that Auto-Exam and let it run on my backend while we get started with this case.

Now that the Auto-Exam has completed, what I like to do is of course check – you can verify by going to the Completed tab and sorting that it has finished. Also, you can view your sorted files over on the Sorted Files tab. So we’re going to expand this and go to Hard Drive. You can see my partition, it’s FAT partition. What I like to do is use the Start Counting Folder Content, because that’ll allow me to view all of the contents with the In and Total, and not have to go through each individual file.

We’re going to look under Partition0 under our FAT content, and this’ll give you the – if you expand this out to [06:13] – it’ll give you the total of how many artefacts or important information is in that. So for instance, if we need to go look at documents, we see we have a Word document, the ‘History of impressionism’, and that’ll give you a total of one within that folder. So you don’t have to search through blank folders just to find what you need. The sorted files is also a great way for you to identify the type of artefacts that you will soon need to view potential for … in this case we have two email databases. We have an Exchange database and then we have a Gmail database.

If you skip the Auto-Exam upon importing the virtual hard drive or hard drive image, you can always go to Case Content, you can mark that, go to the Analysis tab, go to Content Analysis, and then, right there, you can sort for data. So we’re going to go back to our sorted files, we’re going to investigate these email databases. So if you double-click on, for instance, the Exchange database, it’s going to take you exactly to where that Exchange database is located within that image. If we double-click on it – and you can expand it as well over here – and we see we have three specific people within this database that we’re going to look at.

There’s a ton of information within the Exchange databases. You can see the in-place archiving, you can see the administrator mailbox. Just go through and see what you need. And we’re going to do Jenny. And the most important folder within this database is the top information store. This is going to give you their inbox, their outbox, their deleted items, their sent items, their calendars, their contacts, etc. Now, if we go into John, we’re going to expand him out, and again, we’re going to go to top information store. And then, Inbox – it’s still going to show you the correspondence back and forth between individuals. Eric Spencer though is a little more unique. We’re going to just keep going – information store – and in his inbox, you can see that there’s bolded items. The bolded items means that it has not been read. Really great to know. If you click on that, you can get the header information … if you expand this up a bit … you can get the header information, which is very important in some cases. You can show it via text, via HTML, and raw HTML.

Another great thing to mention is you can see this is the general properties of that email we clicked upon, and that’s going to show you the message flags as well, and this also shows that no, it has not been read, it was normal priority, it doesn’t have any attachments.

If you need to view an email with an attachment, we have a good example up with John. And we’re going to go to his inbox, and you can see right here there’s an attachment icon. To view that attachment, all you’re going to have to do is go down to the bottom, click Attachment, and it’s going to show you ‘flowers’. So you’re going to click on ‘flowers’, and you’re going to go over to the thumbnail, because a jpeg is a picture, and you’re going to be able to view that attachment.

Now, let’s go view that Gmail database. I’m going to go back to my sorted files tab, I’m going to go back to my email, and I’m just going to click on this, Gmail.pst. And we’re going to do both of those. Clicking both these options may take a little more time, and can be a little more resource-intensive. This isn’t a true Gmail database, because as you can see, the extension ends in a .pst, which is associated with Outlook. Regardless, we’re going to go ahead and double-click on that, and then we’re going to expand down, and there, you can see unread emails, attachments … this is a Word doc, you can open up that Word doc. And you can open with – it’ll suggest something you should open it with, and then that’ll open up within Microsoft Word. We’re going to go ahead and close this out, and continue on.

We’re going to go back to our sorted files, and we see that there’s a chat database. It’s a Skype database. Also, if you just were to double-click on this database, it’s going to say would you like to mount it as a Skype database, and we’re going to say yes, to continue. Once that database is mounted, we’re going to double-click on that to expand, and we’re going to double-click on our database. Now you can see the profile name. It also associates it with his email over here, some really great information, his contacts, call history, no file transfer, and contact [PIDs]. So this is also a great way to locate IP information if you need it.

Because I don’t want to have to go through each individual folder within this database, I’m going to just click on this database and start counting folder content, and that’s going to give me where all of these … where each folder has some data. I’m going to clear out of that, messaging, looks like our money … looks like the cache folders have the most information within them. If you need to see the PNG image, you’re going to want to click on File View, and that’s just going to give you that image. Again … and then you have the database store as well.

Now we’re going to go back to our sorted files. And we’re going to go to Graphics. This Graphics will show you all of the graphics within the hard drive image, and the great part about this is if you double-click on one of the graphics, it’s going to show you exactly where it is to where you can bookmark it for your report, if it’s an artefact that you need. We’re going to just bookmark this real fast and click OK. Your bookmarks are going to show up right here. Whenever you need to access that bookmark, it’s going to take you to that exact location of it. That’s also great for reporting as well. Another way to add this file to your report without bookmarking is go ahead and right-click on this, and then you just want to check ‘Add to Report/File Export’. And that’ll go ahead and add that to your report as filed. If you need to view this picture, you just want to ‘Open With’, and then Photos, and that is going to bring up the photo that we had bookmarked and added to our report.

Now we’re going to go ahead and search for a few things. We’re going to go back to that Analysis tab, and we’re going to go to Advanced Search. There are many searching options – you can do text search, hex search, Boolean, regular expressions, and simple search. You can also use Load Words, and you can use a predefined list, which is our child pornography search term list if you’re doing a child pornography case. Or you just can type one in. I’m going to type in ‘Nikky’ and we’re going to see where that leads us.

The reason why we didn’t get any results for this search ‘Nikky’ is because, as you can see, we are just searching specifically the Skype database. Now, if we were to go back to the FAT image and go to search … we’re going to try that again. And as you can see, there’s 10 hits. And we just go down, expand out, and it’s going to give you all of the information that you need, where the hits are, how many places. You can double-click, it’s going to bring up the text viewer, and you can see ‘Nikky’ is right there, so on and so forth. This is a great way to conduct your searches. You can right-click and add to the report or you can bookmark the data.

Within the search you have many different options. Up here, on your data, you can generate a search result report upon that search data. I’m going to go ahead and show you how to generate a report upon the data that we added to the report. I’m going to go ahead and click Generate Report. That is under the Analysis tab. We’re going to click on that. Because this is a hard drive image, some of the options for different types of reports are greyed out.

To get a better understanding and overview of the Reports Wizard and to get detailed information upon it, go to our YouTube channel and view our YouTube reporting tutorial.

For this report, I’m just going to go ahead and select the HTML Investigative Report. There are options over here that you can modify – my name, the bookmarks, include all bookmarks, only the bookmarks to be added to the reports, file system types, if you want to export those as well you have the ability, so on and so forth. So I’m just going to click Finish.

My report is done. I’m going to go ahead and click OK. And as you can see, it has the bookmarks that I have, and the information, that image that we added to the report will be right there. We’re going to go ahead and close out of this. And then, I noticed on our hard drive itself, if you go into the root, we have a mini Android device seizure case file. Now, this will open within the E3 product – you just have to right-click, Open With, and we’re going to open it up with our E3. And what that’s going to do is that’s going to mount it to this case. I’m also going to show you another way to mount a different image.

Again, we love the Parabens Auto-Exam wizard. We’re going to go ahead and just start that Auto-Exam on this mini Android dump. It’s completed quickly. And then we’re just going to expand that out. And as you can see, it’s an E3 case – there’s our cellphone. This is a very small case. But it still gives you the important information that you potentially might need.

After reviewing this, there aren’t any artefacts that I need, so I’m just going to go ahead and go back to my Evidence tab, make sure that’s highlighted, I’m going to remove this evidence. That does not remove it off of the hard drive. As you can see, it’s still there. It’s just not added as evidence. We’re going to go ahead and add a different mobile acquisition so you can see the full scope of the E3 product.

Because we’ve already acquired the phone, we’re going to add it as evidence. We’re going to go to Paraben Tools, E3 Mobile case file/DS cases. This is going to open up, and we are going to do the smartphone. We’re just going to leave it as smartphone. And that’s going to be added to our case. The Auto-Exam wizard is going to go ahead and open, we’re going to start that Auto-Exam, and while that’s running, we are going to get into this case. We’re going to OK out of all of those. This is an iPhone acquisition. You can tell, first of all, by the file structure. It’s very different than an Android file structure. Also, you can tell by the properties of the phone that the manufacturer is Apple, you can get the firmware, if there’s a SIM present, etc.

So we’re going to get into that phone. And I’ll show you a ton of information. But I’m going to do my folder counting because I don’t want to sort through all of these folders again.

If these pop-up windows bother you – just as a side note – you can put it as ‘Do not show this message again’. Normally, I’m really busy with acquisitions and doing a variety of things, so I like these pop-up windows, because it tells me when like for instance, the counting folder content job is completed.

I clicked OK out of that. Now we’re going to view the parsed data of the iPhone. So we’re going to expand upon that, and this is going to show you all of the data that we parse with the iPhone. So it’s going to give you Voice, Properties, Messages, Bookmarks, History, etc. Folder count here is really great, so we don’t have to look into folders that we don’t need. So we’re going to expand this out. There recordings database is a SQLite database which we can get into. Properties, it’s going to give you the complete properties of the phone, including phone number, password protected, the model number, so on and so forth. Messages – messages are the outbox of the iPhone. The bookmarks – that’s bookmarked. So on and so forth.

Now we’re going to look at the parsed recovered data. We’re going to click on that. And this was an unknown format, therefore we cannot open it. The installed applications will give you application data. If you click on that, installed applications list. So they have Facebook and messenger installed on this iPhone. The permissions list – this’ll say if it’s suspected by malware, what it has access to. There is much more information within the var folder – for instance, keychains, if you find that of interest. What I’m going to do now is I’m going to completely close out of this case and open up an Android case, and show you the differences between an iPhone and an Android boot loader and logical image. So we’re just going to go ahead and close.

I’m now going to just go ahead and open a recent case. This case is about almost a hundred gig. So it’s going to take a while to open. I have three different types of acquisitions within this case file. First is the boot loader acquisition, the second one is the cloud import data, and the third one is a logical acquisition. So let’s dive into the boot loader acquisition. I’m just going to go ahead and expand all of this out. Again, it’s going to take a minute, because it’s a rather hefty acquisition. And with boot loaders, you’ll see the full flash and then the file system flash. It’s going to look different than a logical acquisition.

If you go to the Sorted Files tab, I already ran the Auto-Exam wizard, and you can see just how much information is within these three acquisitions. There’s six emails … email files, there’s chats, there’s a ton of databases and graphics. So we’re going to back to the Case Content tab, and then we’re going to expand upon the Full Flash, and the Full Flash gives the raw partition images. Also, there’s the file system, and this is where we find most of our data. If you go to the data folder and expand upon that … let’s go ahead and start counting our folders. And then, if you go down to data, this is where you’re going to find a lot of your SQLite databases. I’m going to go ahead and expand this so we can see the total count of the file folders themselves. And we’ll scroll down to something interesting …

Some hot apps currently are [Next Plus] or Text Now, Text Free. So we’re going to go ahead and explore the textPlus SQLite database. So we’re going to go ahead and expand this out. Then we’re going to go to databases, we’re going to expand the databases, and the nextplus database is the database we want, even though it’s textPlus, the database is called nextplus. So we’re going to go ahead and expand that, we’re going to drill down into it. And there are all the tables for that. Another way to view the tables and see if they contain any data is to expand it. Now, you can see our messages database has all of the messages that were sent through textPlus. There’s also call logs. So the call log database, if you scroll over, will give the numbers of the other people calling … conversations, you can drill down into that. Contact methods that they use, etc.

Now that you have a brief overview of how a boot loader acquisition looks, we’re going to go ahead and go down to our logical acquisition. We’re going to expand upon that. Again, it takes a moment. And we’re going to drill down into this acquisition. Now, this is an Android backup of the identical phone. So because this phone couldn’t get [root], which is why we had to do the boot loader method, it still can perform a backup, but it’s not going to obtain the same amount of data, because it can’t get [root].

Again, you can see the installed applications, the permission list, and she has 92 apps on her phone. So this’ll take a while. And you can see all of the apps. She has the TextNow, textPlus, she has Nextdoor, a ton of things. Bumble, she has Tinder, WhatsApp, she has her Fitbit. So she has a lot of data on this phone.

And now we’re going to show you the authentication data. This authentication data bin file will need to be exported, so you just want to export to a folder. And then, you’re able to use our cloud analysis tool … so if you go to Evidence, Import Cloud … you will be able to add that authentication data file to this, and what it does is it will resolve the credentials for you to pull down the cloud information. If you already have the authentication data, just add an account. You can scroll to what type of data you need. The login account, which is normally the email address and then the password. Once all of that is completed, you just use the authenticate, and you can pull down that data. We’re going to go ahead and close this, because we already have one imported for us.

We’re going to go ahead and open up the cloud acquisition. And it’s going to show us all of the cloud data that we imported. So she has a Facebook, she has Google Maps, she has a Gmail, she has a Google Drive, and she has a Twitter account. So for instance, if you needed to see her newsfeed, the newsfeed is going to go ahead and be pulled down from the cloud.

Again, if you want to search within all of these, you actually can click on the main file folder and go to Analysis, and you can do advanced search, and it’s going to search all three of those acquisitions. So in those three acquisitions, we’re going to search for the name Tiffani. With an ‘I’.

Because it’s searching all three acquisitions and there’s a ton of data for it to go through, you can go down to the Running tab here, and you can see that this data is running, and again, this is why I like those pop-up windows, because I can go do something else while this is searching. And then, once it’s done searching, those notifications pop back up.

While that continues to process, I’d like to show you some of our cooler iOT stuff that we do. We process Fitbit, [Creepy Bear], Alexa, we process a ton of iOT stuff.

I’m going to go ahead and show you some Fitbit data. So I’m going to click on data, and I like to sort these by name. And then we’re going to scroll down and find the Fitbitfolder. Alright, so there’s our Fitbit, and we’re going to go ahead and double-click on that to expand it. That’ll take us down here to where it’s at. Conveniently, it’s under our textNow database, which we actually do get data out of as well. So we’re going to expand upon our Fitbit mobile, and we’re going to go down to databases. And you can see, there’s activity database, there’s a ton of databases. So we’re just going to go to the main Fitbit database and expand upon that. And you can see, by all of the tables within that, there’s a lot of information within there.

If we go to the profile database and expand upon that, that’s going to give you the user profile of the person wearing the Fitbit, and where they’re from, their stride, their BMI, it will give you a lot of information. Of course, if you go back up to the databases, you can go to the activity database, and that’ll give you foot count, steps, and whatnot. So really great to know where this is, so you can explore what type of data you need.

Now we’re going to go ahead and go to our Generate Report. Generating reports for mobile acquisitions is a wee bit different than like a hard drive acquisition or a tom-tom or a drone. They have different types of reports. You can again fill out all this pertinent information to add to your report. And then the mobile data review report is also called our Kick-Ass Report.

This hyperlink will bring up a PDF of what data is included within the report. And here is an example of the report. Gives you the explanation summary, the device information, the case data, the installed applications, contacts, calls, profiles, examination conclusion. You get the gist of it. And again, if you need more information, please view the reporting tutorial found on Paraben’s YouTube channel.

This will conclude our E3 Universal tutorial. Thank you all for watching, and I hope you have gained some great information. Please reach out to us if you have any questions. We would be more than willing to answer them for you.

End of Transcript


  Printer Friendly Format