
IEF Feature Focus – Rebuilding Webpages


One of the easy-to-use and valuable features of Internet Evidence Finder (IEF) is how the tool rebuilds web pages. IEF has the ability to reconstruct web pages from the browser history and cache as they were seen by the user. While viewing your case in Report Viewer, you might have noticed a category under “IEF Refined Results” called “Rebuilt Webpages”.

IEF Refined Results - Rebuilt Webpages

The Report Viewer is able to use the information gathered from a search to reconstruct web pages as they were viewed by the user using information on the image/hard drive. Any CSS information available will be used to format the page and display it for the examiner.

There are three methods to view the retrieved information:

  • Original – This is the data retrieved from a search without any attempts at reconstructing the web page
  • Rebuilt – When this option is selected, Report Viewer will attempt to reconstruct the web page as it was originally viewed by using files from the cache folder
  • Report – This option provides a report of what files are used when Report Viewer reconstructs a web page.

Here’s an example of Report Viewer displaying the original web page with no rebuilding:

IEF Report Viewer displaying the original web page

Here’s an example of the Report Viewer displaying the same page after it has been rebuilt:

Report Viewer displaying the same page after it has been rebuilt

Finally, here’s the Page Rebuild Report which can provide the investigator with details on how the Report Viewer rebuilt the given web page. This page will list the date/time the page was rebuilt and locations for all the relevant files used to rebuild the web page.

IEF Page Build Report

If the examination machine is connected to the Internet and the page contains embedded scripts or references to remote resources (images, stylesheets, scripts, frames), the browser component that renders the rebuilt page may fetch those resources from the live sites, so content that was never in the cache can appear in the rebuilt view. This is simply how a browser behaves when it is handed HTML; it also means the remote server sees a request originating from the examination machine. If you want to ensure that no additional data is pulled down into the rebuilt page, disconnect the examination machine from the Internet before rebuilding the web page. In any case, data pulled down from the Internet will not modify the evidence files in your IEF case. If it does happen, close the case, disconnect from the Internet, and reopen the case and the rebuilt web page.

IEF also gives you the option to execute any JavaScript found on the recovered web page; however, this feature is disabled by default to prevent any malicious scripts from running on the examination machine. To enable it, from the Report Viewer select “Edit” from the top left pull-down menu and check the “Enable HTML Scripts in Browser” option. Refresh the page and the scripts will be run.
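Before rebuilding a page with an online examination machine, it is worth knowing which resources the HTML would try to fetch. The script below is an added example for this page, not IEF code: it walks a recovered HTML file with Python's standard-library parser and lists every tag attribute that would make a browser issue a network request, separating cache-relative paths (which resolve locally) from absolute or protocol-relative URLs (which go to the live site). The sample HTML is constructed for illustration; the hostnames in it are placeholders.

```python
"""Inventory the external resources a recovered HTML page would fetch if rendered
online. Added example for this page, not IEF code; the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Tag attributes that make a browser issue a request when the page is rendered.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


def is_remote(url):
    """True for http(s) and protocol-relative URLs; cache-relative paths are local."""
    url = url.strip()
    if url.startswith("//"):
        return True
    return urlsplit(url).scheme in ("http", "https")


class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []         # (tag, url) pairs that would hit the network
        self.inline_scripts = 0  # <script> blocks without src (run only if enabled)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds "url descriptor, url descriptor, ..."
            candidates = [c.split()[0] for c in value.split(",") if c.strip()] \
                if name == "srcset" else [value]
            for url in candidates:
                if is_remote(url):
                    self.remote.append((tag, url))
        if tag == "script" and not attrs.get("src"):
            self.inline_scripts += 1
        if tag == "style":
            self._in_style = True
        # inline style="background:url(...)" also triggers a fetch
        for url in CSS_URL.findall(attrs.get("style") or ""):
            if is_remote(url):
                self.remote.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                if is_remote(url):
                    self.remote.append(("style", url))


def audit_page(html):
    """Return (remote resource list, inline script count) for a recovered page."""
    c = ResourceCollector()
    c.feed(html)
    c.close()
    return c.remote, c.inline_scripts


# Constructed sample standing in for a page pulled from a browser cache.
SAMPLE = """<html><head>
<link rel="stylesheet" href="style.css">
<style>body{background:url(https://cdn.example.test/bg.png)}</style>
<script src="//analytics.example.test/t.js"></script>
<script>document.title='x'</script>
</head><body>
<img src="cache/logo.png">
<img src="http://img.example.test/a.jpg">
<iframe src="https://ads.example.test/f"></iframe>
</body></html>"""

if __name__ == "__main__":
    remote, inline = audit_page(SAMPLE)
    print(f"{len(remote)} remote fetch(es), {inline} inline script block(s)")
    for tag, url in remote:
        print(f"  <{tag}> {url}")
```

Run it against the HTML saved from the “Original” view; anything it lists under a remote host is what an online rebuild would request, and the inline script count is what “Enable HTML Scripts in Browser” would execute.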

IEF - option to execute any JavaScript found on the recovered web page

You might have also noticed the option to “Enable Downloading Images from Web”. When checked, this feature will pull additional images for particular artifacts recovered, such as the Facebook profile image for a profile that was found on the machine (which is publicly available and can be pulled down without logging into Facebook). This option is not associated with rebuilding web pages and is disabled by default.

Rebuilding web pages in IEF is a unique feature which allows investigators to get a better understanding of what the suspect might have viewed when looking at the given website. As with any investigation, the examiner must use caution when analyzing any results, but with the right knowledge and understanding of how these features work, they can use these options to their advantage to complement their investigation and how it is reported to their stakeholders.

Please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics


Webmail Forensics Part II: Mobile Applications


Previously we discussed webmail artifacts and how they relate to traditional host-based forensic analysis and focused on how Internet Evidence Finder (IEF) analyzes the browser artifacts and provides the results in an easily sortable report, helping the investigator identify any relevant evidence.

But what about other sources of webmail evidence?

Forensic investigations have moved beyond just desktop PCs or laptops since most people now access email from their mobile devices as well. What started out as a tool for only the most serious business person has now spread to even the most casual consumer. IEF is able to analyze email found on the two most commonly used platforms, Android and iOS.

There are many forensic tools that specialize in mobile acquisitions. Cellebrite, XRY, and Oxygen are excellent resources to acquire the large variety of mobile devices and connectors. Much like previous versions of IEF, IEF Advanced focuses on the analysis of the acquired data and leaves the imaging to the other tools. Once the image is acquired, IEF will analyze all of the common outputs from the mobile acquisition tools (dd, raw, img, bin, 001, ima, vfd, flp, bif) as well as all the EnCase formats (E01, L01, Ex01, Lx01).

Focusing on the analysis allows IEF to specialize in the artifacts that are found within an image and produce the best results whether the evidence is found on a suspect’s PC or mobile device.

IEF can handle both physical and logical mobile images for iOS and Android, but a physical image is always preferable when possible in order to carve out deleted artifacts stored in unallocated space. If a logical image is acquired, unallocated space is not captured and therefore cannot be searched.

Android/iOS Mailbox, Gmail Application

Email is handled differently on a mobile device than webmail is on a traditional PC. On a PC, webmail is typically accessed through the browser, so most of the evidence is found in browser artifacts or memory. On mobile devices, however, there is typically a native mailbox application that holds all of a user’s email accounts, whether they are webmail or server based.

For iOS the native mailbox is stored in SQLite databases here:
/private/var/mobile/Library/Mail/Protected Index
/private/var/mobile/Library/Mail/Envelope Index

For Android it is also stored as a SQLite database here:
/data/data/com.google.android.email/databases/EmailProvider.db

IEF is able to parse and carve the native email clients for both iOS and Android devices by reading the SQLite database that stores the messages. For each message recovered from the native application, the sender/recipients, CC/BCC, date/time, subject, status, message content, and attachments are structured into the IEF Report Viewer.

IEF Report Viewer - retrieve native email clients for iOS and Android devices

Email can also be stored in a dedicated application if one exists, as is the case with Gmail.

Android Gmail
Many mobile devices have a dedicated mail application for Gmail or other popular webmail accounts. This provides users with enhanced features available to Gmail-based webmail that might not be available if the native mailbox is used.

The Gmail application is stored as a SQLite database for Android devices here:
/data/data/com.google.android.gm/databases/mailstore.%GmailUserID%@gmail.com.db
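The native and Gmail stores above are ordinary SQLite files, so the mechanics of pulling messages out of them (and of doing so without altering the evidence) can be shown directly. The script below is an added example, not IEF code. Its table layout is a trimmed-down stand-in for the Android EmailProvider.db Message/Body tables; the column names (`timeStamp`, `fromList`, `toList`, `ccList`, `bccList`, `flagRead`, `flagAttachment`, `textContent`) are assumptions modelled on that app rather than a published schema, and the database and its two messages are constructed in a temporary directory. The two points it demonstrates carry over to the iOS Envelope Index: open the file read-only through a URI so SQLite cannot create a journal or WAL beside the evidence, and hash the file before and after extraction to prove it was not modified.

```python
"""Extract messages from an Android EmailProvider-style SQLite database without
touching the evidence file. Added example, not IEF code. The schema below is a
simplified stand-in (column names are assumptions) and the data is constructed."""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def build_sample_db(path):
    """Constructed evidence: two messages in a trimmed-down EmailProvider layout."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE Message(_id INTEGER PRIMARY KEY, timeStamp INTEGER,
            subject TEXT, fromList TEXT, toList TEXT, ccList TEXT, bccList TEXT,
            flagRead INTEGER, flagAttachment INTEGER);
        CREATE TABLE Body(messageKey INTEGER, textContent TEXT);
        INSERT INTO Message VALUES(1, 1398182400000, 'Q2 numbers',
            'alice@example.test', 'bob@example.test', '', '', 1, 1);
        INSERT INTO Message VALUES(2, 1398186000000, 'Re: Q2 numbers',
            'bob@example.test', 'alice@example.test', 'carol@example.test', '', 0, 0);
        INSERT INTO Body VALUES(1, 'Attached as discussed.');
        INSERT INTO Body VALUES(2, 'Got it, thanks.');
    """)
    con.commit()
    con.close()


def sha256_file(path):
    """Hash the evidence file so we can prove it is byte-identical afterwards."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def open_readonly(path):
    """Open via URI in read-only mode; SQLite then refuses writes and creates no journal."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def extract_messages(path):
    """Return message dicts with timestamps normalised from ms-since-epoch to UTC."""
    con = open_readonly(path)
    con.row_factory = sqlite3.Row
    rows = con.execute("""
        SELECT m._id, m.timeStamp, m.subject, m.fromList, m.toList, m.ccList,
               m.bccList, m.flagRead, m.flagAttachment, b.textContent
        FROM Message m LEFT JOIN Body b ON b.messageKey = m._id
        ORDER BY m.timeStamp
    """).fetchall()
    con.close()
    out = []
    for r in rows:
        ts = datetime.fromtimestamp(r["timeStamp"] / 1000, tz=timezone.utc)
        out.append({
            "id": r["_id"],
            "utc": ts.strftime("%Y-%m-%d %H:%M:%S"),
            "from": r["fromList"], "to": r["toList"],
            "cc": r["ccList"], "bcc": r["bccList"],
            "subject": r["subject"],
            "read": bool(r["flagRead"]),
            "attachment": bool(r["flagAttachment"]),
            "body": r["textContent"],
        })
    return out


def process(path):
    """Extract, and report whether the evidence file is unchanged afterwards."""
    before = sha256_file(path)
    msgs = extract_messages(path)
    return msgs, before == sha256_file(path)


def run_demo():
    """Build the constructed database, extract from it, and check forensic soundness."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "EmailProvider.db")
        build_sample_db(db)
        msgs, unchanged = process(db)
        con = open_readonly(db)
        try:
            con.execute("DELETE FROM Message")   # must fail on a read-only handle
            write_refused = False
        except sqlite3.OperationalError:
            write_refused = True
        finally:
            con.close()
    return msgs, unchanged, write_refused


if __name__ == "__main__":
    msgs, unchanged, write_refused = run_demo()
    for m in msgs:
        print(m["utc"], m["from"], "->", m["to"], "|", m["subject"])
    print("evidence unchanged:", unchanged, "| writes refused:", write_refused)
```

On a real acquisition, point `extract_messages` at a copy of the database exported from the image, and keep the before/after hash comparison in your notes; it is the same property the DCCI validation checks for a tool (reading evidence without modifying it), applied to your own script.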

In addition, make sure to search the mobile browser activity for additional webmail that may have been accessed through the browser and wasn’t setup in either the native or custom mailbox application, such as the Gmail app.

Webmail has extended far beyond the traditional browser and your investigation should as well. With mobile applications storing messages from multiple webmail accounts in their own databases and new application artifacts being created regularly, it is difficult for an investigator to know where to look for all potential evidence, let alone have the time to search everywhere for each case. Tools such as IEF expedite that process greatly and help investigators understand the bigger picture when it comes to Internet evidence, and the number of applications that store such evidence only continues to grow.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics

Hash Analysis Demonstration in IEF v6.3 Video Tutorial


This video demonstrates how Internet Evidence Finder (IEF) v6.3 can now perform hash analysis for all the pictures in a case. Importing, exporting and categorization are all discussed, along with how hash analysis can improve your searches for known pictures.
New PhotoDNA technology by Microsoft is also included for all law enforcement customers who investigate child exploitation cases.

For all the details on the new features and artifacts in IEF v6.3 check out the product announcement.

New Mobile Chat Artifacts in IEF v6.3 Video Tutorial


This video demonstrates the new mobile chat artifacts supported in Internet Evidence Finder (IEF) Advanced v6.3. Support for AIM, BBM, LINE, Grindr, Growlr, Textplus, Touch, Viber, QQ Chat, and WeChat has been included for iOS and Android mobile devices. The video walks the user through many of the new artifacts and how IEF can help your mobile chat investigations.

For all the details on the new features and artifacts in IEF v6.3 check out the product announcement.

Analyzing the Kindle Fire with IEF v6.3 Video Tutorial


This video walks the user through a typical investigation involving Amazon’s Kindle Fire tablet, now supported in Internet Evidence Finder (IEF) Advanced v6.3. Additional artifacts including the Silk browser are discussed as well.

If you would like to view more information regarding support for this artifact, see our blog post, or for all the details on the new features and artifacts in IEF v6.3, check out the product announcement.

 

Using IEF v6.3 to Analyze Volume Shadow Copies Video Tutorial


New with version 6.3, Internet Evidence Finder (IEF) now supports native volume shadow copy mounting and analysis. In this video, we demonstrate what this means to your investigations and how to maximize the artifacts found in the images you’ve already acquired.

If you would like to view more information regarding support for this new feature, see our blog post, or for all the details on the new features and artifacts in IEF v6.3, check out the product announcement.

 

Using Hash Analysis to Identify and Categorize Pictures


Forensic investigators are well aware of how common hashing algorithms such as MD5 and SHA-1 help them confirm that their forensic image is an exact copy of the original disk or volume. This assists the investigator with the image’s admissibility into court and helps maintain the integrity of the evidence.

Hashing is also used as an investigative tool within the file system to help quickly identify certain known good or bad files. While metadata such as file names can be changed, any two files with identical content will produce the same hash value, and a file whose content differs by even a single byte will not. (Deliberately crafted MD5 collisions are practical, so a hash match identifies known content; it is not a defence against an adversary who wants two different files to match.) Hash lists can be imported into forensic tools such as EnCase or FTK and then compared with the files on a given system to identify any common matches. This is an excellent technique if the investigator is looking for specific malware, intellectual property, or, in child exploitation cases, illicit images.

Law enforcement agencies have been using hashing as an investigative technique for years. Hash databases of known illicit images recovered from cases are often built by agencies to help investigators quickly locate known child exploitation images. Applications/scripts such as C4All and NetClean Analyze assist with locating and categorizing/pre-categorizing (using known hashes) pictures found in a case. Investigators can categorize these illicit pictures into tiers of severity or as non-relevant, but it can be difficult to maintain and/or share these categorizations with other agencies. Project Vic is spearheaded by ICMEC and DHS and is an initiative to create a standardized, shared, central hash database that investigators can use to locate and/or categorize child exploitation images.

New in version 6.3, Internet Evidence Finder (IEF) can be used to hash all the images in a case allowing investigators to identify and categorize pictures which are known to be illicit. This new release allows hash sets to be imported into IEF to be used for identifying images and hashes of recovered pictures can be exported for use in other products. (Additionally, pictures can now be exported to a folder without needing to create a report and keeping filenames intact.)

Investigators can import their own custom hash sets or use sets obtained from other sources such as Project Vic to help speed up analysis of their evidence.

Hash Sets

Adding hash sets in 6.3 is simple: open the Tools menu and select Hash Sets. From here you can import multiple sets, either from Project Vic in XML format or any other set in line-separated text format (one hash per line). Each list can be assigned a category by the investigator to differentiate multiple categories of images.

Once the search is complete, results will be displayed in the IEF Report Viewer for analysis. Investigators can choose to filter based on the category of the hashes that were imported into IEF, allowing you to quickly view only images that have been categorized or of a specific category.

Hash Categories

Not only does IEF now calculate MD5 and SHA-1 hashes for all pictures in a case, it also incorporates new technology created by Microsoft to combat the spread of child pornography, PhotoDNA. Available for law enforcement customers, PhotoDNA is calculated much like a hash but instead of computing the value for the entire image, the photo is converted into black and white, and broken down into smaller sections. Those sections are then analyzed for gradients or edges identifying similarities between images that might not be exactly the same but share similar characteristics. This assists when comparing images of different sizes or alterations in colour. This technique is similar to how fuzzy hashing is able to distinguish similarities in other files or documents by tools such as ssdeep that wouldn’t otherwise match using traditional hashing algorithms. PhotoDNA is being implemented into all of Microsoft’s cloud technology (OneDrive, Hotmail, Bing) and is also being used by the National Center for Missing & Exploited Children (NCMEC). Facebook and Twitter have licensed the technology for their online services as well.
Go to www.magnetforensics.com/photodnaregistration to request access.
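The matching step behind the hash-set import is small enough to show end to end. The script below is an added example for this page, not IEF code: it parses line-separated hash set files of the kind IEF imports (one MD5 or SHA-1 hex digest per line), tags each set with a category, and classifies a handful of pictures. The pictures and hash set contents are constructed byte strings, and deriving the category from the file name is this example's convention, not IEF's. It also makes the limitation that motivates PhotoDNA concrete: a renamed copy still matches, but a copy altered by a single byte does not.

```python
"""Match recovered pictures against categorised hash sets (one hash per line) and
export their digests. Added example, not IEF code; all inputs are constructed."""
import hashlib

# Constructed picture contents (a real case hashes the full image file bytes).
PICTURES = {
    "IMG_0001.jpg": b"\xff\xd8\xff\xe0JFIF-sample-picture-A",
    "holiday.jpg":  b"\xff\xd8\xff\xe0JFIF-sample-picture-A",   # renamed copy of the first
    "IMG_0002.jpg": b"\xff\xd8\xff\xe0JFIF-sample-picture-B",
    "edited.jpg":   b"\xff\xd8\xff\xe0JFIF-sample-picture-B!",  # one byte appended
}


def md5(data):
    return hashlib.md5(data).hexdigest()


def sha1(data):
    return hashlib.sha1(data).hexdigest()


# Constructed hash set files: one hex digest per line, with the case and whitespace
# variations seen in real lists; '#' lines are comments. Category = file stem.
HASH_SET_FILES = {
    "category_1.txt": "# known set A\n" + md5(PICTURES["IMG_0001.jpg"]).upper() + "\n",
    "non_relevant.txt": sha1(PICTURES["IMG_0002.jpg"]) + " \n\n",
}


def load_hash_set(text, category):
    """Parse one-hash-per-line text into {hash: category}; MD5 and SHA-1 may be mixed."""
    out = {}
    for line in text.splitlines():
        h = line.strip().lower()
        if not h or h.startswith("#"):
            continue
        if len(h) not in (32, 40) or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not an MD5/SHA-1 hex digest: {line!r}")
        out[h] = category
    return out


def categorise(pictures, hash_sets):
    """Return {filename: category or None}, matching on either the MD5 or SHA-1."""
    lookup = {}
    for filename, text in hash_sets.items():
        lookup.update(load_hash_set(text, filename.rsplit(".", 1)[0]))
    return {name: lookup.get(md5(data)) or lookup.get(sha1(data))
            for name, data in pictures.items()}


def export_hashes(pictures):
    """CSV lines (filename,md5,sha1) suitable for importing into another tool."""
    lines = ["filename,md5,sha1"]
    for name, data in pictures.items():
        lines.append(f"{name},{md5(data)},{sha1(data)}")
    return lines


if __name__ == "__main__":
    for name, cat in categorise(PICTURES, HASH_SET_FILES).items():
        print(f"{name:14} {cat or '(uncategorised)'}")
    print("\n".join(export_hashes(PICTURES)))
```

The uncategorised result for the altered copy is the case an exact-match hash set cannot cover; a similarity hash such as PhotoDNA is what closes that gap.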

Hashing is a valuable forensic tool for investigators working with large datasets that need to be scaled down and with locating and pre-categorizing child exploitation images. With the addition of picture hashing, the ability to import hash sets and export picture hash values, we hope that these new features in version 6.3 of IEF will help investigators work more quickly and efficiently with their cases and most importantly, combat child exploitation.

To all those working in this extremely important but devastating field, we thank you for the work you do and will continue to do our best to assist you in your investigations through our software.

Please feel free to contact me with any questions/suggestions regarding these new features at jad(at)magnetforensics(dot)com.

All the best,
Jad and the Magnet Team

Techno Security & Forensics Investigations Conference


June 1-4, 2014
Myrtle Beach, SC

The Sixteenth Annual International Techno Security Conference will be held June 1-4 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort. This conference promises to be the international meeting place for IT Security professionals from around the world. The conference will feature some of the top speakers in the industry, and will raise international awareness towards increased education and ethics in IT security.

Read More


CEIC


May 19-22, 2014
Las Vegas, NV

It’s no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development. From sessions on acquiring evidence from mobile devices to international e-discovery to cyber security intelligence, there’s simply no other training or seminar series available that packs so much relevant and practical information from so many expert speakers into a single four-day period.

Read More

Forensics Europe Expo


April 29-30, 2014
Olympia, London

Forensics Europe Expo is the premier dedicated international forum for the entire forensics sector and supply chain, bringing together over 160 conference delegates with over 3000 attendees and 70+ international exhibiting companies. The event provides the entire forensics sector with the definitive source of education, best practice, training and networking that is critical for staying up to date about the latest innovative forensics products, services and practices.

Read More

IACIS


April 28-May 9, 2014
Orlando, FL

IACIS is a non-profit, volunteer organization wholly dedicated to training, certifying and providing membership services to computer forensic professionals around the world. IACIS provides a wide array of professional services and training for computer forensic practitioners and those aspiring to acquire certification in the discipline.

Read More

USA Cyber Crime Conference


April 28-30, 2014
Leesburg, VA

The U.S. Cyber Crime Conference is continuing the 12 year tradition of success established by the former DoD Cyber Crime Conference. To keep up with the global cyber threat, the conference is expanding its objective and direction to empower the civilian, defense, and government digital forensics communities (legal, IT, and Criminal Investigative) to team together in the battle against cyber crime.

Read More

US Defense Cyber Crime Institute (DCCI) validates IEF v6.2


DC3 / DCCI

We are pleased to announce that Internet Evidence Finder (IEF) v6.2 has been validated by the United States Defense Cyber Crime Institute (DCCI). DCCI is the research, development and evaluation arm that tests tools tailored to the specific requirements of digital forensic examiners and incident responders. DCCI is a part of the Department of Defense Cyber Crime Center (DC3).

Our customers are always interested in 3rd party reviews and examples of how IEF can be used in their digital investigations.

The DCCI report evaluated IEF on 42 different criteria to determine the circumstances under which computer crime investigating agents assigned to Defense Criminal Investigative Organizations (DCIOs) may employ IEF for digital forensic investigation and analysis.

Findings included:

  • IEF is forensically sound and does not modify evidence files upon reading them
  • IEF successfully produces the same results after being run against the same dataset multiple times
  • IEF successfully recovered data from a number of Internet related artifacts including: Hotmail, SkyDrive, Skype, Yahoo, AOL, Facebook, Gmail, Google Documents, Limewire, Dropbox, Twitter, Hushmail and more
  • IEF supports searching raw, E01, Ex01, vmware virtual disks, folders and more

Having IEF validated by the US DCCI is another big vote of confidence for our team. We are committed to incredibly high standards and pride ourselves on developing quality products that deliver accurate results. External validation helps confirm that we continue to be on the right track. We look forward to the US DCCI review of our latest, and most feature-packed release of IEF to date, IEF v6.3.

The DCCI report is available to U.S. federal, state, and local law enforcement agencies and to law enforcement officials from Australia, Canada, England, & New Zealand. To download the report, users can go to https://dfilink.net/.

Our thanks go out to the DCCI and DC3 folks for selecting IEF to go through this rigorous validation process.

We appreciate your support!
- Jad and the Magnet Team

IEF Feature Focus: Exporting and Reporting


While most forensic examiners spend the majority of their time analyzing the evidence from their case, one of the most important steps in the investigative process – reporting – is often rushed. Reporting your findings to stakeholders should never be overlooked because finding the “smoking gun” won’t matter if your audience doesn’t understand your results. Whether you’re reporting to a judge, jury, legal team, human resources, or management, your report should be tailored to your audience. Some will better understand a written report whereas others might prefer an oral presentation, or a combination of the two. Providing multiple options for reporting is essential in the digital forensics field since many of your stakeholders will not be very technical or have a forensics background.

Internet Evidence Finder (IEF) has multiple reporting and exporting options to help an investigator present their findings. By default, IEF organizes all of the artifacts found within the Report Viewer for further analysis by the investigator; once you have completed your examination by bookmarking, filtering, and searching the relevant artifacts, you have several options for providing the results to your stakeholders.

Create A Report

IEF creates an easy-to-read and navigate HTML report from any artifacts selected within the Report Viewer. It will include your organization’s logo in the top left corner and list all the artifacts along the left side, similar to how the Report Viewer is displayed.

IEF Final Report

To create a report in IEF, from the Report Viewer, select File then Create Report. You will be provided with options to choose what artifacts to include in your report and whether you want IEF to automatically thread all the chat messages together for each conversation.

Creating a report in IEF

Once your report is completed, you may share these findings with any stakeholders or colleagues. If the investigator wishes to report on just the artifacts they have bookmarked, they can open the Bookmarks Report after making their selection; this opens a new Report Viewer window populated with only the bookmarked items, from which they can create a report or export the evidence into a different format.

Exporting

If you would prefer to export your data in another format, either for use in a custom pre-built report used by your organization or to examine the data further outside of IEF with another application or tool, you have several options. IEF supports exporting all or a subset of artifacts in CSV, tab-separated, Excel, HTML, PDF, or XML format. New in version 6.3, IEF also supports exporting all pictures in a case while maintaining the original filenames so that they can be analyzed with additional forensic tools.

Exporting in IEF

Exporting data in the Report Viewer is very similar to creating a report but you have the choice of exporting all artifacts, some artifacts that have been bookmarked or filtered, or a single artifact if it is of evidentiary value.

Merging Cases

Sometimes an investigator might have run a search in IEF on two separate pieces of evidence from the same case and now have two IEF reports they wish to merge into one. The Report Viewer allows investigators to merge cases by going to “Import IEF Case” under the File options in the Report Viewer. You can then select which case you wish to merge with the one that is already open. IEF will merge the databases of the two cases into a new case file which can then be examined, exported, or reported as previously discussed.

 

File options in IEF

Portable Cases

Another exporting option for investigators is to create a portable IEF case. These are extremely useful if you want to share your findings with another investigator, lawyer, or HR, and they wish to make their own bookmarks or edits but don’t have a licensed version of IEF. Another useful scenario is if you are lucky enough to have an analyst assisting with your investigation, they can use IEF to run the initial search on the image, or other type of digital evidence, and then pass the portable case to one or more investigators who can then examine the results with Report Viewer without needing an additional IEF license.

IEF provides several options for investigators to export or report their findings. Whether you create your own custom reports within your organization or use the predefined HTML report from Report Viewer, IEF provides enough options and customizations to work with most scenarios. Portable cases allow the investigator to collaborate when necessary without the challenge of managing licenses or separate IEF installations. Reporting your findings is a crucial step in the investigative process, and it is essential for your stakeholders to understand the evidence presented to them so that they can make informed decisions based on your findings.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics

 

Internet Evidence Finder nominated for TWO Forensic 4cast Awards in 2014!



After winning the Forensic 4cast award for Computer Forensic Software of the Year in 2013, we are excited to announce that Internet Evidence Finder (IEF) has once again been nominated in this category for 2014. What’s even more exciting is that our star software product has also been nominated for Phone Forensic Software of the Year.

Having just launched IEF Advanced with mobile search capabilities in June 2013, we are thrilled to be considered for Phone Forensic Software of the Year, as it validates how quickly we’ve been able to impact investigations in the mobile forensics world.

Thank you to everyone who voted for us last year, and we hope you will support us again in 2014!

We promise to continue to give you the best forensics tools available so you can accomplish your goals: fight crime, protect company assets and guard national security.

We would appreciate your continued support - vote for IEF!

 


Magnet Forensics Named to Branham300 List as One of Canada’s Top Technology Companies


Magnet Forensics named to Branham300 2014 list

Waterloo, ON., April 22, 2014—Branham300 today named Magnet Forensics Inc. to its 21st annual list of the Top 250 Canadian ICT Companies, as ranked by revenue. The Branham300 list illustrates the depth and breadth of innovative technologies developed in Canada, and is widely considered to be a leading source of intelligence on Canada’s ICT industry.

Magnet Forensics, a global leader in the development of software solutions that recover Internet-related evidence from computer hard drives and mobile phones, was also named to the Top 20 Movers and Shakers.

“Magnet Forensics is thrilled once again to be named to the Branham300 list in two different categories”, said CEO Adam Belsher. “We continue to execute on our mission by providing the best digital forensics tools, so our customers can accomplish their mission: Fighting crime. Protecting company assets. Guarding national security.”

About Magnet Forensics Inc.
Magnet Forensics is a global leader in the development of software solutions for digital forensic professionals that assist them in building the best possible cases.  Our flagship software, Internet Evidence Finder (IEF) was developed by a former police officer and forensic examiner who recognized the need for an easy to use, comprehensive tool to help perform digital investigations.

Since its creation, IEF has quickly become a trusted solution for thousands of digital forensics professionals in the world’s top law enforcement, government, military and corporate organizations in over 90 countries, used to recover a broad range of Internet-related communications. Court-admissible evidence recovered by IEF from computers, smartphones and tablets can include webmail, browser history, social networking and cloud applications, P2P files and instant messaging communications; and has been used to support a wide-variety of investigations including cybercrimes, child exploitation, terrorism, human resource disputes, fraud, and intellectual property theft.

Media Contact:
Lindsay Cournoyer
lindsay.cournoyer@magnetforensics.com
(519) 342-0195

 

About Branham Group Inc.

Branham Group Inc. is a leading industry analyst and strategic marketing company servicing the global Information and Communication Technology (ICT) marketplace. Branham Group assists ICT Technology companies and related institutions in achieving market success through its custom consulting services (Planning, Marketing and Partnering), and through its multi-client research subscription programs (Digital Health, Green IT and Cloud). Branham also produces an annual listing of the top ICT companies in Canada (www.branham300.com) and monitors over 450 Digital Health vendors (www.branhamgroup.com/digitalhealth).

Working more efficiently with Internet Evidence Finder and EnCase Forensic


Caseloads for examiners are growing far beyond anything manageable with manual tools and traditional forensic processes. Investigators must find a way to maximize their time and energy by accelerating their investigations without compromising on quality. Part of our mission is to make this possible. Often this can be achieved by using multiple tools from your digital forensics tool kit; however, knowing how best to combine these tools in the investigative process is critical. We partnered with Guidance Software, the creator of EnCase Forensic, to demonstrate how the combination of Internet Evidence Finder (IEF) and EnCase Forensic can yield more powerful results in digital forensic investigations. Learn more here.

3 Ways to Make IEF and EnCase Work Better Together


We partnered with Guidance Software to demonstrate how combining Internet Evidence Finder (IEF) and EnCase Forensic can help investigators yield more thorough results in their investigations. If you missed this blog, you can read it here.

We wanted to expand even further on this collaboration to provide three integration options that allow investigators who use both EnCase and IEF to initiate IEF searches from within EnCase and/or more easily import IEF recovered artifacts into EnCase.

Integrating these tools into your current processes will help uncover the truth quickly while allowing the examiner to work within whatever tool they are most comfortable with to achieve the best results. Learn more here.

Uncover the Truth About IEF in Less Than Two Minutes


In this new video, we show you how Internet Evidence Finder (IEF) digs deeper and searches wider to uncover more evidence than ever before – faster. Learn how IEF helps digital forensic investigators bring the truth to light.

 

IP Theft: Collecting Artifact Evidence from the Cloud and Mobile


SANS and Magnet Forensics teamed up recently to collaborate on a case study of Intellectual Property (IP) theft. This webinar will walk you through an IP theft case study, investigating many of the common methods and artifacts that an internal employee might use to steal valuable data from your organization, including mobile devices and cloud storage artifacts. Watch this webinar.
