This is the fifth blog post in a series of six about the new features included in IEF v6.5
In the fouth blog post in this series, I highlighted all of the new analysis features included in IEF v6.5. This post will go more in-depth into enhancements made to our bookmarking feature, that will allow you to effectively organize the evidence involved in your case, and present reports that are customized to your requirements.
Bookmarking and Editing Comments
We’ve had many requests to add the capability to comment on individual artifact entries that have been bookmarked in IEF Report Viewer. With the release of v6.5, you can now bookmark an entry by right-clicking on it, then selecting ‘Bookmark and Edit Comment’. This will automatically save the item, and allow you to comment on it.
Adding comments directly to an entry can be used for a variety of reasons: you can add comments to highlight important information about a particular artifact, include additional information that may not be listed in the artifact details view, or leave a note for another investigator you’re collaborating with on the case. Here’s an example:
When you share your findings with another investigator using IEF’s Portable Case feature (that allows them to see all recovered evidence in IEF Report Viewer), they can also edit the comments to add their thoughts, which makes collaborating with other stakeholders quick and painless:
Bookmarking and Tagging
When using IEF v6.5 to analyze evidence, you can now add customized tags to bookmarked items based on the evidence contained in your case. Does your case involve two suspects? Were there multiple people using the computer you’re analyzing? Under these circumstances, creating custom tags for individuals, or for categories of evidence allow you to quickly sort evidence into manageable blocks of data.
Adding a Tag is easy: all you have to do is right-click on the bookmarked item you want to tag, click on ‘Tag As…’, then add the item to a pre-existing category, or create a new one. And if your evidence pertains to multiple suspects, you can tag an item into multiple categories.
In the below example, I’ve created tags for two suspects:
Sorting by Tags and Comments
There are multiple ways to quickly sort your evidence by the tag categories you created. When you are viewing evidence within the bookmark view, one way is to sort items by Bookmark Tag. This will show you all of the evidence in your case that has been tagged. As you can see in the following example, you can also see the beginning section of any comments that may have been added to a bookmarked item:
If you want to get even more granular in your searching and viewing of tagged evidence, IEF v6.5 allows you to view only the evidence with a specific tag.
You also have the option to create reports that show all of the evidence related to a specific bookmark tag. For example, if you wanted to create a separate report showing evidence that relates to one suspect, here’s what it could look like:
Timeline Tagging and Commenting
There are multiple ways you can use IEF Timeline for tagging and commenting on individual artifact entries. You can create comments and tags within IEF Timeline the exact same way you can in IEF Report Viewer. Right clicking on any individual entry within timeline allows you to choose to either “Bookmark and Edit Comment”, “Bookmark and Tag as.”, or if the item is already bookmarked you will have the options to only “Edit Comment” or “Tag As.”
Once again, you can tag items into one or multiple tag categories. Similar to IEF’s bookmarking feature, any tags or comments you add to a bookmark, will be automatically transferred to IEF Report Viewer.
Another great option to view Timeline information on one suspect (or tag category) is to follow the steps mentioned above in the “Sorting by Tags and comments” by viewing evidence in relation to one (or more) tag. Once you are viewing only one (or more) tags, you can then view a timeline for only that tag(s).
As shown above, the new Tagging and Commenting functionality offered in v6.5 is a dramatic advancement from the traditional Bookmarking features in earlier releases. Tagging and Commenting allows you as an investigator to not only dive deeper into your evidence, but also to customize your reports based on categories of data important to your case.
Please let me know if you have any questions, suggestions or requests. I can be reached by email at ryan(dot)duquette(at)magnetforensics(dot)com.
Here are some related resources you might also be interested in:
- Read the next blog in our series: Recovering Evidence from F2FS File Systems with IEF
- New to IEF: Request a 30-day trial
- Current customers: Upgrade to IEF v6.5
Ryan Duquette
Senior Manager of Forensics, Magnet Forensics
