Internet Evidence F...
 
Notifications
Clear all

Internet Evidence Finder (IEF) and CyberLink .7z files

10 Posts
6 Users
0 Likes
1,368 Views
(@chris55728)
Posts: 49
Eminent Member
Topic starter
 

For those of you that use IEF, I'm not sure whether you're aware of a current issue regarding what appear to be 7-Zip files associated with CyberLink products.

I'm running the latest version of IEF (6.9.0.5983) across an EnCase image which grinds to an almost complete standstill when it hits .7z files associated with CyberLink. I currently have a 'Data1.7z' file (located in the \SWSetup\APP\Applications\CyberLink\CyberLink_LLUBB2\12.0.6.4925\src' directory) that is causing the problem. I've got 6 of 8 cores available but usually only 1 or 2 are actually in use which again seems to be a problem with the way that IEF is processing the file. If I use 7-Zip to open the file separately, this works without any problem at all.

I logged a call with Magnet Support and have received a reply (on 05/06/2017) stating that the development team is already working on the issue and as soon as there was an update they would be in touch so there's clearly some sort of issue.

My next step is to step backwards through previous releases of IEF to see if/when this problem was introduced.

It would be interesting to hear whether other individuals have also encountered this problem and what, if anything, they've managed to do to get around it.

Cheers,

Chris

 
Posted : 12/06/2017 4:38 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Someone from my office had experienced this issue. Today, after waiting about 7 days, he finally cancelled IEF, restarted the computer and attempted to run it again. With your update he has decided to cancel it altogether and await an update from Magnet.

Thanks

 
Posted : 12/06/2017 5:28 pm
(@chris55728)
Posts: 49
Eminent Member
Topic starter
 

Just done a bit of testing with previous versions of IEF.

Exported 15 x .7z files from a forensic image I have, including the 'Data1.7z' that was causing grief, and ran older versions of IEF across just those files with the following results

v6.8.8.5013 - completed in 1m 17secs (all available cores utilised)
v6.8.9.5711 - completed in 1m 17secs (all available cores utilised)
v6.8.9.5774 - completed in 1m 17secs (all available cores utilised)
v6.9.0.5983 - still running, no idea when/if it's going to finish, only one or 2 of the available cores utilised

I've also checked the release notes for v6.9.0 and one of the new features is "Magnet IEF now supports searching of compressed .7z files."

The above is true as more artefacts have been recovered thus far in v6.9.0 than in previous versions.

There's obviously some sort of issue with the way that IEF uncompresses the .7z files that slows things down to such an extent that it's unusable.

The only alternative until Magnet get their act together and release an update that either fixes the problem or removes the compressed .7z support is to go back to the previous version (6.8.9.5774).

The only updates from v6.8.9.5774 to v6.9.0.5983 are as follows

New features
• Skype for Windows This release includes message and date carving updates to support
Skype version 7.33 for Windows.
• Magnet IEF now supports searching of compressed .7z files.
• iOS iMessage/SMS/MMS This release includes iMessage/SMS/MMS carving updates for iOS 10.
Fixed issues
• Certain email messages were incorrectly displayed as hits for both EML(X) Files and MBOX Emails.
• Windows Network Profiles Incorrect information displayed for the last connected date

If you can live without the above then v6.8.9.5774 is the way to go at present.

Cheers,

Chris

 
Posted : 13/06/2017 12:45 pm
(@mcman)
Posts: 189
Estimable Member
 

Hey guys,

Thanks for the heads up and sorry for the problems with 7z. We just added support for 7z in IEF 6.9 and AXIOM 1.1.1 (our latest releases). It looks like if there's a ton of 7z files (or a certain type of 7z) in the image, it's grinding to a halt (basically it hits a timeout threshold for each of them making the search take forever).

We're working on a fix for it to add in our next release so it should be fixed soon but if you're coming across this, I would do as Chris mentions and run the last version (IEF 6.8.9 or AXIOM 1.1.1). It isn't happening for all 7z files but certain types seem to be jamming everything up.

Thanks again for the heads up and feel free to reach out if you have any questions.

Jamie McQuaid
Magnet Forensics

 
Posted : 13/06/2017 6:11 pm
BraindeadVirtually
(@braindeadvirtually)
Posts: 115
Estimable Member
 

I just saw this in the EnCase 8.05 Release Notes

Known Limitations found in Version 8.04
FOR-6647 Parsed 7-Zip files do not display physical size, initialized size, or file extents. Instead, they display the default value of 0.

Coincidence?

 
Posted : 13/06/2017 8:09 pm
(@mcman)
Posts: 189
Estimable Member
 

I just saw this in the EnCase 8.05 Release Notes

Known Limitations found in Version 8.04
FOR-6647 Parsed 7-Zip files do not display physical size, initialized size, or file extents. Instead, they display the default value of 0.

Coincidence?

Interesting but definitely coincidence, we weren't working with them on anything related to 7zip. I'll pass the info to our devs though as maybe we're both doing something wrong to get a similar problem. I'm pretty sure they know the issue already, it just takes a bit of time to build and test the fix to make sure it works.

 
Posted : 13/06/2017 8:46 pm
pcstopper18
(@pcstopper18)
Posts: 60
Trusted Member
 

I want to say to all that this is one of the most helpful exchanges I have seen in a while. I use IEF regularly and have not had any issues with their support team. Having said that, this exchange is great example of teaming to solve an issue and alert everyone without overblowing things on anyone's part

Here is the issue I found and what I've done to check it out. Does anyone have it?
Yeah I do, does the vendor know?
Yes we know, here is what we are doing about it.
Good to know. Here's a work around.

And this, in my opinion is how things should work. )

Thanks all!

 
Posted : 14/06/2017 8:34 pm
(@chris55728)
Posts: 49
Eminent Member
Topic starter
 

A new version of IEF (6.9.1.6423) was released on 22nd June.

I've checked it with .7z files I had that caused problems with the previous version and it appears that the latest version has fixed the problem.

I've also had this confirmed by Magnet support , "…our development team made some significant changes to the way in which 7-Zip files are processed and this is included in the latest release."

The only odd thing is that there's no mention of it in the change log for v6.9.1.

Cheers,

Chris

 
Posted : 29/06/2017 1:55 pm
(@deltron)
Posts: 125
Estimable Member
 

Just experienced this last week, will update IEF and hope it helps.

 
Posted : 29/06/2017 5:42 pm
(@mcman)
Posts: 189
Estimable Member
 

Glad to hear it worked Chris. I'll check with the docs team to see why it was left out of the change log…

Let us know if you come across anything else.

Jamie

 
Posted : 29/06/2017 8:27 pm
Share: