Internet Evidence Finder

Our next venture is to make a tutorial for Internet Evidence Finder (IEF) for local law enforcement. This tool parses many different internet artifacts located in common areas and folder locations, pagefile.sys, $MFT, $LogFile, hiberfil.sys, Volume Shadow Copies, unallocated clusters, and file slack, and presents most of the data in a more readable and understandable format. One of the features IEF offers is reconstructing websites users have visited. It is not always successful, but when it is, it can provide an investigator with very important evidence. IEF gathers cached data from various browsers and attempts to recreate the web pages the user visited. Below is the report interface for IEF.

IEF also supports many different formats of input media. For the above report we used an E01 image of a VMDK file from a virtual machine that we used to generate data. Before we converted the VMDK file, we were able to find some of the data but not all of it: IEF 5.6, the version we used, does not fully support VMDK, but version 6.0+ does. Individual files, folders, and drives can also be added as input.
Below is a rebuilt web page that IEF put together.

For the most part the web page is reconstructed almost completely. The links appear to work properly. The only problem we found was the missing image preview noted above, but the link still works. The rebuilt pages are recovered from various browser caches. Most of the "rebuilt" pages look something like this.

Not too pretty to look at, but the data is there. These pages are just concatenated versions of the original page code, which is much nicer to look at.

The report tab gives you some nice information about the file it parsed.

All in all, IEF seems to retrieve lots of data and is relatively simple to use. One important note is that this program can produce false positive results, so everything should be checked over by a professional examiner to confirm the results.

-Nick Murray