This is the fourth blog post in a series of six about the new features included in IEF v6.5.
With the release of IEF v6.5, we’ve added a number of key features to help you analyze evidence more efficiently. In this blog post, I’ll highlight some of the main features and demonstrate how they can help with your current investigations.
Added Hashing Support
Earlier this year, we introduced hashing support to IEF, allowing investigators to easily categorize known files or import Media Hash sets into their cases. With the release of IEF v6.5, we’ve expanded our hashing support by providing users with the ability to add File Hash sets.
In particular, you can now import hash sets from the National Software Reference Library (NSRL) Whitelist, a collection of hash values that represent known-good operating system files. The NSRL Whitelist is commonly used by forensic practitioners to eliminate unaltered standardized files from an investigation. The latest NSRL release includes hash values for many Windows operating systems and other applications. Adding this hash list to the File Hash Sets within IEF will filter out files known not to provide evidentiary value, dramatically reducing the amount of recovered data you will need to analyze.
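The filtering step described above, sketched as an added example (this is not IEF's code or anything published by Magnet Forensics). It assumes a hash set in the NSRL RDS 2.x `NSRLFile.txt` column layout, runs on constructed sample data, and keeps rows carrying the `M` (malicious) special code out of the known set so those files still surface for review.

```python
import csv
import hashlib
import io

COLUMNS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
           "ProductCode", "OpSystemCode", "SpecialCode"]  # assumed RDS 2.x layout

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()

def load_known_hashes(nsrl_file, skip_special=("M",)):
    """Collect SHA-1 values from an NSRLFile.txt-style CSV stream.
    Rows whose SpecialCode is in skip_special are not treated as known-good."""
    known = set()
    for row in csv.DictReader(nsrl_file):
        if (row.get("SpecialCode") or "").strip() in skip_special:
            continue
        known.add(row["SHA-1"].strip().upper())
    return known

def triage(evidence, known):
    """Split {path: bytes} into (filtered_out, to_review) by SHA-1 membership."""
    filtered, review = [], []
    for path, data in sorted(evidence.items()):
        (filtered if sha1_hex(data) in known else review).append(path)
    return filtered, review

def build_sample():
    """Constructed evidence and a matching constructed hash set (not real NSRL data)."""
    evidence = {
        "Windows/System32/notepad.exe": b"constructed stock binary A",
        "Windows/System32/calc.exe": b"constructed stock binary B, altered",
        "Users/a/tool.exe": b"constructed flagged tool",
        "Users/a/notes.docx": b"constructed user document",
    }
    rows = [(b"constructed stock binary A", "notepad.exe", ""),
            (b"constructed stock binary B", "calc.exe", ""),  # unaltered original
            (b"constructed flagged tool", "tool.exe", "M")]
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    writer.writerow(COLUMNS)
    for data, name, special in rows:
        # MD5 and CRC32 are left empty in this constructed sample
        writer.writerow([sha1_hex(data), "", "", name, len(data), 1, "WIN", special])
    return evidence, io.StringIO(out.getvalue())

if __name__ == "__main__":
    evidence, nsrl = build_sample()
    filtered, review = triage(evidence, load_known_hashes(nsrl))
    print("filtered out:", filtered)
    print("left for review:", review)
```

The altered `calc.exe` no longer matches its reference hash, so it stays in the review set along with the user document and the flagged tool.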
Bookmarking Comments and Tags
With the release of IEF v6.5, users will now be able to add text comments and/or tags to bookmarked artifacts. This increased functionality allows you to better manage your evidence for quicker review and reporting.
Bookmarking, tagging and adding comments to individual artifacts allows you to effectively keep track of evidence and create reports based on the particulars of your case. For instance, users could use bookmarking tags to track and manage evidence relating to a particular suspect. Investigators can then sort bookmarks by tag to quickly and efficiently analyze evidence that relates to a particular grouping. By incorporating comments, investigators can share important insights on bookmarked artifacts. For an in-depth look at bookmarking and tagging in IEF, check our blog on Adding Tags & Comments to Bookmarks in IEF Report Viewer.
Timeline Improvements
A number of new capabilities have been added to IEF’s Timeline feature to make artifact analysis easier. When viewing data in Timeline, users can simply click on an artifact to instantly view the artifact in Report Viewer. This allows investigators to quickly access additional information about a particular file that is not available within the Timeline view.
We have also included the tagging and comment functionality in the Timeline view. Similar to the bookmarks, the tags and comments created within Timeline will automatically be added to the case in Report Viewer.
Finally, users can now hide individual columns of data within Timeline, allowing them to exclude non-relevant data and focus only on artifacts important for their case. There are two methods for hiding individual file columns from the Timeline. Users can either access the “Show and Hide Columns” option in the Tools menu, or right-click on the individual artifact column (listed in the All Results section) and add that column to the Hide Column list.
Multi-level Searching
We have added multi-level searching capabilities to IEF, a feature that many of our customers have asked for. Prior to v6.5, users were limited to conducting only single keyword searches. Investigators can now run multi-level searches, meaning they can use the results of an initial keyword search to run a subsequent search. This can be done by adding a list of keywords in the Tools/Search area, or by adding a single keyword to the search box.
Once you run an initial keyword search in IEF, a new Search Hits window will appear with your results. From here, you can now run a secondary search by adding a keyword into the search bar. Conducting a secondary search will narrow down your results and show only those that match both the initial and secondary searches.
Please let me know if you have any questions, suggestions or requests. I can be reached by email at ryan(dot)duquette(at)magnetforensics(dot)com.
Ryan Duquette
Senior Manager of Forensics, Magnet Forensics
