FAQ
→ Frequently Asked Questions
Here you will find some frequently asked questions and answers regarding JADsoftware products and related topics. If your question is still not answered after reading this page, feel free to contact Jad at jad@jadsoftware.com
→ IEF Q & A
Q: How should I use IEF to search for Internet artifacts?
A: IEF is designed to be as simple as possible without losing functionality. The following is a quick run down on how to use IEF:
- First, decide what you want IEF to search for and check or uncheck search items accordingly. Please note, the more items that are selected, the slower IEF will run. While IEF has been optimized and continues to be optimized, there’s no way to get around the fact that it is searching for 17 different types of artifacts and parsing the located hits for those artifacts if all the search options are selected.
- Next, decide what you will be searching. IEF can search a single file, a folder (and subfolders) of files, or a drive (physical or logical). Examples of files to search would be live memory dumps, pagefile.sys files, and hiberfil.sys files. If searching a hard drive, it’s recommended you select the PhysicalDrive in order to ensure the entire physical disk is searched and not just a partition. Even if there is only one partition on the drive, there can sometimes be space outside of the partition that would not get searched if you only select the logical drive (e.g. C:\).
- Now select an output location (folder) for the report files and exported hits to be saved to.
- Select or deselect any search options to suit your preference and click Start to begin the search.
- That’s it!
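The physical-versus-logical distinction above, shown as an added Python example that is not part of this FAQ or of IEF: it builds a constructed disk image whose single MBR partition stops short of the end of the disk, parses the partition table the way any carving tool would, and shows that an artifact sitting in the unpartitioned space after the partition is found only when the whole image is scanned. The image layout, the two URL strings and the URL pattern are assumptions made for the demonstration.

```python
import re
import struct

SECTOR = 512  # bytes per sector (assumed for this synthetic image)


def build_sample_image() -> bytes:
    """Construct a tiny disk image (entirely synthetic): an MBR with one
    partition that does not reach the end of the disk, one artifact inside
    the partition and one in the unpartitioned space after it."""
    total_sectors = 64
    part_start, part_sectors = 2, 40  # partition covers sectors 2..41
    img = bytearray(total_sectors * SECTOR)
    # MBR partition entry 0 at 0x1BE:
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                        part_start, part_sectors)
    img[0x1BE:0x1BE + 16] = entry
    img[510:512] = b"\x55\xAA"  # boot signature
    # Artifact inside the partition (sector 7)
    inside = b"http://example.com/inside-partition"
    off = (part_start + 5) * SECTOR
    img[off:off + len(inside)] = inside
    # Artifact after the partition ends (sector 50 is past sector 41)
    outside = b"http://example.com/after-partition"
    off = 50 * SECTOR
    img[off:off + len(outside)] = outside
    return bytes(img)


def mbr_partitions(img: bytes):
    """Return (start_byte, end_byte) for each non-empty MBR primary partition."""
    parts = []
    for i in range(4):
        entry = img[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            parts.append((lba_start * SECTOR, (lba_start + count) * SECTOR))
    return parts


URL_RE = re.compile(rb"https?://[A-Za-z0-9./_-]+")  # deliberately simple pattern


def find_urls(img: bytes, start: int = 0, end=None):
    """Carve URL-like strings from img[start:end] (end=None means the whole image)."""
    end = len(img) if end is None else end
    return [m.group(0).decode() for m in URL_RE.finditer(img, start, end)]


def compare_scopes(img: bytes):
    """Contrast a 'logical drive' scan (partition ranges only) with a
    'physical drive' scan of every byte, and list what the former misses."""
    logical = []
    for start, end in mbr_partitions(img):
        logical += find_urls(img, start, end)
    physical = find_urls(img)
    return {
        "logical": logical,
        "physical": physical,
        "missed_by_logical": [u for u in physical if u not in logical],
    }


if __name__ == "__main__":
    for scope, hits in compare_scopes(build_sample_image()).items():
        print(scope, hits)
```

On a real disk the unpartitioned space is typically the gap before the first partition, alignment padding between partitions, or the tail the partition table does not cover; the scan logic is the same, which is why the FAQ recommends selecting the PhysicalDrive.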
Q: Does IEF search .Exx (.E01) files?
A: No, IEF does not mount these image files. You must use a program to mount the images as a drive and then run IEF on the PhysicalDrive (e.g. PhysicalDrive1) or logical drive created (e.g. E:\).
An application called Mount Image Pro has been doing this for a long time now and works very well with IEF:
Download a trial version of Mount Image Pro
Visit the Mount Image Pro website
Q: I’m getting hits for Yahoo!® Messenger chat but the report file doesn’t seem to have any real messages?
A: Yahoo!® Messenger chat logs have almost no real header and a very bare structure and therefore are hard to validate. A number of processes are executed on search results to filter out false positives, but some will still get through. There is also no way to detect if the decrypted message was decrypted by the correct username, so there will be some overlap when multiple usernames are provided.
The bottom line is: If the message looks like garbled text it’s either not a real message or the wrong username was provided for decryption.
Q: Where can I find Yahoo!® Messenger user names?
A: Yahoo!® Messenger usernames can be found in the folder structure of a hard drive and in the Windows registry. IEF will automatically check the folder structure and provide suggestions for usernames when searching a logical drive (e.g. C:\).
Folder location for usernames: C:\Program Files\Yahoo!\Messenger\Profiles
Registry location for usernames: HKEY_CURRENT_USER\Software\Yahoo\Profiles
Q: Why do some Facebook® live chat messages not include the full names and other info?
A: A couple of different formats for Facebook® chat have been observed, one format includes all the fields, while the other only includes the date/time, user ID of the sender/recipient, and the message itself. It is not known at this time why some messages are left behind in this more limited format.
Q: Which field in Facebook® live chat messages does IEF use for the date/time and what’s the difference?
A: There are two date/time fields in Facebook® chat messages, “time” and “clientTime”, both in UTC format. When a message is sent, the clientTime value is supposed to be the current date/time, sent along with the chat message. When the Facebook chat server receives the message, it adds the “time” value (current date/time from the server) and sends that along with the clientTime value to the recipient. The clientTime is usually about a second behind the “time” value but this can vary.
However, the clientTime value can be manipulated or sent incorrectly by 3rd party chat clients and is not reliable. The “time” value comes from the Facebook chat server and it is the timestamp that IEF uses.
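An added Python example (not IEF’s code and not from this FAQ) that applies the rule above: it carves chat records out of a constructed byte blob standing in for a slice of a memory dump, reports the server-supplied “time” as the timestamp, and records how far “clientTime” deviates from it so a manipulated or mis-set client clock stands out. The two field names come from the answer; the record layout, the epoch-millisecond units, the sample values and the 60-second skew threshold are all assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample blob: random bytes with two hypothetical chat records
# embedded. The second record carries a clientTime a full year behind the
# server time, as a stand-in for a manipulated third-party client.
SAMPLE_BLOB = (
    b"\x00\x17garbage\xff\xfe"
    b'{"msg":{"text":"see you at 6","time":1262304000000,'
    b'"clientTime":1262303999100,"from":1001,"to":1002}}'
    b"\x00\x00more noise"
    b'{"msg":{"text":"ok","time":1262304005000,'
    b'"clientTime":1230768000000,"from":1002,"to":1001}}'
    b"\xde\xad\xbe\xef"
)

# Assumed record shape: a JSON object wrapping a "msg" object.
RECORD_RE = re.compile(rb'\{"msg":\{.*?\}\}')


def carve_messages(blob: bytes):
    """Yield each parseable chat record found in a raw byte blob."""
    for m in RECORD_RE.finditer(blob):
        try:
            yield json.loads(m.group(0).decode("utf-8"))["msg"]
        except (UnicodeDecodeError, ValueError, KeyError):
            continue  # false positive or a record partly overwritten


def to_utc(ms: int) -> str:
    """Render an assumed epoch-millisecond value as a UTC string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def analyse(blob: bytes, max_skew_seconds: int = 60):
    """Return one row per carved message, timestamped from the server "time"
    field, with the client/server skew and a flag when it is implausible."""
    rows = []
    for msg in carve_messages(blob):
        server_ms = int(msg["time"])
        client_ms = int(msg["clientTime"])
        skew = (server_ms - client_ms) / 1000  # positive: client clock behind server
        rows.append({
            "from": msg["from"],
            "to": msg["to"],
            "text": msg["text"],
            "timestamp": to_utc(server_ms),      # the value a report should show
            "client_skew_s": skew,
            "client_time_suspect": abs(skew) > max_skew_seconds,
        })
    return rows


if __name__ == "__main__":
    for row in analyse(SAMPLE_BLOB):
        print(row)
```

The skew column is worth keeping in a report even though it is never used as the timestamp: a large or negative skew is evidence about the sending client, not about when the message passed through the server.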
Q: Are ALL Facebook® live chat messages recovered by IEF?
A: No. Because Facebook® chat does not actually log/save messages anywhere, it is not possible to recover every single sent or received message. Messages that are “left behind” on the hard drive in files and unallocated space are recovered by IEF, but it is impossible to predict how many will be still intact and not overwritten by other data, or the time frame that is recoverable.
Q: Can you tell me more about the IE8 InPrivate/Recovery URL search?
A: This search will locate two types of URLs left behind by Internet Explorer 8®. The first type of URL searched for are URLs that were visited while the user was in IE8’s new InPrivate feature, in which browsing history is supposed to not be logged. The second type of URL found with this search are URLs stored by IE8 in recovery files (these files are created by IE so that, in the event of an IE crash, IE can take you back to the website(s) you were viewing at the time of the crash when you restart IE). Unfortunately, there is no known method at this time of differentiating between the two types of URLs, and no date/time is stored with the URLs in this format. However, the title of the page is, in many cases, found with the URL.
Q: What does the “Limewire® ver 5.3.6 searches” search function look for?
A: This search will locate search keywords from searches performed in Limewire® version 5.3.6 by the local user. With each search keyword located, the number of search results for that keyword (at the time it was left behind in memory or otherwise) is also present and recovered. While previous versions of Limewire® made it hard to differentiate between local user searches and “passed-through” searches from the Gnutella network, version 5.3.6 leaves behind a very reliable artifact that cannot be mistaken for searches from the network.
Q: What is the value of searching for Limewire.props files?
A: The Limewire.props file is the configuration file for Limewire®. It contains valuable information that can include the client ID (“GUID”), geolocation data, searches, recent downloads, and more. This file is overwritten every time Limewire is started or terminated, and therefore multiple copies can be found in unallocated space, providing snapshots of this information from previous dates and times.
Q: Can IEF be run on a Mac?
A: No, IEF only runs on Windows at this time. However, if you are able to connect a hard drive from a Mac to a Windows system, you can run IEF on the PhysicalDrive that is assigned to the drive (no logical drive, e.g. ‘E:\’, will be present since Windows doesn’t natively support the HFS file system).
Q: Is IEF portable?
A: Not at this time. IEF uses the registry and requires certain DLLs that may or may not be present on a computer that has not had IEF installed on it. Copying the IEF executable to a USB flash drive and running it on another computer will alter the registry on that computer (and ask for the registration key) or may not run at all. A portable version of IEF that does not use the registry and can be run from the command line with a smaller footprint is being developed.
Q: Which programs can I use to view the report files created by IEF?
A: IEF creates CSV or TSV files when possible, instead of individual files. These file formats are standardized and can be opened by any application that reads CSV/TSV files. Here are a few:
- Microsoft® Excel
- OpenOffice Calc (free)
- CSView (free and simple for quick viewing)
JADsoftware does not endorse or provide support for any of the above listed programs. Use what works best for your situation.
→ FJF Q & A
Q: Does the Facebook® JPG Finder locate photos if Firefox was used?
A: No, any browser that does not cache individual files will not save the Facebook® JPGs in a file name format that FJF can locate. Support for the Firefox cache files may be added in the future.
→ Purchasing / Licensing
Q: Do you accept purchase orders?
A: Generally no, only credit card payments/eChecks are accepted at this time, through PayPal. Please contact Jad at jad@jadsoftware.com if you are with an agency/organization that is unable to purchase by credit card.
Q: My credit card is not being accepted, why?
A: There may be a discrepancy with the address/phone number/other info that you provided not matching what your credit card company has on file. Please check this information and if you still have issues contact PayPal directly.
Q: How long does it take for eChecks to be processed?
A: eChecks can take 3 – 5 days to clear, but sometimes longer. You will not receive your IEF registration key until the eCheck clears so if you need the key sooner you should pay by credit card.
Q: Are there any shipping charges or will I receive any printed materials/CDs?
A: There are no shipping charges at this time and no CDs or printed material will be sent as IEF and Fchat are supplied electronically.
Q: Which currencies can be used to purchase software?
A: Software is priced in Canadian dollars; however, PayPal will convert the CDN amount to your local currency.
Q: I’ve paid for IEF/Fchat, when will I receive my license key?
A: License keys are sent out as quickly as possible, usually within a few hours. Sometimes, however, it will take longer, especially if your purchase is not made during the day (in Eastern Standard Time, GMT -0500).
Q: How long does my license last?
A: Currently, purchased licenses are valid for the entire major version release (i.e. v3 licenses are valid for all v3 updates/releases).
Q: What is the return policy for software purchased from JADsoftware?
A: All purchases ordered from JADsoftware are final once the Registration Key has been provided to the customer. Due to the inherent nature of artifact recovery being an imperfect science and the current inability to revoke provided registration keys, all sales are non-refundable. Demo or trial versions of the software are provided (when possible) to allow you to preview the software.
If your purchase was made through a third party merchant such as a reseller, then this merchant’s refund policy applies to your order. JADsoftware will not issue refunds for purchases made through a third party merchant.
