Review date 14 April 2013
I last reviewed Internet Evidence Finder (IEF) in August 2011; back then the software was at version 4 and just two years on from its initial freeware status, when it was, of course, a much simpler proposition. It was produced by JadSoftware, which was run by Jad Saliba, who did everything – he wrote the code, tested it, provided technical support and was also responsible for order fulfilment. Since then JadSoftware has become Magnet Forensics, reflecting that the operation isn’t just Jad any more; there are now 18 engineers working on the product, along with the trappings of a larger company: a VP of Marketing, a CEO, a Director of Forensics and so on. This period of growth saw IEF completely re-written, forming a more stable development framework that allows new features to be added more reliably – something current IEF users will be familiar with in the form of regular updates and enhancements.
Other enhancements in the latest version include support for Mac file systems, the introduction of a visual timeline and the removal of the previous requirement to mount an image. Of version 6.0 Jad says: “With v6 we raised the bar in terms of the performance and capabilities of IEF and are excited to hear feedback from our customers. It is the culmination of our work over the past 12 months and we are so excited to get it into our customers’ hands.”
Using the Virtual PC application provided for Windows 7, I set up a new Windows XP virtual PC. I created two users, and alongside Internet Explorer 8 I used the latest available versions of the Mozilla Firefox and Google Chrome browsers. I didn’t change the browsers’ default settings, or add any extensions or plug-ins. I also installed the latest version of Skype and, as base protection, installed and ran Microsoft Security Essentials. With this set-up I visited a number of sites in each browser using both of the user accounts. Google and Bing searches were made, Gmail and Yahoo web mail was read and composed, Facebook and Twitter accounts were visited, posts made and direct messages checked. Skype was logged into, a Skype call was made and a single chat message was sent. Following this ‘evidence generation’ I shut down the virtual machine, opened up IEF (which still has a splash screen that you need to click to make disappear - I wonder why?), clicked ‘Images’ as the search location and navigated to the .vhd file containing the XP operating system I had just shut down.
Picture 1: choose the search location
I chose to search the entire contents of the image, including the MFT, unallocated clusters, pagefile.sys and hiberfil.sys. I then selected a limited number of areas for IEF to search, including Chrome, Facebook Activities, Facebook Chat, Facebook Email, Facebook Email ‘Snippets’, Facebook Pictures, Facebook Status Updates/Wall Posts/Comments, Facebook Web Page Fragments, Firefox, Gmail, Google Translate, Google Docs, Google Drive, Internet Explorer v5-9, Internet Explorer v7-10 InPrivate/Recovery URLs, Parsed Search Queries, Pictures, Rebuild Web, Skype, Twitter, Webpage Recovery and Yahoo Mail. There are over 220 artefacts supported by IEF, with the current list published here.
One of the issues that some have had with IEF in the past was that it seemed rather slow in parsing a forensic image. This has been addressed in v6, which is now capable of multi-threaded operation, utilising multiple processor cores. If anything this was too successful: when I tested an early version of IEF v6 it used every core the processor had, all of which sat at a constant 100% usage. This did indeed make for much faster processing but didn’t leave the computer usable for much else while IEF was working through an image. This was subsequently addressed in the latest version, where it is now possible to choose the number of cores you wish IEF to work with.
My search took about 20 minutes over this 2.5GB image. Search duration obviously lengthens with larger images, and one small thing I’d like to see implemented here would be an option once a search has finished to automatically save the results and shut down the computer. Save power, money, and maybe a tree or two.
The Skype call and message were accurately recovered, as were all my Skype contacts together with their addresses and other details (if they had provided them in their Skype profiles), which was an unexpected bonus.
Examining the results of the internet history searches was a reminder to check that time offsets have been taken into account: history is displayed in UTC, whereas I am in the BST (British Summer Time) time zone, which is one hour ahead of UTC. Once the time zone had been correctly set I found that internet history was reported accurately in terms of searches made, sites visited, time and date of the last visit and the user who was logged in at the time. The web page rebuilding tool was especially impressive, as the screen shot of the UK Yahoo web page below illustrates. If viewing the IEF results on an internet-connected machine, the view of the rebuilt web page is enhanced considerably by enabling the option to download images from the web (this is found under the Edit button).
Picture 2: rebuilt web page in IEF v6.0
The report view of the above Yahoo web page is shown below:
Picture 3: report view of the rebuilt page
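The UTC versus BST point above is worth making concrete. The following is an added example, not IEF code: it applies the UK clock-change rule (assumed here as BST = UTC+1 from 01:00 UTC on the last Sunday of March to 01:00 UTC on the last Sunday of October) to constructed history timestamps in the form a tool might display them, and it also handles winter dates, which the text does not cover.

```python
from datetime import datetime, timedelta, timezone
import calendar

# Added illustration, not IEF code. IEF reports timestamps in UTC; a UK examiner
# must apply the BST offset (via the tool's time zone setting or by hand).
# Assumed UK rule: BST (UTC+1) runs from 01:00 UTC on the last Sunday of March
# to 01:00 UTC on the last Sunday of October.

def last_sunday(year: int, month: int) -> int:
    """Day-of-month of the last Sunday in the given month."""
    last_day = calendar.monthrange(year, month)[1]
    weekday = calendar.weekday(year, month, last_day)  # Monday=0 ... Sunday=6
    return last_day - ((weekday + 1) % 7)

def in_bst(utc_time: datetime) -> bool:
    """True if the UTC instant falls inside British Summer Time."""
    year = utc_time.year
    start = datetime(year, 3, last_sunday(year, 3), 1, tzinfo=timezone.utc)
    end = datetime(year, 10, last_sunday(year, 10), 1, tzinfo=timezone.utc)
    return start <= utc_time < end

def utc_to_uk_local(utc_time: datetime) -> str:
    """Render a UTC timestamp as UK wall-clock time with its zone label."""
    if in_bst(utc_time):
        return (utc_time + timedelta(hours=1)).strftime("%Y-%m-%d %H:%M BST")
    return utc_time.strftime("%Y-%m-%d %H:%M GMT")

def parse_ief_utc(stamp: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS' UTC string (assumed display format)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed sample history rows: (url, UTC timestamp as displayed)
SAMPLE_HISTORY = [
    ("http://uk.yahoo.com/", "2013-04-13 14:30:00"),  # during BST
    ("http://www.bing.com/", "2013-01-15 09:05:00"),  # winter, GMT
]

def localise_history(rows):
    """Attach the UK local rendering to each (url, utc) row."""
    return [(url, utc_to_uk_local(parse_ief_utc(stamp))) for url, stamp in rows]

if __name__ == "__main__":
    for url, local in localise_history(SAMPLE_HISTORY):
        print(local, url)
```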
When I was creating evidence I visited my Gmail and Yahoo web mail accounts and accessed Twitter and Facebook. In IEF I selected the options to search for these artefacts, but none came back. Internet history reported by IEF showed that these sites were visited by me at specific times, but no pages were rebuilt. This is not a failing of IEF. Simply put, recent versions of these web services do a good job of not caching content. This is great for users’ security and privacy, but is less good for forensic investigative work. However, all is not lost: when examining an older image you may find cached material from earlier versions of such sites, when more was cached, or you may find extracts in RAM captures, page files and hibernation files. This wasn’t the case in my testing, however – the operating system I imaged had only been in light use for an hour or so, which may account for this.
An interesting point about Facebook is that while text content was not cached, a lot of photographs from my timeline were. Of note is that pictures from photo albums that are on my current timeline were cached and discovered by IEF even though I did not click on or view them when I was on Facebook. This pre-fetch feature of Facebook is a reminder that although artefacts of note may occur under a user’s profile, their presence alone is no indication that the user ever saw them or was aware of them.
As IEF now extracts and presents an increasing amount of material that hasn’t necessarily been derived from internet use, I wonder if it will change its name. Perhaps it should? One such example is the recovery of pictures. IEF carves pictures out of a forensic image or disk, alongside associated metadata where available. Once this has been done, the option of skin tone analysis is available, as seen below, where I’ve set the skin tone percentage to 50% on the slider. This could speed an investigator’s search for illicit pornographic material. The metadata of the highlighted picture in the gallery is listed in the details below it.
Picture 4: gallery view of carved pictures, with skin tone percentage being used
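To show what a skin tone percentage slider is measuring, here is an added example that is not Magnet Forensics’ algorithm: it converts each pixel to YCbCr and counts pixels whose chroma falls inside a commonly cited skin range (the Cb 77..127 / Cr 133..173 thresholds are an assumed rule of thumb), then applies a slider threshold such as the 50% used in the review. The pixel data is constructed inline.

```python
# Added illustration, not IEF's implementation. Assumed heuristic: a pixel is
# "skin" if its YCbCr chroma lies in Cb 77..127 and Cr 133..173; the slider
# then keeps pictures whose skin-pixel share meets the chosen percentage.

def rgb_to_ycbcr(r, g, b):
    """JPEG-style RGB -> YCbCr (full range, 8-bit inputs)."""
    y = 0.299 * r + 0.587 * g + 0.114 * b
    cb = 128 - 0.168736 * r - 0.331264 * g + 0.5 * b
    cr = 128 + 0.5 * r - 0.418688 * g - 0.081312 * b
    return y, cb, cr

def is_skin(r, g, b):
    """Assumed chroma thresholds for skin tones."""
    _, cb, cr = rgb_to_ycbcr(r, g, b)
    return 77 <= cb <= 127 and 133 <= cr <= 173

def skin_tone_percent(pixels):
    """Percentage of pixels classified as skin; pixels is a list of (r, g, b)."""
    if not pixels:
        return 0.0
    hits = sum(1 for p in pixels if is_skin(*p))
    return 100.0 * hits / len(pixels)

def passes_slider(pixels, threshold_percent):
    """True if the picture meets the gallery slider threshold."""
    return skin_tone_percent(pixels) >= threshold_percent

# Constructed 10-pixel "image": six skin-coloured pixels and four sky-blue ones
SKIN = (224, 172, 105)
SKY = (80, 140, 220)
SAMPLE_IMAGE = [SKIN] * 6 + [SKY] * 4

if __name__ == "__main__":
    pct = skin_tone_percent(SAMPLE_IMAGE)
    print(f"skin tone: {pct:.0f}%  passes 50% slider: {passes_slider(SAMPLE_IMAGE, 50)}")
```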
Searching through results is straightforward, as is creating filters using the very simple filter manager shown in the picture below.
Picture 5: constructing a filter with four conditions
Now onto two features that present information visually, which can be useful in showing behavioural patterns that are difficult to discern otherwise. The first is the World Map, which extracts GPS data from pictures and geographic data from Google Maps and Google Maps tiles. As far as I’m aware the data set I created didn’t contain such data, so all I got was a World Map with no plotted points. Still, I can see this could be a useful feature. The other visual feature, new for v6, is the Time Line, which allows IEF search results to be viewed in a graphical timeline. This allows the investigator to drill down to isolate webmail, chat messages, browser history and so on during a specific time-frame, zero in on specific dates, and see spikes in a user’s online activity. It is implemented very well, but personally I’m yet to be convinced of the usefulness of this feature. Perhaps it’ll become apparent to me with further use.
Picture 6: IEF World Map
Picture 7: Time Line
IEF does plenty more that I haven’t touched upon including the parsing of iOS backups and, in the triage version, Dropbox decryption. I found the help file to be thorough enough and the listing ‘Estimated Likelihood of Recovery’ of the dozens of artefact types it searches for to be useful.
Out of interest I ran the latest version of the well-known cleaning tool CCleaner (version 4.00.4064) against the XP virtual machine I used in this test, set to securely wipe (1 pass) the Internet Explorer, Chrome and Firefox internet history. I then re-imaged the virtual machine and re-ran IEF over it. You may or may not be surprised to learn that it managed to return around 50% of the internet history that was there prior to running CCleaner. From this test, I believe it is prudent not to trust CCleaner to do a thorough job. Your results may differ and it’s certainly a topic worthy of further research.
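Why a history wipe leaves so much behind comes down to where copies of URLs live: outside the browser’s own history files, in unallocated clusters, the page file and hibernation file, which a byte-level carver still sees. The following is an added example, not IEF’s carver: it scans a constructed buffer standing in for unallocated space and recovers URL strings stored both as ASCII and as UTF-16LE (the encoding Windows uses for many in-memory strings), reporting offsets and de-duplicating hits. All offsets and URLs are made up.

```python
import re

# Added illustration, not IEF's carver: URL remnants outside the history
# database survive a history "wipe" and can be carved from raw bytes.

# ASCII URL: scheme, host, optional path/query
URL_ASCII = re.compile(rb"https?://[A-Za-z0-9._~\-]+(?:/[A-Za-z0-9._~\-/?=&%#]*)?")
# Same shape in UTF-16LE: every ASCII byte is followed by a NUL byte
URL_UTF16LE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[A-Za-z0-9._~\-/?=&%#]\x00)+"
)

def carve_urls(blob: bytes):
    """Return (offset, encoding, url) hits from a raw byte buffer, by offset."""
    hits = []
    for m in URL_ASCII.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in URL_UTF16LE.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)

def unique_urls(blob: bytes):
    """Distinct URLs regardless of how many copies or encodings were found."""
    return sorted({url for _, _, url in carve_urls(blob)})

def build_sample() -> bytes:
    """Constructed 'unallocated space': filler bytes around a few URL remnants."""
    filler = b"\x00" * 16 + bytes(range(32, 64)) + b"\xff" * 8
    return (
        filler
        + b"Visited: http://uk.yahoo.com/ "
        + filler
        + "https://www.google.co.uk/search?q=ief".encode("utf-16-le")
        + filler
        + b"http://uk.yahoo.com/"   # second copy of the same URL
        + filler
    )

if __name__ == "__main__":
    for off, enc, url in carve_urls(build_sample()):
        print(f"{off:6d} {enc:9s} {url}")
```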
During research for this review I spoke with Jad Saliba, who mentioned that a particular current focus of Magnet Forensics’ R&D effort has gone into Mac OS and iOS, and he told me to “stay tuned for some very exciting updates over the coming months”. We’ll see. I look forward to new features, but I’d like the focus to be on ensuring that what they do already is as good as possible. I occasionally hear from people who have, for example, dedicated Skype extraction tools or an application that solely extracts internet history, who say that their product is better in some way than IEF. This may or may not be the case; as ever in this field, it is up to the examiner to check and verify the results produced. Everything that I threw at IEF in this test, it reported back fully and accurately. I’d certainly recommend using the trial version of IEF to see how it could fit into your tool chest; a simple-to-use tool that searches for and clearly presents a very wide range of user data.
Version tested: Internet Evidence Finder 6.0.0.0421. At the date of this review the price of IEF is US $1200.00. Web site: http://www.magnetforensics.com/
Review by Jonathan Krause. Comments can be emailed to firstname.lastname@example.org