Have you ever needed to figure out the timezone of the OS in a digital forensic image? What Internet browsers were installed? What chat programs were installed?
I know I have needed all the above in my casework and more.
Now you could find this information in the various Windows registry hives where it's located – NTUSER.DAT, SOFTWARE, SYSTEM etc. – pull it out, format it and stick it in your forensic report.
Or…you could run the triage script in Forensic Explorer and get it done for you without much more work than checking a box during the intake of your evidence.
I don’t know about you but me likey less work.
So how do you use the triage processing function in Forensic Explorer? Where is it located? What’s it doing?
I’m glad you asked. I had the same questions.
Want to hear the answers? Good, let’s go!
The Triage Intake Option in Forensic Explorer
The first step in using the triage processing option in Forensic Explorer is to create a case. Now, I’m not going to tell you how to create a case in Forensic Explorer or add investigators or add evidence to the case. Nope. But that isn’t because I don’t want to or won’t. It’s because this article is about the triage intake processing function. But I will show you some pictures – here you go.
Now that we have that out of the way and have our image added to the case, Forensic Explorer presents us with a dialog window to select what intake or processing options we want to perform on the evidence.
Using the Triage Script during intake requires no extra expertise on the part of the examiner other than the ability to check a box and if you can’t do that…well, send me an email and I’ll give you a referral to a good doctor.
Other than selecting that check box in the intake dialog, all you need to do is press the “Ok” button and let FEX rip. When all the intake actions are done, simply head over to the Reports module and select the Triage folder to view, print or edit the results.
Forensic Explorer Triage Information
The triage intake function in Forensic Explorer creates a Triage report group in the Reports module. It is made up of a title page and three separate sections – Data Examined, Registry and File System. Note: if you don’t see a Triage report in the Reports module, select the drop-down arrow on the New button in the Reports window and select “Triage”.
The Data Examined Group
This group contains a header and details on the data that was added to the case. In our picture below we see that I have added a logical image file to the case.
The Registry Group
This group comprises reports extracted from keys in the SAM, SOFTWARE and SYSTEM Windows registry hives. The information parsed includes users, network information and email clients. This is also where the timezone question from the top of the article gets answered: the OS timezone is stored in the SYSTEM hive, under Control\TimeZoneInformation in the control set that was current at the last boot.
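If you do want to pull these facts out by hand (or check what the Triage report tells you), the script below is an added example and not Forensic Explorer’s or GetData’s code. It assumes you have exported the SYSTEM and SOFTWARE hives from the image to local files and that the third-party python-registry package is installed; the registry key paths themselves are the standard Windows locations. The two gotchas it handles are that an offline SYSTEM hive has no CurrentControlSet link (you must read Select\Current first) and that the timezone Bias is a signed minute count stored as an unsigned DWORD, so zones east of UTC show up as huge numbers.

```python
"""Pull triage facts (OS timezone, installed programs, browsers) from exported hives.

Added example, not Forensic Explorer's or GetData's code. Assumes the SYSTEM and
SOFTWARE hives were exported from the evidence to local files and that the
third-party python-registry package (pip install python-registry) is installed.
"""
import sys

# Standard Windows key locations (relative to the hive root).
TZ_SUBKEY = "Control\\TimeZoneInformation"
UNINSTALL_KEYS = (
    "Microsoft\\Windows\\CurrentVersion\\Uninstall",
    "WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall",  # 32-bit apps on 64-bit Windows
)
BROWSER_KEY = "Clients\\StartMenuInternet"


def utc_offset_from_bias(bias_dword: int) -> str:
    """Bias is (UTC - local) in minutes stored as a DWORD: a positive Bias is west
    of UTC (Eastern Standard Time, Bias=300, is UTC-05:00) and zones east of UTC
    come back as large unsigned values (UTC+01:00 is stored as 0xFFFFFFC4)."""
    bias = bias_dword - (1 << 32) if bias_dword >= (1 << 31) else bias_dword
    local_minus_utc = -bias
    sign = "+" if local_minus_utc >= 0 else "-"
    hours, minutes = divmod(abs(local_minus_utc), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def current_control_set(select_current: int) -> str:
    """An offline SYSTEM hive has no CurrentControlSet link; Select\\Current
    names the ControlSet00N that was live at the last boot."""
    if not 1 <= select_current <= 999:
        raise ValueError(f"implausible Select\\Current value {select_current}")
    return f"ControlSet{select_current:03d}"


def _clean(value):
    # REG_SZ data is sometimes null-padded; strip it so names compare cleanly.
    return value.rstrip("\x00") if isinstance(value, str) else value


def timezone_from_system_hive(path: str) -> dict:
    from Registry import Registry  # third-party, imported lazily (assumed installed)
    reg = Registry.Registry(path)
    cset = current_control_set(reg.open("Select").value("Current").value())
    vals = {v.name(): _clean(v.value()) for v in reg.open(f"{cset}\\{TZ_SUBKEY}").values()}
    return {
        "control_set": cset,
        "key_name": vals.get("TimeZoneKeyName"),
        "standard_name": vals.get("StandardName"),
        "standard_offset": utc_offset_from_bias(vals["Bias"]),
        # ActiveTimeBias includes daylight saving as of the last boot, so it can differ.
        "active_offset": utc_offset_from_bias(vals["ActiveTimeBias"]),
    }


def programs_from_software_hive(path: str) -> dict:
    from Registry import Registry  # third-party, imported lazily (assumed installed)
    reg = Registry.Registry(path)
    installed = set()
    for key_path in UNINSTALL_KEYS:
        try:
            entries = reg.open(key_path).subkeys()
        except Registry.RegistryKeyNotFoundException:
            continue  # no WOW6432Node on a 32-bit Windows install
        for entry in entries:
            try:
                installed.add(_clean(entry.value("DisplayName").value()))
            except Registry.RegistryValueNotFoundException:
                pass  # patches and components often carry no DisplayName
    try:
        browsers = sorted(k.name() for k in reg.open(BROWSER_KEY).subkeys())
    except Registry.RegistryKeyNotFoundException:
        browsers = []
    return {"installed": sorted(installed), "browsers": browsers}


if __name__ == "__main__":
    system_hive, software_hive = sys.argv[1], sys.argv[2]
    print(timezone_from_system_hive(system_hive))
    print(programs_from_software_hive(software_hive))
```

Run it as `python triage_hives.py SYSTEM SOFTWARE` against the exported hive files. Compare standard_offset with active_offset: if they differ, the machine was in daylight saving time at its last boot, which is exactly the kind of detail that shifts every timestamp in your report by an hour if you get it wrong.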
The File System Group
This group reports on artifacts found on the file system, such as installed browsers and chat programs, the presence of Volume Shadow Copies, and wiping tools.
A Word To The Wise
The triage function that runs at intake should not be confused with the triage script that can be run from within the File System module. That script pulls out a subset of the information that the intake triage function does, plus some other sections such as the presence of iPhone backups. It is run after the evidence has already been added and processed in the case, and it is an editable Pascal script, whereas at the time of this writing the intake triage is built into the program.
I hope you enjoyed this brief introduction to the triage processing function that is available at intake with Forensic Explorer. It’s a standard intake function that I use every time I start a new case, and I’ve found it to be a time saver as well as a rich source of clues for evidence artifacts. It’s also helped with setting the correct timezone for the evidence – and believe me, that matters!
Good luck in your forensic endeavors, and tell me what you think of the article or about any other articles on Forensic Explorer that you would like to see. If you are reading this because you are trying to figure out whether Forensic Explorer is right for you, grab a free 30 day trial from the Forensic Explorer website, I think you will like it. If you need help, feel free to ask me as well!
I’ve been around the block a few times over the years with digital forensic tools. I’ve used all the major computer forensic tools and apps like XRY and Cellebrite for mobile forensics.
So I mean it when I say that Forensic Explorer may be the best-kept secret in digital forensics. Seriously.
The fully featured suite of tools packs all the punch of much higher priced tools on the market for less than a third of the price (HUGE).
And it’s easier to use, which is good for an old forensic monkey like…um… me.
One of the powerful features built into Forensic Explorer is index searching – indexing has been a lifesaver for me on cases before. In this short how-to, I will show you how to create an index in your case in Forensic Explorer to quickly search for keywords. I hope that you will find the indexing feature as helpful in casework as I have.
Before we begin however you may be wondering – “What’s an Index?”.
That’s a fair question.
An index is essentially a database of the text strings (words) extracted from the files on an evidence image, and optionally from unallocated space and file slack, so that a keyword lookup runs against the index instead of re-reading the whole image every time. Forensic Explorer leverages the well-known and respected dtSearch engine to create and search such indexes.
Now that you have a basic understanding of what an index is, let’s move on to the three steps to using the Index Search module in Forensic Explorer: Setup, Create and Search.
STEP ONE – SETUP
Creating an index in Forensic Explorer is a simple affair but – as in most things in life – there are some things to take into consideration prior to creating an index for searching.
The first thing you may wish to do is to head over to the dtSearch site – http://bit.ly/1tkFJTt – and take a quick look at the file types that dtSearch indexes. There is a better than average chance that most of what you are looking to index is covered there. While this step is not necessary, it is useful for understanding how the engine works and what to expect from it.
Forensic Explorer stores the indexes it creates at
C:\Program Files\Forensic Explorer %vX%\Cases\%case name%\DTSearchIndexes\index name\
Where %vX% is the version number and %case name% is the name that you have assigned to the case. A created index is roughly one quarter the size of the data indexed, but there is wide variance depending on the number and type of files indexed. Examiners should make sure there is plenty of storage room on the examination medium for indexes.
There are some words so common that the software treats them as “noise”. Words such as “of” and “the” in the English language fall into this category. Forensic Explorer ignores noise words and does not index them. The noise words are stored in a file called “noise.dat” located – on Windows 8.1 – at C:\Program Files (x86)\GetData\Forensic Explorer %vX%\.
Other versions of Windows store the noise.dat file under “Program Files\GetData\Forensic Explorer” with the appropriate version number.
The noise.dat file is a plain text file editable with any text editor such as Notepad. The words are not in any particular order, and wildcards such as “*” or “?” may be used. For an explanation of wildcards see the Webopedia entry at http://bit.ly/1oSFv6i or Google “wildcard in programming”.
Once an examiner has created an index, Forensic Explorer stores a copy of noise.dat with that index. Changes to the original will not affect an index that already exists, only ones created afterwards. So check the list before you build: if a case term happens to be on it (a suspect whose surname is also an everyday word, for example), remove it from noise.dat first, or the index will never return a hit for it.
As a final consideration before creating an index, the examiner may want to perform basic recovery functions against the evidence, such as recovering folders, carving files, decrypting files or uncompressing archive formats that dtSearch does not handle on its own. The purpose of such actions is to let Forensic Explorer see the data as files so that the engine can index it.
STEP TWO – CREATE
You have two options when you create an index in Forensic Explorer – index individual checked files in the File System, Email and Registry modules or index the entire case.
To index individually checked files in the File System, Email and Registry modules, switch to the appropriate module, check the files you want indexed, and then go to the Index Search module.
Once in the Index Search Module regardless of searching individual files or the entire case click on the “New Index” button which will bring up the new index window dialog as shown below.
You will need to name the index. Give it a name that describes the search task you are trying to perform, such as “Bunny Lebowski Hits”. In the items to index section, you will need to select which module you wish to index: the aforementioned File System, Email or Registry module.
You will now need to select the second radio button, labelled “Checked Items”. This should not read “0 items, 0 bytes”. If it does, double check that you are 1) on the right module that has the files you wish to index and 2) have items checked for indexing in that module. Finally, if selecting individual files for indexing, make sure you check the box to include “Raw Devices, Partitions and Files”.
If you are indexing the entire case, go to the Index Search module and keep the selection on the File System module. Remember that the “searchable items” is all the data that Forensic Explorer sees as files – hence the reason why you may wish to perform data recovery and carving functions prior to creating an index.
There is the option for indexing unallocated space when indexing the entire case. Simply check the box to enable this option. If you don’t know what unallocated space is, go to the Center for Computer Forensics at http://bit.ly/1kprEkK for a detailed explanation.
For me, indexing unallocated space, while time consuming on the front end, is a huge help. In the past I’ve used regular expressions to search these areas, and while they are extremely effective, they are nowhere near as fast as searching an index.
Whether you are indexing a selection of files or the entire case, you also have the option of having file slack indexed via the additional options checkbox. Again, for an explanation of file slack see the Center For Computer Forensics at http://bit.ly/1jDUQpx.
After making sure you are indexing what you want, press the “Ok” button and Forensic Explorer will begin to create the index. FEX shows that it’s running the index creation task both in the Indexes window and in the process list at the bottom left of the program.
Once Forensic Explorer has finished creating the index, it is available for searching in the Indexes window.
STEP THREE – SEARCH
To search an index, check the box next to the index you want to search, then enter the word you want to search for in the text box next to the search button.
Forensic Explorer will begin to automagically fill in matching words. For each one it displays the word as it appears in the index, the number of times the word occurs across the whole index (the “Word Count”) and the number of documents in which the word occurs (the “Doc Count”).
To see the results of the search, double click on the word in the results window for further analysis. Forensic Explorer will then display the results in the Index Results pane. To explore the hits further select a hit from the results pane. Forensic Explorer shows the selection highlighted in yellow in the Search Hits pane below the index results pane.
That’s it! Easy huh? From the Search Hits pane, you can look through more hits or bookmark interesting results.
The last thing I want to cover are some tips to aid you in searching the index you have created. I’ve used each of these – and combinations of these – in my casework with Forensic Explorer and I hope you can make good use of them too.
In the Search Hits pane, you can scroll through the highlighted hits by clicking on the marker arrows displayed in the upper left of the pane.
Forensic Explorer also has three options for searching an index, chosen by selecting the option located below the search box. The options are as follows.
Stemming – This option searches for other grammatical forms of the word you are searching the index for. For instance, a search for “lift” with the stemming option applied would also find “lifting”. Custom stemming rules can be created by editing the stemming.dat file located at “C:\Program Files (x86)\GetData\Forensic Explorer %vX%”. You may also find more information on stemming on the dtSearch site at http://bit.ly/1lRlfwT.
Phonetic – This option searches for words that sound similar to the one searched for. For instance, a search for “plane” with the phonetic option selected will also find “plain”.
Fuzzy – This option accounts for typographical and scanning (OCR) errors, so a spelling a letter or two off from your term still produces a hit.
These options are not mutually exclusive and can be combined while searching.
Within the search text box Forensic Explorer allows Boolean expressions – see http://bit.ly/RV2cc0 – for searching indexes. Boolean operators connect words or phrases: for instance, a search for “Carlos and package” requires that both words be present in the same document for there to be a hit. For more information on how to use a Boolean search with Forensic Explorer go to the dtSearch site at http://bit.ly/1mZpWaX .
Finally, you can use the following wildcards in your index searches.
* to search for any number of characters
? to search for any single character
= to search for any single digit
The wildcards can be used anywhere in the word being searched. For instance, using “*” after “kill” would match “kills”, “killed” or “killing”. For more information on wildcards and how to use them in Forensic Explorer go to the dtSearch site at http://bit.ly/1mZpWaX/.
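To make concrete what an index actually is, and how noise words, Word Count versus Doc Count, Boolean AND and the three wildcards interact, here is a toy inverted index in Python. It is an added example, not the dtSearch engine or any Forensic Explorer code, and the four “documents” and the noise list are constructed for illustration; the wildcard rules are the ones listed above (“*” any run of characters, “?” one character, “=” one digit).

```python
"""A toy inverted index showing what dtSearch-style index searching does.

Added example, not Forensic Explorer's or dtSearch's code. The four
"documents" and the noise list below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample files, standing in for items on an evidence image.
DOCS = {
    "chat_log.txt": "Carlos: the package is ready. Carlos says meet at the pier at 2130 hrs.",
    "email_0042.eml": "Package delayed. Carlos will kill the deal if the price changes.",
    "notes.txt": "Killer whales were spotted near the pier. Lift the nets at 0600.",
    "report.docx": "Killed the engine, lifting the anchor took 40 minutes. "
                   "Carlos and the package are in the 3rd bag.",
}
# Stand-in for noise.dat: words too common to be worth indexing.
NOISE = {"the", "of", "and", "a", "is", "at", "if", "will"}

WORD_RE = re.compile(r"[A-Za-z0-9]+")


def build_index(docs, noise):
    """Map every non-noise word to its postings (which documents contain it),
    its Word Count (total occurrences) and its Doc Count (documents containing it)."""
    word_count, doc_count, postings = Counter(), Counter(), defaultdict(set)
    for name, text in docs.items():
        words = [w.lower() for w in WORD_RE.findall(text) if w.lower() not in noise]
        word_count.update(words)
        for w in set(words):
            doc_count[w] += 1
            postings[w].add(name)
    return {"word_count": word_count, "doc_count": doc_count, "postings": postings}


def wildcard_to_regex(pattern):
    """dtSearch-style wildcards: * any run of characters, ? one character, = one digit."""
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "=":
            parts.append(r"\d")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def lookup(index, term):
    """Return {indexed_word: (word_count, doc_count)} for every word matching the term.
    A noise word never shows up here: it was dropped before the index was built."""
    rx = wildcard_to_regex(term)
    return {w: (index["word_count"][w], index["doc_count"][w])
            for w in index["postings"] if rx.match(w)}


def search(index, query):
    """Boolean AND: every term (wildcards allowed) must hit the same document."""
    terms = re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE)
    result = None
    for term in terms:
        hits = set()
        for word in lookup(index, term):
            hits |= index["postings"][word]
        result = hits if result is None else result & hits
    return sorted(result or [])


if __name__ == "__main__":
    idx = build_index(DOCS, NOISE)
    print(lookup(idx, "carlos"))              # Word Count 4, Doc Count 3
    print(lookup(idx, "kill*"))               # kill, killed, killer
    print(lookup(idx, "=???"))                # the two four-digit times
    print(search(idx, "Carlos and package"))  # the three documents holding both
    print(lookup(idx, "the"))                 # {} because "the" is a noise word
    # Editing the noise list only helps an index built afterwards:
    print(lookup(build_index(DOCS, NOISE - {"the"}), "the"))
```

The last two lines are the noise.dat lesson in miniature: against the index built with the original list, “the” returns nothing at all, not even a zero count, and only an index rebuilt after the list was changed can find it.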
In this article, I showed you how to create an index within a case in Forensic Explorer to quickly search for keywords using three easy steps. Along the way, we looked at advanced index search options like stemming and wildcards.
Forensic Explorer is an amazing tool that, with its full forensic suite and affordable price, I have made my go-to Windows forensic application. Don’t miss out on it. If you haven’t already tried it out, go and grab an evaluation copy at http://bit.ly/1oH1Xgr.
I hope you found this short how-to useful. If you did, drop me a line at linuxchimp-at-gmail-dot-com and let me know. I’d love to share some more reviews of FEX features and how-to’s for everyone.
I wish everyone the best in their forensic endeavours!