3 Ways to Make IEF and EnCase Work Better Together

Jamie McQuaid, EnCE, Magnet Forensics

As forensic examiners we all use a variety of tools to conduct our investigations. Because the types and needs of every case vary, so must the tools that support them. We all have our favorites but typically an investigator’s toolbox will be filled with a variety of tools to assist with every scenario we encounter.

Investigators are always taught to use the best tool for the job and to work through cases thoroughly and efficiently. Internet Evidence Finder (IEF) has become a valuable tool for those of us working on cases requiring the analysis of Internet evidence and large volumes of data. IEF is specifically developed to intelligently recover Internet related artifacts from Windows, Mac, Linux, iOS, and Android devices enabling investigators to analyze large amounts of case data quickly and efficiently.

In the past couple of years, thousands of forensic examiners have started using IEF in combination with EnCase; IEF has become particularly popular with law enforcement customers. Beginning last year we started working with our customers to get an understanding of how they use both of these tools when working on a case. What we learned was that a typical investigative workflow using EnCase and IEF looks something like this:
  1. Acquire with EnCase
    • Acquire your evidence with EnCase, whether it’s a hard drive, memory, mobile device, or even logical evidence such as files or folders.
  2. Search with IEF
    • Run an IEF search against the acquired image or logical file structure
    • The IEF search is an automated process that will intelligently identify and recover data from hundreds of types of Internet and mobile artifacts
  3. Analyze IEF Search Results
    • IEF automatically organizes all the search results in a structured report that can be viewed in IEF Report Viewer or imported directly into EnCase
    • The IEF Report Viewer allows you to quickly analyze evidence to identify any artifacts of value in your investigation using searches, filtering, and visualization tools like timelines and mapping
  4. Validate IEF Results with EnCase
    • Use EnCase to validate artifacts recovered by the IEF search (using the file offsets/physical location provided by IEF)
  5. Analyze Further with EnCase
    • Import IEF search results into EnCase
    • Use the intelligence gained from the IEF to target and prioritize a more detailed analysis of the data with EnCase
  6. Prepare Report
    • Report your findings using a common reporting format that includes evidence from all sources and forensic tools
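Step 4 above, validating a recovered artifact at the physical offset the search tool reports, as an added worked example that is not code from this post, from IEF or from EnCase: the bytes at the reported offset are re-read from the image and compared by hash with what the tool says it recovered, which is the same check an examiner performs by hand in a hex view. The image, the artifact records and their field names are constructed here for illustration; IEF's real export format is not shown on this page.

```python
import hashlib

# Constructed raw image (not from any real case): eight empty sectors with a
# fake browser-history URL planted at a known physical offset.
SECTOR = 512
IMAGE = bytearray(b"\x00" * (8 * SECTOR))
URL = b"http://example.test/visited?page=1"
IMAGE[1536:1536 + len(URL)] = URL

# Hypothetical artifact records in the shape a search tool reports them:
# the physical offset the artifact was carved from and the data recovered.
ARTIFACTS = [
    {"name": "Browser URL", "offset": 1536, "data": URL},
    {"name": "Stale hit", "offset": 1536, "data": b"http://example.test/other"},
    {"name": "Out of range", "offset": 9000, "data": b"x"},
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_artifact(image: bytes, record: dict) -> dict:
    """Re-read the bytes at the reported physical offset and compare them,
    by hash, with what the tool claims it recovered there. Returns a verdict
    suitable for a validation log and never raises on a bad offset."""
    off, expected = record["offset"], record["data"]
    if off < 0 or off + len(expected) > len(image):
        return {"name": record["name"], "status": "offset outside image"}
    actual = image[off:off + len(expected)]
    ok = sha256(actual) == sha256(expected)
    return {
        "name": record["name"],
        "sector": off // SECTOR,          # sector an examiner would jump to
        "sector_offset": off % SECTOR,    # byte offset within that sector
        "status": "verified" if ok else "mismatch",
        "sha256": sha256(actual),
    }


def validate_all(image: bytes, records: list) -> list:
    return [validate_artifact(image, r) for r in records]


if __name__ == "__main__":
    for verdict in validate_all(bytes(IMAGE), ARTIFACTS):
        print(verdict)
```

A "mismatch" verdict is the interesting case: it usually means the offset refers to a different evidence item or to a logical rather than physical view, so the record should be re-checked before it goes in the report.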
Based on what we learned from our customers, the team here at Magnet Forensics then collaborated with the team at Guidance Software to develop three integration options that allow investigators who use both EnCase and IEF to initiate IEF searches from within EnCase and/or more easily import IEF recovered artifacts into EnCase. The three integration options we have released are:

  • IEF to EnCase Connectors – EnScripts that allow IEF searches to be initiated from within EnCase
  • IEF Evidence Processor Module for EnCase – Executes an IEF search as one of the pre-processing tasks within EnCase
  • IEF LEF Creator for EnCase – An EnScript that imports IEF search results into EnCase
Integrating these tools into your current processes will help uncover the truth quickly while allowing the examiner to work within whatever tool they are most comfortable with to achieve the best results.

IEF to EnCase Connectors

Available for both EnCase versions 6 and 7, the IEF to EnCase Connector allows investigators to launch a command line version of IEF from within EnCase. After creating your case and either previewing, acquiring, or loading your image file into EnCase, click on the IEF to EnCase Connector EnScript and an options window is displayed.

These options allow the investigator to choose whether they want to perform a quick, full, or sector level search. You can then select whether you want to export your results only to IEF, to an Excel spreadsheet, or to bring the data back into EnCase as an LEF record. The next options cover artifact selection. While the connector doesn’t list every specific artifact available within the IEF application, it does allow the user to select the artifact groups (Multimedia, Chat, Email, Browser History, P2P, Mobile Backups, Cloud, Social Networking, and Game Console). Once all the options are set, IEF is launched against the evidence and the search begins. From there, the investigator can choose to work within whatever tool he or she is comfortable with, as both EnCase and the IEF Report Viewer have their own strengths to assist with evidence analysis and reporting.


IEF Evidence Processor Module for EnCase

We also offer a processor module that works just like the EnScript connector. If your investigation includes any pre-analysis processing activities in EnCase, the processor module allows examiners to include an IEF search as one of these activities. Once the module is added to EnCase, the investigator will see it listed as “Internet Artifact Search with IEF by Magnet Forensics” among the processing options.

This works extremely well when the examiner plans to run several processes and searches overnight and begin analysis in the morning, maximizing their productivity rather than waiting for labor intensive processes or tasks to finish.

Get a Free Trial of IEF with the Evidence Processor Module for EnCase v7 from EnCase App Central http://www.guidancesoftware.com/appcentral/pages/product.aspx?cat=GuidanceSoftware&pid=180010079WS&k=internet%20evidence%20finder

IEF LEF Creator for EnCase

The third tool available to help investigators better integrate IEF and EnCase is the LEF Creator EnScript. This tool allows investigators to import all the evidence collected by a previous IEF search into EnCase to assist with further analysis. This helps examiners perform additional tasks on an already completed IEF search or quickly verify their findings with a secondary tool.

Just point the EnScript to the location of the IEF case folder and press OK. The script will pull all the evidence collected with IEF into EnCase as an LEF, which can then be searched or analyzed within EnCase. The artifacts recovered by IEF are reported as records within EnCase, where the investigator can proceed to bookmark or search the IEF records together with any evidence already loaded into EnCase. Another benefit of consolidating evidence from multiple tools is that the investigator can organize the data into one uniform report for all of the stakeholders in the case.


At the end of the day, your investigation is about getting the most thorough results possible, using the best tool, or tools, for the job. We want to make sure you have access to everything that is required to complete your investigation efficiently and effectively. It’s essential that the tools and resources you use make your job easier while also maximizing the evidence recovered and analyzed in a timely manner. Integrating IEF and EnCase seemed only natural for many of our investigations and we hope that these scripts and processes do so for you as well.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid@magnetforensics.com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics
