This month we’ve added some new and exciting artifacts for both computers and smartphones. Below I’ve listed a few of the more popular artifacts and features. For a full listing of what’s included and updated, be sure to look at the change log when you download the new version of Magnet IEF version 6.7.3.
Telegram Messenger for iOS and Android
Telegram is a messaging app that markets itself on greater security and speed than competing messaging apps. It has become popular because of its security and privacy features for users, including its claimed support for end-to-end encryption. Created by the same person who founded VK, Telegram is available for both iOS and Android. However, the two apps were developed separately, and the stored data and feature set differ considerably between them.
New in Magnet IEF version 6.7.3, we’ve added support for Telegram for both iOS and Android, allowing examiners to pull valuable chat data from this app. IEF will pull a user’s contacts and chat conversations. In general, the conversations can be broken down into four types:
- Dialogue – this is a one-to-one conversation with a contact much like any other chat program.
- Secret Chat – this is also one-to-one, but it adds end-to-end encryption as well as extra features such as self-destructing messages and deletion. The two devices exchange encryption keys, which are then used to encrypt the message data.
- Group Chat – this is a many-to-many chat just like most other chat programs that have this feature.
- Channel – this is a one-to-many chat allowing one person to send messages to multiple followers.
There are a lot of additional details available from Telegram chats for examiners. Stay tuned for a more detailed artifact profile and additional resources to help with your analysis.
EML and EMLX Files
In this release, we’ve also included support for EML and EMLX files that may be found on a user’s computer. EML and EMLX files are created by apps such as Outlook Express, Mozilla Thunderbird, Apple Mail, and the Windows Mail app included with Windows 8 and 10. These file formats are also commonly used when exporting email data from other applications.
IEF will now analyze EML and EMLX files, providing examiners with common details such as sender, receiver, CC/BCC, timestamp, subject, body, importance, last read timestamp, and attachments. IEF also presents several views of each message, including details, hex, text, body, headers, and attachments, so that the examiner can choose between inspecting the raw data and viewing the email as the user saw it.
[Screenshot: Message Body View]
Support for EML and EMLX files will be valuable to many examiners, since these formats are used by several different applications, both old and new.
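As an added illustration of what such parsing involves (example code written for this post, not IEF’s own implementation), the following Python uses only the standard library to pull the fields listed above out of a constructed sample EML, including the decoded size and SHA-256 of each attachment. The message content, addresses and file name are all made up for the example.

```python
import hashlib
from email import message_from_bytes, policy

# Constructed sample EML (not real evidence): multipart with one attachment.
SAMPLE_EML = b"""\
From: Alice Example <alice@example.test>
To: Bob Example <bob@example.test>
Cc: carol@example.test
Subject: Quarterly report
Date: Tue, 06 Oct 2015 14:03:22 +0000
Importance: High
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached report.
--b1
Content-Type: application/octet-stream; name="report.bin"
Content-Disposition: attachment; filename="report.bin"
Content-Transfer-Encoding: base64

AAECAwQFBgc=
--b1--
"""


def _addresses(msg, header):
    """Bare addr-specs for an address header; [] when the header is absent."""
    hdr = msg[header]
    return [a.addr_spec for a in hdr.addresses] if hdr else []


def parse_eml(raw: bytes) -> dict:
    """Extract the examiner-facing fields from one RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # decoded bytes, not base64 text
        attachments.append({"filename": part.get_filename(), "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
    return {
        "sender": _addresses(msg, "From"),
        "recipients": {h.lower(): _addresses(msg, h) for h in ("To", "Cc", "Bcc")},
        "timestamp": msg["Date"].datetime if msg["Date"] else None,
        "subject": str(msg["Subject"] or ""),
        "importance": str(msg["Importance"] or "Normal"),
        "body": body.get_content().strip() if body else "",
        "attachments": attachments,
    }
```

The attachment hash is computed over the decoded bytes, so it can be matched against a file found elsewhere on the disk image; an EMLX file carries the same RFC 5322 message preceded by a byte-count line and followed by a property-list trailer, which would need to be stripped before calling `parse_eml`.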
Windows 10 Artifacts: Cortana, Notifications, Edge Browser, Prefetch
This release also includes several artifacts specific to Windows 10, including Cortana, the Notifications center, the Edge browser, and Prefetch files.
Cortana is Microsoft’s digital assistant (think Siri for Windows). You can ask it questions or have it find things on your computer or the Internet. This can be valuable to examiners in the same manner a Google Search can reveal a user’s activity and intentions.
Notifications simply alert a user to a particular event based on time, location, or person. They may also carry emails, security alerts, or calendar events. The data stored for these alerts is relatively simple, consisting of a title, subtext, and message, depending on the type of notification.
Edge is Microsoft’s new browser, replacing the old Internet Explorer. Forensically, not much has changed from IE10+: it still uses an ESE database to store URLs, timestamps, and related data, and IEF presents it in a similar manner to IE10+.
Finally, Prefetch files are not a new artifact for IEF, but a structural change in Windows 10 prevented previous versions from parsing the data that is useful to examiners. We’ve now added support for the newer Windows 10 Prefetch files, matching what was already available for Windows 8 and older versions.
There are several other updates and fixes in this release, so be sure to update your version of IEF to take full advantage of these new features and artifacts.