Sunday, April 10, 2011

IEF - great new updates including Gigatribe Chat!

Being a user of IEF since near its inception, I have seen the product grow from an "add on" tool to one that should almost be considered one of our primary forensic toolsets. Jad has added some new features, one of which will be critical in our own lab: a tool which Jad claims is the first to extract deleted Gigatribe Chat messages (although I know there is a parser tool called Gigaview over at QCC). We have noticed a significant increase in the use of Gigatribe, as evidenced by many CP investigations, and welcome any additional tools to assist in investigating it. I also note that he has expanded the capability of recovering deleted chat messages from RAM dumps, unallocated space and file slack. Despite a lot of work being done in the last few years in the area of Windows RAM acquisition and analysis, why do I feel there is still much more to be discovered?

Other improvements to IEF (from his site) include:
  • Gigatribe chat now supported (in Standard and Portable editions)
  • Facebook Email search improved
  • Firefox formhistory.sqlite search improved
  • Unicode support added for Facebook Email, Snippets, and Wall Posts / Status Updates (Unicode is converted to the appropriate HTML code)
  • Minor user interface bugs in IEF/Report Viewer fixed

For those still using the v3.x versions, it's definitely worth considering the jump over to v4.1. From my point of view, the practice of digital forensics is very time-consuming and methodical. If there is a tool which is reliable and can speed up several facets of my investigation, it is worthy of consideration. My thoughts...