In this post, I want to go over a few of the new features that were introduced in IEF v6 that are subtle, but significant additions to IEF v6.
Jad recently explained the new powerful Timeline viewer that was introduced, so I will skip over that in this post.
Virtual Disk support
IEF v6 introduced parsing support of several common virtual disk structures. Now you can choose “Images” from the initial screen and point directly to a VMDK or VHD file just like an E01 or dd image.
IEF v6 even supports loading snapshot versions of VMDK disks.
DMG image and HFS+/HFSX file system support
IEF v6 can now natively load and parse DMG images, commonly used in the OSX environment. You can also now load image files that contain HFS+ and/or HFS+ file systems and IEF will parse them for all the supported artifacts just like an NTFS image.
Multi-core support
Time to break out the multi-core workhorses☺. IEF v6 now takes advantage of multi-core machines and significantly improves processing times. There is an option on the main menu that let you limit the number of cores IEF will use (default setting is to use up to eight, if available).
Network share support
IEF v6 now fully supports parsing data on remote storage that is accessible through a network SMB share. Any mapped or UNC path can be used to access remote files by selecting the initial “File/Folders” option.
You can even load administrative shares such as \\remotehost\c$ as long as you have the correct credentials to view the remote host’s administrative hidden share(s).
Auto-update feature
When used on a computer that has Internet access, IEF will now automatically check for updates upon startup and prompt you to download them, if available. For computers located in labs and secure locations, this “auto-check” can be turned off you (Tools->Auto-check) and you can download the latest version from the customer portal anytime.
As always, if you have any comments, suggestions or questions,
you can contact me directly at: lance (at) magnetforensics.com
