It’s been a little over a week now since we released IEF v5.7 and the response has been great. We are truly fortunate to have great customers and people who support us and the work we do. Nothing makes us happier than the success stories we get back from our customers; you are the reason we work hard to improve the software, so that it works hard for you.
I thought it would be helpful to go into more detail on a few key features in v5.7. I hope you find this useful and feel free to contact us for more info. In no particular order:
Browser Activity (including Chrome Incognito/Firefox Private Browsing)
This is an exciting new artifact that requires a bit of background info. The Browser Activity artifact recovers browser-related URLs, including Chrome Incognito and Firefox Private Browsing URLs, HTTP request artifacts from multiple browsers, and regular web browsing. Yes, even though Chrome and Firefox do a much better job in their “private browsing” modes than IE, the URLs can still be found in live RAM, the pagefile.sys/hiberfil.sys files, and possibly unallocated space. (On an unrelated note, I love how all the browsers advertise their private browsing modes as being good for “shopping for a birthday present”…I don’t think there are many people out there who saw private browsing as a great way to hide their gift shopping, but maybe I’m just jaded.) Image may be NSFW.
Clik here to view.
But I digress…So, these artifacts do not include the usual data we hope and expect to see with browser history, they won’t have meta data like the Windows username, dates/times, etc. And while the intended use for this artifact is to recover private/incognito browsing, various types of browsing activity will be recovered due to the nature of this artifact. Please note when viewing results that some recovered URLs can be from background browser processes related to certificate authorities, etc. Those will be fairly obvious, however. You won’t be seeing searches for “clown porn” or other obvious user activity being launched by the browser on its own, of course…That being said, this artifact is meant to assist with intelligence gathering and to recover browsing history when dealing with extreme cases where only private browsing was used or other forms of anti-forensics were employed. I wouldn’t hang my hat on web history from this artifact alone but it’s a great resource when dealing with a savvy suspect.
Google Maps
We also think this will be a very interesting new addition for many people. It’s a bit of a two-fold feature. We first filter all recovered web history for Google Maps URLs, and then parse out any interesting data that is present, such as the location/address the user entered, the starting point/destination of a route, latitude and longitude coordinates, the route type of the search, any additional addresses in the route, the date/time the search was performed, and more. Sometimes more or less fields are present, depending on how and where Google Maps was accessed.
The second thing we do is carve through all data (pagefile.sys/hiberfil.sys file, unallocated clusters, etc) for Google Maps URLs and parse the data out of the URL much like how we do it in the above scenario. The nice thing about this part of the search is that even if a URL is not identifiable as belonging to a specific browser’s web history (fragmented, missing data, etc), we can still find it and parse out the relevant map usage details.
These artifacts could be very useful in missing children and luring cases where a child may have obtained Google Map directions to a suspect’s location or meeting point. In these cases, data indicating if some kind of public transit route (bus, train, etc.) was queried could be very valuable in quickly tracking down the whereabouts of the child.
Web History Categorization
Finally, I’ll talk a bit about the new web categorization we’ve added in IEF v5.7. Essentially what we are doing here is filtering all the recovered web history records for dating sites (Match.com, Plenty Of Fish, eHarmony, etc), classifieds sites (Craigslist, Backpage, etc), cloud services (Dropbox, Skydrive, Google Drive, etc), social media sites (Facebook, Twitter, LinkedIn, etc), and Web Chat sites (Chatroulette, Omegle, Tinychat) and placing those URLs in quick-reference categories for you to view. Our intention is to help you get to the important, relevant records faster and easier.
That’s all for now, there’s many more new artifacts/features in v5.7 which I may cover in a later blog post. In the meantime, please upgrade to v5.7 if you are a current user of IEF to take advantage of these new additions, or if you are on an older version of IEF (or have never used IEF), please download a trial now!
As always, please feel free to let us know what you think or share with us your ideas for continuing to improve IEF.
Thanks and have a great end-of-the-week! (and to our US customers, Happy Thanksgiving!)
Jad