Warning: This One Step Can Save You Hours of Work In Your Forensic Examinations

Digital Forensic Triage

Have you ever needed to figure out the timezone of the OS in a digital forensic image? What Internet browsers were installed? What chat programs were installed?

I know I have needed all the above in my casework and more.

Now you could find this information in the various Windows registry keys where it's located – NTUser.dat, SYSTEM etc. – pull it out, format it and stick it in your forensic report.

Or…you could run the triage script in Forensic Explorer and get it done for you without much more work than checking a box during the intake of your evidence.

I don’t know about you but me likey less work.

A lot.

So how do you use the triage processing function in Forensic Explorer? Where is it located? What’s it doing?

I’m glad you asked. I had the same questions.

Want to hear the answers? Good, let’s go!

The Triage Intake Option in Forensic Explorer

The first step in using the triage processing option in Forensic Explorer is to create a case. Now, I’m not going to tell you how to create a case in forensic explorer or add investigators or add evidence to the case. Nope. But that isn’t because I don’t want to or won’t. It’s because this article is about the triage intake processing function. But I will show you some pictures – here you go.

Create a Case in Forensic Explorer

Add an Image in Forensic Explorer

Now that we have that out of the way and have our image added to the case, Forensic Explorer presents us with a dialog window to select what intake or processing options we want to perform on the evidence.

Using the Triage Script during intake requires no extra expertise on the part of the examiner other than the ability to check a box and if you can’t do that…well, send me an email and I’ll give you a referral to a good doctor.

Triage Check Box

Other than selecting that check box in the intake dialog box all you need to do is press the “Ok” button and let FEX rip. When all the intake actions are done, simply head over to the reports module and select the Triage folder to view the results, print or edit.

Forensic Explorer Report Window

Forensic Explorer Triage Information

The triage intake function in Forensic Explorer creates a report group in the Reports module that is comprised of a title page and three separate report groups – Data Examined, Registry and File System. Note: if you don't see a Triage report generated in the Reports module, select the drop-down arrow on the New button in the Reports window and select “Triage”.

Forensic Explorer Missing Triage Report

The Data Examined Group

This group contains a header and details on the data that was added to the case. In our picture below we see that I have added a logical image file to the case.

Forensic Explorer Missing Triage Report

The Registry Group

This group comprises reports extracted from keys in the SAM, SOFTWARE and SYSTEM Windows registry hives. The information parsed includes users, network information and email clients.

Forensic Explorer Triage Registry

The File System Group

This group reports on installed programs like browsers, chat, shadow copies or wiping tools.

Forensic Explorer Triage File System

A Word To The Wise

The triage function that happens at intake should not be confused with the triage script that can be run from within the File System module. That script pulls out a subset of the information that the triage intake function pulls out, plus some other sections such as the presence of iPhone backups. It is run after the evidence has already been added and processed in the case, and it is an editable Pascal script, whereas at the time of this writing the intake triage is built into the program.

Forensic Explorer Triage Script

Forensic Explorer Triage Script Summary

I hope you enjoyed this brief introduction to the triage processing function that is available at intake with Forensic Explorer. It's a standard intake function that I use every time I start a new case, and I've found it to be a time saver as well as a rich source of clues for evidence artifacts. It's also helped with setting the correct timezone for evidence – and believe me, that matters!

Good luck in your forensic endeavors, and tell me what you think of the article or about any other articles on Forensic Explorer that you would like to see. If you are reading this because you are trying to figure out if Forensic Explorer is right for you, grab a free 30 day trial from the Forensic Explorer website; I think you will like it. If you need help, feel free to ask me as well!

Photo Credit: Instant Vantage via photopin cc

How to Use Indexing in Searches with Forensic Explorer in Three Easy Steps

Index Searches with Forensic Explorer

I’ve been around the block a few times over the years with digital forensic tools. I’ve used all the major computer forensic tools and apps like XRY and Cellebrite for mobile forensics.

So I mean it when I say that Forensic Explorer may be the best-kept secret in digital forensics. Seriously.

The fully featured suite of tools packs all the punch of much higher-priced tools on the market for less than a third of the price (HUGE).

And it’s easier to use, which is good for an old forensic monkey like…um… me.

One of the powerful features built into Forensic Explorer is index searching – indexing has been a lifesaver for me on cases before. In this short how-to, I will show you how to create an index in your case in Forensic Explorer to quickly search for keywords. I hope that you will find the indexing feature as helpful in casework as I have.

Before we begin however you may be wondering – “What’s an Index?”.

That’s a fair question.

An index is like a database of text strings extracted from files or space on an evidence image. Forensic Explorer leverages the well-known and respected DTSearch engine to create and search such indexes.

Now that you have a basic understanding of what an index is, let’s move on to the three steps to using the Index Search module in Forensic Explorer: Setup, Create and Search.

STEP ONE – SETUP

Creating an index in Forensic Explorer is a simple affair but – as in most things in life – there are some things to take into consideration prior to creating an index for searching.

The first thing you may wish to do is to head over to the DTSearch site – http://bit.ly/1tkFJTt – and take a quick look at the file types that DTSearch indexes. There is a better than average chance that most of what you are looking to index is listed there. While this step is not necessary, it is useful for understanding how the engine works and what to expect from using it.

Forensic Explorer stores the indexes it creates at

C:\Program Files\Forensic Explorer %vX%\Cases\%case name%\DTSearchIndexes\index name\

where %vX% is the version number and %case name% is the name that you have assigned the case. The indexes created are approximately one fourth of the size of the original files indexed, but a wide variance in index size is possible depending on the size and number of files in the index. Examiners should make sure there is plenty of storage room on the examination medium for indexes.

There are some words so common that the software will treat them as “noise”. Words such as “of” and “the” in the English language fall into this category. Forensic Explorer ignores noise words and does not index them. The so-called “noise” words are stored in a file called “noise.dat” located – in Windows 8.1 – at C:\Program Files (x86)\GetData\Forensic Explorer %vX%\.

Other versions of Windows will store the noise.dat file under “Program Files\GetData\Forensic Explorer” with the appropriate version number.

The noise.dat file is a plain text file editable with any text editor such as Notepad. The words are not in any particular order, and wildcards such as “*” or “?” may be used. For an explanation of wildcards see the Webopedia entry at http://bit.ly/1oSFv6i or Google “wildcard in programming”.

Once an examiner has created an index, Forensic Explorer stores a copy of noise.dat with that index. Changes to the original will not affect the created index – only subsequently created ones.

As a final consideration before creating an index, the examiner may want to perform basic recovery functions against the evidence, such as recovering folders, file carving, decrypting files or uncompressing archives that DTSearch does not automatically support. The purpose of doing so is to allow Forensic Explorer to see the data as files and so aid the engine in indexing.

STEP TWO – CREATE

You have two options when you create an index in Forensic Explorer – index individual checked files in the File System, Email and Registry modules or index the entire case.

To index individually checked files in the File System, Email and Registry modules, switch to the appropriate module, check the files you want indexed and then go to the Index Search module.

Once in the Index Search module, regardless of whether you are indexing individual files or the entire case, click on the “New Index” button, which will bring up the new index dialog shown below.

 

New Index

Creating a new index

 

You will need to name the index. Make sure to give it a name that is descriptive of the search task you are trying to perform, such as “Bunny Lebowski Hits”. In the Items to Index section, you will need to select which module you wish to search. This will be the aforementioned File System, Email or Registry module.

You will now need to select the second radio button, labeled “Checked Items”. This should not read “0 items, 0 bytes”. If it does, double check that you are 1) on the right module that has the files you wish to index and 2) you have items checked for indexing in that module. Finally, if selecting individual files for indexing, make sure you check the box to include “Raw Devices, Partitions and Files”.

 

Index Checked Items

Index Checked Items

 

If you are indexing the entire case, go to the Index Search module and keep the selection on the File System module. Remember that the “searchable items” are all the data that Forensic Explorer sees as files – hence the reason why you may wish to perform data recovery and carving functions prior to creating an index.

There is the option for indexing unallocated space when indexing the entire case. Simply check the box to enable this option. If you don’t know what unallocated space is, go to the Center for Computer Forensics at http://bit.ly/1kprEkK for a detailed explanation.

For me, indexing unallocated space, while time consuming on the front end, is a huge help. In the past, I've used regular expressions to search these areas, and while those are extremely effective, they are nowhere near as fast as searching an index.

 

Indexing an Entire Case

Indexing an Entire Case

 

Whether you are indexing a selection of files or the entire case, you also have the option of having file slack indexed via the additional options checkbox. Again, for an explanation of file slack see the Center For Computer Forensics at http://bit.ly/1jDUQpx.

After making sure you are indexing what you want, press the “Ok” button and Forensic Explorer will begin to create the index. FEX will show you that it's running the index creation task both in the Indexes window and in the process list in the bottom left of the program.

 

Running index

Running Index

 

Index Process Running

Index Process Running

Once Forensic Explorer has finished creating the index, it is available for searching in the Indexes window.

 

Finished Index

Finished Indexes

 

STEP THREE – SEARCH

To search an index, check the box next to the index you want to search. Now enter the word that you want to search the index for in the text box next to the Search button.

Forensic Explorer will begin to automagically fill in search hits. For each match it displays the word as it appears in the index, the number of times the word occurs in the index – called the “Word Count” – and the number of documents in which the word occurs – called the “Doc Count”.

Basic Index Search

To see the results of the search, double click on the word in the results window for further analysis. Forensic Explorer will then display the results in the Index Results pane. To explore the hits further, select a hit from the results pane. Forensic Explorer shows the selection highlighted in yellow in the Search Hits pane below the Index Results pane.

 

Search Hits

Search Hits

 

That’s it! Easy huh? From the Search Hits pane, you can look through more hits or bookmark interesting results.

SEARCH TIPS

The last thing I want to cover is some tips to aid you in searching the index you have created. I've used each of these – and combinations of these – in my casework with Forensic Explorer, and I hope you can make good use of them too.

In the Search Hits pane, you can scroll through the highlighted hits by clicking on the marker arrows displayed in the upper left of the pane.

 

Search Scroll

Search Marker Arrows

 

Forensic Explorer also has three options for searching an index that can be chosen by selecting the option located below the search box. The options are as follows.

Stemming

This option searches for other grammatical forms of the word for which you have chosen to search the index. For instance, a search of “lift” with the stemming option applied would also find “lifting”. Custom stemming rules can be created by editing the stemming.dat file located at “C:\Program Files (x86)\GetData\Forensic Explorer %vX%”. You may also find more information on stemming on the DTSearch site at http://bit.ly/1lRlfwT.

Phonetic Searching

This option, when selected, searches for words that sound similar to the one searched for – for instance a search of “plane” with the phonetic search option selected will also find “plain”.

Fuzzy Search

This option accounts for typographical and scanning errors.

These options are not mutually exclusive and can be stacked so that all of them apply while searching.

Boolean Searches

Within the text search box Forensic Explorer allows Boolean expressions – see http://bit.ly/RV2cc0 – when searching indexes. This type of index search connects words or phrases. For instance, a search of “Carlos and package” requires that both words be present for there to be an index hit. For more information on how to use a Boolean search with Forensic Explorer go to the DTSearch site at http://bit.ly/1mZpWaX.

Wild Cards

Finally, you can use the following wildcards in your index searches.

  • * – matches any number of characters
  • ? – matches any single character
  • = – matches any single digit

The wildcards can be used anywhere in the word being searched. For instance, using “*” after “kill” would match “kills”, “killed” or “killing”. For more information on wildcards and how to use them in Forensic Explorer go to the DTSearch site at http://bit.ly/1mZpWaX/.
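To make concrete what the Index Search module is doing behind the scenes (the Word Count and Doc Count columns described under Step Three, the noise.dat filter from Step One, the “Carlos and package” Boolean search and the three wildcards above), here is a small model of a text index written for this article. It is illustrative code, not Forensic Explorer's or dtSearch's own implementation; the documents and the noise list are constructed samples, and the wildcard-to-regex translation is the obvious one rather than dtSearch's actual matcher.

```python
import re
from collections import defaultdict

# Constructed sample "documents" standing in for indexed case files (not real evidence).
DOCUMENTS = {
    "chat_log.txt": "Carlos said the package is ready. Carlos will lift it tonight.",
    "email_01.eml": "The package of lifting gear was delivered to the plane.",
    "notes.txt": "He kills time at the bar in room 204; nobody killed or killing anything.",
}

# Constructed stand-in for noise.dat: one entry per line, wildcards allowed ("wa?" drops "was").
NOISE_DAT = """\
the
of
is
it
a
an
and
to
or
wa?
"""


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an index wildcard pattern into a compiled whole-word regex:
    '*' -> any run of characters, '?' -> any single character, '=' -> any single digit."""
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "=":
            parts.append(r"\d")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def load_noise(noise_text: str) -> list:
    """Parse a noise.dat-style file; each non-empty line becomes a wildcard pattern."""
    return [wildcard_to_regex(line.strip()) for line in noise_text.splitlines() if line.strip()]


def is_noise(word: str, noise: list) -> bool:
    return any(rx.match(word) for rx in noise)


def tokenize(text: str) -> list:
    """Lower-case alphanumeric tokens; punctuation is dropped."""
    return re.findall(r"[a-z0-9]+", text.lower())


def build_index(documents: dict, noise: list) -> dict:
    """Return {word: {document: occurrences}} for every word that is not noise."""
    index = defaultdict(lambda: defaultdict(int))
    for doc, text in documents.items():
        for word in tokenize(text):
            if not is_noise(word, noise):
                index[word][doc] += 1
    return index


def lookup(index: dict, pattern: str) -> list:
    """Rows like the Index Search results pane: (word, word_count, doc_count), sorted by word."""
    rx = wildcard_to_regex(pattern)
    rows = []
    for word, postings in index.items():
        if rx.match(word):
            rows.append((word, sum(postings.values()), len(postings)))
    return sorted(rows)


def search_all(index: dict, *patterns: str) -> list:
    """Boolean AND: documents containing a match for every pattern ("Carlos and package")."""
    doc_sets = []
    for pattern in patterns:
        matched = set()
        for word, _, _ in lookup(index, pattern):
            matched |= set(index[word])
        doc_sets.append(matched)
    return sorted(set.intersection(*doc_sets)) if doc_sets else []


if __name__ == "__main__":
    idx = build_index(DOCUMENTS, load_noise(NOISE_DAT))
    for row in lookup(idx, "kill*"):
        print(row)
    print(search_all(idx, "carlos", "package"))
```

Two details are worth noticing: a word that appears twice in one file (“Carlos”) has a Word Count of 2 but a Doc Count of 1, and a word that matches a noise pattern never enters the index at all, so searching for it returns nothing no matter how often it occurs in the evidence.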

In this article, I showed you how to create an index within a case in Forensic Explorer to quickly search for keywords using three easy steps. Along the way, we looked at advanced index search options like stemming and wildcards.

Forensic Explorer is an amazing new tool; with its full forensic suite and affordable price, I have made it my go-to Windows forensic application. Don't miss out on this amazing new tool. If you haven't already tried it out, go and grab an evaluation copy at http://bit.ly/1oH1Xgr.

I hope you found this short how-to useful. If you did, drop me a line at linuxchimp-at-gmail-dot-com and let me know. I’d love to share some more reviews of FEX features and how-to’s for everyone.

I wish everyone the best in their forensic endeavours!

Photo Credit: _Untitled-1 via photopin cc

Five Quick Tips For Using Google Earth In Mobile Forensic Investigations

Mobile forensic tools like Cellebrite and XRY allow you to export evidence that contains geo-location information. However, when this information is exported, and even when it is reported from within these tools, it can still lack context and meaning. The examiner must further work with the resulting KMZ export within Google Earth to make the evidence presentable to other investigators or in court proceedings.

If you have ever been frustrated and wondered “What now?” when looking at a KMZ file given to you by an analyst or one you have exported yourself, you aren't alone. I have asked myself the same question. In fact, asking that question led me to write my own class and book on the subject – Google Earth In Forensic Investigations. I've taken five quick tips from my research to help you in shaping your own geo-location cases in Google Earth.

Google Earth Forensic Tip #1 — Use HTML

Not many people know that you can use Hypertext Markup Language or HTML in the feature balloon description box within Google Earth. HTML is extremely useful to help format text for readability, add links to further forensic reports or images to enhance the location.

Feature Balloon in Google Earth showing HTML enhancement

Even knowing a few basic HTML tags such as <br> and <p> can help the readability of your geo-location feature. There are loads of HTML tutorials on the web, and since it involves straight text and markup tags it's actually really easy to learn — unlike a lot of programming languages. I encourage you to learn some HTML for your Google Earth cases – you will be pleased with the results in your forensic work.

Google Earth Forensic Tip #2 — Organize!

The location features in your KMZ file may make sense to you, but are you looking at them from the viewpoint of an investigator, or even someone further removed from the case such as a prosecutor? As you begin to work on your exported geo-location evidence KMZ file in Google Earth, it is a good idea to separate similar features — for instance features in the same locations or having the same theme — into folders. Not only does this help you to keep from getting lost in the ‘weeds’ of your work, it helps the investigators and others who view the end result filter details of the case.

Google Earth Forensic Tip #3 — Think Visually

Unless you are looking at images or movies in a digital forensic case report, you are usually looking at plain text or hexadecimal. Geo-location evidence, while containing elements of this type of data — date and time stamps or coordinates — can mean nothing if not put in a proper visual context. This is a real strength of using Google Earth in your mobile forensic cases: it allows you to give visual context to the coordinates that are extracted from the smart phone or GPS device.

Visual context makes a powerful impact on people — so remember to think visually and use Google Earth to tell a story by showing people the narrative of your geo-location evidence.

Google Earth Forensic Tip #4 — Branding

I'm not talking about coming up with a catchy slogan or tweeting about your forensic case — but putting an agency logo overlay on top of your evidence locations in Google Earth puts a professional polish on the case and can also help warn others that the file contains sensitive information. In addition to logos, other overlays such as legends or banners can be added to your Google Earth forensic KMZ — the possibilities are limited only by your imagination.

Agency Logo and Legend Overlaid In Google Earth

Google Earth Forensic Tip #5 — Learn KML

This tip requires a little more work — but not much more than tip #1. KML stands for Keyhole Markup Language and is the underlying markup language that the Google Earth program uses to display details in its 3D viewer. KML is a descendant of the Extensible Markup Language, or XML, and like HTML it consists of text and markup tags called ‘elements’. Learning KML allows for greater control of the Google Earth program and how it displays information. I've used KML to create timelines and to get rid of the annoying directions link at the bottom of the feature balloon.

The Directions link Removed From The Google Earth Feature Balloon

Though there is a slight learning curve and it sometimes takes some debugging, learning KML is a useful skill to have in your bag. You can get a basic KML tutorial from Google, though sometimes the best way to learn is to look at others' code and cobble up your own from that.
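As an added illustration of tips #1, #2, #4 and #5 together (HTML in the balloon, folders per theme, a logo overlay, and the KML that carries all of it), the script below builds a small KML document from a handful of constructed geo-location records of the kind a mobile tool might export. It is written for this article and is not code from Google, Cellebrite or MSAB; the coordinates, file names and the logo path agency_logo.png are made-up placeholders. Two points the paragraphs above do not spell out: KML coordinates are written longitude first, then latitude, and any text taken from the evidence is HTML-escaped before it goes into a balloon so that a file name or message body cannot inject its own markup into your report.

```python
import xml.etree.ElementTree as ET
from html import escape

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample records (not real evidence) as a mobile forensic export might provide them.
SAMPLE_POINTS = [
    {"name": "Photo IMG_0001", "lat": 52.3702, "lon": 4.8952, "when": "2014-05-01 10:15 UTC",
     "source": "DCIM/IMG_0001.jpg", "theme": "Photos"},
    {"name": "Photo IMG_0002", "lat": 52.3676, "lon": 4.9041, "when": "2014-05-01 11:02 UTC",
     "source": "DCIM/IMG_0002.jpg", "theme": "Photos"},
    {"name": "Cell tower fix", "lat": 52.3791, "lon": 4.9003, "when": "2014-05-01 11:30 UTC",
     "source": "cell_locations.db", "theme": "Network"},
]


def q(tag: str) -> str:
    """Qualify a tag name with the KML namespace for ElementTree."""
    return f"{{{KML_NS}}}{tag}"


def balloon_html(point: dict) -> str:
    """Tip #1: HTML for the feature balloon. Every evidence-derived value is escaped so that
    evidence content is displayed as text and cannot add markup or links of its own."""
    name, when, source = (escape(point[k]) for k in ("name", "when", "source"))
    return (
        f"<p><b>{name}</b></p>"
        f"<p>Time: {when}<br/>Source: {source}</p>"
        f"<p><a href='report.html#{source}'>Full report entry</a></p>"  # report.html is a placeholder
    )


def build_kml(points: list, logo_href: str = "agency_logo.png") -> ET.Element:
    """Tip #2 (one Folder per theme), Tip #4 (ScreenOverlay logo) and Tip #5 (the KML itself)."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(q("kml"))
    doc = ET.SubElement(kml, q("Document"))
    ET.SubElement(doc, q("name")).text = "Geo-location evidence (constructed sample)"

    # Logo pinned to the top-left corner of the 3D viewer; size 0,0 keeps the image's own size.
    overlay = ET.SubElement(doc, q("ScreenOverlay"))
    ET.SubElement(overlay, q("name")).text = "Agency logo"
    ET.SubElement(ET.SubElement(overlay, q("Icon")), q("href")).text = logo_href
    for tag in ("overlayXY", "screenXY"):
        ET.SubElement(overlay, q(tag), x="0", y="1", xunits="fraction", yunits="fraction")
    ET.SubElement(overlay, q("size"), x="0", y="0", xunits="fraction", yunits="fraction")

    folders = {}
    for p in points:
        folder = folders.get(p["theme"])
        if folder is None:
            folder = ET.SubElement(doc, q("Folder"))
            ET.SubElement(folder, q("name")).text = p["theme"]
            folders[p["theme"]] = folder
        placemark = ET.SubElement(folder, q("Placemark"))
        ET.SubElement(placemark, q("name")).text = p["name"]
        # ElementTree entity-escapes the HTML; Google Earth accepts either escaped HTML or CDATA here.
        ET.SubElement(placemark, q("description")).text = balloon_html(p)
        point = ET.SubElement(placemark, q("Point"))
        # KML order is longitude,latitude,altitude
        ET.SubElement(point, q("coordinates")).text = f"{p['lon']},{p['lat']},0"
    return kml


def kml_to_string(kml: ET.Element) -> str:
    return ET.tostring(kml, encoding="unicode", xml_declaration=True)


if __name__ == "__main__":
    print(kml_to_string(build_kml(SAMPLE_POINTS)))
```

Save the output as a .kml file (or zip it with the logo image as a .kmz) and open it in Google Earth; the two folders appear in the Places panel, so an investigator can switch the Network fixes off and look at the photographs alone.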

So there you have it, five tips for using Google Earth with exported geo-location evidence in mobile forensic cases. I hope that the tips help you and spark your imagination in how to use Google Earth in your forensic endeavors.

If you want more detailed information on geo-location forensics and using Google Earth, check out my Google Earth In Forensic Investigations course. Drop me a line or a comment about the article — I appreciate all constructive feedback!

Poll – Online, On Demand, On Site

I'm curious about the efficacy and cost of online and on-demand forensic courses as opposed to the traditional week-long on-site training paradigm. So I've created a poll to see what you, Dear Reader, think about the subject. If you are interested and take the poll, please retweet this post using the #4n6train hashtag. I'll publish the results in another post. Thanks!

Mea Culpa – mobile forensics & 64 bit does work…

Dear Reader -

I apologize. I didn’t mention in my post on Windows 8 64 bit that I was running PA/XRY in a virtual machine. Nor did I mention that my 32 bit XP box (in which XRY/PA worked just fine) was also a VM.

I apologize as well that I failed to follow up yesterday and post that I successfully installed Windows 7 Ultimate 64 bit in a VM and got both PA and XRY Complete to run just fine.

As Jansen Cohoon of Micro Systemation pointed out to me on Twitter, he has Win 8 64 bit and XRY working fine on a dedicated Windows box.

I should have been more explicit in my post and mentioned the VMs. I should have followed up. I also should have been more scientific in my trouble shooting.

I got frustrated and ran out of time for my testing… but that's a cop-out. I owe it to you all to be more thorough.

So I’ll test it all again on the VM and again test it on some dedicated boxes when I can get my hands on them (they are being used in a course).

Thank you to those who pointed out my mistakes. I’d like to hear from people if they are also having problems using Win 8 in a VM. I know a lot of us use VMs for forensics. Perhaps my host needs some more TLC!

To recap:

  • I was using a 64 bit Win 8 VM when I couldn't get XRY/PA to work.
  • My 32 bit XP VM runs PA and XRY just fine.
  • My 64 bit Win 7 VM runs XRY and PA without a hitch.
  • Test and validate!

Sincerely,

Mike

P.S. Always follow your own advice ;-)

Win 8 64 Bit? No can do!

Well, I just wasted hours of my life that I’ll never get back.

“But Mike,” you say concerned, “Whatever do you mean? How can I help?”

Thanks for the offer, but there is nothing you can do – unless of course you have a DeLorean and a Flux Capacitor.

You see, I foolishly tried to install a copy of Windows 8 64 bit as my OS to use with Cellebrite’s Physical Analyzer and MSAB’s XRY Complete. And I got…bubkes.

Oh, the software seemed to run right, yes indeedy. But the dongles wouldn't work. Neither WIBU nor HASP.

“Mike, did you check to see if Win 8 was supported by Cellebrite or MSAB?”

Grrr…No.

I thought I’d give it a shot. I wanted it to work. I figured as long as I was updating my wheezy XP box, I’d go to the latest OS….

…and I got burned. No soup for me.

Ahh, well, at least I'm a good example. Three things, though:

1. Dongle vendors UPDATE YOUR DRIVERS

2. DON’T TRY TO USE WIN 8 for PA or XRY (yet!)

3. Don’t be like me – RTFM!

Have a good one ;-)

Has RIM gasped its last?

I was just in the Netherlands – and I got to enjoy Sinterklaas! – and the police there are still very interested in BlackBerry investigations. In fact, I think this is true for the UK and Europe. But here in the States we seem to have moved on – and I'm so sick of the pundits who are making their living pontificating on BlackBerry 10.

It's time to settle this with a poll. So, what do you think?