IEF Web History Issue - Feedback Wanted

(@dan0841)
Posts: 91
Trusted Member
Topic starter
 

Hi All

I have found what I consider to be a flaw in IEF. I wanted to ask the community

1) Were you aware of this 'feature'?
2) Do you see it as an issue?

I was examining a job involving Google Chrome (from later testing it is also a problem with Firefox). I was dual tooling by extracting live history from the HISTORY database using SQL as well as running IEF. I soon noted that IEF was displaying 10,000 live history records while my manual SQL queries of LIVE data were finding over 30,000. To cut a long story short, it appears that IEF joins the visits and urls tables but only displays the FIRST visit to a site which has been visited multiple times, along with the hit count.

Therefore, if a user has visited sites which have the same URLS record but multiple visits then IEF is only displaying the FIRST visit.

From my point of view this is a major issue and is not a true reflection of the Internet History.

Why Is This An Issue

I have a job with many 1000s of Internet searches for child abuse keywords. Due to case circumstances I was required to review the Internet History in an attempt to locate potential identifying information (e-mail logins, Facebook use etc.) in close proximity to child abuse searches. Therefore, only displaying one visit for sites which have been visited many times gives a false timeline representation of the true Internet history.

I can't see any valid reason why IEF needs to do this. To me it is misrepresenting the history, or at the least giving a misleading representation. Our office is unanimous that this is a problem.

What are people's thoughts?

I have put an IEF support ticket in but it seems that this is an intentional 'feature'. The reply

Ticket #3311 Chrome Web History

Your request (#3311) has been updated. Reply to this email or click the link below

----------------------------------------

Support, Jul 23 1643
Hi Dan,

Thank you for contacting us with your inquiry. Currently IEF will join information from the "visits" and "urls" table to populate the information displayed in Report Viewer. Where the record should show the Date Visited Date/Time - The Date and Time the URL was first visited, visit count, Last Visited Date/Time etc IEF does not show every hit found in the "visits" table.

May I ask if this not showing every hit found in the visits table is the "fault" which you are referring to? We do hope to overcome this by showing the visit count, and by having displayed that the information has been recovered from the tables indicated with the Source and Located at columns that the investigator can find the unique visit counts if required.

Or is it rather that you are experiencing IEF is incorrectly displaying the visit count, which should be what is parsed from the "urls" table?

As you have also indicated you are currently using IEF v6.4.0, we would like to let you know that IEF v6.4.1 is available and can be downloaded from http://www.magnetforensics.com/downloadief

Kind regards,

Regards

Dan, LE Organisation

 
Posted : 24/07/2014 3:02 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Reading your post a couple of times, I don't see how IEF is "misrepresenting" the information you have available, although I do agree that it might possibly be open to misinterpretation to someone who really doesn't know what they're doing.

I can see how the output doesn't meet your needs.

Based on the response to your ticket it appears to me that the developers do not clearly understand your needs, what it is you're trying to show.

My suggestion would be to either go back to them and see if you can have a conversation with them that will lead to a solution, and if not, then vote with your wallet.

 
Posted : 24/07/2014 4:36 pm
(@dan0841)
Posts: 91
Trusted Member
Topic starter
 

Thanks for the reply

Reading your post a couple of times, I don't see how IEF is "misrepresenting" the information you have available, although I do agree that it might possibly be open to misinterpretation to someone who really doesn't know what they're doing.

Maybe misrepresenting the information was the wrong choice of words. The data is not wrong but for me it is an unnecessary omission, and one which I know (unfortunately) will not be understood by many people who read and review IEF reports.

I agree with the last part of your statement. Unfortunately, there are many organisations (certainly in the UK) that just 'dump' IEF reports out for non-technical investigators to review. Clearly this is not IEFs fault but is more of a problem with the way that organisations interact.

Based on the response to your ticket it appears to me that the developers do not clearly understand your needs, what it is you're trying to show.

My suggestion would be to either go back to them and see if you can have a conversation with them that will lead to a solution, and if not, then vote with your wallet.

I still think that IEF is a great and useful tool so I wouldn't want to stop using it. One of many... However, having seen how some organisations in the UK handle forensic/investigation workflow I have no doubt in my mind that this will be misinterpreted by some. This is clearly a problem with the methods but nevertheless it is still the reality.

I'm not sure why they would not want to include all individual visits? Maybe to keep down the database size?

I had already replied to their support. I have always found them to be pretty good at handling issues.

Cheers

Dan

 
Posted : 24/07/2014 5:07 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Unfortunately, there are many organisations (certainly in the UK) that just 'dump' IEF reports out for non-technical investigators to review.

Like you said, this is not IEF's fault…this is the fault of the investigators, and Magnet Software is simply trying to serve the needs of their clients, as they understand them. For me, it's always been incumbent upon the investigator to select the correct tool, based on the goals of the examination, available data, etc. Unfortunately, much of what I see is letting the tool drive the examination.

…having seen how some organisations in the UK handle forensic/investigation workflow I have no doubt in my mind that this will be misinterpreted by some.

I would agree, replacing "some" with "many". Unfortunately, the same thing is very true here in the US. Combined with a lack of understanding of the data itself, the issues of displaying results simply compound the problem.

I'm not sure why they would not want to include all individual visits? Maybe to keep down the database size?

Is it a matter of "including" in the sense of the data set, or the display?

 
Posted : 24/07/2014 5:54 pm
(@dan0841)
Posts: 91
Trusted Member
Topic starter
 

Unfortunately, there are many organisations (certainly in the UK) that just 'dump' IEF reports out for non-technical investigators to review.

I'm not sure why they would not want to include all individual visits? Maybe to keep down the database size?

Is it a matter of "including" in the sense of the data set, or the display?

In both senses. It is not included in either their data set or their display. Their data set is an SQLite database with a table for each artefact. Because the WebHistory is extracted from multiple tables (e.g., in Chrome, URLS / VISITS), when IEF is run the program (IEF) then collates the data from these two tables into a single table within the IEF database. The viewer program then displays the data from this database and adds searching/bookmarking functionality etc.

The only way to view all of the individual visits (as far as I can see!) is to use another tool or manually pull it out using SQL.

The SQL solution was better for me because I could combine it with the results from WebData database and downloads to get a more comprehensive timeline.

Cheers

Dan

 
Posted : 24/07/2014 7:08 pm
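The urls/visits join Dan describes, written out as an added example (not code from the thread, from IEF or from Magnet): a constructed in-memory Chrome-style History database, with the consolidated one-row-per-URL query beside the one-row-per-visit query that keeps the intervening login on the timeline. The two tables use a subset of Chrome's real column names; the URLs and timestamps are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores visit_time / last_visit_time as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()

def build_sample_db():
    """Constructed in-memory stand-in for a Chrome History file: one search URL
    visited three times, with an unrelated login visit in between."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER, transition INTEGER);
    """)
    t0 = 13_000_000_000_000_000          # constructed: 2012-12-14 23:06:40 UTC
    hour = 3_600_000_000                 # one hour in microseconds
    db.execute("INSERT INTO urls VALUES (1, 'https://search.example.test/?q=term', 'term', 3, ?)",
               (t0 + 2 * hour,))
    db.execute("INSERT INTO urls VALUES (2, 'https://mail.example.test/login', 'login', 1, ?)",
               (t0 + hour,))
    db.executemany("INSERT INTO visits VALUES (?, ?, ?, 0, 0)", [
        (1, 1, t0), (2, 2, t0 + hour), (3, 1, t0 + hour + 60_000_000), (4, 1, t0 + 2 * hour)])
    db.commit()
    return db

def collapsed_history(db):
    """One row per URL (first visit, visit_count, last visit): the consolidated
    view discussed in the thread. The two later visits to the search URL vanish."""
    rows = db.execute("""
        SELECT u.url, u.visit_count, MIN(v.visit_time), u.last_visit_time
        FROM urls u JOIN visits v ON v.url = u.id
        GROUP BY u.id ORDER BY MIN(v.visit_time)""").fetchall()
    return [(url, n, webkit_to_utc(first), webkit_to_utc(last)) for url, n, first, last in rows]

def every_visit(db):
    """One row per visit, ordered by time: the full timeline an examiner needs
    to see what sat in close proximity to a given search."""
    rows = db.execute("""
        SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time, v.id""").fetchall()
    return [(webkit_to_utc(t), url) for t, url in rows]

if __name__ == "__main__":
    db = build_sample_db()
    print(len(collapsed_history(db)), "collapsed rows vs", len(every_visit(db)), "visits")
    for row in every_visit(db):
        print(*row)
```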
(@dd1234)
Posts: 6
Active Member
 

I completely agree with dan0841. I don’t care whether it is called “misrepresentation by omission” or not. It is failing to display very useful information that is available to it (the intervening visit dates are in the databases it’s querying & are useful).

Since one has to do the SQL on the tables anyway (& merge autofill too obviously to get the detailed, useful history including references to personal information that may help identify the user), then the live data for Chrome visits/urls in IEF is just extraneous “noise” that subsequently needs to be weeded out & thrown away.

I don’t intend to walk away from IEF either. I find it very useful in carving deleted, possibly incomplete, possibly partially overwritten records from the various places it does. Merging that with the detailed live history I’ve got for myself, cleansing & de-duplicating the end result works for me.

Surely a more sensible approach than walking away is to get a few people to explain to IEF what they are missing & then the tool will be improved even further?

Keydet89 clearly understands the issue & I bet JAD does too. Hopefully it will come to the latter’s attention & he can explain it to the development & support staff.

In the meantime, a big health warning for the unsuspecting in the help file wouldn’t go amiss.

 
Posted : 25/07/2014 11:35 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Jesus, you're right. Thanks for pointing this out - it changes things somewhat significantly for us. And it makes the "timeline" feature a bit of a joke.

I wonder if it would be possible to get an option in a future release to extract the complete info?

EDIT

Also, if it does this with IE10+, it is an even bigger problem - as I'm not sure I have any other tool which parses webcache.

 
Posted : 25/07/2014 12:46 pm
(@dd1234)
Posts: 6
Active Member
 

Chris_Ed:
Also, if it does this with IE10+, it is an even bigger problem - as I'm not sure I have any other tool which parses webcache.

For IE11 history you can open the WebcacheV01.dat file (WebcacheV24.dat for IE10?) with ESEDatabaseView which is free from nirsoft

http://www.nirsoft.net/utils/ese_database_view.html

Start at the table called Container_14 for visits & work your way outwards. I got that hint from IEF - so it's not all bad news :D

There are also a few words on other IE10-11 artefacts here

http://computerforensics.champlain.edu/blog-tags/windows

Sorry, can't be more help as I'm just starting to work my way through this too & obviously needs some testing.

I've got Chrome, Firefox & IE11 all being used at the same time. I can guarantee that IEF's implementation for Firefox suffers from the same flaw as it does for Chrome. I can't say anything about how it handles IE11 yet.

 
Posted : 25/07/2014 3:50 pm
pcstopper18
(@pcstopper18)
Posts: 60
Trusted Member
 

Ditto on the use of ESEDatabaseView from Nirsoft.

It is always good practice to be able to use multiple tools or individual artifact parsers to parse information when something doesn't look right or to just confirm what one is seeing.

 
Posted : 25/07/2014 6:36 pm
MagnetForensics
(@magnetforensics)
Posts: 40
Eminent Member
 

Hi everyone,

Thanks for bringing this to our/my attention. While our approach has been to consolidate the web history for better/easier viewing, I completely see your points on the importance of seeing every individual visit, especially for the purposes of timelining user activity.

I do agree with Harlan that some may want to see the current view we provide while some may want to see more granularity, so what we plan to do is keep the current Chrome/Firefox Web History artifact as is, but add another for each browser called Chrome Web Visits, or Firefox Web Visits, that provide detail on every visit. I believe this provides the best of both worlds.

We’ll get this update out ASAP, certainly in the next few weeks. If you need more specifics please contact me offline.

This situation does not apply to IE/IE10-11 since they use a different database schema/storage mechanism.

Best regards,
Jad

 
Posted : 25/07/2014 8:53 pm