
The IEF Files – November 2013

At Magnet Forensics our goal is to develop the best possible digital forensics tools. One of the ways we do this is by talking to our customers—we get your feedback, hear stories about how you use our software and learn about your ideas to make our products even better. Through this process we have gained valuable insight on how we can improve IEF; but we have also noticed some commonly asked questions.

To address these questions we are starting a new blog feature called “The IEF Files”. In this blog our rockstar technical support specialist, Matthew Chang, will answer some of your most commonly asked questions, and will share IEF best practices we’ve learned from you and your peers.

We want to hear your questions and stories about how you use IEF, so please submit them toand we will share and answer your questions and stories once a month.

Q: What does it mean when the Last Visited Date/Time field record says “(local) (timezone not converted)” after the time and date?

A: When you first load a case, the IEF Report Viewer will determine if a time zone has been associated with that case. If a time zone has already been set for that case it will be used by default. If the case does not have a time zone associated with it, the IEF Report Viewer will use the global time zone settings, if any. If there are no global settings saved then the IEF Report Viewer will default to UTC/GMT.

The time zone you are using is displayed in the “Date/Time” headers.

[Screenshot: IEF date/time headers]

Sometimes an artifact’s record is displayed with “(local) (not timezone converted)” in line with the date and time:

[Screenshot: IEF artifact record displayed with (local) (not timezone converted) in line with the date and time]

This means that IEF has not converted the time zone of that record: it is displayed with the date/time stamp exactly as it was stored, in the local time of the machine the evidence was acquired from. IEF determined the value was not encoded in standard UTC, and because the original time zone of that machine is unknown, no conversion can be applied. As a result, the time is labelled “(local) (not timezone converted)”.
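The precedence and labelling rules described above, as an added example that is not Magnet Forensics’ code: a small Python model that picks the display zone (case setting, then global setting, then UTC/GMT), converts UTC-encoded records into it, and leaves non-UTC records unconverted with the “(local)” label. The zone strings (“UTC-05:00” style fixed offsets) and the sample records are constructed assumptions for the illustration.

```python
# Added illustration, not Magnet Forensics code. Zones are fixed offsets
# such as "UTC-05:00" so the example needs no tz database.
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

LOCAL_LABEL = "(local) (not timezone converted)"
_OFFSET_RE = re.compile(r"^UTC(?:([+-])(\d{2}):(\d{2}))?$")

def parse_zone(spec: str) -> timezone:
    """Turn 'UTC', 'UTC+01:00' or 'UTC-05:00' into a fixed-offset tzinfo."""
    m = _OFFSET_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported time zone spec: {spec!r}")
    if m.group(1) is None:
        return timezone.utc
    sign = 1 if m.group(1) == "+" else -1
    offset = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    return timezone(sign * offset, spec)

def effective_zone(case_tz: Optional[str], global_tz: Optional[str]) -> timezone:
    """Display zone precedence: case setting, then global setting, then UTC/GMT."""
    return parse_zone(case_tz or global_tz or "UTC")

def render_timestamp(stored: datetime, utc_encoded: bool, zone: timezone) -> str:
    """Format one Last Visited Date/Time value from its naive stored form.

    A UTC-encoded value is converted into the display zone. Anything else is
    in the unknown local time of the imaged machine: print as-is and label it.
    """
    if utc_encoded:
        shown = stored.replace(tzinfo=timezone.utc).astimezone(zone)
        return shown.strftime("%Y-%m-%d %H:%M:%S ") + zone.tzname(None)
    return stored.strftime("%Y-%m-%d %H:%M:%S ") + LOCAL_LABEL

# Constructed sample records: (artifact, stored time, was it UTC-encoded?)
SAMPLE_RECORDS = [
    ("Chrome history", datetime(2013, 11, 15, 18, 30), True),
    ("IE index.dat", datetime(2013, 11, 15, 13, 30), False),
]

def render_report(case_tz: Optional[str], global_tz: Optional[str]) -> List[str]:
    """Render the sample records with the zone the viewer would choose."""
    zone = effective_zone(case_tz, global_tz)
    return [f"{name}: {render_timestamp(ts, is_utc, zone)}"
            for name, ts, is_utc in SAMPLE_RECORDS]
```

Note that the two sample records print the same clock time under a UTC-05:00 case setting even though only the first one was actually converted; the label is the only thing telling the examiner which value can be trusted across evidence sources.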

Q: I want to use my computer while IEF is running, but it maxes out my CPU resources during a search. Can I do both?

A: Yes you can. IEF will detect the number of data processors you have on your system and then give you the ability to configure how many it uses during a search—allowing you to work while it does.

From the toolbar, go to Tools->Data Processor Settings. A pop-up window will appear where you can choose the maximum number of cores you want IEF to use during the search.

[Screenshot: IEF - choose the maximum number of cores you want IEF to use during a search]

Q: I noticed a [+] sign on some of the artifacts on the Artifact Selection Screen, what is that?

A: The [+] sign indicates that the artifact has multiple “sub-artifacts” or search options available. Examples include Yahoo! Messenger, Facebook, Internet Explorer, Limewire/Frostwire, and more. Some examples are described below.

[Screenshot: Example of IEF artifacts with multiple sub-artifacts]

Yahoo! Messenger

  • Search for Yahoo! Messenger usernames on evidence through the “Options” button
  • Please ensure that you have selected the image/drive to be searched from the drop-down menu before clicking Find Yahoo! Usernames
  • Specify a date range to help reduce false positive hits
  • False Hit Filtering: IEF uses many validation procedures to remove false positive hits when recovering Yahoo! Messenger chat logs. In testing recovered data, IEF can be set to different levels of validation, from very strict (more messages filtered out), to least strict (more messages included in report). By default this is set to Medium Strictness

Pictures

  • Turn on/off skin tone detection
  • Specify saved picture size (use original size or resize it to a max width/height of your choice)

Dropbox

  • Enter the user’s Windows login password(s), required to decrypt filecache.dbx.
  • Please note: Dropbox decryption is only available on drives/images which had Windows XP installed and in use.
