E3 VIEWER Aurora 1.0 Getting Started
Posted by Jack H. Ward on 30 November 2016 05:40 PM

Navigation:

  • Introducing E3:VIEWER
    • E3 Packages
    • E3:VIEWER Related Tools
      • P2X Pro
  • Installing and Configuring E3:VIEWER
    • Computer System Requirements
    • Installing Electronic Evidence Examiner
    • E3:VIEWER License Activation
      • Direct Machine Licensing
    • Installing the FOCH/NIST Database
  • Working with E3:VIEWER
    • Exploring E3:VIEWER Interface
    • E3:VIEWER Data Examination Process
      • Creating Case
      • Opening Case
      • Adding Evidence
      • Content Analysis
      • Examining Files
      • Creating Reports
      • Exporting
  • Additional Features
  • Unavailable Options


Introducing E3:VIEWER

Aurora Edition 1.0

Paraben's Electronic Evidence Examiner — E3 is a comprehensive digital forensic analysis tool designed to handle more data, more efficiently, while adhering to Paraben's P2 Paradigm of specialized focus on the entire forensic exam process. E3:VIEWER is for processing data created by Project-aPhone, DP2C, Fact Finder Stick, and Paraben’s E3:DS. E3:VIEWER is included with the purchase of the above products as part of the purchase price. E3:VIEWER carries a separate subscription if purchased independently; otherwise it is included in the subscription renewal of its companion product.

E3:VIEWER allows the user to open the following data storages:

  • Forensic containers created by Deployable P2C and Fact Finder Stick, including parsing and investigation of the mail archives, chat databases, Internet browser data, OLE storages, archives, and other files stored in them.
  • Mobile data case files with data acquired from smartphones, feature phones, GPS devices, eReaders, SIM cards, and other devices via Paraben’s DS/E3:DS.
  • Data folders created by Project-a-Phone.

E3:VIEWER also supports multi-parameter searches, report generation in different formats, and more.

E3 Packages

Electronic Evidence Examiner comes with a broad range of tools for working with digital evidence. These tools are available in different E3 packages, which include:

  • E3:UNIVERSAL: This package allows you to work through all types of digital data, such as physical and logical drives, disk images, email and chat databases, Internet browser data, mobile devices, cloud data, device backups, and more. It includes the full functionality of the E3:DS and E3:P2C packages and comes with the additional Auto-exam feature, which automatically processes evidence added to a case.
  • E3:DS: This package allows you to perform acquisition of mobile devices, import data from such sources as device backups, GPS maps, and cloud based services, and investigate other types of mobile device related evidence.
  • E3:P2C: This package allows you to analyze various types of digital evidence stored on an investigated computer, such as physical and logical drives, disk images, email and chat databases, Internet browser data, and more.

E3:VIEWER Related Tools

Paraben makes other tools that complement the operations of E3:VIEWER.

P2X Pro

P2X Pro allows you to mount disk images and access them as if they were a read-only drive on your computer. P2X Pro assigns a drive letter to each mounted virtual hard drive. Once mounted, you can access files and applications as though they were installed on your computer.

Malware and other malicious software contained in an image can infect your computer if it is accessed using P2X Pro.


Installing and Configuring E3: VIEWER

The E3:VIEWER deployment consists of the following steps:

  • Installation of the program
  • Activation of the E3:VIEWER package
  • Installation of the FOCH/NIST database (optional)

Computer System Requirements

E3:VIEWER requires the following computer system:

  • Operating system: Microsoft Windows 7 SP1 or newer (32-bit or 64-bit)
  • RAM: 4 GB (8 GB recommended)
  • .NET Framework version 4.5 or later

Installing Electronic Evidence Examiner

To install Electronic Evidence Examiner:

  1. Download Electronic Evidence Examiner through your registration site account.
  2. Run the Electronic Evidence Examiner installation file.
  3. Start the Electronic Evidence Examiner installation application.
  4. On the Welcome page, click Next.
  5. On the End-user License Agreement page, accept the terms of the license agreement, and then click Next.
  6. On the Select Installation Folder page, do one of the following:
    • Type the location of the folder where you want to install Electronic Evidence Examiner, and then click Next.
    • Click Browse and select the location of the folder where you want to install Electronic Evidence Examiner, and then click Next.
    • Click Next to keep the default location.
  7. You are now ready to begin the installation. Click Install.
  8. The installation starts. After it finishes, the last page of the installation wizard is displayed. Clear the Open the Electronic Evidence Examiner Driver pack page checkbox (these drivers are not required for E3: VIEWER) and click Finish.
  9. Electronic Evidence Examiner is installed and you can activate your package now.

E3:VIEWER License Activation

When you launch E3:VIEWER, you are prompted to activate the product. Please note that the only activation type available for E3:VIEWER is Direct Machine License.

Direct Machine Licensing

You can activate E3:VIEWER over the Internet or by telephone.

To activate E3:VIEWER over the Internet, do the following:

  1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
  2. The Activation wizard opens.
  3. Select Direct Machine License and click Activate.
  4. On the next page of the wizard, select the Over the Internet activation type and click Next.
  5. The Enter Your Product ID page opens. Click Add and enter the Product ID of the package you want to activate (you can enter one or more Product IDs). Then click Activate.
     You can find your Product ID in the email message that was sent to you after you bought the product.
  6. After the package is activated, the last page of the Activation wizard opens.
  7. Click Finish to exit the wizard.

To activate E3:VIEWER by telephone, do the following:

  1. Start Electronic Evidence Examiner and click Activate in the dialog displayed on start.
  2. The Activation wizard opens.
  3. Select Direct Machine License and click Activate.
  4. On the next page of the wizard, select the By telephone activation type and click Next.
  5. The Phone Activation page opens.
  6. Follow the steps described on the page: call the support center and dictate the Product ID(s) and the Registration key displayed on the Phone Activation page.
     You can find your Product ID in the email message that was sent to you after you bought the product.
  7. When you receive the Activation key, enter it in the corresponding field and click Activate.
  8. After the package is activated, you will see the last page of the Activation wizard.
  9. Click Finish to exit the wizard.

Installing the FOCH/NIST Database

The FOCH (Filter Out Common Hashes) database is a set of hash values for files that ship with many common operating systems; it is based on the NIST database of known hash values.

E3:VIEWER uses this hash set to filter out the common files, so that it does not have to sort and rehash them each time you perform scanning.

To install the FOCH Database, do the following:

  1. Download the database from https://www.paraben.com/downloads/tools/foch.exe.
  2. Run the downloaded executable.
  3. Type the location where you want to place the database. It should be a folder named CommonFiles (NIST) placed in the root directory where you installed Electronic Evidence Examiner. The correct location is provided by default if you selected the default location when installing Electronic Evidence Examiner.
  4. Click Install.

For more detailed information on installing and using the FOCH database, see the help file.

Working with E3: VIEWER

Once E3:VIEWER is licensed, you can start using the program.

Exploring E3:VIEWER Interface

The interface is divided into the following parts:

  • The Ribbon: This part of the interface contains the controls for working with E3:VIEWER.
  • Main window containing the following areas:
    • Tree-view area (on the left): Consists of the Case Content pane, which displays all the case items and Sorted Files pane, which displays files sorted by categories.
    • Data View area (in the center): Displays the content of folders and grids and other panes, such as Sorted Files, Search, Case History, and others.
    • Viewers and Bookmarks area (on the right): Consists of different viewers, which display images, thumbnails, text, and hex data, the Properties pane, which displays file properties, and the Bookmarks pane, which displays the bookmarks created in the case.
    • Tasks and secondary panes area (at the bottom): Consists of the Tasks pane, which allows the user to view the status of search, export, sorting, and report generating tasks, the Hashes pane, which displays the attached hash databases, and the Common Log pane, which allows the user to view the Common Log created during one session of E3: VIEWER.

You can hide, show, and resize panes as you work to see more or less information. If you want to reset the display to the default settings, on the View tab, in the Layout Management group, click Restore Layout.

E3:VIEWER Data Examination Process

In order to examine the evidence, E3:VIEWER offers you the following functions:

  • Creating a case
  • Opening a case
  • Adding evidence to a case
  • Performing content analysis
  • Examining files
  • Creating reports
  • Exporting data

Each of these functions is outlined in this guide with more comprehensive information available in the help file that can be opened from the Case menu of E3: VIEWER.

Creating Case

If you want to examine Project-a-Phone data, an E3 mobile data/DS case, or a Forensic Container that has not yet been added to a case as evidence, you first need to create a case.

To create a new case automatically, click Add Evidence on the Welcome screen that appears at E3:VIEWER start-up. The Case (<n>).e3 case is created automatically in C:\Users\<user name>\Documents\Paraben Corporation\Paraben’s Electronic Evidence Examiner. The Add New Evidence window opens.

To create a new case manually:

  1. In the Case menu, click Create New Case.
  2. The New Case wizard opens.
  3. On the Case Properties tab, enter the case name (the name of the *.e3 file where the case will be saved) and the case description. The Case name is a required field.
  4. Select the Additional Information tab, enter the investigator information (if necessary), and click Finish.
  5. Select the folder in which the case will be stored (C:\Users\<User>\Documents\Paraben Corporation\Paraben’s Electronic Evidence Examiner by default) and click Save.
  6. A new case is created.

Opening Case

To open an existing case:

  1. In the Case menu, select Open Case.
  2. The standard Open dialog opens so you can navigate to the case and double-click its name to open it (or click the Open button in the Open window).
  3. The case opens.

If you are opening a case that was created in E3:DS on another PC, make sure you have both the main Electronic Evidence Examiner case (.e3 file) and the acquired mobile data (.ds file) stored in the same location.

After opening such an E3:DS case, right-click the E3 mobile data case node and select Reload to create a correct link to the new location of the evidence.

Please note that you can also add E3 mobile data case as evidence without opening the main .e3 file.

To open a recently used case:

  1. In the Case menu, select Recent.
  2. From the list, select the case you want to open.

The ten most recently opened cases are displayed.


Adding Evidence

Adding evidence is the process of selecting which files and information you want to examine.

E3:VIEWER allows you to add Project-a-Phone data, an E3 mobile data/DS case, and Forensic Container evidence. If you performed an acquisition or import of data in E3, you can add the E3 mobile data case file with the acquired/imported data. It is located in the same location as the E3 case to which it was added and has the following name: <case name>_<Acquisition/Import>_<date and time of acquisition/import>.ds

To add evidence, do the following:

  1. Create a case.
  2. On the Evidence tab, in the Evidence group, click Add Evidence; or click Add New Evidence in the case node context menu; or select Add Evidence on the Welcome page of the program.
  3. In the Add New Evidence window, do one of the following, and then click OK:
    • To add acquired/imported data, in the Paraben Tools category, select E3 mobile data case file/DS case file.
    • To add a Forensic Container, in the Paraben Tools category, select Forensic container file.
    • To add Project-a-Phone data, in the Logical Drive or Folder category, select Project-a-Phone data.
  4. Browse to the file or folder with evidence data, and then click OK.
  5. Enter the Evidence name. By default, this is the name of the object you selected when you browsed. Click OK.
  6. When the evidence is added, it is displayed in the Case Content pane of E3:VIEWER.

Content Analysis

After you add data to a case, you can sort the data into categories, index keywords in it, scan the portable executable files it contains for signs of malware, and extract text from graphic files. These content analysis operations expedite your work with binary files of different formats: they allow you to perform quick searches by indexed keywords, detect suspicious files that might be malware, and perform text searches on text contained in graphic files.

E3:VIEWER automatically sorts files into the following types:

  • Documents
  • Email
  • Chat
  • Spreadsheets
  • Graphics
  • Databases
  • Executable
  • Compressed
  • Multimedia
  • Text
  • XML
  • Encrypted
  • Financial Files
  • Others


The following table shows the types of evidence and the availability of content analysis for each of them:

| Evidence Type          | Sorting          | Malware Scan | Text Extraction from graphic files | Keyword Indexing | Recursive content analysis in embedded evidence |
|------------------------|------------------|--------------|------------------------------------|------------------|-------------------------------------------------|
| Forensic Container     | +                | +            | +                                  | +                | +                                               |
| E3 mobile data/DS case | + (Binary files) | -            | + (Binary files)                   | +                | +                                               |
| Project-a-Phone data   | +                | -            | +                                  | +                | -                                               |


To perform content analysis, do the following:

  1. Open the Content Analysis window in one of the following ways:
    • If you have just added evidence, the Content Analysis window opens automatically when the evidence contains analyzable data.
    • Select the evidence, folder, or file in which you want to perform content analysis and, in the context menu or on the Analysis tab, in the Content Analysis group, select Content Analysis > Content Analysis.
  2. On the General options page, do the following and click Next:
    • Select the Sort Data checkbox to sort data into different categories according to their file types.
    • Select the Index keywords checkbox to index keywords in files, which allows performing faster searches in data.
    • Select the Extract and index keywords from graphic files (OCR) checkbox to extract text contained in image files and automatically add keywords from the text to a keyword database and select the Language for keyword extraction.
    • Select the Scan for malware checkbox to scan portable executable files for signs of malware.
  3. On the Data analysis options page, define the following options and then click Next:
    • Recursive sorting and keyword indexing in: Select the types of data that should be analyzed within embedded evidence (see the help file for more information on embedded evidence).
    • Include files of undetected format: If this option is selected, files whose type cannot be determined are placed in the Unknown category during sorting; otherwise they are skipped.
    • Perform data analysis in deleted data: If this option is selected, deleted data in the file system evidence will be recovered and content analysis for it will be performed.
    • Save current wizard options as default: If this option is selected, then the defined sorting and indexing options are saved as the default options.
  4. On the Advanced options page, select the Skip MSI installations, Skip CAB archives, Skip CHM help files and Skip unknown OLE streams options to make searching and keyword indexing faster. Click Next.
  5. Click Finish.
  6. The content analysis task starts. Its progress is displayed in the Tasks pane, where it can be viewed, paused, stopped, and started.

The results of file sorting can be viewed on the Sorted Files pane.

For keyword indexed files, keyword searches can be performed (see the help file for more information).

The results of the malware scan can be viewed on the Content Analysis tab of the Properties viewer.

Text extracted from graphic files can be viewed on the Extracted Text viewer for the selected file and keyword searches can be performed in the images with extracted text.

Examining Files

After sorting and indexing the files, the next step is their examination. E3:VIEWER provides you with several options for examining files and data sources. These include the following tools:

  • File viewer
  • Text viewer
  • Hex viewer
  • Thumbnails viewer
  • File slack hex viewer
  • File slack text viewer
  • Extracted Text viewer
  • Email Data viewer
  • Chat RTF viewer

The viewers can be enabled on the View tab, in the File Viewers and Advanced Viewers groups.

When you select a certain item, you can examine it in different viewer tabs that are displayed to the right of the Data View pane. If some of the viewers are not available for the selected item, they are inactive. For example, if you select a folder with no graphics, the Thumbnails viewer tab will be inactive.


To view files, file information, and their content, do the following:

  1. Make sure that all the viewer options are selected on the View tab, in the File Viewers and Advanced Viewers groups.
  2. Select the file you want to examine.
  3. Click the appropriate viewer tab to see the information displayed in the format you want. For example, click Hex View to view the file in Hex format and so forth.
  4. Click the edge of the pane to resize it if necessary.

File properties, including size, creation date, file name, and other properties, are displayed in the Properties pane, which is located on the right of the program window.


Creating Reports

An E3:VIEWER report is a summary of the currently open case that can be printed, e-mailed, and so forth.

E3:VIEWER allows you to create the following types of reports:

  • HTML Evidence Summary Report: This report includes information about all evidence added to the case, information about the Investigator (optional), and supplementary external files. Data is displayed in the HTML format.
  • HTML Investigative Report: This report includes any information defined by the user (evidence of different types, bookmarks, and supplementary files). Data is displayed in HTML format without hyperlinks.
  • Simple Text Report: This type of report includes the same information as the HTML Investigative Report displayed in a similar way, but in text format.
  • Simple RTF Report: This type of report represents information in Rich Text Format and can be opened in any text editor that supports formatted text.
  • CSV Text Report: This type of report represents information in a tab-delimited format and can be opened in Microsoft Excel.
  • HTML Email Message Report: This report includes information on email messages stored in the investigated mail archive stored in Forensic Container evidence. Data is displayed in the HTML format.
  • Malware Scan Results Report: This report includes information on all scanned executable files. Data is displayed in CSV format.
  • Mobile Evidence Timeline Report: This report contains timeline representation of mobile data in the HTML format.
  • Mobile Evidence PDF Report: This type of report contains mobile data in the PDF format.
  • Mobile Data Review Report: This type of report includes detailed information on all mobile data acquired by the Android Logical plug-in. Information is represented in the HTML format with hyperlinks, providing the most convenient view of mobile case data.

When you create reports, you can select specific files and information that you want to add to the report. You can select this information by clicking the Add to Report/File Export option in the context menu of an item in the Case Content or Data Viewer pane. You can also export evidence along with the report and add bookmarks and case information to it.

To create reports, do the following:

  1. Navigate to the data in the Case Content or Data View pane and then select the check boxes next to the records, files or folders you want to include.
  2. On the Analysis tab, in the Reports group, select Generate Report.
  3. On the General options page of the Reports wizard, select the type of the report and the location where you want to save it.
  4. Click through the remaining pages of the wizard and select the options you need for your report. These options include file types, file properties, case information, whether you want to create a report with all evidence or only selected data, and so forth. The report options vary depending on the type of the report you select. For more information on the options, see the help file.
  5. Click Finish to begin the process of creating a report.
  6. The report generation starts and the report generation task is added to the Tasks pane where it can be viewed, paused, stopped, and started. Depending on the size and the options you select when creating a report, the generation process might take several minutes.
  7. The generated report opens automatically if the corresponding option was selected in the Report wizard options.

Exporting

E3:VIEWER allows you to export data from the case as separate files and to export selected rows of a grid to spreadsheets. E3:VIEWER exports the files along with a hash file that can be used to ensure that the data has not been changed. You can use the check boxes in the Case Content or Data View panes to select which files, folders, grids, and rows of data you want to export.
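Both the FOCH/NIST filtering described under Installing the FOCH/NIST Database and the hash file written at export time rest on one idea: hash every file and compare the digest against a reference set. The Python below is an added example, not Paraben's code; E3:VIEWER's real hash-list and hash-file formats are not documented here, so the sha256sum-style manifest layout, the temporary directory, and the sample file names are assumptions.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large evidence files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def filter_known(paths, known_hashes):
    """Split files into those worth examining and those matching a known hash.
    known_hashes is a set of lowercase hex digests (the FOCH/NIST idea)."""
    to_examine, skipped = [], []
    for path in paths:
        (skipped if sha256_file(path) in known_hashes else to_examine).append(path)
    return to_examine, skipped

def write_manifest(paths, manifest_path):
    """Write 'digest  filename' lines (sha256sum style, an assumed layout)."""
    with open(manifest_path, "w", encoding="utf-8") as m:
        for path in sorted(paths):
            m.write(f"{sha256_file(path)}  {os.path.basename(path)}\n")

def verify_manifest(manifest_path, export_dir):
    """Return {filename: 'ok' | 'modified' | 'missing'} for every manifest entry."""
    status = {}
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            if not line.strip():
                continue
            expected, name = line.rstrip("\n").split("  ", 1)
            path = os.path.join(export_dir, name)
            if not os.path.isfile(path):
                status[name] = "missing"
            elif sha256_file(path) != expected:
                status[name] = "modified"
            else:
                status[name] = "ok"
    return status

def demo():
    """Constructed end-to-end run in a temporary directory (sample data, not real evidence)."""
    work = tempfile.mkdtemp()
    evidence, export = os.path.join(work, "evidence"), os.path.join(work, "export")
    os.makedirs(evidence)
    os.makedirs(export)
    samples = {"kernel32.dll": b"constructed OS library bytes",
               "notes.txt": b"meeting at 9", "photo.jpg": b"\xff\xd8\xff\xe0 constructed"}
    paths = []
    for name, data in samples.items():
        paths.append(os.path.join(evidence, name))
        with open(paths[-1], "wb") as f:
            f.write(data)
    # Constructed known-hash set: only the "OS library" counts as a common file.
    known = {sha256_file(paths[0])}
    to_examine, skipped = filter_known(paths, known)
    # Export only the files worth examining, then write the manifest beside them.
    exported = [shutil.copy(p, export) for p in to_examine]
    manifest = os.path.join(export, "hashes.sha256")
    write_manifest(exported, manifest)
    clean = verify_manifest(manifest, export)
    # Simulate post-export tampering with one file, then re-verify.
    with open(os.path.join(export, "notes.txt"), "ab") as f:
        f.write(b" (edited)")
    tampered = verify_manifest(manifest, export)
    return {"skipped": [os.path.basename(p) for p in skipped],
            "clean": clean, "tampered": tampered}
```

Running demo() shows the common file being skipped, a clean verification right after export, and the edited file flagged as modified afterwards.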

You can:

  • Export currently selected data (file or folder)
  • Export data selected across the case (checked data)
  • Export data to spreadsheet
  • Export sorted files

To export the currently selected data:

  1. Select a folder or a grid in the Case Content or select multiple files and folders in the Data View pane by clicking corresponding items. Use the Shift and Ctrl keys for multi-selection.
  2. On the Export tab, in the Common Export group, click Export or click Export in the context menu.
  3. For folders, select whether you want to export selected folders with all their subfolders (Recursive) or just files stored in selected folders (Non-recursive).
  4. Select whether the data will be exported to a folder or an encrypted Forensic Container.
  5. Browse to the location where you want the data to be exported (folder location or a Forensic Container file to which the data is to be exported).
  6. Define the Forensic Container password (if the export to a Forensic Container is selected).
  7. Click Export.
  8. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

To export data selected across the case:

  1. Select the checkboxes next to the files and folders you want to export in the Case Content and Data View panes.
  2. On the Export tab, in the Export to Native Format group, click Export Checked Files.
  3. For folders, select whether you want to export selected folders with all their subfolders (Recursive) or just files stored in selected folders (Non-recursive).
  4. Select whether the data will be exported to a folder or an encrypted Forensic Container.
  5. Browse to the location where you want the data to be exported (folder location or a Forensic Container file to which the data is to be exported).
  6. Define the Forensic Container password (if the export to a Forensic Container is selected).
  7. Click Export.
  8. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.


To export data to spreadsheet:

  1. In the Data View pane, select the rows to be exported. Use the Shift and Ctrl keys for multi-selection.
  2. Click Export Info to Spreadsheet in the context menu, or on the Export tab, in the Common Export group.
  3. Define the location and the name of CSV file to be created and click Save.
  4. When the export process finishes, you receive a confirmation message. Click OK.
  5. Data is exported.


To export sorted files from a case:

  1. Perform sorting.
  2. Open the Sorted Files pane and select the category to export, or the Sorted Files node to export all categories, or several files from the selected category using the Shift and Ctrl keys.
  3. Click Export in the context menu, or on the Export tab, in the Common Export group.
  4. Select where the files will be saved and click OK.
  5. The export process is displayed in the Tasks pane, where it can be stopped, paused, and started.

Additional Features

This quick start guide outlines the basic features you need to begin working with E3:VIEWER. However, E3:VIEWER has a powerful set of additional features for more convenient and more complete analysis. Below is a list of these options with short descriptions. For more details on each, please see the Electronic Evidence Examiner help file.

  • Advanced Search: Allows you to look for text and hex strings in the evidence using multiple search parameters (including regular expressions search, Boolean search, and keywords search).
  • Sorted Files Search: Allows you to search for files by name, hash code, creation date, etc.
  • Keywords Search: Allows you to filter out already found keywords according to your search request thus making the search process much faster.
  • Bookmarks: Allows you to create bookmarks for quicker navigation around the case.
  • Case History: Displays a list of performed case-related tasks and processes.
  • Options wizard: Allows you to change and save the default settings for E3: P2C.
  • Forensic Container creation: Allows you to create an encrypted Forensic Container to store your data safely and to export files and folders to it.
  • Printing messages: Allows you to print out an email message.
  • Mobile Data Comparer: Allows you to compare cases with acquired or imported mobile data and create a mobile data comparison report.
  • Mobile Data Validation: Allows you to check the integrity of mobile data evidence added to a case.

Unavailable Options

E3:VIEWER is designed to let you examine data created by existing Paraben products. If you are interested in analyzing data stored on computers or mobile devices, you can purchase E3:DS (for mobile forensic analysis), E3:P2C (for computer forensic analysis), or E3:Universal (for mobile and computer forensic analysis).
