IEF Web History Issue - Feedback Wanted


IEF Web History Issue - Feedback Wanted

Post Posted: Thu Jul 24, 2014 9:02 am

Hi All

I have found what I consider to be a flaw in IEF. I wanted to ask the community:

1) Were you aware of this 'feature'?
2) Do you see it as an issue?

I was examining a job involving Google Chrome (from later testing it is also a problem with Firefox). I was dual tooling by extracting live history from the HISTORY database using SQL as well as running IEF. I soon noted that IEF was displaying 10,000 live history records while my manual SQL queries of LIVE data were finding over 30,000. To cut a long story short - it appears that IEF joins the visits and urls tables but only displays the FIRST visit to a site which has been visited multiple times, along with the hit count.

Therefore, if a user has visited sites which have the same URLS record but multiple visits then IEF is only displaying the FIRST visit.

From my point of view this is a major issue and is not a true reflection of the Internet History.

Why Is This An Issue

I have a job with many 1000s of Internet searches for child abuse keywords. Due to case circumstances I was required to review the Internet History in an attempt to locate potential identifying information (E-Mail logins, Facebook use etc) in close proximity to child abuse searches. Therefore, only displaying one visit for sites which have been visited many times gives a false timeline representation of the true Internet history.

I can't see any valid reason why IEF needs to do this. To me it is misrepresenting the history, or at the least giving a misleading representation. Our office is unanimous that this is a problem.

What are people's thoughts?

I have put an IEF support ticket in but it seems that this is an intentional 'feature'. The reply:

Ticket #3311: Chrome Web History

Your request (#3311) has been updated. Reply to this email or click the link below:




--------------------------------------------------------------------------------

Support, Jul 23 16:43:
Hi Dan,

Thank you for contacting us with your inquiry. Currently IEF will join information from the "visits" and "urls" table to populate the information displayed in Report Viewer. Where the record should show the Date Visited Date/Time - The Date and Time the URL was first visited, visit count, Last Visited Date/Time etc IEF does not show every hit found in the "visits" table.

May I ask if this not showing every hit found in the visits table is the "fault" which you are referring to? We do hope to overcome this by showing the visit count, and by having displayed that the information has been recovered from the tables indicated with the Source and Located at columns that the investigator can find the unique visit counts if required.

Or is it rather that you are experiencing IEF is incorrectly displaying the visit count, which should be what is parsed from the "urls" table?

As you have also indicated you are currently using IEF v6.4.0, we would like to let you know that IEF v6.4.1 is available and can be downloaded from www.magnetforensics.com/downloadief

Kind regards,


Regards

Dan, LE Organisation  

dan0841
Senior Member
 
 
  

Re: IEF Web History Issue - Feedback Wanted

Post Posted: Thu Jul 24, 2014 10:36 am

Reading your post a couple of times, I don't see how IEF is "misrepresenting" the information you have available, although I do agree that it might possibly be open to misinterpretation to someone who really doesn't know what they're doing.

I can see how the output doesn't meet your needs.

Based on the response to your ticket it appears to me that the developers do not clearly understand your needs, what it is you're trying to show.

My suggestion would be to either go back to them and see if you can have a conversation with them that will lead to a solution, and if not, then vote with your wallet.  

keydet89
Senior Member
 
 
  

Re: IEF Web History Issue - Feedback Wanted

Post Posted: Thu Jul 24, 2014 11:07 am

Thanks for the reply

- keydet89
Reading your post a couple of times, I don't see how IEF is "misrepresenting" the information you have available, although I do agree that it might possibly be open to misinterpretation to someone who really doesn't know what they're doing.


Maybe misrepresenting the information was the wrong choice of words. The data is not wrong but for me it is an unnecessary omission, and one which I know (unfortunately) will not be understood by many people who read and review IEF reports.

I agree with the last part of your statement. Unfortunately, there are many organisations (certainly in the UK) that just 'dump' IEF reports out for non-technical investigators to review. Clearly this is not IEF's fault but is more of a problem with the way that organisations interact.

- keydet89

Based on the response to your ticket it appears to me that the developers do not clearly understand your needs, what it is you're trying to show.

My suggestion would be to either go back to them and see if you can have a conversation with them that will lead to a solution, and if not, then vote with your wallet.


I still think that IEF is a great and useful tool so I wouldn't want to stop using it. One of many... However, having seen how some organisations in the UK handle forensic/investigation workflow I have no doubt in my mind that this will be misinterpreted by some. This is clearly a problem with the methods but nevertheless it is still the reality.

I'm not sure why they would not want to include all individual visits? Maybe to keep down the database size?

I had already replied to their support. I have always found them to be pretty good at handling issues.

Cheers

Dan  

dan0841
Senior Member
 
 
  

Re: IEF Web History Issue - Feedback Wanted

Post Posted: Thu Jul 24, 2014 11:54 am

Unfortunately, there are many organisations (certainly in the UK) that just 'dump' IEF reports out for non-technical investigators to review.

Like you said, this is not IEF's fault...this is the fault of the investigators, and Magnet Software is simply trying to serve the needs of their clients, as they understand them. For me, it's always been incumbent upon the investigator to select the correct tool, based on the goals of the examination, available data, etc. Unfortunately, much of what I see is letting the tool drive the examination.

...having seen how some organisations in the UK handle forensic/investigation workflow I have no doubt in my mind that this will be misinterpreted by some.

I would agree, replacing "some" with "many". Unfortunately, the same thing is very true here in the US. Combined with a lack of understanding of the data itself, the issues of displaying results simply compound the problem.

I'm not sure why they would not want to include all individual visits? Maybe to keep down the database size?

Is it a matter of "including" in the sense of the data set, or the display?  

keydet89
Senior Member
 
 
  

Re: IEF Web History Issue - Feedback Wanted

Post Posted: Thu Jul 24, 2014 1:08 pm

- keydet89
Unfortunately, there are many organisations (certainly in the UK) that just 'dump' IEF reports out for non-technical investigators to review.


I'm not sure why they would not want to include all individual visits? Maybe to keep down the database size?

Is it a matter of "including" in the sense of the data set, or the display?


In both senses. It is not included in either their data set or their display. Their data set is an SQLite database with a table for each artefact. Because the WebHistory is extracted from multiple tables (e.g., in Chrome - URLS / VISITS), when IEF is run the program (IEF) then collates the data from these two tables into a single table within the IEF database. The viewer program then displays the data from this database and adds searching/bookmarking functionality etc.

The only way to view all of the individual visits (as far as I can see!) is to use another tool or manually pull it out using SQL.

The SQL solution was better for me because I could combine it with the results from WebData database and downloads to get a more comprehensive timeline.

Cheers

Dan  

dan0841
Senior Member
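
The difference discussed in this thread, as an added example that is not part of any post and is not IEF's own logic: a per-visit join of the `visits` and `urls` tables beside a view that keeps only the first visit per URL. The in-memory database uses a reduced subset of the Chrome History columns; the URLs, timestamps and the `FIRST_VISIT_ONLY` query (an approximation of the collapsed view the posts describe) are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
US = timedelta(microseconds=1)

def webkit_to_utc(value):
    """visits.visit_time is microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + value * US

def build_sample_history():
    """Constructed data using a reduced subset of the History columns."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    db.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://search.example/?q=term", 3),
        (2, "https://mail.example/login", 1)])
    day = datetime(2014, 7, 20, tzinfo=timezone.utc)
    # (url id, minutes after midnight): search, search, login, search
    for url_id, minute in [(1, 600), (1, 900), (2, 902), (1, 1200)]:
        stamp = (day + timedelta(minutes=minute) - WEBKIT_EPOCH) // US
        db.execute("INSERT INTO visits (url, visit_time) VALUES (?, ?)",
                   (url_id, stamp))
    return db

# One row per visit: the full timeline.
ALL_VISITS = """
    SELECT v.visit_time, u.url, u.visit_count
    FROM visits v JOIN urls u ON u.id = v.url
    ORDER BY v.visit_time"""

# One row per URL, keeping only its earliest visit: the collapsed view.
FIRST_VISIT_ONLY = """
    SELECT MIN(v.visit_time), u.url, u.visit_count
    FROM visits v JOIN urls u ON u.id = v.url
    GROUP BY u.id
    ORDER BY MIN(v.visit_time)"""

def timeline(db, query):
    """Run a query and return (HH:MM, url, visit_count) rows in time order."""
    return [(webkit_to_utc(t).strftime("%H:%M"), url, count)
            for t, url, count in db.execute(query)]

if __name__ == "__main__":
    db = build_sample_history()
    for name, query in (("all visits", ALL_VISITS), ("first only", FIRST_VISIT_ONLY)):
        print(name, *timeline(db, query), sep="\n  ")
```

In the full timeline the login sits two minutes after a search; in the collapsed view the nearest search shown is five hours earlier, and only the visit count hints that other visits exist.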
 
 
  

Re: IEF Web History Issue - Feedback Wanted

Post Posted: Fri Jul 25, 2014 5:35 am

I completely agree with dan0841. I don’t care whether it is called “misrepresentation by omission” or not. It is failing to display very useful information that is available to it (the intervening visit dates are in the databases it’s querying & are useful).

Since one has to do the SQL on the tables anyway (& merge autofill too obviously to get the detailed, useful history including references to personal information that may help identify the user), then the live data for Chrome visits/urls in IEF is just extraneous “noise” that subsequently needs to be weeded out & thrown away.

I don’t intend to walk away from IEF either. I find it very useful in carving deleted, possibly incomplete, possibly partially overwritten records from the various places it does. Merging that with the detailed live history I’ve got for myself, cleansing & de-duplicating the end result works for me.

Surely a more sensible approach than walking away is to get a few people to explain to IEF what they are missing & then the tool will be improved even further?

Keydet89 clearly understands the issue & I bet JAD does too. Hopefully it will come to the latter’s attention & he can explain it to the development & support staff.

In the meantime, a big health warning for the unsuspecting in the help file wouldn’t go amiss.  

dd1234
Newbie
 
 
  

Re: IEF Web History Issue - Feedback Wanted

Post Posted: Fri Jul 25, 2014 6:46 am

Jesus, you're right. Thanks for pointing this out - it changes things somewhat significantly for us. And it makes the "timeline" feature a bit of a joke.

I wonder if it would be possible to get an option in a future release to extract the complete info?

EDIT:

Also, if it does this with IE10+, it is an even bigger problem - as I'm not sure I have any other tool which parses webcache.  

Chris_Ed
Senior Member
 
 

Page 1 of 2