Author: Tracey Watkins
mh Service GmbH An der Rainmühle 9 76185 Karlsruhe [email protected]

IEF ARTIFACT MODULES

(included with your IEF license purchase)

Cloud Artifacts

Each module below is marked in the original table against two platform columns, Windows File System and Mac OS X File System.

Carbonite

Carbonite is a cloud based automated backup program that is used for backing up a user's files and folders to the cloud. This search will return which files/folders have been or are pending to be backed up to the Carbonite cloud.

Dropbox

This search will recover artifacts left behind when using Dropbox via the web or the desktop application. Data recovered can include file names, dates/times, user ID’s, file sizes, and more.

Dropbox Decryption

This feature will decrypt the filecache.dbx file that Dropbox uses to maintain a list of files that are synced to the user's Dropbox account or have been synced at one point. Currently this feature is only available for Windows XP. This is due to limitations around how the filecache.dbx file is encrypted. We are working on adding support for images, etc. in a future release.

Flickr

This search will recover artifacts left behind when using Flickr to upload files via the web. Data recovered can include file names, dates/times, user ID’s, file sizes, URL’s to files, descriptions, and more.

Google Docs

This search will recover artifacts left behind when using Google Docs to upload files via the web. Data recovered can include file names, dates/times, user ID’s, file sizes, privacy settings, collaborator names, edit times, and more.

Google Drive

This search will recover artifacts left behind when using Google Drive to upload/view files via the web or through the Google Drive desktop application. Data recovered can include file names, dates/times, user ID’s, file sizes, privacy settings, edit times, and more.

SkyDrive

This search will recover artifacts left behind when using SkyDrive to upload/view files via the web or through the SkyDrive desktop application. Data recovered can include file names, dates/times, user ID’s, file sizes, sharing settings, and more.

Instant Messenger Chats

Adium

This search will carve out Adium chats. Adium supports the following chat protocols: Jabber (XMPP), AIM, MSN, Yahoo, GTalk, Twitter, Facebook, IRC, ICQ, MySpace IM, LiveJournal, Lotus Sametime, StatusNet, Novell GroupWise, and Gadu-Gadu.

AOL Instant Messenger (AIM) chat logs

The entire log is searched for, not individual messages.

Chatroulette Chat

This search recovers the text chat messages left behind when chatting on Chatroulette. The user names and dates/times are not available to be recovered with this artifact.

GoogleTalk Chat Messages

Messages sent or received using GoogleTalk® live chat within Gmail® webmail. Information found with the message can include the message ID, the Sender/Recipient email addresses, and the sender/recipient’s ID. Dates and times are not available to recover at this time. This search option may also recover chat left behind from other chat programs that utilize the ‘Jabber’ chat protocol (the sender/recipient ID will be your clue, containing an abbreviated name of the client used by that person).

iChat

iChat is a Mac specific chat client that allows users to chat across iOS devices, as well as other protocols such as jabber and AIM. IEF will attempt to recover chat messages, date/time stamps, participants and message sender from non-deleted chat logs.

ICQ

This search will parse ICQ history records from the SQLite files ICQ7 uses to store its data. This includes the date/time, From user, the message, and whether the message was read or unread.

Mail.ru

This search will recover chat messages left behind when using the Mail.ru chat client as well as web chat.

Messenger Plus Chat logs

Messenger Plus!® is an add-on for Windows Live Messenger®/MSN Messenger® that adds a number of features to the chat program. The logs it creates are different from the traditional MSN/WLM chat logs, and it also provides an option of encrypting the chat logs. Encrypted chat logs cannot be recovered at this time, but some of the encrypted chat can be recovered in the MSN/WLM search as MSN protocol fragments.

mIRC Chat logs

This search will recover mIRC® chat logs and other logs (e.g. connection logs) saved by mIRC®. Each session located with these log fragments is saved separately into text files.

MSN/Windows Live Messenger Chat messages

Chat messages sent/received using Windows Live Messenger®. Located messages are exported into text files for MSN protocol fragments or into a report file for regular chat log messages. MSN protocol fragments usually include only a line of chat and sometimes the sender’s email address immediately prior to the message. Prior versions of IEF attempted to recreate the original log files, but the new method of searching for individual messages enables much more chat to be recovered. Note: The Windows Live Messenger® search option is backwards compatible with MSN Messenger®, and the two program names are used interchangeably in IEF.

Omegle Chat

This search recovers text chat messages left behind when chatting on Omegle. The user names and dates/times are not available to be recovered with this artifact.

ooVoo

This search will recover chat messages, contact list and phonebook left behind when using the ooVoo chat client. By enabling "Downloading Images from Web" under the Edit menu in the Report Viewer, IEF will attempt to download profile photos for ooVoo users.

Paltalk Chat

This search recovers chat messages left behind by the Paltalk chat client. The user names and dates/times are not available to be recovered with this artifact.

Pidgin Chat

This search recovers chat messages, account information, "buddy" information, and user created shortcuts left behind by the Pidgin chat client. By enabling "Downloading Images from Web" under the Edit menu in the Report Viewer, IEF will attempt to download profile photos for Pidgin users.

QQ Chat

QQ chat is one of the most popular chat clients around the world with over 750 million registered users. While the chat logs are encrypted, IEF is capable of retrieving chat messages that are saved in RAM, pagefile.sys/hiberfil.sys, and unallocated clusters. Because the chat messages are retrieved from volatile locations, not all messages have a date/time associated with them. IEF will recover a date/time value when it is present in the data.

Second Life

This search will carve and parse chat logs left behind by the online virtual world, Second Life. The entire logs are not needed (single records can be recovered) and the Second Life Viewer saves chat logs by default. Please note that while IEF will search the default log location (and carve in the pagefile, hiberfil, unallocated, etc), logs can be saved to a different folder (or turned off) by the user. Also note: the dates/times saved in the logs are in Pacific Standard Time (GMT -8), or Pacific Daylight Time, depending on the time of the year. The time zone used was called Second Life Time (SLT) in the past but this naming was discarded as it caused too much confusion. Linden Lab is planning to move to UTC at some point so this could change down the road.

Skype

This search will parse Skype history records from the SQLite files Skype uses to store its data. This includes messages, group chat info, calls, accounts, contacts, file transfers, voicemails, and SMS messages. IEF can also carve Skype messages from live RAM captures, unallocated space, etc. and does not need the entire SQLite file data to be present, just the individual records are enough.

Trillian

This search will carve and parse chat messages that have been sent or received via Trillian. These messages can include the date/time, From/To usernames, the chat network used (e.g. MSN, AIM, Facebook, etc), and the message itself. Details regarding file transfers are also recovered.

TOR Chat

This search will parse and carve for TOR Chat. IEF will recover chat logs when logging has been used or messages have been delayed on the TOR network.

World of Warcraft

This search will carve and parse World of Warcraft live chat. This is the chat that can occur between users while playing World of Warcraft online. Messages could be public messages (seen by all users in a group) or private (sent from one user to another user only). Information recovered includes whether the message was public or private, the sender/recipient, the channel the message was sent in, player GUIDs, and the text of the message. Dates and times are not left behind in this artifact.

Yahoo Chat Messages

Chat messages sent and received using Yahoo!® Messenger. These chat messages are logged in an encrypted format that requires the local username to decrypt the message. The username is usually the first half of the email address used to log in (e.g. if the log-in email address is [email protected], then the username is jasonho). IEF can, however, decrypt messages that have not been deleted without requiring a username. When searching unallocated space or memory dumps, etc., a number of false positives are unavoidable due to the format of these chat logs and because there is no way to determine whether a chat log was decrypted successfully. IEF uses a number of validations to filter out these false positive hits, and you can now specify an acceptable time frame and the filtering strictness to further filter out false hits.

Non-Encrypted Yahoo Messenger Chat

Non-encrypted chat messages left behind by Yahoo!® Messenger. These messages are artifacts from the actual Yahoo!® Messenger chat window. No username(s) are required to recover these messages. Messages of this type include the sending user name, the date/time (local time, not UTC), and the message itself. The recipient is not found in these fragments but can usually be ascertained by viewing the chat conversation.

Yahoo! Messenger Diagnostic Logs

This search will recover the diagnostic logs saved by Yahoo! Messenger. These logs are created when a user attempts to report a problem with Yahoo! Messenger to Yahoo! Support by selecting the Help menu in Yahoo! Messenger and clicking “Report a Problem to Yahoo!”. They contain a wide variety of information including chat messages, user actions, files transferred, and more. A good number of these events have been tested and are parsed by IEF v4. There are some events that are not parsed at this time, but by checking the “Include unparsed entries” option in IEF, these events will still be included with some info being partially decoded.

Yahoo Messenger Group Chat Messages

Sent or received in Yahoo!® Messenger Group chat rooms. Information found within these fragments can include the date/time, the username that sent the message, and the message itself. The name of the Yahoo! Messenger group that the message is sent within is not present in these artifacts for recovery.

Yahoo! Webmail Chat Messages

Messages sent or received using the live webmail chat found in Yahoo!® Webmail. Information found with the message can include the Status number, the version number and vendor ID, the session ID, and the Sender/Recipient usernames. Dates and times are not available in this type of artifact to recover at this time.

Media

Pictures

IEF is able to retrieve images through the use of carving and non-carving. The supported formats are as follows: JPEG (.jpg, .jpeg, .jpe), PNG (.png), Bitmaps (.bmp), Graphics Interchange Format (.gif), Icons (.ico), Tagged Image File Format (.tif, .tiff).

Videos

IEF is able to retrieve .avi videos and video fragments with non-carving and carving. IEF is also able to retrieve other videos formats through the use of non-carving. The supported videos types include: Windows Media Video (.wmv), MPEG-4 (.mp4), Quicktime (.mov), Matroska (.mkv), DivX (.divx), 3GP (.3gp), MPEG (.mpg, .mpeg).

Web Video Recovery

This search recovers two distinct types of web-based video. Fragments of Flash video can be left behind by many video streaming sites (like YouTube). RTMP Frame Fragments are frames left behind by streaming sites using the RTMP protocol (widely used by webcam chat sites like Chatroulette, Camstumble, etc.). IEF will show a thumbnail from the recovered video, as well as any relevant metadata. Videos can be exported to .FLV format to be played. Due to the nature of the data recovered, some video players will have issues playing the exported files. We recommend trying ffmpeg, VLC, and the GOM player.

Mobile Backup Files

iOS Backups

iOS Calendar, iOS Call Logs, iOS Contacts, iOS Dropbox, iOS iMessage/SMS, iOS Kik Messenger, iOS Native Notes, iOS WhatsApp Chat, iOS WhatsApp Media

P2P File Sharing

aMule

This search will parse files used by the P2P file sharing application aMule. It will parse the following files: known.met, emfriends.met, clients.met, StoredSearches.met, sharedfiles.dat, shareddir.dat, and AC_SearchStrings.dat. Information recovered varies from file to file, but all fields available in each file format are recovered. Of particular evidential interest are the known.met, emfriends.met, StoredSearches.met, and AC_SearchStrings.dat files.

Ares

This search will parse and carve for Ares artifacts. IEF can recover search terms, shared files, downloaded files, and incomplete file downloads.

Bitcoin

Bitcoin is a widely used digital currency based on public-key cryptography. This search will return the Bitcoin addresses stored by the most common Bitcoin application, as well as transaction queries logged by older versions. IEF Report Viewer can be used to query the Bitcoin servers for transaction history using these values.

eMule

This search will parse files used by the P2P file sharing application eMule. It will parse the following files: known.met, emfriends.met, clients.met, StoredSearches.met, sharedfiles.dat, shareddir.dat, AC_SearchStrings.dat, and GUIDs. Information recovered varies from file to file, but all fields available in each file format are recovered. Of particular evidential interest are the GUID, known.met, emfriends.met, StoredSearches.met, and AC_SearchStrings.dat files.

Frostwire.prop Files

This search finds fragments of Frostwire.props files. These files contain configuration data for the Frostwire® peer to peer file sharing client and can include geo-locations, recent downloads, and many other useful items.

Gigatribe Chat Messages

This search will recover Gigatribe chat messages saved by Gigatribe® (versions 2 and 3). These logs are created when a user uses the chat feature of Gigatribe. Due to the way IEF searches for these chat messages, they can be recovered even if the log file has been deleted or a portion of the log file has been corrupted or overwritten. The chat messages can also be recovered from live memory dumps.

Limerunner/Luckywire

Previous versions of IEF focused only on configuration files or search keywords for these P2P applications. With the release of v6, IEF now provides deeper support for Limewire and its variants: Frostwire, Limerunner, and Luckywire. IEF now determines the following information for files shared using these applications: the file name, the shared type, the Base32 hash value as well as the SHA1 hash value of the file, and the last modified date time for the file.

Limewire Search History (v5.2.8 – v5.5.16)

Search keywords left behind in live memory by Limewire® (tested with Limewire® v5.2.8 – v5.5.16). Search keywords/terms that are recovered have an associated number indicating how many search results were returned for that search term at the time the keyword was left in memory. The recovered search terms are search keywords that were entered by the local user. Other search keywords that were passed through the client (“Incoming Searches”) from other clients on the P2P network are not recovered.

Limewire.props files

This search finds fragments of Limewire.props files. These files contain configuration data for the Limewire® peer to peer file sharing client and can include geo-locations, recent downloads, and many other useful items.

Limewire and Frostwire Search Keywords

Search keywords left behind in live memory by version 4 of Limewire® and Frostwire® (tested with most Limewire/Frostwire v4 clients). Search keywords/terms that are recovered have an associated number indicating how many search results were returned for that search term at the time the keyword was left in memory. The recovered search terms are search keywords that were entered by the local user. Other search keywords that were passed through the client (“Incoming Searches”) from other clients on the P2P network are not recovered.

Shareaza Search Keywords

This search will carve and parse search keywords entered by a user in the P2P file sharing application called Shareaza. These searches are stored in a file called “Searches.dat” but can be carved from live RAM captures and unallocated clusters, etc.

Torrent File Artifacts

This search will carve and parse data from .torrent files used to download “torrents” on various networks on the Internet. The data can be parsed from live files or carved from live memory captures, unallocated space, etc. Information recovered includes the name of the Torrent, the date/time the torrent file was originally created, and the names of the files included in the torrent.
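
As an added worked example (not IEF's own code), the following Python script carves bencoded .torrent metadata out of an arbitrary byte buffer, such as a memory or unallocated-space dump, and reports the three fields listed above. The sample buffer is constructed in the script; the info hash is computed over the raw bytes of the info dictionary rather than a re-encoding, and a truncated copy of the torrent at the end of the buffer is rejected instead of being misparsed.

```python
# Added example (not IEF code): carve bencoded .torrent files out of a byte
# buffer and report name, creation date and contained file names.
# The sample buffer below is constructed here, not data from the page.
import hashlib
import re
from datetime import datetime, timezone


def bdecode(buf, pos=0, spans=None):
    """Decode one bencoded value at buf[pos]; return (value, end_pos).
    When spans is a dict, the byte range of each top-level dict value is
    recorded in it (used to hash the raw 'info' dict)."""
    c = buf[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = buf.index(b"e", pos)
        return int(buf[pos + 1:end]), end + 1
    if c == b"l":                                   # list: l<values>e
        items, pos = [], pos + 1
        while buf[pos:pos + 1] != b"e":
            v, pos = bdecode(buf, pos)
            items.append(v)
        return items, pos + 1
    if c == b"d":                                   # dict: d<key><value>...e
        d, pos = {}, pos + 1
        while buf[pos:pos + 1] != b"e":
            k, pos = bdecode(buf, pos)
            start = pos
            v, pos = bdecode(buf, pos)
            d[k] = v
            if spans is not None:
                spans[k] = (start, pos)
        return d, pos + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = buf.index(b":", pos)
        n = int(buf[pos:colon])
        start = colon + 1
        if start + n > len(buf):
            raise ValueError("truncated string")
        return buf[start:start + n], start + n
    raise ValueError("not bencode at offset %d" % pos)


def bencode(v):
    """Encoder, used here only to build the constructed sample."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    if isinstance(v, dict):
        return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"
    raise TypeError(type(v))


def describe_torrent(meta, raw_info):
    info = meta[b"info"]
    if isinstance(info.get(b"files"), list):        # multi-file torrent
        files = [b"/".join(f[b"path"]).decode("utf-8", "replace") for f in info[b"files"]]
    else:                                           # single-file torrent
        files = [info[b"name"].decode("utf-8", "replace")]
    created = meta.get(b"creation date")
    return {
        "name": info[b"name"].decode("utf-8", "replace"),
        "created_utc": datetime.fromtimestamp(created, tz=timezone.utc).isoformat()
        if isinstance(created, int) else None,
        "files": files,
        "info_hash": hashlib.sha1(raw_info).hexdigest(),  # over the raw bytes, not a re-encoding
    }


_DICT_START = re.compile(rb"d(?=\d+:)")   # a dict whose first key is a byte string


def carve_torrents(buf):
    """Scan buf for bencoded dicts carrying an 'info' dict that has a 'name'."""
    found, pos = [], 0
    while True:
        m = _DICT_START.search(buf, pos)
        if m is None:
            return found
        pos = m.start() + 1                         # resume just past a failed candidate
        spans = {}
        try:
            meta, end = bdecode(buf, m.start(), spans)
            info = meta.get(b"info") if isinstance(meta, dict) else None
            if isinstance(info, dict) and b"name" in info:
                found.append(describe_torrent(meta, buf[spans[b"info"][0]:spans[b"info"][1]]))
                pos = end                           # skip the dicts nested inside this torrent
        except (ValueError, KeyError, TypeError, RecursionError):
            continue                                # garbage, truncated or hostile candidate


SAMPLE_TORRENT = bencode({                          # constructed sample, not real data
    b"announce": b"http://tracker.example/announce",
    b"creation date": 1356998400,                   # 2013-01-01T00:00:00Z
    b"info": {
        b"name": b"evidence-set",
        b"piece length": 16384,
        b"pieces": b"\x00" * 20,                    # one fake SHA-1 piece hash
        b"files": [
            {b"length": 1234, b"path": [b"docs", b"report.pdf"]},
            {b"length": 10, b"path": [b"notes.txt"]},
        ],
    },
})
# Constructed "unallocated" buffer: slack, one whole torrent, zero fill, a truncated copy.
SAMPLE_BUFFER = b"\x00\xffslack bytes" + SAMPLE_TORRENT + b"\x00" * 16 + SAMPLE_TORRENT[:40]

if __name__ == "__main__":
    for t in carve_torrents(SAMPLE_BUFFER):
        print(t)
```

The parser raises on any malformed candidate instead of guessing, and RecursionError is caught so that a run of "l" or "d" bytes in a dump cannot blow the stack and abort the scan.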

Usenet Binary Files (Newsgroup Messages)

This search will recover yEnc/uuencoded encoded files that are used to transfer files on newsgroups/USENET. These files can have a number of header information like to/from, subject, date/time, etc. and can be split into multiple files. Rebuildable recovered files can be reconstructed under the IEF Refined Results section in the Report Viewer. You can rebuild the files by clicking on each item or by right-clicking and selecting "Rebuild all".
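
As an added example, not part of IEF or this datasheet, the following Python script carves yEnc parts (=ybegin/=ypart/=yend) out of a newsgroup post, verifies each part's pcrc32 trailer against the decoded bytes, and reassembles a multi-part file, which is the rebuild step described above; uuencode is not handled. The sample posts, including a deliberately corrupted part, are constructed with the small encoder in the script.

```python
# Added example (not IEF code): decode yEnc parts carved from a newsgroup post,
# check each part's CRC32, and rebuild the multi-part file. Sample posts are
# constructed here with a minimal encoder; they are not data from the page.
import binascii
import re

ORIGINAL = bytes(range(256)) * 3        # constructed payload covering every byte value


def yenc_encode_part(data, name, partno, begin, end, line_len=128):
    """Encode data[begin-1:end] (1-based, inclusive) as one yEnc part."""
    chunk = data[begin - 1:end]
    body, col = bytearray(), 0
    for b in chunk:
        e = (b + 42) & 0xFF
        # NUL, LF, CR and '=' are always escaped; '.', TAB and space only at line start.
        if e in (0x00, 0x0A, 0x0D, 0x3D) or (col == 0 and e in (0x09, 0x20, 0x2E)):
            body += b"=" + bytes([(e + 64) & 0xFF])
            col += 2
        else:
            body.append(e)
            col += 1
        if col >= line_len:
            body += b"\r\n"
            col = 0
    if col:
        body += b"\r\n"
    head = b"=ybegin part=%d line=%d size=%d name=%s\r\n=ypart begin=%d end=%d\r\n" % (
        partno, line_len, len(data), name, begin, end)
    tail = b"=yend size=%d part=%d pcrc32=%08x\r\n" % (len(chunk), partno, binascii.crc32(chunk))
    return head + bytes(body) + tail


_PART = re.compile(rb"=ybegin (?P<head>[^\r\n]*)\r?\n(?:=ypart (?P<part>[^\r\n]*)\r?\n)?"
                   rb"(?P<body>.*?)\r?\n=yend (?P<tail>[^\r\n]*)", re.S)


def _kv(line):
    """Split 'k=v k=v name=with spaces' into a dict; name= runs to end of line."""
    out = {}
    m = re.search(rb" name=(.*)$", line)
    if m:
        out[b"name"] = m.group(1)
        line = line[:m.start()]
    for k, v in re.findall(rb"(\w+)=(\S+)", line):
        out[k] = v
    return out


def yenc_decode_body(body):
    out, esc = bytearray(), False
    for c in body:
        if c in (0x0D, 0x0A):           # line breaks carry no data
            continue
        if esc:
            out.append((c - 64 - 42) & 0xFF)
            esc = False
        elif c == 0x3D:                 # '=' introduces an escaped byte
            esc = True
        else:
            out.append((c - 42) & 0xFF)
    return bytes(out)


def carve_yenc_parts(buf):
    parts = []
    for m in _PART.finditer(buf):
        head, tail = _kv(m.group("head")), _kv(m.group("tail"))
        part = _kv(m.group("part")) if m.group("part") else {}
        data = yenc_decode_body(m.group("body"))
        want = tail.get(b"pcrc32") or tail.get(b"crc32")   # pcrc32 for a part, crc32 for a whole file
        parts.append({
            "name": head.get(b"name", b"").decode("latin-1"),
            "size": int(head.get(b"size", b"0")),
            "part": int(head.get(b"part", b"1")),
            "begin": int(part.get(b"begin", b"1")),
            "data": data,
            "crc_ok": want is not None and int(want.decode(), 16) == binascii.crc32(data),
        })
    return parts


def rebuild_files(parts):
    """Assemble parts by name; report whether every byte arrived and every CRC matched."""
    files = {}
    for name in {p["name"] for p in parts}:
        mine = [p for p in parts if p["name"] == name]
        size = max(p["size"] for p in mine)
        out, covered = bytearray(size), 0
        for p in sorted(mine, key=lambda p: p["begin"]):
            start = p["begin"] - 1
            seg = p["data"][:max(0, size - start)]     # never write past the declared size
            out[start:start + len(seg)] = seg
            covered += len(seg)
        files[name] = {"data": bytes(out), "complete": covered == size,
                       "crc_ok": all(p["crc_ok"] for p in mine)}
    return files


PART1 = yenc_encode_part(ORIGINAL, b"sample.bin", 1, 1, 400)
PART2 = yenc_encode_part(ORIGINAL, b"sample.bin", 2, 401, 768)
SAMPLE_POST = (b"From: poster@example.invalid\r\nSubject: sample.bin (1/2)\r\n\r\n"
               + PART1 + b"\r\n-- slack --\r\n" + PART2)
_bad = bytearray(PART2)
_bad[_bad.index(b"=yend") - 3] ^= 0x01          # flip one bit in the last body character
CORRUPTED_POST = PART1 + bytes(_bad)
```

A CRC mismatch is the only signal that a carved part was overwritten or mis-decoded, so the rebuild reports crc_ok separately from complete rather than silently producing a file of the right length.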

Social Networking Sites

Bebo Chat

Messages sent or received in Bebo® live chat. Information found within these fragments can include the status of the message, the date/time, the sender username, target username, and the message itself.

Facebook

Facebook® related web pages, including but not limited to the Inbox page, emails, photo galleries, groups, and so on. Most recovered items will be fragments and not the complete page, but attempts are made to recover the entire page and filter out false positives. A header is added to the fragment to aid in viewing the page in its original format.

Facebook Status Updates and Wall Posts

This search will recover Facebook® Status Updates and Wall Posts. These can be from the local user or from other users on Facebook. Recovered items can include the User ID and Name of the person making the status update or wall post, and the text of the update/post itself. This artifact does not contain the date/time that the update or post was made.

Facebook Chat Messages

Messages sent and received using the Facebook® live chat feature. Information found with the message can include the Facebook® profile ID used to send/receive the message, the from/to names and ID’s, and the date/time (in UTC) that the message was sent. However, there are a few different formats of Facebook chat and not all formats include all this data.

Facebook Comments

Recover comments made on a Facebook post as well as the timestamp of the comments.

Facebook Emails

This search will recover emails sent or received on Facebook®. Recovered items can include the Logged In User ID (the ID of the person logged in to Facebook when the email was sent/received), the subject of the email, the recipients of the email, the Last Updated Time (last time a message in the thread was added), the Original Author, the Thread ID#, the Time Rendered (local time), the Author’s User ID and Name, whether or not it was sent from a mobile device, any attachments, and the message.

Facebook Email Snippets

This search will recover Facebook® email “snippets” (previews of a full email message). This artifact is left behind when a user is viewing their Inbox or Sent Messages folder in their Facebook® account. It can include the Subject line, Original Author user ID, Recent Authors user IDs (the participants of the email conversation), Time Last Updated (the last time a message was posted in the thread), thread ID (ID# of the message in the user’s mailbox), and the “snippet” itself.

Facebook Photos

This search looks for files that follow a Facebook photo file naming convention and recovers them, indicating which Facebook user ID the photo belongs to. At this time, only files found in the Internet Explorer cache folders are supported/recovered.

Google+

This search will carve and parse Google+ live chat. This is the chat that can occur between users while logged into the Google+ social networking website. Information recovered includes whether the message was sent or received, the email address of the sender/recipient, the date/time, and the text of the message.

Instagram

This search will recover Instagram posts, as well as comments on those posts left by other users. This artifact is left behind in several formats when a user is updating a post, or viewing and commenting on other users’ posts. It can include the user ID, the user profile, the user profile image URL, the comment, and the original post image URL.

Linkedin

This search will locate and carve emails that have been sent or received on LinkedIn. These email fragments can include the from/to names, subject, date/time, and full message. Please note that, depending on the browser, these emails will be in a compressed gzipped form which IEF decompresses on-the-fly.

Myspace Chat

Messages sent or received in MySpace® live chat. Information found within these fragments can include the status of the message, the date/time, the sender ID, target ID, and the message itself. Some user info is also recoverable, such as the real name/username associated to a MySpace ID, image URL, and other information. This information is saved to a ‘User Info’ report.

Twitter

This search will recover Twitter® status updates. This artifact is left behind in several formats when a user is updating their status or viewing another person’s status update. It can include the Name of the user, the screen name, created time, status ID#, where the status was updated from, geo-tags, if the update is a “retweet”, the profile image URL of the user, and the text of the status update.

Webmail Applications

Gmail Email

This search will recover Gmail® email fragments left behind in live memory. Information found will vary and this search does not parse any information out. IEF will do its best to clean up the located fragment and convert encodings into a more readable format. Some fragments will be of the folder view with the sender name/address, subject, and first segment of the body of the email. Please see the “Gmail Parsed Email Snippets” search for a parsed version of this search.

Offline Gmail

This search will parse and carve for offline Gmail databases. IEF will recover the following fields: From Address, To Address, CC Address, BCC Address, Subject, Date & Time, Status, and Email Body.

Gmail Parsed Email Snippets

This search will recover Gmail® email “snippets” (previews of a full email message). This artifact is left behind when a user is viewing the Inbox folder in their Gmail® webmail account. It can contain the email addresses included in the message, the subject, file names of attachments, the date/time (in local time), read/unread status, and the “snippet” itself.

Hotmail/Outlook.com

Email messages, contact listings, and folder views from Hotmail®/Outlook.com webmail fragments. These recovered artifacts may be complete in some cases but much of the time they will be partial fragments.

Hushmail

This search will carve for Hushmail artifacts. IEF will recover fragments of emails sent/received using Hushmail, and Inbox listings of emails received by a user. The sender/receiver and timestamps can be found with these artifacts.

Yahoo Webmail Email

Email messages, email compose pages, and folder views from Yahoo!® webmail fragments. Multiple types of Yahoo!® webmail interfaces are supported, including ‘Classic view’ and the newer Yahoo!® Webmail view. These recovered artifacts may be complete in some cases but much of the time they will be partial fragments.

Web Related Activity

Apple Safari

This search will parse Safari web history from the Plist/Binary Plist files Safari uses to store its data. This includes website visits, bookmarks, downloads, cookies, last session, and “Top Sites” (including thumbnails). IEF can also carve Safari web history from live RAM, unallocated space, etc. and does not need the entire Binary Plist file to be present for recovery.

Bing Toolbar

The Bing toolbar is a browser add-on from which a user can perform Bing searches. While most of the information it stores, such as Facebook and email data, is encrypted, IEF is able to retrieve the user's search history. This includes anything the user typed and searched for, or autocompleted and then searched for. The Bing Bar artifact can also retrieve information from the Bing Bar mapping feature: the default location where the Bing Bar map starts, along with the latest locations the user searched for. The number of searches that can be retrieved varies with the length of the locations the user has searched for.

Browser Activity Chrome Incognito/Firefox Private Browsing

The Browser Activity artifact will recover browser-related URLs, including Chrome Incognito and Firefox Private Browsing URLs, HTTP request artifacts from multiple browsers, and regular web browsing. These artifacts do not include metadata such as the Windows username, dates/times, etc. The intended use of this artifact is to recover private/incognito browsing, but other types of browsing activity will also be recovered due to the nature of the artifact. Please note that some recovered URLs can come from background browser processes (certificate authority lookups, etc.). This artifact is meant to assist with intelligence gathering and to recover browsing history in extreme cases where only private browsing, or other forms of anti-forensics, were used.

Firefox Places.Sqlite History Artifacts

This search recovers browsing history URLs from the places.sqlite files Firefox® uses to store browsing history and other information. The entire SQLite file is not required, only the individual entries. Due to the format and nature of this artifact, some parsing must be done to separate the URL and web page title items. Sometimes this parsing will be incorrect; in this case please see the unparsed column for the original data. Recovered items include the parsed URL, parsed web page title, visit count, whether or not the URL was typed by the user, last visited time (in UTC), and the unparsed URL/web page title.

Note 1: Parsing live (undeleted) places.sqlite files is better done with other Firefox history parsing software, as there is more information to be found in these files and the URL/title can be parsed more accurately; this search is most useful for live memory dumps, deleted records, records in the pagefile.sys/hiberfil.sys files, etc.

Note 2: If any of the individual items for a recovered record were not recovered or contain garbage information, that record should be verified, as it may not be reliable and could be a false positive hit.

Note 3: This search recovers artifacts from Firefox v3.5 to v5.0b5. It does not recover artifacts from Firefox v3.0.x, as those older versions use a different database format. Firefox v1-2 do not use the places.sqlite file and therefore are not supported in this search.

Firefox Formhistory.Sqlite Artifacts

This search recovers query history from the formhistory.sqlite files Firefox® uses to store web page form entry history (e.g. a search entered into Google or another search engine). The entire SQLite file is not required, only the individual entries. Recovered items include the fieldname (the name of the textbox where the query was made), the value (the text that was entered into the textbox on the web page, e.g. the search term entered), the number of times used, the date/time (UTC) the query was first made, and the date/time (UTC) it was last made.

Note 1: At this time, IEF only recovers the fieldnames “q” and “query” (commonly used in search engines such as Google) and “searchbar-history”/“searchText” (searches made from the Google toolbar). Other fieldnames may be added in the future.

Note 2: If any of the individual items for a recovered record were not recovered or contain garbage information, that record should be verified, as it may not be reliable and could be a false positive hit.

Note 3: This search recovers artifacts from Firefox v3.0.x to v5.0b5. Firefox v1-2 do not use the formhistory.sqlite file and therefore are not supported in this search.
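
As an added example rather than IEF code, and covering both the places.sqlite and formhistory.sqlite artifacts above, the following Python script reads the moz_places and moz_formhistory tables of live (undeleted) profile databases, converts Firefox's PRTime values (microseconds since the Unix epoch) to UTC, restricts form history to the four field names listed above, and flags a places record whose URL is not URL-shaped, the kind of verification Note 2 asks for. Both databases are built in memory with only the relevant columns; no real profile or carved record is read.

```python
# Added example (not IEF code): read moz_places and moz_formhistory from Firefox
# profile databases, convert PRTime (microseconds since the Unix epoch) to UTC,
# and keep only the search-box field names the page lists. Both databases are
# constructed in memory with the relevant columns; no real profile is read.
import re
import sqlite3
from datetime import datetime, timezone

SEARCH_FIELDS = ("q", "query", "searchbar-history", "searchText")
_URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://\S+$", re.I)


def prtime_to_utc(us):
    """Firefox stores times as microseconds since 1970-01-01 UTC; None stays None."""
    if us is None:
        return None
    dt = datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc)
    return dt.replace(microsecond=us % 1_000_000).isoformat()


def parse_places(conn):
    rows = conn.execute(
        "SELECT url, title, visit_count, typed, last_visit_date FROM moz_places "
        "ORDER BY COALESCE(last_visit_date, 0), id")
    return [{
        "url": url, "title": title, "visit_count": visits, "typed": bool(typed),
        "last_visit_utc": prtime_to_utc(last),
        # A record whose URL is not even URL-shaped deserves a second look (false positive).
        "plausible": bool(url) and _URL_RE.match(url) is not None,
    } for url, title, visits, typed, last in rows]


def parse_formhistory(conn, fields=SEARCH_FIELDS):
    marks = ",".join("?" * len(fields))
    rows = conn.execute(
        f"SELECT fieldname, value, timesUsed, firstUsed, lastUsed FROM moz_formhistory "
        f"WHERE fieldname IN ({marks}) ORDER BY firstUsed", fields)
    return [{"fieldname": f, "value": v, "times_used": n,
             "first_used_utc": prtime_to_utc(a), "last_used_utc": prtime_to_utc(b)}
            for f, v, n, a, b in rows]


def build_sample_places():
    """Constructed places.sqlite stand-in (relevant columns only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
                 "title LONGVARCHAR, visit_count INTEGER DEFAULT 0, typed INTEGER DEFAULT 0, "
                 "last_visit_date INTEGER)")
    conn.executemany("INSERT INTO moz_places (url, title, visit_count, typed, last_visit_date) "
                     "VALUES (?, ?, ?, ?, ?)", [
        ("https://example.org/login", "Example login", 3, 1, 1356998400000000),
        ("https://www.google.com/search?q=ief+artifact", "ief artifact - Google Search",
         1, 0, 1357084800000000),
        ("garbage\x07record", None, 0, 0, None),      # junk row, as a carved record might yield
    ])
    return conn


def build_sample_formhistory():
    """Constructed formhistory.sqlite stand-in (Firefox's moz_formhistory columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, "
                 "value TEXT NOT NULL, timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER, "
                 "guid TEXT)")
    conn.executemany("INSERT INTO moz_formhistory (fieldname, value, timesUsed, firstUsed, lastUsed) "
                     "VALUES (?, ?, ?, ?, ?)", [
        ("q", "ief artifact", 2, 1356998400000000, 1357084800000000),
        ("username", "alice", 5, 1356998400000000, 1357084800000000),   # not a search box: skipped
        ("searchbar-history", "magnet forensics", 1, 1357084800000000, 1357084800000000),
    ])
    return conn


if __name__ == "__main__":
    for row in parse_places(build_sample_places()) + parse_formhistory(build_sample_formhistory()):
        print(row)
```

Dividing by one million before calling fromtimestamp and re-attaching the remainder keeps the full microsecond precision that a float conversion would round away.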

Firefox Sessionstore.Js Artifacts

This search will recover URLs from the sessionstore.js file Firefox® uses to store URLs to facilitate recovering from a web browser crash. The entire sessionstore.js file is not required, only the individual entries. Recovered items can include the URL, the web page title, and the referring URL. Some items will have the web page title while some will only have the referring URL.

Flash Cookies and Local Shared Objects

This search will carve and parse Adobe's local shared objects (a.k.a. Flash cookies), which contain data from websites that use Adobe Flash. The content of the cookies is arbitrary, so the search decodes them and presents them in their entirety in a human readable format.

Google Analytics Cookies

Along with traditional browser cookies, IEF will now identify cookies that are related to Google Analytics and can provide information about when and how many times a user visited a website and the actions that were taken.
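
As an added example (not IEF code), the following Python script decodes the classic ga.js first-party cookies __utma, __utmb and __utmz, which is where the first/previous/current visit timestamps, session count, pageviews and referring search terms mentioned above come from. The field layouts are the documented ga.js-era formats, assumed here rather than taken from the page; the cookie header is constructed.

```python
# Added example (not IEF code): decode classic Google Analytics (ga.js) cookies.
# Field layouts are the ga.js-era formats, assumed here; the sample header is constructed.
from datetime import datetime, timezone
from urllib.parse import unquote


def _utc(ts):
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()


def parse_utma(value):
    """__utma: domain_hash.visitor_id.first_visit.previous_visit.current_visit.session_count"""
    dh, vid, first, prev, cur, sessions = value.split(".", 5)
    return {"domain_hash": dh, "visitor_id": vid, "first_visit_utc": _utc(first),
            "previous_visit_utc": _utc(prev), "current_visit_utc": _utc(cur),
            "session_count": int(sessions)}


def parse_utmb(value):
    """__utmb: domain_hash.pageviews_in_session.outbound_clicks_left.session_start"""
    dh, views, clicks, start = value.split(".", 3)
    return {"domain_hash": dh, "pageviews": int(views), "session_start_utc": _utc(start)}


def parse_utmz(value):
    """__utmz: domain_hash.timestamp.session_count.campaign_count.utmcsr=..|utmccn=..|utmcmd=..|utmctr=.."""
    dh, ts, sessions, campaigns, rest = value.split(".", 4)
    fields = dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)
    return {"domain_hash": dh, "set_utc": _utc(ts), "session_count": int(sessions),
            "source": fields.get("utmcsr"), "campaign": fields.get("utmccn"),
            "medium": fields.get("utmcmd"),
            "search_terms": unquote(fields["utmctr"]) if "utmctr" in fields else None}


PARSERS = {"__utma": parse_utma, "__utmb": parse_utmb, "__utmz": parse_utmz}


def parse_cookie_header(header):
    """Pick the GA cookies out of a 'name=value; name=value' string, tolerating junk."""
    found = {}
    for item in header.split(";"):
        name, _, value = item.strip().partition("=")
        parser = PARSERS.get(name)
        if parser is None:
            continue
        try:
            found[name] = parser(value)
        except (ValueError, KeyError):   # malformed, or carved and truncated
            found[name] = {"error": "unparsable", "raw": value}
    return found


# Constructed sample: three visits on 1, 2 and 3 January 2013, reached via an organic search.
SAMPLE_HEADER = ("PHPSESSID=abc123; "
                 "__utma=173272373.1234567890.1356998400.1357084800.1357171200.3; "
                 "__utmb=173272373.5.10.1357171200; "
                 "__utmz=173272373.1357171200.3.2.utmcsr=google|utmccn=(organic)"
                 "|utmcmd=organic|utmctr=ief%20artifact")

if __name__ == "__main__":
    for name, fields in parse_cookie_header(SAMPLE_HEADER).items():
        print(name, fields)
```

A truncated cookie from unallocated space is reported as unparsable with its raw value kept, rather than being dropped or decoded into wrong timestamps.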

Google Chrome History

This search will parse Chrome web history from the SQLite files Chrome uses to store its data. This includes website visits, downloads, keyword search terms, top sites, cookies, autofill, autofill profiles, saved credit cards, logins, archived web history, archived keyword search terms, and favicons data. In a separate search, IEF also can carve the SQLite records from the History files Chrome uses – no other tool can do this. Both the carving and non-carving searches are performed when Chrome is checked.

Google Chrome Last & Current Session Tabs

This search will carve for Chrome last and current session tabs from live RAM capture.

Google Maps

This special artifact will carve for Google Maps URLs, whether or not they are recoverable in regular web history formats. Recovered web history URLs are also parsed for Google Maps data. The information recovered from these URLs can contain: the query the user entered; the starting location of a route; the center location of the map; the latitude and longitude of a business; the source address of the search; the destination address of the search; the route type of the search; additional addresses in the search; the latitude and longitude while viewing in street view; the artifact the Google Maps URL was found in; the record number the Google Maps URL was found under; and the date/time the search was performed.

Google Maps Tiles

This search will recover tiles used in displaying Google Maps and will also carve for file names that match the format the tile files are saved under. The recovered tiles and tile coordinates (x, y and zoom level) are displayed, and by clicking on the "Surrounding Area" tab, IEF will download the surrounding tiles to provide a view of the surrounding area. The 'World Map View' will plot all recovered Google Maps coordinates, as well as the GPS coordinates found in the Exif data of recovered pictures, on a world map. Plotted points that are close to other points are grouped into clusters to provide a cleaner view. Note that for Google Maps artifacts (not tiles), the "Center of Map" coordinates are used to plot points; if that field is empty and coordinates exist in the Business Lat/Long field, that data is used instead. These Business lat/long points can refer to businesses or locations that were searched for on Google Maps using the "Search nearby" feature.
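Tile coordinates only become evidence once they are mapped back to geography. As an added example (not IEF's code), the Python below converts Web Mercator tile coordinates (x, y, zoom) to a bounding box and centre, finds the tile that contains a given latitude/longitude, and enumerates the neighbouring tiles a "surrounding area" view would need, wrapping across the antimeridian and clipping at the poles. The tile file naming scheme is not modelled; the coordinates are assumed to be already recovered, and the Karlsruhe point used at the bottom is a constructed input.

```python
"""Google Maps tile coordinates <-> latitude/longitude (Web Mercator scheme).

Added example, not IEF's code. At zoom z the world is a 2^z x 2^z grid of
256-pixel tiles: x grows eastward from longitude -180, y grows southward from
latitude ~85.05 N. Tile file names are not modelled here.
"""
import math

MERCATOR_LAT_LIMIT = 85.05112878  # latitude of the top/bottom tile edge


def tile_to_latlon(x, y, z):
    """Latitude/longitude (degrees) of the tile's north-west corner."""
    n = 2 ** z
    lon = x / n * 360.0 - 180.0
    lat = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * y / n))))
    return lat, lon


def tile_bounds(x, y, z):
    """(south, west, north, east) bounding box of a tile in degrees."""
    north, west = tile_to_latlon(x, y, z)
    south, east = tile_to_latlon(x + 1, y + 1, z)
    return south, west, north, east


def tile_center(x, y, z):
    south, west, north, east = tile_bounds(x, y, z)
    return (south + north) / 2, (west + east) / 2


def latlon_to_tile(lat, lon, z):
    """Tile containing a point. Latitude is clamped to the Mercator limits and
    the result is clamped to the grid so lon == 180 does not fall off the edge."""
    lat = max(min(lat, MERCATOR_LAT_LIMIT), -MERCATOR_LAT_LIMIT)
    n = 2 ** z
    x = int((lon + 180.0) / 360.0 * n)
    lat_rad = math.radians(lat)
    y = int((1 - math.log(math.tan(lat_rad) + 1 / math.cos(lat_rad)) / math.pi) / 2 * n)
    return min(x, n - 1), min(y, n - 1)


def surrounding_tiles(x, y, z, radius=1):
    """Tiles within `radius` of (x, y) at the same zoom, sorted. Columns wrap
    around the antimeridian; rows beyond the top or bottom of the grid are dropped."""
    n = 2 ** z
    tiles = set()
    for dx in range(-radius, radius + 1):
        for dy in range(-radius, radius + 1):
            if dx == 0 and dy == 0:
                continue
            ny = y + dy
            if 0 <= ny < n:
                tiles.add(((x + dx) % n, ny))
    return sorted(tiles)


if __name__ == "__main__":
    # Constructed example point (Karlsruhe city centre).
    tx, ty = latlon_to_tile(49.0069, 8.4037, 14)
    print("tile", (tx, ty), "bounds", tile_bounds(tx, ty, 14), "centre", tile_center(tx, ty, 14))
    print("surrounding", surrounding_tiles(tx, ty, 14))
```

A recovered tile proves only that a map area was rendered on the device, not that the user was there; the bounding box is what to compare against other location artifacts such as Exif GPS coordinates, and at low zoom levels a single tile covers hundreds of kilometres.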

Google Toolbar

The Google Toolbar is a browser add-on from which a user can perform Google searches. While the Google Toolbar has many features, IEF currently focuses on its search history. IEF is capable of finding the search history, whether it was typed or autocompleted, and of determining which category the user's search came from, such as Google Search, YouTube, Google Maps or Google News.

Internet Explorer v10 history

This search will recover history, cookies, and content left behind when using Internet Explorer v10. IE10 uses a completely different storage format than previous versions of Internet Explorer: an ESE (JET Blue) database rather than index.dat files. The search also carves IE10 history and content records from unallocated space, from partial or corrupt IE10 (JET Blue) databases, and from other fragments.

Opera

This search will carve and parse web history from the Opera web browser, including carving and parsing the "typed" history (URLs or search terms entered by the user). The entire history file is not required: single records can be carved from live RAM captures, unallocated clusters and similar sources.

360 Safe Browser

This search will parse 360 Safe Browser web history from its SQLite files. This includes website visits, downloads, keyword search terms, top sites, cookies, autofill, autofill profiles, saved credit cards, logins, archived web history, archived keyword search terms, and favicons data.

Xbox Internet Explorer History

This search will recover history, recent/favourites/featured items, and content left behind when using Internet Explorer on the Xbox 360. This can be recovered by doing a sector-level search on an Xbox 360 hard drive or image.

Web Page Recovery


Craigslist Ads

This search will extract HTML and determine whether it is a fragment of a Craigslist ad or search results.

Backpage Ads

This search will extract HTML and determine whether it is a fragment of a Backpage ad or search results.

Plenty of Fish

This search will extract HTML and determine whether it is a fragment of a Plenty of Fish profile or search.

Ashley Madison

This search will extract HTML and determine whether it is a fragment of an Ashley Madison profile or search.


(available as an optional, add-on module with your IEF license purchase)

Document File Artifacts

PDF

This search recovers PDF documents from both PCs and mobile devices, in both allocated and unallocated space. Along with the recovered document, IEF recovers the metadata associated with it, so the investigator can analyze information such as created time, modified time, document author and document description. PDFs can be saved as files from Report Viewer or viewed directly in Report Viewer, which is convenient when navigating through a large number of documents.

Microsoft Office

This search recovers Microsoft Office documents, including Word, PowerPoint and Excel files. IEF is able to recover deleted and allocated files from PCs and mobile devices. Documents can be viewed in Report Viewer as well as exported to files for viewing at a later time. Supports the Office 2003-2013 formats (.doc, .docx, .xls, .xlsx, .ppt, .pptx).


Windows Operating System Artifacts

USB Devices

IEF can recover USB device history from the Windows Registry. This type of artifact provides insight into which USB devices have been plugged into the computer in the past. IEF will provide information about each USB device such as serial number, friendly name, timestamps, assigned drive letters, and several other identifiers.

File System Information

For each logical volume that is searched, IEF will recover information about the file system. Key items recovered are the file system type, the number of allocated and unallocated bytes, the volume serial number (VSN), and the sector and cluster sizes.

Network Share Information

LNK Files (Windows Shortcuts)

IEF will recover all LNK files from a Windows drive or image. This includes both allocated LNK files and deleted ones carved out of unallocated space. The original file path, volume serial number, volume information and timestamps are parsed from each file and included in the IEF report.

User Accounts

IEF will recover all user accounts from the Windows Registry. Details such as the user name, group, description, last login time and login count are provided for analysis.

Startup Items

This search will recover the items listed in the Windows Startup folder, identifying programs that are set to run when the Windows computer is booted.

OS Information

The operating system information recovered by IEF gives key information about the system being examined. By recovering details such as the operating system version, service pack installed, last shutdown time and install date one can quickly understand basic details about the installed OS.

Shellbags

This search recovers Windows shellbag artifacts from the registry. Shellbags record the Explorer view settings of folders a user has browsed, so they can show which folders were accessed (including folders that have since been deleted or that lived on removable media) and when their view settings were last modified.

Jumplists

IEF will recover the per-application recent-item lists known as Windows jump lists, from allocated and unallocated space, for many applications on Windows 7 or newer. The information obtained from jump lists includes recently opened files, timestamp data and several other details.

Event Logs

IEF will recover allocated and deleted Windows event logs. These logs can contain application, system and security events that applications or the operating system have written to the Windows event log service, whether informational or error records. IEF will attempt to recover the event message, times and provider of each event.

Prefetch Files

This search will recover allocated and unallocated Windows prefetch files. These files are created when an executable is run and store information about the file that was run, including its last run date/time. For Windows 8 and newer, IEF is able to pull up to 8 run timestamps from each prefetch file, giving investigators valuable timeline dates and times.

Timezone Information

IEF will recover information about the date/time and timezone settings of a Windows system (XP, Vista, 7, 8). This information can be derived from the registry and backup registry files.

Corporate Email Artifacts

Outlook Web Application (OWA)

IEF will recover fragments of emails when the user has used Outlook Web App (formerly Outlook Web Access) to manage their email. These can be found in both allocated and unallocated space. The list of emails from an inbox view is also recoverable, revealing additional mail items the suspect did not actively open. This artifact is particularly useful when a user accesses their corporate Exchange email through OWA instead of the Outlook application, which is common on Mac computers where Outlook is not installed. Mobile devices may also contain fragments of the OWA artifact.

Microsoft Sharepoint

Microsoft SharePoint comprises a multipurpose set of Web technologies backed by a common technical infrastructure. By default, SharePoint has a Microsoft Office-like interface, and it is closely integrated with the Office suite. The web tools are designed to be usable by non-technical users. SharePoint can be used to provide intranet portals, document & file management, collaboration, social networks, extranets, websites, enterprise search, and business intelligence.

Outlook Email Client

IEF is able to recover emails, appointments, contacts, journals, notes, and tasks from Microsoft Outlook PST and OST archives.

MBOX Email Archives

MBOX is an email archive format used by many email clients, most notably Mozilla Thunderbird. IEF will recover email content, recipients (including CC and BCC) and the timestamps associated with each email from allocated and unallocated space.

Instant Messaging Artifacts

Microsoft Lync/OCS

This search will recover activity related to Microsoft Lync and Office Communicator. Chat messages, call logs and file transfers can be recovered from both allocated and unallocated space.

(available as an optional, add-on module with your IEF license purchase)

Native Phone Apps

SMS

iOS and Android: This search will carve and parse SMS messages from the phone's SQLite message store, including deleted and draft messages. IEF will recover the message text, date/timestamp, sender and read status.

Voicemail

iOS: This search will recover deleted .AMR audio files as well as voicemails that are saved in the Voicemail app. The recovered audio clips can be played within Report Viewer.

Android: This search will recover deleted .AMR audio files. The recovered audio clips can be played within Report Viewer.

Browser

iOS: This search will carve and parse Safari history, cache and bookmarks, and Chrome history, bookmarks and cache. Includes web page rebuilding. Data can also be recovered from unallocated space.

Android: This search will carve and parse Chrome history, bookmarks and cache. Includes web page rebuilding. Data can also be recovered from unallocated space.

Android Cell.cache

This search will carve for cell.cache. IEF recovers timestamps and GPS data. Location data can then be viewed in World Map.

Android Wifi.cache

This search will carve for wifi.cache. IEF recovers timestamps and GPS data. Location data can be viewed in World Map.

Maps

iOS: This search will parse Apple Maps tile pictures (locations viewed in Apple Maps). These tiles are the blocks that are downloaded to display a map.

Android: This search will parse Google Maps search locations. This information is pulled out as X, Y, Z (tile column, tile row and zoom level) coordinates found in the Google Maps SQLite database (includes rebuilding surrounding areas in Report Viewer).

Pictures

iOS and Android: IEF is able to retrieve images through both carving and non-carving searches. The supported formats are: JPEG (.jpg, .jpeg, .jpe), PNG (.png), Bitmaps (.bmp), Graphics Interchange Format (.gif), Icons (.ico), Tagged Image File Format (.tif, .tiff).

Notes

iOS: This search will parse the SQLite databases that store text notes as well as voice notes, including the audio file.

Android: Not supported at this time.

Call logs

iOS: This search will parse and carve the SQLite database that stores the call logs (phone number, duration, date/timestamp). Call logs can also be recovered from unallocated space.

Android: This search will parse the call logs stored in the SQLite database (phone number, duration, date/timestamp).


Contacts

iOS: Not supported.

Android: Parsing of contact information (name, number, emails, addresses and the last time they were contacted).

Downloads

iOS: Not supported.

Android: Parsing of downloads (download source, save path, date/timestamp).

Email

iOS: Parsing of the native email client; recovery of summary, recipient, sent status and HTML body.

Android: Parsing and carving of the native Android email client. IEF recovers the email summary, recipient, sent status and HTML body.

Application snapshots

iOS: This search will recover deleted and live application snapshots (screenshots of applications in their last open state).

Android: Not applicable.

3rd Party Apps

WhatsApp

iOS and Android: This search will carve and parse WhatsApp messages. IEF can recover the message sender, conversation partner, message text and date/time stamp of each message from the SQLite database. Deleted SQLite records can also be recovered from unallocated space.

Kik

iOS and Android: This search will carve and parse Kik messages. IEF can recover the message sender, conversation partner, message text and date/time stamp of each message from the SQLite database. Deleted SQLite records can also be recovered from unallocated space.

Snapchat

iOS: This search will recover deleted Snapchat photos from unallocated space. If a Snapchat photo or video has not yet been viewed, it will also be recovered.

Android: This search will recover deleted Snapchat photos from unallocated space, along with metadata related to deleted and live Snapchat transfers. If a Snapchat photo or video has not yet been viewed, it will also be recovered.

Google Talk

iOS: Not supported.

Android: This search will parse Google Talk contacts as well as messages. Recovered data includes user name, message text, date/timestamp and recipient.

Sina Weibo

iOS: This search will parse Sina Weibo messages. IEF can recover chat messages, posts and user info, with GPS and date/time information present for some artifacts.

Android: This search will parse and carve Sina Weibo messages. IEF can recover chat messages, posts and user info, with GPS and date/time information present for some artifacts.

AIM (AOL Instant Messenger)

iOS: This search will parse and carve AIM messages. IEF can recover the sender, receiver, message, date/timestamp and latitude/longitude for each message.

Android: This search will parse AIM messages and buddies, and will also carve AIM messages. IEF can recover the sender, receiver, message, date/timestamp and latitude/longitude of a message, as well as the buddy name, IDs and avatar for each AIM user.

Skype

iOS and Android: This search will parse Skype history records from the SQLite files Skype uses to store its data. This includes messages, group chat info, calls, accounts, contacts, file transfers, voicemails and SMS messages. IEF can also carve Skype messages from unallocated space.


Facebook

iOS: This search will parse Facebook friend and message records from the SQLite files Facebook uses to store its data. IEF can also carve Facebook messages from unallocated space.

Android: This search will parse Facebook contacts, friends, pictures, messages and user records from the SQLite files Facebook uses to store its data. IEF can also carve Facebook messages from unallocated space.

Instagram

iOS: This search will parse the folder that contains the uploaded Instagram pictures and profile pictures.

Android: This search will parse and carve the JSON file that stores user names, the date/timestamp photos were uploaded, and profile pictures. Instagram data can be found in unallocated space.

Foursquare

iOS: This search will parse and carve the SQLite databases that store the Foursquare check-in locations, including the latitude and longitude, which can be viewed on the world map in IEF Report Viewer. This information can be found in unallocated space as well.

Android: This search will parse the SQLite databases that store the Foursquare check-in locations, including the latitude and longitude, which can be viewed on the world map in IEF Report Viewer. Other recovered fields include the address, date/time of check-in and the user who checked in. IEF will also parse and carve the Foursquare JSON file, which stores much of the same information found in the SQLite file. This information can be found in unallocated space as well.

Dropbox

iOS and Android: This search will parse and carve the SQLite databases that store the Dropbox uploads. This information can be found in unallocated space as well. Data recovered can include file names, dates/times, user IDs, file sizes, and more.

Google Maps

iOS: This search will parse Google Maps search locations. This information is pulled out as X, Y, Z (tile column, tile row and zoom level) coordinates found in the Google Maps SQLite database (includes rebuilding surrounding areas in Report Viewer).

Android: Listed above under 'Native Phone Apps: Maps'.

Gmail

iOS: Not supported.

Android: This search will parse the Gmail application's SQLite database to recover the email summary, recipient, sent status and HTML body. IEF will decompress the email body to display it in plain text.

Google Hangouts

iOS and Android: IEF is able to recover activity related to Google Hangouts. Google Hangouts allows users with Google accounts to communicate via text, video and voice. Photos, text messages, and voice and video call metadata can be recovered.


Twitter

iOS and Android: This search will carve and parse the Twitter SQLite database to recover tweets, the date/timestamps of the tweets, and Twitter friends (followers). This data can be extracted from unallocated space.

TigerText

TigerText is a text messaging application that focuses on providing secure communication for its users; messages sent over TigerText are encrypted.

iOS: The messages cannot currently be decrypted on iOS; however, IEF will recover both the communications and the users of the application.

Android: IEF can decrypt these messages on Android, and will recover both the communications and the users of the application.

Yahoo Mail

iOS: This search is able to recover activity related to the Yahoo Mail application on iOS. Important information such as email messages, attachments and users can be recovered from both allocated and unallocated space.

Android: This search is able to recover activity related to the Yahoo Mail application on Android. Important information such as email messages, attachments and users can be recovered from both allocated and unallocated space.

Firefox

iOS and Android: This search will recover Internet activity from the Firefox mobile browser. IEF will recover Internet history, bookmarks, cookies, form history and cache records.

Burner

Burner gives users the ability to acquire a real phone number to make spoofed calls and text messages. The application then deletes the burner phone number when the user is finished with it.

iOS: IEF can recover messages, phone call records and the phone numbers that were created by the iOS Burner application.

Android: IEF can recover messages, phone call records and the phone numbers that were created by the Android Burner application.