Internet Evidence Finder - IEF

What it does

Simply put, IEF is a software application that searches a hard drive or individual files for Internet-related artifacts. It is a data recovery tool geared toward digital forensics examiners, but it is designed to be straightforward and simple to use.


IEF v4 searches the selected drive, folder (optionally including sub-folders), or file (memory dumps, pagefile.sys, hiberfil.sys, etc.) for Internet artifacts. A case folder is created containing the recovered artifacts, and the results are viewed in the IEF v4 Report Viewer, where reports can be created and data exported to various formats.


IEF has gone through a great many revisions and transformations on its way to Version 4. There is now also a Portable Edition of IEF v4.


It can currently find:
  • Facebook® Chat
  • Facebook® Web Page Fragments
  • Facebook® Email “Snippets”
  • Facebook® Emails
  • Facebook® Status Updates / Wall Posts
  • Twitter® Status Updates
  • GoogleTalk® Chat
  • Gmail® Email Fragments
  • Gmail® Email “Snippets”
  • Yahoo!® Messenger Chat
  • Yahoo!® Webmail Chat
  • Yahoo!® Messenger – Non-Encrypted Chat
  • Yahoo!® Messenger – Group Chat
  • Yahoo!® Messenger Diagnostic Logs
  • Yahoo!® Webmail
  • Internet Explorer 8® (IE8) InPrivate/Recovery URLs
  • MSN®/Windows Live Messenger® Chat
  • Hotmail® Webmail
  • Messenger Plus!® Chat Logs
  • Firefox® places.sqlite History Artifacts
  • Firefox® formhistory.sqlite Artifacts
  • Firefox® sessionstore.js Artifacts
  • AOL® Instant Messenger Chat Logs
  • MySpace® Live Chat
  • Bebo® Live Chat
  • Limewire.props Files
  • Limewire® v5.2.8 to v5.5.16 Search Keywords
  • Limewire®/Frostwire® v4.x.x Search Keywords
  • Frostwire.props Files
  • mIRC® Chat Logs

The details for each artifact are given below:

Facebook® Chat Messages

Description: Messages sent and received using the Facebook® live chat feature. Information found with a message can include the Facebook® profile ID used to send/receive it, the from/to names and IDs, and the date/time (in UTC) the message was sent. However, there are several different formats of Facebook® chat, and not all of them include all of this data.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, temporary Internet files, the $Logfile (a special NTFS file used for recoverability purposes), file slack space, and unallocated clusters
Estimated Likelihood of Recovery: High

Facebook® Page Fragments

Description: Facebook®-related web pages, including but not limited to the Inbox page, emails, photo galleries, groups, and so on. Most recovered items will be fragments rather than the complete page, but attempts are made to recover the entire page and to filter out false positives. A header is added to each fragment to aid in viewing the page in its original format.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, temporary Internet files, and unallocated clusters
Estimated Likelihood of Recovery: Low to Medium

MSN®/Windows Live Messenger Chat Messages

Description: Chat messages sent/received using Windows Live Messenger®. Located messages are exported into text files (for MSN protocol fragments) or into a report file (for regular chat log messages). MSN protocol fragments usually include only a line of chat and sometimes the sender’s email address immediately before the message.
Prior versions of IEF attempted to recreate the original log files, but the new method of searching for individual messages allows much more chat to be recovered.
(Note: The Windows Live Messenger® search option is backwards compatible with MSN Messenger®, and these two program names are used interchangeably in IEF.)
Possible locations: MSN/WLM chat log files, live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and unallocated clusters
Estimated Likelihood of Recovery: High

Yahoo!® Chat Messages

Description: Chat messages sent and received using Yahoo!® Messenger. These messages are logged in an encrypted format that requires the local username to decrypt them. The username is usually the first half of the email address used to log in (e.g. if the login email address is jasonho@yahoo.com, the username is jasonho). IEF v4 can, however, decrypt messages that have not been deleted without a username being supplied. When searching unallocated space, memory dumps, etc., some false positives are unavoidable because of the format of these chat logs and because there is no way to tell whether a fragment was decrypted successfully.
IEF uses a number of validations to filter out these false positive hits, and with v4 you can also specify an acceptable time frame and the filtering strictness to further reduce false hits.
Possible locations: Yahoo! Messenger chat logs, live memory dumps, the pagefile.sys/hiberfil.sys files, the $Logfile (a special NTFS file used for recoverability purposes), file slack space, and unallocated clusters
Estimated Likelihood of Recovery: Medium to High
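
As an added illustration (not IEF’s code, and not a description of the real Yahoo!® Messenger log format, which this page does not specify), the Python below carves records out of a constructed buffer in which each message body is XOR-obscured with the local username while the header stays in the clear. It shows the three points made above: the username is the decryption key, decrypting arbitrary bytes never fails so every offset is a candidate, and only a time window plus a printability check (with a strictness setting) separates real records from false hits. The record layout, the two sample messages and the junk around them are all constructed for this example.

```python
import random
import struct
from itertools import cycle

HEADER = struct.Struct("<III")   # constructed layout: unix timestamp, direction (0=sent, 1=received), body length
MAX_MSG_LEN = 4096


def xor_with_key(data, key):
    """XOR data against the repeating bytes of key; symmetric, so it both obscures and recovers."""
    return bytes(b ^ k for b, k in zip(data, cycle(key.encode())))


def build_record(ts, direction, message, username):
    """Serialise one record in the constructed layout: header in the clear, body XOR'd with the username."""
    body = xor_with_key(message.encode("utf-8"), username)
    return HEADER.pack(ts, direction, len(body)) + body


def printable_ratio(data):
    return sum(32 <= b < 127 for b in data) / len(data) if data else 0.0


def carve_records(buf, username, t_min, t_max, strict=True):
    """Treat every offset as a candidate record and keep those that survive validation.

    t_min/t_max: acceptable timestamp window (unix seconds), set from the case timeline.
    strict=True demands a fully printable body; strict=False tolerates 10% non-printable
    bytes (emoticon codes and the like) at the cost of more false hits.
    """
    threshold = 1.0 if strict else 0.9
    hits = []
    for off in range(len(buf) - HEADER.size + 1):
        ts, direction, length = HEADER.unpack_from(buf, off)
        if not (t_min <= ts <= t_max and direction in (0, 1) and 0 < length <= MAX_MSG_LEN):
            continue
        start, end = off + HEADER.size, off + HEADER.size + length
        if end > len(buf):
            continue
        body = xor_with_key(buf[start:end], username)
        if printable_ratio(body) < threshold:
            continue            # XOR "succeeded" but yielded garbage: wrong key, or not a record at all
        hits.append({"offset": off, "timestamp": ts,
                     "direction": "received" if direction else "sent",
                     "message": body.decode("utf-8", "replace")})
    return hits


def sample_image(username="jasonho"):
    """Constructed 'unallocated space': two records buried in seeded random junk."""
    rng = random.Random(7)
    junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    first = build_record(1293840000, 0, "hey, are you still coming tonight?", username)
    second = build_record(1293840065, 1, "yes, leaving in ten minutes", username)
    return junk(300) + first + junk(150) + second + junk(200)


if __name__ == "__main__":
    image = sample_image()
    window = (1293000000, 1294500000)          # roughly late Dec 2010 to mid Jan 2011
    for hit in carve_records(image, "jasonho", *window):
        print(hit)
    wrong = carve_records(image, "alice", *window)
    print("hits with the wrong username:", len(wrong), [h["message"] for h in wrong])
```

A wrong username does not produce an error here: the headers still validate and the XOR’d bodies come out as garbage that may still be largely printable. That is why a fragment’s decryption cannot be confirmed mechanically, and why the time window and strictness setting reduce, rather than eliminate, false hits; each hit still needs to be read in context.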

GoogleTalk® Chat Messages

Description: Messages sent or received using GoogleTalk® live chat within Gmail® webmail. Information found with the message can include the message ID, the sender/recipient email addresses, and the sender’s/recipient’s ID. Dates and times cannot be recovered at this time. This search option may also recover chat left behind by other chat programs that use the ‘Jabber’ protocol (the sender/recipient ID will be your clue, as it contains an abbreviated name of the client used by that person).
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and unallocated clusters
Estimated Likelihood of Recovery: Low

Yahoo!® Webmail Chat Messages

Description: Messages sent or received using the live chat built into Yahoo!® Webmail. Information found with the message can include the status number, the version number and vendor ID, the session ID, and the sender/recipient usernames. Dates and times cannot be recovered from this type of artifact at this time.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, and possibly on other areas of a hard drive
Estimated Likelihood of Recovery: Low

Gmail® Email

Description: This search recovers Gmail® email fragments left behind in live memory. The information found will vary, and this search does not parse anything out. IEF will do its best to clean up the located fragment and convert encodings into a more readable format. Some fragments will be of the folder view, with the sender name/address, subject, and first segment of the body of the email.
See the Gmail® Email “Snippets” search for a parsed version of this search.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, and possibly unallocated clusters
Estimated Likelihood of Recovery: Low to Medium

Limewire® v5.2.8 – v5.5.16 Search History

Description: Search keywords left behind in live memory by Limewire® (tested with Limewire® v5.2.8 to v5.5.16). Each recovered search term has an associated number indicating how many search results had been returned for that term at the time the keyword was left in memory. The recovered terms are keywords entered by the local user; keywords that merely passed through the client from other clients on the P2P network (“Incoming Searches”) are not recovered.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, and possibly unallocated clusters
Estimated Likelihood of Recovery: Low

Limewire.props files

Description: This search finds fragments of Limewire.props files. These files contain configuration data for the Limewire® peer-to-peer file sharing client and can include geo-locations, recent downloads, and many other useful items.
Possible locations: Limewire configuration folders, live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Medium to High

IE8 InPrivate/Recovery URLs

Description: These artifacts are URLs visited during “InPrivate” browsing in IE8 and URLs saved in Internet Explorer recovery files (used to restore tabs after a crash). At this time there is no known method of distinguishing between the two types of URL artifact, except that an artifact located inside an IE8 recovery file is not from InPrivate browsing. A page title or description is also found with the URL, but it is not always present.
Possible locations: IE8 recovery files, live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and unallocated clusters
Estimated Likelihood of Recovery: High

Yahoo!® Messenger Group Chat

Description: Messages sent or received in Yahoo!® Messenger group chat rooms. Information found within these fragments can include the date/time, the username that sent the message, and the message itself. The name of the Yahoo! Messenger group in which the message was sent is not present in these artifacts and so cannot be recovered.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Low to Medium

Yahoo!® Webmail email

Description: Email messages, email compose pages, and folder views from Yahoo!® webmail fragments. Multiple types of Yahoo!® webmail interface are supported, including ‘Classic view’ and the newer Yahoo!® Webmail view. These recovered artifacts may be complete in some cases, but much of the time they will be partial fragments.
Possible locations: Temporary Internet files, live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Medium to High

Hotmail® Webmail email

Description: Email messages, contact listings, and folder views from Hotmail® webmail fragments. These recovered artifacts may be complete in some cases, but much of the time they will be partial fragments.
Possible locations: Temporary Internet files, live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Medium to High

AOL® Instant Messenger chat logs

Description: AOL® Instant Messenger (AIM) chat logs. The entire log is searched for, not individual messages.
Possible locations: AIM chat log files, live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Medium

Messenger Plus!® chat logs

Description: Messenger Plus!® is an add-on for Windows Live Messenger®/MSN Messenger® that adds a number of features to the chat program. The logs it creates differ from the traditional MSN/WLM chat logs, and it also offers an option to encrypt the chat logs. Encrypted chat logs cannot be recovered at this time, but some of the encrypted chat can be recovered by the MSN/WLM search as MSN protocol fragments.
Possible locations: Messenger Plus! chat log files, live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Medium

MySpace® chat

Description: Messages sent or received in MySpace® live chat. Information found within these fragments can include the status of the message, the date/time, the sender ID, the target ID, and the message itself. Some user info is also recoverable, such as the real name/username associated with a MySpace ID, the image URL, and other information. This information is saved to a ‘User Info’ report.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Low to Medium

Bebo® chat

Description: Messages sent or received in Bebo® live chat. Information found within these fragments can include the status of the message, the date/time, the sender username, the target username, and the message itself.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Low to Medium

Non-encrypted Yahoo!® Messenger chat

Description: Non-encrypted chat messages left behind by Yahoo!® Messenger. These messages are artifacts from the actual Yahoo!® Messenger chat window. No username is required to recover these messages. Messages of this type include the sending user name, the date/time (local time, not UTC), and the message itself. The recipient is not found in these fragments but can usually be ascertained by viewing the chat conversation.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Low to Medium

Facebook® Email “Snippets”

Description: This search will recover Facebook® email “snippets” (previews of a full email message). This artifact is left behind when a user is viewing the Inbox or Sent Messages folder in their Facebook® account. It can include the subject line, the Original Author user ID, the Recent Authors user IDs (the participants in the email conversation), the Time Last Updated (the last time a message was posted in the thread), the thread ID (ID number of the message in the user’s mailbox), and the “snippet” itself.
Possible locations: Temporary Internet files, live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and possibly unallocated clusters
Estimated Likelihood of Recovery: Medium

Gmail® Email “Snippets”

Description: This search will recover Gmail® email “snippets” (previews of a full email message). This artifact is left behind when a user is viewing the Inbox folder in their Gmail® webmail account. It can contain the email addresses included in the message, the subject, the file names of attachments, the date/time (in local time), the read/unread status, and the “snippet” itself.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and possibly unallocated clusters
Estimated Likelihood of Recovery: Medium

Frostwire.props Files

Description: This search finds fragments of Frostwire.props files. These files contain configuration data for the Frostwire® peer-to-peer file sharing client and can include geo-locations, recent downloads, and many other useful items.
Possible locations: Frostwire configuration folders, live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Medium to High

Twitter® Status Updates

Description: This search will recover Twitter® status updates. This artifact is left behind in several formats when a user is updating their status or viewing another person’s status update. It can include the name of the user, the screen name, the created time, the status ID number, where the status was updated from, geo-tags, whether the update is a “retweet”, the profile image URL of the user, and the text of the status update.
Possible locations: Temporary Internet files, live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and possibly unallocated clusters
Estimated Likelihood of Recovery: Medium

Limewire®/Frostwire® Search Keywords

Description: Search keywords left behind in live memory by version 4 of Limewire® and Frostwire® (tested with most Limewire/Frostwire v4 clients). Each recovered search term has an associated number indicating how many search results had been returned for that term at the time the keyword was left in memory. The recovered terms are keywords entered by the local user; keywords that merely passed through the client from other clients on the P2P network (“Incoming Searches”) are not recovered.
Possible locations: Live memory dumps, the pagefile.sys/hiberfil.sys files, and possibly unallocated clusters
Estimated Likelihood of Recovery: Low

Firefox® places.sqlite History Artifacts

Description: This is a first-of-its-kind search that recovers browsing history URLs from the places.sqlite file Firefox® uses to store browsing history and other information. The entire SQLite file is not required, only the individual entries. Because of the format and nature of this artifact, some parsing must be done to separate the URL from the web page title. Sometimes this parsing will be incorrect; in that case, see the unparsed column for the original data. Recovered items include the parsed URL, the parsed web page title, the visit count, whether or not the URL was typed by the user, the last visited time (in UTC), and the unparsed URL/web page title.
Note 1: Parsing live (undeleted) places.sqlite files is better done with other Firefox history parsing software, as there is more information to be found in these files and the URL/title can be parsed more accurately. This search is, however, very useful for live memory dumps, deleted records, records in the pagefile.sys/hiberfil.sys files, etc.
Note 2: if any of the individual items for each recovered record were not recovered or contain garbage information, that record should be verified as it may not be reliable information and could be a false positive hit.
Note 3: This search recovers artifacts from Firefox v3.5 to v4.0b8. It does not recover artifacts from Firefox v3.0.x as those older versions use a different database format. Firefox v1-2 do not use the places.sqlite file and therefore are not supported in this search.
Possible locations: Firefox profile folders, live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and unallocated clusters
Estimated Likelihood of Recovery: High

Firefox® formhistory.sqlite Artifacts

Description: This is a first-of-its-kind search that recovers query history from the formhistory.sqlite file Firefox® uses to store web page form entry history (e.g. a search entered into Google or another search engine). The entire SQLite file is not required, only the individual entries. Recovered items include the fieldname (the name of the text box in which the query was made), the value (the text entered into that text box on the web page, e.g. the search term), the number of times used, the date/time (UTC) the query was first made, and the date/time (UTC) it was last made.
Note 1: At this time, IEF only recovers the fieldnames “q” and “query” (commonly used by search engines such as Google) and “searchbar-history” (searches made from the Firefox® search bar). Other fieldnames may be added in the future.
Note 2: if any of the individual items for each recovered record were not recovered or contain garbage information, that record should be verified as it may not be reliable information and could be a false positive hit.
Note 3: This search recovers artifacts from Firefox v3.0.x to v4.0b8. Firefox v1-2 do not use the formhistory.sqlite file and therefore are not supported in this search.
Possible locations: Firefox profile folders, live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and unallocated clusters
Estimated Likelihood of Recovery: High
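
Added example for the places.sqlite and formhistory.sqlite searches above (this is not IEF’s code, and not a schema dump from Firefox®): a Python decoder for the SQLite record format, which is what lets individual rows be recovered from memory dumps, the pagefile and unallocated clusters without the rest of the database. A record is a varint header length, one varint serial type per column, then the column bodies in big-endian form; an INTEGER PRIMARY KEY column (the row id) is stored as NULL inside the record because its value lives in the surrounding B-tree cell. The column lists used for validation are a simplified subset of the moz_places and moz_formhistory schemas and are an assumption made for this example; the sample rows and the junk around them are constructed.

```python
import random

PRTIME_2000 = 946_684_800 * 1_000_000      # Firefox PRTime: microseconds since 1970 UTC
PRTIME_2020 = 1_577_836_800 * 1_000_000
INT_SIZES = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8}   # integer serial type -> body length in bytes


def read_varint(buf, pos):
    """SQLite varint: up to 8 bytes of 7 bits each; a 9th byte contributes all 8 bits."""
    value = 0
    for i in range(8):
        value = (value << 7) | (buf[pos + i] & 0x7F)   # IndexError on truncation: caught by carve()
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9


def decode_column(st, buf, p):
    """Decode one column of serial type st at buf[p:]; returns (value, bytes consumed)."""
    if st in (0, 8, 9):                             # NULL, and the constants 0 and 1: no body bytes
        return (None if st == 0 else st - 8), 0
    if st in INT_SIZES:
        n = INT_SIZES[st]
    elif st >= 12:
        n = (st - 12) // 2                          # even: BLOB, odd: TEXT
    else:
        raise ValueError("reserved serial type, or REAL (7), which these tables do not use")
    raw = buf[p:p + n]
    if len(raw) != n:
        raise ValueError("truncated body")
    if st in INT_SIZES:
        return int.from_bytes(raw, "big", signed=True), n
    return (raw if st % 2 == 0 else raw.decode("utf-8")), n


def decode_record(buf, pos):
    """Parse one record at pos: header-length varint, one serial-type varint per column, then the bodies."""
    hdr_len, p = read_varint(buf, pos)
    if not 2 <= hdr_len <= 64:
        raise ValueError("implausible header length")
    types = []
    while p < pos + hdr_len:
        st, p = read_varint(buf, p)
        types.append(st)
    if p != pos + hdr_len:
        raise ValueError("header length mismatch")
    values = []
    for st in types:
        value, n = decode_column(st, buf, p)
        values.append(value)
        p += n
    return values, p


def encode_record(values):
    """Inverse of decode_record for None/int/str; only builds the sample rows, whose header varints all fit one byte."""
    types, body = [], b""
    for v in values:
        if v is None:
            types.append(0)
        elif isinstance(v, int) and v in (0, 1):
            types.append(8 + v)
        elif isinstance(v, int):
            types.append(6)                         # 8-byte big-endian signed integer
            body += v.to_bytes(8, "big", signed=True)
        else:
            raw = v.encode("utf-8")
            types.append(13 + 2 * len(raw))
            body += raw
    assert all(t < 128 for t in types)
    return bytes([len(types) + 1] + types) + body   # header length counts its own byte


def looks_like_place(v):
    """moz_places subset: id (NULL; the rowid lives outside the record), url, title, rev_host,
    visit_count, hidden, typed, favicon_id, frecency, last_visit_date."""
    return (len(v) == 10 and isinstance(v[1], str) and isinstance(v[4], int) and isinstance(v[9], int)
            and v[1].startswith(("http://", "https://", "ftp://", "file://", "about:"))
            and v[4] >= 0 and v[6] in (0, 1) and PRTIME_2000 <= v[9] <= PRTIME_2020)


def looks_like_formhistory(v):
    """moz_formhistory subset: id (NULL), fieldname, value, timesUsed, firstUsed, lastUsed."""
    return (len(v) == 6 and v[1] in ("q", "query", "searchbar-history") and isinstance(v[2], str)
            and all(isinstance(x, int) for x in v[3:]) and v[3] >= 1
            and PRTIME_2000 <= v[4] <= v[5] <= PRTIME_2020)


def carve(buf):
    """Try every offset as a record start; keep hits whose columns pass a table's plausibility test."""
    hits = []
    for off in range(len(buf)):
        try:
            values, _ = decode_record(buf, off)
        except (ValueError, IndexError):            # UnicodeDecodeError is a ValueError
            continue
        for table, plausible in (("moz_places", looks_like_place), ("moz_formhistory", looks_like_formhistory)):
            if plausible(values):
                hits.append({"table": table, "offset": off, "values": values})
    return hits


def sample_fragment():
    """Constructed 'unallocated space': one places row and one formhistory row inside seeded junk."""
    rng = random.Random(11)
    junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    place = [None, "https://example.org/login", "Sign in", "gro.elpmaxe.", 3, 0, 1, None, 120, 1_293_840_000_000_000]
    form = [None, "q", "how to clear browsing history", 2, 1_293_750_000_000_000, 1_293_840_000_000_000]
    return junk(80) + encode_record(place) + junk(40) + encode_record(form) + junk(60), place, form
```

Running carve() over sample_fragment()[0] returns the two rows with their offsets. The plausibility checks are the code form of Note 2 above: a record whose URL has no recognisable scheme, whose typed flag is not 0/1, or whose PRTime falls outside the case window is dropped rather than reported, and a row cut off by the end of the fragment is rejected rather than half-reported. Only the record itself is needed, which is why single rows survive in memory dumps and unallocated clusters after the database page around them is gone.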

Firefox® sessionstore.js Artifacts

Description: This search will recover URLs from the sessionstore.js file Firefox® uses to store URLs so that it can recover from a browser crash. The entire sessionstore.js file is not required, only the individual entries. Recovered items can include the URL, the web page title, and the referring URL. Some items will have the web page title while others will only have the referring URL.
Possible locations: Firefox profile folders, live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and unallocated clusters
Estimated Likelihood of Recovery: High

Facebook® Status Updates / Wall Posts

Description: This search will recover Facebook® Status Updates and Wall Posts. These can be from the local user or from other users on Facebook®. Recovered items can include the User ID and name of the person making the status update or wall post, and the text of the update/post itself. This artifact does not contain the date/time that the update or post was made.
Possible locations: Temporary Internet files, live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and unallocated clusters
Estimated Likelihood of Recovery: High

Facebook® Emails

Description: This search will recover emails sent or received on Facebook®. Recovered items can include the Logged In User ID (the ID of the person logged in to Facebook® when the email was sent/received), the subject of the email, the recipients of the email, the Last Updated Time (the last time a message was added to the thread), the Original Author, the Thread ID number, the Time Rendered (local time), the author’s User ID and name, whether or not it was sent from a mobile device, any attachments, and the message.
Possible locations: Temporary Internet files, live memory dumps, the pagefile.sys/hiberfil.sys files, file slack space, and unallocated clusters
Estimated Likelihood of Recovery: Medium

mIRC® Chat Logs

Description: This search will recover mIRC® chat logs and other logs (e.g. connection logs) saved by mIRC®. Each session located among these log fragments is saved separately into a text file.
Possible locations: mIRC log folders, live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: Low to Medium

Yahoo!® Messenger Diagnostic Logs

Description: This search recovers the diagnostic logs saved by Yahoo!® Messenger. These logs are created when a user reports a problem to Yahoo! Support by selecting the Help menu in Yahoo! Messenger and clicking “Report a Problem to Yahoo!”. They contain a wide variety of information, including chat messages, user actions, files transferred, and more. A good number of these events have been tested and are parsed by IEF v4. Some events are not parsed at this time, but by checking the “Include unparsed entries” option in IEF, these events will still be included, with some of their information partially decoded.
Possible locations: Yahoo! Messenger program log folders, live memory dumps, the pagefile.sys/hiberfil.sys files, and unallocated clusters
Estimated Likelihood of Recovery: High

Requirements

IEF v4 has been tested on Windows XP, Windows Vista, Windows XP 64-bit, Windows Server 2008 64-bit, and Windows 7 (32-bit and 64-bit). It does not support running on Windows 2000 or Windows 9x.
IEF has been tested with and works on single ‘dd’ image files, physical drives connected via a write blocker or otherwise, Encase® PDE mounted images, FTK® Imager v3 Image Mounting, and files (such as pagefile.sys and hiberfil.sys, and memory dump files). IEF is also compatible with Mount Image Pro (tested with version 3.26.522).

System requirements are minimal: if you have the hardware required by the operating system you are running, you can run IEF. However, a fast CPU and at least 2GB of RAM are recommended.
The speed of the storage device being searched (or containing the files being searched) also makes a large difference. A RAID 0 or SSD setup is recommended.

Notice regarding artifact recovery

Please remember: IEF is, in essence, an automated data recovery tool. If the data does not exist, is fragmented or damaged (or is in a format not tested by JADsoftware Inc.), or a special circumstance complicates the search process, the data/artifacts will not be recovered. Some artifacts will also be easier to find, more abundant, or more likely to be recovered than others.
In some cases there will be false positive hits or partially recovered artifacts. This is inherent in artifact recovery.

IEF V4 Portable Edition

With the release of IEF v4, a Portable Edition has been introduced.
The Portable Edition comes on a larger thumb drive (8GB at this time), can run directly from the thumb drive without being installed, and includes features to search Volume Shadow Copies on a live Windows Vista or Windows 7 (32 and 64 bit) system.
The Volume Shadow Copy searching is available in the Quick Search and the Full Search – Sector Level search. Both require that the Microsoft Volume Shadow Copy Service administrative command-line tool (vssadmin.exe) and the mklink command (built into cmd.exe, used to create symbolic links) be present on the live system. If they are not, the volume shadow copies cannot be enumerated (or, in the Quick Search, mounted). Note also that vssadmin.exe cannot simply be copied from one system to another.
The Volume Shadow Copy portions of both searches are covered in the IEF v4 User’s Manual.
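
The following is an added example, not code from the IEF Portable Edition, of the enumerate-and-mount step described above. It runs vssadmin list shadows, parses each “Shadow Copy Volume:” line, and maps every shadow copy to a directory under a mount root with the cmd.exe built-in mklink /d, after which any file-level scan can be pointed at that directory like a normal folder. The vssadmin output embedded below is constructed so the parser can be exercised offline; the mount root C:\vsc_mounts and the vscN link names are choices made for this example.

```python
import os
import re
import subprocess

# Constructed sample of `vssadmin list shadows` output (two shadow copies of C:), for offline testing.
SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {1c3a0f2e-7a5b-4f1d-9e4c-2b8d3a6f1e90}
   Contained 1 shadow copies at creation time: 1/2/2011 10:15:02 AM
      Shadow Copy ID: {a2f6c0d1-3b4e-4a5f-8c6d-7e8f9a0b1c2d}
         Original Volume: (C:)\\?\Volume{0f4b1e2c-0000-0000-0000-501f00000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION01
         Service Machine: WORKSTATION01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {9d8c7b6a-5f4e-4d3c-2b1a-0f9e8d7c6b5a}
   Contained 1 shadow copies at creation time: 1/9/2011 8:02:44 PM
      Shadow Copy ID: {5e4d3c2b-1a0f-4e9d-8c7b-6a5f4e3d2c1b}
         Original Volume: (C:)\\?\Volume{0f4b1e2c-0000-0000-0000-501f00000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION01
         Service Machine: WORKSTATION01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

DEVICE_PREFIX = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"


def parse_shadows(text):
    """Return [(device_path, creation_time), ...] in the order vssadmin lists them."""
    shadows, created = [], None
    for line in text.splitlines():
        m = re.search(r"creation time:\s*(.+?)\s*$", line)
        if m:
            created = m.group(1)        # applies to the shadow copies that follow in this set
            continue
        m = re.search(r"Shadow Copy Volume:\s*(\S+)", line)
        if m and m.group(1).startswith(DEVICE_PREFIX):
            shadows.append((m.group(1), created))
    return shadows


def link_name(device, root):
    r"""<root>\vsc<N> for ...HarddiskVolumeShadowCopy<N>; plain string join, since Path would use '/' off Windows."""
    return root.rstrip("\\") + "\\vsc" + device[len(DEVICE_PREFIX):]


def mount_commands(shadows, root=r"C:\vsc_mounts"):
    """Build the mklink commands without running them. mklink is a cmd.exe built-in, so it is
    invoked through `cmd /c`; the trailing backslash on the shadow device path is required."""
    return [["cmd", "/c", "mklink", "/d", link_name(dev, root), dev + "\\"] for dev, _ in shadows]


def mount_live(root=r"C:\vsc_mounts"):
    """Enumerate and link every shadow copy on the running system (needs an elevated prompt)."""
    out = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True, check=True).stdout
    shadows = parse_shadows(out)
    os.makedirs(root, exist_ok=True)
    for cmd in mount_commands(shadows, root):
        subprocess.run(cmd, check=True)
    return [link_name(dev, root) for dev, _ in shadows]


def unmount(links):
    """rmdir on a directory symlink removes the link only, never the shadow copy contents."""
    for link in links:
        subprocess.run(["cmd", "/c", "rmdir", link], check=True)


if __name__ == "__main__":
    for dev, when in parse_shadows(SAMPLE_VSSADMIN_OUTPUT):
        print(when, dev)
    for cmd in mount_commands(parse_shadows(SAMPLE_VSSADMIN_OUTPUT)):
        print(" ".join(cmd))
```

Run mount_live() from an elevated prompt on the live Vista/7 system; the sample-based functions run anywhere. Each shadow copy then appears as C:\vsc_mounts\vscN, which a file-level search (IEF’s Quick Search, or any other tool) can treat as a normal folder, and unmount() cleans up the links afterwards.
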
The Portable Edition is not available for download, but the files can be sent on special request to test out the functionality in demo mode. Please send a message using the Contact page to request a trial copy.
Portable Edition screenshots (images not reproduced in this copy): the Quick Search, and the Full Search – Sector Level search.

IEF Report Viewer

With the release of IEF v4 comes a new component, the IEF Report Viewer. The Report Viewer allows for more control over which results are included in the final report, provides sorting and column rearrangement, multiple export formats, and can produce a complete, easy-to-use, easy-to-navigate HTML report that includes all the artifacts recovered.
IEF v4 provides an option at the end of a search to immediately load the case folder into the Report Viewer. If you don’t choose to open the case in the Report Viewer at that time, you can run the IEF Report Viewer later and you’ll be prompted to open the case.
Screenshot of the main screen (image not reproduced in this copy).

All items are checked by default, which means if you export search results or create a report, everything will be included.
To sort the results on different columns, simply click the column header. The arrows in the header will turn green to indicate if the sorting is ascending or descending.
You may uncheck individual items or entire search categories, and if you save the case (File -> Save Case), your selections will be saved. Also, if you sort any search results and then save the case, the sorted items will be saved in that sorted order and will be in that order when the case is loaded at a later date.
Un-checking an item never deletes it, only the “Checked” state changes.

Screenshot of the File menu (image not reproduced in this copy).

In this menu you can save the case, export a single category, export all the categories, or create a report.
The export formats currently available are CSV (Comma Separated Values), Tab-delimited (a.k.a. Tab Separated Values, or TSV), HTML, or Excel (this option requires that you have Microsoft Excel installed on your system).
If a search contains individual exported files, you must use the HTML Export to create a report and export all the files belonging to that search category. The exported files will be linked into the HTML file. With large reports, be sure to save the report to a newly created subfolder in order to contain all the files being exported.
If you select Create Report, a complete HTML report is created for all the checked search categories/sub-items, including any files belonging to the search results.

Home Edition

A Home Edition is being developed for the home user, with reduced features and a reduced purchase price. Please stay tuned.

Trial Keys / Additional Evaluation of IEF v4

On a case by case basis, a trial key can be obtained for either the Standard or Portable Editions of IEF v4. Please send a message using the Contact page to request a trial key.

IEF v3 Support

Support for IEF v3 will continue until May 2011, but no new features will be added.

Upcoming features

  • Multi-threading

Licensing

Due to the amount of time required to develop, maintain, and support IEF, it is no longer free to Law Enforcement and the purchase price has increased. However, a substantial discount is provided for law enforcement, accessible through the Law Enforcement Portal.


Reposted from JAD
