Internet Evidence Finder Part II Intro to IEF v3.3


I had an opportunity earlier this year to interview Jad Saliba of JadSoftware.com about his Internet Evidence Finder tool. You can view that interview here. Hopefully, SANS Computer Forensic Blog readers enjoyed the 15% discount that Jad offered exclusively to SANS CF blog readers and have taken the time to add this tool to your forensic toolkit. This post is part of a series and introduces the functionality of IEF v3.3. You can download the most recent version (v3.5.1 at the time of this article) from JadSoftware.com. As a brief recap, IEF will search a mounted drive/folder for Facebook chat, Yahoo! chat (IEF must have the chat username to decode it), Windows Live Messenger chat, Google Talk chat, AIM logs, Hotmail webmail fragments, Yahoo! webmail fragments, etc. For a full listing of supported artifacts and limitations, visit here.

IEF has a nice step-by-step wizard to guide you through the process of selecting your source drive/file, your output folder, other options, etc. The great thing about IEF is that if you only have a live memory dump, the hiberfil.sys or the pagefile.sys you can use it as your source file to search for that forensic nugget. If your forensic image is an .E01 you will need a mount image utility (i.e. Mount Image Pro) to mount the forensic image and then point IEF to that drive letter.

We can view the results in the output directory.

IEF also creates a text log file that shows which items were searched and, once IEF completes, a brief summary of the results. You will notice start and abort times in the log. (Author’s Note: the process was aborted for demonstration purposes.)

Let’s take a closer look at row #30: C: 119827947 http://www.tech-recipes.com/rx… *** None found **

Using your favorite hex editor, let’s look at sector 119827947, where we see the IE 8 InPrivate Browsing URL.
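The sector number in an IEF row is what lets you validate a hit in a hex editor: multiply it by the sector size to get the byte offset, then read the raw bytes there. The following is an added example (not code from the post or from JadSoftware) of that same idea in script form: it carves ASCII and UTF-16LE URLs out of a raw image and reports each one with its sector number in the same spirit as the IEF row above, and it lets you pull back the sector for a given hit. It assumes 512-byte sectors and uses a small constructed in-memory "image" with placeholder URLs, not a real disk image.

```python
import re

SECTOR_SIZE = 512  # assumption: 512-byte sectors, matching the sector column in IEF's output

# URL patterns in the two encodings most often seen in browser artifacts:
# plain ASCII, and UTF-16LE (every ASCII character followed by a NUL byte),
# which is how Internet Explorer stores many of its strings.
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]{4,200}")
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}"
)


def carve_urls(data):
    """Scan raw bytes for URLs and return hits with byte offset, sector and encoding."""
    hits = []
    for m in ASCII_URL.finditer(data):
        hits.append({
            "offset": m.start(),
            "sector": m.start() // SECTOR_SIZE,
            "encoding": "ascii",
            "url": m.group().decode("ascii"),
        })
    for m in UTF16_URL.finditer(data):
        hits.append({
            "offset": m.start(),
            "sector": m.start() // SECTOR_SIZE,
            "encoding": "utf-16le",
            "url": m.group().decode("utf-16-le"),
        })
    # Order by position on disk so the listing reads like a sector walk
    hits.sort(key=lambda h: h["offset"])
    return hits


def read_sector(data, sector):
    """Return the raw bytes of one sector, i.e. what you would view in a hex editor."""
    start = sector * SECTOR_SIZE
    return bytes(data[start:start + SECTOR_SIZE])


def build_sample_image():
    """Constructed 8-sector image with two placeholder URLs and one non-URL decoy."""
    image = bytearray(b"\x00" * (8 * SECTOR_SIZE))
    # Decoy: looks URL-like but has a single slash, so it must not be reported
    image[1 * SECTOR_SIZE + 4:1 * SECTOR_SIZE + 4 + 13] = b"http:/notaurl"
    ascii_url = b"http://example.com/inprivate-test"          # placeholder, not a real artifact
    image[3 * SECTOR_SIZE + 17:3 * SECTOR_SIZE + 17 + len(ascii_url)] = ascii_url
    utf16_url = "https://example.org/search?q=forensics".encode("utf-16-le")  # placeholder
    image[5 * SECTOR_SIZE + 100:5 * SECTOR_SIZE + 100 + len(utf16_url)] = utf16_url
    return image


def format_rows(hits):
    """Render hits as 'sector url (encoding)' lines, loosely modelled on an IEF row."""
    return [f"{h['sector']} {h['url']} ({h['encoding']})" for h in hits]


if __name__ == "__main__":
    img = build_sample_image()
    for row in format_rows(carve_urls(img)):
        print(row)
    # Validate the first hit the way the post does: look at the raw sector bytes
    print(read_sector(img, 3)[:64].hex(" "))
```

To use this against a real raw (dd-style) image you would replace `build_sample_image()` with a file read; an .E01 image would first need to be mounted or converted, exactly as the post notes for IEF itself. Carving a UTF-16LE string with a byte regex works because each code unit is the ASCII byte followed by NUL, so the pattern never crosses into an ASCII-encoded URL and vice versa.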

Internet Evidence Finder is a good, inexpensive forensic tool that assists the examiner/analyst with parsing internet artifacts, which are an important piece of the computer forensic examination. If your examinations include searching for internet artifacts, IEF will help you streamline the process and give you a clean output for reporting and presentation purposes. In Part III of the IEF series, we’ll take a closer look at the artifacts IEF reports and how we validate our findings. Stay tuned…
