Review Date 21 August 2011
Internet Evidence Finder (IEF) from Canadian-based Jad Software has not been around for long but it has established itself as a hugely useful tool in the computer investigator’s armoury. The first version was released by Jad Saliba in March 2009 and word spread that this was a simple-to-use Windows tool for extracting internet evidence such as email and web chat fragments from any given drive, folder, or file. Since then the scope of IEF has widened considerably, with IEF v4 now also extracting artefacts from social media use such as Facebook, Twitter and Bebo, along with file sharing applications such as LimeWire, GigaTribe and FrostWire. The full list of features is on the manufacturer’s website.
IEF v4 was a major release and saw a major increase in price. This was painful especially for the smaller players in the industry, but Jad responds that “the reason for the price increase was due to the additional features and time and effort put into version 4. After consulting with many people in the industry, it was clear that IEF was severely under-priced and some input we have received indicates it may still be undervalued. The feedback has been very supportive with most people being understanding of the price changes, stating that there is no other software in the market that has the features or abilities of IEF, or for a lower price.”
This popularity is due to its simplicity and the value of the evidence that it extracts. IEF can be run on a local drive, a mounted physical or logical drive (FTK Imager 3 is very useful here) or across selected files (memory dumps or raw image files, for instance) and folders. There are five basic steps involved:
1. Decide on the type of search you wish to run. The five search options are:
Quick: searches pagefile.sys, $Logfile (NTFS), common areas and deleted MFT resident files
Full: same as Quick, but also searches Volume Shadow Copies, hiberfil.sys, unallocated areas and, optionally, file slack
Full (sector level): searches the entire physical drive. Can be used on non-Windows file systems
Unallocated clusters: this search is only available on NTFS volumes and can optionally include searching file slack
File / folders: searches selected files (e.g., memory dumps, raw image files, etc.) or folders, optionally including sub-folders.
It’s a little confusing to have two different searches named ‘Full’. Let’s hope there’s some logical renaming of search categories in a future release. I’d always choose the Full (sector level) search if the circumstances allowed. This is the most exhaustive search, but as a consequence it also takes the longest time. That’s fine if you have the time and can let the search run overnight, but if you only have time for triage, then the ‘Quick’ search or the targeting offered by the ‘File/Folders’ search may be better options.
Figure 1: select the search type
2. Decide which items to search for. Again, for completeness’ sake I would tend to leave all options checked, unless of course you are limited to searching for a particular type of data. With Yahoo chat messages you will be prompted to enter the Yahoo Messenger user name, without which it’s not possible to decrypt Yahoo messages. Conveniently, IEF v4 has introduced a function that can quickly return the Yahoo Messenger usernames from any given drive.
Figure 2: select the items to search for
3. The third step is to select the source. If you’ve selected the Full (sector level) search then here you will be able to select a physical drive. If another type of search has been chosen you can choose either files, folders or drive volumes, as in the picture below.
Figure 3: select which item to search over
4. At this step you select the output folder where the results are to be saved, and choose whether to ignore output errors during the search and whether you want verbose logging.
5. The final step is to enter the case information, then hit Start, which displays the search progress with time elapsed and an estimate of the time remaining. If necessary the search can be paused. So far, so good. Couldn’t be much easier, could it?
Regarding performance, don’t expect it to finish quickly if, like me in the example I’ve used in the illustrations, you choose to search for every type of artefact. My testing was run on a Windows 7 64-bit machine with an i7-920 processor, 12GB of RAM and the operating system running from an SSD. With the ‘Full’ search option run over a 160GB E01 image mounted using FTK Imager, the search took just over 5 hours. So, when searching for all types of internet evidence this is certainly a process you may want to run overnight or over the weekend.
When IEF has finished searching, you can view the results via the IEF Report Viewer, as shown below. Here you can go through the results and select those that you’d like to export to CSV, tab-delimited, HTML or Excel format for ease of external manipulation and presentation.
Figure 4: results report
When the results did come back, they raised an eyebrow:
Full search (sector level)
Gmail email fragments: 4
IE8/9 InPrivate/Recovery URLs: 6704
Gmail parsed email snippets: 7
Facebook status updates/wall posts: 8

Gmail email fragments: 0
IE8/9 InPrivate/Recovery URLs: 7892
Gmail parsed email snippets: 0
Facebook status updates/wall posts: 0

Gmail email fragments: 5
IE8/9 InPrivate/Recovery URLs: 30410
Gmail parsed email snippets: 13
Facebook status updates/wall posts: 7
Why did the Full Search (sector level), which searches the entire physical drive, find fewer items than the Quick Search and the ‘normal’ Full Search? After an exchange of emails with Jad about this seeming discrepancy, it turns out that the differences in results are due to the way that IEF handles duplicate results. In the words of Jad: “All of the searches de-duplicate, but only on sources that are the same (i.e. while searching file “xyz” any duplicates found within that file are de-duplicated, but if a hit inside “xyz” is found in the next file, “abc”, the first hit would not be discarded, only subsequent matching hits would be). However, when searching a physical drive at the sector level, the source never changes (source is always PhysicalDrive#) so once an item is found, any subsequent matching hits on that drive would be discarded.”
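To make the de-duplication behaviour Jad describes concrete, here is a small model written for this review; it is not IEF’s own code and the hit list is constructed. It treats each hit as a (source, artefact type, content) triple and discards a hit only when the same artefact has already been seen in the same source. Running the same hits once with file names as sources (the per-file searches) and once with a single "PhysicalDrive0" source (the sector-level search) reproduces the pattern in the figures above: the sector-level count is lower because an artefact that lives in several files is counted only once.

```python
from collections import Counter

# Constructed sample hits: (source, artefact type, content).  The same Gmail
# fragment appearing in more than one file is normal on a real system, e.g. a
# page in the pagefile and a second copy in the NTFS log.
FILE_LEVEL_HITS = [
    ("pagefile.sys", "Gmail email fragments", "fragment A"),
    ("pagefile.sys", "Gmail email fragments", "fragment A"),  # duplicate in the same file
    ("$Logfile", "Gmail email fragments", "fragment A"),      # same fragment, different file
    ("$Logfile", "Facebook status updates/wall posts", "post 1"),
    ("hiberfil.sys", "Facebook status updates/wall posts", "post 1"),
]


def dedupe_hits(hits):
    """Keep a hit unless an identical (artefact type, content) pair was already
    seen in the SAME source.  This mirrors the behaviour described in the review:
    duplicates are dropped within a file, but a repeat in a different file is kept."""
    seen = set()
    kept = []
    for source, kind, content in hits:
        key = (source, kind, content)
        if key in seen:
            continue
        seen.add(key)
        kept.append(key)
    return kept


def as_sector_level(hits, drive="PhysicalDrive0"):
    """Re-label every hit with the physical drive as its source, which is what a
    sector-level search of the whole drive does: the source never changes."""
    return [(drive, kind, content) for _, kind, content in hits]


def count_by_type(hits):
    """Per-artefact-type totals, the same shape as the IEF result summary."""
    return Counter(kind for _, kind, _ in hits)


def compare(hits):
    """Return (per-file counts, sector-level counts) for the same underlying hits."""
    per_file = count_by_type(dedupe_hits(hits))
    sector = count_by_type(dedupe_hits(as_sector_level(hits)))
    return per_file, sector


if __name__ == "__main__":
    per_file, sector = compare(FILE_LEVEL_HITS)
    for kind in sorted(per_file):
        print(f"{kind}: per-file {per_file[kind]}, sector level {sector[kind]}")
```

The practical reading for an examiner: a lower sector-level count is not missed evidence, it is closer to the number of distinct artefacts on the disk, whereas the per-file counts also tell you how many places each artefact was found in. Which figure matters depends on whether you are asked “what was there?” or “where was it?”, and the report should say which mode produced the numbers it quotes.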
I mentioned to Jad that I think IEF could benefit from explaining its methodology in the manual/help file, and hopefully this will be implemented in the near future. After all, if we’re producing forensic evidence it’s of real importance that we are able to understand and explain how our tools work.
In summary, there is no other tool on the market which does what IEF does; and IEF does what it does wonderfully simply, though a few additions to the manual would be useful. If you need to recover and analyse internet evidence then you need Internet Evidence Finder.
IEF must be run on Windows XP, Windows Vista, or Windows 7 (32 or 64 bit versions). A minimum resolution of 1024×768 is required. IEF v4 will not run on Windows 2000 or below. System requirements are minimal; if you have the required hardware for the operating system you are running, you can run IEF. However, a fast CPU and at least 2GB of RAM are recommended. The speed of the storage device being searched (or containing the files being searched) will make a large difference in speed as well. A RAID 0 or SSD set-up is recommended.
As at the date of this review, IEF v4 Standard Edition costs $499.99 CAD (Canadian dollars) and the Portable Edition costs $574.99 CAD. Each license purchase includes 1 year of support and updates. The renewal fee for the Standard and Portable Editions is currently $199 per license. The purchase fee and renewal fee for Law Enforcement is discounted. Full details are available at http://www.jadsoftware.com