Channel: Magnet Forensics

How does Chrome’s ‘incognito’ mode affect digital forensics?

This post is a follow-up to a post I recently did about Internet Explorer’s ‘In-Private’ mode. I received a lot of messages asking about the private browsing modes in Chrome and Firefox and how it may affect digital forensics. This post discusses the Chrome ‘incognito’ mode and the effects it may or may not have on digital forensics.

Chrome’s ‘incognito’ mode is very similar to Internet Explorer’s ‘In-Private’ mode. To access this ‘private’ browsing feature, a user simply chooses “New incognito window” from the Chrome menu on the toolbar. Alternatively, a user can press Ctrl+Shift+N to start a new incognito session in a new window. Additional browsing tabs opened in that new incognito window will also be in incognito mode.

Here is a description of ‘incognito’ from Chrome’s internal help document:

Incognito Description

To illustrate how incognito may or may not affect artifacts, I started with a clean installation of Chrome with no browsing history and immediately opened an incognito window.

Incognito Window

I then browsed to several websites, including Google, Gmail, Facebook, Flickr and Yahoo. I logged in to check mail, checked some Facebook statuses, sent a few messages and conducted a few web searches.

After some moderate browsing, I ran Internet Evidence Finder and only selected Chrome browser artifacts, webmail, as well as the social networking artifacts. I was greeted with these results:

IEF Results

Almost all of the results found were in the pagefile.sys file. This is quite different from the “In-Private” results in Internet Explorer, but there is a reason for this.

Internet Explorer stores many artifacts as files on the file system, such as the cached webpages, images, etc., whereas Chrome uses a SQLite database to track many of those records. Chrome’s incognito mode does not write records for the webpages visited or cache the images/pages the way Internet Explorer does in “In-Private” mode; IE writes them and then deletes them at the end of the private browsing session, leaving artifacts in unallocated space. The result is that with Chrome’s incognito mode far fewer artifacts ever hit the disk and ultimately end up in unallocated space.

However, what Chrome’s incognito mode cannot control, just like Internet Explorer’s “InPrivate” mode, is what ends up in RAM and in the pagefile.sys file (virtual RAM). This is another wake-up call to revisit your workflow and processes to make sure that the collection of RAM is a high priority and at the top of your “order of volatility” list.

For fun, I collected the system’s RAM to see what I could find in RAM related to my incognito browsing sessions compared to what I was finding in the pagefile.sys file itself.

RAM related to Incognito

In the example above, I used a virtual machine with a small amount of RAM (1024 MB), and over time it is apparent that more artifacts ended up in the pagefile.sys than remained in RAM at any one time. Certainly the total amount of RAM installed, as well as the amount of time since the artifact was created in RAM and/or the pagefile.sys file, will affect how long it sticks around and whether it can later be found during a forensic examination.

So while Chrome’s incognito mode tends to leave fewer artifacts in unallocated compared to Internet Explorer’s “In-Private” mode, it still can leave lots of important artifacts in memory and in the pagefile.sys file.

As always, I appreciate the feedback, comments or questions.
You can reach me anytime at lance (at) magnetforensics.com


iOS artifacts – See what you might be missing!

Lance posted a great article on iOS forensics last week detailing common steps and details of an examination of an iOS device, and how IEF can be used once you have that physical image or file system dump.

Today I’d like to present some examples of the deleted data IEF Advanced is able to recover from iOS physical images. This is one of our key strengths on mobile (and PC/Mac) images and I think you’ll be excited about some of the artifacts we’re able to recover that you may have been missing using other mobile forensic tools.

But first, some background. The following data is from an iPhone 3G that was factory reset. A cursory look at the phone would yield no results and it would seem as though this is a fresh phone with no data on it, but as you’ll see below, there are lots of goodies to be found. :)

iOS Forensics - Recovering Deleted Data

First up are Kik Messenger chat messages. As you can see from the screenshot above, there was a wealth of Kik Messenger chat still available on the device to be recovered (929 messages). We also know that this message (and in fact, all 929 of those Kik chat messages) is in unallocated clusters at physical sector 862938. I opened the image file in a hex editor and went to that offset (sector 862938 * 512 bytes per sector = byte offset 441,824,256) and you can see the raw data for the highlighted message below.

iOS Forensics - Recovering Deleted Data

Next, let’s take a look at some deleted SMS:

iOS Forensics - Recovering Deleted Data

Again, the artifact is from unallocated space on the mobile device. Depending on the type of SMS/iMessage artifact, more or less data is available to be recovered (in this case, a sent date/time, the message, and the partner ID/phone number are available).

Moving along to some email:

iOS Forensics - Recovering Deleted Data

Thousands of emails were found on this image; a sanitized sample is shown above. Just to be clear (no matter what Lance might try to tell you), this is not my phone. :)

As you can see above, these are plaintext emails with full header information. This can provide valuable IP address data, just like what you might find in emails from a PC/Mac image.

Next up, a quick look at some recovered voicemails:

iOS Forensics - Recovering Deleted Data

To play a recovered voicemail (AMR data) within IEF, click on a record and then click the Play button at the top left of the bottom right pane. This allows you to quickly review the recovered recordings without having to export them first.

Finally, here’s some recovered Safari web browser history:

iOS Forensics - Recovering Deleted Data

Again, I’d like to re-iterate that this is not my iPhone. :)

To recap, all the artifacts that were shown above were recovered by IEF Advanced from the unallocated space of an iPhone which had been “factory reset”.

I’ve always been eager to find deleted data in my examinations, and we all know that feeling of being handed a “wiped” or reset device and asked to find that smoking gun. This can mean a lot of tedious, time-consuming manual searching, sometimes not knowing exactly what to look for and running the risk of missing critical evidence.

With IEF Advanced (and IEF in general), we hope to help you out in those situations by either finding that smoking gun for you or providing a starting point that helps you focus your investigation, whether the device has been reset or not. To request a free 30-day trial of IEF Advanced, please click here.

As always, we welcome your feedback and comments; if there are ways we can improve or new artifacts/functionality you want us to take a look at, please let us know.

Thanks for your support!
Jad and the Magnet team 

Magnet Forensics Ranks No. 7 on the 2013 PROFIT HOT 50

PROFIT Magazine unveils 14th annual list of Canada’s Top New Growth Companies

Waterloo, ON (September 4, 2013) PROFIT Magazine today ranked Magnet Forensics No. 7 on its 14th annual PROFIT HOT 50, the definitive ranking of Canada’s Top New Growth Companies. Published in the October issue of PROFIT Magazine and online at PROFITguide.com, the PROFIT HOT 50 ranks young firms by two-year revenue growth.

Magnet Forensics, a global leader in the development of forensic software that recovers data from a broad range of Internet-related communications, made the PROFIT HOT 50 list with two-year revenue growth of 2,727%. 

“This year’s PROFIT HOT 50 companies embody the entrepreneurial spirit,” says Ian Portsmouth, Publisher and Editor-in-Chief of PROFIT Magazine. “They have grown exceptionally fast in a challenging economy, thanks to the ingenuity and determination of the entrepreneurs behind them.”

“Magnet Forensics is proud to be recognized as one of Canada’s fastest growing new companies by PROFIT Magazine, for the 2nd year in a row,” says CEO Adam Belsher. “This achievement reflects the strength of our technology and the dedication of our team.”

About PROFIT Magazine

PROFIT: Your Guide to Business Success is Canada’s preeminent publication dedicated to the management issues and opportunities facing small and mid-sized businesses. For 31 years, Canadian entrepreneurs and senior managers across a vast array of economic sectors have remained loyal to PROFIT because it’s a timely and reliable source of actionable information that helps them achieve business success and get the recognition they deserve for generating positive economic and social change. Visit PROFIT online at www.PROFITguide.com.

About Magnet Forensics

Magnet Forensics is a global leader in the development of forensic software that recovers data from a broad range of Internet-related communications. Our flagship product, INTERNET EVIDENCE FINDER™ (IEF), was created by a former police officer and forensic examiner who recognized the need for an easy-to-use, comprehensive tool to help perform digital investigations. Since its creation, IEF has quickly become a trusted solution for thousands of the world’s top law enforcement, government, military and corporate organizations, used to recover Internet evidence like chat messages, social media communications, webmail, browser activity (and more) to support their most important investigations.
For more information about Magnet Forensics visit www.magnetforensics.com

Media Contacts:

Magnet Forensics
Scott Williams, +1-519-503-7967
scott.williams@magnetforensics.com

Forensic implications of a person using Firefox’s “Private Browsing”

This blog post is the final in a three-part series that discusses the privacy modes of the three major web browsers and the implications they have for digital forensics. You can see the original post for Internet Explorer here, or the one for Google Chrome here.

In this post, I will briefly discuss Firefox’s “Private Browsing” feature. One of the key statements in the Private Browsing description in the Mozilla product page is “Private Browsing allows you to browse the Internet without saving any information about which sites and pages you’ve visited”. Some additional information from the Mozilla Firefox documentation:

What does Private Browsing not save?

  • Visited pages: No pages will be added to the list of sites in the History menu, the Library window’s history list, or the Awesome Bar address list.
  • Form and Search Bar entries: Nothing you enter into text boxes on web pages or the Search bar will be saved for Form autocomplete.
  • Passwords: No new passwords will be saved.
  • Download List entries: No files you download will be listed in the Downloads Window after you turn off Private Browsing.
  • Cookies: Cookies store information about websites you visit such as site preferences, login status, and data used by plugins like Adobe Flash. Cookies can also be used by third parties to track you across websites. For more info about tracking, see How do I turn on the Do-not-track feature?
  • Cached Web Content and Offline Web Content and User Data: No temporary Internet files (cached files) or files that websites save for offline use will be saved.

Private browsing is activated through the ‘File -> New Private Window’ menu option (CTRL+Shift+P). Once activated, the user is presented with the following window/information:

Private Browsing

First, here is a baseline of all artifacts found before Firefox was even installed.

Artifacts Baseline

After Firefox was installed and immediately put into Private Browsing mode, I did a few hours of Internet browsing and then re-ran IEF with the following results (after the Firefox browser was closed, but before a reboot):

Post Private Browsing - No Reboot

A quick filter was applied to show only the hits in the pagefile, and it reveals that almost 100% of the hits above were located in the pagefile.sys file (virtual memory).

Pagefile.sys hits

A dump of memory was then done and analyzed using the same process:

Memory Dump Analysis

After a reboot and some additional general use (no browsers), I ran IEF again and still found thousands of artifacts in the pagefile.

After Reboot Results

If you have read the previous two parts of this series (Internet Explorer’s InPrivate and Chrome’s Incognito), then these results should not come as any great surprise.

While all three of these browsers try to reduce the amount of information left behind after usage, and for the most part stop or minimize the amount of data THEY store, they cannot completely stop or control what ends up in memory and the pagefile.

As always, I appreciate the feedback, comments or questions.
You can reach me anytime at lance (at) magnetforensics.com

IEF Evidence Processor Module for EnCase v7

Magnet Forensics has released the Internet Evidence Finder™ (IEF) Evidence Processor Module for EnCase® v7. The IEF Evidence Processor Module for EnCase v7 is designed to assist digital investigators with their workflow by allowing them to run Internet Evidence Finder (IEF) from within EnCase, without the need to start IEF separately and point it at the same evidence files you already have loaded in EnCase.

This second integration between IEF and EnCase is a follow-up to the previously released IEF Connector for EnCase v6 & v7. This second release was designed as a module that is used in conjunction with the “Process Evidence” feature of EnCase where the user can select any number of ‘modules’ to run against selected evidence.

Download the Tool

If you already use IEF, you can download the IEF Evidence Processor Module for EnCase v7 directly from the Magnet Forensics website.

EnCase users who don’t currently own a license for IEF can download a free 30-day trial or the full version of IEF with the IEF Evidence Processor Module for EnCase v7 from EnCase App Central.

Using the Tool

Once downloaded and installed, the module will appear in the “Evidence Processor” configuration screen, under the “modules” category.

Configuration Screen: Modules

Clicking on the “Internet Artifact Search with IEF by Magnet Forensics” module name will display the IEF configuration screen:

Configuration Screen

From here, the investigator can choose the search type and artifact groups that are searched. In addition, the investigator can choose to have the results only stay in the IEF case file (none) or to be copied into the records tab of EnCase (EnCase Records).

Once the IEF Module is selected and run, an IEF search status screen will be displayed to provide feedback and progress of the search:

IEF Search Status

Once the “Process Evidence” action completes, and if the investigator selected to have the results copied into the records tab of EnCase, the investigator can view the results by looking in the records tab:

Records tab

Clicking on the Records object (Internet Artifact Search with IEF by Magnet Forensics) will display all the records:

All records

The investigator can then drill down and look at specific records by viewing the “fields” tab in the lower window:

Fields tab

The investigator can then leverage some/all of the built-in EnCase features, such as index searches, filter & conditions, bookmarking & reporting to refine and find specific records of interest.

As always, I appreciate the feedback, comments or questions.
You can reach me anytime at lance (at) magnetforensics.com

International Association of Chiefs of Police Conference (IACP)

October 19 – 23, 2013
Philadelphia, PA

Featuring renowned keynote speakers, forums and technical workshops, and the largest exhibit hall of products and services in the law enforcement community, the premier event for law enforcement provides thousands of dedicated professionals from across the country and around the world with an exceptional, concentrated forum for learning, collaborating and experiencing new technology.

IEF Ares Search Video Tutorial

This is the fourth in a series of videos created to help forensic professionals get started with some of the new key features in Internet Evidence Finder (IEF) v6.2.

IEF – Ares

This video demonstrates the full Ares artifact support available in IEF v6.2: it parses and carves search terms, shared files, downloaded files, and incomplete file downloads. The expanded Ares coverage in IEF v6.2 provides a broader view of how Ares Peer2Peer was used by showing the name of the file, when it was downloaded, and many other key details.

For all the details on the new features and artifacts in IEF v6.2, check out the product announcement.

IEF Logical Evidence File (LEF) Creator for EnCase v7

Magnet Forensics has released the Internet Evidence Finder (IEF) Logical Evidence File Creator for EnCase v7. The IEF Logical Evidence File (LEF) Creator is an EnScript designed to create an LEF from a pre-existing IEF case folder. The goal of this EnScript is to allow an examiner who has run IEF separately from EnCase to later incorporate the findings into EnCase v7. Running this EnScript from EnCase v7 creates an LEF that is automatically added into EnCase.

Download the Tool

If you already use IEF you can download IEF Logical Evidence File (LEF) Creator for EnCase v7 directly from the Magnet Forensics website here.

This is the third EnScript released by Magnet Forensics that allows you to integrate IEF into your EnCase workflow. The first one was released in May 2013 and was designed as a stand-alone EnScript for EnCase v6 & v7. You can read the details here.

The second was a module specifically designed to be installed and used as part of the EnCase v7 “Process Evidence” option. You can read more about that EnScript here.

Using the Tool

Let’s assume I have a case where I have run IEF separately from EnCase and searched for Internet artifacts:

Search Locations

Once IEF is completed, I will be presented with the IEF report viewer screen to review the found artifacts:

IEF report viewer

Let’s now assume there are some artifacts that IEF found that are relevant and I want to include them in my overall EnCase processing/searching/reporting. I can simply run the EnScript from EnCase v7 and it will ask me to point to the IEF case folder (the folder structure that IEF creates and places all the output files in):

Path to IEF

Once I have navigated to and selected an existing IEF case folder, the EnScript will create an LEF in that same folder and then try to add it into the current case.

LEF Created

You can now process, review, search and bookmark any of the artifacts that IEF found when you ran it stand-alone, now that they have been incorporated into EnCase via a logical evidence file.

logical evidence file

As always, I appreciate the feedback, comments or questions.
You can reach me anytime at lance(at)magnetforensics(dot)com


Bitcoin Forensics – A Journey into the Dark Web

There has been a lot of buzz around Tor, Bitcoin, and the so-called “dark web” (or “deep web”) since the FBI shut down the underground website “Silk Road” on Oct 1st.

As many of you already know, Tor is a network of encrypted, virtual tunnels that allows people to use the internet anonymously, hiding their identity and network traffic. Using Tor’s hidden service protocol, people can also host websites anonymously that are only accessible by those on the Tor network. Enter Silk Road.

Bitcoin - Silk Road

Silk Road was an online black market where you could buy virtually anything, including but not limited to drugs, weapons, credit card data, contract killers, and more. One of the key “features” of Silk Road was that it was only accessible via the Tor network, hidden from the mainstream web.

With $1.2 billion in sales and nearly a million customers, business was good. The other key privacy aspect of Silk Road is that all transactions on the site were via Bitcoin, a distributed, peer-to-peer, and anonymous digital currency that is based on cryptography principles.

Silk Road is gone but there are other online black marketplaces that will take its place, like the Sheep Marketplace or Black Market Reloaded:

Bitcoin - BMR

These sites are also only accessible via Tor and use Bitcoin to conduct transactions.

Using Bitcoin is fairly easy. You need a Bitcoin client/digital wallet installed on your computer or mobile device. You then need to obtain bitcoins from a Bitcoin exchange such as Mt. Gox or Bitstamp.

To send someone money, you instruct your Bitcoin client to send an amount of bitcoins to a Bitcoin address which will look something like this: 1N52cffvJp8jZRRamegywrLrD7aLjQbapF.

A transaction message is created and electronically signed by the Bitcoin client using your private key. This transaction is broadcast to the Bitcoin P2P network and is “verified” in a few minutes (sometimes up to 10). Once verified, the transaction is complete.

All Bitcoin transactions are stored publicly and permanently on the Bitcoin network; the balance and transactions of any Bitcoin address are visible to anyone. However, new addresses can be created for each transaction, which further increases the anonymity of Bitcoin transactions.

Support for recovering Bitcoin artifacts was added to IEF in version 6.1 (released this past June). Bitcoin addresses can be recovered from a Bitcoin wallet, as well as queries on the Bitcoin network from log files created by the Bitcoin client software.
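To make the address format described above concrete, here is an added example (not code from the post, from IEF or from Magnet Forensics) of the check a carver should apply before trusting a regex hit from a disk or memory image: a legacy Bitcoin address is Base58Check encoded, i.e. a version byte, a 20-byte hash and a 4-byte checksum taken from a double SHA-256, so a candidate string whose checksum does not verify is a false positive. The sample buffer is constructed for the demo (it assumes nothing about any real image) and contains one valid address, a damaged copy of it and a look-alike string.

```python
"""Base58Check validation for carving Bitcoin addresses from an image.

Added example, not the post's or IEF's code. Legacy addresses ('1...' P2PKH
and '3...' P2SH) are Base58Check: version byte + 20-byte hash + 4-byte
checksum, where the checksum is the first 4 bytes of SHA-256(SHA-256(data)).
"""
import hashlib
import re
from typing import List, Optional, Tuple

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Regex carving pattern: a legacy address starts with 1 or 3 and uses only the
# Base58 alphabet (no 0, O, I or l). It finds candidates, not valid addresses.
ADDRESS_RE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of the double SHA-256 of the payload."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58_encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Each leading zero byte is encoded as a leading '1'.
    leading_zero_bytes = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + digits


def base58_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def encode_address(version: int, hash160: bytes) -> str:
    """Build a Base58Check address from a version byte and a 20-byte hash."""
    payload = bytes([version]) + hash160
    return base58_encode(payload + _checksum(payload))


def decode_address(addr: str) -> Optional[Tuple[int, bytes]]:
    """Return (version, hash160) for a checksum-valid address, else None."""
    try:
        raw = base58_decode(addr)
    except ValueError:
        return None
    if len(raw) != 25:  # 1 version byte + 20 hash bytes + 4 checksum bytes
        return None
    payload, checksum = raw[:21], raw[21:]
    if _checksum(payload) != checksum:
        return None
    return payload[0], payload[1:]


def carve_addresses(data: bytes) -> List[str]:
    """Return the unique checksum-valid addresses found in a byte buffer."""
    found: List[str] = []
    for match in ADDRESS_RE.finditer(data):
        candidate = match.group().decode("ascii")
        if decode_address(candidate) is not None and candidate not in found:
            found.append(candidate)
    return found


# Constructed sample "image fragment": the address for an all-zero hash160,
# a copy with its last character damaged, and a Base58 look-alike string.
ZERO_HASH_ADDR = encode_address(0x00, bytes(20))
DAMAGED_ADDR = ZERO_HASH_ADDR[:-1] + ("2" if ZERO_HASH_ADDR[-1] != "2" else "3")
SAMPLE_BUFFER = (
    b"\x00wallet\x00" + ZERO_HASH_ADDR.encode() + b"\x00"
    + DAMAGED_ADDR.encode() + b" 1" + b"A" * 31 + b" junk"
)

if __name__ == "__main__":
    for m in ADDRESS_RE.finditer(SAMPLE_BUFFER):
        cand = m.group().decode("ascii")
        print(f"{cand:36s} valid={decode_address(cand) is not None}")
    print("carved:", carve_addresses(SAMPLE_BUFFER))
```

Running the block shows three regex candidates of which only one survives the checksum, which is the filtering step that separates real wallet addresses from Base58-looking noise in unallocated space.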

Bitcoin - IEF

Here you can see addresses from a Bitcoin wallet, including labels (if applicable) and whether or not the address has been active. When you create a wallet, a number of addresses are automatically created and put in the “thread pool”.

Bitcoin - IEF

In this screenshot you can see queries on the Bitcoin P2P network. These may or may not relate to the local user’s activity.

Bitcoin - IEF

In the IEF Report Viewer, when viewing Bitcoin records, you can right-click on a record and then click “Query Bitcoin Block Chain” to look up more information on that transaction/address on the web.

Bitcoin - IEF

Above is an example of what you might see for a transaction or address. In this example, you can see the amount of Bitcoin (0.005), dates/times, and the recipient of the transfer.

As you can see, Bitcoin is a tough currency to track or investigate. However, knowing which addresses were in a suspect/victim’s Bitcoin wallet and details about transactions can help you piece the puzzle back together.

I hope you found this post useful and wish you luck in investigations involving these technologies.

Are there specific topics you’d like me to blog about? Please feel free to reach out to me directly at jad(at)magnetforensics(dot)com with any ideas you might have. I’m also always open to and appreciative of your feedback, good or bad, regarding our software and how we can make it better for you.

All the best,
Jad and the Magnet team

Bitcoin Forensics Part II: The Secret Web Strikes Back

In last week’s post, we talked about Bitcoin, Tor and some of the hidden websites only accessible via Tor, such as Silk Road, which was shut down by the FBI on October 1st.

Well, just over a month later and Silk Road is back online:

Bitcoin Forensics - Silk Road

You can reach the new site at this link (again, only via Tor) if you’d like to check it out: http://silkroad6ownowfk.onion

It only took a day and they already had over 20,000 users on the site:

Bitcoin Forensics - Silk Road

The new admin of the site? “Dread Pirate Roberts”. How’s that possible, he’s been arrested right? Those familiar with the movie “The Princess Bride” will get the joke here – the Dread Pirate Roberts was not one man, but rather a series of individuals who periodically pass the name and reputation on to a chosen successor.

Time will tell how long the new Silk Road lasts, but it’s clear that these secret websites and Tor aren’t going away anytime soon, and neither is the currency that drives these sites, Bitcoin.

We received a lot of positive feedback on the last Bitcoin post and some suggestions for follow-up posts. One of the themes was around identifying Bitcoin wallets, especially on a USB flash drive or other removable media.

First, let’s take a look at the Bitcoin wallet software out there:

Bitcoin Forensics - Wallets

As you can see, there are a few different options. This time I’ll focus on the Bitcoin-Qt client, the standard full Bitcoin client that forms the backbone of the network.

If you’re examining an image with the Bitcoin-Qt client present you’ll see a folder structure and files under the Users\[username]\AppData\Roaming\Bitcoin folder similar to this:

Bitcoin Forensics - Files

Note the “wallet.dat” file and “debug.log”. The wallet.dat file is (you guessed it!) the file containing the wallet data for the user. The debug.log file contains (you guessed it again) debugging information, including communication on the Bitcoin P2P network, with timestamps in some cases.

The wallet.dat file is easy to identify by filename, but backups of the wallet can be made and can be called whatever the user chooses. If you are examining removable media or other locations where you suspect you are dealing with a Bitcoin wallet file (from the Bitcoin-Qt client), you can check a couple of bytes at offset 0x12 for the string “b1”, which may identify the file as a Bitcoin wallet:

Bitcoin Forensics - Wallet Identification

Another easy check is to export the file and rename it to “wallet.dat”. Run IEF on that file by using the “Files/Folders” button on the main screen and then unchecking all the artifacts except for the Bitcoin artifact on the artifact selection screen. Here is a sample of what you’d see recovered from the wallet by IEF:

Bitcoin Forensics - Internet Evidence Finder

I hope this answers some of the questions you may have had after my last post on Bitcoin forensics.

We’ll do our best to continue bringing you interesting topics in future posts, and as always, I’m eager to hear your suggestions for what you’d like to see in future blog posts. Please feel free to email suggestions, feature requests, and feedback on IEF to jad(at)magnetforensics(dot)com.

Have a great week!
Jad and the Magnet team

Deloitte names Magnet Forensics as one of Canada’s Companies-to-Watch in the 2013 Deloitte Technology Fast 50 Awards

Magnet Forensics, the global leader in the development of digital forensic software for the recovery and analysis of Internet evidence from computers, smartphones and tablets, today announced they have won a Companies-to-Watch Award, as part of the annual Deloitte Technology Fast 50™ Awards for its innovative technology, management expertise and early stage growth.

Deloitte - technology fast 50 companies-to-watch

The Companies-to-Watch Award honours early-stage Canadian technology companies in business for less than five years. These companies exemplify many of the winning characteristics of Deloitte Technology Fast 50 ranked companies, which are judged based on the potential they show for future growth.

“Companies-to-Watch are outstanding businesses that show high growth potential,” said Richard Lee, Deloitte’s National Managing Partner, Technology, Media & Telecommunications. “Companies-to-watch winners often rank in the Deloitte Technology Fast 50 once they have a five-year track record. They are the future technology leaders of Canada.”

Magnet Forensics’ CEO, Adam Belsher, credits the company’s early stage success to a talented team focused on delivering an innovative digital forensics solution—Internet Evidence Finder (IEF)—that enhances the investigative capabilities of public and private sector customers.

“We are honoured to be named one of Deloitte’s Companies-to-Watch,” said Magnet Forensics’ CEO, Adam Belsher, “This award recognizes the hard work and dedication of our team. We’re thankful for the success we’ve achieved, and we’re incredibly proud to be contributing to the important work done by our customers who use our solutions to fight crime, enhance public safety, protect companies from fraud and theft, and ensure workplace safety and respect for their employees.”

To qualify for the Companies-to-Watch Award, candidates must have been operating less than five years. They must also be headquartered in Canada and devote a significant portion of their operating revenues to creating proprietary technology and/or intellectual property.

About the Deloitte Technology Fast 50 - The Deloitte Technology Fast 50 program is Canada’s pre-eminent technology awards program. Celebrating business growth, innovation and entrepreneurship, the program features four distinct categories: the Technology Fast 50 Ranking, the Companies-to-Watch Awards (early-stage Canadian tech companies in business less than five years, with the potential to be a future Deloitte Technology Fast 50 candidate), the Leadership Awards (companies that demonstrate technological leadership and innovation within the industry) and the Deloitte Technology Green 15™ Awards (Canada’s leading GreenTech companies that promote a more efficient use and re-use of the earth’s resources in industrial production and consumption). Program sponsors include Deloitte, Bennett Jones and OMERS Ventures. For further information, visit www.fast50.ca.

Decrypting More Dropbox Files: config.dbx

Back in March of this year we released a free tool to decrypt the Dropbox filecache.dbx file which stores information about the files in a user’s Dropbox repository (for more details read the blog post, and the Part 2 post).

Paul Henry (Website: http://www.vnetsecurity.com, twitter: @phenrycissp) is a SANS instructor and the lead author and teacher of the FOR559 course, Cloud Forensics & Incident Response. In one of our discussions Paul mentioned the potential value of the config.dbx file, so we started looking into the possibility of decrypting that file as well.

I’m pleased to announce that we’ve now updated the free Dropbox Decryptor tool to also decrypt the config.dbx file. I’ll detail how to use the new tool further down in this post, but first, since you may be wondering what’s in the config.dbx file, especially since it’s encrypted, let’s look at the information you can find in it.

The config.dbx file (after being decrypted :-) ) is a simple SQLite file, like the filecache.dbx file. It contains a number of records, but the most interesting data includes: the registered email address of the Dropbox user (needed when requesting data from Dropbox through a legal request), a list of recently changed files, the Host ID (some kind of host signature), and local path to the user’s Dropbox folder.

Below is a screenshot showing some sample data from a decrypted config.dbx file:

Dropbox Decryptor - config.dbx

As you can see, the user’s email address is under the (well named :-) ) “email” column, the Dropbox folder is listed under “dropbox_path”, and the Host ID is in the “host_id” column.

The recently changed files data (“recently_changed3” column) is a bit tougher to view. To see the contents of that cell we need to double-click it and open up the window below:

Dropbox Decryptor - config.dbx

In the expanded cell view we can see a list of recently changed/modified files, prefixed with the Dropbox database/user ID (207727442 in this case) and surrounded by other metadata characters (meaning unknown at this time). There are no timestamps in this set of data, but you can get that from the filecache.dbx file.

As you can see, there are interesting pieces of information in the config.dbx file, especially the registered email address of the Dropbox user, which is vital to have when investigating Dropbox cases. There are other .dbx Dropbox files (photo.dbx, notifications.dbx, etc) which also contain potentially useful information, which we’ll cover another time. The new version of the Dropbox Decryptor tool (v1.2) will decrypt all of these .dbx files.
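The triage pass described above, written out as an added Python example (this is not the Dropbox Decryptor’s code or anything from Magnet Forensics). It opens a decrypted config.dbx as SQLite, discovers the table that carries the email, dropbox_path, host_id and recently_changed3 columns from sqlite_master instead of assuming a table name, and then pulls the numeric user ID prefix and the file paths out of the recently_changed3 cell. The in-memory sample database, its table name “config”, and the byte layout of the recently_changed3 blob (a digit run, a slash, a printable path, then metadata bytes) are constructed assumptions for the example; the post itself says the surrounding metadata characters have no known meaning yet.

```python
import re
import sqlite3

# Column names the post identifies in a decrypted config.dbx.
FIELDS_OF_INTEREST = ("email", "dropbox_path", "host_id", "recently_changed3")

# Heuristic (assumption for this example): each entry in recently_changed3 looks
# like "<numeric user id>/<relative path>" followed by non-printable metadata bytes.
ENTRY_RE = re.compile(rb"(\d{6,})/([\x20-\x7e]+)")


def build_sample_db():
    """Constructed in-memory stand-in for a decrypted config.dbx.

    The table name 'config' and the blob layout are assumptions made for this
    example, not Dropbox's documented format."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE config (email TEXT, dropbox_path TEXT, "
        "host_id TEXT, recently_changed3 BLOB)"
    )
    blob = (
        b"\x80\x02" + b"207727442/Photos/trip.jpg" + b"\x00\x01"
        + b"207727442/Docs/notes.txt" + b"\x00"
    )
    con.execute(
        "INSERT INTO config VALUES (?, ?, ?, ?)",
        ("user@example.com", r"C:\Users\user\Dropbox",
         "0123456789abcdef (constructed host id)", blob),
    )
    con.commit()
    return con


def find_fields(con, fields=FIELDS_OF_INTEREST):
    """Locate the columns of interest in whatever table holds them.

    The table name is read from sqlite_master rather than hard-coded, so the
    lookup keeps working if the table is renamed in a later client version."""
    found = {}
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        wanted = [c for c in columns if c in fields]
        if not wanted:
            continue
        cols = ", ".join(f'"{c}"' for c in wanted)
        row = con.execute(f'SELECT {cols} FROM "{table}" LIMIT 1').fetchone()
        if row is not None:
            found.update(zip(wanted, row))
    return found


def parse_recently_changed(blob):
    """Return (user_id, [paths]) recovered from the recently_changed3 cell."""
    if isinstance(blob, str):
        blob = blob.encode("utf-8", "replace")
    user_id, paths = None, []
    for uid, path in ENTRY_RE.findall(blob or b""):
        user_id = user_id or uid.decode()
        p = path.decode()
        if p not in paths:
            paths.append(p)
    return user_id, paths


if __name__ == "__main__":
    con = build_sample_db()  # for a real case: sqlite3.connect("<decrypted config.dbx>")
    info = find_fields(con)
    for name in ("email", "dropbox_path", "host_id"):
        print(f"{name}: {info.get(name)}")
    uid, paths = parse_recently_changed(info.get("recently_changed3"))
    print("user id:", uid)
    for p in paths:
        print("recently changed:", p)
```

Because the blob layout is a guess, treat the path list as a lead to confirm against filecache.dbx (which carries the timestamps) rather than as a finding on its own.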

Using the new Dropbox Decryptor tool is easy; you use it the same as before, but you can now point it at the config.dbx file as well as the filecache.dbx file (see below for a sample screenshot).

Dropbox Decryptor - config.dbx

The rest of the required files/information is unchanged from before, and only files from XP and Vista systems are supported.

We have recently been able to do offline decryption of Dropbox files from Windows 7 machines successfully, however, and this support will be added to IEF in the next release. (Dropbox decryption on live Windows XP to Windows 8 operating systems is currently available via IEF Triage.)

We also hope to have decryption for Dropbox files on Linux/Mac operating systems in the future as well.

To download the new Dropbox Decryptor, click here.

If you have an older version of the tool already installed, you can just install this on top of the old install. Customers can log in to the Customer Portal to download the new version to avoid filling out the form.

As always, if you have any questions, suggestions for our software or blog post topics, feel free to reach out to me at jad(at)magnetforensics(dot)com.

Have a great week!
Jad and the Magnet team

The IEF Files – November 2013


At Magnet Forensics our goal is to develop the best possible digital forensics tools. One of the ways we do this is by talking to our customers—we get your feedback, hear stories about how you use our software and learn about your ideas to make our products even better. Through this process we have gained valuable insight on how we can improve IEF; but we have also noticed some commonly asked questions.

To address these questions we are starting a new blog feature called “The IEF Files”. In this blog our rockstar technical support specialist, Matthew Chang, will answer some of your most commonly asked questions, and will share IEF best practices we’ve learned from you and your peers.

We want to hear your questions and stories about how you use IEF, so please submit them to, and we will share and answer your questions and stories once a month.

Q: What does it mean when the Last Visited Date/Time field record says “(local) (timezone not converted)” after the time and date?

A: When you first load a case, the IEF Report Viewer will determine if a time zone has been associated with that case. If a time zone has already been set for that case it will be used by default. If the case does not have a time zone associated with it, the IEF Report Viewer will use the global time zone settings, if any. If there are no global settings saved then the IEF Report Viewer will default to UTC/GMT.

The time zone you are using is displayed in the “Date/Time” headers.


IEF date/time headers

Sometimes an artifact’s record is displayed with “(local) (not timezone converted)” in line with the date and time:


IEF artifact record displayed with (local) (not timezone converted) in line with the date and time

This means that IEF has not converted the time zone of that record and it is being displayed with the date/time stamp that was stored in the local time of the machine where the evidence was acquired. IEF determined it was not encoded using the standard UTC system, and because we don’t know the original time zone of that machine, we can’t apply any conversions. As a result, we label the time as “(local) (not timezone converted)”.
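To make the distinction concrete, here is an added Python example (not IEF code) of the two kinds of timestamp the answer describes: a value whose encoding is UTC by definition (a Windows FILETIME, as one example of a “standard UTC system”) is converted to the display zone, while a naive value recorded in the acquired machine’s local time, whose origin zone is unknown, is displayed unchanged with the “(local) (not timezone converted)” marker. The precedence of case zone, then global zone, then UTC follows the answer; the record names, the fixed EST offset and the sample values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

UNCONVERTED = "(local) (not timezone converted)"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def resolve_display_zone(case_tz=None, global_tz=None):
    """Precedence from the answer: case setting, then global setting, then UTC."""
    return case_tz or global_tz or timezone.utc


def utc_to_filetime(dt):
    """Encode an aware datetime as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
    Integer arithmetic is used on purpose: a float would lose ticks at this magnitude."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_utc(ft):
    """Decode a FILETIME into an aware UTC datetime; the encoding is UTC by definition."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def format_timestamp(ts, display_zone):
    """Aware values are converted to the display zone. Naive values were stored in the
    acquired machine's local time and its zone is unknown, so they are shown as-is and labelled."""
    if ts.tzinfo is None:
        return ts.strftime("%Y-%m-%d %H:%M:%S") + " " + UNCONVERTED
    return ts.astimezone(display_zone).strftime("%Y-%m-%d %H:%M:%S %Z")


def render_records(records, display_zone):
    """records: list of (artifact name, datetime) pairs; returns (name, display text) pairs."""
    return [(name, format_timestamp(ts, display_zone)) for name, ts in records]


def demo():
    """Constructed sample: one FILETIME-encoded record and one naive local-time record,
    rendered with a global zone of fixed-offset EST and no case-level zone set."""
    utc_visit = filetime_to_utc(
        utc_to_filetime(datetime(2013, 11, 15, 14, 30, tzinfo=timezone.utc)))
    local_visit = datetime.strptime("2013-11-15 09:30:00", "%Y-%m-%d %H:%M:%S")  # naive
    zone = resolve_display_zone(None, timezone(timedelta(hours=-5), "EST"))
    return render_records([("IE history", utc_visit), ("App log", local_visit)], zone)


if __name__ == "__main__":
    for name, text in demo():
        print(f"{name}: {text}")
```

The two sample records print the same wall-clock time, which is exactly the trap the label guards against: without the marker an examiner could not tell that only the first one has actually been normalised to the display zone.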

Q: I want to use my computer while IEF is running, but it maxes out my CPU resources during a search. Can I do both?

A: Yes you can. IEF will detect the number of data processors you have on your system and then give you the ability to configure how many it uses during a search—allowing you to work while it does.

From the toolbar, go to Tools->Data Processor Settings. A pop-up window will appear where you can choose the maximum number of cores you want IEF to use during the search.


IEF - choose the maximum number of cores you want IEF to use during a search

Q: I noticed a [+] sign on some of the artifacts on the Artifact Selection Screen, what is that?

A: The [+] sign indicates that the artifact has multiple “sub-artifacts” or search options available. Examples include Yahoo! Messenger, Facebook, Internet Explorer, Limewire/Frostwire, and more. Some examples are described below.


Example of IEF artifacts with multiple sub-artifacts

Yahoo Messenger

  • Search for Yahoo! Messenger usernames on evidence through the “Options” button
  • Please ensure that you have selected the image/drive which is to be searched from the Dropdown menu before clicking Find Yahoo! Usernames
  • Specify a date range to help reduce false positive hits
  • False Hit Filtering: IEF uses many validation procedures to remove false positive hits when recovering Yahoo! Messenger chat logs. In testing recovered data, IEF can be set to different levels of validation, from very strict (more messages filtered out), to least strict (more messages included in report). By default this is set to Medium Strictness

Pictures

  • Turn on/off skin tone detection
  • Specify saved picture size (use original size or resize it to a max width/height of your choice)

Dropbox

  • Enter the user’s Windows login password(s), required to decrypt filecache.dbx.
  • Please note: Dropbox decryption is only available on drives/images which had Windows XP installed and in use.

Webinar: Geolocation Artifacts and Timeline Analysis in Digital Forensics


In this webinar, Jad Saliba, Founder and CTO of Magnet Forensics, will take you through a fictional case study involving child luring that leads to murder. You will discover how digital forensics, geolocation artifacts and timeline analysis in particular, can be critical in solving cases like these and where you can look to find the artifacts. The data analyzed will include a PC image and a mobile device image, showing how both sources of evidence can provide valuable insight into what happened, where to start a search for a missing person, and the corroborating evidence to support criminal charges.

If you have any questions after watching the webinar, please send them to webinar@magnetforensics.com and we will respond as soon as possible.
If you haven’t tried IEF, we encourage you to try the fully-functional 30-day free trial on your own cases. Please go to www.magnetforensics.com/trial to download the trial.

Geolocation Artifacts and Timeline Analysis in Digital Forensics – Follow Up Questions


Last week we hosted a webinar, “Using Geolocation Artifacts and Timeline Analysis to Solve the Case: A Digital Forensics Case Study”, where we presented a fictional case study and looked at the resulting artifacts from a PC and an Android phone. Thank you to everyone who joined us and for all the great questions asked! This blog post features some of the questions that were asked, including one that we didn’t have time to answer during the webinar.

Without any further ado, here are the questions and answers:

Q: “If using a VPN can you still get Internet history information?”
A: Yes, even when using a VPN the web browser will save history records (on a PC or mobile device) unless the browser settings have been set so that saving browsing history has been specifically turned off. Even in those cases, traces of web browser usage/URLs can be found, as we’ve detailed in previous blog posts.


Q: “With Google now using HTTPS for all search results, will this change the data stored in the Android browser2.db file?”
A: No, the data stored in the web browser history file, browser2.db, will not change. The use of HTTPS for search results just means that the content of the search results that Google serves up will be encrypted for anyone capturing packets on the wire/wirelessly. It doesn’t change how the URLs are formed, so they will continue to contain the search terms unless Google starts to encode the URLs in some way. Additionally, the web page title data stored in the browser2.db SQLite file provides an indication of what the search terms were as well (e.g. “who is buddy the elf – Google Search”).


Q: “Is there a way to ensure the collected messages were not spoofed? (my understanding is that with a rooted phone, one could hypothetically plant any data in the DB)”
A: That is correct, with a rooted or jailbroken phone, the user can access the databases behind various 3rd party applications (or native apps) and could potentially change the data in the databases for nefarious reasons. There are a number of ways to detect this activity. If you only have the single device to work with, you can check the last modified time of the database and compare that with timestamps in records within the database to see if there are any obvious discrepancies. Within the database, you can find inconsistencies that would point to tampering of the data. For example, for the Google searches in our case study, there are timestamps stored in the URLs along with the timestamps stored by the browser for each record. If someone only changed the timestamp for the record but didn’t realize there was a timestamp in the URL data itself, they may miss that and therefore leave a clue behind. Finally, if you have both devices, you’re in a good spot since you can cross-validate data between the two devices. While you can tamper with the data on your own device, you can’t tamper with the remote data (unless you’re somehow able to remotely get root access to that device as well, in which case all bets are off).
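The consistency checks from the last two answers, written out as an added Python example (not IEF code or anything from the webinar). For each browser history record it compares the timestamp stored by the browser with the timestamp carried inside the Google search URL, flags records whose stored time is later than the database file’s last-modified time, and cross-checks the search terms in the URL’s q parameter against the page title (the “… - Google Search” form the HTTPS answer mentions). The ei parameter layout assumed here (a little-endian 32-bit Unix time in the first four base64url-decoded bytes) is the widely documented one and is an assumption of this example, which is why the sample values are generated by the block’s own encode_ei helper; the records, visit times and the database mtime are all constructed.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse

TITLE_SUFFIX = " - Google Search"   # title form assumed for the constructed sample


def encode_ei(epoch_seconds):
    """Constructed helper producing an 'ei'-style value: little-endian Unix time in the
    first four bytes, then filler (layout assumed for this example)."""
    raw = struct.pack("<I", epoch_seconds) + b"\x00" * 6
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_ei(ei):
    """Recover the Unix time from the first four bytes of a base64url 'ei' value."""
    raw = base64.urlsafe_b64decode(ei + "=" * (-len(ei) % 4))
    return struct.unpack("<I", raw[:4])[0] if len(raw) >= 4 else None


def url_timestamp(url):
    ei = parse_qs(urlparse(url).query).get("ei")
    return decode_ei(ei[0]) if ei else None


def url_search_terms(url):
    q = parse_qs(urlparse(url).query).get("q")
    return q[0] if q else None


def title_search_terms(title):
    return title[:-len(TITLE_SUFFIX)] if title and title.endswith(TITLE_SUFFIX) else None


def check_record(rec, db_mtime, tolerance=600):
    """Return a list of inconsistency descriptions for one history record (empty if none).
    tolerance: seconds the URL time may lag the stored visit time before it is flagged."""
    findings = []
    ts_url = url_timestamp(rec["url"])
    if ts_url is not None and abs(rec["visit_time"] - ts_url) > tolerance:
        findings.append(
            f"URL timestamp {ts_url} disagrees with stored visit time {rec['visit_time']}")
    if rec["visit_time"] > db_mtime:
        findings.append("stored visit time is later than the database file's last modification")
    q_url, q_title = url_search_terms(rec["url"]), title_search_terms(rec.get("title"))
    if q_url and q_title and q_url != q_title:
        findings.append(f"search terms in URL ({q_url!r}) differ from page title ({q_title!r})")
    return findings


def analyze(records, db_mtime):
    """Check every record; the result list is aligned with the input records."""
    return [check_record(r, db_mtime) for r in records]


# Constructed sample: three history rows and the database file's mtime, all epoch seconds.
SAMPLE_DB_MTIME = 1384000000
SAMPLE_RECORDS = [
    {"url": "https://www.google.com/search?q=who+is+buddy+the+elf&ei=" + encode_ei(1383868800),
     "title": "who is buddy the elf - Google Search", "visit_time": 1383868900},
    # stored visit time moved back by several days, URL timestamp left untouched
    {"url": "https://www.google.com/search?q=where+to+buy+a+shovel&ei=" + encode_ei(1383900000),
     "title": "where to buy a shovel - Google Search", "visit_time": 1383600000},
    # stored visit time later than the database file was last written
    {"url": "https://www.google.com/search?q=bus+schedule&ei=" + encode_ei(1384500000),
     "title": "bus schedule - Google Search", "visit_time": 1384500000},
]

if __name__ == "__main__":
    for rec, findings in zip(SAMPLE_RECORDS, analyze(SAMPLE_RECORDS, SAMPLE_DB_MTIME)):
        print(rec["title"], "->", findings or ["no inconsistency found"])
```

A flagged record is a lead, not proof: clock drift, a restored backup or a time-zone mix-up can also produce a mismatch, which is why the answer recommends cross-validating against the second device when it is available.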


Q: “If a fake Facebook page is created and later on removed how can you determine the identity of the person who made the page?”
A: If you have a device that accessed the page while it still existed, you may be able to find artifacts that identify the page. For example, you might be able to find the username or user ID for the profile page, or a group ID, or a URL for the page that was accessed while the page still existed. Once you have one or more of these items, you can request more data from Facebook directly by submitting a request in accordance with their legal process guidelines.

(Please note: Some of the above questions may have been edited for brevity or clarity.)

Again, I’d like to thank everyone who attended the webinar or watched the recording. We hope you found it valuable and look forward to producing more informative webinars. If you have any suggestions for future webinars, please don’t hesitate to contact us with your ideas. You can always reach me by email with any questions, suggestions, or requests at jad(at)magnetforensics(dot)com.

All the best,
Jad and the Magnet Team


The IEF Files – December 2013


Welcome back to the IEF Files! In our second edition we have more commonly asked IEF questions to share with you and one general question based on Snapchat.

Our technical support specialist, Matthew Chang, is eager to hear and answer more of your questions and stories about how you use IEF, so please submit them to, and we will answer and share them in January. Have a safe and happy holiday season.

Q: Can I do an advanced search with key words for all fields in an entire case?

A: Yes you can. Not only can you search the entire IEF case, but you can search using one or multiple keywords. There are three places you can start a search:


Internet Evidence Finder - Search using one or multiple keywords

To run an advanced search across the entire case, including all fields/columns, click on the “Search” button on the bottom menu of the Report Viewer window, choose Tools>Search from the Tools menu, or use the shortcut “Ctrl+F”, then enter one keyword (GREP expressions can be used by checking the GREP checkbox). Multiple keyword lists can also be entered, imported, and saved.

You can also preset keyword lists. The search results are displayed in a new window and can be saved so you can view them again at a later time by going to Search>View Last Search Results.


Internet Evidence Finder - running an advanced search

Q: Can I filter all the artifact results based on a date/time range?

A: Yes, recovered results can be filtered based on date and time. To filter, click on the “Filter” button on the bottom menu of the Report Viewer window, or from the Tools menu select Tools>Filter Results. Click on the “Run Global Date/Time Filter” and select your date/time range using the drop-down calendar.

Filtering allows you to create specific conditions that need to be matched in order for recovered artifacts to be displayed. This includes dates/times as well as all other columns, which you can add by clicking “Add Filter” and selecting from the drop-down menu. You can choose whether all conditions must be met or any single condition is enough with the “Match All” or “Match Any” buttons.

The filter results are displayed in a new window and are saved so you can view them again at a later time by opening the filter dialog box and clicking “View Last Filter Results”.


Internet Evidence Finder - Search using one or multiple keywords

Q: How is Snapchat stored, is it in a SQLite database?

A: Unfortunately it is not. Sometimes the “snaps” can be found if they haven’t timed out and been deleted; once they have been, you need to carve for them, and you won’t be able to tie the recovered photos/videos back to Snapchat since they are in unallocated space.

Android Snapchat does store some metadata in an XML file that provides info on the snaps that were sent/received, the usernames, timestamps, and other metadata like if a screen shot was taken of the picture, etc. IEF can recover data from this file and/or carve it from unallocated space.

Webmail Forensics – Digging deeper into the browser


Almost everyone who uses the Internet has a web-based email account. Many people have two or more, so the likelihood of a forensic investigator coming across a case involving webmail communication is very high. While law enforcement examiners can ask service providers for the email contents through a court order, corporate and non-government examiners have to rely on what evidence is left on the computer or mobile device.

The three largest webmail providers are Google’s Gmail, Microsoft’s Hotmail/Outlook.com, and Yahoo Mail. Together they account for well over one billion users. Each provider offers some unique features but they’re generally all quite similar in implementation from a forensics standpoint. In Part One of this blog we will discuss how webmail artifacts are stored and investigated on a PC or laptop, while Part Two will dig deeper into mobile devices and the applications that support webmail.

Browsers

On a PC, most webmail activity is conducted through the browser so it’s no surprise that the majority of your evidence will consist of browser artifacts. Depending on the browser used, the data will be stored differently but typically the cache, history, and cookies are your best sources of evidence. History and cookies will provide dates, times, and sites visited but the data of real evidentiary value is found in the cache. The cache stores web page components to the local disk to speed up future visits. Many emails read by the suspect are found in the cache folders and those locations vary depending on the operating system and browser used.

Internet Explorer

Since Internet Explorer (IE) is installed by default on most Windows installations, it’s likely the most commonly used and should always be searched when looking for webmail—or any browsing artifacts for that matter. Depending on the version of Windows and IE installed, the evidence will be stored in different locations. The locations are listed below:

  • WinXP – %root%/Documents and Settings/%userprofile%/Local Settings/Temporary Internet Files/Content.IE5
  • Win Vista/7 – %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5
  • Win Vista/7 – %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5
  • Win8/IE10 – %root%/Users/%userprofile%/AppData/Local/Microsoft/Windows/History

Note: Internet Explorer 10 is available on Windows 7 as well. If IE9 was installed and then upgraded to IE10, there will be two sources of evidence (the index.dat file from IE9 and the database within the webcache folder for IE10).

Mozilla Firefox

Firefox is a very popular browser and also stores its cache data in various locations based on the operating system installed. It’s installed as the default browser on many Linux distributions and is available for MacOS-X as well.

  • WinXP – %root%/Documents and Settings/%userprofile%/Local Settings/Application Data/Mozilla/Firefox/Profiles/*.default/Cache
  • Win7/8 – %root%/Users/%userprofile%/AppData/Local/Mozilla/Firefox/Profiles/*.default/Cache
  • Linux – /home/%userprofile%/.mozilla/firefox/$PROFILE.default/Cache
  • MacOS-X – /Users/%userprofile%/Library/Caches/Firefox/Profiles/$PROFILE.default/Cache/

Google Chrome

Google Chrome is also one of the top 3 browsers used today. It is available for Windows, Linux, and MacOS-X. Google also makes the open-source Chromium project available to Linux users; it runs very similarly to the regular Chrome package, with some minor differences (see note i below).

  • WinXP – %root%/Documents and Settings/%userprofile%/Local Settings/Application Data/Google/Chrome/User Data/Default/Cache
  • Win7/8 – %root%/Users/%userprofile%/AppData/Local/Google/Chrome/User Data/Default/Cache
  • Linux – /home/%userprofile%/.config/google-chrome/Default/Application Cache/Cache/
  • MacOS-X – /Users/%userprofile%/Caches/Google/Chrome/Default/Cache/
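The three location lists above, turned into an added Python triage script (this is not IEF code). Given a mounted image root and a profile directory name it builds every candidate cache path from the post’s lists (with the Firefox profile name treated as a wildcard) and reports the ones that exist, so an examiner can see at a glance which browsers and Windows/Linux/Mac layouts are present before parsing anything. The paths are copied from the lists as written; the temporary sample tree built by demo(), the user name “jdoe” and the profile name “a1b2c3d4.default” are constructed for the example.

```python
import glob
import os
import tempfile

# Cache locations as listed in the post, relative to the mounted image root (%root%).
# "{user}" stands for %userprofile%; "*" replaces the Firefox profile prefix ($PROFILE).
CACHE_LOCATIONS = [
    ("Internet Explorer", "WinXP",
     "Documents and Settings/{user}/Local Settings/Temporary Internet Files/Content.IE5"),
    ("Internet Explorer", "Win Vista/7",
     "Users/{user}/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5"),
    ("Internet Explorer", "Win Vista/7",
     "Users/{user}/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5"),
    ("Internet Explorer", "Win8/IE10",
     "Users/{user}/AppData/Local/Microsoft/Windows/History"),
    ("Mozilla Firefox", "WinXP",
     "Documents and Settings/{user}/Local Settings/Application Data/Mozilla/Firefox/Profiles/*.default/Cache"),
    ("Mozilla Firefox", "Win7/8",
     "Users/{user}/AppData/Local/Mozilla/Firefox/Profiles/*.default/Cache"),
    ("Mozilla Firefox", "Linux",
     "home/{user}/.mozilla/firefox/*.default/Cache"),
    ("Mozilla Firefox", "MacOS-X",
     "Users/{user}/Library/Caches/Firefox/Profiles/*.default/Cache"),
    ("Google Chrome", "WinXP",
     "Documents and Settings/{user}/Local Settings/Application Data/Google/Chrome/User Data/Default/Cache"),
    ("Google Chrome", "Win7/8",
     "Users/{user}/AppData/Local/Google/Chrome/User Data/Default/Cache"),
    ("Google Chrome", "Linux",
     "home/{user}/.config/google-chrome/Default/Application Cache/Cache"),
    ("Google Chrome", "MacOS-X",
     "Users/{user}/Caches/Google/Chrome/Default/Cache"),
]


def candidate_patterns(root, user):
    """Expand every listed location for one image root and profile name."""
    return [(browser, platform, os.path.join(root, rel.format(user=user)))
            for browser, platform, rel in CACHE_LOCATIONS]


def find_cache_dirs(root, user):
    """Return (browser, platform, path) for every candidate directory that exists.
    glob handles the '*.default' profile wildcard; a plain path matches itself if present."""
    hits = []
    for browser, platform, pattern in candidate_patterns(root, user):
        for path in sorted(glob.glob(pattern)):
            if os.path.isdir(path):
                hits.append((browser, platform, path))
    return hits


def demo():
    """Constructed sample tree under a temp root: an XP IE cache and a Win7 Firefox profile."""
    root = tempfile.mkdtemp(prefix="image_root_")
    user = "jdoe"
    os.makedirs(os.path.join(root, "Documents and Settings", user, "Local Settings",
                             "Temporary Internet Files", "Content.IE5"))
    os.makedirs(os.path.join(root, "Users", user, "AppData", "Local", "Mozilla", "Firefox",
                             "Profiles", "a1b2c3d4.default", "Cache"))
    return find_cache_dirs(root, user)


if __name__ == "__main__":
    for browser, platform, path in demo():
        print(f"{browser} ({platform}): {path}")
```

Run it against a read-only mount of the image (for example find_cache_dirs("/mnt/evidence", "jdoe")); because it only tests for directory existence it never alters the evidence, and the memory, pagefile and shadow-copy sources mentioned below still need to be covered separately.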

While the other browsing artifacts will show evidence of visiting the site, the cache folders will show the actual contents of the page or message, which is significantly more important when dealing with webmail artifacts. One caveat to mention is that typically you won’t find a cached page of any messages sent (only read) by the suspect since the message is typed on screen and then sent by the user without actually viewing the message outside of the text box or script. The only time the sent messages are cached is when the suspect views the HTML message in the “Sent Messages” folder after sending.

It is important to note that these will not be the only places to search for webmail artifacts. System memory and pagefile.sys are sometimes the only place to find webmail artifacts such as Gmail, and volume shadow copies/restore points and hibernation files all contain valuable historical data that can be used in conjunction with the evidence found in the areas above.

While the cached pages can be manually parsed and viewed using traditional forensics tools, Internet Evidence Finder (IEF) will automatically pull the relevant browsing data from all the common browsers that a suspect might have used and sort it into specific categories based on the webmail service provider. They can then be viewed within the report viewer for quick and easy analysis.

Webmail

In the example below we have found Gmail fragments in memory at physical sector 248188 using EnCase. All the data is there, but because memory is typically examined with a sector-level search, it is not easily searched or organized.

Gmail fragments in memory

Once the image or drive is analyzed with IEF, Report Viewer will sort any evidence found by the service provider. IEF then automatically parses the sender/receiver details, the subject, and the date of the message into columns for fast sorting and then displays the contents of the message in the window below. With the same data we used in our EnCase example, IEF has analyzed the evidence and pulled all the relevant data into Report Viewer for easier searching.

Report Viewer

Review of the relevant artifacts reveals not only browser artifacts of the messages that were opened by the user; IEF also parses many of the emails that were never opened by the suspect and were simply displayed in the inbox or folder view of the webmail in the browser. Many times this type of information can be found in memory, pagefile.sys, or hiberfil.sys. Since the message in this example wasn’t opened by the user during the given browsing session, IEF is unable to show the contents of the message in this circumstance; however, it will give a better picture of what resided in the user’s inbox at the time of viewing.

Overall, webmail artifacts are an important part of many investigations. Either as a primary source of information or as corroborating evidence, webmail can be found in the browser artifacts or memory of most PCs or laptops.

Stay tuned for our follow-up blog on webmail artifacts on mobile devices and other applications.

Please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics

i For more detail on Chromium and its differences, see:
https://code.google.com/p/chromium/wiki/ChromiumBrowserVsGoogleChrome

Information session


University of Waterloo, DC 1304
January 28, 2014 from 11:30 AM – 1:30 PM
RSVP here

Recruitment event


McMaster University, Careport Center
January 23, 2014 from 10:00 AM – 4:00 PM

Recruitment event


Conestoga College, Recreation Center
January 22, 2014 from 10:00 AM – 1:00 PM
