E3 UNIVERSAL Aurora 1.0 Getting Started
Posted by Jack H. Ward on 16 November 2016 05:20 PM

Navigation:

Introducing E3:UNIVERSAL

E3:UNIVERSAL Related Tools

DP2C

P2X Pro

Link2

E3:Viewer

Installing and Configuring E3: UNIVERSAL

Computer System Requirements

Installing Electronic Evidence Examiner

Mobile Driver Pack Installation

E3:UNIVERSAL License Activation

Internet Licensing

Direct Machine Licensing

Dongle Licensing 

Installing the FOCH/NIST Database

Working with E3: UNIVERSAL

Exploring E3:UNIVERSAL Interface

E3:UNIVERSAL Data Examination Process

Creating Case

Adding Data to Case

Adding Evidence

Acquiring Mobile Data

Importing Data

Using Auto-Exam

Content Analysis

Examining Files

Data Triage

Creating Reports

Exporting

Batch Export

Additional Features

E3:UNIVERSAL

Aurora Edition 1.0 

Paraben's Electronic Evidence Examiner (E3) is a comprehensive digital forensic analysis tool designed to handle more data, more efficiently, while adhering to Paraben's P2 Paradigm of specialized focus across the entire forensic exam process. E3:UNIVERSAL covers the universal set of data types supported by this tool: hard drive data, smartphones, and IoT data. The boundaries that used to exist between kinds of digital evidence are removed with this one universal tool.

E3:UNIVERSAL utilizes Paraben's advanced plug-in architecture to create specialized engines that examine elements like e-mail, network e-mail, chat logs, mobile data, file systems, Internet file analysis, smartphones, and more, all while increasing the amount of data that can be processed and making better use of system resources through multithreading and task scheduling.

Paraben's E3:UNIVERSAL system comes with the DS Toolbox hardware kit, which includes all the common cables required for processing devices as well as other accessories used in forensic analysis, and with DP2C for hard drive and triage imaging of this type of data.

E3:UNIVERSAL Related Tools

Paraben makes other tools that complement the operations of E3: UNIVERSAL. 

  • DP2C
  • Paraben P2X Pro
  • Link2

DP2C

DP2C is a targeted data triage collection tool. DP2C runs from a USB drive either in forensic mode, by booting into DP2C, or in non-forensic mode, by running DP2C on a live system. Acquired data is saved to Forensic Container storage, usually on a network share or an external drive, for analysis in E3:UNIVERSAL, E3:P2C, or E3:VIEWER. DP2C can acquire specific pieces of data in triage form or full bit-stream disk images.

P2X Pro

P2X Pro allows you to mount disk images and access them as if they were a read-only drive on your computer. P2X Pro assigns a drive letter to each mounted virtual hard drive on your computer. When mounted, you can access files and applications as though they were installed on your computer. 

Malware and other malicious software contained in an image can infect your computer if accessed using P2X.

Link2

This program is specially designed to analyze links between data stored on different mobile devices. This is a free tool that is included with your E3:UNIVERSAL license.

E3:Viewer

Your license of E3:UNIVERSAL comes with three (3) E3:Viewer licenses that allow you to set up evidence review stations with your customers or with your investigators.

Installing and Configuring E3: UNIVERSAL

The E3:UNIVERSAL deployment consists of the following steps:

  • Installation of the program
  • Mobile driver pack installation
  • Activation
  • Installation of the FOCH/NIST database (optional and separate download)

Computer System Requirements

The following computer system requirements are necessary for running E3: UNIVERSAL:

  • Operating system: Microsoft Windows 7 SP1 or newer 32-bit and 64-bit operating system
  • RAM: 4 GB (8 GB recommended)
  • .Net Framework version 4.5 or later

Installing Electronic Evidence Examiner

To install Electronic Evidence Examiner:

  1. Download Electronic Evidence Examiner through your registration site account.
  2. Run the Electronic Evidence Examiner installation file.
  3. On the Welcome page, click Next.
  4. On the End-user License Agreement page, accept the terms of the license agreement, and then click Next.
  5. On the Select Installation Folder page, do one of the following:
    • Type the location of the folder where you want to install the program, and then click Next.
    • Click Browse and select the location of the folder where you want to install Electronic Evidence Examiner, and then click Next.
    • Click Next to keep the default location.
  6. You are now ready to begin the installation. Click Install.
  7. The installation starts. After it finishes, the last page of the installation wizard is displayed. Select the Open the Electronic Evidence Examiner Driver pack page checkbox to open the page for downloading E3 Mobile Driver Pack and click Finish.
  8. The installation is now complete and you need to activate your product.

Mobile Driver Pack Installation

After the installation of the program, you need to install a separate Mobile Driver Pack. The driver pack is included with your installation disk, or you can download it from the Paraben website in the Customer Zone. This driver pack provides the drivers needed for the majority of mobile devices that you can process using E3:UNIVERSAL.

Electronic Evidence Examiner uses SHA-2 code signing, which is not supported by Windows 7 without a security update. Without it, driver installation will be constantly interrupted by requests to confirm every driver installation.

To install the update, please follow this link: 

https://technet.microsoft.com/en-us/library/security/3033929

If the problem persists, please try installing the Microsoft hotfix. To install the hotfix, please follow this link: https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=2598139&kbln=en-us

To install the E3 Mobile Driver Pack:

  1. Start the E3 Mobile Driver Pack installation application.
  2. On the Welcome page, click Next.
  3. On the End-user License Agreement page, accept the terms of the license agreement, and then click Next.
  4. On the Customize Setup page, click Next.
  5. You are now ready to begin the installation. Click Install.
  6. The installation starts. After it finishes, click Finish.

E3:UNIVERSAL License Activation

When you launch E3:UNIVERSAL, you are prompted to activate the product. The following types of activation are available:

  • Internet licensing
  • Direct Machine licensing
  • Dongle licensing

Additionally, you can request a trial version of Electronic Evidence Examiner (https://www.paraben.com/forms/request-trial) to try the full product functionality for a limited time period.

Internet Licensing

You can connect to the web license server as a Paraben user or an E3 user created under your Paraben account. For more information on E3 users, see the help file.

To activate E3:UNIVERSAL via Internet licensing, do the following:

  1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
  2. The Activation wizard opens.
  3. In the Activation wizard, select the Internet License option (selected by default) and click Activate.
  4. The Connect to Web License Server dialog is displayed.
  5. Enter your Paraben user or E3 user login and password and click Connect.

To automatically connect to the server under the same account in the future, select Save credentials for future use checkbox.

You can change the settings of this option in Options > Common.

  6. Electronic Evidence Examiner connects to the web license server and checks what packages are available for this account.
  7. If the E3:UNIVERSAL package is available (not activated on another computer), it becomes activated. You can start working with E3: UNIVERSAL.

Direct Machine Licensing

This type of activation is preferable if you intend to use E3:UNIVERSAL on one computer only.

You can activate the product over the Internet or by telephone.

To activate the product over the Internet, do the following:

  1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
  2. The Activation wizard opens.
  3. Select Direct Machine License and click Activate.
  4. On the next page of the wizard, select the Over the Internet activation type and click Next.
  5. The Enter Your Product ID page opens. Click Add and enter the Product ID of the package you want to activate (you can enter one or more Product IDs). Then click Activate.

You can find your Product ID in the email message that was sent to you after you bought the product.

  6. After the package is activated, the last page of the Activation wizard opens.
  7. Click Finish to exit the wizard.

To activate the product by telephone, do the following:

  1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
  2. The Activation wizard opens.
  3. Select Direct Machine License and click Activate.
  4. On the next page of the wizard, select the By telephone activation type and click Next.
  5. The Phone Activation page opens.
  6. Follow the steps described on the page: call the support center and dictate the Product ID(s) and the Registration key displayed on the Phone Activation page.

You can find your Product ID in the email message that was sent to you after you bought the product.

  7. When you receive the Activation key, enter it in the corresponding field and click Activate.
  8. After the package is activated, you will see the last page of the Activation wizard.
  9. Click Finish to exit the wizard.

Dongle Licensing

To activate E3:UNIVERSAL via dongle, do the following:

  1. Purchase a dongle separately as the cost is not included with the license purchase. The $89.00 fee can be added to your quote or shopping cart order.
  2. Get the dongle delivered to you.
  3. Download Dongle Manager (https://www.paraben.com/download/products) and install it on any computer with Internet connection.
  4. Plug the dongle into your computer, start Dongle Manager and update the dongle.
  5. Install the Dongle Manager on the computers where E3:UNIVERSAL will be used.
  6. Plug in the dongle and start Electronic Evidence Examiner.  

As long as the dongle is plugged in, E3:UNIVERSAL will work. 

If you ordered a dongle but want to use E3:UNIVERSAL before your dongle arrives: You can request a temporary activation key that will expire in 30 days. The key can be requested from the Paraben support center.

Installing the FOCH/NIST Database

The FOCH (Filter Out Common Hashes) database is a set of hashed files that are associated with many common operating systems and is based on the NIST database of known hash values.

E3:UNIVERSAL uses this set of hashed files to filter out the common files so that it doesn’t have to sort and rehash them each time you perform scanning.

To install the FOCH Database, do the following:

  1. Download the database from https://www.paraben.com/downloads/tools/foch.exe.
  2. Start the exe application.
  3. Type the location where you want to place the database. It should be in a folder named CommonFiles (NIST) placed in the root directory where you installed Electronic Evidence Examiner. The correct location is provided by default if you select the default location for installing Electronic Evidence Examiner.
  4. Click Install.

For more detailed information on installing and using the FOCH database, see the help file.
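The following Python script is an added illustration of the idea behind the FOCH database and the "remove duplicates" option of Auto-Exam (the known-hash filtering and de-duplication described above); it is example code written for this guide, not part of E3:UNIVERSAL, and since the guide does not describe the FOCH file format it assumes a plain set of SHA-1 hex digests and a constructed sample directory tree.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the FOCH/NIST known-hash database. The guide does not
# describe the FOCH file format, so this example assumes (assumption) a plain
# set of SHA-1 hex digests built from constructed sample file contents.
COMMON_DLL = b"constructed stand-in for a common OS DLL"
COMMON_EXE = b"MZ constructed stand-in for a common OS executable"


def sha1_bytes(data):
    """SHA-1 hex digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


KNOWN_COMMON = {sha1_bytes(COMMON_DLL), sha1_bytes(COMMON_EXE)}


def hash_file(path, chunk_size=1 << 20):
    """SHA-1 hex digest of a file, read in chunks so that large files do not
    have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known):
    """Hash every regular file under root once, drop files whose digest is in
    the known-common set (the FOCH idea: do not re-examine files that every OS
    install contains), and collapse byte-identical duplicates among the rest.
    Paths are returned relative to root so results do not depend on where the
    tree lives."""
    root = Path(root)
    filtered = []     # (path, digest) of files matching the known-common set
    unique = {}       # digest -> first path seen with that content
    duplicates = []   # (copy path, original path) for later copies
    # Deterministic order: sort by relative POSIX path string.
    paths = sorted((p for p in root.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(root).as_posix())
    for path in paths:
        rel = path.relative_to(root).as_posix()
        digest = hash_file(path)
        if digest in known:
            filtered.append((rel, digest))
        elif digest in unique:
            duplicates.append((rel, unique[digest]))
        else:
            unique[digest] = rel
    return {"filtered": filtered, "unique": unique, "duplicates": duplicates}


def build_sample_tree():
    """Create a small constructed directory tree that mimics a seized drive:
    two 'OS' files that are in the known set, one user file, an exact copy of
    it in another folder, and one unrelated binary."""
    root = Path(tempfile.mkdtemp(prefix="foch_demo_"))
    files = {
        "Windows/System32/common.dll": COMMON_DLL,
        "Windows/System32/common.exe": COMMON_EXE,
        "Users/jdoe/Documents/notes.txt": b"meeting at 9",
        "Users/jdoe/Downloads/notes_copy.txt": b"meeting at 9",
        "Users/jdoe/Pictures/photo.bin": b"\x89PNG constructed image bytes",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def run_demo():
    """Build the sample tree, triage it against the known set, and return the
    result dictionary."""
    return triage(build_sample_tree(), KNOWN_COMMON)


if __name__ == "__main__":
    result = run_demo()
    print("filtered as known-common:", [p for p, _ in result["filtered"]])
    print("unique files to examine: ", sorted(result["unique"].values()))
    print("duplicates collapsed:    ", result["duplicates"])
```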

Working with E3: UNIVERSAL

Once E3:UNIVERSAL is licensed, you can start using the program. 

Exploring E3:UNIVERSAL Interface

The interface is divided into the following parts: 

  • The Ribbon: This part of the interface contains the controls for working with E3: UNIVERSAL.
  • Main window containing the following areas:
    • Tree-view area (on the left): Consists of the Case Content pane, which displays all the case items and Sorted Files pane, which displays files sorted by categories.
    • Data View area (in the center): Displays the content of folders and grids and other panes, such as Sorted Files, Search, Case History, and others.
    • Viewers and Bookmarks area (on the right): Consists of different viewers, which display images, thumbnails, text, and hex data, the Properties pane, which displays file properties, and the Bookmarks pane, which displays the bookmarks created in the case.
    • Tasks and secondary panes area (at the bottom): Consists of the Tasks pane, which allows the user to view the status of search, export, sorting, and report generating tasks, the Hashes pane, which displays the attached hash databases, and the Common Log pane, which allows the user to view the Common Log created during one session of E3: UNIVERSAL.

You can hide, show, and resize panes as you work to see more or less information. If you want to reset the display to the default settings, on the View tab, in the Layout Management group, click Restore Layout.

E3:UNIVERSAL Data Examination Process

E3:UNIVERSAL offers you the following functions for evidence examination:

  • Creating a case
  • Adding data to a case
  • Performing auto-exam
  • Performing content analysis of evidence
  • Examining files
  • Viewing triage data
  • Creating reports
  • Exporting data
  • Performing batch export

Each of these functions is outlined in this guide with more comprehensive information available in the help file that can be opened from the Case menu of E3: UNIVERSAL.

Creating Case

When you initially start E3: UNIVERSAL, you need to create a case. There are two ways of creating a new case: automatic and manual.

To create a new case automatically, click Add Evidence, Acquire Device, or Import Data on the Welcome screen that appears at E3:UNIVERSAL start-up. The Case (<n>).e3 case is created automatically in C:\Users\<user name>\Documents\Paraben Corporation\Paraben’s Electronic Evidence Examiner. Depending on your selection, the Add Evidence window or Acquisition or Import wizard opens automatically.

To create a new case manually:

  1. In the Case menu, click Create New Case.
  2. The New Case wizard opens.
  3. On the Case Properties tab, enter the case name (the name of the *.e3 file where the case will be saved) and the case description. The Case name is a required field.
  4. Select the Additional Information tab, enter the investigator information (if necessary), and click Finish.
  5. Select the folder in which the case will be stored (C:\Users\<User>\Documents\Paraben Corporation\Paraben’s Electronic Evidence Examiner by default) and click Save.
  6. A new case is created.

Adding Data to Case

After creating a case, you need to add data to it. There are three main ways to add data to a case:

  • Adding evidence from investigated computers
  • Acquiring mobile devices
  • Importing mobile data

Adding Evidence

Adding evidence is the process of selecting which files and information you want to examine. E3:UNIVERSAL allows you to specify what types of evidence you would like to add and includes:

  • Logical drive: Reads files and folders stored on the hard drive in the hierarchical order. You can select an entire disk or a folder on the disk.
  • Physical drive: Reads all data on the disk regardless of whether it is stored in a logical folder on the disk drive or in an unallocated space.
  • Separate Folder: Reads a folder on a physical drive connected to the computer on which the case is opened, or a network folder, or a folder on a CD/DVD disc, or a whole CD/DVD disc.
  • Image file: Reads a stored hard drive image. Has the ability to read images in most common formats.
  • Email database: You can select an email database created by a specific email application or you can use the auto-detect option.
  • Chat database: You can select a chat database created by a specific online chat application or you can use the auto-detect option.
  • Registry files: You can view registry data stored in files of binary hive format.
  • Internet Browser Data files: You can view data created by Internet Explorer, Mozilla Firefox, and Google Chrome.
  • Game Console Data files: You can investigate data extracted from XBOX game consoles.
  • Forensic Containers: You can investigate data stored in encrypted Forensic Containers (data collected by DP2C or exported from an E3 case).
  • E3 mobile data/DS cases: Reads data stored in cases created by Paraben’s DS or E3 while investigating smartphones, feature phones, PDAs, and other devices.
  • iOS backups: Reads backups created via iTunes from an iPhone/iPad/iPod Touch devices.
  • JTAG memory dumps: Reads images of device physical memory created via RIFF Box (RIFF JTAG) hardware.
  • Other: You can investigate OLE storages, archives or compressed files, raw memory dump files, and SQLite database files.

When you use the auto-detect option, you can select a file or a folder. For most files and data sources, you should select File. Select Folder only if the object you want to examine is the folder itself. For most auto-detect options, you should select the file and E3:UNIVERSAL will determine what type of file it is.

To add evidence, do the following:

  1. Create a case.
  2. On the Evidence tab, in the Evidence group, click Add Evidence; or click Add New Evidence in the case node context menu; or select Add Evidence on the Welcome page of the program.
  3. In the Add New Evidence window, select the type of evidence that you want to add, and then click OK.
  4. Browse to the file or folder with evidence data, and then click OK.
  5. Enter the Evidence name. By default, this is the name of the object you selected when you browsed. Click OK.
  6. When opening some mail archive evidence or NTFS file system evidence, you will be asked to define its options. Select the options you want to use when adding the evidence, then click OK.
  7. When the evidence is added, it is displayed in the Case Content pane of E3: UNIVERSAL.

Acquiring Mobile Data

Data acquisition is the automatic collection of data from the device. It starts with connecting the device to the computer with data cable and ends when an E3 mobile data case file with acquired device data is added as evidence to the currently opened case.

The process of data acquisition completely depends on the type of device from which data is acquired. For more information, consult the help file.

Generally, the acquisition process consists of four steps:

  • Preparation step: Preparing your device for acquisition. Consult the help file to get more information about preparing your device for acquisition. Some devices need to be turned off, or need additional settings defined on the device, before acquisition.
  • Selection step: Starting the acquisition wizard and selecting a device for acquisition.
  • Acquisition step: Reading data from the device.
  • Final step: Adding an E3 mobile data case file with acquired data to the currently opened case.

You can perform acquisition via automatic device detection or manual plug-in selection. We recommend using automatic detection for acquisition and using manual plug-in selection only if you have problems with device detection or your device cannot be acquired via automatic detection (see the description of the acquisition process for your device in the help file).

To acquire data from your device via automatic detection:

  1. Prepare your device for acquisition:
    • Make sure the device is charged.
    • Choose the proper cable or cradle for your device.
    • Check that drivers for USB connection are installed.
    • Define connection properties if necessary.
    • Some devices require a SIM card to be inserted to perform acquisition so make sure a SIM card is inserted for such devices.
  2. Launch Electronic Evidence Examiner with administrator privileges.
  3. Click Acquire Device on the Welcome screen or click Start Acquisition on the Evidence tab, in the Mobile Data group.
  4. The Acquisition wizard opens.
  5. On the Home page, the icon of your device will be displayed. Click the icon of the required device. If your device icon is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work only with one connected device at a time.

Some devices cannot be acquired via automatic detection. If your device is not detected, consult the troubleshooting or use manual plug-in selection.

  6. On the Acquisition Type page, select the type of acquisition to be performed.
  7. If additional actions are required to perform the acquisition, you will be prompted to select them on the Pre-acquisition Options page. Select the required options and click the link to the next page.
  8. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click the link to the next page.
  9. If special acquisition instructions are available for the device, they will be displayed on the Instructions page. Click Start Acquisition.
  10. The data acquisition starts and a new Mobile Data Acquisition task is added to the Task pane, where you can view its general progress.

The progress is also displayed on the Acquisition Progress page where you can see which features were successfully acquired and which features were not acquired and why.

Some devices require your interaction during the acquisition process. For more information, consult the help file.

  11. When the data acquisition finishes, the E3 mobile data case with acquired data is saved in the same location as the currently open case and is added to it as evidence. Click Finish.

The name of the E3 mobile data case with acquired data is: <case name>_Acquisition_<date and time of acquisition>.ds

To acquire data from your device via manual plug-in selection:

  1. Prepare your device for acquisition (the same as for automatic detection).
  2. Click Acquire Device on the Welcome screen or click Start Acquisition on the Evidence tab, in the Mobile Data group.
  3. The Acquisition wizard opens.
  4. On the Home page, click Manual Plug-in Selection.
  5. On the Plug-in Selection page, select the plug-in corresponding to the device manufacturer and the type of acquisition you want to perform.
  6. If additional actions are required to perform the acquisition, you will be required to select them on the Pre-acquisition Options page. Click Continue.
  7. On the Connection Selection page, select the port to which the device is connected. Click the Instructions link if specific instructions are available for your device or click Start Acquisition.
  8. The rest of the acquisition process is performed the same way as for the automatic detection.

Importing Data

Electronic Evidence Examiner allows you to import RIM Blackberry backup files, non-encrypted iPhone 1.x-10.x and encrypted iPhone 1.x-9.x backup files, Cellebrite UFED cases, Tarantula backup data, tower information, and GPS and KML maps.

To import data, do the following:

  1. Launch Electronic Evidence Examiner with administrator privileges.
  2. Click Import Data on the Welcome page or click Import From on the Evidence tab, in the Mobile Data group.
  3. On the Imported data type page, select the type of data for importing. Click Next.
  4. On the Source page, click Browse.
  5. The standard Open window opens. Navigate to the location of the required file and click Open.
  6. For tower information, define the Date format of imported data from the drop-down list and define the period for which data is to be imported.
  7. Click Finish.
  8. For encrypted backups, you will be asked to enter a password. Enter a password and click Next.
  9. The import process starts and the Import stored mobile data task is added to the Tasks pane where its general progress can be viewed.

The progress is also displayed on the Importing File Process page of the Import wizard.

  10. If the import process completes successfully, you will see the last page of the wizard. Click Finish to exit the wizard.
  11. The imported data is saved to an E3 mobile data case in the same location as the currently open case and is added to it as evidence.

The name of the E3 mobile data case with imported data is: <case name>_Import_<date and time of import>.ds

Using Auto-Exam

The auto-exam feature allows you to select a sequence of actions to be performed on evidence so that it is processed automatically. This feature is available for all types of evidence except Memory Dump files.

To start auto-exam, do the following:

  1. Add evidence to a case, or on the Analysis tab, in the Auto-Exam group, click Start Auto-Exam.
  2. The Paraben’s Auto-Exam window opens.
  3. Define the following parameters:
    • Would you like to sort the data into categories and provide a list of data in each category? Select Yes, sort data if you want to sort data from the evidence into categories according to their file types, otherwise, select No.
    • Do you want to export any data from the sorted categories?

If you selected to sort data, select the categories of sorted data that you would like to have exported.

The data is exported to a folder in the same location as the case or to a folder with report data if you select to generate a report.

    • Would you like to remove duplicated data?

If you selected to sort data, select Yes, remove duplicates if you want duplicates of files to be absent from exported data and reports generated by the Auto-exam engine.

    • Do you want to do any searches?

If you want to perform searches in the evidence, define search expressions in the empty text box or click Load Words to load search expressions from a file or a pre-defined search list. Otherwise, leave the text box empty.

    • What type of report would you like generated?

Select the types of reports you want to be generated for the evidence. If necessary, click Edit report template… to customize the reports.

The reports are created in a folder in the same location with the case.

    • Do you want to include Triage Data with your report?

Select Computer/media data to include triage data with generated reports.

  4. Click Start Auto-exam.
  5. The Auto-exam starts and the selected tasks are displayed in the Tasks pane one by one.

Content Analysis

After you add data to a case, you can sort data into certain categories, index keywords in this data, scan portable executable files in it for the signs of being malware, and perform text extraction from graphical files. The content analysis operations expedite your work with binary files of different formats and allow you to perform quick searches by indexed keywords, detect suspicious files that might be malware, and perform text searches by text contained in graphic files.

E3:UNIVERSAL automatically sorts files into the following types:

  • Documents
  • Email
  • Chats
  • Spreadsheets
  • Graphics
  • Databases
  • Executable
  • Compressed
  • Multimedia
  • Text
  • XML
  • Encrypted
  • Financial Files
  • Others
  • Image Analyzer Results
  • Recovered from Unallocated Space

The following table represents types of evidence and the availability of content analysis for them:

Evidence Type | Sorting | Malware Scan | Text Extraction from graphic files | Keyword Indexing | Recursive content analysis in embedded evidence
File System evidence | + | + | + | + | +
E-mail database | + (Attachments) | + (Attachments) | + (Attachments) | + | +
Archive | + | + | + | + | +
Forensic Container | + | + | + | + | +
OLE storage | + | + | + | + | +
E3 mobile data/DS case | + (Binary files) | - | + (Binary files) | + | +
iPhone/iPad/iPod Touch backup evidence | + (Binary files) | + (Binary files) | + (Binary files) | + | +
SQLite database | + (Embedded binary files) | + (Embedded binary files) | + (Embedded binary files) | + | +
Xbox evidence | + | + | + | + | 
Project-a-Phone data | + | - | + | + | -
Chat databases | + (Only for Hello database) | + (Only for Hello database) | + (Only for Hello database) | + | +
Internet Browser data | + (Temporary files) | + (Temporary files) | + (Temporary files) | + | +
Registry file | - | - | - | + | -
Dump file | - | - | - | - | -
JTAG memory dump file | + | + | + | + | +

(+ means content analysis of that kind is available for the evidence type; - means it is not.)

To perform content analysis, do the following:

  1. Open the Content Analysis window in one of the following ways:
    • If you added evidence or performed acquisition or import of mobile data, the Content Analysis window opens automatically if the evidence contains analyzable data.
    • Select the evidence, folder, or file in which you want to perform content analysis and, in the context menu or on the Analysis tab, in the Content Analysis group, select Content Analysis > Content Analysis.
  2. On the General options page, do the following and click Next:
    • Select the Sort Data checkbox to sort data into different categories according to their file types.
    • Select the Index keywords checkbox to index keywords in files, which allows performing faster searches in data.
    • Select the Extract and index keywords from graphic files (OCR) checkbox to extract text contained in image files and automatically add keywords from the text to a keyword database and select the Language for keyword extraction.
    • Select the Scan for malware checkbox to scan portable executable files for the signs of being malware.
  3. On the Data analysis options page, define the following options and then click Next:
    • Recursive sorting and keyword indexing in: Select the types of data that should be analyzed within the embedded evidence (see the help file for more information on embedded evidence).
    • Include files of undetected format: If this option is selected, files whose type cannot be defined will be placed to the Unknown category during sorting, otherwise they will be skipped.
    • Perform data analysis in deleted data: If this option is selected, deleted data in the file system evidence will be recovered and content analysis for it will be performed.
    • Save current wizard options as default: If this option is selected, then the defined sorting and indexing options are saved as the default options.
  4. On the Advanced options page, select the Skip MSI installations, Skip CAB archives, Skip CHM help files and Skip unknown OLE streams options to make searching and keyword indexing faster. Click Next.
  5. On the Image Analyzer page, define the following options:
    • Use Image Analyzer: If this option is selected, the Image Analyzer will be used while sorting graphic files.
    • Engine sensitivity: The larger the value of the engine sensitivity, the more images will be put in the Highly suspect and Suspect categories.
    • Use file filter: If this check box is selected, then only files of the defined size will be checked by Image Analyzer.
    • Use resolution filter: If this check box is selected, then only images of the defined size will be checked by Image Analyzer.

Image analysis will be performed only when you perform file sorting.

  6. Click Finish.
  7. The content analysis task starts. Its progress is displayed in the Tasks pane, where it can be viewed, paused, stopped, and started.

The results of file sorting can be viewed on the Sorted Files pane.

For keyword indexed files, keyword searches can be performed (see the help file for more information).

The results of the malware scan can be viewed on the Content Analysis tab of the Properties viewer.

Text extracted from graphic files can be viewed on the Extracted Text viewer for the selected file and keyword searches can be performed in the images with extracted text.

Examining Files

After sorting and indexing the files, the next step is their examination. E3:UNIVERSAL provides you with several options for examining files and data sources. These include the following tools:

  • File viewer
  • Text viewer
  • Hex viewer
  • Thumbnails viewer
  • File slack hex viewer
  • File slack text viewer
  • Extracted Text viewer
  • Email Data viewer
  • Chat RTF viewer

The viewers can be enabled on the View tab, in the File Viewers and Advanced Viewers groups.

When you select a certain item, you can examine it in different viewer tabs that are displayed to the right of the Data View pane. If some of the viewers are not available for the selected item, they are inactive. For example, if you select a folder that has no graphics, the Thumbnails viewer tab will be inactive.  


To view files, file information, and their content, do the following:

  1. Make sure that all the viewer options are selected on the View tab, in the File Viewers and Advanced Viewers groups.
  2. Select the file you want to examine.
  3. Click the appropriate viewer tab to see the information displayed in the format you want. For example, click Hex View to view the file in Hex format and so forth.
  4. Click the edge of the pane to resize it if necessary.

File properties including its size, creation date, file name, and other properties are displayed in the Properties pane, which is located to the right of the program window.


Data Triage

E3:UNIVERSAL allows you to view data of email clients, chat messenger clients, and Internet browsers installed on the investigated computer. You can also view recently used files and Documents folders. E3:UNIVERSAL autodetects this data in the registry and displays it in the sub-nodes of the Data Triage node.

Auto-detection is available only for the following types of evidence:

  • Physical drives and images of the physical drives that have a system partition
  • System logical drives and images of system logical drives
  • Registry hives

The Data Triage node is placed under the partitions node if a physical drive/physical drive image evidence is added and on the same level as the Root node if a system disk/system disk image evidence is added.

To view detected data in Data Triage, do the following:

  1. Add a physical drive or a system drive evidence to the case.
  2. In the Case Content pane, expand the evidence node.
  3. Click the plus sign near the Data Triage node. The following nodes are displayed:
    • E-mail Databases: Detected installed e-mail databases.
    • Chat Databases: Detected installed chat databases.
    • Internet Browser Data: Detected installed Internet browsers (including Internet Browser data).
    • My Documents Folders: Detected My Documents folders (based on the number of users on the investigated computer).
    • Recently Used Files: The list of the most recently opened files.
    • Parsed Registry Data: Groups of registry keys including information about auto run programs, list of installed programs that can be uninstalled, list of Windows services, etc.

Creating Reports

An E3:UNIVERSAL report is a summary of the currently open case that can be printed, e-mailed, etc.

E3:UNIVERSAL allows you to create the following types of reports:

  • HTML Investigative Report: This report includes any information defined by the user (evidence of different types, bookmarks, and supplementary files). Data is displayed in the HTML format without hyperlinks.
  • Simple Text Report: This type of report includes the same information as the HTML Investigative Report displayed in a similar way, but in text format.
  • Simple RTF Report: This type of report represents information in Rich Text Format and can be opened in any text editor that supports formatted text.
  • CSV Text Report: This type of report represents information in a tab-delimited format and can be opened in Microsoft Excel.
  • HTML Evidence Summary Report: This report includes information about all evidence added to the case, information about the Investigator (optional), and supplementary external files. Data is displayed in HTML format.
  • HTML Email Message Report: This report includes information on email messages stored in the investigated mail archive. Data is displayed in the HTML format.
  • Malware Scan Results Report: This report includes information on all scanned executable files. Data is displayed in CSV format.
  • Mobile Evidence Timeline Report: This report contains timeline representation of mobile data in the HTML format.
  • Mobile Evidence PDF Report: This type of report contains mobile data in the PDF format.
  • Mobile Data Review Report: This type of report includes detailed information on all mobile data acquired by the Android Logical plug-in. Information is represented in the HTML format with hyperlinks, providing the most convenient view of mobile case data.

When you create reports, you can select specific files and information that you want to add to the report. You can select this information by clicking the Add to Report/File Export option in the context menu of an item in the Case Content or Data Viewer pane. You can also export evidence along with the report and add bookmarks and case information to it.

To create reports, do the following: 

  1. Navigate to the data in the Case Content or Data View pane and then select the check boxes next to the records, files or folders you want to include.
  2. On the Analysis tab, in the Reports group, select Generate Report.
  3. On the General options page of the Reports wizard, select the type of the report and the location where you want to save it.
  4. Click through the remaining pages of the wizard and select the options you need for your report. These options include file types, file properties, case information, whether you want to create a report with all evidence or only selected data, and so forth. The report options vary depending on the type of the report you select. For more information on the options, see the help file.
  5. Click Finish to begin the process of creating a report.
  6. The report generation starts and the report generation task is added to the Tasks pane where it can be viewed, paused, stopped, and started. Depending on the size and the options you select when creating a report, the generation process might take several minutes.
  7. The generated report opens automatically if the corresponding option was selected in the Report wizard options.

Exporting

E3:UNIVERSAL allows you to export data from the case as separate files and to export selected rows of a grid to spreadsheets. Exported files are accompanied by a hash file that can be used to verify that the data has not been changed since the export. You can use the check boxes in the Case Content or Data View panes to select which files, folders, grids, and rows of data you want to export. The following export options are available:

  • Export currently selected data (file or folder)
  • Export data selected across the case (checked data)
  • Export data to spreadsheet
  • Export sorted files

To export the currently selected data:

  1. Select a folder or a grid in the Case Content or select multiple files and folders in the Data View pane by clicking corresponding items. Use the Shift and Ctrl keys for multi-selection.
  2. On the Export tab, in the Common Export group, click Export or click Export in the context menu.
  3. For folders, select whether you want to export selected folders with all their subfolders (Recursive) or just files stored in selected folders (Non-recursive).
  4. Select whether the data will be exported to a folder or an encrypted Forensic Container.
  5. Browse to the location where you want the data to be exported (folder location or a Forensic Container file to which the data is to be exported).
  6. Define the Forensic Container password (if the export to a Forensic Container is selected).
  7. Click Export.
  8. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

To export data selected across the case:

  1. Select the checkboxes near the files and folders you want to export in the Case Content and Data View panes.
  2. On the Export tab, in the Export to Native Format group, click Export Checked Files.
  3. For folders, select whether you want to export selected folders with all their subfolders (Recursive) or just files stored in selected folders (Non-recursive).
  4. Select whether the data will be exported to a folder or an encrypted Forensic Container.
  5. Browse to the location where you want the data to be exported (folder location or a Forensic Container file to which the data is to be exported).
  6. Define the Forensic Container password (if the export to a Forensic Container is selected).
  7. Click Export.
  8. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

To export data to spreadsheet:

  1. In the Data View pane, select the rows to be exported. Use the Shift and Ctrl keys for multi-selection.
  2. Click Export Info to Spreadsheet in the context menu, or on the Export tab, in the Common Export group.
  3. Define the location and the name of CSV file to be created and click Save.
  4. When the export process finishes, you receive a confirmation message. Click OK.
  5. Data is exported.

To export sorted files from a case: 

  1. Perform sorting.
  2. Open the Sorted Files pane and select the category to export, or the Sorted Files node to export all categories, or several files from the selected category using the Shift and Ctrl keys.
  3. Click Export in the context menu, or on the Export tab, in the Common Export group.
  4. Select where the files will be saved and click OK.
  5. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.
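The hash file that accompanies an export is only useful if someone actually re-hashes the files against it later, for example before the exported material is handed to another examiner or produced in court. The script below is an added example and not Paraben's code: the layout of E3's hash file is not documented on this page, so it assumes a sha256sum-style manifest with one `<hex digest>  <relative path>` line per file (md5 and sha1 digests are recognised by length), and the export tree it checks is constructed inside the script for the demonstration. It reports every file that was modified, deleted, or dropped into the folder without a hash, rather than stopping at the first mismatch.

```python
"""Re-verify an E3-style export folder against its hash file.

Added example, not part of E3:UNIVERSAL. Assumed manifest format:
one '<hex digest>  <relative path>' line per exported file.
"""
import hashlib
import tempfile
from pathlib import Path

# Digest length in hex characters -> hashlib algorithm name (assumption:
# the manifest does not name the algorithm, so it is inferred from length).
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_manifest(text):
    """Parse '<hex digest>  <relative path>' lines into {path: digest}.

    Blank lines and '#' comments are ignored; backslashes are normalised so a
    manifest written on Windows verifies on any platform.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or not rel.strip():
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <path>'")
        entries[rel.strip().replace("\\", "/")] = digest.lower()
    return entries


def hash_file(path, algo):
    """Stream the file through hashlib so multi-GB exports do not load into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_export(export_dir, manifest):
    """Return {relative path: 'ok' | 'mismatch' | 'missing' | 'unlisted' | 'bad-digest'}.

    Every file under export_dir is accounted for: a file added after export
    (covered by no hash at all) is reported as 'unlisted', not silently trusted.
    """
    root = Path(export_dir)
    results = {}
    for rel, expected in manifest.items():
        algo = DIGEST_ALGOS.get(len(expected))
        target = root / rel
        if algo is None:
            results[rel] = "bad-digest"
        elif not target.is_file():
            results[rel] = "missing"
        elif hash_file(target, algo) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    for path in root.rglob("*"):
        if path.is_file():
            results.setdefault(path.relative_to(root).as_posix(), "unlisted")
    return results


def demo():
    """Build a constructed export tree, record its hashes, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample export, not real case data
            "docs/report.txt": b"quarterly numbers\n",
            "img/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
            "notes/deleted.txt": b"will go missing\n",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # The hash file as it would have been written at export time.
        manifest_text = "\n".join(
            f"{hash_file(root / rel, 'sha256')}  {rel}" for rel in files
        )
        # Post-export tampering: one edit, one deletion, one foreign file.
        (root / "img/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x01" * 64)
        (root / "notes/deleted.txt").unlink()
        (root / "extra.bin").write_bytes(b"not in the manifest")
        return verify_export(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10} {rel}")
```

Point `verify_export` at the real export folder and the parsed hash file (adjusting `parse_manifest` if E3's file uses a different layout). Keep a copy of the hash file somewhere the export folder cannot be altered together with it: a manifest stored only beside the files it attests to detects accidental change, but not a deliberate edit that regenerates the hashes. An encrypted Forensic Container protects the confidentiality of the export; it is not a substitute for this integrity check.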

Batch Export

E3:UNIVERSAL allows you to perform searches in multiple mail storages of different formats and export the search results to EML, EMX, MSG, PST, and Attachments only formats.

To perform a batch export, do the following:

  1. On the Export tab, in the Mail Archive Export group, click Batch Export.
  2. The Batch Export Wizard opens.
  3. On the Welcome page, click Next.
  4. On the Source Options page, define the parameters of the source mail archive detection.
  5. On the Filter Options page, define the parameters for selecting data from source mail archives.
  6. On the Export Options page, define the options for exporting search results.
  7. On the Common Options page, define the common options for the export process.
  8. Click Finish.
  9. The export process starts.

Additional Features

This quick start guide outlines the basic features you need to begin working with E3: UNIVERSAL. However, E3:UNIVERSAL has a powerful set of additional features for more convenient, and more complete analysis. Below you can see a list of these options and their short descriptions. For more details on each, please see the Electronic Evidence Examiner help file. 

  • Advanced Search: Allows you to look for text and hex strings in the evidence using multiple search parameters (including regular expressions search, Boolean search, and keywords search).
  • Sorted Files Search: Allows you to search for files by name, hash code, creation date, etc.
  • Keywords Search: Allows you to filter the keywords already found during indexing according to your search request, which makes the search process much faster.
  • Bookmarks: Allows you to create bookmarks for quicker navigation around the case.
  • Case History: Displays a list of performed case-related tasks and processes.
  • Options wizard: Allows you to change and save the default settings for E3: UNIVERSAL.
  • Forensic Container creation: Allows you to create an encrypted Forensic Container to store your data safely and export files and folders to it.
  • Mounting: Allows you to mount images of physical/logical disks and forensic storages to your computer.
  • Printing messages: Allows you to print out a message from the Mail archive evidence.
  • Cloud data import: Allows you to import data from cloud-based services, such as Facebook, Gmail, Google Locations, and others using an authentication data file extracted from logically acquired Android OS data or from an imported encrypted iTunes backup or using user account credentials.
  • SIM Cloner: Allows you to duplicate identification files from a GSM SIM card to a blank card.
  • Mobile Data Comparer: Allows you to compare cases with acquired or imported mobile data and create a mobile data comparison report.
  • Application Data Parsing: Allows data associated with specific applications to be parsed and reviewed quickly in E3: UNIVERSAL. Application support is limited to Android and iOS devices and RIM BlackBerry 10 backups (see the help file for more information).


Attachments 
 
 e3 universal aurora 1.0 getting started.pdf (777.28 KB)