Channel: Magnet Forensics

Creating an Investigative Timeline with IEF and EnCase Forensic


Guidance Software and Magnet Forensics have been collaborating to help investigators combine two great tools – Internet Evidence Finder (IEF) and EnCase Forensic – to maximize the time spent on cases and achieve more thorough results.

This webinar focuses on a big challenge in digital forensic investigations – building a solid timeline to prove a suspect was behind the keyboard when critically important activity took place. Learn how to develop an investigative timeline that incorporates clues and artifacts from cloud, mobile, and social media systems using EnCase Forensic and IEF from Magnet Forensics. Watch this webinar.


Investigating Child Exploitation Cases – Webinar


When a child’s safety is on the line, how do you get to key internet forensics evidence quickly enough to begin building your case?

Designed for digital forensics investigators who may work on child exploitation cases, this internet forensics webinar will give you the tools and techniques needed to find key internet evidence (like pictures, web searches and chat apps) at every stage of the investigation. We’ll take you from obtaining your search warrant, to recovering internet forensics artifacts from a suspect’s computer and mobile phone, to producing an understandable report that can be passed off or presented in court.

Led by Jad Saliba and Jamie McQuaid from Magnet Forensics who’ll be demonstrating how to use Internet Evidence Finder, you’ll learn how to:

  • Identify a suspect online using chat and IP address details that can be later used in obtaining a search warrant.
  • Triage data onsite/find key pieces of internet evidence, like illicit pictures using hash values, to assist in making an arrest.
  • Perform a full internet forensics investigation back in the lab to find all of the relevant internet evidence for your case, including Skype, Kik Messenger, Google searches, pictures, P2P files and more.


Techno Security & Forensics Investigations Conference


June 1-4, 2014
Myrtle Beach, SC

The Sixteenth Annual International Techno Security Conference will be held June 1-4 in sunny Myrtle Beach at the Myrtle Beach Marriott Resort.

Visit us at Booth 703/704 and don’t miss Jad Saliba’s presentations on June 3.

 

Free IEF Training on Sunday June 1

Attend a FREE IEF Training Lab session plus receive a FREE six month IEF term license.

When: Sunday, June 1: 12-1pm, 1-2pm, or 2-3pm (on a first come, first served basis)

Where: Tides 1 Conference Room, Myrtle Beach Marriott Resort (Myrtle Beach, South Carolina)

We look forward to seeing you there!


CEIC


May 19-22, 2014
Las Vegas, NV

It’s no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development.

To find out more about IEF, visit us at Booth 800 and stop by the AppCentral Station. Jad Saliba will be presenting on May 19, 20 and 22. View the agenda here.


Internet Evidence Finder Timeline at Forensics Europe


Last week we made the trip across the pond to Olympia, UK for the Forensics Europe Expo. This was a new conference for the Magnet Forensics team, and I was excited to present on how Geolocation Artifacts and Timeline Analysis can help solve digital forensics investigations.

During the session, I used a fictional case study (involving child luring that led to murder) to demonstrate how different tools and techniques can be used to analyze evidence recovered from computers and smartphones at different stages of an investigation; including tips on how to start a search for a missing person, and find evidence needed to support criminal charges.

If you’re interested, you can see my presentation slides here:

The presentation seemed to spark a conversation among IEF users at the Expo about how they have used IEF Timeline (one of our visualization tools built into our software) in their own cases and investigations.

One gentleman told me about a case where he had used our timeline tool to prove a particular person was, in fact, the user on a system.  As we all know, it’s often easy to determine what was done on a computer, but when you have to tie the actions to an actual person in the real world, things become much more difficult.

In this particular case, the suspect’s defense was that someone else had been behind the keyboard when the actions in question occurred. But with IEF Timeline, the investigator was able to identify a number of key events in the order they occurred, confirming that the computer user was in fact the suspect they had in custody.

If you’re interested in learning more about IEF Timeline, and how it can benefit your cases and investigations, here are some good resources:

  • IEF Timeline Blog Post by our CTO, Jad Saliba
  • IEF Timeline Demo Video
  • Webinar: Using Geolocation Artifacts & Timeline Analysis to Solve the Case: A Digital Forensics Case Study

 

Cheers!

Jamie McQuaid
Forensics Consultant, Magnet Forensics

 

Crimes Against Children Conference (CACC)


August 11-14, 2014
Dallas, TX

Providing Professionals the Instruction, Information and Strategies They Need to Protect Child Victims and Prosecute their Offenders. A nationally and internationally-recognized conference for professionals from the fields of law enforcement, prosecution, child protective services, social work, children’s advocacy, therapy, and medicine who work directly with child victims of crime.


GMU (RCFG – Computer Crime & Forensics Training)


August 4-8, 2014
Fairfax, VA

The purpose of GMU 2014 is to provide training to all levels of the cyber-enforcement community from security specialists to Law Enforcement personnel. Training attendance is open to everyone in the Digital Forensics, Incident Response and Information Security Community. Law enforcement, government employees and contractors employed by Law Enforcement (and supporting) agencies should also attend.


Coming Soon to IEF: Recover Documents, Corporate Email, IM and OS Artifacts


With the release of our next version of Internet Evidence Finder (IEF), we will be introducing a new business application and operating system artifacts module that enables the recovery of a host of new artifact types, including:

  • Corporate Email and Instant Messaging artifacts including Outlook OST & PST files, mbox email archives, and Microsoft Lync/OCS IM
  • Document files including .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx
  • Operating System artifacts including user accounts, USB device history, lnk files, pre-fetch files, shellbags, jumplists, event logs and more
  • IEF will carve for most of these artifacts whenever possible

Why are we adding non Internet-related artifacts to Internet Evidence Finder?

We know that listening to our customers is the best way we can learn how to improve. Over the past couple of years, hundreds of customers have asked us to expand on the types of artifacts that IEF can recover to include documents, email and other common OS artifacts.

Truth be told – when these requests first started coming in, we weren’t sure if they were a fit for the IEF concept, as it’s been primarily an Internet forensics tool. Then we realized that delivering the functionality our customers want and need to make their lives easier (the ability to find more evidence with one tool) is what we want and need to do. You spoke; we listened, and added in these features and artifacts for you.

This is why customer feedback is so important to us – we use it to shape what we do. Thank you (and keep it coming)!

— Jad and the Magnet Forensics team

 

IEF will soon be able to recover common OS Artifacts, including:

[Image: IEF OS Artifacts]

Example of OS Artifacts ready for analysis in IEF Report Viewer:

[Image: OS Artifacts in IEF Report Viewer]

Recover the following existing and deleted documents from allocated or unallocated space:

Example of documents ready for analysis in IEF Report Viewer:

[Image: Documents in IEF Report Viewer]

Recover email from Outlook OST/PST files and MBOX email archives, as well as email fragments from the browser-based Outlook Web App:

Example of emails recovered from Outlook and MBOX files in IEF Report Viewer:

[Image: Emails recovered from Outlook and MBOX files in IEF Report Viewer]

Recover chat messages, call logs and file transfers from Microsoft Lync (Office Communicator):

Example of Lync artifacts ready for analysis in IEF Report Viewer:

[Image: Lync artifacts ready for analysis in IEF Report Viewer]


BlackBerry Messenger (BBM) Forensics


BlackBerry Messenger (BBM) started as the original mobile messaging application geared towards business users and productive consumers. Originally available only on BlackBerry devices, BBM has since gone cross-platform and is now also available to Android and iOS users. This expansion has grown the BBM user-base despite declining consumer interest in BlackBerry devices. Popular in markets beyond just North America, BBM is even the number one mobile chat application in countries such as Indonesia and South Africa.

Forensic analysis of BBM

Analysis on BlackBerry devices can be difficult because of the challenges of imaging these devices and gaining root access; however, the analysis of BBM artifacts is relatively straightforward on both Android and iOS devices.

The information is stored in a SQLite database called master.db and can be found in the following locations:

For Android:

/data/data/com.bbm/files/bbmcore/master.db

For iOS:

/private/var/mobile/Applications/%GUID%/Library/bbmcore/master.db

The master.db database contains several tables providing a wealth of information around a user’s BBM contacts, invitations, messages, file transfers, profiles, as well as any GPS data if enabled on the device. This data is unencrypted on the device and can be viewed with any SQLite viewer.

The image below shows a wealth of information surrounding a BBM conversation between two parties including the message content, timestamps for sent and received, status, state (whether the message has been delivered, read, etc.), PINs, participants, and attachments (if any).

BBM for iOS and Android has also recently been updated to include BBM Channels. Previously only available on BlackBerry devices, BBM Channels allows the user to subscribe to various “channels” of interest such as a famous person, brand, or organization, etc. Users can interact with that channel by posting or responding to comments and questions.

There are various tables located within the master.db file containing details about the channels to which the user has subscribed. Tables Channels, ChannelPosts, and ChannelComments might be of evidentiary value depending on your investigation and certainly warrant a further look.
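Because master.db is unencrypted SQLite, an examiner can inventory it before committing to any particular parser. The script below is an added example written for this post; it is not Magnet Forensics or IEF code. The page documents only the database name, its paths and the table names Channels, ChannelPosts and ChannelComments, not the column layout, so the script is schema-agnostic: it hashes the file, opens it read-only and immutable (so SQLite never drops a journal or WAL file beside the evidence), lists every table with its columns and row count, and previews the channel tables. The sample database it builds, its column names, and the assumption that integer time columns hold Unix epoch seconds or milliseconds are all constructed for the example.

```python
"""Read-only inventory of a chat app's SQLite store, using BBM's master.db as the case.

Added example, not Magnet Forensics or IEF code. Table names Channels,
ChannelPosts and ChannelComments come from the post; every column name and
the sample rows below are constructed for the example.
"""
import hashlib
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash the evidence file so it can be shown unchanged after examination."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def open_readonly(path):
    """mode=ro plus immutable=1: SQLite neither writes to the file nor creates -journal/-wal side files."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def _quote(identifier):
    # Table names are read from sqlite_master, so quote them instead of trusting them.
    return '"' + identifier.replace('"', '""') + '"'


def inventory(conn):
    """Map every user table to (column names, row count)."""
    result = {}
    names = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    for (name,) in names:
        cols = [row[1] for row in conn.execute(f"PRAGMA table_info({_quote(name)})")]
        count = conn.execute(f"SELECT COUNT(*) FROM {_quote(name)}").fetchone()[0]
        result[name] = (cols, count)
    return result


def render_timestamp(value):
    """Assumption, not from the page: integer time columns are Unix epoch seconds,
    or milliseconds when the value is too large to be seconds. Other values pass through."""
    if not isinstance(value, int):
        return value
    seconds = value / 1000 if value > 10**11 else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def preview(conn, table, limit=5):
    """Return the first rows of a table as dicts, rendering time-like columns as UTC."""
    cur = conn.execute(f"SELECT * FROM {_quote(table)} LIMIT ?", (limit,))
    names = [d[0] for d in cur.description]
    rows = []
    for row in cur.fetchall():
        rows.append({
            n: render_timestamp(v) if n.lower().endswith(("time", "date", "timestamp")) else v
            for n, v in zip(names, row)
        })
    return rows


def triage(path, preview_tables=("Channels", "ChannelPosts", "ChannelComments")):
    """Hash, inventory, preview the tables of interest, then re-hash to show nothing changed."""
    before = sha256_file(path)
    conn = open_readonly(path)
    try:
        tables = inventory(conn)
        samples = {t: preview(conn, t) for t in preview_tables if t in tables}
    finally:
        conn.close()
    return {"sha256_before": before, "sha256_after": sha256_file(path),
            "inventory": tables, "samples": samples}


def demo():
    """Build a constructed master.db (table names from the post, columns assumed) and triage it."""
    workdir = tempfile.mkdtemp()
    try:
        db = Path(workdir) / "master.db"
        conn = sqlite3.connect(db)
        conn.executescript("""
            CREATE TABLE Channels (ChannelId INTEGER PRIMARY KEY, Name TEXT);
            CREATE TABLE ChannelPosts (PostId INTEGER PRIMARY KEY, ChannelId INTEGER, Body TEXT, Timestamp INTEGER);
            CREATE TABLE ChannelComments (CommentId INTEGER PRIMARY KEY, PostId INTEGER, Body TEXT, Timestamp INTEGER);
            INSERT INTO Channels VALUES (1, 'Example Brand'), (2, 'Example Club');
            INSERT INTO ChannelPosts VALUES (10, 1, 'Hello subscribers', 1400000000);
            INSERT INTO ChannelComments VALUES (100, 10, 'First!', 1400000060);
        """)
        conn.commit()
        conn.close()
        return triage(db)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    report = demo()
    print("sha256 unchanged:", report["sha256_before"] == report["sha256_after"])
    for table, (cols, count) in report["inventory"].items():
        print(f"{table}: {count} rows; columns {cols}")
    for table, rows in report["samples"].items():
        print(table, rows)
```

Against a real master.db you would call triage("/path/to/master.db") on a copy taken from the image and treat the column list it prints as the starting point for queries; the epoch rendering should be confirmed against a known event on the device before any time in the output is relied on.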

Recovering BBM artifacts with Internet Evidence Finder (IEF)

Added in version 6.3, IEF is able to recover BBM evidence from both iOS and Android devices. IEF parses data from the master.db database and displays the information to the investigator within the report viewer under categories for BBM Messages, Profiles, and Contacts.

From there, IEF will parse the display name, PIN number, personal message, last update date/time, profile picture/avatar, location, and time zone details from any profiles and contacts listed in the master.db. IEF will also display the type, status, state, display name, PIN, sent/received date/time, content, conversation ID, participants, and attachments for any messages it recovers. IEF will also carve any message data it finds in unallocated space, recovering potentially valuable deleted conversation details.

Overall, the recovery of BBM artifacts on iOS and Android is a relatively straightforward process and can be quite useful for an investigator dealing with potential mobile chat evidence. IEF is able to parse and carve the most valuable data from the master.db database helping the investigator recover the necessary evidence quickly and efficiently.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics

Investigating Child Exploitation Cases – Webinar

Date: Wednesday, May 28
Time: 1:00PM EST

CEO Adam Belsher interviews with Forensic Focus


Scar de Courcier of Forensic Focus caught up with our CEO, Adam Belsher, at the Forensics Europe Expo in April. Adam addresses questions about the challenges that Digital Forensic Investigators face today and how Internet Evidence Finder (IEF) is helping them uncover the truth in their investigations. He also shares his thoughts on why the future of Magnet Forensics is so bright. Read the full interview.

Magnet Forensics poised to tackle ‘billion-dollar market’


Anthony Reinhart, Communitech’s writing guru, interviewed our CEO Adam Belsher for a deep dive on what has made Magnet Forensics so successful in just two years. With an amazing and dedicated team, not to mention a digital forensic investigation tool – Internet Evidence Finder – that has been embraced world-wide, Magnet Forensics is indeed poised to tackle a ‘billion dollar market.’

Here’s the full article and interview:

Five years ago, Jad Saliba was a Waterloo Region cop with a knack for programming and a desire to use it to catch bad guys.

Today, the company he founded – now called Magnet Forensics – is running out of office space in downtown Waterloo, with 40 employees, zero outside funding, a global customer base and revenue in the double-digit millions.

The rocket ride began in 2011 after Saliba decided to stop giving away his specialized data-recovery software, called Internet Evidence Finder, for free to other law enforcement agencies. He left policing and jumped into entrepreneurship, teaming his technical prowess with the business smarts of Adam Belsher, a former executive with Research In Motion (now BlackBerry).

The pair haven’t looked back since.

With Belsher at the helm as CEO, fast-growing Magnet now stands poised to capitalize on what Inc.com recently called “a billion-dollar market in the making,” as the Internet of Things adds billions of connected devices – each one a potential source of forensic evidence – to our daily lives.

I sat down to catch up with Belsher this week in the company’s fifth-floor offices on King Street South, which he might soon have to vacate and sublet when it reaches its fire-code capacity.

The last time we spoke, just over two years ago, he and Saliba were the only employees of what was then called JADsoftware.

Q – Can you give me a quick update on the company?

A – Magnet was founded in 2009, and at that point it was one employee, the founder, Jad.

I joined in 2011, and in 2012 we hired our first employee. Currently we’re at 40 employees.

Revenue went from hundreds of thousands of dollars to double-digit millions this year.

We’re profitable and haven’t taken any external investment to date, but are considering for the future.

We moved in here in October of 2012, and I think we were 20 people or so. We’re at fire code at 47, so we really can add only another seven in this location.

Q – Where does Magnet sit among competitors in the global field of digital forensics?

A – There are a few companies that do a subset of what we do, around web browser forensics, for example – Chrome, Internet Explorer, Firefox and things like that – that focus specifically on recovering data from those types of applications.

There are other niche companies that will recover two or three different types of chat applications.

There is really only one player, that’s based in Russia, a small private company, that actually closely resembles our feature set.

Our real claim to fame is that we get the deleted data. There are companies that can get stuff that’s found in a file or in a folder and recover that data because it hasn’t been deleted, but the core of our IP and capabilities is how you get the deleted data.

Once it’s deleted, it’s messy. It’s in places on a hard drive that aren’t well known, and you actually have to take those different fragments of data and pull them together to see what the original data looked like, or at least a piece of it.

We get a wide array of different types of artifacts, so we support 450 different types, whereas somebody else will say ‘I support the five browsers.’

We support a lot of different artifacts and applications, and we support them across tablets, computers and smartphones, so we’re cross-platform and cross-operating system – Mac, Windows, Android, iOS – and then we get to the real nuggets of potential evidence, which is the deleted stuff.

The bad guys are trying to cover their tracks, so a lot of the key evidence can be found in the deleted data.

Q – Back to the bad guys, I noticed you offer a lot of detailed information on your website about where evidence might reside on a device. Doesn’t this help criminals cover their tracks?

A – For us, there are three core elements: Helping people fight crime, and that’s typically law enforcement and government; helping corporations protect their assets, so they can track down people who are trying to leak intellectual property or deal with a data breach; and the third pillar is helping guard national security, so we work with various intelligence customers that are dealing with terrorism and things like that.

The way we go to market and generate content is through use cases. So, if you’re doing a child exploitation investigation, here are the things you should look for, here’s where you can find them (in fact, we’re doing a webinar this week on that). If you’re doing an investigation around intellectual property theft, here are some of the different kinds of data that get left behind.

Our goal is to become thought leaders, so we spend a lot of time on content creation and creating these use cases. It’s less about, ‘Hey, our product is great and here are all the things it does.’ It’s more like, ‘Here are the things you may be doing in your job; let us tell you what kind of data can be really important,’ and at the end we kind of say, ‘Here’s the product.’

Q – Why has thought leadership become so important, in addition to having a good product?

A – There’s just so much noise in the market today, with everything from direct email coming at you to video marketing to social media, and a lot of it’s geared around, ‘Here’s my product, here’s what it does.’

I think the companies that are doing well are spending time on that whole inbound marketing idea, where you create the content and let people find you. So you make sure you’re creating stuff that’s relevant, that people are searching for.

There’s a bit of strategy in creating the content that people are searching for, but it’s giving them something that’s educational and valuable, rather than the product pitch.

Tell a story.

Q – What factor more than any other explains Magnet’s ability to grow without having to take on debt or outside investment?

A – I really credit Jad. Early on, his overhead was low because he was living at home and basically created a product and gave it away for free. It solved a specific pain point, and that created a bunch of momentum and goodwill that allowed us to eventually start charging for it.

So it was ‘create something that solved a real problem.’ He didn’t go and raise a bunch of money and hire 20 people, but it was about determining: is there a market opportunity for this? What value does it bring to the customer, and what is that value, and how do you monetize it?

From then on, I would say having a great product and great quality is a big thing.

We, unlike other startups, were pretty balanced in terms of R&D and sales and marketing. In some companies that are very engineering-focused – and at a certain point, you need to be; you need to be MVP (minimum viable product)-ready – you see a lot of companies that lag in sales and marketing.

It’s kind of like, ‘If we build a great product, people are going to buy it,’ but there’s a lot to be said for getting some great marketing so you know how to position a product, and which markets you’re going to go after, and what’s the value proposition, and getting people out there and knocking on doors.

It’s that healthy balance between R&D and the front end of the business to generate revenue, and we’ve kind of forced ourselves to say, ‘We’ve got to generate revenue to make sure we can pay the salaries.’

We want to be in a good position where, at the point we take funding, we’re in a great negotiating position, by focusing on the top line and driving profitability.

You have to make really tough decisions because you don’t have $5 million or $20 million in the bank.

It forces us to be really disciplined about what’s the market opportunity; who’s going to buy it; what are they going to pay for it; what’s the competitive landscape; is there IP we need to be concerned about.

Q – Does it creep you out a bit, just as a person, that the machines appear to be taking over?

A – I know there’s a lot of stuff, especially in the U.S. with the Snowden stuff and all the NSA collection activity and things like that, and I know a lot of people are up in arms around privacy, and different people have different views.

At the end of the day, people have to realize that if they’re doing something online, or with some kind of connected device, that you’ve got to assume that whatever you do, somebody can either see that, read that, recover that.

Don’t put anything out there that you don’t want the world to know, because it’s possible people can get it.

People are using encryption and things like that, but the problem with a lot of those technologies is, they’re not really optimized for performance.

Look at people who are using any of the Google services; they’re collecting metadata on what people are doing. I find that the majority of people will sacrifice privacy for convenience.

Google Now is a great example. You’re on Google in your house, and you’re mapping out your route to your next appointment, and you have an Android phone. As soon as you get into your car, it pulls up your mapping application on your Android phone and says, ‘Do you want to take this route?’ It’s just so well-integrated, and I think a lot of people like that convenience.

Q – Is there an investigation involving Magnet software that stands out as the most gratifying for you?

A – There’s been a bunch, and I don’t know if this is in the public record, so I’m not going to give specifics. But there is some stuff we’re waiting on that will hit the transcripts of the court case, hopefully soon.

If you think back to the last 12 months, and you think to different types of terrorism-related incidents in the U.S., specifically – and I would say mass shootings, as well – we’ve been involved in those types of cases.

In a couple of them we’ve been really pivotal in the prosecution, in terms of the data that we found.

More generally, probably every couple of weeks, we get an email, typically from someone in law enforcement, that says, ‘Because of your software, I was able to get a conviction of this pedophile.’ One said, ‘We originally didn’t have enough to go on and he was going to get five years, but we found all this child pornography and the guy is getting 40 years.’

We’ve seen that degree of magnitude in terms of sentencing, which is pretty gratifying.

The stuff that really hits home for a lot of us, especially those of us who are parents, is the child exploitation stuff, where you help them catch a pedophile or help a child who’s being abused by family. Those are the ones that really pull on the heartstrings and kind of keep us going.

We’re involved in corporate ones, but they’re less personal. Somebody’s stealing confidential information, or there’s some kind of HR misconduct or whatever.

Homicides, terrorism-related stuff, a lot of fraud-related cases – at the end of the day, almost every investigation has a digital element. Even if it’s something like a burglary, there’s a chance that somebody did some research on their computer before they did that, whether they were trying to look at the location, or were using Google Maps or satellite or whatever.

There’s literally almost no investigation that doesn’t have some kind of digital element to it, which positions us in a really interesting kind of perspective.

Q – What has Magnet gained from starting and staying in Waterloo Region?

A – I think a big part of it is the engineering and software development talent. That’s a really great reason to be here.

I would say the other thing is, I do really believe that Communitech and the ecosystem have really helped, whether it’s bringing in industry thought leaders, providing mentors for new startups, connecting startups to fundraising.

It’s really packaging up a bunch of the things that, as a new company, you need to think about, and offering different sessions on whether it’s intellectual property, or patents, or how you raise money, or how you use social media to market your product.

I think what’s unique is that Communitech takes that kind of role and ownership to pull all those resources together; to harness all those resources. I kind of call it the glue.

That’s a big reason why we’re still in Waterloo, because there’s the support, there’s the ecosystem, and Communitech has helped raise the profile of the community, especially after BlackBerry’s downturn, which is really, really important.

If this were other parts of Canada, it would be a hard thing to keep people anchored here.

The cost of living is fairly reasonable in the community, so being here gives you a great quality of life at an affordable price, with access to talent. And for the most part, you don’t feel like you’re missing out on something.

There’s the Valley syndrome, where people say ‘we’ve got to be in the Valley.’ I’ve done business there; I’ve never lived there, but I really have no desire [to be there], or feel I’m missing out on something.

I’m sure there’s a certain pace there; there’s a lot of networking and things like that, but I think Communitech does a pretty good job of bringing those people from all over the world to the community, and you can hear right from them, with private sessions and all of that. Like Geoffrey Moore at the Tech Leadership Conference; that’s awesome.


Understanding the New IEF Editions, Modules and Pricing


After listening to customer feedback over the last few years, the Magnet Forensics team has worked diligently to add a host of new features to Internet Evidence Finder (IEF) to help our customers recover and analyze more artifacts.

In June of 2013, we added a Mobile Artifacts Module to enable the recovery of Internet and application data from iOS and Android smartphones and tablets. And in June of 2014, we will introduce a new Business Applications and OS Artifacts Module to further expand the types of artifacts you can find with an IEF search.

As IEF has evolved as a product, we’ve had to change the way we name and organize licensing for the various editions and artifact modules. With the upcoming introduction of the Business Applications and OS Artifacts Module, we felt it was the right time to restructure your IEF purchasing options.

The Goal: Give our customers the power to customize their IEF license(s) to meet their investigative needs (and budget) by adding artifact modules.

We realize that these changes may cause some confusion, so here’s a quick rundown of what we offer today, and how we will be packaging IEF moving forward…

We currently offer five editions of IEF:

  1. IEF Standard
  2. IEF Advanced
  3. IEF Triage
  4. IEF Standard + Triage Bundle
  5. IEF Advanced + Triage Bundle

Starting in June, we will offer three editions of IEF:

  1. Internet Evidence Finder
  2. Internet Evidence Finder Triage
  3. Internet Evidence Finder Bundle (includes IEF and IEF Triage)

Which you can then customize by adding on two (optional) artifact modules:

  1. IEF Mobile Artifacts Module
  2. IEF Business Applications & OS Artifact Module

Your new options are best summarized in the following table:

IEF Edition                                              Internet Artifacts Module   Mobile Artifacts Module   Business Applications & OS Module
IEF                                                      Included                    Add-on (optional)         Add-on (optional)
IEF Triage                                               Included                    N/A *                     Add-on (optional)
IEF Bundle (incl. standard IEF license and IEF Triage)   Included                    Add-on (optional)         Add-on (optional)

* IEF Triage supports live system investigations for Windows computers. The Mobile Artifacts Module is not supported with Triage.

 

Selecting the IEF Edition That’s Right for You:

IEF, IEF Triage or IEF Bundle

Selecting the right IEF edition depends on the types of investigations you work on:

IEF

  • Designed for use in a lab environment on a forensics workstation
  • Recovers 260+ unique Internet artifacts from Windows or Mac file systems
  • Pricing starts at $1,549

IEF Triage

  • Designed for use on live systems in the field
  • Recovers 260+ unique Internet artifacts from Windows or Mac file systems
  • Runs directly from the USB thumb drive on a target computer, and is particularly valuable for running a quick search on-scene, taking a live RAM capture, and/or checking for disk encryption
  • Pricing starts at $1,799

IEF Bundle (incl. standard IEF license and IEF Triage)

  • Designed for investigators (or forensic teams) who work in a lab environment and in the field on live systems
  • Get both our standard and triage licenses together on a single USB dongle for added convenience and cost savings (use both IEF editions without having to pay for two separate licenses)
  • Pricing for the bundle starts at $1,999 (save 58% compared to the cost of purchasing and maintaining two separate licenses)

IEF Add-on Artifact Modules

You’ll soon be able to add on one, or both, of our artifact modules to customize your IEF license(s). Here’s more information on what our artifact modules will include, and how they can be used with other tools.

Mobile Artifacts Module:

  • Recover 165+ types of mobile artifacts from iOS and Android powered smartphones and tablets, including more 3rd party mobile apps than you can recover with traditional mobile forensic tools (because of our innovative approach to carving evidence from deleted space)
  • This module is designed to analyze images acquired from mobile phones via popular mobile forensic tools like Cellebrite’s UFED, Micro Systemation’s XRY and AccessData’s MPE+
  • Add the Mobile Artifact Module to your IEF License for $600

Business Applications and OS Artifacts Module:

  • Recover Business and OS artifacts from computers and mobile devices, including: corporate email and instant messaging artifacts like Outlook OST & PST files, mbox email archives, and Microsoft Lync/OCS IM; documents like .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx; and operating system artifacts like user accounts, USB device history, lnk files, prefetch files, shellbags, jumplists, event logs and more
  • This module extends IEF’s search capabilities to include recovery of business application artifacts, so you can get a more complete view of the user’s activity on a computer and/or mobile device
  • Add the Business Applications and OS Artifact Module to your IEF license for $600

 

Pricing

Product                              License *   Annual SMS
-----------------------------------  ----------  ----------
IEF                                  $1,549      $400
IEF Triage                           $1,799      $450
IEF Bundle                           $1,999      $450

IEF Add-on Modules (optional)
Mobile Artifacts Module              $600        $150
Business Applications & OS Module    $600        $150

* First-year SMS included with the license

 

IEF Pricing and Licensing FAQ

What is happening to IEF Standard?

IEF Standard is the name that we have used to describe our standard Internet Evidence Finder license. Starting in June, we will still refer to this version as our ‘standard license’ informally, but are dropping the word ‘Standard’ from the product name – so it will just be ‘Internet Evidence Finder’. Rest assured; our standard license is not changing. We just want to keep it simple with the name!

What is happening to IEF Advanced?

IEF Advanced is the name that we have used to describe a bundle that combines IEF with our Mobile Artifacts Module. Starting in June, we will drop the word ‘Advanced’ from the product name. All of the features previously included with IEF Advanced will now come with our standard IEF license plus the Mobile Artifacts Module. The price to purchase a license and SMS will remain the same.

If you have already purchased an IEF Advanced license, your license is still valid.  Your IEF Advanced license is exactly the same as a new IEF license with the Mobile Artifacts Add-on Module. All of the features, including the price of annual SMS remain the same.

Why are you offering these add-on artifact modules?

We work closely with customers to identify opportunities to improve IEF. Expanding the breadth of artifacts IEF supports is a very common request. We’ve learned from experience that each time we decide to tackle new initiatives (like introducing support for mobile or business application artifacts) we must expand our support and development team to ensure the quality of IEF remains the same.

In the spirit of full disclosure, adding support for new artifact categories is a huge financial commitment for Magnet Forensics. We were faced with some tough decisions:

Do we add the new artifacts into IEF, and then increase the price of an IEF license and SMS for all customers?

Or, do we let our customers customize their IEF license(s) by purchasing the optional, add-on modules that they want/need?

After considering both possibilities, we decided to go with option #2, as we believe that giving you the choice to customize your license to meet your needs is the best way to handle things moving forward.

I already own an IEF Advanced license. What do these changes mean to me?

If you have already purchased an IEF Advanced license, it is still valid. Your IEF Advanced license is exactly the same as a new IEF license with the Mobile Artifacts Add-on Module.  All of the features, including the price of annual SMS remain the same.

If I already own an IEF license, how do I get these add-on artifact modules?

As a current IEF customer you can add either artifact module to your existing IEF license at anytime. To purchase, please contact us at sales@magnetforensics.com or call +1 (519) 342-0195.

Investigating Child Exploitation Cases: Webinar Q&A


On Wednesday, May 28th, Magnet Forensics CTO, Jad Saliba and Forensics Consultant, Jamie McQuaid hosted a webinar on investigating child exploitation cases. Attendees learned how to identify a suspect online using chat and IP address details, triage data onsite to find key pieces of evidence, and perform a full forensics investigation back in the lab to find all of the relevant internet evidence.

If you’d like to watch the webinar replay, you can do so here.

This webinar generated great discussion, and a lively Q&A which we’ve re-capped for you below:

Pictures/Hashing

Q: Can a quick search for one picture hash be done in Internet Evidence Finder?

Yes. If you have an MD5, SHA-1 or PhotoDNA hash of a picture you wish to search for, IEF lets you search for that single hash either in an already completed IEF report, or by adding it before the search starts, the same way you would add an entire hash list.

Q: Can IEF detect hidden images such as steganography?

It depends on how the images are hidden. IEF will find pictures embedded in documents and other files, and will carve them out of unallocated space, but it is unlikely to identify steganography: a picture concealed inside another picture, or picture data that has been modified, encrypted or encoded, no longer carries the recognisable image headers that carving relies on.

Q: What do the Skin Tone values in IEF mean/ represent?

IEF has a feature which allows investigators to filter images based on the percentage of skin tone colours found in the picture. When viewing pictures in IEF Report Viewer, move the slider to your desired skin tone percentage and IEF will automatically filter out any pictures below that threshold. This will help prioritize pictures that likely have nudity or eliminate pictures that do not include people altogether depending on your chosen skin tone percentage.

Q: Will the hash value change if the photo is cropped or resized?

Yes. Cryptographic hashes such as MD5 or SHA-1 give a completely different result if even one bit of the file changes, so a cropped, resized or re-saved photo no longer matches a known hash. That is exactly what you want for verifying file integrity, but it is a problem in child exploitation cases, where the same image circulates in many slightly different versions. Technology such as PhotoDNA and techniques such as fuzzy hashing address this with hashes that change only a little when the picture changes a little, so investigators can compare files that are similar rather than identical.

Q: Are there any websites that share hash sets?

There are quite a few sites that share hash lists, depending on the type of list you are looking for. NIST’s National Software Reference Library (NSRL) maintains hash sets of common known files, such as those installed by various versions of Windows and other software, which are useful for filtering out known-good files.

If you are interested in hash lists that assist child exploitation investigations, such as Project VIC, we recommend you reach out to those groups directly: distribution of those lists depends on a number of factors, such as location, and is restricted to people authorized by those groups.

Q: What is PhotoDNA?

PhotoDNA is a technology developed by Microsoft that computes a hash of an image in order to identify similar images, in the same spirit as fuzzy hashing. It is used primarily to detect child exploitation images. The hash is computed so that it is resistant to alterations such as resizing and minor colour changes: the image is converted to greyscale, resized and divided into a grid, and the hash is built from the intensity gradients (edges) in each grid cell. Two hashes are then compared by how far apart they are, rather than for exact equality.

PhotoDNA is currently used with Bing and OneDrive, as well as Twitter, Facebook and the National Center for Missing & Exploited Children, to whom Microsoft has donated the technology. PhotoDNA picture hashing is available in IEF to all law enforcement agencies, and those assisting law enforcement agencies in child exploitation investigations.
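The difference between a file hash and a perceptual hash, as an added worked example that is not part of the original Q&A and is not Microsoft’s PhotoDNA implementation (which is proprietary): a small pure-Python “dHash”-style hash that follows the same idea described above, greyscale picture, grid of block means, one bit per cell recording whether brightness rises between neighbouring cells. The test picture is constructed in code, and `tent_image`, `perceptual_hash` and the other names are this example’s own. MD5 over the pixel bytes changes on any edit, while the 64-bit gradient hash survives resizing, a brightness shift and a crop, and differs in every bit from an inverted picture.

```python
import hashlib


def tent_image(width=64, height=64, invert=False):
    """Constructed 8-bit greyscale test picture (not a real photo): a horizontal
    brightness 'tent' (dark edges, bright centre) plus a faint vertical gradient.
    invert=True gives a valley instead, i.e. a genuinely different picture."""
    rows = []
    for y in range(height):
        row = []
        for x in range(width):
            tent = 4 * x if x < width // 2 else 4 * (width - 1 - x)
            if invert:
                tent = 124 - tent
            row.append(tent + (y // 8) * 4)
        rows.append(row)
    return rows


def resize_nearest(img, new_w, new_h):
    """Nearest-neighbour resize, the crude kind of edit that breaks MD5 matches."""
    h, w = len(img), len(img[0])
    return [[img[y * h // new_h][x * w // new_w] for x in range(new_w)] for y in range(new_h)]


def brighten(img, delta):
    return [[min(255, max(0, p + delta)) for p in row] for row in img]


def crop(img, border):
    return [row[border:-border] for row in img[border:-border]]


def file_hash(img):
    """Cryptographic hash of the raw pixel bytes: any change yields a new digest."""
    return hashlib.md5(bytes(p for row in img for p in row)).hexdigest()


def block_means(img, cols, rows):
    """Shrink the picture to a cols x rows grid of average brightness."""
    h, w = len(img), len(img[0])
    grid = []
    for gy in range(rows):
        y0, y1 = gy * h // rows, (gy + 1) * h // rows
        line = []
        for gx in range(cols):
            x0, x1 = gx * w // cols, (gx + 1) * w // cols
            cells = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            line.append(sum(cells) / len(cells))
        grid.append(line)
    return grid


def perceptual_hash(img, size=8):
    """dHash-style perceptual hash: (size+1) x size block means, then one bit per
    cell saying whether brightness rises from that cell to its right-hand
    neighbour. Gradients, not pixel values, so resizing or a brightness shift
    leaves the 64-bit result unchanged."""
    grid = block_means(img, size + 1, size)
    bits = 0
    for gy in range(size):
        for gx in range(size):
            bits = (bits << 1) | (grid[gy][gx + 1] > grid[gy][gx])
    return bits


def hamming(a, b):
    """Number of differing bits; near-duplicates are close, unrelated pictures far."""
    return bin(a ^ b).count("1")


def similar(img_a, img_b, threshold=10):
    return hamming(perceptual_hash(img_a), perceptual_hash(img_b)) <= threshold


if __name__ == "__main__":
    original = tent_image()
    for name, variant in [("resized", resize_nearest(original, 96, 96)),
                          ("brighter", brighten(original, 10)),
                          ("cropped", crop(original, 4)),
                          ("inverted", tent_image(invert=True))]:
        print("%-8s md5 same: %-5s  hash distance: %2d" % (
            name, file_hash(variant) == file_hash(original),
            hamming(perceptual_hash(original), perceptual_hash(variant))))
```

In practice near-duplicates are found by Hamming distance under a threshold rather than by exact equality, and perceptual hashes can collide on unrelated images, so a hit is a lead for human review, not proof of a match.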

Live Analysis

Q: When doing live triage, how do you prevent writing to suspect’s machine? Is everything run and stored on the USB drive running IEF?

IEF Triage reads the evidence at a low level through the $MFT and the file system rather than through the normal file APIs, which avoids modifying most of the system. It is not a zero-footprint process, though: the registry will record the USB dongle being connected (in the USBSTOR and MountPoints2 keys used for USB device analysis), Windows may create a prefetch entry for the application, and running it changes the contents of RAM. The investigator performing the live analysis should document what was run, when, and from which device.

The IEF Report and exported files are stored on the USB dongle by default but the investigator can choose another export destination if he or she wishes.

Q: Can you use IEF Triage for Apple devices?

IEF Triage can currently only be run on Windows systems; IEF itself, however, can analyze HFS+/HFSX file systems and, with the Mobile Artifacts Module, iOS artifacts.

Q: Can IEF Standard be used to do a triage search?

IEF Triage and IEF Standard are separate products. Triage is designed to be run on a live system while Standard is designed to be installed on the forensic examiner’s computer to examine images or files of interest. We do offer a bundle that includes both IEF Triage and Standard.

Skype

Q: In order to obtain Skype IP addresses, does the user in question have to send a file or simply engage in a chat?

Once a conversation is initiated by two people over Skype, the IP address info is stored in the chatsync folder. A few messages might need to be sent before it is populated; however, no files need to be transferred in order for it to appear.

Q: How is the IP address obtained if the user is behind TOR or another service?

If the suspect has set up Tor correctly and routes Skype traffic through the Tor client, Skype will record the address of a Tor exit node rather than the suspect’s own. In practice, users often configure only their browser to use Tor, and Skype still connects directly; in that case Skype will still record the suspect’s actual IP address.

Chat

Q: Does IEF find image attachments and match them up with chats from apps like Kik?

Yes, IEF with the mobile module does support the recovery of Kik Messenger attachments as well as the chat conversations.

Q: Will IEF recover WhatsApp conversations?

Yes, IEF with the mobile module can recover WhatsApp conversations and carve for deleted messages, and also recover WhatsApp encrypted backups.

Q: Is the new SnapChat text chat functionality captured with the newest version of IEF?

Not in the current release but we will be adding support for this very soon.

Q: Have you had any exposure to snapchat picture recovery?

Yes, IEF with the mobile module can recover Snapchat pictures if they have not been deleted, and also recover logs that detail transfers that have occurred on Snapchat even if the pictures have been deleted. Once deleted, Snapchat pictures can be carved from unallocated space but it’s not possible at that point to tie them back to Snapchat.

Q: How is chat threading supported in IEF?

Chat threading was added to IEF version 6.2. It is currently supported for Skype and WhatsApp. We will continue to add threading for additional chat artifacts in the future.

Browsers

Q: How would you determine that someone actually went to a webpage and that it just wasn’t a page that accidentally opened up?

There are a number of indicators an investigator can rely on to distinguish a page the user deliberately visited from an ad, pop-up or redirect loaded by another site. For example, the TypedURLs registry key records any URL or path the user typed into the address bar of Internet Explorer or Windows Explorer, and browser history databases usually store a visit or transition type alongside each URL.

Often it is up to the investigator to determine how a URL was reached. Timeline analysis (what was loaded immediately before and after, and how many times the site was visited) helps, and so can visiting the URL; do that from an isolated, non-attributable system rather than the examination workstation, and record when you did it, since the page may have changed since the suspect saw it.

Timeline

Q: Is there a way to see an entire file path in IEF Timeline which has been cut off due to space?

Usually you can expand the column to see additional data, but we are working on several improvements around displaying data in IEF Timeline and will make this and other operations easier in future releases.

Ready to make IEF a part of your digital forensics toolkit?

Read about the new IEF editions, modules and pricing in a blog post here.

 

IEF Wins Forensic 4cast Award


IEF Wins Forensic 4cast Award for Computer Forensic Software of the Year!

After winning the Forensic 4cast award for Computer Forensic Software of the Year in 2013, Internet Evidence Finder (IEF) has taken home the same award for the second straight year.

Announced last night at the SANS DFIR Summit in Austin, Texas, Magnet Forensics Founder and CTO, Jad Saliba accepted the award on behalf of the Magnet Forensics team.

[Photo: Jad Saliba accepts the award for Computer Forensic Software of the Year from 4cast Award founder Lee Whitfield]

‘We could not be more excited that IEF has won Computer Forensic Software of the Year for 2014, and would like to thank everyone in the forensics community who voted for us again this year,’ said Saliba.

‘Our customers are very vocal about the things they’d like to see included in IEF, and we strive to add the features and functionality that will make their lives easier. Our customers really help to shape what we do—so we want to share this award with you!’

 

ABOUT MAGNET FORENSICS & INTERNET EVIDENCE FINDER (IEF)

Magnet Forensics is a global leader in the development of forensic software that recovers data from a broad range of Internet-related communications for computer and mobile investigations. Our flagship software product, INTERNET EVIDENCE FINDER™ (IEF) was created by a former police officer and forensic examiner who recognized the need for an easy-to-use, comprehensive tool to help perform digital investigations.  Since its creation, IEF has quickly become a trusted solution for thousands of the world’s top law enforcement, government, military and corporate organizations—used to recover evidence like chat messages, social media communications, webmail, browser activity (and more) to support their most important investigations.


Finding and Analyzing Document Files with IEF


Digital forensics has evolved from the examination of computers, storage and documents to the analysis of data from the Internet, smartphones and networks. This evolution has greatly expanded the scope of the forensic investigator’s responsibilities, not narrowed it.

Analyzing documents to prove their authenticity has been one of the cornerstones of computer forensics and is still an important part of the investigative process to this day. Whether you’re investigating documents in a fraud case, an IP theft, or from a malware/phishing intrusion, proper document analysis is essential to help uncover the truth in many investigations.

Most documents have two primary sources of evidentiary value to examiners depending on the investigation: the content of the document itself, and the metadata around the creation and modification of the file. Analyzing the content of a given document is relatively straightforward and very dependent on the case you’re investigating. For example, the content of an Excel spreadsheet containing financial records would be far more valuable to investigate for a potential fraud case, versus a malware or phishing investigation, where the focus would be around searching for malicious scripts or links. The biggest challenge will be to recover any deleted documents from unallocated space, as sometimes the files are fragmented and/or overwritten, which means the full content of a document may not be recovered.

More often than not, the metadata around a particular document can be just as important as, if not more important than, the contents of the file itself. Details about when the file was created and last edited, and by whom, are valuable to an investigator trying to determine the authenticity of a document or to verify its contents. Which metadata is present depends on the individual document being analyzed. Typically you’ll find the file system MAC times for the file, plus the created and last-edited times stored inside the document itself. The embedded times are often the more reliable of the two, because file system timestamps are reset or only partially preserved when a document is copied between computers and drives, whereas the embedded metadata travels with the file. The original author and the last person to edit the document are also included, along with the document title when available. Bear in mind that embedded metadata is trivial to edit, so corroborate it against file system times and other artifacts rather than treating it as proof on its own.

New to Internet Evidence Finder v6.4 is the ability to recover and analyze documents found on a suspect’s PC. Available with the OS & Business Apps module, IEF is now able to recover Microsoft Office documents including Excel, PowerPoint, Word and PDF documents.

IEF will now parse out DOC, DOCX, XLS, XLSX, PPT, PPTX and PDF files from any evidence that is analyzed on PCs and mobile devices. It will also attempt to carve out full or partial documents that have been deleted or reside in unallocated space.

As previously mentioned, how IEF reports the metadata greatly depends on the type of document being analyzed. IEF will organize all the recovered details into sortable columns as shown below:

The first three timestamps are the MAC times for the file itself, whereas the later timestamps (Created Time, Last Modified Time and Last Printed Time for PPTX files) come from the metadata stored in the document. Any additional metadata is stored in columns, which makes it easy for an investigator to search and organize.

Viewing the content of a document in IEF is straightforward. In the details window you are given the option to display either the details from the column table, or the content of the document by clicking “View”:

The content is rendered for the investigator from within the IEF Report Viewer as a preview.

If you would like analyze the document further in its native viewer, it can easily be exported by right clicking on the artifact and selecting “Export to Files.” Once exported, the document can be viewed with any viewer installed on the examination machine that handles those file types.

Document analysis is a common task for forensic examiners. In adding this feature to IEF, we’ve strived to ensure that investigators experience the same ease of use with document analysis that they already experience with IEF Internet analysis.

Here are some other resources worth taking a look at:

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics

Finding and Analyzing Email with IEF


Internet Evidence Finder (IEF) is well known for its ability to excel at recovering Internet artifacts from chat, social networking and browsers including webmail. New with IEF v6.4, we’ve expanded those capabilities to include desktop email as well. Microsoft Outlook is the most popular email client used in the enterprise today, and IEF is now able to parse PST and OST files for email evidence. IEF has also added support for the MBOX mail format commonly used by other email clients such as Mozilla Thunderbird. Finally, support for the enterprise instant messaging program Microsoft Lync, formerly known as Office Communicator, has also been included.

Outlook Forensics

Outlook stores email, contact and additional data that it receives from POP, IMAP, or Exchange servers in PST and OST archives for its users. IEF will search for these files anywhere on the user’s system but they are typically stored in the following locations:

Windows XP

ROOT\Documents and Settings\%userprofile%\Local Settings\Application Data\Microsoft\Outlook

Windows 7

ROOT\Users\%userprofile%\AppData\Local\Microsoft\Outlook

IEF will recover emails, contacts, appointments, journals, notes and tasks from Outlook, plus it will also give the investigator the option to extract any attachments related to these artifacts. Additionally, IEF will also search the user’s browser history for any evidence indicating that the user might have used Outlook Web Application (OWA), and can now also recover traces of email content and other metadata from OWA usage.

IEF users will notice that along with the traditional Details view, we have added additional views for the email Body, Headers and Attachments.

Although the email body can be viewed from the IEF details, the new Body tab gives investigators a clearer view of what the suspect saw as they either sent or received the message. Below, the headers are laid out in a separate tab for easier analysis, which is especially useful if you are investigating a phishing or spoofed email.

Finally, the Attachments tab gives investigators a listing of all the attachments of a given email and allows them to be exported and saved individually, or in bulk.

Often investigators are able to gain access to the corporate Exchange server that might aid in their investigation, but even in those cases, it’s still advisable to view any additional data that isn’t stored with Exchange. Outlook is able to manage webmail accounts for Hotmail, Gmail, etc., so there might be additional data beyond what is synced with the Exchange server.

MBOX

MBOX is a commonly used format for storing mail data and is popular with many Unix and Linux based mail clients, most notably Mozilla Thunderbird. IEF recovers and presents MBOX data in the same way as Outlook data, including the Details, Body, Headers and Attachments views.
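An added example (not IEF’s code, and not from the original post) of the kind of header analysis the Headers view supports when you suspect a phishing or spoofed email, run over a constructed mbox of the sort IEF recovers from Thunderbird: it reads each message with Python’s standard mailbox module, rebuilds the Received: chain oldest-first, and flags messages whose From: domain disagrees with the envelope Return-Path or whose first hop is not in the claimed sender’s domain. The two messages, hostnames, addresses and queue IDs are all constructed sample data.

```python
import mailbox
import os
import re
import tempfile
from email.utils import parseaddr

# Constructed two-message mbox (sample data, not real mail). Message 1 is a
# legitimate mail; message 2 claims to come from the corporate helpdesk but was
# injected by an unknown host and carries a different envelope sender.
SAMPLE_MBOX = """\
From alice@example.com Mon Jun  2 09:00:00 2014
Return-Path: <alice@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.corp.example (Postfix) with ESMTP id 1A2B3C
    for <bob@corp.example>; Mon, 2 Jun 2014 09:00:00 -0400
From: Alice <alice@example.com>
To: bob@corp.example
Subject: Q2 figures
Message-ID: <1@example.com>

Attached are the figures.

From bounce@mailer.invalid Mon Jun  2 09:05:00 2014
Return-Path: <bounce@mailer.invalid>
Received: from mx.corp.example (localhost [127.0.0.1])
    by mx.corp.example (Postfix) with ESMTP id 4D5E6F
    for <bob@corp.example>; Mon, 2 Jun 2014 09:05:00 -0400
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mx.corp.example (Postfix) with SMTP id 7G8H9I;
    Mon, 2 Jun 2014 09:04:58 -0400
From: "IT Helpdesk" <helpdesk@corp.example>
To: bob@corp.example
Subject: Password reset required
Message-ID: <2@mailer.invalid>

Click here to reset your password.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.I)


def received_chain(msg):
    """Hops as (from_host, by_host), oldest first. Each MTA prepends its own
    Received: header, so the order in the message is newest-first; only the
    headers added by servers you control are trustworthy, the rest can be forged."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))
        hops.append((m.group(1), m.group(2)) if m else ("?", "?"))
    return hops[::-1]


def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyse(msg):
    """Compare the visible From: with the envelope sender and the first hop."""
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    chain = received_chain(msg)
    first_hop = chain[0][0] if chain else ""
    return {
        "subject": msg.get("Subject", ""),
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "first_hop": first_hop,
        "sender_mismatch": from_dom != rp_dom,
        "first_hop_outside_from_domain": not first_hop.endswith(from_dom),
    }


def analyse_mbox(path):
    return [analyse(m) for m in mailbox.mbox(path)]


def write_sample():
    """Write the constructed mbox to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    for r in analyse_mbox(write_sample()):
        flag = "SUSPECT" if r["sender_mismatch"] or r["first_hop_outside_from_domain"] else "ok"
        print("%-8s %-28s from=%s return-path=%s first hop=%s" % (
            flag, r["subject"], r["from_domain"], r["return_path_domain"], r["first_hop"]))
```

Both checks are heuristics: mailing lists and legitimate bulk senders also produce Return-Path mismatches, so treat a flag as a reason to read the full chain and the Message-ID, not as a verdict.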

Microsoft Lync

Microsoft Lync is a commonly used instant messaging client in the enterprise. Formerly known as Microsoft Office Communicator (the client for Office Communications Server, OCS), Lync integrates closely with Outlook and Exchange. Beyond chat and IM, Lync also supports voice and video calling, screen sharing and file transfers. Unlike Skype and MSN Messenger, it was designed for the enterprise rather than for consumers.

IEF is able to carve chat messages, call logs and file transfers from allocated and unallocated space from a number of different sources, including Windows, Mac and Windows Phone.

IEF has always been strong at analyzing webmail, which has helped many investigators uncover the truth in their investigation. By adding desktop email artifacts, including Outlook, MBOX and chat application Lync, IEF can assist examiners further by providing them with additional evidence to help piece together the relevant data.

Here are some other resources worth taking a look at: 

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics

Investigating User Activity with Windows Artifacts in IEF


Sometimes when conducting forensic examinations, investigators can lose sight of the fact that they’re investigating the actions of a person, not a computer. Almost every event or action on a system is the result of a user either doing something (or not doing something) at a particular time to create that event. It’s important for an investigator to understand how those events on a system correlate to the actions of somebody in the real world.

New with the Business and OS artifacts module in Internet Evidence Finder (IEF) v6.4, we’ve added a number of valuable Windows operating system artifacts that will help investigators gain insight into details about a system and its users. IEF will now search for File System Information, Jump Lists, LNK Files, Network Share Information, Operating System Information, Shellbags, Startup Items, Timezone Information, USB Devices, User Accounts, Windows Event Logs and Windows Prefetch Files. These artifacts can be broken down into two categories: system artifacts and artifacts focused around a user’s activity. Here we will discuss artifacts based around user activity and how they are relevant to your investigation.

The artifacts that we will discuss are: Jump Lists, LNK files, Shellbags, USB Devices and Prefetch files.

Jump Lists

Jump lists were added to Windows 7 and later systems to provide a list of recently accessed files and documents associated with a given application. Previously, examiners only had access to a short list of recently accessed files, but jump list artifacts provide details on recent files for each application, giving investigators a lot more information and timestamps around what the user was doing on a system.

IEF will now recover jump list details from the automaticDestinations-ms and customDestinations-ms files, providing details around the application, recent files and timestamps, as well as several other items of potential forensic value.

One unique artifact included in jump lists is the AppID field, a CRC64 hash of the application path. For more information on calculating AppID values, see a great write-up from the Hexacorn blog here. While it’s possible for the investigator to calculate the AppID value, IEF uses a predefined list of commonly known application paths to provide examiners with the application likely associated with the jump list.[1]

LNK Files

LNK files are commonly known as shortcuts on Windows systems. Forensically, they provide volume, path and timestamp details around both the LNK file and the targeted shortcut. For example, when examining a shortcut that links to notepad.exe, the LNK file will contain details on the:

  •  path of notepad.exe
  •  serial number of the volume where notepad.exe is located, the UNC path if the target lives on a network share, and the MAC address of the network adapter on the host that created the link (embedded in the link tracking data)
  •  timestamps surrounding when notepad.exe was first and last accessed through the LNK file

The LNK file will also contain details on the MAC times of notepad.exe itself, which can be quite useful if the original file cannot be found or accessed on a system.

IEF will recover all the relevant details from LNK files found on a system including the path, volume and timestamp details mentioned above. Much of this data can be correlated with other artifacts, such as jump lists and prefetch files, to help investigators build an excellent timeline of a user’s activity on a system.
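The LNK fields described above, parsed from a constructed shortcut as an added example (this is not IEF’s parser; the layout follows Microsoft’s MS-SHLLINK specification): the header’s three target FILETIMEs and file size, the volume serial number and local base path from the LinkInfo structure, and the MAC address of the host that created the link, which sits in the node field of the version-1 GUID stored in the TrackerDataBlock. `build_sample_lnk` generates the sample bytes in code; the target path, serial number, machine name and GUID are made up.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # HasName .. HasIconLocation, in file order
TRACKER_BLOCK = 0xA0000003
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks):
    """FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def parse_lnk(data):
    """Pull target timestamps, volume serial, local path and creator MAC out of a shell link."""
    hdr_size, clsid, flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a shell link file")
    out = {"target_created": from_filetime(ctime), "target_accessed": from_filetime(atime),
           "target_modified": from_filetime(wtime), "target_size": size}
    pos = hdr_size
    if flags & HAS_ID_LIST:                                # skip the LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:                                # VolumeIDAndLocalBasePath
            drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            out["drive_type"] = drive_type                 # 2 = removable, 3 = fixed, 4 = remote
            out["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            end = data.index(b"\x00", pos + base_off)
            out["local_base_path"] = data[pos + base_off:end].decode("cp1252")
        pos += li_size
    for flag in STRING_DATA_FLAGS:                         # skip StringData entries
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + count * (2 if flags & IS_UNICODE else 1)
    while pos + 4 <= len(data):                            # ExtraData blocks; a size < 4 terminates
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            break
        if struct.unpack_from("<I", data, pos + 4)[0] == TRACKER_BLOCK:
            out["machine_id"] = data[pos + 16:pos + 32].split(b"\x00")[0].decode("ascii")
            file_droid = data[pos + 48:pos + 64]           # Droid = volume GUID, then file ObjectID GUID
            out["mac_address"] = ":".join("%02x" % b for b in file_droid[10:16])  # v1 UUID node
        pos += block_size
    return out


def build_sample_lnk():
    """Constructed shortcut (not from a real system) to a file on a fixed drive,
    with a TrackerDataBlock whose ObjectID GUID carries the creating host's MAC."""
    target = b"C:\\Users\\bob\\Documents\\plan.docx"
    created = to_filetime(datetime(2014, 5, 28, 14, 30, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le, HAS_LINK_INFO, 0x20,
                         created, created + 3600 * 10**7, created + 60 * 10**7, 4096,
                         0, 1, 0, 0, 0, 0)                 # icon index, SW_SHOWNORMAL, hotkey, reserved
    volume_id = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\x00"  # size, DRIVE_FIXED, serial, label ""
    base_off = 28 + len(volume_id)
    body = volume_id + target + b"\x00" + b"\x00"          # local base path, empty common path suffix
    link_info = struct.pack("<IIIIIII", 28 + len(body), 28, 0x01, 28, base_off,
                            0, base_off + len(target) + 1) + body
    object_id = uuid.UUID("b5d2f7c4-e5a0-11e3-9a6b-0050563f1a2b")   # constructed version-1 GUID
    tracker = (struct.pack("<IIII", 0x60, TRACKER_BLOCK, 0x58, 0) + b"LAB-WS01".ljust(16, b"\x00")
               + uuid.UUID(int=0).bytes_le + object_id.bytes_le      # Droid
               + uuid.UUID(int=0).bytes_le + object_id.bytes_le)     # DroidBirth
    return header + link_info + tracker + struct.pack("<I", 0)       # TerminalBlock


if __name__ == "__main__":
    for key, value in sorted(parse_lnk(build_sample_lnk()).items()):
        print("%-16s %s" % (key, value))
```

The serial number can be matched against the volume serial recorded for USB devices, and the MAC against the adapters of the examined host: a LNK whose MAC belongs to no interface on the machine was created elsewhere and copied in.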

Shellbags

Shellbags have become a popular topic for forensic examiners trying to trace the activities of a user on a Windows system. Harlan Carvey and Dan Pullega have written great posts on the topic and should certainly be read by any investigator looking to dig deeper into shellbag analysis.

In a nutshell, shellbags help track views, sizes and positions of a folder window when viewed through Windows Explorer; this includes network folders and removable devices. Forensically, this will help investigators build a timeline of events as a user might have traversed through a system going from folder to folder; it may also help refute claims that a suspect might not have known certain files or pictures were present on a system.

Additionally, shellbags will be structured differently depending on how a user accessed the folder in question (whether they were accessed through the start menu, a sidebar, etc.).

IEF will pull shellbag artifacts from the UsrClass.dat registry hive at the following two locations:

HKCR\Local Settings\Software\Microsoft\Windows\Shell\Bags

HKCR\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

(Shellbag keys also exist in NTUSER.DAT under Software\Microsoft\Windows\Shell, and under ShellNoRoam on Windows XP; on Windows 7 and later, most Explorer folder activity is recorded in UsrClass.dat.)

USB Devices

Analyzing USB devices is a common technique used by forensic examiners to determine what removable media has been plugged into a system. The steps for gathering USB device history and tying it back to a user are well documented by SANS for both Windows XP and Vista/7. There are several registry keys of value to investigators who wish to gain as much insight as possible about USB devices:

HKLM\System\CurrentControlSet\Enum\USB

HKLM\System\CurrentControlSet\Enum\USBSTOR

HKLM\System\MountedDevices

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Also, setupapi.log (setupapi.dev.log on Vista and later) records when a device’s driver was first installed, in local time, which is valuable timestamp information for investigators. IEF will search these locations for USB details and provide a list of devices that have connected to the system, along with any timestamp or user details it could recover.

Sometimes examiners might come across an Android device or something similar that uses the MTP (Media Transfer Protocol) drivers instead of USB mass storage drivers. These devices should be examined differently than a typical USB device since there will be no information about them in the USBSTOR or MountPoints2 registry keys.

Combining your USB/MTP analysis with other artifacts, such as shellbags and LNK files, will help investigators piece together the actions of a user on the system. From accessing particular files and applications on a system, to connecting an external device and browsing through explorer to those locations, these artifacts will track a user throughout an incident whether it’s an IP theft investigation, malware intrusion or something similar.

Prefetch Files

Windows creates a prefetch file (ending in the .pf extension) when an application is run from a particular location for the very first time. This is used to help speed up the loading of applications, but for investigators these files contain some valuable data on a user’s application history on a computer.

Prefetch file names consist of the executable name followed by an eight-character hexadecimal hash of the location the application was run from. For example, the prefetch file for notepad.exe appears as NOTEPAD.EXE-XXXXXXXX.pf, where XXXXXXXX is the hash of the path the file was executed from; the same executable run from two different folders therefore produces two prefetch files.

Prefetch files record when the application was last run and how many times it has run; the prefetch file’s own creation time approximates the first run from that location. On Windows 8, prefetch files hold up to eight timestamps for previous runs, giving investigators several additional data points to help build a timeline of events on a system.

The location of the executable can be just as important as any timestamp data. For example, if I’m working on a malware investigation and I find a prefetch file for lsass.exe in the Windows\system32 folder, I wouldn’t think too much of it. If I found a prefetch file for the same executable in either a temp directory or anywhere else on the system, I would certainly investigate that file further as that’s not expected behaviour for this file.

IEF will parse details for prefetch files from the ROOT\Windows\Prefetch folder and display them in the Report Viewer, including any additional timestamps for Windows 8 files.

Overall, there is a wealth of user activity found in these artifacts. Investigators can often piece together information from one artifact with another, which provides an excellent timeline of events on how a user traversed the system over a given time –  so don’t try to analyze these artifacts as individual pieces. The data should be pieced together from multiple sources for an examiner to understand the complete picture.
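An added example (not IEF’s code) of the normalisation step that makes correlating these artifacts safe. The sources above store time in different formats and references: registry last-write, prefetch and LNK values are UTC FILETIMEs, browser history uses Unix-epoch values, and setupapi’s log records local wall-clock time. Each is converted to UTC, using the image’s ActiveTimeBias from HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation, before sorting; the five events below are constructed values, not from a real image.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks):
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC (registry key
    last-write times, prefetch run times, LNK target timestamps)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def from_unix_micro(value):
    """Microseconds since 1970-01-01 UTC (Firefox places.sqlite visit_date)."""
    return EPOCH_1970 + timedelta(microseconds=value)


def from_local(text, active_time_bias):
    """Local wall-clock text as written by setupapi.dev.log, converted with the
    registry's ActiveTimeBias (minutes): UTC = local time + bias."""
    naive = datetime.strptime(text, "%Y/%m/%d %H:%M:%S.%f")
    return (naive + timedelta(minutes=active_time_bias)).replace(tzinfo=timezone.utc)


CONVERTERS = {
    "filetime": lambda value, bias: from_filetime(value),
    "unix_us": lambda value, bias: from_unix_micro(value),
    "local": from_local,
}

# Constructed events in the raw form each artifact stores them (sample data).
SAMPLE_EVENTS = [
    {"source": "Prefetch WINWORD.EXE", "fmt": "filetime", "value": 130457595400000000,
     "what": "last run"},
    {"source": "setupapi.dev.log", "fmt": "local", "value": "2014/05/28 10:02:11.781",
     "what": "USBSTOR device first installed"},
    {"source": "Firefox places.sqlite", "fmt": "unix_us", "value": 1401285600000000,
     "what": "visit https://example.invalid/plans"},
    {"source": "LNK plan.docx.lnk", "fmt": "filetime", "value": 130457594420000000,
     "what": "target E:\\Projects\\plan.docx opened"},
    {"source": "Shellbag (UsrClass.dat)", "fmt": "filetime", "value": 130457593950000000,
     "what": "folder E:\\Projects viewed"},
]


def build_timeline(events, active_time_bias):
    """Normalise every event to UTC and return them in chronological order."""
    rows = []
    for event in events:
        utc = CONVERTERS[event["fmt"]](event["value"], active_time_bias)
        rows.append({"utc": utc.isoformat(timespec="seconds"),
                     "source": event["source"], "what": event["what"]})
    rows.sort(key=lambda row: row["utc"])   # identical format, so string order is time order
    return rows


if __name__ == "__main__":
    # ActiveTimeBias 240 = UTC-4 (Eastern Daylight Time), as stored in the image's SYSTEM hive
    for row in build_timeline(SAMPLE_EVENTS, active_time_bias=240):
        print("%s  %-24s %s" % (row["utc"], row["source"], row["what"]))
```

Running the same events with a bias of 0 moves the setupapi entry to 10:02 and makes the USB device appear before the browsing that preceded it, which is the kind of mis-ordering a timeline assembled from raw values produces.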

There is an abundance of additional information about these artifacts and they are well documented in the links I referenced above. Keep an eye out for some additional blogs where I will dig deeper into each one of these artifacts to give you some additional insight into their value in your investigations.

Here are some other resources worth taking a look at:

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics


[1] IEF uses the compiled list of AppIDs available at http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs. Many thanks to Harlan Carvey, Troy Larsen, Dan Pullega, among several others who provided this information.

Finding and Analyzing Windows System Artifacts with IEF


New with the Business and OS artifacts module in Internet Evidence Finder (IEF) v6.4, we have added a number of valuable Windows operating system artifacts that will help investigators gain insight into details about a system and its users. IEF will now search for File System Information, Jump Lists, LNK Files, Network Share Information, Operating System Information, Shellbags, Startup Items, Timezone Information, USB Devices, User Accounts, Windows Event Logs and Windows Prefetch Files. These artifacts can be broken down into two categories: system artifacts and artifacts focused around a user’s activity. Here we will discuss system artifacts and how they are relevant to your investigation.

System artifacts include File System Information, Network Share Information, Operating System Information, Timezone Information, User Accounts and Windows Event Logs. Event logs are unique as they contain details about what is happening on the system as well as user activity.

File System Information

Most forensic investigators are familiar with the common file systems and the storage structures that enable investigators to analyze and recover data; Brian Carrier's book File System Forensic Analysis[1] illustrates this best.

IEF supports the analysis of a wide range of file systems for both PCs and mobile devices, including FAT, NTFS, exFAT, EXT2, EXT3, EXT4, HFS+, HFSX and YAFFS2. The File System Information artifact gives investigators additional details about the file system on every volume and partition found on the drive or image being analyzed. Details include the file system type, volume serial number, capacity, and sector and cluster information, as well as several other indicators that might be of value in your examination.

Most forensic tools will automatically organize file system details and apply the appropriate sector and cluster sizes to parse a given file system. However, sometimes it’s necessary to dig a little deeper and perform some manual analysis as these details are essential for the analysis and recovery of any files stored within.
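To show what that manual analysis looks like in practice, here is an added example (not code from the original post or from IEF) that decodes the BIOS Parameter Block of an NTFS boot sector using only Python's standard library. The 512-byte boot sector it parses is constructed inline for illustration rather than taken from a real image; the field offsets are those of the NTFS $Boot record, and the signed "clusters per record" convention (a negative value means 2^|n| bytes) is handled explicitly since it trips up a lot of hand-written parsers.

```python
"""Decode the BIOS Parameter Block of an NTFS boot sector ($Boot, first sector of the volume)."""
import struct


def _build_sample_boot_sector() -> bytes:
    """Constructed sample (NOT from a real image): BPB fields filled in, bootstrap code left zeroed."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x52\x90"                          # jump instruction
    sector[3:11] = b"NTFS    "                             # OEM ID
    struct.pack_into("<H", sector, 0x0B, 512)              # bytes per sector
    struct.pack_into("<B", sector, 0x0D, 8)                # sectors per cluster
    struct.pack_into("<B", sector, 0x15, 0xF8)             # media descriptor (fixed disk)
    struct.pack_into("<Q", sector, 0x28, 209715199)        # total sectors (100 GiB volume, minus the backup boot sector)
    struct.pack_into("<Q", sector, 0x30, 786432)           # $MFT starting cluster
    struct.pack_into("<Q", sector, 0x38, 2)                # $MFTMirr starting cluster
    struct.pack_into("<b", sector, 0x40, -10)              # clusters per file record: negative -> 2**10 bytes
    struct.pack_into("<b", sector, 0x44, 1)                # clusters per index buffer: 1 cluster
    struct.pack_into("<Q", sector, 0x48, 0x1234567890ABCDEF)  # 64-bit volume serial number
    sector[510:512] = b"\x55\xaa"                          # boot sector signature
    return bytes(sector)


SAMPLE_BOOT_SECTOR = _build_sample_boot_sector()


def _size_from_signed_cluster_count(value: int, cluster_size: int) -> int:
    """Positive values count clusters; negative values encode a size of 2**abs(value) bytes."""
    return cluster_size * value if value > 0 else 1 << (-value)


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Return the volume geometry an examiner needs before touching the MFT by hand."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS: %r" % sector[3:11])
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot sector signature")

    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    clusters_per_record = struct.unpack_from("<b", sector, 0x40)[0]
    clusters_per_index = struct.unpack_from("<b", sector, 0x44)[0]
    serial = struct.unpack_from("<Q", sector, 0x48)[0]

    cluster_size = bytes_per_sector * sectors_per_cluster
    return {
        "file_system": "NTFS",
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "capacity_bytes": total_sectors * bytes_per_sector,
        "mft_offset": mft_cluster * cluster_size,          # byte offset of $MFT from the volume start
        "mftmirr_offset": mftmirr_cluster * cluster_size,
        "file_record_size": _size_from_signed_cluster_count(clusters_per_record, cluster_size),
        "index_buffer_size": _size_from_signed_cluster_count(clusters_per_index, cluster_size),
        "volume_serial": "%016X" % serial,
    }


if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(SAMPLE_BOOT_SECTOR).items():
        print("%-18s %s" % (key, value))
```

Feed it the first 512 bytes of a volume (for example from a raw image at the partition's start offset) and the mft_offset and file_record_size values are what you need to seek to and carve individual MFT entries manually.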

Network Share Information

The next system artifact recovered by IEF is the Network Share Information. This information is pulled from a user’s NTUSER.dat registry hive and will reveal any network shares that are, or have previously been, mounted by the user along with the associated drive letter if available. We will first look at the Map Network Drive MRU:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

This location stores a list of network drives the user has mapped through the "Map Network Drive" wizard in Windows, with an MRUList value giving the order of use. The last write time of this key reveals when the user most recently mapped a drive, not when each individual entry was added.

The next location that stores valuable network share data is also stored in the NTUSER.dat under Network:

HKCU\Network\

This location stores a sub-key for every network share mounted to a particular drive letter. The RemotePath value will provide the investigator with the path that was mapped to that drive letter.

Finally, the MountPoints2 key also stores a wealth of information about any network shares mounted by the user:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

This key lists additional volumes and folders the user has mounted, including local drive letters and {GUID} volume entries alongside network shares. One interesting point is that the key name replaces each backslash (\) with a hash mark (#), so a share normally mounted as \\192.168.1.1\share appears as ##192.168.1.1#share.

IEF will recover any data from these registry locations and display any relevant data that it was able to parse into the Report Viewer for analysis.

Providing investigators a list of network shares for each user helps reveal any additional sources of potential evidence that might be stored on another system on the network.
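The following added example (not from the original post or from IEF) pulls those three locations together. It works on a plain Python dict standing in for the NTUSER.dat keys, with constructed sample values rather than data from a real hive; a practitioner would feed it the values read by a registry parser. It reconstructs the MRU order from MRUList, ties drive letters to UNC paths from the Network sub-keys, and undoes the '#' substitution in MountPoints2 key names while ignoring the local drive-letter and {GUID} volume entries that also live there.

```python
"""Reconstruct a user's network shares from Map Network Drive MRU, HKCU\\Network and MountPoints2."""

MRU_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU"
MOUNTPOINTS2_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
NETWORK_KEY = "Network"

# Constructed sample of the relevant NTUSER.dat keys (NOT exported from a real hive).
# Keys are relative to the hive root; each maps to {value name: data}.
SAMPLE_NTUSER = {
    MRU_KEY: {
        "a": r"\\fileserver\finance",
        "b": r"\\192.168.1.1\share",
        "c": r"\\nas01\backups",
        "MRUList": "bca",                      # first letter is the most recently used entry
    },
    NETWORK_KEY + r"\Z": {"RemotePath": r"\\192.168.1.1\share", "ProviderName": "Microsoft Windows Network"},
    NETWORK_KEY + r"\Y": {"RemotePath": r"\\nas01\backups", "ProviderName": "Microsoft Windows Network"},
    MOUNTPOINTS2_KEY + r"\##192.168.1.1#share": {},
    MOUNTPOINTS2_KEY + r"\##nas01#backups": {},
    MOUNTPOINTS2_KEY + r"\{b3a7e8c2-0000-0000-0000-000000000001}": {},  # local volume GUID, not a share
    MOUNTPOINTS2_KEY + r"\C": {},                                       # local drive letter, not a share
}


def mru_mapped_drives(mru_values):
    """Paths from the Map Network Drive MRU, most recently used first.
    Letters in MRUList without a matching value are skipped; values missing from
    MRUList are appended at the end, since their relative order is unknown."""
    paths, seen = [], set()
    for letter in mru_values.get("MRUList", ""):
        if letter in mru_values and letter != "MRUList":
            paths.append(mru_values[letter])
            seen.add(letter)
    for letter in sorted(k for k in mru_values if len(k) == 1 and k not in seen):
        paths.append(mru_values[letter])
    return paths


def drive_letter_mappings(hive):
    """Drive letter -> RemotePath from the direct HKCU\\Network\\<letter> sub-keys."""
    prefix = NETWORK_KEY + "\\"
    out = {}
    for key, values in hive.items():
        name = key[len(prefix):]
        if key.startswith(prefix) and "\\" not in name and "RemotePath" in values:
            out[name.upper()] = values["RemotePath"]
    return out


def decode_mountpoint_name(name):
    """MountPoints2 stores UNC paths with '#' in place of '\\'. Returns the UNC path,
    or None for local drive letters and {GUID} volume entries."""
    return name.replace("#", "\\") if name.startswith("##") else None


def mountpoints2_shares(hive):
    prefix = MOUNTPOINTS2_KEY + "\\"
    return [unc for key in hive if key.startswith(prefix)
            for unc in [decode_mountpoint_name(key[len(prefix):])] if unc]


def network_share_summary(hive):
    """One row per UNC path (matched case-insensitively), combining all three sources."""
    rows = {}

    def row(unc):
        return rows.setdefault(unc.lower(), {"path": unc, "drive_letter": None,
                                             "mru_rank": None, "in_mountpoints2": False})

    for rank, unc in enumerate(mru_mapped_drives(hive.get(MRU_KEY, {})), start=1):
        row(unc)["mru_rank"] = rank
    for letter, unc in drive_letter_mappings(hive).items():
        row(unc)["drive_letter"] = letter
    for unc in mountpoints2_shares(hive):
        row(unc)["in_mountpoints2"] = True
    # MRU entries first in recency order, then anything only seen elsewhere
    return sorted(rows.values(), key=lambda r: (r["mru_rank"] is None, r["mru_rank"] or 0, r["path"].lower()))


if __name__ == "__main__":
    for r in network_share_summary(SAMPLE_NTUSER):
        print("%-28s letter=%-4s mru=%-4s mountpoints2=%s" % (r["path"], r["drive_letter"], r["mru_rank"], r["in_mountpoints2"]))
```

Note that the HKCU\Network sub-keys record persistent mappings (those made with "Reconnect at logon"), so a share mapped once without that option will typically appear in the MRU and MountPoints2 but carry no drive letter here, exactly as \\fileserver\finance does in the sample.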

Operating System Information

As with the other system artifacts discussed here, most forensic examiners will be familiar with the operating system installation information stored in the registry keys below:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

HKLM\SYSTEM\CurrentControlSet\Control\Windows

IEF is now able to recover OS details such as the name, version, Product ID and Product Key, which service pack is installed, and the install and last shutdown timestamps associated with a given Windows installation.

Two artifacts of note are the install date and the last shutdown time, which are valuable to investigators building a timeline of events around when Windows was installed and when the system was last shut down. Some examiners might notice that the last logon time for a user is sometimes later than the last shutdown time recorded in the registry. A number of scenarios can cause this; most often the system was simply powered off or unplugged without going through the proper Windows shutdown process, which prevented it from writing a new time to the ShutdownTime value.

Timezone Information

One simple yet very important artifact is the system timezone information stored in the Windows registry. Windows stores timestamps in both local time and UTC: NTFS and registry timestamps are recorded in UTC, while others, such as FAT file system timestamps, are recorded in local time. Understanding which timestamp is which, and how they relate to the timezone set on the system, is essential to understanding the timeline of events in an incident. Timezone information is stored in the following key in the SYSTEM hive:

HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

IEF parses the standard and daylight saving timezone offsets, which can be used to calculate the local time of any UTC timestamp for a given date. The Bias values are expressed in minutes and are defined such that UTC = local time + Bias, so a system in the US Eastern zone has a Bias of 300 with a DaylightBias of -60. Most forensic tools, including IEF, allow investigators to set the display time to the local time of the system being investigated, so the examiner can view timestamps as they would have appeared during the incident.
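As an added example covering both the Operating System Information and Timezone Information artifacts above (this is not code from the original post or from IEF), the Python below decodes InstallDate (a DWORD of Unix-epoch seconds), ShutdownTime (an 8-byte FILETIME) and the TimeZoneInformation values, then converts the UTC timestamps to the system's local time. Rather than applying a single offset, it evaluates the DaylightStart and StandardStart rules for the date in question, so a January install and a June shutdown on the same US Eastern system come out as EST and EDT respectively. All registry values are constructed samples.

```python
"""Decode InstallDate / ShutdownTime and convert them to system local time using TimeZoneInformation."""
import calendar
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw):
    """REG_BINARY FILETIME (ShutdownTime): little-endian count of 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=struct.unpack("<Q", raw)[0] // 10)


def install_date_to_utc(dword):
    """InstallDate is a REG_DWORD of seconds since the Unix epoch."""
    return datetime.fromtimestamp(dword, tz=timezone.utc)


def signed_dword(value):
    """Bias values are REG_DWORD but signed in meaning: 0xFFFFFFC4 is -60 minutes."""
    return value - (1 << 32) if value & 0x80000000 else value


def parse_systemtime(raw):
    """16-byte SYSTEMTIME. wYear == 0 means a relative rule: the wDay-th wDayOfWeek of wMonth
    (wDay == 5 is 'last'), wDayOfWeek 0 = Sunday. wMonth == 0 means the zone has no DST."""
    year, month, dow, day, hour, minute, _sec, _ms = struct.unpack("<8H", raw)
    return {"year": year, "month": month, "day_of_week": dow, "day": day, "hour": hour, "minute": minute}


def nth_weekday(year, month, win_dow, n):
    first_win_dow = (datetime(year, month, 1).weekday() + 1) % 7   # Python Mon=0 -> Windows Sun=0
    day = 1 + (win_dow - first_win_dow) % 7 + 7 * (n - 1)
    while day > calendar.monthrange(year, month)[1]:                # n == 5 ('last') may overshoot
        day -= 7
    return datetime(year, month, day)


def transition_utc(year, rule, bias_before):
    """UTC instant of a transition; the rule's time is local wall-clock, so add the bias in force before it."""
    if rule["year"]:
        local = datetime(rule["year"], rule["month"], rule["day"])
    else:
        local = nth_weekday(year, rule["month"], rule["day_of_week"], rule["day"])
    local = local.replace(hour=rule["hour"], minute=rule["minute"], tzinfo=timezone.utc)
    return local + timedelta(minutes=bias_before)


def local_time(utc_dt, tz):
    """UTC = local + Bias + (StandardBias or DaylightBias), all in minutes. Returns (local datetime, in_dst)."""
    bias, std_bias, dl_bias = (signed_dword(tz[k]) for k in ("Bias", "StandardBias", "DaylightBias"))
    start_rule, end_rule = parse_systemtime(tz["DaylightStart"]), parse_systemtime(tz["StandardStart"])
    in_dst = False
    if start_rule["month"] and end_rule["month"]:
        start = transition_utc(utc_dt.year, start_rule, bias + std_bias)   # DST begins on standard time
        end = transition_utc(utc_dt.year, end_rule, bias + dl_bias)        # DST ends on daylight time
        in_dst = (start <= utc_dt < end) if start < end else not (end <= utc_dt < start)  # southern hemisphere wraps the year
    offset = -(bias + (dl_bias if in_dst else std_bias))
    return utc_dt.astimezone(timezone(timedelta(minutes=offset))), in_dst


def to_local_iso(utc_iso, tz):
    local, in_dst = local_time(datetime.fromisoformat(utc_iso).replace(tzinfo=timezone.utc), tz)
    return local.isoformat(), in_dst


def decode_os_timestamps(os_values, tz):
    install, shutdown = install_date_to_utc(os_values["InstallDate"]), filetime_to_utc(os_values["ShutdownTime"])
    install_local, install_dst = local_time(install, tz)
    shutdown_local, shutdown_dst = local_time(shutdown, tz)
    return {"install_utc": install.isoformat(), "install_local": install_local.isoformat(), "install_dst": install_dst,
            "shutdown_utc": shutdown.isoformat(), "shutdown_local": shutdown_local.isoformat(), "shutdown_dst": shutdown_dst}


# Constructed sample values (NOT from a real system): US Eastern rules, a January install, a June shutdown.
SAMPLE_TZ = {
    "Bias": 300, "StandardBias": 0, "DaylightBias": 0xFFFFFFC4, "ActiveTimeBias": 240,
    "StandardName": "Eastern Standard Time", "DaylightName": "Eastern Daylight Time",
    "DaylightStart": struct.pack("<8H", 0, 3, 0, 2, 2, 0, 0, 0),    # 2nd Sunday in March, 02:00
    "StandardStart": struct.pack("<8H", 0, 11, 0, 1, 2, 0, 0, 0),   # 1st Sunday in November, 02:00
}
SAMPLE_OS = {"InstallDate": 1391014800, "ShutdownTime": struct.pack("<Q", 130469130000000000)}

if __name__ == "__main__":
    for key, value in decode_os_timestamps(SAMPLE_OS, SAMPLE_TZ).items():
        print("%-15s %s" % (key, value))
```

ActiveTimeBias is the offset that was in force at the last boot, not necessarily the one that applied when an older timestamp was written, which is why the rules are evaluated per date rather than applying that single value. Windows Vista and later also keep per-year rules under the Dynamic DST sub-key of each zone in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones; for years in which a zone's rules changed (the US did in 2007), those should be used in place of the current rule.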

User Accounts

User account information is stored in the SAM registry hive, which lists all of the built-in and user-created local accounts on a given system:

SAM\Domains\Account\Users\

IEF will pull account name, type, groups, login count, whether the account is disabled or a password is required, timestamps around last login, last password change and last incorrect password login.

One note for investigators analyzing Windows Vista or newer: you might notice duplicate entries in the User Accounts artifact. Starting with Windows Vista, Windows keeps a backup copy of each registry hive at:

[ROOT]\Windows\System32\config\RegBack

For the most part these entries will match the live hives, but the backup is there if a hive becomes corrupt, and entries that differ between the two reflect changes made after the backup was taken.

Finally, one additional registry key to mention is the ProfileList key under the SOFTWARE hive:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

While the SAM hive stores login information for all local accounts, the ProfileList key stores information on all users who have logged into a system, including domain users, which can be valuable for examiners investigating intrusions or compromised accounts over a network.
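The account details listed above are packed into the binary F value under each user's RID key. Here is an added example (not code from the original post or from IEF) that decodes it: the FILETIME timestamps at offsets 8, 24, 32 and 40, the RID at 48, the account control bits at 56, and the failed-login and logon counts at 64 and 66. The two F values it parses are constructed to resemble a user account and the built-in Guest account; they are not from a real SAM hive.

```python
"""Decode the binary F value of a SAM user key (SAM\\Domains\\Account\\Users\\<RID as 8 hex digits>\\F)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF   # FILETIME meaning 'account never expires'

# Account control bits (ACB) stored as a WORD at offset 56 of the F value.
ACB_FLAGS = {
    0x0001: "Disabled", 0x0002: "HomeDirRequired", 0x0004: "PasswordNotRequired",
    0x0008: "TempDuplicate", 0x0010: "NormalAccount", 0x0020: "MNSLogon",
    0x0040: "InterdomainTrust", 0x0080: "WorkstationTrust", 0x0100: "ServerTrust",
    0x0200: "PasswordNeverExpires", 0x0400: "AutoLocked",
}


def filetime_to_iso(raw):
    """8-byte little-endian FILETIME -> ISO 8601 UTC string, or None when zero or 'never'."""
    ticks = struct.unpack("<Q", raw)[0]
    if ticks in (0, NEVER):
        return None
    return (EPOCH_1601 + timedelta(microseconds=ticks // 10)).isoformat()


def utc_to_filetime(dt):
    """Inverse of filetime_to_iso; used here only to build the constructed samples below."""
    return struct.pack("<Q", int((dt - EPOCH_1601).total_seconds()) * 10_000_000)


def parse_sam_f_value(f):
    """Return the account metadata IEF's User Accounts artifact reports, decoded from one F value."""
    if len(f) < 68:
        raise ValueError("F value too short: %d bytes" % len(f))
    rid = struct.unpack_from("<I", f, 48)[0]
    acb = struct.unpack_from("<H", f, 56)[0]
    failed_count, logon_count = struct.unpack_from("<HH", f, 64)
    return {
        "rid": rid,
        "last_login": filetime_to_iso(f[8:16]),
        "password_last_set": filetime_to_iso(f[24:32]),
        "account_expires": filetime_to_iso(f[32:40]),
        "last_failed_login": filetime_to_iso(f[40:48]),
        "acb_flags": [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit],
        "disabled": bool(acb & 0x0001),
        "password_required": not bool(acb & 0x0004),
        "failed_login_count": failed_count,
        "login_count": logon_count,
    }


def _build_sample_f(rid, acb, last_login, pwd_set, last_failed, failed_count, logon_count):
    """Constructed F value (NOT from a real SAM hive), laid out at the offsets parsed above."""
    f = bytearray(80)
    f[8:16] = utc_to_filetime(last_login) if last_login else bytes(8)
    f[24:32] = utc_to_filetime(pwd_set) if pwd_set else bytes(8)
    f[32:40] = struct.pack("<Q", NEVER)
    f[40:48] = utc_to_filetime(last_failed) if last_failed else bytes(8)
    struct.pack_into("<I", f, 48, rid)
    struct.pack_into("<H", f, 56, acb)
    struct.pack_into("<HH", f, 64, failed_count, logon_count)
    return bytes(f)


UTC = timezone.utc
# A user-created account that has logged on, and a Guest-style account (disabled, no password, never logged on).
SAMPLE_USER_F = _build_sample_f(1001, 0x0210, datetime(2014, 6, 10, 22, 0, tzinfo=UTC),
                                datetime(2014, 1, 29, 17, 5, tzinfo=UTC),
                                datetime(2014, 6, 10, 21, 58, 30, tzinfo=UTC), 2, 57)
SAMPLE_GUEST_F = _build_sample_f(501, 0x0215, None, None, None, 0, 0)

if __name__ == "__main__":
    for f in (SAMPLE_USER_F, SAMPLE_GUEST_F):
        print(parse_sam_f_value(f))
```

The account name itself lives in the sibling V value, and the key name is the RID in hexadecimal (000003E9 for RID 1001), which is how the two are tied together when walking the hive by hand. Comparing the same RID's F value in the live SAM and in RegBack is a quick way to spot accounts enabled or reset after the backup was taken.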

Windows Event Logs

Windows event logs store a wealth of information about a system and its users. Depending on the logging level enabled and the version of Windows installed, event logs can provide investigators with details about applications, logon timestamps for users and system events of interest. On Windows 2000, XP and 2003, event logs are stored as .evt files in the ROOT\Windows\system32\config folder and are grouped into three logs: Application, System and Security. Windows Vista and newer changed the way event logs are handled: they are now stored in a binary XML format with an .evtx extension under ROOT\Windows\system32\winevt\Logs. Vista also introduced several new logs in addition to the Application, System and Security logs found in Windows XP/2003, and the logs are now split into two groups: Windows logs and Applications and Services logs. Under Windows logs there are two new logs available to examiners, Setup and Forwarded Events. Under Applications and Services logs, Windows stores a number of additional logs for Windows components and for applications installed on the system.

IEF collects these logs for investigators and also carves deleted event logs from unallocated space. A Windows system typically keeps a large volume of event log data, but a few records are especially valuable depending on the investigation. Logon events, both successful and failed, help determine which user logged on to which system and when: in the Security log these are Event IDs 528/540 (success) and 529 (failure) on Windows XP and 2003, and 4624 (success) and 4625 (failure) on Vista and later. Each record names the account and includes a Logon Type that tells you how the logon was made, for example type 2 for an interactive logon at the console, type 3 for a network logon (such as access to a share), and type 10 for a remote interactive (RDP) session.

Overall, Windows contains a wealth of information and artifacts around the system that can be quite valuable to investigators. With these new additions to IEF, examiners can enjoy the same features and efficiency they already get when investigating Internet artifacts and evidence.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics


[1] Carrier, Brian. File System Forensic Analysis. Addison-Wesley, 2005.


Magnet Forensics Releases Internet Evidence Finder v6.4


With the release of Internet Evidence Finder v6.4, Magnet Forensics adds to its list of Internet and mobile-supported artifacts, and introduces a new Business Applications and OS Artifacts Module to enable the recovery of more evidence with an IEF search.

Introducing IEF 6.4

June 18th, 2014 - Magnet Forensics, the global leader in the development of software solutions that recover and analyze digital evidence found on computers, smartphones and tablets, today announced the release of Internet Evidence Finder® (IEF) v6.4. This release adds support for new Internet and mobile artifacts, and introduces an add-on module to enable the recovery of evidence from the use of 58 business and operating system applications.

Business Applications and Operating System Artifacts Module

The Business Applications and OS Artifacts Module adds support for the recovery of 42 types of business application artifacts and 16 types of Windows operating system artifacts. With the increasing size and complexity of investigations, there is more pressure than ever for forensics professionals to streamline the investigative process and get to relevant evidence quickly. When added to an IEF license, this new module expands the types of evidence an IEF search can find beyond Internet artifacts, provides all evidence in a single consolidated report, and gives the digital forensics professional a more complete view of user activity on a computer from a single search.

Artifacts supported in the new Business Applications and OS Artifacts Module include:

  • Corporate Email and Instant Messaging Artifacts
    • Outlook OST & PST files
    • mbox email archives
    • Microsoft Lync/OCS IM
  • Document File Artifacts
    • .pdf
    • .doc & .docx
    • .xls & .xlsx
    • .ppt & .pptx
  • Windows Operating System Artifacts
    • User accounts
    • USB device history
    • lnk files
    • Prefetch files
    • Shellbags
    • Jumplists
    • Event logs
    • Mounted network shares
    • Startup items
    • Time zones
    • OS and file system info

*IEF will carve for most of these artifacts whenever possible*

Also Included in This Release:

Support for new Internet artifacts, including:

  • Google Analytics Cookies
  • eMule GUIDs

Updated support for existing Internet artifacts, including:

  • Firefox Private Browsing
  • Twitter

Support for new mobile artifacts, including:

  • Yahoo Mail
  • Google Hangouts
  • Firefox
  • TigerText
  • Burner

IEF Pricing and Licensing Options

As part of the release of IEF v6.4, Magnet Forensics is introducing changes to the naming and organization of licensing for the various IEF editions and artifact modules. The changes are intended to provide customers greater flexibility to customize their IEF license(s) to meet their investigative needs and budget. The table below summarizes the new IEF licensing and pricing:

Products                                    License *    Annual SMS
-------------------------------------------------------------------
IEF Editions
  IEF                                       $1,549       $400
  IEF Triage                                $1,799       $450
  IEF Bundle                                $1,999       $450
IEF Add-on Modules (optional components)
  Mobile Artifacts                          $600         $150
  OS & Business App Artifacts               $600         $150

* First year SMS included with license

For further details, read our blog post on Understanding the New IEF Editions and Modules
