Software Forensics Tool Report On

INTERNET EVIDENCE FINDER

Submitted By:
Nandish k chauhan Enrollment No:110280723011 Semester: III, M.E(Information Technology)

Nikita k chauhan Enrollment No: 110280723012 Semester: III, M.E(Information Technology)

Submitted to: Information Technology Department, L.D.College Of Engineering, Ahmedabad-15

L.D. COLLEGE OF ENGINEERING AHMEDABAD 380015

CERTIFICATE
This is to certify that the work presented in the seminar entitled Internet Evidence Finder Have been carried out By Nandish k chauahn & Nikita k chauhan Enrollment No.:110280723011 & 110280723012 Under my guidance as a partial fulfillment of requirements to Award ME Information Technology By Gujarat Technological University, Ahmedabad Date:

Acknowledgement

I wish to thank all who helped me in this seminar work. I thank my Head of the department prof D.A parikh for helping me in sorting out the procedural work and his guidance. Books, Internet and computing facilities have been a treasure in developing this seminar, so words of gratitude for the staff of library and computer department of L.D.College of Engineering, Ahmedabad.

Abstract

IEF is designed to help users in a range of fields conduct thorough, effective computer investigations while preserving the forensic integrity of the data. Used for a variety of investigations including cybercrimes, violent crimes, property crimes, white-collar crimes and street crimes, IEF has become the standard in digital forensic software. Our INTERNET EVIDENCE FINDER (IEF) software recovers social networking, online chat, web browsing history, and other Internet activity from computer hard drives and live memory captures, including deleted data. We currently support over 160 websites and applications. Internet Evidence Finder (IEF) is a computer forensics product that can search a hard drive, live RAM, or files for Internet-related evidence. A data recovery solution designed with digital forensics examiners/investigators in mind, IEF is also used by IT security professionals, litigation support personnel, incident response teams, cyber security specialists and corporate investigators. IEF can recover data from social networking communications, instant messenger chat histories, popular webmail applications, web browsing history, and peer-to-peer sites and online communications.

INDEX
1. Introduction .. 1 1.1 Overview 1 1.2 Requirement of IEF 2 1.3 IEF program Requirements 3 2. About IEF . 4 2.1 Features .4 2.2 Benefits .4 2.3 How IEF works.5 2.4 screen shots ..5 3. Conclusion..8 References

1. INTRODUCTION
The tool has been designed by its developers to aid analyzers with the discovery of relevant forensic data, the identification of suspicious files and activities and the management of the information Forensics Digital forensics is the process of investigating equipment - to determine if the equipment has been used for illegal, unauthorized, or unusual activities Data stored on two types of data layers. Active Data - Information readily available as normally seen by an OS Inactive Data - Information that has been deleted or modified 1.1 Overview IEF is a digital forensics tool developed by the Magnet Forensics for investigating the data on artifacts. IEF is a software application that can search a hard drive or files for Internet related artifacts. It is a data recovery tool that is designed for digital forensics examiners but also designed to be straightforward and simple to use. Internet Evidence Finder is designed to find Internet-related data or files on a hard drive as part of a digital forensics investigation.

The basic operation of IEF is intended to be simple. Select a drive/image/file(s)/folder(s) to be searched, select the artifacts to search for, select an output/case folder, and run the search. INTERNET EVIDENCE FINDER (IEF) software recovers social networking, online chat, web browsing history, and other Internet activity from computer hard drives and live memory captures, including deleted data. IEF software mainstays include: Single Search for 160+ Digital Artifacts Search in 3 Easy Steps for Fast Results Web Page Rebuilding iOS Backup Support Rich & Comprehensive Reporting

1.2 Requirements of IEF In this section we are going to represents main five reasons for need of Internet Evidence Finder. These five reasons are as below: 1.) IEF is comprehensive. Recover data from 60+ commonly used artifacts. Find more evidence in more location on computer hard drive and live memory. First to support new artifacts types , so you be confident you found all results. 2.) IEF is easy to use. Run a search in 3 easy steps. Suitable for all levels of examiners, regardless of tech experience. Set it and forget it ; then come back to key evidence. 3.) IEF speeds up investigation You can star work straight away. Focus on your investigation quickly. Improve case turn around and times get through your backlogs. 4.) IEF presents results in an understable way. Use keyword to search the narrow results to whats relevant. Explore evidence into a report , then hand it off to investigator. 5.) IEF reduce your overall budget spend Many-in-one tool eliminates need to buy multiple products. Easy-to-use technology means less money spent on training. Less man hours spent on manual recovery of evidence.

1.3 IEF program requirements IEF must be run on Windows XP, Windows Vista, or Windows 7 (32 and 64 bit versions). A minimum resolution of 800x600 is required. IEF v5 will not run on Windows 2000 or below. IEF must be run on a computer with .NET framework 4.0 or newer. IEF v5 will not run on a computer with a .NET framework less than 4.0 (or 2.0 for IEF Triage). IEF Report Viewer must be run on a computer with .NET framework 2.0 with Service Pack (SP) 2 or newer. IEF v5 Report Viewer will not run on a computer with a .NET framework less than 2.0 Service Pack 2. System requirements are minimal; if you have the required hardware for the operating system you are running, you can run IEF. However, a fast CPU and at least 2GB of RAM is recommended. The speed of the storage device being searched (or containing the files being searched) will make a large difference in speed as well. A RAID 0 or SSD set-up is recommended. There is the possibility that Anti-Virus software may interfere with IEFs operation. If you receive errors or crashes when running IEF, it is recommended to disable your AV before trying to perform a search with IEF.

2. About IEF
2.1 Features of IEF General features of IEF: o Entire logical or physical drives o Unallocated space/deleted data o Selected files including live RAM captures, pagefile.sys, hiberfil.sys files (with full decompression) and more o Entire user-selected folders and subfolders o Special areas of the NTFS file system Features of latest version of IEF V5.7: Picture & video analysis o Carving/parsing o Skin tone & body part detection o EXIF data

Chrome Incognito & Firefox Private Browsing History Carbonite & Google Maps Artifacts Web History Categorization Support for Ex01, Lx01 & L01 Images Dates and times now converted to local or specified time zone

2.2 Benefits of IEF 1. Robust Search & Dependable Results IEF can recover more types of data than any other solution, which makes it more likely to uncover critical evidence. You can do a single search and find all Internet-related evidence without having to try keywords, manually carve data, or run individual scripts. Its the closest thing to a Find All Evidence button. With our patent-pending technology, IEF finds more forms of Internet artifacts and filters out false positives. IEF is able to recover data from not only deleted data, but also live RAM captures, which often hold vital evidence. 2. Accelerate Investigations & Reduce Case Backlog With the ever-growing hard drive capacities and the explosive growth in both case loads and complexity, organizations and agencies of all kinds require an accurate and comprehensive solution for recovering data. IEF is a rapid automated solution that saves a tremendous amount of

time and allows you to work on other parts of the investigation while its searching. Its as straightforward as hitting search and coming back to a comprehensive report to review the results. 3. User Friendly Both experienced and new forensic examiners/investigators find the IEF user interface flexible, intuitive and easy to use. And because its reporting options are as impressive as it analytical capabilities, producing professional reports for both internal or external audiences is equally simple and straightforward. Time is of the essence and that is why there is no complex configuration or setup. 4. The Gold Standard in Data Recovery IEF is considered the defacto standard for the recovery of data and is used by thousands of the most prestigious national security agencies, law enforcement teams, and corporations around the world.

5. Court Admissible The reporting feature thats built into IEF provides the information examiners require to manually verify all results.

2.3 How IEF Works The basic operation of IEF is as follows: Data is read from a drive or file in chunks (either at the sector level or the file level, depending on the type of search being run). Each chunk is searched for keywords or patterns that correlate to the artifacts being searched for, and any hits are validated and saved to the respective case file. Artifacts that cant be saved in a report file are saved to individual files and linked to a report file. 2.4 Screen shots

Conclusion
Internet Evidence Finder Obviously focuses on Internet Evidence Does a tremendous job with Web browser history IE, Firefox, Safari and Chrome Also great on different types of communication Chats, Skype, Face book and Twitter Very fast considering how much evidence it finds You can review the findings while it is still working Makes a really nice HTML report with active hyperlinks

References:
http://www.magnetforensics.com/products/internet-evidence-finder/ http://www.slideshare.net/Magnet_Forensics/internet-evidence-finder-top-5-reasons http://forensiccontrol.com/resources/reviews/internet-evidence-finder-ief-v4/ http://forensicsource.blogspot.in/2012/02/internet-evidence-finder-vs-netanalysis.html