homepage
Open menu Go one level top
  • Train and Certify
    • Get Started in Cyber
    • Courses & Certifications
    • Training Roadmap
    • Search For Training
    • Online Training
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • NICE Framework
    • DoDD 8140
    • Specials
  • Manage Your Team
    • Overview
    • Security Awareness Training
    • Voucher Program
    • Private Training
    • Workforce Development
    • Skill Assessments
    • Hiring Opportunities
  • Resources
    • Overview
    • Reading Room
    • Webcasts
    • Newsletters
    • Blog
    • Tip of The Day
    • Posters
    • Top 25 Programming Errors
    • The Critical Security Controls
    • Security Policy Project
    • Critical Vulnerability Recaps
    • Affiliate Directory
  • Focus Areas
    • Blue Team Operations
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • SANS Community
    • CyberTalent
    • Work Study
    • Instructor Development
    • Sponsorship Opportunities
    • COINS
  • About
    • About SANS
    • Why SANS?
    • Instructors
    • Cybersecurity Innovation Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press Room
  • Log In
  • Join
  • Contact Us
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  1. Home >
  2. Blog >
  3. Internet Evidence Finder (IEF): interview with Jad Saliba of JADSoftware.com
Brad Garnett

Internet Evidence Finder (IEF): interview with Jad Saliba of JADSoftware.com

November 1, 2019

Editor's note: Brad Garnett recently had an opportunity to interview Jad Saliba, of JADSoftware about how he got started in computer forensics and about some of his company's products. Please note that JADSoftware has offered a discount to readers, see the details below.

Q: Jad, Take a minute to introduce yourself and give us some insight into your background. How did you get involved in computer forensics and software development?

I've been involved in software programming on and off for a long time, going back to my teenage years. I've always had an interest in system tools and figuring out what's going on behind the scenes in a computer. I went to college and studied computer networking and programming, and worked in the industry for a short while before getting into law enforcement, which is another passion of mine. I didn't want anyone to know about my computer skills when I first got hired! But a few years later I was diagnosed with cancer and after being off for a year fighting with that, I started to think that something a little less stressful and with a better schedule would be a good thing for my family and my health. I approached the head of the Technological Crimes Unit, Eugene Silva, who needed an extra hand and graciously brought me into the unit and has kept me there so far!

Q: You have developed several software tools that can assist computer forensic professionals during the analysis phase of a forensic exam. Tools like Internet Evidence Finder (IEF), FChat (FCT), Encrypted Disk Detector (EDD), and Facebook® JPG Finder (FJF) are all great for the forensic examiner's toolkit. We are going to focus on IEF. Explain how IEF is used during media analysis and its capabilities/limitations.

Evidence_Finder
Image 1: JADSoftware's Internet Evidence Finder

IEF is simply a tool that searches for Internet related artifacts on a disk or in a file and parses them out into a readable format. It currently supports 19 different types of artifacts, including things like Facebook chat, Yahoo! Messenger chat, MySpace chat, Hotmail and Yahoo webmail, Limewire searches, and many more. IEF can be run in a number of different ways. You can run it directly against a drive that is connected via a write-blocker, or on a mounted image (mounted by Encase's PDE or a program like Mount Image Pro). If there are specific files or areas you want to search (pagefile.sys/hiberfil.sys files, or unallocated clusters), you could copy these out and point IEF to the specific files or to a folder containing files. As IEF searches the specified item(s), the results are saved to CSV/TSV report files or individual files, depending on the format of the artifact. Statistics are displayed during the search to keep you updated on the progress.

Q: There have been several updates recently to IEF. What are some future enhancements and capabilities in development for IEF?

I hope to add things that include greatly improved reporting features, an option to search unallocated space only, Unicode support, more searches, and a portable version of IEF that could be run on a live system. There's a long list that I hope to start tackling in the near future.

Q: What programming language did you use when you wrote IEF and why?

I use a mix of Visual Basic and other code, depending on the process. I try to use as many low level system calls as possible to make things run as quickly as the hardware and/or medium will allow. I'm comfortable with Visual Basic and it enables me to easily put my ideas into code while keeping the processes manageable, optimized and running fast.

Q: Do you have any future plans for IEF to be a cross-platform application (i.e. Linux, Mac)?

I don't have any plans for a cross platform application at this time. However, IEF can search drives formatted in Linux and Mac systems if they are mounted on or directly connected to a Windows system. The drive will appear as a PhysicalDrive(#) without a drive letter and IEF can search that raw drive (point it to the PhysicalDrive# that appears).

Q: You stated that there are plans for developing a portable edition of IEF to be used forensically on a live system. As live forensic acquisitions continue to grow, this would be a great tool for the incident responder/forensic analyst. Explain.

I think IEF is very well geared towards memory dump files created by tools such as ManTech's MDD and HBGary's Fastdump PRO. A lot of the testing I do when adding support for new artifacts is with memory dumps. I also have plans for an "IEF Portable" that will run from a thumb drive and could be used with a Windows FE (Forensic Edition) boot disk or other forensic boot disk that would allow IEF to run forensically on the live system. I'm also planning to add a "Quick Search" option for the searches that would only search common areas and things like the pagefile.sys file to give the investigator a quick look or preview of the drive.

Q: Do you have any additional tools in development that you would like to share with the SANS Computer Forensics blog audience?

I'm currently working on an application that will take a list of URLs (or import URLs from a CSV file, such as an Internet history report file) and then visit each URL, taking "scrolling screenshots" of each page and saving them all to an indexed, easy to browse HTML report. I think it will be useful for preserving or visually displaying a portion of a user's web browsing history, and to show what they may have seen when they visited those URLs. It would be especially useful in situations where no Internet connection is available, such as courtrooms.

Q: What can the forensic community do to make IEF better? Do you have a mailing list or a way users can submit issues or provide feedback on IEF?

I'm always open to suggestions for new features (although I won't always be able to make them happen!) and bug reports. I just want IEF to be as easy to use, feature rich, and bug-free as possible. I do have a mailing list that folks can sign up on to receive updates when new programs or releases come out. Comments and suggestions can be sent either through the contact page on my website or directly to my email address, jad-at-jadsoftware-dot-com.

Mr. Brad Garnett, CCE, GCFA is a law enforcement officer specializing in computer forensics. You can follow Brad on Twitter @bgarnett17

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

Tags:
  • Digital Forensics and Incident Response

Related Content

Blog
Digital Forensics and Incident Response
January 21, 2021
Things the Community Said About Chris Krebs's CTI Keynote
Chris Krebs Fmr. Director, US Cybersecurity and Infrastructure Security Agency (CISA); Founder, Krebs Stamos Group was the keynote speaker
SANS Institute
read more
Blog
Digital Forensics and Incident Response
January 7, 2021
How You Can Start Learning Malware Analysis
Lenny Zeltser shares a roadmap for getting into malware analysis, with pointers to 10 hours of free recorded content and additional references.
370x370_Lenny-Zeltser.jpg
Lenny Zeltser
read more
Blog
Digital Forensics and Incident Response
September 26, 2019
The State of Malware Analysis: Advice from the Trenches
What malware analysis approaches work well? Which don’t? How are the tools and methodologies evolving? The following discussion–captured as an MP3 audio file–offers friendly advice from 5 malware analysts. These are some of the practitioners who teach the reverse-engineering malware course...
370x370_Lenny-Zeltser.jpg
Lenny Zeltser
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters
  • The Critical Security Controls
  • Focus Areas
  • Blue Team Operations
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe
  • © 2021 SANS™ Institute
  • Privacy Policy
  • Contact
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn