Internet Evidence Finder (IEF) v3.5.2


What it does

The Internet Evidence Finder (IEF) searches the selected drive, folder (and sub-folders, optionally), or file (memory dumps, pagefile.sys, hiberfil.sys, etc) for Internet artifacts.

It can currently find:

  • Facebook® live chat messages
  • Facebook® page fragments
  • MSN/Windows Live Messenger® chat
  • Yahoo!® chat
  • Yahoo!® Webmail chat
  • GoogleTalk® chat
  • Gmail® email
  • Limewire® ver 5.2.8 – 5.5.14 Search History
  • Limewire.props files
  • IE8 InPrivate/Recovery URLs
  • Yahoo!® Messenger Group Chat
  • Yahoo!® Webmail email
  • Hotmail® Webmail email
  • AOL® Instant Messenger chat logs
  • Messenger Plus!® chat logs
  • MySpace® chat
  • Bebo® chat
  • Non-encrypted Yahoo!® Messenger chat
  • Facebook® Email “Snippets”

Depending on the items selected, IEF creates a report containing the search results or creates individual files containing the data found.

Facebook® Chat Messages
If this item is checked, IEF will search for messages sent and received using the Facebook® live chat feature. Facebook® Live Chat can be found in live memory, pagefile.sys/hiberfil.sys files, and on the hard drive in allocated and unallocated space. Information found with the message can include the Facebook® profile ID used to send/receive the message, the from/to names and IDs, and the date/time (in UTC) that the message was sent. However, not all messages found include all this data. An HTML file is also saved to the ‘Facebook Live Chat’ folder to assist in looking up Facebook IDs. Located messages are exported into a CSV or TSV file format in the ‘Facebook Live Chat Report’ folder.

Facebook® Page Fragments
If this item is checked, IEF will search for any Facebook® related web pages, including but not limited to the Inbox page, emails, photo galleries, groups, and so on. Most recovered items will be fragments and not the complete page, but attempts are made to recover the entire page and filter out false positives. A header is added to the fragment to aid in viewing the page. Facebook® page fragments can be found in live memory, pagefile.sys/hiberfil.sys files, and on the hard drive. Items found in this category are exported to files in the ‘Facebook pages’ folder with an .htm extension. An ‘index.htm’ file is also created in that folder; it lists source / output files along with hyperlinks to the output files.

MSN®/Windows Live Messenger Chat Messages
If this item is checked, IEF will search for chat messages sent/received using Windows Live Messenger®. Windows Live Messenger/MSN chat log files and chat fragments are found in live memory dumps, the pagefile.sys/hiberfil.sys files, and on the hard drive in allocated and unallocated space. Information found with the messages varies. If a Windows Live Messenger chat log file is found, a MessageLog.xsl file is created to aid in viewing the log file(s). Located messages are exported into text files (MSN protocol fragments), HTML files (incomplete logs), or XML files (complete logs) in the ‘Windows Live Messenger chat’ folder. An ‘index.htm’ file is also created in that folder; it lists source / output files along with hyperlinks to the output files. An option is available that will save all located chat log messages into one CSV or TSV report file. (Note: The Windows Live Messenger® search option is backwards compatible with MSN Messenger®, and these two program names are used interchangeably in IEF.)

Yahoo!® Chat Messages
If this item is checked, IEF will search for chat messages sent and received using Yahoo!® Messenger. This search option will recover chat logs found in live memory dumps, the pagefile.sys/hiberfil.sys files, and allocated/unallocated space on a hard drive. The Yahoo!® Messenger local username must be provided to decrypt the messages (e.g. if the login email address used is chippy@yahoo.com, the username would usually be ‘chippy’). The remote username is not stored in the logs and is not recoverable. If multiple accounts are used on the same computer, you can provide IEF with all the usernames and a report file will be created for each one. A number of false positives are unavoidable, especially when multiple account logs are on the system, as there is no way to determine whether a log was decrypted successfully or not. Located chat messages are exported into a CSV or TSV file in the ‘Yahoo chat’ folder.
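As an added example (not IEF's code), the Python carver below walks a raw buffer the way the search described above does: it tries every candidate local username as the decryption key, keeps decodes that look plausible, counts one hit per record, and writes one CSV/TSV report per username carrying the hit offset and logical sector (the offset semantics from the Limitations section). It assumes the commonly documented Yahoo! Messenger archive record layout and a XOR-with-username obfuscation; the page does not state what format IEF actually searches for, so the layout, the XOR scheme and the printable-ratio plausibility check are all assumptions, and the sample record is constructed test data.

```python
"""Added example, not IEF code: carve Yahoo! Messenger-style chat records from
a raw buffer (memory dump, pagefile, image), try each candidate local username
as the XOR key, filter implausible decodes, and write one CSV/TSV report per
username with the hit offset and logical sector.  Assumed record layout (the
commonly documented archive format; the page does not say what IEF carves):
timestamp(4,LE) | flags(4) | direction(4) | length(4) | body XOR username | 4 zero bytes
"""
import csv
import io
import struct

SECTOR_SIZE = 512
HEADER = struct.Struct("<IIII")  # timestamp, flags, direction, body length


def xor_username(data: bytes, username: str) -> bytes:
    """Symmetric obfuscation (assumed): XOR each byte with the username, cycling."""
    key = username.encode("ascii")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plausible(text: bytes) -> bool:
    """Weak false-positive filter: a genuine decode is mostly printable. A wrong
    username can still pass, which is why false positives are unavoidable."""
    ok = sum(32 <= b < 127 or b in b"\r\n\t" for b in text)
    return bool(text) and ok / len(text) >= 0.9


def carve(buf: bytes, usernames: list[str]) -> tuple[dict[str, list[dict]], int]:
    """Return ({username: rows}, hits). A record is one hit however many names
    decode it, matching how IEF counts Yahoo! hits since 3.1.0."""
    reports = {name: [] for name in usernames}
    hits = pos = 0
    while pos + HEADER.size <= len(buf):
        ts, _flags, direction, length = HEADER.unpack_from(buf, pos)
        end = pos + HEADER.size + length
        # Structural checks reject most random byte runs before any decode.
        if 0 < length <= 4096 and direction in (0, 6) and buf[end:end + 4] == bytes(4):
            hits += 1
            body = buf[pos + HEADER.size:end]
            for name in usernames:
                plain = xor_username(body, name)
                if plausible(plain):
                    reports[name].append({
                        "offset": pos, "sector": pos // SECTOR_SIZE, "timestamp": ts,
                        "direction": "sent" if direction == 0 else "received",
                        "message": plain.decode("ascii", "replace")})
            pos = end + 4  # skip past the terminator
        else:
            pos += 1
    return reports, hits


def to_report(rows: list[dict], tsv: bool = False) -> str:
    """Serialise one username's rows as CSV (default) or TSV."""
    out = io.StringIO()
    writer = csv.DictWriter(out, ["offset", "sector", "timestamp", "direction", "message"],
                            delimiter="\t" if tsv else ",", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def make_record(ts: int, direction: int, msg: str, username: str) -> bytes:
    """Build a constructed sample record (test data, not a real capture)."""
    body = xor_username(msg.encode("ascii"), username)
    return HEADER.pack(ts, 0, direction, len(body)) + body + bytes(4)
```

Running `carve` over a buffer containing one record encoded for ‘chippy’ with the names `["chippy", "alice"]` yields the correct message in the chippy report and a printable-looking garbage row in the alice report, which is exactly the false-positive behaviour the text warns about.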

GoogleTalk® Chat Messages
If this item is checked, IEF will search for messages sent or received using GoogleTalk® live chat. These messages are left behind in live memory, pagefile.sys/hiberfil.sys files, and possibly on the hard drive. Information found with the message can include the message ID, the Sender/Recipient email addresses, and the sender/recipient’s ID. Dates and times are not available to recover at this time. This search option may also recover chat left behind from other chat programs that utilize the ‘Jabber’ chat protocol (the sender/recipient ID will be your clue, containing an abbreviated name of the client used by that person). Located messages are exported into a CSV or TSV file format in the ‘GoogleTalk’ folder.

Yahoo!® Webmail Chat Messages
If this item is checked, IEF will search for messages sent or received using the live webmail chat found in Yahoo!® Webmail. These messages are left behind in live memory, pagefile.sys/hiberfil.sys files, and possibly on the hard drive. Information found with the message can include the Status number, the version number and vendor ID, the session ID, and the Sender/Recipient usernames. Dates and times are not available to recover at this time. Located messages are exported into a CSV or TSV file format in the ‘Yahoo Webmail Chat’ folder.

Gmail® Email
If this item is checked, IEF will search for Gmail® email fragments left behind in live memory. The fragments may be also found in the pagefile.sys/hiberfil.sys files and possibly the hard drive. Information found will vary and no proper format has been determined at this time. IEF will do its best to clean up the located fragment and convert encodings into a more readable format. Some fragments will be of the folder view with the sender name/address, subject, and first segment of the body of the email. Located Gmail® fragments are exported into a text file format (.txt) in the ‘Gmail’ folder. An ‘index.htm’ file is also created in that folder; it lists source / output files along with hyperlinks to the output files.

Limewire® Search History 
If this item is checked, IEF will look for search keywords left behind in live memory by Limewire® (tested with Limewire® v5.2.8 – 5.5.14). They are also found in the pagefile.sys/hiberfil.sys files and possibly unallocated space on the hard drive. Search keywords/terms that are recovered have an associated number indicating how many search results were returned for that search term at the time the keyword was left in memory. The recovered search terms are search keywords that were entered by the local user. Other search keywords that were passed through the client (“Incoming Searches”) from other clients on the P2P network are not recovered. Located search keywords are exported into a CSV or TSV file format in the ‘Limewire Search History’ folder.

Limewire.props files
If this item is checked, IEF will look for fragments of Limewire.props files. Fragments of these files are found in live memory, the pagefile.sys/hiberfil.sys files and on the hard drive in allocated and unallocated space. These files contain configuration data for the Limewire® peer to peer file sharing client and can include geolocations, recent downloads, and many other useful items. Located file fragments are exported into .txt (text) files in the ‘Limewire.props files’ folder. An ‘index.htm’ file is also created in that folder; it lists source / output files along with hyperlinks to the output files.

IE8 InPrivate/Recovery URLs
If this item is checked, IEF will look for URLs visited during InPrivate browsing in IE8 and URLs saved in Internet Explorer recovery files. These URLs are left behind in live memory, the pagefile.sys/hiberfil.sys files and on the hard drive in unallocated space. At this time, there is no known method of distinguishing between these two types of URL artifacts. Also found with the URLs is a page title or description, but this is not always present. Located URLs and titles/descriptions are exported into a CSV or TSV file format in the ‘IE8 InPrivate and Recovery URLs’ folder.

Yahoo!® Messenger Group Chat
If this item is checked, IEF will look for messages sent or received in Yahoo!® Messenger Group chat rooms. These chat messages are left behind in live memory, the pagefile.sys/hiberfil.sys files and possibly on the hard drive. Information found within these fragments can include the date/time, the username that sent the message, and the message itself. The name of the Yahoo! Messenger group that the message is sent within is not available to recover. Located messages are exported into a CSV or TSV file format in the ‘Yahoo Messenger Group Chat’ folder.

Yahoo!® Webmail email
If this item is checked, IEF will search for Yahoo!® webmail left behind in live memory, pagefile.sys/hiberfil.sys files, and on the hard drive in allocated and unallocated space. Multiple types of Yahoo!® webmail interfaces are supported, including ‘Classic view’ and the New Yahoo! Webmail view. Recovered email messages, email compose pages, and folder views are located and saved to .htm (HTML) files in the ‘Yahoo webmail’ folder. An ‘index.htm’ file is also created in that folder; it lists source / output files along with hyperlinks to the output files.

Hotmail® Webmail email
If this item is checked, IEF will search for Hotmail® webmail left behind in live memory, pagefile.sys/hiberfil.sys files, and on the hard drive in allocated and unallocated space. Recovered email messages, contact listings, and folder views are located and saved to .htm (HTML) and .txt (text) files in the ‘Hotmail webmail’ folder. An ‘index.htm’ file is also created in that folder; it lists source / output files along with hyperlinks to the output files.

AOL® Instant Messenger chat logs
If this item is checked, IEF will search for AOL® Instant Messenger (AIM) chat logs. These logs are left behind in live memory, pagefile.sys/hiberfil.sys files, and on the hard drive in allocated and unallocated space. Each log recovered is saved to an individual HTML (.htm) file. A ’styles.css’ style sheet file is created to aid in viewing these logs. Located logs are saved in the ‘AIM chat’ folder. An ‘index.htm’ file is also created in that folder; it lists source / output files along with hyperlinks to the output files.

Messenger Plus!® chat logs
If this item is checked, IEF will search for Messenger Plus!® chat logs. Messenger Plus! is an add-on for Windows Live Messenger/MSN Messenger that adds a number of features to the chat program. These chat logs are left behind in live memory, pagefile.sys/hiberfil.sys files, and on the hard drive in allocated and unallocated space. Located chat logs are saved into individual HTML (.htm) files in the ‘Messenger Plus! chat’ folder. An ‘index.htm’ file is also created in that folder; it lists source / output files along with hyperlinks to the output files.

MySpace® chat
If this item is checked, IEF will look for messages sent or received in MySpace® live chat. These chat messages are left behind in live memory, the pagefile.sys/hiberfil.sys files and possibly on the hard drive. Information found within these fragments can include the status of the message, the date/time, the sender ID, target ID, and the message itself. An HTML file is created to assist in looking up the MySpace IDs. Some user info is also recoverable, such as the real name/username associated with a MySpace ID, image URL, and other information. This information is saved to a ‘User Info’ file in the ‘MySpace chat’ folder. Located messages are also exported into a CSV or TSV file format in the ‘MySpace chat’ folder.

Bebo® chat
If this item is checked, IEF will look for messages sent or received in Bebo® live chat. These chat messages are left behind in live memory, the pagefile.sys/hiberfil.sys files and possibly on the hard drive. Information found within these fragments can include the status of the message, the date/time, the sender username, target username, and the message itself. Located messages are exported into a CSV or TSV file format in the ‘Bebo chat’ folder.

Non-encrypted Yahoo!® Messenger chat
If this item is checked, IEF will search for non-encrypted chat messages left behind by Yahoo!® Messenger. These messages are artifacts from the actual Yahoo!® Messenger chat window and are found in memory dumps and the pagefile/hiberfil.sys files. No username(s) are required to recover these messages. Messages of this type include the sending user name, the date/time (local time, not UTC), and the message itself. The recipient is not found in these fragments but can usually be ascertained by viewing the chat conversation. Located messages are saved to a CSV or TSV file format in the ‘Yahoo chat – Non-encrypted’ folder.

Facebook® Email “Snippets”
If this item is checked, IEF will search for Facebook® email “snippets” (previews of a full email message) left behind in live memory, pagefile.sys/hiberfil.sys files, and on the hard drive in unallocated space. This artifact is left behind when a user is viewing their Inbox or Sent Messages folder in their Facebook® account. It can include the Subject line, Original Author user ID, Recent Authors user IDs (the participants of the email conversation), Time Last Updated (the last time a message was posted in the thread), thread ID (ID# of the message in the user’s mailbox), and the “snippet” itself. Located “snippets” are exported into a CSV or TSV file in the ‘Facebook Email Snippets’ folder.

Limitations

  • The file offset/physical sector location will point to where the search hit occurred. Due to the varied formats and data processing/additions/deductions for presentation purposes, this may not always be the exact start of the exported data, but provides the general area in the file or on the disk that the item was located.

Requirements

IEF has been tested on Windows XP, Windows Vista, Windows XP 64-bit, Windows Server 2008 64-bit, and Windows 7 (32-bit and 64-bit). It should run fine on Windows 2000/2003 Server but will NOT run on Windows 9x.

IEF has been tested with and works on single ‘dd’ image files, physical drives connected via a write blocker or otherwise, Encase® PDE mounted images, and files (such as pagefile.sys and hiberfil.sys, and memory dump files). IEF is now also compatible with Mount Image Pro (tested with version 3.26.522).

Initial disk and memory requirements are minimal: if you can run Windows XP or later, you can run IEF. Memory usage grows as items being searched for are found, and IEF may require a large amount of RAM for big hard drives that contain a large number of artifacts.
IEF will also benefit greatly from a fast CPU and hard drive.

Upcoming features

  • The ability to search only unallocated space, only allocated space, or both
  • HTML report option
  • More searches?

Licensing

Due to the amount of time required to develop and support IEF, it is no longer freeware.

However, IEF is still free for law enforcement.

Please go to the Purchase page for details/licensing information.

Thanks for your support!


IEF v3 new features/release details:

Version 3.5.2 updates:
  • Bug fixed that wouldn’t let IEF load when certain types of virtual drives/shares were present on the system.
  • An interface option that was missing was added.
  • Some search stability/error checking features were added.

Version 3.5.1 updates:
  • Bug fixed that stopped IEF in some cases from loading when in demo mode.

Version 3.5.0 updates:
  • Limewire Searches updated to support more types of keyword searches in Limewire, and the Limewire version support updated to indicate support for versions 5.2.8 to 5.5.8 – thanks to Jason Belanger for his work in this area.

Version 3.4.0 updates:
  • When selecting a file as the source, multiple files can now be selected without having to use the Select Folder option
  • Updated MSN/WLM text fragment recovery
  • Added recovery of additional GoogleTalk® artifacts
  • Added retries (up to 20) when an error occurs reading a file or sector
  • Empty folders (i.e. 0 hits) in the output folder are now removed at the end of the search
  • Added a “Go to output folder” button that appears after the search is completed
  • Fixed bug where user was sometimes prompted when errors occurred even if “ignore errors” was checked
  • Issue resolved where installer could not launch IEF properly in Vista/7
  • Slight UI improvements
  • Demo version now saves up to 20 items per search

Version 3.3.0 updates:
  • Added the Facebook® Email “Snippets” search function.

Version 3.2.0 updates:
  • A newly discovered Facebook® live chat artifact format is now supported in the Facebook® Chat search of version 3.2.0, enabling IEF to locate and recover more Facebook® chat. Thanks to Allen LaFontaine for his help with discovering this new format.
  • A new search option has been added: “Ignore output errors during search”. If this item is checked, IEF will ignore any output errors during the search and automatically continue, logging the error in the IEF log file. This prevents IEF from waiting for user input if IEF is started and then left unattended.
  • IEF will now save up to 10 items per selected search when running in “demo mode” without a key. This allows IEF to be better evaluated before purchasing.

Version 3.1.0 updates:
  • New search added! IEF can now locate and recover non-encrypted Yahoo!® Messenger chat. No username is required to locate these artifacts, which appear to be left behind in memory directly from the Yahoo!® chat window. See the ‘Non-encrypted Yahoo!® Messenger chat’ section above or click on the “?” in the “Search for…” box in IEF for more information on this search. (Thanks to Herb Scott and Stephen Swanson for their help with this new search.)
  • Changed how IEF counts hits for Yahoo!® chat. Even if multiple usernames are entered, only one hit is counted for each located message, even though decryption is attempted using all the provided usernames on that message.
  • Cosmetic updates: Added a “Check for Updates” on the main screen, changed the MB/sec reading to MB/min for more accuracy, and a few other minor changes that don’t change any functionality.

Version 3.0.2 updates:
  • Support for very large volumes (16TB+) added
  • Main search routine optimized
  • Yahoo! Messenger false positive detection code improved
  • Spaces automatically stripped from user-provided user names for Yahoo! Messenger decryption
  • Bug fixed with Yahoo! Messenger search where discarded false positives were still counted as hits

Version 3.0.1 updates:
  • No longer need to right-click and select “Run as administrator” in Vista/7. Just run IEF as usual, accept the warning (if it appears) and IEF will launch and run properly.
  • Yahoo!® Messenger chat search function fine tuned to eliminate more false hits and clean up the report.

Version 3.0.0 updates:
  • New major release
  • 10 new searches added! (Limewire® ver 5.3.6 Search History, Limewire.props files, IE8 InPrivate/Recovery URLs, Yahoo!® Messenger Group Chat, Yahoo!® Webmail email, Hotmail® Webmail email, AOL® Instant Messenger chat logs, Messenger Plus!® chat logs, MySpace® chat, Bebo® chat)
  • All searches tweaked, improved, and faster
  • Better Facebook® web page fragment filtering
  • Log file now created containing search details and results
  • Added option of selecting an entire folder (and optionally, sub-folders) instead of a single file
  • Multiple Yahoo!® Messenger user names now supported – one report file for each user name is created
  • Results are now written to file as the search progresses, to a CSV or TSV file (Excel option removed in order to make this possible, and to avoid issues with different versions of Excel/date manipulation)
  • Greatly improved memory management
  • “Physical Sector” changed to read “Logical Sector” in report files when a logical drive (e.g. ‘C:’) is searched
  • If a logical drive is selected and Yahoo!® Messenger chat is being searched for, IEF will check the folder structure for possible Yahoo!® Messenger user names
  • HTML ‘index.htm’ files are now generated as an index for the individual files that are created in some of the searches
  • ‘Check for updates’ function added to check if newer versions of IEF are available