Learn how Internet Evidence Finder (IEF) complements EnCase and/or FTK

I thought I would spend some time explaining how Internet Evidence Finder (IEF) can complement the investment you have made in EnCase and/or FTK . The world of forensics has certainly changed over the past 5 years with much more evidence being found in Internet-related artifacts like Facebook, Twitter, Gmail, Skype, Google Talk, Yahoo Messenger and many others. In addition, the way we use computers has changed over the past few years with “always-on” broadband connections being ubiquitous. More and more daily tasks and communications are happening in the “cloud”. This has caused Internet–related artifacts to become an essential part of every investigation.

The myriad and continually changing ways to share information via social media has resulted in a goldmine of potential evidence: profiles, lists of friends, group memberships, messages, chat logs, tweets, photos, videos, tags, GPS locations, check-ins, login timetables and more.

We have consolidated what we believe are the top 5 reasons to consider putting IEF into your toolbox to complement EnCase and FTK .

Save precious time by getting to the evidence quickly. IEF is a targeted single search that gives you the ability to search all 220 artifacts in a few easy steps. IEF does all the heavy lifting for you and recovers the Internet-related data without any manual intervention. You can get up and running in less than 1 minute and the data starts populating in the report viewer in real-time. Just “Set it and forget it”.

For example, we ran a Full search with Internet Evidence Finder (IEF) on a computer with the following specs: Intel i7-3770 3.80GHz CPU (4 cores, 8 logical processors), 16GB RAM, 2TB Seagate 7200rpm SATA drive (contained the evidence files), Windows 8 64bit OS. It took 4 hours, 4 minutes, and 44 seconds and recovered 122,985 Internet related artifacts. The search summary is pictured above.
Dead simple to use.IEF takes the need of having an extensive forensics background out of the equation. The operator only needs to answer a few simple questions that do not require deep technical knowledge.
Only 3 steps and you are recovering the evidence. First pick your drive or image, then select the artifacts to search for, and then view the results in a standardized report. The learning curve is very minimal and you don’t need extensive training to feel confident in using the product.

Point it at the drive, file/folder, or forensic image.

Select which Internet artifacts to search for. They are all checked by default.

Click “FIND EVIDENCE” and the results start populating the report viewer in real-time.
Tools to make it easier to find the key evidence. IEF can rebuild webpages into their original form which is often critical in court for a jury or judge. Other capabilities include pulling out the search engine keywords the subject used on the major search engines. In addition, IEF can refine picture results by skin tone, categorize visited URLs, and decode Facebook URLs.
Standardized reporting that’s easy to understand and explain. IEF will produce a well-documented report in all the common formats every time. Easily create a report in pdf, excel, html, csv, tab-delimited formats, or create a portable case and share it with others like prosecutors that don’t have IEF.
Find evidence that you didn’t know was there. IEF can recover over 220 Internet-related artifacts including social networking sites, webmail, cloud artifacts, instant messaging history, web browser history (including private browsing), P2P file sharing apps, iOS backups, and pictures & videos. IEF’s search algorithm was purpose built for recovering data from today’s Internet communication sites and applications. Our expertise is in the recovery of Internet-related artifacts and keeping up with the constant changes of these Internet artifacts. It doesn’t matter if the artifacts are in unallocated space or where they normally logically exist, IEF will make it as simple as possible and grab all the artifacts it can find no matter where they are.