This is the first blog post in a series of five about recovering Business Applications & OS Artifacts for your digital forensics investigations.
With the June release of our latest version of INTERNET EVIDENCE FINDER (IEF), we introduced a new Business Applications & Operating System Artifact module to enable the recovery of a host of new artifact types, including corporate email, instant messaging, document files and OS artifacts.
While IEF’s roots are grounded in the recovery of Internet-based artifacts like browser history, webmail, social networking and chat apps, we recognize that Internet artifacts are only a subset of the potential evidence that can be found on mobile devices and computers. It then became clear through customer feedback that there is a desire in the forensics community to recover more kinds of digital evidence with IEF to get a holistic view of what a suspect has been up to:
“You guys are great at recovering webmail, I would love to see native email recovery like Outlook as well.”
“We use MS Lync in our office, and it would be great if you recovered it just like you recover other chat applications on PCs and mobile devices.”
“IEF recovers so many pictures in my investigations, any chance we’ll see the same capabilities with documents?”
“It would be great if IEF reported OS artifacts like USB devices, jumplists, prefetch, etc. the same way Internet artifacts are reported.”
So, we decided to release our new Business Applications and OS Artifacts module just for you, including evidence recovery capabilities for the following artifacts to make your life easier:
Many customers love how IEF recovers webmail, but wanted us to expand these searches to include native email clients like Outlook and Thunderbird. New with the Business Apps & OS Artifacts module, we’ve added support for Outlook PST and OST files, as well as the MBOX email format commonly used by Mozilla Thunderbird and other Linux-based email clients.
Traditionally, IEF has supported many chat and social networking applications across PCs and mobile devices, but a lot of our enterprise customers have requested support for Microsoft Lync for their internal investigations. IEF can now recover chat messages, call logs, and file transfers for Lync and Office Communicator, helping examiners investigate policy violations, fraud or other corporate cases.
Document recovery can be vital to almost any investigation. Whether documents are found in allocated space or carved from unallocated space, proper document analysis can provide not only the contents of a document, but also the EXIF and metadata around ‘who’ created a document file and ‘when’ it was created.
Windows OS Artifacts
Many customers already run IEF as the first step in their search for digital evidence to recover Internet artifacts. They then use other forensic tools to pull Windows OS artifacts like jumplists, shellbags, prefetch files and USB devices (among other things). We’ve now made this kind of data available with one IEF search, so customers can find even more evidence quickly and efficiently without having to run multiple searches or waste time aggregating results from multiple tools.
Over the coming weeks, I look forward to blogging about different tips and techniques you can use to find important business applications and OS artifacts, as they often provide a wealth of information on a user’s activity and are valuable pieces of evidence.
As always, feel free to get in touch with me by emailing jamie(dot)mcquaid(at)magnetforensics(dot)com. Or, you can ask me a question here.
Forensics Consultant, Magnet Forensics