Internet Evidence Finder: Part 2

As we finish the IEF project we are coming to the realization that IEF does not parse 100% of the internet artifacts on a drive. That's not to say the tool isn't useful; it's just that IEF should not be used by itself. This project entailed generating internet data on a fresh computer and taking detailed notes during the process. Thirty-three hours later the data was ready for IEF to parse. We took the drive out of the computer, hooked it up to a write blocker and imaged the drive in E01 format. We then ran IEF on both the drive and the E01 to see if there would be different results. The results, unsurprisingly, were identical. After comparing the results to my notes we noticed there were a lot of things missing. For one, only two thirds of the artifacts we generated data for were discovered by IEF.

We generated data for all the applications IEF is able to pull data from. Most of them generated results from IEF except for the following: AOL Instant Messenger, Google Talk, ICQ, Flickr, Hotmail Webmail, Yahoo Webmail, iOS Backups, torrent files, Ares Search Keywords, Emule, Limewire/Frostwire, Bebo, Google+, LinkedIn, and MySpace. These applications did not return any results even though we generated data for them. Some of the results that we did get from IEF did not match our notes; mostly, time stamps were off by anywhere from a minute to months or years. It is worth noting that we tested IEF v5.6; newer versions of IEF may address the time stamp issue we found. A full report of our findings will be uploaded to the LCDI website under Cases.
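The comparison step described above (ground-truth notes versus what the tool reported) is the part of a tool-validation exercise that is easiest to get wrong by eye, so here is an added example of doing it programmatically. This is not code from the LCDI project or from IEF: it assumes the notes and the tool export have both been normalized into records with an application name, an artifact identifier and an ISO 8601 timestamp, and all the sample records are constructed for illustration. It reports per-application coverage, applications that returned nothing at all, and artifacts whose timestamp drifts beyond a tolerance, which are the three kinds of finding the post describes.

```python
from datetime import datetime, timedelta

# Constructed ground-truth notes: artifacts generated on the test machine,
# with the timestamp recorded at generation time (UTC, ISO 8601).
GROUND_TRUTH = [
    {"app": "Skype",  "id": "chat-001", "ts": "2013-03-01T10:00:00"},
    {"app": "Skype",  "id": "chat-002", "ts": "2013-03-01T10:05:00"},
    {"app": "Chrome", "id": "hist-001", "ts": "2013-03-01T11:00:00"},
    {"app": "Chrome", "id": "hist-002", "ts": "2013-03-01T11:30:00"},
    {"app": "ICQ",    "id": "msg-001",  "ts": "2013-03-01T12:00:00"},
]

# Constructed tool output standing in for a normalized parser export.
# ICQ returned nothing, one Chrome entry is missing, one Chrome timestamp
# is off by 30 seconds and one Skype timestamp is off by two years.
TOOL_OUTPUT = [
    {"app": "Skype",  "id": "chat-001", "ts": "2013-03-01T10:00:00"},
    {"app": "Skype",  "id": "chat-002", "ts": "2011-03-01T10:05:00"},
    {"app": "Chrome", "id": "hist-001", "ts": "2013-03-01T11:00:30"},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def compare(truth, found, tolerance=timedelta(minutes=1)):
    """Compare tool output against ground truth.

    Returns per-application expected/found counts, the list of applications
    for which the tool returned nothing, overall artifact coverage, and the
    artifacts whose reported timestamp differs from the notes by more than
    `tolerance` (an assumed, adjustable threshold).
    """
    found_by_key = {(r["app"], r["id"]): r for r in found}
    per_app = {}
    mismatches = []
    for record in truth:
        stats = per_app.setdefault(record["app"], {"expected": 0, "found": 0})
        stats["expected"] += 1
        hit = found_by_key.get((record["app"], record["id"]))
        if hit is None:
            continue  # artifact generated but not reported by the tool
        stats["found"] += 1
        delta = abs(parse_ts(hit["ts"]) - parse_ts(record["ts"]))
        if delta > tolerance:
            mismatches.append({"app": record["app"], "id": record["id"], "delta": delta})
    silent_apps = sorted(app for app, s in per_app.items() if s["found"] == 0)
    total_expected = sum(s["expected"] for s in per_app.values())
    total_found = sum(s["found"] for s in per_app.values())
    return {
        "per_app": per_app,
        "silent_apps": silent_apps,
        "coverage": total_found / total_expected if total_expected else 0.0,
        "timestamp_mismatches": mismatches,
    }


def main():
    report = compare(GROUND_TRUTH, TOOL_OUTPUT)
    print(f"coverage: {report['coverage']:.0%}")
    for app, stats in sorted(report["per_app"].items()):
        print(f"  {app}: {stats['found']}/{stats['expected']}")
    print("no results at all:", ", ".join(report["silent_apps"]) or "none")
    for m in report["timestamp_mismatches"]:
        print(f"  timestamp off by {m['delta']} for {m['app']} {m['id']}")


if __name__ == "__main__":
    main()
```

The tolerance matters: a drift of a few seconds is usually a rounding or timezone artifact, while drift of months or years points at a wrong epoch or field being parsed, so a validation run should record both the raw delta and whether it crossed the threshold rather than a simple pass/fail.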

-Nick Murray
