Channel: Magnet Forensics

The IEF Files – December 2013


Welcome back to the IEF Files! In our second edition we have more commonly asked IEF questions to share with you and one general question based on Snapchat.

Our technical support specialist, Matthew Chang, is eager to hear and answer more of your questions and stories about how you use IEF, so please submit them to, and we will answer and share them in January. Have a safe and happy holiday season.

Q: Can I do an advanced search with key words for all fields in an entire case?

A: Yes you can. Not only can you search the entire IEF case, but you can search using one or multiple keywords. There are three places you can start a search:


Internet Evidence Finder - Search using one or multiple keywords

To run an advanced search, searching the entire case, including all fields/columns, using one keyword (GREP expressions can be used by checking off the GREP checkbox), click on the “Search” button on the bottom menu of the Report Viewer window or from the Tools menu, Tools>Search, or the shortcut “Ctrl+F”. Multiple keyword lists can also be entered, imported, and saved.

You can also preset keyword lists. The search results are displayed in a new window and can be saved so you can view them again at a later time by going to Search>View Last Search Results.


Internet Evidence Finder - running an advanced search

Q: Can I filter all the artifact results based on a date/time range?

A: Yes, recovered results can be filtered based on date and time. To filter, click on the “Filter” button on the bottom menu of the Report Viewer window, or from the Tools menu select Tools>Filter Results. Click on the “Run Global Date/Time Filter” and select your date/time range using the drop-down calendar.

Filtering allows you to create specific conditions that need to be matched in order for recovered artifacts to be displayed. This includes dates/times as well as all other columns, which you can add by clicking “Add Filter” and selecting from the drop-down menu. You can choose whether all conditions must be met or any one condition is enough with the “Match All” or “Match Any” buttons.

The filter results are displayed in a new window and are saved so you can view them again at a later time by opening the filter dialog box and clicking “View Last Filter Results”.



Q: How is Snapchat stored, is it in a SQLite database?

A: Unfortunately it is not. Sometimes the “snaps” can be found if they haven’t timed out and been deleted. Once they have been deleted, you need to carve, and you won’t be able to tie the recovered photos/videos back to Snapchat since they are in unallocated space.

Android Snapchat does store some metadata in an XML file that provides info on the snaps that were sent/received, the usernames, timestamps, and other metadata like if a screen shot was taken of the picture, etc. IEF can recover data from this file and/or carve it from unallocated space.
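
The carving step described above, as an added example that is not IEF's code or part of the original post: it scans a raw buffer for complete XML documents by header and footer, skips copies whose tail was overwritten, and parses snap records from what survives. The `<map>` root, the `snap` element, its attribute names and the sample bytes are assumptions constructed for illustration; the page does not give the file's real layout.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

HEADER = b"<?xml"        # XML declaration marks the start of a candidate file
FOOTER = b"</map>"       # assumption: the metadata file's root element is <map>
MAX_SIZE = 64 * 1024     # assumption: upper bound on the file's size

def carve_xml(raw):
    """Return [(offset, fragment)] for each complete header..footer span."""
    hits, pos = [], 0
    while (start := raw.find(HEADER, pos)) != -1:
        limit = start + MAX_SIZE
        end = raw.find(FOOTER, start, limit)
        nxt = raw.find(HEADER, start + len(HEADER), limit)
        if end == -1 or (nxt != -1 and nxt < end):
            # No footer before the next header: the tail was overwritten.
            pos = start + len(HEADER)
            continue
        end += len(FOOTER)
        hits.append((start, raw[start:end]))
        pos = end
    return hits

def parse_snaps(fragment):
    """Extract snap records; a fragment that is not well-formed yields []."""
    try:
        root = ET.fromstring(fragment)
    except ET.ParseError:
        return []
    records = []
    for el in root.iter("snap"):              # hypothetical element name
        when = datetime.fromtimestamp(int(el.get("ts_ms")) / 1000, tz=timezone.utc)
        records.append({"sender": el.get("sender"),
                        "recipient": el.get("recipient"),
                        "utc": when.isoformat(),
                        "screenshot": el.get("screenshot") == "true"})
    return records

# Constructed sample of "unallocated space": zero fill, a truncated copy of
# the file, filler bytes, then a complete copy. All names/values are made up.
DOC = (b"<?xml version='1.0' encoding='utf-8'?>\n<map>\n"
       b'<snap sender="alice" recipient="bob" ts_ms="1386000000000" screenshot="true"/>\n'
       b'<snap sender="bob" recipient="alice" ts_ms="1386003600000" screenshot="false"/>\n'
       b"</map>")
SAMPLE = b"\x00" * 512 + DOC[:90] + b"\xff" * 100 + DOC + b"\x00" * 256

if __name__ == "__main__":
    for offset, frag in carve_xml(SAMPLE):
        print(hex(offset), parse_snaps(frag))
```

The offset returned with each fragment is what lets an examiner cite where in the image the record was found, since carved data has no file system entry to point to.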

