Knowledgebase: E3
E3 DS Aurora 1.0 Getting Started
Posted by Jack H. Ward on 21 November 2016 05:49 PM

Navigation:

Introducing E3: DS

E3 Packages

E3:DS Related Tools

Link2

E3:Viewer

Installing and Configuring E3: DS

Computer System Requirements

Installing Electronic Evidence Examiner

Mobile Driver Pack Installation

E3:DS License Activation

Internet Licensing

Direct Machine Licensing

Dongle Licensing

Working in E3:DS

Exploring E3:DS Interface

E3:DS Data Examination Process

Creating Case

Acquiring Data

Importing Data

Content Analysis

Examining Files

Creating Reports

Exporting Data

Additional Features

Unavailable Options


Introducing E3: DS

Aurora Edition 1.0

Paraben's E3:DS allows investigators to acquire data contained on mobile phones, smartphones, tablets, GPS, and PDA devices in the most forensically sound manner possible. E3:DS employs different techniques with each type of device. In most cases, images are created both logically and physically. This gives the examiner the maximum access to data that includes information such as phone numbers, dates, times, pictures, and call history for both active and deleted data. There are many unique analysis functions as well that come with the powerful acquisition engines to include bookmarking, advanced searching, importing of backup data, and case data comparisons.

Paraben’s E3:DS utilizes Paraben's advanced plug-in architecture to provide comprehensive content analysis – all while increasing the amount of data that can be processed and utilizing resources through multi-threading and task scheduling. E3:DS is affordable, and it runs effectively with lower hardware requirements than you thought possible.

Paraben’s E3:DS system comes with the DS Toolbox hardware kit that includes all the common cables required for processing devices as well as other accessories used in forensics analysis.

E3 Packages

Electronic Evidence Examiner comes with a broad range of tools for work with digital evidence. These tools are available in different E3 packages, which include:

  • E3: UNIVERSAL: This package allows you to work through all types of digital data, such as physical and logical drives, disk images, email and chat databases, Internet browser data, mobile devices, cloud data, device backups and more. It includes full functionality of E3:DS and E3: P2C packages and comes with an additional Auto-exam feature, which allows you to automatically process evidence added to a case.
  • E3: P2C: This package allows you to analyze various types of digital evidence stored on an investigated computer, such as physical and logical drives, disk images, email and chat databases, Internet browser data, and more.
  • E3: VIEWER: This package allows you to view data created by Project-a-Phone, Deployable P2C, Fact Finder, and Paraben’s DS / E3: DS.

E3:DS Related Tools

Paraben makes other tools that complement the operations of E3:DS:

  • Link2
  • E3:Viewer

Link2

This program is specially designed to analyze links between data stored on different devices.

E3:Viewer

Your E3:DS license comes with one (1) E3:Viewer license that allows you to set up evidence review stations with your customers or with your investigators.

Installing and Configuring E3: DS

The E3:DS deployment consists of the following steps:

  • Installation of Electronic Evidence Examiner
  • Installation of E3 Mobile Driver Pack
  • Activation of the E3:DS package

Computer System Requirements

The following computer system requirements are necessary for running E3: DS:

  • Operating system: Microsoft Windows 7 SP1 or newer 32-bit and 64-bit operating system
  • RAM: 4 GB (8 GB recommended)
  • .Net Framework version 4.5 or later

Windows 7 without Service Packs and lower operating systems are not supported as they do not support the SHA-2 cryptography used by E3: DS.

Installing Electronic Evidence Examiner

When you place the installation CD in your computer, the auto-run feature launches the installation program that guides you through the installation process. If the auto-run feature needs to be started manually, you can click autorun.exe in the root directory of the installation CD. You can also download Electronic Evidence Examiner through your registration site account.

To install Electronic Evidence Examiner:

  1. Run the Electronic Evidence Examiner installation file.
  2. On the Welcome page, click Next.
  3. On the End-user License Agreement page, accept the terms of the license agreement, and then click Next.
  4. On the Select Installation Folder page, do one of the following:
    • Type the location of the folder where you want to install the program, and then click Next.
    • Click Browse and select the location of the folder where you want to install the program, and then click Next.
    • Click Next to keep the default location.
  5. You are now ready to begin the installation. Click Install.
  6. The installation starts. When the installation process finishes, the last page of the installation wizard is displayed. Select the Open the Electronic Evidence Examiner Driver pack page checkbox to open the page for downloading E3 Mobile Driver Pack and click Finish.
  7. The installation is now complete.

Mobile Driver Pack Installation

After the installation of E3: DS, you need to install a separate Mobile Driver Pack. The driver pack is included with your installation CD or you can download it from the Paraben website (www.paraben.com/download/products). This driver pack allows you to have the necessary drivers for the majority of mobile devices.

Electronic Evidence Examiner uses SHA-2 code signing, which is not supported by Windows 7 without a security update. Without the update, driver installation is repeatedly interrupted by requests to confirm every driver installation. To install the update, follow this link:

https://technet.microsoft.com/en-us/library/security/3033929

If the problem persists, try installing the Microsoft hotfix. To install the hotfix, follow this link: https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=2598139&kbln=en-us

To install the E3 Mobile Driver Pack:

  1. Start the E3 Mobile Driver Pack installation application.
  2. On the Welcome page, click Next.
  3. On the End-user License Agreement page, accept the terms of the license agreement, and then click Next.
  4. On the Customize Setup page, click Next.
  5. You are now ready to begin the installation. Click Install.
  6. The installation starts. After it finishes, click Finish.

E3:DS License Activation

When you launch Electronic Evidence Examiner, you are prompted to activate the product. The following types of activation are available:

  • Internet licensing
  • Direct Machine licensing
  • Dongle licensing

Additionally, you can request a trial version of E3:DS (https://www.paraben.com/forms/request-trial) to try the full product functionality for a limited time period. 

Internet Licensing

You can connect to the web license server as a Paraben user or an E3 user created under your Paraben account. For more information on E3 users, see the help file.

To activate E3:DS via Internet licensing, do the following:

  1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
  2. The Activation wizard opens.
  3. In the Activation wizard, select the Internet License option (selected by default) and click Activate.
  4. The Connect to Web License Server dialog is displayed.
  5. Enter your Paraben user or E3 user login and password and click Connect.

To automatically connect to the server under the same account in the future, select the Save credentials for future use checkbox.

You can change the settings of this option in Case > Options > Common.

  6. Electronic Evidence Examiner connects to the web license server and checks what packages are available for this account.
  7. If the E3:DS package is available (not activated on another computer), it becomes activated. You can start working with E3: DS.

Direct Machine Licensing

This type of activation is preferable if you intend to use E3:DS on one computer only.

You can activate the product over the Internet or by telephone.

To activate the product over the Internet, do the following:

  1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
  2. The Activation wizard opens.
  3. Select Direct Machine License and click Activate.
  4. On the next page of the wizard, select the Over the Internet activation type and click Next.
  5. The Enter Your Product ID page opens. Click Add and enter the Product ID of the package you want to activate (you can enter one or more Product IDs). Then click Activate.

You can find your Product ID in the email message that was sent to you after you bought the product.

  6. After the package is activated, the last page of the Activation wizard opens.
  7. Click Finish to exit the wizard.

To activate the product by telephone, do the following:

  1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
  2. The Activation wizard opens.
  3. Select Direct Machine License and click Activate.
  4. On the next page of the wizard, select the By telephone activation type and click Next.
  5. The Phone Activation page opens.
  6. Follow the steps described on the page: call the support center and dictate the Product ID(s) and the Registration key displayed on the Phone Activation page.

You can find your Product ID in the email message that was sent to you after you bought the product.

  7. When you receive the Activation key, enter it in the corresponding field and click Activate.
  8. After the package is activated, you will see the last page of the Activation wizard.
  9. Click Finish to exit the wizard.

Dongle Licensing

To activate E3:DS via dongle, do the following:

  1. Purchase a dongle separately either with your sales representative or via our shopping cart. The Dongle fee is not included in your license fee.
  2. Get the dongle delivered to you.
  3. Download Dongle Manager (https://www.paraben.com/download/products) and install it on any computer with Internet connection.
  4. Plug the dongle into your computer, start Dongle Manager and update the dongle.
  5. Install the Dongle Manager on the computers where E3:DS will be used.
  6. Plug in the dongle and start Electronic Evidence Examiner.  

As long as the dongle is plugged in, E3:DS will work. 

If you ordered a dongle but want to use E3:DS before your dongle arrives: You can request a temporary activation key that will expire in 30 days. The key can be requested from the Paraben support center.

Working in E3:DS

When your license is in place, you can begin using E3:DS. 

Exploring E3:DS Interface

The interface is divided into the following parts: 

  • The Ribbon: This part of the interface contains controls for work with E3:DS.
  • Main window containing the following areas:
    • Tree-view area (on the left): Consists of the Case Content pane, which displays all the case items, and Sorted Files pane, which displays files sorted by categories.
    • Data View area (in the center): Displays the content of folders and grids and other panes, such as Sorted Files, Search, Case History, and others.
    • Viewers and Bookmarks area (on the right): Consists of different viewers, which display images, thumbnails, text, and hex data, the Properties pane, which displays file properties, and the Bookmarks pane, which displays the bookmarks created in the case.
    • Tasks and secondary panes area (at the bottom): Consists of the Tasks pane, which allows a user to view the status of search, export, sorting, mobile data acquisition and import, and report generating tasks, the Hashes pane, which displays the attached hash databases, and the Common Log pane, which allows a user to view the Common Log created during one session of E3: DS.

You can hide, show, and resize panes as you work to see more or less information. If you want to reset the display to the default settings, on the View tab, in the Layout Management group, click Restore Layout.

E3:DS Data Examination Process

E3:DS offers you the following functions for evidence examination:  

  • Creating a case
  • Acquiring mobile data
  • Importing data
  • Performing content analysis
  • Examining data
  • Creating reports
  • Exporting data

Each of these is outlined in this guide with more comprehensive information available in the help file that can be opened from the Case menu of E3:DS.

Creating Case

When you initially start E3:DS, you need to create a case. There are two ways of creating a new case: automatic and manual.

To create a new case automatically, click Acquire Device or Import Data on the Welcome screen that appears at E3:DS start-up. The Case (<n>).e3 case is created automatically in C:\Users\<user name>\Documents\Paraben Corporation\Paraben’s Electronic Evidence Examiner\. The Acquisition or Import wizard opens. 

To create a new case manually:

  1. In the Case menu, click Create New Case.
  2. The New Case wizard opens.
  3. On the Case Properties tab, enter the case name (the name of the *.e3 file where the case will be saved) and the case description. The Case name is a required field.
  4. Select the Additional Information tab, enter the investigator information (if necessary), and click Finish.
  5. Select the folder in which the case will be stored (C:\Users\<User>\Documents\Paraben Corporation\Paraben’s Electronic Evidence Examiner by default) and click Save.
  6. A new case is created.

Acquiring Data

After creating a case, you need to acquire data from your device.

Data acquisition is the automatic collection of data from the device. It starts with connecting the device to the computer with data cable and ends when an E3 mobile data case file with acquired device data is added as evidence to the currently opened case. 

The process of data acquisition completely depends on the type of device from which data is acquired. For more information, consult the help file.

Generally, the acquisition process consists of four steps:

  • Preparation step: Preparing your device for acquisition. Consult the help file to get more information about preparing your device for acquisition. Some devices must be turned off, or need additional settings defined on the device, before acquisition.
  • Selection step: Starting the acquisition wizard and selecting a device for acquisition.
  • Acquisition step: Reading data from the device.
  • Final step: Adding an E3 mobile data case file with acquired data to the currently opened case.

You can perform acquisition via automatic device detection or manual plug-in selection. We recommend using automatic detection for acquisition and using manual plug-in selection only if you have problems with device detection or your device cannot be acquired via automatic detection (see the description of the acquisition process for your device in the help file).

To acquire data from your device via automatic detection:

  1. Prepare your device for acquisition:
    • Make sure the device is charged.
    • Choose the proper cable or cradle for your device.
    • Check that drivers for USB connection are installed.
    • Define connection properties if necessary.
    • Some devices require a SIM card to be inserted to perform acquisition so make sure a SIM card is inserted for such devices.
  2. Launch Electronic Evidence Examiner with administrator privileges.
  3. Click Acquire Device on the Welcome screen or click Start Acquisition on the Evidence tab, in the Mobile Data group.
  4. The Acquisition wizard opens.
  5. On the Home page, the icon of your device will be displayed. Click the icon of the required device. If your device icon is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work only with one connected device at a time.

Some devices cannot be acquired via automatic detection. If your device is not detected, consult the troubleshooting or use manual plug-in selection.

  6. On the Acquisition Type page, select the type of acquisition to be performed.
  7. If additional actions are required to perform the acquisition, you will be prompted to select them on the Pre-acquisition Options page. Select the required options and click the link to the next page.
  8. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click the link to the next page.
  9. If special acquisition instructions are available for the device, they will be displayed on the Instructions page. Click Start Acquisition.
  10. The data acquisition starts and a new Mobile Data Acquisition task is added to the Tasks pane, where you can view its general progress.

The progress is also displayed on the Acquisition Progress page where you can see which features were successfully acquired and which features were not acquired and why.

Some devices require your interaction during the acquisition process. For more information, consult the help file.

  11. When the data acquisition finishes, the E3 mobile data case with acquired data is saved in the same location as the currently open case and is added to it as evidence. Click Finish.

The name of the E3 mobile data case with acquired data is: <case name>_Acquisition_<date and time of acquisition>.ds

To acquire data from your device via manual plug-in selection:

  1. Prepare your device for acquisition (the same as for automatic detection).
  2. Click Acquire Device on the Welcome screen or click Start Acquisition on the Evidence tab, in the Mobile Data group.
  3. The Acquisition wizard opens.
  4. On the Home page, click Manual Plug-in Selection.
  5. On the Plug-in Selection page, select the plug-in corresponding to the device manufacturer and the type of acquisition you want to perform.
  6. If additional actions are required to perform the acquisition, you will be required to select them on the Pre-acquisition Options page. Click Continue.
  7. On the Connection Selection page, select the port to which the device is connected. Click the Instructions link if specific instructions are available for your device or click Start Acquisition.
  8. The rest of the acquisition process is performed the same way as for the automatic detection.

Importing Data

Electronic Evidence Examiner allows you to import RIM Blackberry backup files, non-encrypted iPhone 1.x-10.x and encrypted iPhone 1.x-9.x backup files, Cellebrite UFED cases, Tarantula backup data, tower information, and GPS and KML maps.

To import data, do the following:

  1. Launch Electronic Evidence Examiner with administrator privileges.
  2. Click Import Data on the Welcome page or click Import From on the Evidence tab, in the Mobile Data group.
  3. On the Imported data type page, select the type of data for importing. Click Next.
  4. On the Source page, click Browse.
  5. The standard Open window opens. Navigate to the location of the required file and click Open.
  6. For tower information, define the Date format of imported data from the drop-down list and define the period for which data is to be imported.
  7. Click Finish.
  8. For encrypted backups, you will be asked to enter a password. Enter a password and click Next.
  9. The import process starts and the Import stored mobile data task is added to the Tasks pane where its general progress can be viewed. The progress is also displayed on the Importing File Process page of the Import wizard.
  10. If the import process completes successfully, you will see the last page of the wizard. Click Finish to exit the wizard.
  11. The imported data is saved to an E3 mobile data case in the same location as the currently open case and is added to it as evidence.

The name of the E3 mobile data case with imported data is: <case name>_Import_<date and time of import>.ds

Content Analysis

After data is acquired or imported and added as evidence to a case, you can sort data into certain categories, index keywords in this data, and perform text extraction from graphical files. The content analysis operations expedite your work with binary files of different formats and allow you to perform quick searches by indexed keywords and text searches by text contained in graphic files.

E3:DS automatically sorts files into the following types:

  • Documents
  • Email
  • Chats
  • Spreadsheets
  • Graphics
  • Databases
  • Executable
  • Compressed
  • Multimedia
  • Text
  • XML
  • Encrypted
  • Financial Files
  • Others
  • Image Analyzer Results

To perform content analysis, do the following:

  1. Open the Content Analysis window in one of the following ways:
    • If you performed acquisition or import of mobile data or added evidence, the Content Analysis window opens automatically if the evidence contains analyzable data.
    • Select the evidence, folder, or file in which you want to perform content analysis and, in the context menu or on the Analysis tab, in the Content Analysis group, select Content Analysis > Content Analysis.
  2. On the General options page, do the following and click Next:
    • Select the Sort Data checkbox to sort data into different categories according to their file types.
    • Select the Index keywords checkbox to index keywords in files for faster text searches.
    • Select the Extract and index keywords from graphic files (OCR) checkbox to extract text contained in image files and automatically add keywords from the text to a keyword database and select the Language for keyword extraction.

The Malware Scan option doesn’t work with files commonly stored on mobile devices. For detection of potential malware on mobile devices, use the Application Permissions grid (see the help file for more information).

  3. On the Data analysis options page, define the following options and then click Next:
    • Recursive data analysis in: Select the types of data that should be analyzed within the embedded evidence.
    • Include files of undetected format: If this option is selected, files whose type cannot be defined will be placed to the Unknown category during sorting, otherwise they will be skipped.
    • Save current wizard options as default: If this option is selected, then the defined sorting and indexing options are saved as the default options.
  4. On the Advanced options page, leave the default options (these options do not affect content analysis in mobile data), click Next.
  5. On the Image Analyzer page, define the following options:
    • Use Image Analyzer: If this option is selected, the Image Analyzer will be used while sorting graphic files.
    • Engine sensitivity: The larger the value of the engine sensitivity, the more images will be put in the Highly suspect and Suspect categories.
    • Use file filter: If this check box is selected, then only files of the defined size will be checked by Image Analyzer.
    • Use resolution filter: If this check box is selected, then only images of the defined size will be checked by Image Analyzer.

Image analysis will be performed only when you perform file sorting.

  6. Click Finish.
  7. The content analysis task starts. Its progress is displayed in the Tasks pane, where it can be viewed, paused, stopped, and started.

The results of file sorting can be viewed on the Sorted Files pane.

For keyword indexed files, keyword searches can be performed (see the help file for more information).

Text extracted from graphic files can be viewed on the Extracted Text viewer for the selected file and keyword searches can be performed in the images with extracted text.

Examining Files

After acquiring data, the next step is to examine it to determine what you have acquired. E3:DS gives you several options for examining files and data sources. 

These include the following tools:

  • Data View pane: It allows you to view content of a selected folder or parsed data such as Call logs, SMS messages, Phonebooks, Calendar, etc.

It also allows you to parse and view the content of SQLite databases stored on device. These databases store such data as call logs, messages, and application data.

  • Text viewer and Hex viewer: These allow you to view non-parsed binary data in text and hex format.
  • File viewer: It allows you to view graphics (.bmp, .gif, .ico, .jpg, .png, .wdp, and .tiff) and files in their original format (.doc, .docx, .xls, .xlsx, .pdf, .odt, and .rtf).
  • Attachments viewer: It allows you to view data related to grid records as well as information that is too big to fit in a grid.
  • Extracted Text viewer: It allows you to view the text extracted from a graphic file (OCR) during sorting, advanced search, or just by selecting a certain image and viewing the text extracted from it.

 

To view parsed text data:

  1. In the Case Content or the Data View pane, navigate to the node you want to look at.
  2. The node content is displayed in the Data View pane in the grid form.
  3. You can define column width and column order, perform data grouping, and sort data in the grid.

 

To parse and view the content of SQLite databases:

  1. Navigate to a database file in the Data View pane. These databases have SQLite database type in the Type column and are marked with the embedded evidence icon.
  2. Double-click the database in the Data View pane to parse it.
  3. The database is parsed. The database tables are available under the SQLite database > Tables node in the parsed database.
  4. Click a table to view its content.
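
The table listing from the steps above can be cross-checked outside E3:DS on an exported copy of a database. The following Python code is an added example, not part of Paraben's guide or product: it opens the copy read-only, lists each table with its row count, and confirms that the file hash is unchanged afterwards. The `calls` and `sms` tables and their rows are constructed sample data, not a real device schema.

```python
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_tables(db_path):
    """Open db_path read-only and return ({table: row_count}, hash_before, hash_after)."""
    before = sha256_of(db_path)
    # mode=ro refuses writes; immutable=1 additionally disables locking and
    # change detection, for a working copy that nothing else is modifying.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    conn = sqlite3.connect(uri, uri=True)
    try:
        names = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        counts = {}
        for name in names:
            # Table names come from the evidence file, so quote them as identifiers.
            quoted = '"' + name.replace('"', '""') + '"'
            counts[name] = conn.execute(
                f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
    finally:
        conn.close()
    after = sha256_of(db_path)
    return counts, before, after


def build_sample(db_path):
    """Create a small constructed database standing in for an exported file."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE calls (id INTEGER PRIMARY KEY, number TEXT, ts TEXT)")
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO calls (number, ts) VALUES (?, ?)",
        [("555-0100", "2016-11-01T10:00:00"), ("555-0101", "2016-11-02T11:30:00")])
    conn.execute("INSERT INTO sms (sender, body) VALUES (?, ?)",
                 ("555-0100", "constructed message"))
    conn.commit()
    conn.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "sample.db")
        build_sample(sample)
        counts, before, after = list_tables(sample)
        for table, rows in counts.items():
            print(f"{table}: {rows} rows")
        print("hash unchanged:", before == after)
```

Run it against a working copy of the exported file rather than the original evidence, and record the reported hash with the case notes.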

 

To view non-parsed data content:

  1. On the View tab of the ribbon, in the Viewers group, make sure all viewers are enabled.
  2. In the Data View pane, navigate to the file you want to look at.
  3. The file content is displayed in the Viewers pane. Select the appropriate tab to see information in the format you want.
  4. Click the pane edge to resize it if necessary.

Creating Reports

An E3:DS report is a summary of the currently open case that can be printed, e-mailed, etc. 

The following types of reports are available for mobile data: 

  • HTML Evidence Summary Report: This report includes information on case evidence added to the case, information about the Investigator (optional), and supplementary external files. Data is displayed in the HTML format.
  • Mobile Data Review Report: This type of report includes detailed information on all mobile data acquired by the Android Logical plug-in. Information is represented in the HTML format with hyperlinks, providing a most convenient view of mobile case data.
  • Mobile Evidence Timeline Report: This report contains timeline representation of mobile data in the HTML format.
  • Mobile Evidence PDF Report: This type of report contains mobile data in the PDF format.
  • HTML Investigative Report: This report includes any information selected by the user (different devices, evidence, bookmarks, and supplementary files). Data is displayed in the HTML format without hyperlinks. This report can be used for printing.
  • Simple Text Report: This type of report includes the same information as the HTML Investigative Report displayed in a similar way, but in the *.txt format.
  • Simple RTF Report: This type of report represents information in Rich Text Format and can be opened in any text editor that supports formatted text.
  • CSV Text Report: This type of report represents information in a tab-delimited format and can be opened in Microsoft Excel.

When you create reports, you can select specific files and information that you want to add to the report. You can select this information by clicking the Add to Report/File Export option in the context menu of an item in the Case Content or Data Viewer pane. You can also export evidence along with the report and add bookmarks and case information to it.

To create reports, do the following: 

  1. Navigate to the data in the Case Content or Data View pane and then select the check box next to the records, files or folders you want to include.
  2. On the Analysis tab, in the Reports group, select Generate Report.
  3. On the General options page of the Reports wizard, select the type of the report and the location where you want to save it.
  4. Click through the remaining pages of the wizard and select the options you need for your report. These options include file types, file properties, case information, whether you want to create a report with all evidence or only selected data, and so forth. The report options vary depending on the type of the report you select. For more information on the options, see the help file.
  5. Click Finish to begin the process of creating a report.
  6. The report generation starts and the report generation task is added to the Tasks pane where it can be viewed, paused, stopped, and started. Depending on the size and the options you select when creating a report, the generation process might take several minutes.
  7. The generated report opens automatically if the corresponding option was selected in the Report Wizard options.

 

Exporting Data

E3:DS allows you to export data from the case as separate files and export selected rows of a grid to spreadsheets.  You can use the check boxes in the Case Content or Data View panes to select which files, folders, grids, and rows of data you want to export.

You can:

  • Export currently selected data (file or folder)
  • Export data selected across the case (checked data)
  • Export data to spreadsheet
  • Export sorted files

 

To export the currently selected data:

  1. Select a folder or a grid in the Case Content or select multiple files and folders in the Data View pane by clicking corresponding items. Use the Shift and Ctrl keys for multi-selection.
  2. On the Export tab, in the Common Export group, click Export or click Export in the context menu.
  3. For folders, select whether you want to export selected folders with all their subfolders (Recursive) or just files stored in selected folders (Non-recursive).
  4. Select whether the data will be exported to a folder or an encrypted Forensic Container.
  5. Browse to the location you want to export data to (folder location or a Forensic Container file to which the data is to be exported).
  6. Define the Forensic Container password (if export to a Forensic Container is selected).
  7. Click Export.
  8. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

 

To export data selected across the case:

  1. Select the checkboxes near the files and folders you want to export in the Case Content and Data View panes.
  2. On the Export tab, in the Export to Native Format group, click Export Checked Files.
  3. For folders, select whether you want to export selected folders with all their subfolders (Recursive) or just files stored in selected folders (Non-recursive).
  4. Select whether the data will be exported to a folder or an encrypted Forensic Container.
  5. Browse to the location where you want the data to be exported (folder location or a Forensic Container file to which the data is to be exported).
  6. Define the Forensic Container password (if the export to a Forensic Container is selected).
  7. Click Export.
  8. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

To export data to spreadsheet:

  1. In the Data View pane, select the rows to be exported. Use the Shift and Ctrl keys for multi-selection.
  2. Click Export Info to Spreadsheet in the context menu or in the Export tab, in the Common Export group.
  3. Define the location and the name of CSV file to be created and click Save.
  4. When the export process finishes, you receive a confirmation message. Click OK.
  5. Data is exported.

 

To export sorted files from a case: 

  1. Perform sorting.
  2. Open the Sorted Files pane and select the category for exporting or the Sorted Files node to export all categories or select several files from the selected category using the Shift and Ctrl keys.
  3. Click Export in the context menu or on the Export tab, in the Common Export group.
  4. Select where the files will be saved and click OK.
  5. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

Additional Features

This quick start guide has the basic features you need to begin working with E3: DS. However, E3:DS has a powerful set of additional features for more convenient, more complete analysis. Below you can see a list of these options and their short descriptions. For more details on each, please see the Electronic Evidence Examiner help file.

  • Advanced Search: Allows you to look for text and hex strings in the evidence using multiple search parameters (including regular expressions search, Boolean search, and keywords search).
  • Sorted Files Search: Allows you to search for files by name, hash code, creation date, etc.
  • Keywords Search: Allows you to filter out already found keywords according to your search request thus making the search process much faster.
  • Bookmarks: Allows you to create bookmarks for quicker navigation around the case.
  • Case History: Displays a list of performed case-related tasks and processes.
  • Options wizard: Allows you to change and save the default settings for E3: DS.
  • Cloud data import: Allows you to import data from cloud-based services, such as Facebook, Gmail, Google Locations, and others using an authentication data file extracted from logically acquired Android OS data, or from an imported encrypted iTunes backup, or using user account credentials.
  • SIM Cloner: Allows you to duplicate identification files from a GSM SIM card to a blank card.
  • Mobile Data Comparer: Allows you to compare cases with acquired or imported mobile data and create a mobile data comparison report.
  • Suspicious Application Detection: Allows you to view permissions required by each application installed on the acquired device and see the application suspicion level based on these permissions.
  • Application Data Parsing: Allows data associated with specific applications to be parsed and reviewed quickly in E3: DS. Application support is limited to Android and iOS devices and RIM BlackBerry 10 backups based on the following chart:

 

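| Application | iOS | Android | BlackBerry 10 Backup |
| --- | --- | --- | --- |
| BB Messenger | | | X |
| Chrome | X | X | |
| DJI Go | X | | |
| Evernote | X | | X |
| Facebook | X | X | |
| Facebook Messenger | X (iOS 7.x and higher) | X | |
| Gmail | X | | |
| Pinger | | X | |
| Skype | X | X | X |
| Snapchat | | X | |
| TextFree | X | X | |
| TextPlus | X | X | |
| Tinder | X | X | |
| Twitter | X | | |
| Vkontakte | X | X | |
| VoiceMail | X | | |
| WhatsApp | X | X | X |
| Whisper | X | X | |
| WeChat | | | X |
| Yik Yak | X | | |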

Unavailable Options

You can find some unavailable options in the E3:DS interface, for example, adding certain types of evidence, like Logical/Physical Drives, E-mail Databases, etc. If you are interested in using these options, you can purchase an E3:P2C package (for computer forensic analysis) or upgrade your package to E3:Universal.


