
Internet Evidence Finder Final Report


Software Forensics Tool Report On

"INTERNET EVIDENCE FINDER"

Submitted By:

Nandish K. Chauhan
Enrollment No.: 110280723011
Semester: III, M.E. (Information Technology)

Nikita K. Chauhan
Enrollment No.: 110280723012
Semester: III, M.E. (Information Technology)

Submitted to:
Information Technology Department,
L.D. College of Engineering, Ahmedabad-15


L.D. COLLEGE OF ENGINEERING

AHMEDABAD – 380015

CERTIFICATE

This is to certify that the work presented in the seminar entitled

"Internet Evidence Finder"

has been carried out by

Nandish K. Chauhan & Nikita K. Chauhan

Enrollment No.: 110280723011 & 110280723012

under my guidance, in partial fulfillment of the requirements for the award of

M.E. (Information Technology)

by Gujarat Technological University, Ahmedabad

Date:


Acknowledgement

I wish to thank all who helped me in this seminar work.

I thank my Head of Department, Prof. D.A. Parikh, for helping me in sorting out the procedural work and for his guidance.

Books, the Internet and computing facilities have been a treasure in developing this seminar, so words of gratitude go to the staff of the library and computer department of L.D. College of Engineering, Ahmedabad.


Abstract

Internet Evidence Finder (IEF) is a computer forensics product that searches a hard drive, a forensic image, live RAM captures or individual files for Internet-related evidence while preserving the forensic integrity of the data. It recovers social networking communications, instant messenger chat histories, webmail, web browsing history, peer-to-peer activity and other Internet artifacts, including deleted data, and currently supports over 160 websites and applications.

IEF is designed with digital forensics examiners and investigators in mind, but is also used by IT security professionals, litigation support personnel, incident response teams, cyber security specialists and corporate investigators. It is applied to a wide range of investigations, including cybercrimes, violent crimes, property crimes, white-collar crimes and street crimes, and has become a widely used tool in digital forensic work.


INDEX

1. Introduction
   1.1 Overview
   1.2 Requirements of IEF
   1.3 IEF program requirements
2. About IEF
   2.1 Features
   2.2 Benefits
   2.3 How IEF works
   2.4 Screen shots
3. Conclusion
References


1. INTRODUCTION

IEF has been designed by its developers to aid analysts in discovering relevant forensic data, identifying suspicious files and activities, and managing the resulting information.

Digital forensics is the process of investigating equipment to determine whether it has been used for illegal, unauthorized or unusual activities.

Data on a storage device is found in two layers:

• Active data: information readily available, as normally seen by the operating system.
• Inactive data: information that has been deleted or modified (for example, in unallocated space) and that must be recovered rather than simply read.

1.1 Overview

IEF is a digital forensics tool developed by Magnet Forensics for recovering Internet-related artifacts from the data under examination. It can search a hard drive, a forensic image, or selected files and folders for such artifacts as part of a digital forensics investigation. It is a data recovery tool designed for digital forensics examiners, but also designed to be straightforward and simple to use.

The basic operation of IEF is intended to be simple: select a drive, image, file(s) or folder(s) to be searched, select the artifacts to search for, select an output/case folder, and run the search.

INTERNET EVIDENCE FINDER™ (IEF) software recovers social networking, online chat, web browsing history and other Internet activity from computer hard drives and live memory captures, including deleted data.

IEF software mainstays include:

• Single search for 160+ digital artifacts
• Search in 3 easy steps for fast results
• Web page rebuilding
• iOS backup support
• Rich and comprehensive reporting


1.2 Requirements of IEF

This section presents the five main reasons for the need of Internet Evidence Finder:

1.) IEF is comprehensive. It recovers data from 60+ commonly used artifact types, finding more evidence in more locations on the hard drive and in live memory. It is first to support new artifact types, so you can be confident that you have found all the results.

2.) IEF is easy to use. Run a search in 3 easy steps. It is suitable for examiners of all levels, regardless of technical experience: set it and forget it, then come back to the key evidence.

3.) IEF speeds up investigations. You can start work straight away and focus on your investigation quickly, improving case turnaround times and getting through your backlogs.

4.) IEF presents results in an understandable way. Use keyword search to narrow the results to what is relevant, export the evidence into a report, then hand it off to the investigator.

5.) IEF reduces your overall budget spend. A "many-in-one" tool eliminates the need to buy multiple products; easy-to-use technology means less money spent on training; and fewer man-hours are spent on manual recovery of evidence.

1.3 IEF program requirements

• IEF must be run on Windows XP, Windows Vista or Windows 7 (32- and 64-bit versions). IEF v5 will not run on Windows 2000 or below.
• A minimum screen resolution of 800x600 is required.
• IEF must be run on a computer with .NET Framework 4.0 or newer (2.0 for IEF Triage); IEF v5 will not run with an older .NET Framework.
• IEF Report Viewer must be run on a computer with .NET Framework 2.0 Service Pack 2 or newer; the IEF v5 Report Viewer will not run with a .NET Framework older than 2.0 SP2.
• Hardware requirements are minimal: if the computer meets the requirements of the operating system it is running, it can run IEF. However, a fast CPU and at least 2 GB of RAM are recommended.
• The speed of the storage device being searched (or containing the files being searched) makes a large difference to search time; a RAID 0 or SSD set-up is recommended.
• Anti-virus software may interfere with IEF's operation. If you receive errors or crashes when running IEF, it is recommended to disable your AV before trying to perform a search. On an examination workstation, adding the IEF program folder and the case folder to the AV exclusions is a narrower alternative to switching protection off, and any such change should be noted in the case record.

2. About IEF

2.1 Features of IEF

General features of IEF (what it can search):

• Entire logical or physical drives
• Unallocated space/deleted data
• Selected files, including live RAM captures, pagefile.sys and hiberfil.sys files (with full decompression) and more
• Entire user-selected folders and subfolders
• Special areas of the NTFS file system

Features of the latest version, IEF v5.7:

• Picture & video analysis
  – Carving/parsing
  – Skin tone & body part detection
  – EXIF data
• Chrome Incognito & Firefox Private Browsing history
• Carbonite & Google Maps artifacts
• Web history categorization
• Support for Ex01, Lx01 & L01 images
• Dates and times now converted to local or a specified time zone

2.2 Benefits of IEF

1. Robust Search & Dependable Results
IEF can recover more types of data than any other solution, which makes it more likely to uncover critical evidence. You can do a single search and find all Internet-related evidence without having to try keywords, manually carve data, or run individual scripts. It is the closest thing to a "Find All Evidence" button. With its patent-pending technology, IEF finds more forms of Internet artifacts and filters out false positives. IEF is able to recover not only deleted data but also data from live RAM captures, which often hold vital evidence.

2. Accelerate Investigations & Reduce Case Backlog
With ever-growing hard drive capacities and the explosive growth in both case loads and complexity, organizations and agencies of all kinds require an accurate and comprehensive solution for recovering data. IEF is a rapid automated solution that saves a tremendous amount of time and allows you to work on other parts of the investigation while it is searching. It is as straightforward as hitting search and coming back to a comprehensive report to review the results.

3. User Friendly
Both experienced and new forensic examiners/investigators find the IEF user interface flexible, intuitive and easy to use. Because its reporting options are as impressive as its analytical capabilities, producing professional reports for both internal and external audiences is equally simple and straightforward. Time is of the essence, and that is why there is no complex configuration or setup.

4. The Gold Standard in Data Recovery
IEF is considered the de facto standard for the recovery of Internet data and is used by thousands of national security agencies, law enforcement teams and corporations around the world.

5. Court Admissible
The reporting feature built into IEF records the information examiners require to manually verify all results, so that each finding can be independently checked before it is presented.

2.3 How IEF Works

The basic operation of IEF is as follows: Data is read from a drive or file in chunks (either at the sector level or the file level, depending on the type of search being run). Each chunk is searched for keywords or patterns that correlate to the artifacts being searched for, and any hits are validated and saved to the respective case file. Artifacts that can’t be saved in a report file are saved to individual files and linked to a report file.
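The chunked read, pattern search, validation and save loop described above, shown as an added example that is not IEF's code: Magnet's artifact signatures are proprietary, so the URL regular expression, the SQLite page-size check, the chunk size and the overlap used here are assumptions, and the "image" is constructed test data. The overlap between consecutive chunks, together with the rule that a match running into the end of a non-final chunk is deferred to the next one, is what keeps a hit that straddles a chunk boundary from being missed or reported truncated. The absolute offset recorded with each hit is what lets an examiner verify it by hand, as the Court Admissible benefit above requires.

```python
import io
import re
from dataclasses import dataclass
from typing import BinaryIO, Iterator, List, Tuple

CHUNK_SIZE = 4096   # assumption: the real chunk size used by IEF is not documented on the page
OVERLAP = 256       # must be >= the longest artifact so a hit split across two chunks is still found

# Constructed signatures (assumptions; IEF's own artifact definitions are proprietary).
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]{4,200}")
SQLITE_MAGIC = b"SQLite format 3\x00"   # header of e.g. a Chrome or Firefox history database


@dataclass(frozen=True)
class Hit:
    artifact: str
    offset: int   # absolute byte offset in the image, so an examiner can verify the hit by hand
    value: str


def iter_windows(fh: BinaryIO, chunk_size: int, overlap: int) -> Iterator[Tuple[int, bytes, bool]]:
    """Yield (absolute_offset, window, is_last); each window repeats the last `overlap` bytes of the previous one."""
    pos, carry = 0, b""
    data = fh.read(chunk_size)
    while data:
        nxt = fh.read(chunk_size)          # read ahead so we know whether this window is the final one
        window = carry + data
        yield pos - len(carry), window, not nxt
        carry = window[-overlap:]
        pos += len(data)
        data = nxt


def _valid_url(raw: bytes) -> bool:
    """Cheap false-positive filter: the host part must look like a hostname."""
    host = raw.decode("ascii").split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return "." in host and not host.startswith(".") and not host.endswith(".")


def _valid_sqlite(hdr: bytes) -> bool:
    """Bytes 16-17 of a SQLite header hold the page size (big-endian): a power of two in 512..32768, or 1 (= 65536)."""
    if len(hdr) < 18:
        return False
    ps = int.from_bytes(hdr[16:18], "big")
    return ps == 1 or (512 <= ps <= 32768 and ps & (ps - 1) == 0)


def scan(fh: BinaryIO, chunk_size: int = CHUNK_SIZE, overlap: int = OVERLAP) -> List[Hit]:
    hits, seen = [], set()
    for base, window, last in iter_windows(fh, chunk_size, overlap):
        # A match that runs into the end of a non-final window may be truncated: skip it here and
        # let the next window (which repeats these bytes) find the whole thing. `seen` drops the
        # duplicate when a complete hit lies entirely inside the overlap of two windows.
        for m in URL_RE.finditer(window):
            if m.end() == len(window) and not last:
                continue
            off = base + m.start()
            if off not in seen and _valid_url(m.group()):
                seen.add(off)
                hits.append(Hit("url", off, m.group().decode("ascii")))
        idx = window.find(SQLITE_MAGIC)
        while idx != -1:
            off = base + idx
            hdr = window[idx:idx + 18]
            if (len(hdr) == 18 or last) and off not in seen and _valid_sqlite(hdr):
                seen.add(off)
                hits.append(Hit("sqlite_header", off, "SQLite format 3"))
            idx = window.find(SQLITE_MAGIC, idx + 1)
    hits.sort(key=lambda h: h.offset)
    return hits


def scan_bytes(data: bytes, **kw) -> List[Hit]:
    return scan(io.BytesIO(data), **kw)


def build_sample_image() -> bytes:
    """Constructed test data, not a real disk image."""
    img = bytearray(b"\xAA" * (CHUNK_SIZE - 20))         # noise; the next artifact straddles the 4096-byte boundary
    img += b"http://example.com/login?user=alice"
    img += b"\x00" * 500
    img += b"http://..broken"                            # matches the regex but fails validation
    img += b"\x00" * 50
    img += SQLITE_MAGIC + b"\x10\x00"                   # page size 0x1000: a plausible database header
    img += b"\x00" * 3000                               # "unallocated" filler
    img += b"https://mail.example.org/inbox"            # ends exactly at the end of the image
    return bytes(img)


if __name__ == "__main__":
    for h in scan_bytes(build_sample_image()):
        print(f"{h.offset:>8}  {h.artifact:<14} {h.value}")
```

Run it directly to print the offset, artifact type and value of each validated hit; to run it over real input, pass a file object opened in binary mode on a raw image to `scan()`. Shrinking the chunk size changes only how many windows are read, not the hits, which is the property the overlap is there to guarantee.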

2.4 Screen shots

(Screenshots from the original report are not reproduced here.)


Conclusion

• Internet Evidence Finder
  – Obviously focuses on Internet evidence
  – Does a tremendous job with web browser history: IE, Firefox, Safari and Chrome
  – Also great on different types of communication: chats, Skype, Facebook and Twitter
  – Very fast considering how much evidence it finds
  – You can review the findings while it is still working
  – Makes a really nice HTML report with active hyperlinks

References:

1. http://www.magnetforensics.com/products/internet-evidence-finder/
2. http://www.slideshare.net/Magnet_Forensics/internet-evidence-finder-top-5-reasons
3. http://forensiccontrol.com/resources/reviews/internet-evidence-finder-ief-v4/
4. http://forensicsource.blogspot.in/2012/02/internet-evidence-finder-vs-netanalysis.html