Blog

Web-based review for Internet Evidence Finder™

Internet Evidence Finder (IEF)™ by Magnet Forensics™ is an automated evidence search and recovery tool that parses and carves hundreds of different types of digital forensic artifacts from allocated and unallocated space. It is rapidly gaining popularity and is used by thousands of digital forensics experts around the world to find, analyze and present digital evidence. Recently Magnet Forensics has announced the release of Magnet AXIOM, an integrated version of IEF technology that allows experts to work more efficiently and also includes support for smartphones and tablets.

Tracks Inspector now supports IEF & Magnet AXIOM xml reports so that now, in addition to the existing capability for forensics evidence formats and exports from UFED™, XRY™ and Oxygen™, the experts can also make their IEF™ results available instantly to non-technical investigators via the Tracks Inspector forensic & collaborative web-based review and analysis platform. Typical forensic artifacts extracted with IEF, such as internet history (normal, deleted and in-private browser url’s), reconstructed html pages and web emails, chats etc. are presented in Tracks Inspector’s easy to access and user friendly evidence galleries and dashboards.

Screen Shot 2016-04-22 at 11.36.33A Tracks Inspector case can consist of tens or even hundreds of evidence units, e.g. laptop images, smartphones, just a bunch of folders or xml report from UFED, XRY, Oxygen and now also IEF. The screenshot illustrates how a IEF xml report is presented to the user, displaying IEF case information, examiner etc. Tracks Inspector standard triggers will notify users about interesting patterns in the data. For instance, a trigger may indicate that an IOS backup of an iPhone is present. A detective may then prompt a digital forensics expert to analyze this backup with IEF and upload the outcome as an XML report into the same case as a new evidence unit.

Screen Shot 2016-04-22 at 11.37.20Imagine investigators have been working on a medium size investigation for months and have just performed search at different locations. Now they have 20 laptops, some USB pens and 40 smartphones. Analyzing all of these evidence units with a tool like IEF may be relatively easy, but it is still cumbersome and will take a digital forensics expert days to process on a single forensic workstation. There are several challenges in this scenario.

Will the expert look for actual evidence and only present relevant findings to the investigators? If so, this process will very likely take several weeks and not days. Does the expert know exactly what to look for? How well does he know the case? Alternatively, if the expert presents a complete IEF report for each evidence unit to the investigators, how are these reports distributed? Which investigator will look at what? Send the reports to everyone? Send it how? Via email, put it on a fileserver, on a USB storage device? How can investigators collaborate? How can you track progress?

A process that relies on manual distribution of intermediate results and collection of analysis outcomes takes time and is prone to errors. It will also require the investigators to have a workstation with reader software installed and they are expected to know how that works. Meanwhile, during the first days after the search the investigators have no clue what’s in the evidence and they are the ones that have to interview the suspects as soon as possible.

Screen Shot 2016-04-22 at 11.49.03By first loading the evidence units in Tracks Inspector, investigators can directly start with their investigation. Evidence units that look promising and that have triggered internet history, selected mobile phone apps or smart phone backup can then be prioritized for IEF analysis by a digital forensics expert. The analysis results in the form of IEF xml reports can be added to the same case as new evidence units. Investigators are notified by the system when new evidence units are added to their case.

Customer trials with the new Tracks Inspector version are expected to start in May. Based on customer feedback support for new IEF artifacts will be added in the Tracks Inspector software. If you are a Tracks Inspector customer and would like to participate in a customer trial to give feedback, please contact us or our partner via email or use our contact form.