Channel: Magnet Forensics

Using Internet Evidence Finder (IEF) to detect malware activity


Many people have Internet Evidence Finder (IEF) in their toolbox to help identify specific Internet-related artifacts/behavior of a particular user for investigative purposes. IEF can also be used to help identify activity that is typically associated with malware.

Depending on the version of the operating system, each user’s Internet History is located in a subfolder somewhere under their profile, i.e. c:\Users\ or c:\Documents and Settings\.

One profile that is missing from the areas listed above is the user profile used for the SYSTEM account. The SYSTEM account is not a normal account and is not one that is used for interactive logons (totally different than the Administrator account).

The Security ID (SID) for the SYSTEM account is always S-1-5-18. One of the common non-Internet-related artifacts that is left behind by some malware is the existence of the recycle bin for the SYSTEM account.

S-1-5-18

Another quick and easy thing to look at is the existence of Internet-related activity by the SYSTEM account. The SYSTEM profile is located under the c:\Windows path, typically at “c:\Windows\System32\Config\systemprofile\”. Typically, the SYSTEM account should not be browsing the Internet, especially Facebook ;)

SYSTEM profile

If you are an Internet Evidence Finder (IEF) Triage user (running IEF on a live, untrusted machine), it is recommended that you check the entire drive/partition by choosing the “Drives” option from the initial screen.

Drives option


If you want to search just selected files/folders, it is recommended that you use the “native browser” (this is the default view) to display and choose the paths you want to scan. With this option IEF does not rely on the OS to enumerate files & folders; it instead parses the file system itself by going to the physical disk level. This prevents a kernel-level rootkit from hiding files & folders from the OS view.

native browser

When you use the “Full Search” type in IEF, this path is checked automatically:

Full Search

After choosing the partition and the “Full Search” option, IEF will scan all the files and folders looking for common Internet-related artifacts. Internet activity by the SYSTEM account will look something like below and should be examined closely as a sign of activity by malware.

Full Search
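The two SYSTEM-account checks described above (a recycle bin for S-1-5-18 and Internet-related files under the SYSTEM profile) can also be run over a file listing exported from an image. This is an added example, not IEF functionality or code from the original post; the SysWOW64 profile root, the cache folder names and the sample listing are assumptions introduced here.

```python
"""Flag SYSTEM-account leads in a file listing exported from an image."""
from pathlib import PureWindowsPath

SYSTEM_SID = "s-1-5-18"  # SID of the SYSTEM account, as given in the article

# SYSTEM profile roots. System32 is the path named in the article; SysWOW64 is
# the profile used by 32-bit processes on 64-bit Windows (added here).
PROFILE_ROOTS = (
    ("windows", "system32", "config", "systemprofile"),
    ("windows", "syswow64", "config", "systemprofile"),
)
# Recycle bin folder names: Vista and later, then XP on NTFS.
RECYCLE_DIRS = {"$recycle.bin", "recycler"}
# Assumed, non-exhaustive folder and file names used by Internet Explorer /
# WinINet caches. Extend for other browsers as needed.
WEB_DIRS = {"temporary internet files", "content.ie5", "inetcache",
            "history", "history.ie5", "cookies", "inetcookies", "webcache"}
WEB_FILES = {"index.dat", "webcachev01.dat"}


def _parts(path):
    """Lower-cased path components without the drive or leading slash."""
    p = PureWindowsPath(path)
    return [c.lower() for c in p.parts if c != p.anchor]


def _index_of(parts, seq):
    """Index where the component sequence `seq` starts in `parts`, or -1."""
    n = len(seq)
    for i in range(len(parts) - n + 1):
        if tuple(parts[i:i + n]) == seq:
            return i
    return -1


def classify(path):
    """Return a finding category for one path, or None if it is not a lead."""
    parts = _parts(path)
    # Check 1: a recycle bin folder that belongs to the SYSTEM SID.
    for i, comp in enumerate(parts[:-1]):
        if comp in RECYCLE_DIRS and parts[i + 1] == SYSTEM_SID:
            return "system-recycle-bin"
    # Check 2: something stored inside a web cache folder of the SYSTEM profile.
    for root in PROFILE_ROOTS:
        i = _index_of(parts, root)
        if i < 0:
            continue
        rest = parts[i + len(root):]
        if not rest:
            continue
        in_web_dir = any(c in WEB_DIRS for c in rest[:-1])
        if in_web_dir or rest[-1] in WEB_FILES:
            return "system-web-artifact"
    return None


def triage(paths):
    """Return (category, path) for every path that is a lead."""
    findings = []
    for raw in paths:
        path = raw.strip()
        if not path:
            continue
        category = classify(path)
        if category:
            findings.append((category, path))
    return findings


# Constructed sample listing (not taken from a real case).
SAMPLE_LISTING = r"""
C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\$IABC123.txt
C:\$Recycle.Bin\S-1-5-18\$RX7Q2LD.exe
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A1B2C3D4\page[1].htm
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Windows\System32\config\systemprofile\Desktop
C:\Windows\System32\config\SOFTWARE
"""

if __name__ == "__main__":
    for category, path in triage(SAMPLE_LISTING.splitlines()):
        print(f"{category:20} {path}")
```

Windows components running as SYSTEM can also write to these cache folders, so each hit is a lead to examine closely rather than a verdict.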


 

As always, if you have any comments, suggestions or questions,
you can contact me directly at: lance (at) magnetforensics.com


CDMN Announces 2013 Moonshot Award Winners at Canada 3.0


Moonshot Award

The Canadian Digital Media Network (CDMN) announced the winners of the inaugural CDMN Moonshot Awards. Magnet Forensics was honoured with the Dynamic Company of the Year award at CDMN’s Canada 3.0 conference.

The Awards, presented in four categories, were developed to recognize Canadian companies that create jobs and wealth for Canada through innovation in digital media. The Moonshot Awards also acknowledge companies that contribute to the Canada 3.0 “Moonshot Goal: that anyone can do anything online by the year 2017.”


 

International Association of Chiefs of Police Conference (IACP)


October 19 – 23, 2013
Philadelphia, PA

Featuring renowned keynote speakers, forums and technical workshops, and the largest exhibit hall of products and services in the law enforcement community, the premier event for law enforcement provides thousands of dedicated professionals from across the country and around the world with an exceptional, concentrated forum for learning, collaborating and experiencing new technology.


HTCIA International Conference


September 8 – 11, 2013
Summerlin, NV

The HTCIA conference is THE premier event for those in law enforcement or private industry who investigate high technology crime. Re-connect with your colleagues, network with your peers, exchange best practices and preview technology and services from leading providers in the industry.


Crimes Against Children Conference (CACC)


August 12 – 15, 2013
Dallas, Texas

Providing Professionals the Instruction, Information and Strategies They Need to Protect Child Victims and Prosecute their Offenders.

A nationally and internationally-recognized conference for professionals from the fields of law enforcement, prosecution, child protective services, social work, children’s advocacy, therapy, and medicine who work directly with child victims of crime.


Black Hat USA 2013


July 30 – August 1, 2013
Las Vegas, Nevada

The Black Hat Briefings have become the biggest and the most important security conference series in the world by sticking to our core value: serving the information security community by delivering timely, actionable security information in a friendly, vendor-neutral environment.


Magnet Forensics Internet Evidence Finder™ Now Integrated with EnCase®


IEF now Integrated with EnCase

June 6th, 2013 - Magnet Forensics, the global leader in the development of forensic software for the recovery of Internet artifacts, recently collaborated with Guidance Software to develop an integration between Internet Evidence Finder™ (IEF) and EnCase® v7, the IEF to EnCase® Connector. This new connector enables investigators that use both EnCase® and IEF to initiate IEF searches from within EnCase® and easily import the resulting IEF artifacts into EnCase® for comparison with other relevant case data. The IEF to EnCase® Connector integration is now available for download free of charge on the Magnet Forensics website at www.magnetforensics.com.

The powerful search capabilities of Magnet Forensics’ IEF software simplify the recovery of social networking, online chat, web browsing history, and other Internet activity from computer hard drives and live memory captures, including deleted data. With support for over 220 Internet artifact types, IEF enables investigators to recover, analyze and report more evidence in less time.

Guidance Software is the leading provider of forensic investigations software and hardware solutions, and its EnCase software is used extensively by government, corporate and law-enforcement authorities worldwide for forensic investigations. The company recently launched the EnCase® App Central Developer Network, a new development community focused on fostering technology partnerships that enable digital investigators to find more evidence, faster using the EnCase platform.

“With the IEF to EnCase Connector integration, investigators can obtain the highest quality evidence with the minimum level of effort. Whereas most investigations require the use of multiple digital forensic tools, the IEF to EnCase Connector integration streamlines workflow for cases where both EnCase and IEF are required. Through the EnCase App Central Developer Network, Guidance Software has done an excellent job of providing digital forensic investigators with access to enhanced capabilities and technologies. Throughout the process, Guidance Software provided its expertise and support, making it possible for us to develop an integrated solution for the tens of thousands of EnCase users worldwide. We encourage other software vendors to offer their products via the EnCase App Central Developer Network,” said Adam Belsher, CEO of Magnet Forensics.

“EnCase has been designed and delivered as an open platform from the very beginning, enabling users to enhance its functionality with their own custom add-on apps,” said Alex Andrianopoulos, vice president, Marketing for Guidance Software. “With the EnCase App Central Developer Network, we extend the power of EnCase by leveraging the capabilities and features of market leading apps like Internet Evidence Finder by Magnet Forensics.”

For more information on EnCase® App Central and the EnCase App Central Developer Network please visit: http://www.guidancesoftware.com/appcentral

For more information about Internet Evidence Finder and the IEF Integration for EnCase: http://www.magnetforensics.com/internet-evidence-finder-enscript-for-encase-v6-v7/

 

About Guidance Software, Inc.

Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase® Enterprise platform is used by numerous government agencies, more than 65 percent of the Fortune 100, and more than 40 percent of the Fortune 500, to conduct digital investigations of servers, laptops, desktops, and mobile devices. Built on the EnCase Enterprise platform are market-leading electronic discovery and cyber security solutions, EnCase® eDiscovery and EnCase® Cybersecurity, which enable organizations to respond to litigation discovery requests, proactively perform data discovery for compliance purposes, and conduct speedy and thorough security incident response. For more information about Guidance Software, visit www.guidancesoftware.com.

EnCase®, EnScript®, FastBloc®, EnCE®, EnCEP®, Guidance Software™ and Tableau™ are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights referenced in this press release are the property of their respective owners.

 

About Magnet Forensics

Magnet Forensics is a global leader in the development of forensic software that recovers data from a broad range of Internet-related communications. Our flagship product, INTERNET EVIDENCE FINDER™ (IEF) was created by a former police officer and forensic examiner who recognized the need for an easy to use, comprehensive tool to help perform digital investigations. Since its creation, IEF has quickly become a trusted solution for thousands of the world’s top law enforcement, government, military and corporate organizations – used to recover Internet evidence like social media communications, webmail, browser activity (and more) to support their most important investigations. For more information about Magnet Forensics visit www.magnetforensics.com.

 

Guidance Software, Inc.
Brigitte Engel, +1-626-229-9191
newsroom@guidancesoftware.com

Magnet Forensics
Scott Williams, +1-519-503-7967
scott.williams@magnetforensics.com

Using Internet Evidence Finder (IEF) with Encrypted Drives


Full disk encryption (FDE) is becoming more and more common, especially in the corporate environment. Many IEF users have asked how they can leverage the power and simplicity of IEF with encrypted drives so I thought I would briefly explain some of the options available to process drives that may have FDE.

Internet Evidence Finder can natively read and parse EnCase evidence files (E01, Ex01, L01 & Lx01) and dd images, but it does not have any way of decrypting evidence files that contain a copy of an encrypted source drive that may be using BitLocker, PGP, McAfee or other FDE solutions. If you point IEF to an evidence file that contains an encrypted source drive, IEF will process it like a non-encrypted drive looking for artifacts, but it will likely find none if the entire drive (or volumes) is encrypted.

To use the power of Internet Evidence Finder with encrypted drives, you will need to use a tool that has the ability to present a decrypted version of the data to the Operating System; IEF can then parse the decrypted version of the data. The most common tool is the Physical Disk Emulator or Network Share feature within EnCase.

Bitlocker Creds

EnCase v6 & v7 have the ability to decrypt several of the common full disk encryption solutions. In the example above, a disk that is encrypted with BitLocker is immediately identified and the user is prompted for credentials that allow EnCase to virtually decrypt the data and present that data to the examiner in an unencrypted form for analysis.

This data, while still encrypted on the disk (and in the evidence file) is presented in a decrypted state for analysis:

Decrypted for analysis

You can use this feature inside of EnCase to present the unencrypted version of this data to the Operating System by using either the Physical Disk Emulator (PDE) or Network Share feature of EnCase. The difference between the two options is this:

Mount

  • “Mount as Emulated Disk” (PDE) takes the evidence file and presents the physical device as if it was a locally attached drive. The device will show up in Computer Management console and as far as the OS is concerned, it’s the same as a physical hard drive being connected to the examiner machine.
  • “Mount as Network Share” presents each object on the disk (and volume) as its own logical object. For example, it will actually present “Unallocated” space as a file object, so you can use a third-party tool to point specifically at that file (object).

Either of these options will work with IEF, but understanding the difference between the two will help guide you to which option you choose inside Internet Evidence Finder. For example, if you choose to present the data via the PDE feature, then in IEF you would want to choose the “Drives” option to process the entire drive, in its unencrypted form.

Drives

When using the Network share option, you would want to use the “Files & Folders” option inside IEF because every object (including unallocated space) is presented as a file to the OS. Notice the files shown in Windows Explorer when the encrypted drive is mounted and presented to the OS using the “Network Share” option:


Network Share

Notice there are actually files called Unallocated Clusters and FAT, whereas these are normally part of the volume and not shown in Windows Explorer. When using this option (Network Share), you would want to use the “Files & Folders” option in IEF to process all the presented data from the encrypted drive.

Excel Spreadsheet

The search results will show the ‘file’ named Unallocated for artifacts found within Unallocated Clusters:

Files and folders

Using either of these two options (Network Share or Emulated Disk) will allow you to use Internet Evidence Finder against your evidence like you do with unencrypted drives.

 

As always, if you have any comments, suggestions or questions,
you can contact me directly at: lance (at) magnetforensics.com


4:cast – Episode 43 – Where No Forensicator Has Gone Before


In this episode our Founder & CTO Jad Saliba discusses the newly announced mobile phone features coming soon to Internet Evidence Finder™ (IEF).

This episode is available as both a video or audio-only broadcast.

Watch the Recording Listen to the Recording

How important are Facebook Artifacts?


In March 2013, Facebook reportedly had just over 1 billion users worldwide. Founded in February 2004, it can be considered one of the grandfathers of social networking. Nearly ten years later, and despite hundreds of other social networking sites, Facebook is still a very popular social medium.

For a forensic investigator, Facebook can be used as an online resource when conducting an investigation and can be a wealth of information. It can provide a glimpse into a person’s life and a mechanism to obtain photos of potential subjects, friends & family. Timeline comments can provide geographical information about where a particular person was on a specific date, and they can reveal the identity of close friends and other details not readily apparent.

I recently assisted in a theft/stolen property case where we were able to get a complete family history and an idea of how the person lived by looking at photos and connecting family members together. Facebook provided us with links that allowed us to look up residence information based on connections and family ties. It also provided phone numbers that were listed in comments and later tied to fraudulent ads on Craigslist.

Facebook can also provide a wealth of information as a forensic artifact when conducting host-based forensics. In the past few years there have been several high-profile cases that involved Facebook artifacts even though the crime was not associated with a traditional ‘computer-related’ offense. For example, here is a recent case where Facebook messages were found on a victim’s computer (and later on the suspect’s computer) and used to identify a suspect in a murder case.

“Riverside County sheriff’s Investigator Tony Pelato, a computer forensics expert, said he found Facebook chat messages in Guzman’s computer between Santhiago and Leal, inviting Leal to buy some liquor and meet her at a park near Roanoke Street where Leal was killed. The chat messages were written minutes before the shooting.”
Read more

Or this one:

“According to state police, detectives interviewed a young man named Bryan Butterfield a day after Cable was reported missing. Butterfield told police that someone had created a phony Facebook account in his name, and police traced it to Dube’s parents’ house in Orono.

Cable was frequently contacted by the fake Butterfield and agreed to meet with him at the end of her road to get some marijuana the night she went missing, according to the state police affidavit.

Social media’s role in Nichole’s disappearance and death was a wakeup call for students, many of whom have become paranoid about online contacts, said Pattershall, Cable’s friend.”
Read more

Generally there are six specific categories of artifacts that can be individually identified when examining a computer hard disk:

  1. Facebook Chat

    This artifact is most commonly found in memory as JavaScript Object Notation (JSON) text in a running computer and/or in the pagefile.sys & hiberfil.sys file(s).

    Chat Artifact

  2. Facebook Messages

    Facebook Chat and Messages are now the same artifact. But in older versions of Facebook these were two different artifacts. This artifact is most commonly found in memory of a running computer and/or in the pagefile.sys & hiberfil.sys file(s).

  3. Facebook Wallpost/Status Update/Comments

    HTML that is carved from temporary internet files/web cache and memory

    Status Artifact

  4. Facebook Webpage Fragment

    A fragment of HTML that is carved from temporary internet files/web cache and memory

  5. Facebook Pictures

    A picture with a specific filename pattern found in temporary internet files/web cache. The filename contains three sets of numbers such as:

    ‘1221785571_1221785571_10150672801465915_n.jpg’

    The second set of numbers can indicate the Facebook UserID the photo belongs to and it can be queried through Facebook’s ‘graph’ API here:

    https://developers.facebook.com/tools/explorer

  6. Facebook URLs

    A URL in any web related (browser) artifact that references Facebook URLs. These artifacts commonly reference other Facebook users or specific Facebook activity

    “https://www.facebook.com/photo.php?fbid=201526933901245715&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater”

    201526933901245715 is the photo ID
    10150672801465915 is the album ID
    1221785571 is the user ID

    Viewed photos will appear in the cache file with the name:
    ‘1221785571_1221785571_10150672801465915_n.jpg’

    Viewing messages for profile currently being used:
    http://www.facebook.com/messages/joey.flowes
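The ID layout described in items 5 and 6 can be applied to a whole cache listing and URL history to group artifacts by Facebook user ID. This is an added example, not code from the original post or from IEF; the field positions inside the `set` parameter are inferred from the single URL shown above, and the optional `[1]` suffix that Internet Explorer appends to cached files and the size letter before `.jpg` are assumptions.

```python
"""Group Facebook photo URLs and cached picture names by user ID."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Three sets of digits, a size letter, an optional IE cache suffix such as [1].
PHOTO_NAME = re.compile(r"^(\d+)_(\d+)_(\d+)_[a-z](?:\[\d+\])?\.jpe?g$",
                        re.IGNORECASE)


def parse_photo_name(name):
    """Split a cached picture name into its three numbers, or return None."""
    m = PHOTO_NAME.match(name.strip())
    if not m:
        return None
    # Per the article, the second set of numbers can indicate the user ID.
    return {"first": m.group(1), "user_id": m.group(2), "third": m.group(3)}


def parse_photo_url(url):
    """Extract photo, album and user IDs from a photo.php URL, or None."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # Accept facebook.com and its subdomains only, not lookalike hosts.
    if not (host == "facebook.com" or host.endswith(".facebook.com")):
        return None
    if parts.path != "/photo.php":
        return None
    query = parse_qs(parts.query)
    fbid = query.get("fbid", [""])[0]
    ids = [f for f in query.get("set", [""])[0].split(".") if f.isdigit()]
    if not fbid.isdigit() or len(ids) < 2:
        return None
    # Assumed positions, taken from the article's example URL:
    # first number after "at." is the album ID, last number is the user ID.
    return {"photo_id": fbid, "album_id": ids[0], "user_id": ids[-1]}


def correlate(urls, cache_names):
    """Return {user_id: {"photo_ids": [...], "cached_files": [...]}}."""
    by_user = defaultdict(lambda: {"photo_ids": [], "cached_files": []})
    for url in urls:
        info = parse_photo_url(url)
        if info:
            by_user[info["user_id"]]["photo_ids"].append(info["photo_id"])
    for name in cache_names:
        info = parse_photo_name(name)
        if info:
            by_user[info["user_id"]]["cached_files"].append(name)
    return dict(by_user)


# First entry of each list is from the article; the rest are constructed.
SAMPLE_URLS = [
    "https://www.facebook.com/photo.php?fbid=201526933901245715"
    "&set=at.10150672801465915.448027.507140714.552175374.1221785571"
    "&type=1&theater",
    "http://www.facebook.com/messages/joey.flowes",
    "https://www.facebook.com.example.net/photo.php?fbid=1&set=at.2.3",
]
SAMPLE_CACHE_NAMES = [
    "1221785571_1221785571_10150672801465915_n.jpg",
    "9999999999_8888888888_7777777777_n[1].jpg",
    "logo.png",
]

if __name__ == "__main__":
    for user_id, hits in correlate(SAMPLE_URLS, SAMPLE_CACHE_NAMES).items():
        print(user_id, hits)
```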

 

As always, if you have any comments, suggestions or questions,
you can contact me directly at: lance (at) magnetforensics.com

Magnet Forensics Releases Internet Evidence Finder Standard (IEF Standard) v6.1


IEF Standard v6.1 is now available for download.

New Features In This Release Include:

  1. New Artifacts
    • Bitcoin, Instagram, IE cookie.txt files, IE Type URLs
    • Carving for Internet Explorer 10
    • Integrated Dropbox Decryption – Decrypt the Dropbox filecache.dbx files from within an image (previously only supported on live systems with IEF Triage or with the standalone Dropbox Decryptor Tool)
  2. Updated Artifacts
    • Google Map Tiles, Facebook, Hotmail, QQ Chat, Safari, parsed search queries
  3. Reporting and Timeline Updates
    • Reports can be exported in XML format
    • Customizable report summary screen
    • Evidence Bookmarking added to Timeline
    • Timeline now supports imported TLN files from 3rd party apps

IEF Software Mainstays Include:

  • Powerful Search Capabilities: Single search for 230+ Internet artifacts
  • Find Evidence Quickly: Get immediate search results, work with found data right away
  • Simple to Use: Get to key evidence in 3 easy steps
  • Comprehensive Reporting: Create standardized and straightforward reports
  • Built-in Intelligence: Web Page Rebuilding and more

Pricing and Availability

Pricing for IEF Standard starts at $999 USD.

Download a free trial of IEF Advanced by going to www.magnetforensics.com/trial

For both IEF Standard and IEF Advanced network licensing is now available as an alternative to Dongle or ESD licensing.

Existing customers with a Software Maintenance & Support (SMS) subscription can upgrade to IEF v6.1 for free by visiting our customer portal.

Customers without an SMS subscription can email sales@magnetforensics.com or call 519-342-0195 for pricing.

Magnet Forensics Adds Support for Mobile Devices with the Introduction of Internet Evidence Finder Advanced (IEF Advanced)


Building on our commitment to assist thousands of customers, in the world’s top law enforcement, military, government and corporate organizations, recover data from a broad range of Internet-related communications, Magnet Forensics has launched a new edition of its industry-leading forensic software, INTERNET EVIDENCE FINDER™ ADVANCED. IEF Advanced extends the powerful evidence search and recovery capabilities of IEF to iOS and Android powered mobile devices.

IEF Advanced

IEF Advanced offers support for mobile devices in addition to including all of the features of IEF Standard. IEF Advanced adds support for 125+ mobile artifacts in addition to the 230+ computer artifacts already supported by IEF Standard, bringing the total number of IEF supported artifacts to 355+. IEF Advanced is ideal for investigators working on cases that involve both computers and mobile devices.

IEF Advanced – Benefits

  1. Find More Evidence on Mobile Devices – Find evidence that you didn’t anticipate was there and that can’t be recovered by other mobile forensic tools. IEF Advanced recovers data from native and 3rd party mobile apps, including deleted data.
  2. Save Time – IEF Advanced automates the recovery of native and 3rd party app data on mobile devices, reducing time consumed by manual carving and parsing.
  3. Respond Faster – Quickly identify important evidence to provide preliminary insights to key stakeholders and focus the rest of your investigative work.
  4. Integrate Analysis of Mobile and Computer Evidence – IEF Advanced consolidates reporting for all computers and mobile devices related to your investigation into a single case file.

IEF Advanced – Key Features

iOS and Android Support:

  1. Carving & Parsing of artifacts from a file system dump or physical image using existing tools like Cellebrite’s UFED
    1. Carves deleted app data from unallocated space
  2. Supported artifacts include:
    1. Native Phone Apps
      • SMS
      • Email and Gmail
      • Voicemail
      • Browsers – Safari and Chrome
      • Mapping – Apple Maps and Google Maps
      • Pictures
      • Notes
      • Phone – call logs
    2. 3rd Party Apps
      • Chat Apps – WhatsApp, Kik Messenger, Snapchat, Gtalk, Skype
      • Social Networking – Facebook, Instagram, Foursquare, Twitter
      • Cloud – Dropbox
    3. Supported Mobile OS Versions
      • iOS 3 and greater
      • Android 2.3 and greater

IEF Software Mainstays Include:

  • Powerful Search Capabilities: Single search for 355+ Internet artifacts
  • Find Evidence Quickly: Get immediate search results, work with found data right away
  • Simple to Use: Get to key evidence in 3 easy steps
  • Comprehensive Reporting: Create standardized and straightforward reports
  • Built-in Intelligence: Web Page Rebuilding and more

Learn More:

Pricing and Availability

Pricing for IEF Advanced starts at $1,449 USD.

Download a free trial of IEF Advanced by going to www.magnetforensics.com/trial

For both IEF Standard and IEF Advanced network licensing is now available as an alternative to Dongle or ESD licensing.

Free Upgrade to IEF Advanced for Current IEF Standard & IEF Triage Customers

As an extra benefit, current IEF customers with an active SMS subscription can upgrade their previously purchased IEF Standard & IEF Triage Licenses to IEF Advanced at no additional cost (licenses purchased prior to June 26, 2013). At the time of your next SMS renewal you can choose Standard/Triage or Advanced SMS depending on which edition you would prefer to use.

Existing customers with a Software Maintenance & Support (SMS) subscription can upgrade to IEF Advanced by visiting our customer portal.

“Oh no, the suspect ran CCleaner to get rid of the evidence!”


I recently received a few questions about the effects of running Internet history sanitation tools such as CCleaner, when examining a computer looking for internet related artifacts. CCleaner is a product from a company identified as Piriform (www.piriform.com), and a version is freely available online and commonly used to ‘sanitize’ user activity. From the online documentation, CCleaner is said to protect privacy by cleaning out Internet browsing history and temporary internet files.

I have personally run into CCleaner on several cases when examining digital evidence and found it to have a varying degree of effectiveness, depending on exactly the types of artifacts you are trying to find/recover after its use. CCleaner has the ability to clean and remove information from several different locations, including the registry, the recycle bin and even wipe the disk. For this article, I am focusing on its effectiveness against the ability to recover Internet related history after CCleaner has been run.

Using a well-used test machine (Windows 7) with several different types of Internet related artifacts, I ran Internet Evidence Finder (IEF) using the default options to get a baseline of the artifacts that existed before running CCleaner. The test machine had artifacts from Chrome, Firefox and Internet Explorer 10, as well as numerous other applications such as P2P, webmail, etc. Here is a snapshot of just the web related artifacts found before running CCleaner.

Before CC Cleaner

I then installed CCleaner on the test machine, just as a suspect would, accepting the default installation options. From the CCleaner interface, the following options were enabled by default.

CC Cleaner with default options

I then ran CCleaner and received confirmation that it cleaned several locations related to Internet history.

CC Cleaner Results

After running CCleaner, I then rebooted the test machine and reran Internet Evidence Finder (IEF) using the same default options and was still able to find almost all the artifacts that had been identified before running CCleaner. In fact, some of the artifacts in some categories went up, likely caused by artifacts existing in memory before the reboot and then when the computer was shut down and rebooted, those artifacts were flushed to disk (pagefile).

Before and After


As many are aware, Internet artifacts are commonly found in memory (which I did not examine in this example), and ultimately end up on disk in the form of the pagefile or hibernation file. Many tools such as CCleaner, have minimal effect on these files and therefore many of the commonly sought after artifacts can still be found.

This example should be a clear illustration of how important the collection of RAM can be regardless of the type of investigation. It is also a good demonstration of the importance of searching for Internet-related artifacts even when you may find evidence of ‘sanitation’ tools being used by the suspect. There are several other freely available ‘sanitation’ tools, each with varying results. The point of this post is to illustrate that the potential benefits of running a search for Internet related artifacts are well worth the effort, even when you fear they may have been ‘sanitized’.

 

As always, if you have any comments, suggestions or questions,
you can contact me directly at: lance (at) magnetforensics.com

 

Read more: Part 2: Oh no, the suspect wiped free space to get rid of the digital evidence

Internet Evidence Finder (IEF) v6.1: Understanding the New “Editions” and Licensing Options


IEF Logo

With the launch of IEF v6.1 we have added a host of new features that we’re really excited about. We listened to feedback from our customers and delivered a great new set of mobile device forensic features as part of the new IEF Advanced Edition. Also driven by customer feedback is the addition of the new network licensing option that makes it easier to manage IEF across multiple locations. We’ve tried to organize these new features, editions and licensing options to provide customers with added flexibility and choice, but we realize that new options can also cause a little confusion. So here’s a quick rundown of how the licensing works for each of these new offerings.

IEF v6.1 – IEF Standard, IEF Advanced or IEF Triage

  1. IEF Standard – Recover 230+ unique Internet artifacts from Windows or Mac file systems. Pricing for IEF Standard Licences starts at $999.
  2. IEF Advanced – IEF Advanced includes all IEF Standard features and adds the ability to recover 125+ mobile Internet artifacts from iOS & Android powered smartphones/tablets. Pricing for IEF Advanced Licenses starts at $1499.
  3. IEF Triage – IEF Triage is a portable solution that brings the power of IEF Standard into the field. It is designed to run directly from the USB thumb drive on a target computer. IEF Triage is particularly valuable for running on-scene quick searches in the field, taking a live RAM capture, and checking for disk encryption. Pricing for IEF Triage Licenses starts at $1350.

Current IEF Customers – As a special thanks to our loyal customers, we’ve decided to give a free upgrade to IEF Advanced to all existing IEF Standard and IEF Triage customers with an active SMS contract. We want you to be able to take advantage of all the new mobile forensic features without having to purchase a new IEF Advanced License. Thanks for your support and please keep sharing your ideas and feedback.

New Customers – New customers can choose from IEF Standard, IEF Advanced or IEF Triage depending on which edition best meets your needs and your budget. For customers considering IEF Standard or IEF Advanced but who would like the flexibility to be able to also do live system investigations we are now offering Triage bundles that allow customers to add Triage capability to an IEF Standard or IEF Advanced License without having to buy and maintain a separate Triage license. Pricing for the Standard-Triage Bundle starts at $1549 and pricing for the Advanced-Triage Bundle starts at $1999.

Upgrading to IEF Advanced v6.1 from Previous Versions of IEF Standard or IEF Triage

The IEFv6.1setup.exe file is available for download through the in-app updater or from the Magnet Forensics Customer Portal – http://www.magnetforensics.com/support/customers/. This installer has everything you need to run either IEF Standard or IEF Advanced. The IEF Advanced features are unlocked with a valid licence key. Two types of license keys will unlock IEF Advanced features:

  1. New IEF Advanced licence
  2. Standard or Triage license keys purchased prior to the launch of IEF v6.1 (June 26, 2013) with an active SMS subscription will also unlock IEF Advanced. This enables all IEF customers with an active SMS subscription to upgrade to IEF v6.1 and get access to the IEF Advanced features.

Customers that have purchased IEF Standard or Triage licenses prior to June 26, 2013 who don’t have a current SMS subscription can purchase a new SMS subscription to upgrade to IEF Advanced.

Network Licensing

Network licensing is available for IEF Standard and IEF Advanced. The IEF network licensing application is designed to be run on a network-connected host within an organization (LAN/WAN) that is “always on” and available. The normal IEF client application can then be installed on as many computers as necessary and configured to receive a “virtual” license from the license server each time the IEF application is started on one of the computers. This eliminates the need for teams and workgroups to share physical IEF USB dongles that must be connected to each examination machine. Network licensing is not available for IEF Triage or the Standard/Advanced-Triage Bundles. The cost of a network license and a USB dongle license is identical.

 

As always, if you have any comments, suggestions or questions,
you can contact me directly at: adam (at) magnetforensics.com

Part 2: Oh no, the suspect wiped free space to get rid of the digital evidence


This article is a follow-up from one I did last week on when a person may use a sanitation tool such as CCleaner to “clean” their Internet history and other activity. In that article, I discussed how many artifacts are left behind even when the subject uses CCleaner using the default “cleaning” options:

Default Cleaning Options

In the previous article and example, I did not use the “wipe free space” option under the “advanced” category. This option is not selected by default, but I received a lot of feedback and questions from readers about the results if the user uses the “wipe free space” option.

Selecting this option causes CCleaner to wipe unallocated clusters and while that may sound horrible from a forensic perspective, it commonly does not turn out that way. There are a few limitations to wiping “free space”. The most important is related to the size of a cluster on that file system. The default cluster size for an NTFS volume is 4,096 bytes. This means that every file, regardless of size (excluding NTFS resident files), will get the minimum of 4096 bytes on disk to store data. Where this comes into play is when a subject deletes a file and a new small file is created and occupies a cluster where there were some artifacts. If the new file is smaller than 4096 bytes, there could be quite a bit of data left behind in the file slack space that is still accessible to forensic tools and is not wiped using the “wipe free space” option.
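The slack-space limitation described above can be reproduced with a toy model. The Python below is an added example, not part of the original article and not CCleaner's or IEF's code; the `ToyVolume` class, the 512-byte sector size and the sample URL are assumptions constructed for illustration.

```python
CLUSTER = 4096  # default NTFS cluster size cited in the article
SECTOR = 512    # assumed sector size for this model


class ToyVolume:
    """Flat array of clusters plus an allocation map (not a real NTFS parser)."""

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.owner = [None] * clusters  # file name per cluster, None = unallocated
        self.sizes = {}                 # file name -> logical size in bytes

    def write_file(self, name, content):
        """First-fit allocation. The last written sector is zero-padded, but the
        remaining sectors of the final cluster keep whatever was there before."""
        needed = -(-len(content) // CLUSTER)  # ceiling division
        free = [i for i, o in enumerate(self.owner) if o is None][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        padded = content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\x00")
        for n, idx in enumerate(free):
            chunk = padded[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[idx * CLUSTER:idx * CLUSTER + len(chunk)] = chunk
            self.owner[idx] = name
        self.sizes[name] = len(content)

    def delete_file(self, name):
        """Deletion only releases the clusters; the bytes stay on disk."""
        self.owner = [None if o == name else o for o in self.owner]
        del self.sizes[name]

    def wipe_free_space(self):
        """Zero every unallocated cluster; allocated clusters are not touched."""
        for idx, o in enumerate(self.owner):
            if o is None:
                self.data[idx * CLUSTER:(idx + 1) * CLUSTER] = bytes(CLUSTER)

    def unallocated(self):
        """Concatenated contents of all unallocated clusters."""
        return b"".join(bytes(self.data[i * CLUSTER:(i + 1) * CLUSTER])
                        for i, o in enumerate(self.owner) if o is None)

    def file_slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        clusters = [i for i, o in enumerate(self.owner) if o == name]
        used_in_last = self.sizes[name] - (len(clusters) - 1) * CLUSTER
        start = clusters[-1] * CLUSTER + used_in_last
        return bytes(self.data[start:(clusters[-1] + 1) * CLUSTER])


def run_demo():
    url = b"http://example.test/webmail/inbox?id=CONSTRUCTED"  # constructed artifact
    vol = ToyVolume(clusters=8)
    vol.write_file("cache.dat", (url + b"\n") * 167)  # about 8 KiB of URL records
    vol.delete_file("cache.dat")
    before = vol.unallocated().count(url)
    vol.write_file("note.txt", b"A" * 1500)  # reuses the first freed cluster
    vol.wipe_free_space()
    slack = vol.file_slack("note.txt")
    return {
        "hits_in_unallocated_before_wipe": before,
        "hits_in_unallocated_after_wipe": vol.unallocated().count(url),
        "slack_bytes": len(slack),
        "hits_in_slack_after_wipe": slack.count(url),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The wipe clears every URL from unallocated clusters, yet the 1,500-byte file that landed on a freed cluster still carries intact URL records in its slack.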

The second and probably more important fact is that many artifacts get placed into RAM, which make their way into the pagefile. As mentioned in the previous article, CCleaner (and many other “sanitation” apps) do not affect the pagefile (or hiberfil.sys) where many of the artifacts are likely to be found. Obviously, mileage will vary depending on how long after the artifacts were created until a wipe of free space and an evidence collection is performed, but from an artifact & evidence perspective the wiping of free space will likely remove some Internet artifacts, but many are left behind in other areas.

Here are the results of running IEF to find Internet artifacts before I ran CCleaner (on the left), then I ran CCleaner with the “wipe free space” option selected and ultimately rebooted the computer (to simulate a shutdown at the end of the day), then re-ran IEF to find artifacts after the wipe option was used (right side).

Before and After

CCleaner options and progress during the ‘cleaning’ process:

Progress During Cleaning

The point I made in the first article still remains valid in this example. The subject can use all sorts of ‘sanitation’ or anti-forensic techniques, but there are many artifacts left behind in areas that these consumer-level tools do not address or affect, so even when they are used, a full Internet artifact analysis is still worthwhile and likely to produce results.

 

As always, if you have any comments, suggestions or questions,
you can contact me directly at: lance (at) magnetforensics.com


Attracting the Worst Kind of Predator – Magnet Forensics is on the cyber-hunt for clues to stop crooks and creeps


Exchange Magazine Cover Story

Owners and entrepreneurs understand that rare energy experience when passion produces profit, stimulates growth and attracts talent. It takes a particular kind of entrepreneur, the kind movies are made about.
Jad Saliba, ex-Waterloo Region Police officer, cancer survivor, computer geek, passionate guardian of civil society and founder of JADsoftware is that kind of entrepreneur.
In 2006, Officer Saliba was the family bread winner, father to three adorable children and a dedicated husband to a beautiful wife. In 2007, life slammed Saliba into a tailspin. He was diagnosed with cancer at the age of 26; through the next year he went through the ups and downs of chemotherapy. His dream of police work, raising a family, and watching his kids grow, was in jeopardy.
But throughout his ordeal, he maintained his dream of fighting bad guys. And at the end of his cancer therapy, Saliba was provided an opportunity that would change his life forever.

(By John Rohr, Exchange Magazine)


IEF Wins Computer Forensic Software Tool of the Year


IEF Forensic 4cast award

Sometimes when I reflect back to what IEF did back in its very early stages (and what it looked like! Long-time users will remember how ugly it was at the beginning, and I believe Matt Shannon of F-Response still has a screenshot of it in one of his blog posts from 2009 :) ), it’s hard to believe where it’s at today. 2012 was a pivotal year for us as we built an amazing team, both on the development and sales/marketing side. We transformed IEF and moved quickly, adding huge features like web page rebuilding, Dropbox decryption, web video recovery, cloud support, and many more.

Last week I was at the SANS DFIR Summit in Austin, Texas (home to some great food and great bars!). I was extremely proud, honored, and at the same time humbled to receive the Forensic 4cast award for “Computer Forensic Software Tool of the Year” for Internet Evidence Finder (IEF). The other two nominees (Volatility and 4n6time) are excellent software tools and it was an honor to be nominated in the same category as they were.

I accepted the award, but it really belongs to my team. Without them, IEF would not be where it is today, simple as that. They are a hard working, talented bunch who share my drive and passion to support law enforcement in their investigations as well as corporate investigators and incident responders in theirs.

Finally, I and our team really want to thank you, our customers and supporters. Thank you for nominating us and voting for us; this award means a lot to everyone on the team and without your nomination or vote, we couldn’t have won. I’d also like to thank Lee Whitfield for his time and effort in putting the Forensic 4cast awards together, and providing some very cool awards (see picture above :) ).

We will continue to work hard to improve, innovate, and add more features/artifact support to IEF this year, especially on the mobile side where we have some very cool developments on the way. As always, if there are specific areas or items you want us to focus on as we develop IEF, please don’t hesitate to contact us or me directly.

Again, thank you for your support!
Jad and the Magnet team

How Private is Internet Explorer’s InPrivate Browsing?…First define “private”


As a follow-up to my recent posts about a suspect using CCleaner in an attempt to hide their Internet activity, I received several emails asking about Internet Evidence Finder’s ability to recover InPrivate browser artifacts that I wanted to address.

Here is the link to Part one and Part two of my original CCleaner posts as well as a video Jad shot a while back explaining some of the behaviors of ‘InPrivate’ Browsing and the artifacts left behind.

InPrivate Browsing is a feature of Internet Explorer that was first introduced in IE version 8, beta 2 (August 2008). InPrivate is really several features, with the most common being known as ‘porn mode’, which is designed to allow the user to browse the Internet without the browser storing Internet history and webpage cache information, as it typically does. This feature was really designed for public computers where, without the use of “InPrivate”, a person’s browser history could be viewed by anyone else who has access to that user account profile. For example, at an Internet café, where a user rents a computer for a period of time, a subsequent user could view the history and the cached data that was stored on disk during the previous user’s browser activity.

A description of InPrivate on an IE8 wiki page states:

“InPrivate Browsing in Internet Explorer 8 helps prevent one’s browsing history, temporary Internet files, form data, cookies, and usernames and passwords from being retained by the browser, leaving no easily accessible evidence of browsing or search history. InPrivate Filtering provides users an added level of control and choice about the information that third party websites can use to track browsing activity. InPrivate Subscriptions allow you to augment the capability of InPrivate Blocking by subscribing to lists of websites to block or allow.

“As with other private browsing modes there are ways that information about a browsing session can be recovered.”

I highlighted two parts of the description that are very accurate and important. The first is that InPrivate mode was not designed as anti-forensics. It was intended to provide some privacy features so that the user’s browsing activity could not be easily accessible. The use of “easily accessible” does not apply to digital forensics. The second is the disclaimer that there may be ways to recover the browser activity that was generated during an InPrivate session.

InPrivate mode is activated in Internet Explorer by selecting Tools-> InPrivate Browsing (Ctrl+Shift+P). Depending on the version of IE, the word “InPrivate” will appear either in the title bar or address bar, as shown below. Any links or action that opens/spawns additional tabs will also be “InPrivate” mode.

InPrivate Browsing

InPrivate mode may not be exactly what you were expecting. As forensic examiners, we sometimes expect a feature that advertises itself with the goal of protecting a user’s privacy to also hinder us during a forensic examination. The reality of InPrivate mode is that Internet Explorer actually still creates data on the disk related to the user’s browsing activity. Cached files are still placed in the typical “Temporary Internet Files” subdirectories, and although the user’s history is not visible from the Internet Explorer UI, URLs are still recorded in the index.dat file(s).

URLs

When IE is closed, the files that were cached on the filesystem are then deleted (not wiped). In addition, many (if not all) of the artifacts that were generated by the user’s browser session were at some point in memory and ultimately make their way to the pagefile, which InPrivate mode has zero effect on.

To demonstrate this, I installed Windows 7 from the original installation media. With zero web browsing history after the installation, I immediately entered InPrivate mode and browsed to Facebook, Gmail and Yahoo Mail.

Here is an example of the files created on the file system during an InPrivate session (note the path):

InPrivate session

When the browser was closed, the above files were deleted and the folder was left with only a few files:

Folder remains

A forensic look after IE was closed and the machine was rebooted reveals this:

Reboot reveal

A quick scan with Internet Evidence Finder reveals tons of artifacts, many of them in the pagefile and unallocated:

Many artifacts remain

So, does Internet Explorer ‘InPrivate’ mode do what it’s supposed to? Sure, it does conceal a user’s browser history from UI and common tools, pretty much as advertised.

Does it pose a severe threat to forensics? Not so much…

There are a couple of very important factors that can affect your outcome and your mileage may vary based on these factors:

  • Collection of RAM!, Collection of RAM!, Collection of RAM!
  • The time period between the InPrivate session being closed and the forensic examination (since data is now in unallocated).
  • The amount of new file system activity between the InPrivate browser session and the forensic examination, since this will affect how long the data in unallocated remains without being overwritten.
  • The amount of memory usage/activity between the InPrivate browser session and the forensic examination, since this will affect the pagefile.

 

As always, I appreciate the feedback, comments or questions.
You can reach me anytime at lance (at) magnetforensics.com

Investigating iOS Phone Images, File Dumps & Backups


As of January 2013, Apple announced it had sold over 500 million iOS devices. While iOS seems to be the leading operating system for tablets worldwide, Android continues to be the leading operating system for mobile phones worldwide.

Regardless of the statistics, if you are an active forensic examiner, chances are very high you will need to conduct an examination of an iOS mobile device (if you haven’t several times already). This article will discuss some of the steps involved and areas of interest when conducting an analysis of an iOS device for Internet related activity.

Handset Passcodes

Depending on the version of iOS, different passcode lengths and complexities are supported.

  1. A simple four digit passcode
  2. A complex numeric passcode
  3. A complex alphanumeric passcode or passphrase

In many cases, you will need the passcode in order to obtain a physical image or a file system dump. Depending on the iOS version, device hardware version and passcode complexity, the passcode can sometimes be obtained by the forensic tool (such as Cellebrite) using a brute-force attack.

Physical memory dump vs. file dump vs. AFC file backup

Depending on the type of investigation, the tools you have available and the version of the iOS phone you need to examine, you may have a choice whether to conduct a physical memory extraction, a file system dump or an Apple File Connection (AFC) backup.

When possible, it is recommended to obtain a full physical memory extraction, since that will likely contain data that the file system dump and AFC backup do not (deleted file system data, etc.).

Physical memory image

This would typically be accomplished using a tool such as Cellebrite, XRY, Lantern, Elcomsoft, MPE or the Zdziarski method¹. The result of using one of these tools would either be a bit stream (dd) or a DMG image file that could then be analyzed manually or using a forensic analysis tool.

File system dump

A file system dump, which is a subset of a physical image, could be performed by several well-known tools such as Cellebrite, Blacklight, Oxygen or XRY.

AFC backup

Apple file connection (AFC) is used with iTunes to conduct a device backup and can be used to perform a backup of data from the device. For example, EnCase v7 can acquire an iOS device using this technology (requires iTunes to be installed, but not running). An examiner can also look for backups on a computer the device has previously been connected to as another step to analyze data from the device without having access to the device itself.

Windows XP:

c:\Documents and Settings\\Application Data\Apple Computer\MobileSync\Backup

Windows Vista/7/8:

c:\users\\AppData\Roaming\Apple Computer\MobileSync\Backup

OSX:

~/Library/Application Support/MobileSync/Backup

Depending on the version of iOS & iTunes, the backup can be protected with a password, which is used to encrypt the backed up data. This password is independent from the device passcode.

File System Encryption

File System Encryption

Figure 1: http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf

Starting with iOS 4 Apple began providing data protection for user data by encrypting the user partition. With the introduction of the iPhone 3GS (and continuing to the current iPhone 5 hardware device), Apple began including a hardware key that is used as part of the encryption process. This means that the physical device is needed in order to get all the components (keys) to successfully decrypt files that are protected with this level of encryption. iOS 5 introduced an additional layer of protection by encrypting files with individual keys.

Apple has defined four levels (classes) of protection for user data:

NSFileProtectionNone

The file has no special protections associated with it. It can be read from or written to at any time.

Available in iOS 4.0 and later.

Declared in NSFileManager.h.

NSFileProtectionComplete

The file is stored in an encrypted format on disk and cannot be read from or written to while the device is locked or booting.

Available in iOS 4.0 and later.

Declared in NSFileManager.h.

NSFileProtectionCompleteUnlessOpen

The file is stored in an encrypted format on disk and must be opened while the device is unlocked. Once open, your file may continue to access the file normally, even if the user locks the device.

Available in iOS 5.0 and later.

Declared in NSFileManager.h.

NSFileProtectionCompleteUntilFirstUserAuthentication

The file is stored in an encrypted format on disk and cannot be accessed until after the device has booted. After the user unlocks the device for the first time, your app can access the file and continue to access it even if the user subsequently locks the device.

Available in iOS 5.0 and later.

Declared in NSFileManager.h.

The default class for all files that are not otherwise assigned to a different data protection class is NSFileProtectionNone. This level uses an individual key for each file, but those keys are protected with a single system key so that all the user data can be easily ‘erased’ during a reset (the data is not really erased; the reset just deletes the system key, so the individual keys and the data can never be recovered). Forensically, however, the key is easily viewed, since the system key can easily be obtained without the need for the hardware key on the device itself. This level is not really meant to protect data, but rather to provide a quick way to render data unreadable/unrecoverable. Each installed user application can dictate which class is used to store the data generated by that application, but many use the default.

The other levels of data protection incorporate the use of the hardware key that is unique for each particular device. This means that while you may be able to collect a physical image of an iPhone 4 or 5 and read the image file system, you cannot view unencrypted versions of the files themselves. If you have the device passcode and can obtain a file dump, you can however analyze the logical files, but will not be able to search unallocated.

iOS Decryption with IEF 6.1.1

Internet Evidence Finder 6.1.1 introduced the ability to search an iOS image and files that may be protected with data encryption by providing the keys that are obtained by Cellebrite during the physical extraction process. IEF now looks for the associated .UFD file that the UFED creates during a physical extraction. The necessary keys are recorded in the .UFD file and IEF can now use those keys to decrypt data that is protected by only the system key.

Loading an iOS image into Internet Evidence Finder

Mobile phone support was added in IEF v6.1, and loading an image of an iOS device is very similar to loading an image of a hard drive. From the main splash screen, simply choose the “Mobile” option, iOS, then “Images”. You can point IEF directly to a bin, dmg or dd file.

Loading a file dump into Internet Evidence Finder

If you have obtained a logical file dump, you can follow the same steps as above, but instead choose the “File Dump” option and select the root folder that contains all the files you want to analyze. From this point you can continue to add more smartphone images, hard drive images or files you want to search before proceeding to the artifact selection page.


Once completed, IEF will display all the found artifacts placed in their respective categories:

Loading iOS backup files into Internet Evidence Finder

iOS backup files are normally found on a computer hard drive. Therefore, to include iOS backup files in the artifact search, select the computer hard drive from the main “Images” option, then be sure and select the “iOS backups” option from the artifact selection screen:

Summary

Depending on how you have acquired data from the iOS device, you have three distinct options to analyze it with IEF.

Physical Image (bin file from Cellebrite, DMG from Lantern or other ‘dd’ type image)

Use IEF Advanced and choose the ‘iOS’->‘Images’ option. If you used a Cellebrite UFED to extract the physical image and have the associated .UFD file, make sure it is in the same directory as the Cellebrite physical image file (.bin) and IEF will automatically look for the .UFD file and use any keys that are present to decrypt user data.

File Dump

Use IEF Advanced and choose the ‘iOS’->’File Dump’ option, point IEF to the root of the file dump folder.

iOS Backup Files

Use IEF Standard or IEF Advanced and choose the ‘iOS Backup’ from the Mobile Backups artifact category.

 

As always, I appreciate the feedback, comments or questions. You can reach me anytime at lance(at) magnetforensics(dot)com. Special thanks to Ryan Kubasiak from Blackbag Technologies for some of the detailed iOS encryption information and document references.

___________

¹ Jailbreaking could be another option, but is outside of the scope of this article and will not be discussed.

Convert X-Ways TSV data into TLN data for IEF Timeline


Today I’m pleased to announce a new free tool and a guest blog post from James Morris of the Queensland Police Service in Australia.

James came to me a couple weeks ago with a request to help him get some data out of X-Ways and into IEF Timeline for the purpose of visualizing the data. As most people involved in digital investigations know, being able to view a set of events or activities on a visual timeline can greatly assist in understanding a user’s actions and explaining what has occurred to other stakeholders including supervisors, attorneys, and jurors.

In the interest of helping James and other X-Ways users, I started to develop a tool that would convert TSV data exported from X-Ways into a standard TLN file that could then be loaded into IEF Timeline. James provided some sample TSV exports and feedback and the end result was a tool that makes the TSV-to-TLN conversion quick and easy.

James has been kind enough to write a tutorial which I’ve posted below. His contact information is at the bottom of the post should you need to contact him (any support requests should go through the Magnet support site however, and please don’t spam James :) ).

I would like to extend a thank-you to James for his help with this project and I hope other X-Ways users find it to be of value.

Here is the download link for the tool: Download TSV to TLN Converter


Tutorial for X-Ways TSV to TLN – IEF Timeline Viewer

X-Ways Forensics is a forensic computing application that provides a number of features to its users. One of these features is the Events pane. After completing a Refine Volume Snapshot (RVS) operation, you can click on this pane and view the events based on Timestamp and the other filtering options X-Ways is renowned for.

When you have found the key events that will make your case, you can export these into a Tab Separated Value (TSV) file for use in an Excel spreadsheet.

X-Ways TSV to IEF Timeline

Fig. 1 – X-Ways Forensics events selected for export to TSV format.

Right mouse click on the selected items and select Export List.

The Export List options will come up where you can select the TSV format. You can choose the fields that will be exported out into the file, similar to the items outputted in the Report Tables.

As a minimum, select the Timestamp, Type, Category, Description, Name, Path, Type, Evidence object and Owner.

X-Ways TSV to IEF Timeline

Fig. 2 – Right mouse click for Export list and options to select for export

 

Make sure the file has the TSV extension on the end.

X-Ways TSV to IEF Timeline

In Excel 2010 the exported file appears as:

X-Ways TSV to IEF Timeline

Fig. 3 – Excel 2010 with the exported data from X-Ways Forensics 

If you want to do more with this information, such as create a timeline, you need to get the exported information into another format. The last few years have introduced the use of the TLN or Timeline format as defined by Harlan Carvey. From the script by Kristinn Gudjonsson, the following information describes the TLN format:

# The format was described in this blog post:
# http://windowsir.blogspot.com/2009/02/timeline-analysis-pt-iii.html
#
# And a better and more up-to-date description:
# http://windowsir.blogspot.com/2010/02/timeline-analysisdo-we-need-standard.html

More information about the script can be read here – https://code.google.com/p/log2timeline/source/browse/lib/Log2t/input/tln.pm?spec=svnef4ca959e05dbea35059daac81ffad704ec7ec6c&r=ef4ca959e05dbea35059daac81ffad704ec7ec6c

With the data exported from X-Ways Forensics, extra value-added content can be generated in the form of a visual timeline. Selecting pertinent entries from the event pane and showing them graphically rather than in spreadsheets is now possible. The screenshot below is an example of some test internet data as a visual timeline using a new tool from Magnet Forensics.

X-Ways TSV to IEF Timeline

Jad Saliba from Magnet Forensics has kindly taken the challenge to produce a tool that converts the X-Ways generated TSV file into the TLN format. The generated TLN file can then be imported into IEF Timeline Viewer and the events viewed as a time line, giving you a visual representation of events against a time period.

X-Ways TSV to IEF Timeline

The features of this tool include a timezone adjustment converter. This will read your timestamps and convert them back to UTC/GMT from the specified timezone. You will need to do this so that the timestamps will display correctly in IEF Timeline due to the timezone settings within the application.

X-Ways TSV to IEF Timeline

To convert the X-Ways Forensics TSV file to TLN format, open the TSV to TLN executable available from the Magnet Forensics website.

X-Ways TSV to IEF Timeline

Browse to the folder containing the TSV file and select it.

The TSV file selected has entries in it for files dated in the year 1829. Obviously these file entries are erroneous. The Timezone Adjustment has been selected to reset the entries from the selected data timezone back to UTC. Daylight savings offsets do not apply to this timezone (UTC +10 Brisbane).

Timestamp dates before 1 January 1990 are converted by the converter to the Unix time value “1000000” in the TLN file. IEF Timeline will then filter out these lines from the TLN file so that they are not displayed in the resulting timeline.

Once the file is converted to TLN format, open IEF Timeline and load the TLN file into the program.

X-Ways TSV to IEF Timeline

The screen will open to show a visualisation of the entries exported from X-Ways Forensics where you can add value to your examination.

X-Ways TSV to IEF Timeline

As with the IEF case data, the timestamp and other fields are available to show the records that make up that part of the timeline.

Tutorial Summary –

  • X-Ways Forensics offers TSV export from the Events pane that can lend itself to timelines
  • Magnet Forensics has created a TSV to TLN format convertor so that timelines can be viewed in IEF Timeline
  • To create a X-Ways Forensics TSV for TLN conversion –
    • Complete the RVS operation
    • Go to the Events Pane and filter the entries for export
    • Export the entries and select the Timestamp, Type, Category, Description, Name, Path,  Type (under the Ext.), Evidence Object
    • Of these fields Timestamp, Type, Category are REQUIRED to translate to the TLN format fields. All other fields are put in the Description field of the TLN format.
    • Export the file and save it with a TSV extension.
    • Open the TSV to TLN Convertor
    • Navigate to the folder with the TSV file.
    • Remember to adjust the entries to UTC via the time adjustment option in the tool
    • Click GO!
    • The file will be saved in the same folder as the TSV.
    • Open IEF Timeline and load the newly created TLN file
    • Sit back and behold the time line visualisation.
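The conversion rules in the tutorial (required columns, adjustment to UTC, the “1000000” placeholder for pre-1990 dates) can be sketched in Python. This is an added example and is not the Magnet Forensics converter's code. The timestamp format, the mapping of Category to the TLN Source field with Type leading the Description, the empty Host and User fields, and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

REQUIRED = ("Timestamp", "Type", "Category")
CUTOFF = datetime(1990, 1, 1, tzinfo=timezone.utc)
PLACEHOLDER_EPOCH = 1000000        # value the tutorial says is written for pre-1990 dates
TS_FORMAT = "%d/%m/%Y %H:%M:%S"    # assumed export format; adjust to your X-Ways settings


def unique_headers(headers):
    """The export can hold two columns named Type; keep the first, number the rest."""
    seen, out = {}, []
    for name in (h.strip() for h in headers):
        seen[name] = seen.get(name, 0) + 1
        out.append(name if seen[name] == 1 else f"{name} ({seen[name]})")
    return out


def to_epoch(text, utc_offset_hours):
    """Convert a local timestamp string to Unix seconds in UTC."""
    local = datetime.strptime(text, TS_FORMAT)
    utc = (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)
    # Assumption: the 1990 cutoff is applied after the adjustment to UTC.
    return PLACEHOLDER_EPOCH if utc < CUTOFF else int(utc.timestamp())


def tsv_to_tln(tsv_text, utc_offset_hours=0):
    """Return TLN lines (Time|Source|Host|User|Description) for an exported TSV."""
    rows = [r for r in csv.reader(io.StringIO(tsv_text), delimiter="\t") if any(r)]
    if not rows:
        return []
    headers = unique_headers(rows[0])
    missing = [c for c in REQUIRED if c not in headers]
    if missing:
        raise ValueError("missing required column(s): " + ", ".join(missing))
    lines = []
    for cells in rows[1:]:
        cells = [c.strip() for c in cells] + [""] * (len(headers) - len(cells))
        row = dict(zip(headers, cells))
        # Every non-required, non-empty column is folded into the Description.
        extras = [f"{k}={v}" for k, v in row.items() if k not in REQUIRED and v]
        # "|" is the TLN delimiter, so it must not survive inside a field.
        description = "; ".join([row["Type"]] + extras).replace("|", "/")
        source = row["Category"].replace("|", "/")
        epoch = to_epoch(row["Timestamp"], utc_offset_hours)
        lines.append(f"{epoch}|{source}|||{description}")  # Host and User left empty
    return lines


# Constructed sample rows; real X-Ways exports will differ in values and format.
SAMPLE_TSV = "\n".join("\t".join(r) for r in [
    ["Timestamp", "Type", "Category", "Description", "Name", "Path", "Type",
     "Evidence object", "Owner"],
    ["24/07/2013 09:15:30", "Creation", "File system", "", "index.dat",
     r"\Users\test\History", "dat", "Disk1", "test"],
    ["01/01/1829 00:00:00", "Last access", "File system", "", "bad.tmp",
     r"\Temp", "tmp", "Disk1", "test"],
])

if __name__ == "__main__":
    for line in tsv_to_tln(SAMPLE_TSV, utc_offset_hours=10):  # UTC+10 Brisbane
        print(line)
```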

 

James Morris
Investigative Computer Analyst
Electronic Evidence Examination Unit
Fraud and Cyber Crime Group
State Crime Command
Queensland Police Service, Australia
morris.jamesc (at) police.qld.gov.au 


 

Again, a big thanks to James for this walkthrough. If you have any questions or other suggestions/feedback, you can contact me at jad (at) magnetforensics.com.

Here’s the download link again (same as the one further up :) ): Download TSV to TLN Converter

Hope to see you at Blackhat later this week!
