When it comes to computer forensics, investigators often rely on a variety of tools to find the evidence they need. The real challenge is understanding how to use these tools together to make your investigations more efficient while still maximizing your results. In a previous blog post, we discussed the top reasons to use EnCase and IEF together to enable investigators to work through cases more thoroughly and efficiently. In this post, I want to take an in-depth look at how to integrate both tools into your investigations and get the most out of your analysis.
Typical Workflow with EnCase
Most examiners who currently use EnCase will use a workflow similar to the following:
- Acquire the evidence
- Load the image into EnCase
- Search for relevant evidence using some of these methods:
  - Keyword searches
  - EnScripts
  - Hashing
  - Carving
  - Manual searches in common locations
  - Etc.
- Bookmark, comment, and sort your data
- Report your findings
Improved Workflow with EnCase and IEF
Due to case backlogs and larger datasets, many examiners have had to adapt their workflows by automating the recovery of the most common types of evidence found on a system. This is where IEF can assist in your investigations.
Here is a new workflow that will help investigators better manage their increasing caseloads:
- Acquire the evidence
- Run IEF to automate the recovery of common evidence
- Review the refined results produced by IEF to reduce the data being analyzed
- Bookmark, comment, and tag the relevant evidence
- Load your results into EnCase
- Perform any additional targeted analysis as needed
- Report your findings from both tools in the same EnCase format you’re familiar with
By running IEF on your case, you can analyze a more refined set of data that is easier to manage, with results presented to the examiner in a way that highlights the data most relevant to your investigation.
EnCase is an extremely versatile tool that allows investigators to target their search efforts and recover valuable data from known locations. IEF can be used to efficiently recover and analyze large volumes of data and present results in an easy-to-interpret format. EnCase and IEF were designed to aid investigators in different ways, and they can be used together in your investigations.
One of the easiest ways to leverage both tools is by integrating your analysis results into one platform. To help with this, we’ve created a few EnScripts and modules to import your IEF data into EnCase for more unified analysis and reporting.
EnScripts
The team here at Magnet Forensics collaborated with the team at Guidance Software to develop three integration options that allow investigators who use both EnCase and IEF to initiate IEF searches from within EnCase and/or more easily import IEF recovered artifacts into EnCase. The three integration options we have released are:
- IEF to EnCase Connectors – EnScripts that allow IEF searches to be initiated from within EnCase
- IEF Evidence Processor Module for EnCase – Executes an IEF search as one of the pre-processing tasks within EnCase
- IEF LEF Creator for EnCase – An EnScript that imports IEF search results into EnCase as a Logical Evidence File (LEF)
Integrating these tools into your current processes will help uncover the truth quickly while allowing examiners to work within whichever tool they are most comfortable with.
IEF to EnCase Connectors
Available for both EnCase versions 6 and 7, the IEF to EnCase Connector allows investigators to launch a command line version of IEF from within EnCase. After creating your case and either previewing, acquiring, or loading your image file into EnCase, click on the IEF to EnCase Connector EnScript and the following options window will be displayed:
These options allow the investigator to choose whether to perform a quick, full, or sector-level search. You can then select whether to export your results to IEF only, to an Excel spreadsheet, or to bring the data back into EnCase as an LEF record. The next options cover artifact selection. While the connector doesn’t list every specific artifact available within the IEF application, it does allow the user to select artifact groups (for a more detailed list of the supported apps and artifacts, see here).
Once you’ve completed the configuration, IEF is launched against the evidence and the search begins. IEF automatically searches hundreds of known files and locations, recovers data of evidentiary value, and presents the results in both IEF and EnCase for analysis. From there, investigators can choose to work within either IEF or EnCase to analyze and report on their findings.
IEF Evidence Processor Module for EnCase
The IEF Evidence Processor module can also be used to integrate search results from both IEF and EnCase. Unlike the EnScript connector, however, the processor module allows investigators to include an IEF search as a processing activity in EnCase (in the event your investigation includes some pre-analysis processing). Once the module is added to EnCase, investigators will see it listed as “Internet Artifact Search with IEF by Magnet Forensics” among the processing options.
The processor module works extremely well when the examiner plans to run several processes and searches overnight and then begin analysis the next day.
IEF LEF Creator for EnCase
The third tool available to help investigators integrate IEF and EnCase is the LEF Creator EnScript. This tool allows investigators to import evidence collected with IEF into EnCase to assist with further analysis. Examiners can then perform additional tasks on an already completed IEF search or quickly verify their findings with a secondary tool.
Once you’ve launched the LEF Creator, simply identify the location of the IEF case folder. The script will pull all the evidence collected with IEF into EnCase as an LEF, which can be searched or analyzed within EnCase. The artifacts recovered from IEF will be reported as records within EnCase where the investigator can proceed to bookmark or search the IEF records together with any evidence already loaded into EnCase. Another benefit of consolidating evidence from multiple tools is the ability to organize data into one uniform report for all of the case stakeholders.
The tools discussed above are designed to complete your examination quickly and efficiently. With growing caseloads and larger sources of evidence to be analyzed, forensic examiners need to find better ways to analyze data quickly without sacrificing the quality of their analysis. Tools such as EnCase and IEF were designed to do just that, and by using these tools together you will not only speed up your investigations but also improve on the finished report or product.
Please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.
Jamie McQuaid
Forensics Consultant, Magnet Forensics
