Working more efficiently with Internet Evidence Finder and EnCase Forensic

Jamie McQuaid
Forensics Consultant, Magnet Forensics

Forensic investigators understand that one of the biggest challenges to their cases is time management. As examiners, we would love to spend three months or more on a single case without any other distractions to ensure that every stone is overturned and every detail met with precision, but this is not the reality. Caseloads continually grow far beyond what one person or team can handle and we require the proper processes and tools to manage these cases quickly and efficiently without compromising quality.

Typically, digital forensic investigations are all conducted in a similar manner whether it’s a corporate policy violation, a network intrusion, or a child exploitation case done by law enforcement. The examiner begins by identifying the scope of the investigation and all the evidence to be collected. He or she then acquires the evidence in a forensically sound manner so that the integrity of the data is maintained throughout the entire process. Next, the data is searched for artifacts and analyzed to identify any relevant evidence on the system or device. Finally, once all the evidence is collected and analyzed, the examiner reports his or her findings to the relevant stakeholders for the case, which may include a judge or jury, legal or HR team, or management.

While it might only seem like one step in the forensic process, most workflow models tend to group many of tasks into the analysis phase. The key to an efficient and well-organized investigation is to breakdown the analysis into smaller tasks that can be improved and made more efficient. So instead of jumping between artifact collection and analysis throughout this phase, examiners can recover all the relevant artifacts prior to beginning analysis so that they are easily accessible. This allows them to continue their investigation uninterrupted.

While each step of the process is important and has its own challenges for investigators, the majority of the examiner’s time is spent during the analysis phase. This is because they need to be thorough in their investigation and searching for all the potentially relevant artifacts is often time consuming. Depending on the file system and the artifacts being searched, this is often a manual process. This is why investigators use various tools to help speed-up and automate some of the manual tasks of evidence analysis.

Adding Internet Evidence Finder to your Workflow

Internet Evidence Finder (IEF) is one of these tools and has become the most widely used for the recovery of Internet evidence. Leaving the acquisition part of the process to other tools, IEF focuses around the analysis phase of the investigative process and helps the examiner speed-up their investigation by:

  • Automatically searching for artifacts in unstructured data sources such as unallocated space, pagefile.sys, and volume shadow copies
  • Organizing the recovered artifacts into relevant categories and display them as meaningful information
  • Enabling the investigator to conduct a thorough and efficient analysis of the collected data through searching and filtering, or using visualization techniques such as timelines, mapping, rebuilding webpages and chat threads
This method allows the investigator to analyze all the artifacts at once without jumping back and forth between searching for the related artifact and analyzing the data. It also allows for the recovery of even more artifacts that an examiner might not have thought to look for by collecting everything at the onset of the investigation.

Maximizing Results with IEF and EnCase

A great example of how IEF can be used within your current process is to start by acquiring the evidence with EnCase either locally through the use of write blockers in a lab setting, or over the network using EnCase Enterprise if you are in a corporate setting. Once acquired, running your initial search with IEF will recover any of the artifacts that you need for analysis and help organize them for easy interpretation. After you’ve completed your analysis and gathered all the relevant evidence, this data can easily be imported back into EnCase for validation or further analysis if needed. Integration between EnCase and IEF is effortless through the use of EnScripts and LEF creation tools that assist the investigator with inputting and exporting between the two applications.

Caseloads for examiners are growing far beyond anything manageable with manual tools and traditional forensic processes. Investigators must find a way to maximize their time and energy by accelerating their investigations without compromising on quality. Finding ways to work smarter, not harder, is essential to keep-up with the increasing workload. Tools like IEF and EnCase allow investigators to maximize their analysis time and minimize time spent on repetitive tasks.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

No comments :

Post a Comment