Finding More Mobile App Data – IEF v6.2 Released

I’m excited to announce the release of Internet Evidence Finder (IEF) v6.2, which brings a number of new features and adds support for even more Internet and mobile artifacts.

The development team and I have been busy the past few months working on v6.2 and I’m very proud of what we’ve been able to accomplish and deliver in this release.

I’m going to focus this post on the feature I’m most excited about in this release, our new Dynamic App Finder for mobile chat artifacts. We added this feature to address the challenge of keeping up with the thousands of mobile chat/messenger apps available on the iOS App Store and Google Play store for Android.

Simply put, the Dynamic App Finder attempts to locate and recover chat messages from applications not specifically supported in IEF. We already support the recovery of chat messages from the most popular mobile chat apps like WhatsApp, Kik Messenger, etc., and we will continue to add more mobile app support, but there are thousands of chat apps out there, some that we may not know about and some that may never be popular enough to warrant a dedicated R&D project by us or the other forensics software vendors. There is always the potential that your suspect/target/witness is using an obscure app (or an app that we haven’t had a chance to add support for yet) to communicate on their mobile device. The need to support more apps and stay ahead of the curve of an ever-increasing number of apps is why we developed the Dynamic App Finder—to help IEF identify and recover data from obscure and other not-yet-supported apps.

Please see the excerpt below from the IEF documentation for details:

How does it work?

The Dynamic App Finder reads through all the files on the mobile image or file dump you are searching and uses a patent-pending process to identify databases from chat apps (we plan to expand the support to other types of mobile apps in the future). If this process identifies a database, we then attempt to map the columns to the respective fields (the sender/recipient, date/time, and message text). At the end of the search, the identified apps and mappings are displayed to you for final verification/remapping (in case the automated process mapped something incorrectly, or chose the wrong date/time format) and the data is read from the respective databases into your case file.

To use the Dynamic App Finder feature, just leave it checked on the artifacts screen (both Android and iOS platforms are supported):

[Screenshot: IEF Dynamic App Finder]

At the end of the search, you will see a confirmation window showing all the apps that were identified as potential chat apps:

[Screenshot: IEF Dynamic App Finder]

As you can see, the assigned mappings are highlighted in blue in the database preview window and the assigned fields are in bold above the column name (Sender, Message, Date/Time in this example). These are the Dynamic App Finder’s recommended mappings for each discovered app. In the event that the recommended mappings are incorrect, you can change them by using the drop-down boxes in the top pane for that item. The Date Format column allows you to change the timestamp conversion IEF is using for the selected Date/Time field. IEF attempts to select this for you automatically during the search, but you can change it if needed.
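To make the column mapping and date-format selection described above concrete, here is an added example (not IEF's patent-pending process and not Magnet Forensics code): a simple heuristic an examiner could use to sanity-check a recommended mapping against an unknown chat database. It assumes the database is SQLite; the table and column names, the sample rows, and the 2005 to 2035 plausibility window are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

FORMATS = {  # name: (divisor to get seconds, offset of epoch from 1970-01-01)
    "unix_seconds": (1, 0),
    "unix_milliseconds": (1000, 0),
    "mac_absolute_seconds": (1, 978307200),  # seconds since 2001-01-01 UTC
}
# Assumed window of plausible message dates, as Unix timestamps.
LOW, HIGH = (datetime(y, 1, 1, tzinfo=timezone.utc).timestamp() for y in (2005, 2035))

def guess_date_format(values):
    """Return the first candidate format under which every value falls in the window."""
    for name, (div, offset) in FORMATS.items():
        if values and all(LOW <= v / div + offset <= HIGH for v in values):
            return name
    return None

def map_columns(conn, table):
    """Heuristically map a table's columns to sender / message / date_time."""
    cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
    rows = conn.execute(f'SELECT * FROM "{table}"').fetchall()
    mapping, text_cols = {}, {}
    for i, col in enumerate(cols):
        vals = [r[i] for r in rows if r[i] is not None]
        if vals and all(isinstance(v, (int, float)) for v in vals):
            fmt = guess_date_format(vals)
            if fmt:
                mapping.setdefault("date_time", (col, fmt))
        elif vals and all(isinstance(v, str) for v in vals):
            avg_len = sum(map(len, vals)) / len(vals)
            text_cols[col] = (avg_len, len(set(vals)))
    if text_cols:
        # Message body: longest text on average. Sender: fewest distinct values.
        msg = max(text_cols, key=lambda c: text_cols[c][0])
        mapping["message"] = msg
        rest = {c: v for c, v in text_cols.items() if c != msg}
        if rest:
            mapping["sender"] = min(rest, key=lambda c: rest[c][1])
    return mapping

def demo():
    # Constructed sample: hypothetical table and column names, made-up rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zmsg (pk INTEGER, zfrom TEXT, zbody TEXT, zts REAL, zstate INTEGER)")
    conn.executemany("INSERT INTO zmsg VALUES (?,?,?,?,?)", [
        (1, "alice", "are you still coming over tonight?", 402500000.0, 2),
        (2, "bob", "yes, leaving in ten minutes", 402500060.5, 2),
        (3, "alice", "ok, bring the charger please", 402500121.0, 1)])
    return map_columns(conn, "zmsg")
```

The same raw number decodes to dates decades apart under different epochs, which is why a wrong Date Format choice shows up as timestamps far outside the device's period of use.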

Once you are satisfied with the mapping assignments, clicking “Add checked artifacts and finish” will pull data from all the checked apps into your case file, under a “Dynamic App Finder” category. The name and field mappings for the newly discovered apps will be saved into an IEF database for use in your future searches: if those same apps/databases are found in subsequent searches, they will automatically be added into your case file without requiring your confirmation (only apps that you added to your case file are saved).

If you do not wish to add any of these apps into your case file, click the “Finish without adding these artifacts” button and no action will be taken, and nothing will be saved into the IEF Dynamic App Finder database.

If you wish to remove or modify the saved app mappings, start IEF and go to the Tools menu, then click “Manage Dynamic App Finder Settings”. You’ll get a screen similar to the one below where you can modify or remove entries for saved apps.

[Screenshot: IEF Dynamic App Finder]

In the future, we plan on establishing a way for IEF users to share app mappings for apps they have discovered using the Dynamic App Finder with other IEF users. The intention is to build a vast database of apps/mappings available to all IEF users, potentially adding support for thousands of apps.

We’d love to hear your feedback on this new feature as we realize it is different from what you are used to seeing in IEF. This is the first release of the Dynamic App Finder and we look forward to improving it and making it smarter and more useful to you in your investigations. Please don’t hesitate to contact us with your feedback, good and bad.

Other new key features in IEF v6.2 include the following:

  • YAFFS2 file system support (for Android images)
  • Full Ares support (now recovering shared/downloaded file information as well as search keywords)
  • Ability to merge two cases into one (combine data from other sources into an IEF case or multiple IEF cases)
  • Chat threading visualization for WhatsApp and Skype (including stylized exports)
  • AVI carving
  • Log2timeline support in IEF Timeline
  • Ability to filter based on evidence numbers (view only data from specific evidence items that were searched)

We will be providing more details on these features in the next few weeks so please stay tuned! To download v6.2, please use the auto-update feature in IEF or download from our Customer Portal. 

I would like to extend a big thank you to our customers and supporters for joining us in our mission to help you find more data, make sense of it, and use it to find the truth in a way that really impacts people’s lives.

A big thank you also goes out to the Magnet Forensics team for all their hard work that is put into every release of our software. Thanks to them we have been able to do so much more for our users than I was able to on my own back in the JADsoftware days. 🙂

As always, please continue to reach out to us with any feature requests, concerns, issues, and success stories—nothing makes our day more than the success stories from the trenches that you send us!

All the best,
Jad and the Magnet Forensics team