In my last blog post, I delved into some of the new features/artifacts included in v5.7 of IEF (released last month). This time, I’d like to tell you about what we’re doing with pictures and videos and a backup service called Carbonite.
Pictures & Video
In IEF v5.7 we now search for and carve picture files (.jpg, .jpeg, .jpe, .png, .bmp, .gif, .ico, .tif, .tiff). We’ll also carve pictures out of thumbs.db and thumbcache_*.db files. Beyond just recovering the pictures, we’ve also added some features to help you filter results and zero in on the relevant items. You can filter based on the amount of skin tone detected, and on whether a face and/or breasts were detected in the picture.
With videos, we currently look for files with extensions .wmv, .mp4, .mov, .avi, .mkv, .divx, .3pg, .mpg, .mpeg, and then pull key frames out of the video and allow you to utilize the same filtering tools we provide for pictures. In the future, we’ll be adding the option to carve videos as well.
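Picture carving of the kind described above can be illustrated for one format, PNG. The following is an added example, not IEF's code or method: it finds PNG signatures in a raw buffer, then walks the chunk structure and verifies each CRC so that stray signatures and truncated files are rejected. The function names and the sample buffer are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def make_png(width=1, height=1):
    """Build a minimal valid 8-bit grayscale PNG (constructed sample input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"\x00" * width) * height  # filter byte + pixels per row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def _walk_chunks(blob, p):
    """Follow length/type/data/CRC chunks; return offset just past IEND, or None."""
    if blob[p + 4:p + 8] != b"IHDR":
        return None  # a real PNG always starts with IHDR
    while p + 12 <= len(blob):
        (length,) = struct.unpack_from(">I", blob, p)
        ctype = blob[p + 4:p + 8]
        data_end = p + 8 + length
        if data_end + 4 > len(blob):
            return None  # chunk runs past the end of the buffer: truncated
        (crc,) = struct.unpack_from(">I", blob, data_end)
        if zlib.crc32(blob[p + 4:data_end]) != crc:
            return None  # corrupted or overwritten data
        p = data_end + 4
        if ctype == b"IEND":
            return p
    return None

def carve_pngs(blob):
    """Return [(offset, png_bytes)] for every structurally valid PNG in blob."""
    found, pos = [], blob.find(PNG_SIG)
    while pos != -1:
        end = _walk_chunks(blob, pos + len(PNG_SIG))
        if end is None:
            pos = blob.find(PNG_SIG, pos + 1)  # false hit, keep scanning
        else:
            found.append((pos, blob[pos:end]))
            pos = blob.find(PNG_SIG, end)
    return found

def sample_blob():
    """Constructed buffer: padding, a PNG, a stray signature, a truncated PNG, a PNG."""
    a, b = make_png(2, 2), make_png(3, 1)
    return b"\x00" * 37 + a + b"slack" + PNG_SIG + b"garbage" + b[:-6] + b"\xff" * 20 + b
```

Calling `carve_pngs(sample_blob())` returns only the two intact images with their offsets; the stray signature and the truncated copy fail chunk validation.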
On to online backup, an addition to our cloud artifact support. Carbonite is a cloud-based backup service that runs in the background and automatically updates/uploads files as they are modified or created. (It’s also a metal alloy that was made from carbon, mixed with tibanna gas, compressed, and flash-frozen into blocks for transport and used to freeze the body of Han Solo in Star Wars: The Empire Strikes Back…that’s not the Carbonite we’re talking about today though.) 🙂
An interesting feature of Carbonite is that all data is encrypted using 128-bit Blowfish encryption on the local machine before being sent to Carbonite’s servers over an SSL connection. Because of this additional protection, it’s possible some people will feel comfortable using Carbonite to back up files that are of a not-so-legal nature.
Another nice feature of Carbonite, this time for forensic examiners, is a log file that lists (amongst a lot of other diagnostic info) files that have been uploaded or updated. This log file is stored in the [root]\ProgramData\Carbonite\Carbonite Backup folder (on Windows 7/Vista) in a file named, you guessed it, Carbonite.log.
IEF v5.7 will carve these file sync records from this log file and from unallocated clusters, the pagefile/hiberfil.sys files, live RAM captures, and other areas. These artifacts can give you some insight into which files were backed up, which is especially important if they have since been deleted.
That’s all for this post…hope you found it useful! And if you got here via a Google search for something Star Wars related, sorry about that. 🙂
Stay tuned for next week’s post when we unveil a really cool new (and free!) tool.
Have a great week!