Internet Evidence Finder (IEF)

Knowledge Base/FAQ

Here you’ll find answers to a range of frequently asked questions about JADsoftware products and related topics. If your question isn’t covered here, feel free to contact us.

Q: How do I check the status of my software maintenance & support (SMS)?

1. Insert IEF USB dongle into computer and launch IEF program
2. Go to the “Licensing” menu at the top of the page
3. Click on “Check License Key file info”
4. Under “SMS Valid Until” it will show the date your SMS expires

Q: Where do I find my USB dongle ID number?

1. Insert IEF USB dongle into computer and launch IEF program
2. Go to the “Licensing” menu at the top of the page
3. Click on “Check License Key file info”
4. This will give you the dongle ID number

Q: How do I upgrade from v4 Standard Edition to v5 Standard Edition?

1. Download the IEFv5setup.exe file and run it and follow the prompts.
2. You can install v5 alongside v4 if you would like to keep an installation of v4 on your system.
3. If you receive an error message that your license is expired, this means that your software maintenance & support (SMS) subscription has expired. You can renew your SMS subscription by contacting sales@jadsoftware.com or by calling 519-342-0195.
4. Please note you can continue to use your current IEF license but you won’t be able to upgrade to the latest version without a current SMS subscription.

Q: How do I upgrade from v4 Portable Edition to v5 Triage Edition?

1. Back up and then delete all the files off your Portable dongle EXCEPT the iefkey.dat file.
2. Download and unzip the IEFv5Triage.zip file to your dongle.
3. Run/double-click the “Run IEF.cmd” file to start IEF Triage
4. If you receive an error message that your license is expired, this means that your software maintenance & support (SMS) subscription has expired. You can renew your SMS subscription by contacting sales@jadsoftware.com or by calling 519-342-0195.
5. You can continue to use your current IEF license but you won’t be able to upgrade to the latest version without a current SMS subscription.

Please note: Because of the live environment that Triage is intended to be used in, the drivers required for image mounting are not installed by default (nor are any other files). If you are using Triage on your forensic workstation and wish to run it on an image, please go into the “Drivers” folder in the “IEFTriage” folder and run the “install.cmd” file (either right-click and select “Run as Administrator” or run it from an elevated command prompt).

Q: How should I use IEF to search for Internet artifacts?

A: IEF is designed to be as simple as possible without sacrificing functionality. Here’s a quick run-down on how to use IEF:

First, choose the type of search you’d like to run: you can select one of the following presets or customize the search: Quick Search, Full Search, Unallocated Clusters Only, Sector Level Only, and Files / Folders. The IEF v5 User’s Manual describes what these searches do and how to run them. You can access this manual by clicking Help on the main screen or going to the Help menu and clicking ‘IEF Help’.

Next, decide what you want IEF to search for and check or uncheck search items accordingly. Please note, the fewer items you choose, the faster IEF will run.

Now, decide where you’re searching. If you’re searching a hard drive, select the volume/partition that contains the operating system (or if running the “Sector Level Only” search, the PhysicalDrive# of the target drive). IEF can also search a single file or a folder (and subfolders) of files. Examples of files to search would be live memory dumps, pagefile.sys files, and hiberfil.sys files.

Next, select an output location (case folder) for the exported hits to be saved to.
Select or deselect any search options to suit your preference and click Start to begin the search.

That’s it!

For greater detail, walkthroughs, and screenshots, please see the IEF v5 User’s Manual.

Q: Does IEF search .Exx (.E01) files?

A: Yes, IEF v5 now supports native image mounting for .E01 and ‘dd’ (raw) images. Simply point IEF to your image on the screen where you select the source drive. If an image or drive contains multiple partitions, be sure to point IEF to the partition containing the operating system or you can select multiple partitions/volumes.

Q: I’m getting hits for Yahoo!® Messenger chat but the report file doesn’t seem to have any real messages?

A: Yahoo!® Messenger chat logs have almost no real header and a very bare structure and are therefore hard to validate. A number of processes are executed on search results to filter out false positives, but some will still get through. There is also no way to detect whether the decrypted message was decrypted by the correct username, so there will be some overlap when multiple usernames are provided.

The bottom line: If the message looks like garbled text it’s either not a real message or the wrong username was provided for decryption.

IEF v4 now includes more validation options, including a user-specified acceptable date range, and user adjustable strictness controls. Click the “Options” button next to the Yahoo!® Messenger item in the “Artifacts to Search For” screen to set these options and for an explanation of the options.
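The two validation controls described above, an acceptable date range and a strictness setting, can be modelled as a filter over candidate hits. The following is an added example, not IEF's code: the recovery step is modelled as a repeating-key XOR with the username purely as a stand-in (the FAQ says only that messages are "decrypted by username" and does not describe the scheme), the strictness thresholds are constructed, and the sample hit is constructed.

```python
import string
from datetime import datetime, timezone

# Constructed thresholds: the fraction of recovered bytes that must be printable text
# at each strictness level. IEF's real controls are not documented on this page.
STRICTNESS_THRESHOLDS = {"low": 0.70, "medium": 0.90, "high": 0.98}

PRINTABLE = set(string.printable.encode("ascii"))


def xor_with_username(data: bytes, username: str) -> bytes:
    """Repeating-key XOR with the username. This is an assumed stand-in for the
    recovery step; the FAQ does not name the actual scheme."""
    key = username.encode("ascii")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; garbled output scores low."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def validate_hit(timestamp: int, plaintext: bytes, date_from: datetime,
                 date_to: datetime, strictness: str = "medium"):
    """Apply the two checks the FAQ describes: date range first, then text strictness."""
    when = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    if not (date_from <= when <= date_to):
        return False, f"timestamp {when.isoformat()} outside acceptable range"
    ratio = printable_ratio(plaintext)
    if ratio < STRICTNESS_THRESHOLDS[strictness]:
        return False, f"only {ratio:.0%} printable: garbled, wrong username or not a real message"
    return True, "passes"


def recover_messages(hits, usernames, date_from, date_to, strictness="medium"):
    """Try every candidate username against every hit and keep the ones that validate.
    Overlap between usernames (the FAQ's caveat) shows up as more than one result per hit."""
    results = []
    for ts, ciphertext in hits:
        for user in usernames:
            plain = xor_with_username(ciphertext, user)
            ok, _reason = validate_hit(ts, plain, date_from, date_to, strictness)
            if ok:
                results.append((user, ts, plain.decode("ascii")))
    return results


# Constructed sample: one hit "encrypted" with the username alice_99, dated 2012-03-01 UTC.
SAMPLE_TS = int(datetime(2012, 3, 1, 14, 30, tzinfo=timezone.utc).timestamp())
SAMPLE_HITS = [(SAMPLE_TS, xor_with_username(b"hey, are you coming tonight?", "alice_99"))]
RANGE_FROM = datetime(2012, 1, 1, tzinfo=timezone.utc)
RANGE_TO = datetime(2012, 12, 31, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, ts, text in recover_messages(SAMPLE_HITS, ["alice_99", "bob"], RANGE_FROM, RANGE_TO):
        print(user, datetime.fromtimestamp(ts, tz=timezone.utc), text)
```

A hit that falls outside the date range is rejected before any text check, which is why narrowing the range is the cheapest way to cut false positives; raising strictness then removes the remaining garbled decodes from wrong usernames.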

Q: Where can I find Yahoo!® Messenger user names?

A: Yahoo!® Messenger usernames can be found in the folder structure of a hard drive and in the Windows registry. IEF v5 can check the folder structure and provide suggestions for usernames (Click the “Options” button next to the Yahoo!® Messenger item in the “Artifacts to Search For” screen to check for usernames).

Folder location for usernames: C:\Program Files\Yahoo!\MessengerProfiles
Registry location for usernames: HKEY_CURRENT_USER\Software\Yahoo\Profiles

Q: Why do some Facebook® live chat messages not include the full names and other info?

A: A number of different formats for Facebook® chat have been observed. Some formats include all the fields, while some only include the date/time, user ID of the sender/recipient, and the message itself. It is not known at this time why some messages are left behind in this more limited format.

Q: Which field in Facebook® live chat messages does IEF use for the date/time and what’s the difference?

A: There are two date/time fields in Facebook® chat messages: “time” and “clientTime”, both in UTC format. When a message is sent, the clientTime value is supposed to be the current date/time, sent along with the chat message. When the Facebook chat server receives the message, it adds the “time” value (the current date/time from the server) and sends that along with the clientTime value to the recipient. The clientTime is usually about a second behind the “time” value, but this can vary.

However, the clientTime value can be manipulated or sent incorrectly by 3rd party chat clients and is not reliable. The “time” value comes from the Facebook chat server and it is the timestamp that IEF uses.
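The following added example (not IEF's code) shows how a practitioner could carve chat records from a raw buffer, take the server-supplied "time" as the timestamp, and flag records whose clientTime disagrees with it by more than a tolerance. The JSON layout, the millisecond epoch units and the sample buffer are constructed assumptions; the page only names the two fields.

```python
import json
import re
from datetime import datetime, timezone

# Constructed buffer imitating fragments left behind on disk. Only the field names "time"
# and "clientTime" come from the FAQ; the record layout is an assumption of this example.
SAMPLE_BUFFER = (
    b'\x00\x00junk{"from":1001,"to":2002,"time":1351000000000,"clientTime":1350999999200,'
    b'"msg":{"text":"see you at 7"}}more junk'
    b'{"from":2002,"to":1001,"time":1351000005000,"clientTime":1351086405000,'
    b'"msg":{"text":"ok"}}\xff\xfe'
)

# Matches one complete record with a single-level "msg" object.
RECORD_RE = re.compile(
    rb'\{"from":\d+,"to":\d+,"time":\d+,"clientTime":\d+,"msg":\{[^{}]*\}\}'
)


def carve_records(buf: bytes):
    """Yield parsed records found anywhere in a raw buffer (file slack, unallocated space)."""
    for m in RECORD_RE.finditer(buf):
        yield json.loads(m.group(0).decode("utf-8", errors="replace"))


def to_utc(ms: int) -> datetime:
    """Epoch milliseconds (assumed unit) to an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def assess(record: dict, max_skew_s: float = 60.0) -> dict:
    """Use the server 'time' as the timestamp; report clientTime only as a consistency check."""
    server_ms = record["time"]
    client_ms = record["clientTime"]
    skew_s = (server_ms - client_ms) / 1000
    # clientTime is expected slightly behind the server time; ahead of it, or far behind,
    # points at a manipulated or badly behaved client.
    suspect = skew_s < 0 or skew_s > max_skew_s
    return {
        "from": record["from"],
        "to": record["to"],
        "timestamp": to_utc(server_ms).isoformat(),
        "clienttime_skew_s": skew_s,
        "clienttime_suspect": suspect,
        "text": record["msg"]["text"],
    }


def analyse(buf: bytes, max_skew_s: float = 60.0):
    return [assess(r, max_skew_s) for r in carve_records(buf)]


if __name__ == "__main__":
    for row in analyse(SAMPLE_BUFFER):
        print(row)
```

The second constructed record has a clientTime a day ahead of the server time; it is still reported with the server timestamp, but the skew flag tells the examiner not to rely on the client's clock.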

Q: Are ALL Facebook® live chat messages recovered by IEF?

A: No. Because Facebook® chat does not actually log/save messages, it is not possible to recover every single sent or received message. Messages that are “left behind” on the hard drive in files and unallocated space are recovered by IEF, but it is impossible to predict how many will be still intact and not overwritten by other data, or the time frame that is recoverable.

Q: Can you tell me more about the IE InPrivate/Recovery URL search?

A: This search will locate two types of URLs left behind by Internet Explorer® v7–v10. The first type is URLs that were visited while the user was in IE8’s InPrivate feature, in which browsing history is not supposed to be logged. The second type is URLs stored by IE in recovery files (IE creates these so that, in the event of a crash, it can take you back to the website(s) you were viewing at the time of the crash when you restart IE). Unfortunately, there is no known method at this time of differentiating between the two types of URLs, and no date/time is stored with the URLs in this format. However, the title of the page is, in many cases, found with the URL.

Any hits for this artifact that are in IE Recovery files can be determined to be Recovery URLs and likely not InPrivate URLs. InPrivate URLs are not saved to these files.

Q: What does the “Limewire® ver 5.2.8 – 5.5.16 searches” search look for?

A: This search will locate search keywords from searches performed in Limewire® version 5.3.6 by the local user. With each search keyword located, the number of search results for that keyword (at the time it was left behind in memory or otherwise) is also present and recovered. While previous versions of Limewire® made it hard to differentiate between local user searches and “passed-through” searches from the Gnutella network, version 5.3.6 leaves behind a very reliable artifact that cannot be mistaken for searches from the network.

Please note: IEF v5 has support for Limewire/Frostwire search keywords as well, using a similar method to locate them and differentiate from “passed-through” searches.

Q: What is the value of searching for Limewire.props/Frostwire.props files?

A: The Limewire.props file is the configuration file for Limewire®. It contains valuable information that can include the client ID (“GUID”), geolocation data, searches, recent downloads, and more. This file is overwritten every time Limewire is started or terminated, and therefore multiple copies can be found in unallocated space, providing snapshots of this information from previous dates and times.
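Because each start or shutdown overwrites the file, the evidentiary value lies in recovering every copy from unallocated space and ordering them by the date each was written. The following added example (not IEF's code) carves Java-style properties snapshots out of a constructed raw buffer, parses them, and sorts them into a timeline. The header comment format follows the usual Java Properties store layout; the property key names and values are constructed for illustration and are not the real Limewire.props keys.

```python
import re
from datetime import datetime

# Constructed "unallocated space" holding two overwritten snapshots of a properties file,
# separated by unrelated bytes. Key names are illustrative, not the real Limewire.props keys.
UNALLOCATED = (
    b"\x00" * 16
    + b"#Limewire properties\n#Mon Mar 05 09:12:44 EST 2012\n"
    + b"CLIENT_ID=0A1B2C3D4E5F60718293A4B5C6D7E8F9\nLAST_SEARCH=holiday photos\n"
    + b"COUNTRY=CA\nDOWNLOAD_DIR=C\\:\\\\Users\\\\j\\\\Downloads\n\n"
    + b"\xde\xad" * 8
    + b"#Limewire properties\n#Tue Mar 06 18:40:01 EST 2012\n"
    + b"CLIENT_ID=0A1B2C3D4E5F60718293A4B5C6D7E8F9\nLAST_SEARCH=tax forms 2011\n"
    + b"COUNTRY=CA\n\n"
)

# A snapshot: the Java Properties header comment, a date comment, then key=value lines.
SNAPSHOT_RE = re.compile(
    rb"#Limewire properties\n#(?P<date>[^\n]+)\n(?P<body>(?:[A-Za-z0-9_.]+=[^\n]*\n)+)"
)


def unescape(value: str) -> str:
    """Undo the simple backslash escapes Java Properties writes (\\: \\= \\\\)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_header_date(text: str):
    """'Mon Mar 05 09:12:44 EST 2012' -> (naive datetime, 'EST'); tz kept as a label."""
    parts = text.split()
    tz = parts.pop(4)
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y"), tz


def carve_props(buf: bytes):
    """Return every properties snapshot in the buffer, oldest first."""
    snapshots = []
    for m in SNAPSHOT_RE.finditer(buf):
        saved_at, tz = parse_header_date(m.group("date").decode("ascii"))
        props = {}
        for line in m.group("body").decode("utf-8", errors="replace").splitlines():
            key, _, raw = line.partition("=")
            props[key] = unescape(raw)
        snapshots.append({"offset": m.start(), "saved_at": saved_at, "tz": tz, "properties": props})
    return sorted(snapshots, key=lambda s: s["saved_at"])


def search_history(buf: bytes):
    """Timeline of the LAST_SEARCH value across snapshots (constructed key name)."""
    return [(s["saved_at"], s["properties"].get("LAST_SEARCH")) for s in carve_props(buf)]


if __name__ == "__main__":
    for snap in carve_props(UNALLOCATED):
        print(snap["saved_at"], snap["tz"], snap["offset"], snap["properties"])
```

Recording the byte offset alongside each parsed snapshot lets the examiner go back to the image and confirm the carve, and sorting by the embedded header date gives the chronology of the values even though the live file only ever holds the latest one.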

Q: Can IEF be run on a Mac?

A: No, IEF only runs on Windows at this time. However, if you are able to connect a hard drive from a Mac to a Windows system (or mount a Mac image), you can run the IEF v5 “Sector Level Only” search on the Physical Drive that is assigned to the drive (no logical drive, e.g. ‘E:’, will be present, since Windows doesn’t natively support the HFS/HFS+ file system).

Q: Is IEF portable?

A: Yes, IEF v5 Triage Edition is portable. The difference between the Standard and Triage versions of IEF v5 is that the Triage Edition comes on a larger thumb drive (16GB at this time), can run directly from the thumb drive without needing to be installed, can mount and search Volume Shadow Copies, can perform live RAM captures (32 and 64 bit) and drive imaging, and performs an automated encryption check. These features allow you to search Volume Shadow Copies on the live system using either the Sector Level Only search (to do a full raw search of the shadow copy) or the Quick Search, which mounts the volume shadow copies and does a logical file search on each mounted shadow copy.

For more information, see the IEF v5 product features page, the IEF v5 User’s Manual, or the IEF comparison matrix.

Q: How do I view items recovered by IEF?

A: IEF has its own Report Viewer which allows you to sort the results, bookmark items, search through the results, filter the results, export to multiple formats, or create a full, easy-to-browse HTML report containing either just bookmarked items or all items.
Please see the IEF v5 User’s Manual for screenshots and more information.


What Our Customers Say:

I use IEF on every grooming, harassment and peer to peer distribution case that I run. I have just run it on a major child abuse and distribution case and found the evidence I needed on the suspect's drives.

- Gary Probert
Manager, Hi Tech Crime Unit
Gwent Police Headquarters
Gwent, United Kingdom


Helping Solve a Variety of Investigations:

  • Child Exploitation
    (pornography, luring, prostitution)

  • Cybercrimes
    (fraud, identity theft, online predators)

  • Organized crime
    (drugs, racketeering, extortion)

  • Violent crimes
    (homicides, assaults, abduction)

  • Intellectual Property Theft
    (trade secrets, counterfeiting, trademarks)

  • Terrorism
    (domestic & international)