Knowledgebase
We are constantly updating our YouTube Channel with How-To videos for our customers with Paraben's E3 Software. Check them out and subscribe! https://www.youtube.com/user/ParabenForensics
How to Turn ON and Collect Logs within E3 * Case * Options * Check * Enable extended logs * Enable logging for plug-ins * Enable serial log during mobile acquisition (IF acquiring a mobile device) * REPRODUCE THE ISSUE * Archive folder...
Acquired/imported mobile data is saved as an E3 mobile data case, which is a file with the .ds extension stored in the same folder as the Electronic Evidence Examiner case to which the data was acquired or imported. The E3 mobile data case file name has t...
Scanning for malware means analyzing Windows portable executable files for the signs indicating that a file might be malware. The portable executable files, as a rule, have the following extensions: *.com, *.cpl, *.dll, *.efi, *.exe, *.mst, *.mui, *.ocx...
Archive Evidence is a link to an archive that allows the user to examine its structure and contents. All files/folders added to the archive can be viewed and examined in the same way as general file system evidence. Electronic Evidence Examiner support...
Chat Database Evidence is a link to a database created by any instant messaging application. TO ADD NEW CHAT DATABASE EVIDENCE TO THE CASE: 1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add Ne...
File System Evidence is a link to any type of storage device containing files that allows the examiner to view and examine its structure and contents. File system evidence can recover the contents of deleted files and folders on a computer and view compre...
To add new file system evidence to the case: 1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence. 2. If no case has been created, the New Case wizard will open. This allows the user t...
Electronic Evidence Examiner allows you to add raw memory dump files as evidence. These files contain information on all processes that were running on the computer when the dump was created. Memory dump files created by Win32dd, Mandiant’s Memoryze, Man...
Forensic Container is a secure encrypted database that contains data acquired by Electronic Evidence Examiner or DP2C. Data in a forensic container is encrypted and cannot be accessed by any other means except Electronic Evidence Examiner or Evidence Revi...
Internet Browser Data includes data created by Internet Explorer, Mozilla Firefox, and Google Chrome: * For Internet Explorer (up to version 10): Internet data is stored in a special dat file. This file can contain history, cookies, or temporary inter...
iTunes backup is a database created by iTunes that contains backup data from iPhone, iPad, and iPod Touch devices. iTunes backup data is stored in a folder, containing the following files: * plist * mdbd * plist * plist iTunes backup data def...
ABOUT JTAG MEMORY DUMP EVIDENCE JTAG memory dump is a raw image of device physical memory created with the help of the RIFF Box (RIFF JTAG) hardware. To investigate JTAG memory dump evidence, you need to have one of the following packages: * E3: U...
A Mailstorage or Email Evidence is a link to a mailstorage (email database) that allows the user to view and examine its structure and content. Generally, a mailstorage consists of folders, each of which can include messages, which, in their turn, can hav...
OLE Storage Evidence is a link to any file of OLE storage format that allows the user to view its structure and examine it. TO ADD NEW OLE STORAGE EVIDENCE TO THE CASE: 1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click th...
ABOUT PROJECT-A-PHONE DATA EVIDENCE Project-a-Phone Data evidence contains files created by Paraben's Project-a-Phone, a special tool for taking high resolution screenshots of mobile devices. Electronic Evidence Examiner allows you to add Project-a-Phon...
Registry File Evidence is a link to a file in a binary hive format where the contents of the Windows registry are stored. TO ADD NEW REGISTRY FILE EVIDENCE TO THE CASE: 1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the...
SQLite is a database format that is used by many applications for storing data. Applications that use SQLite include mobile applications, some instant messengers (like Skype), and others. Electronic Evidence Examiner supports SQLite 3.0 and higher. Gen...
Xbox evidence is mainly stored in FATX file system clusters which contain STFS packages and XDBF databases inside. * FATX partition image is a logical partition image of Xbox physical drive. * STFS partition image. STFS (Secure Transacted File Syste...
Batch Export allows you to perform searches and filtering in multiple mailstorages of different formats and export the results to EML, EMX, MHT, MSG, PST, and Attachments only formats. TO PERFORM A BATCH EXPORT, DO THE FOLLOWING: 1. On the Export tab, i...
A Boolean search allows the user to search for complicated expressions in text following the rules of Boolean logic. Boolean searches are applied both to Advanced searches and to Keyword searches. Searching is performed by the rules of Boolean logic app...
Yes, you can monitor more than one device. You will need to purchase additional subscriptions to monitor more than one device (i.e. 2 devices = 2 subscriptions).
No. Only messages created and calls performed after the Agent/App installation will be displayed on the web-site.
Electronic Evidence Examiner allows you to view email databases, chat databases, Internet browsers installed on the investigated computer. Also, you can view recently used files and My Document folders. Electronic Evidence Examiner auto-detects this data ...
The NTFS filesystem evidence settings are settings that define the parameters of opening filesystem evidence (disks and disk images) with an NTFS filesystem. To define the default NTFS settings, use Electronic Evidence Examiner options. The following set...
For Android OS devices, only the incoming calls from contacts blacklisted with the help of the 3rd party applications are monitored.
E3 provides several engines for detecting malware or suspicious files. The first one can scan any added evidence. This is the malware scan from content analysis. However, it searches for malware in Windows PE files. For example, it will find unsigned files or m...
iOS Device Firmware Logical Support Physical Support 1.x x x 2.x x x 3.x x x 4.x x x 5.x x x 6.x x x 7.x x x 7.1 x x 7.1.1 x x 8.0.x x x 8.1.x x x 8.2.x x x 8.3 x x 8.4 ...
ANDROID DEVICE FIRMWARE LOGICAL SUPPORT PHYSICAL SUPPORT Cupcake (1.5) X X Doughnut (1.6) X X Éclair (2.0-2.1) X X Froyo (2.2-2.3) X X Gingerbread (2.3-2.3.7) X X Honeycomb (3.0-3.2.6) X - Ice Cream Sandwich (4.0-...
If you have Windows 10, do the following steps: * Install the Windows update according to your OS * https://support.microsoft.com/en-us/help/3118401/update-for-universal-c-runtime-in-windows ...
EDB settings are settings for EDB email databases created by Microsoft Exchange. * RAW MODE: Displays all database content including system, orphaned, and deleted items. EDB 2013 databases containing non-English mailstorages must be added in Raw mod...
The following are available packages of the E3 platform. * FEATURES E3:UNIVERSAL  E3:P2C E3:DS E3:NEMX  E3:EMX E3:INTERNET/CHAT MOBILE/SMARTPHONE FORENSICS Logical imaging + - + - - - Physical imaging + - + - - ...
Electronic Evidence Examiner allows you to export attachments (files attached to the message). Exporting attachments means creating a forensic copy of attachments on the computer on which Electronic Evidence Examiner is installed. Electronic Evidence Exam...
Electronic Evidence Examiner allows you to export archive data from the case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed. To export archive data, do the following: 1. Add the archive evi...
When you acquire data from an Android OS device or import an encrypted iTunes backup, an authentication data file containing device authentication tokens, user credentials, and cookies is automatically created in the case data. This file is used to import...
Electronic Evidence Examiner allows you to export bookmarks which point to the mailstorage, file system, or their parts. Bookmarked data can be quickly exported from the Bookmarks pane. TO EXPORT BOOKMARKED DATA: 1. In the Bookmarks pane, select the bo...
Exporting means saving all or part of the case evidence in an external format. DATA EXPORTING FROM ELECTRONIC EVIDENCE EXAMINER CAN BE PERFORMED IN SEVERAL WAYS: * Exporting from the data View pane: This type of exporting allows you to save data dis...
Information displayed in the Data View pane can be exported to a spreadsheet (CSV file). TO EXPORT DATA: * Manage  to make all necessary columns visible and hide all unnecessary columns. Define the columns order. * Select the rows to be exported i...
Electronic Evidence Examiner allows you to export geographical data from a case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed. TO EXPORT GPS DATA TO MAPLINK, DO THE FOLLOWING: 1. Create a ...
Graphic data can be exported, i.e., a copy of the image will be saved to the computer with Electronic Evidence Examiner installed. TO EXPORT GRAPHIC DATA: 1. Navigate to the folder with graphic data in the Case Content or Data View pane. 2. Right-click ...
Electronic Evidence Examiner allows you to find and export all multimedia and graphics files stored in an evidence or mobile data. Files will be exported to the computer with Electronic Evidence Examiner installed and can be played with media players and ...
Some chat database evidence, such as Hello databases, can include images which can be exported. A .md5 file is created for each exported image. It is placed in the same folder as the exported image and contains the MD5 value of the ...
Electronic Evidence Examiner allows you to export images from the Temporary Internet Files data created by the Internet Explorer browser. TO EXPORT IMAGES, DO THE FOLLOWING: 1. Add the Temporary Internet Files data to a new or existing case. 2. The cont...
Electronic Evidence Examiner allows you to export iTunes backup data from the case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed. To export iTunes backup data, do the following: 1. Add the ...
Electronic Evidence Examiner allows you to export a mailstorage to one of the following formats: EML (E-mail File), EMX (E-mail Examiner archive), and PST (Microsoft Outlook). Content-ID property of the exported EML message is the property that Electroni...
Electronic Evidence Examiner allows you to export messages from external mailstorages and add them to a newly created case using Batch Export. To add messages, do the following: 1. Start Paraben's Batch Export Wizard from the Welcome screen, or click Ba...
Electronic Evidence Examiner allows you to export messages from the selected mailstorage without saving attachments (files attached to messages). TO EXPORT MESSAGES WITHOUT ATTACHMENTS, DO THE FOLLOWING: 1. Add the mailstorage database to a new or exis...
Electronic Evidence Examiner allows the user to export files stored in different folders/disks or even different file system/archive/E3 mobile data case/Forensic Container/iTunes backup/SQLite database/Xbox evidences. All files are exported to one folde...
Sorted files can be exported in two ways: * As separate files * By categories TO EXPORT SORTED FILES AS SEPARATE FILES: 1. Perform sorting. 2. Open the Sorted files pane and select the category from which files are to be exported. 3. Select files ...
FILE SYSTEM/FOLDER PROPERTIES (EXT) When you click a node, its properties are displayed in the Properties pane. Depending on the type, nodes have the following properties: PROPERTY NAME COMMENTS SCREENSHOT FILE SYSTEM NODE (EXT2/EXT3) Block si...
File Properties File properties are displayed in the Properties pane when the file is selected in the Data View pane. File properties are displayed both for existing and deleted files. Each file has the following properties: PROPERTY COMMENTS FILE...
Exporting files (folders) means making a forensic copy on a computer with installed Electronic Evidence Examiner. File exporting can be performed only for filesystem evidence, archive evidence, E3 mobile data case evidence, Forensic Container evidence, ...
Filesystem/Folder Properties When you click the node, its properties are displayed in the Properties pane. Depending on the type, the nodes have the following properties:   PROPERTY NAME COMMENTS FILE SYSTEM NODE (NTFS) Bytes per File Record ...
TO GENERATE A REPORT: 1. Select the data that you want to add to the report. It can be: * Evidence or part of the evidence (it can be selected in the Case Content pane or in the Data View pane). * A category of sorted files (it is selected in the S...
Unlike Exchange or Lotus Notes files, GroupWise databases are not stored in just one file. They are stored in a file hierarchy generally referred to as a post office. A post office can consist of a Single mailbox containing one user's information or any n...
ABOUT E3:DS E3:DS is a package for mobile forensic analysis. While keeping all the functionality available in Paraben's DS, E3:DS offers you a lot more - new supported types of data, advanced data analysis options, and a number of other new features inte...
ABOUT ELECTRONIC EVIDENCE EXAMINER E3:UNIVERSAL Electronic Evidence Examiner (E3) is a comprehensive analysis tool combining plug-ins for computer forensic and mobile forensic analysis. You can purchase either a full version of Electronic Evidence Examin...
ABOUT ELECTRONIC EVIDENCE EXAMINER E3:P2C Electronic Evidence Examiner is a comprehensive analysis tool combining plug-ins for computer forensic and mobile forensic analysis. You can purchase either a full version of Electronic Evidence Examiner (E3:Univ...
iOS/iPhone support is coming soon. We have decided to change our methods for working with these devices to match changes that have happened to the operating system/firmware. We hope to offer a new HAWK agent for iOS in the coming months.
FILE SYSTEM/FOLDER NODE PROPERTIES (HFS+) When you click a node, its properties are displayed in the Properties pane. Depending on its type, a node will have the following properties: PROPERTY NAME COMMENTS SCREENSHOT FILE SYSTEM NODE (HFS+) Bl...
To change the target device, you need to remove the Agent from the web site and from the device. After that, you will be able to install and activate the Agent again on a new device. To remove the Agent from the web site, please follow the step-by-step instructions below: ...
HAWK is a parental control system and was not created to be a spy-ware tool.  Therefore, we do not provide any tools for hiding the app/agent.
If an Agent is installed on a device, you will see it as HAWK in the list of applications installed on a device.
You can differentiate such devices by viewing device information, such as phone number or IMEI. You can then define different names for devices on the Device Info tab of the Monitored Devices page.
TO UPDATE AND ACTIVATE YOUR DONGLE * Open E3 * Cancel out of the add evidence wizard * Click on case in the upper left hand corner of E3 * Activation * Activate * Select Dongle * Finish Then do the following: * Plug in your Dongle int...
There are two options to get access to cloud data: * Using user credentials if we know them. * Using an authentication data file. This file is generated for Android devices during logical acquisition and during import of encrypted iOS backup for...
It depends on the user activity. Generally, such features as GPS tracking and MMS messages (2.5 MB per message maximum) consume the most volume of traffic.
TO PREPARE AN ADVANCED ANDROID LG DEVICE FOR ACQUISITION: 1. Put the device into Firmware Update mode. 2. Make sure that the required drivers are installed (the required drivers are included in the Electronic Evidence Examiner Driver Pack). 3. Open Device...
Electronic Evidence Examiner allows you to add to a case and investigate different types of evidence from an investigated computer. The possibility to add evidences comes with the following packages: * E3: UNIVERSAL (logical/physical drivers, folder...
To create a new case: * In the Case menu, select Create New Case or select Create New Case on the Welcome screen of Electronic Evidence Examiner. (You can add an evidence before creating a new case, the New Case wizard will create the case automatical...
Electronic Evidence Examiner allows you to open cases in *.e3 format as well as cases in old *.p2c format. To open an existing case, do the following: * In the Case menu, select Open Case. Cases created or opened in Electronic Evidence Examiner of ne...
TO PERFORM SORTING, DO THE FOLLOWING: 1. Create a new case and add data to it or open an existing page with data. 2. The structure of evidence/mobile data is displayed in the Case Content pane (to the left), contents of the selected folder/file are displ...
1. Install E3 DP. 2. Go to Windows Control Panel and open Device Manager. 3. In the Device Manager locate your Android device. Then right-click on it and select "Update Driver Software". 4. Select "Browse my computer for driver software" in opened win...
* You will need to first log in to our registration site: http://register.paraben.com. You will see the Dongle Manager option on the left hand side. * You will need to click on the link and it will bring you to the Dongle ...
Please make sure you have allowed the installation from unknown sources on your device. To allow the installation from unknown sources, do the following: * For Android OS 4.x and higher, select Settings > Security > Unknown Sources. * For Android OS...
Have you had a chance to compare data on the device and on the Hawk website? Check the following, if the data on the device and on the site is different: * The device has Internet connection; * The Agent is still on the device; * The Agent on the ...
If during the installation of an Agent you activated a device administrator, you will need to disable a device administrator. To disable a device administrator, do the following: * In the device Settings, select Security > Device administrators * In...
We do not have the ability to tell you who installed HAWK on your phone. It is designed as a parental monitoring tool. There are a few fail-safes that whoever has installed it can use when you take it off, so make sure you do the following. Bac...
Currently, HAWK Monitoring System supports Android 7.0 devices. We have checked on our side on the device Samsung S7, S8 with Android 7.0, we do receive the data from the device (including SMS, MMS, call history and locations) on our web-site hawk-monit...
You can download the Agent to the device directly using a mobile browser. This is the recommended way of downloading the Agent.
An Agent sends data regardless of its state. To stop the sending of data, you need to uninstall an Agent.
To appear in the list, the device must be connected to the Internet to allow an Agent to connect to the HAWK Mobile Monitor web-site. Also make sure the Agent is installed: there must be a HAWK application in the list of installed applications on the device.
The free 7 day trial period is available only to users who register to the service for the first time. If you have already registered to HAWK Mobile Monitor in the past, you will need to buy a subscription [https://www.hawk-monitoring.com/User/Billing/Bil...
The file may contain no coordinates. If the file was downloaded from the GPS History tab of the Device Monitoring page, try downloading it again and check that the GPS history data is displayed in the grid before starting the download.
We can only offer refunds if you purchased HAWK through our website: https://www.hawk-monitoring.com. If you did not purchase through our website, but through a reseller (i.e. SpyTech, etc.) you will need to contact thei...
If you want to disable uninstallation of HAWK on your Target device, you should perform the following on your Samsung device: * Go to Settings - Security - Device Administrators; * Check that HAWK has admin rights on the device (the HAWK should be check...
Check if HAWK Agent has all permissions enabled on the target device. To check that please do the following: * On the Android device open the Settings menu. * Select the Applications option. * Select HAWK application. * Open the Permissions opti...
* Register an account on https://www.hawk-monitoring.com/Public/ and confirm registration by using a link which was sent to your e-mail. * Log in to the HAWK web site and go to Account/Promo Codes page. * Insert your Promo Code in the field on the P...
To perform keyword indexing: 1. Select the evidence (case node, evidence node, disk, folder, etc.) you wish to index keywords in. If the evidence has changed (because data has been added to it), you should clear the content analysis results and then inde...
ABOUT NIST HASH DATABASE To expedite working with Electronic Evidence Examiner, you can use the Common Files (NIST) database: This database is created on the basis of information provided on the NIST site. The Common Hash (NIST) database is an optimized v...
America On-line mailstorage is stored in a *.pfc file or mailstorage file with no extension. Mailstorage default location: Windows 7, 8, 8.1 C:Program DataAOLOrganize TO INVESTIGATE AOL MAILSTORAGE, DO THE FOLLOWING: 1. Have the Ad...
E-mail Examiner archives are stored in *.pmx files. E-mail Examiner archives are created by Paraben's E-mail Examiner in the location defined by the user. TO INVESTIGATE E-MAIL EXAMINER ARCHIVES, do the following: 1. Have the Add New Evidence window ...
E-mail File evidence is an *.eml file or the folder containing *.eml files. E-mail files can be created by Microsoft Outlook or other e-mail program and it can also contain an e-mail attachment or files sent with a message. E-mail Files have no defaul...
Eudora mailstorage is stored in *.mbx files or the Eudora folder. Mailstorage default location: WINDOWS 7, 8, 8.1, 10 C:UsersAppDataQualcommEudora The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by de...
Electronic Evidence Examiner allows you to add a special cache folder created by the Google Chrome browser that contains history, autofill items, keywords, logins, bookmarks and cookies data. By default, the Cache folder can be found in the following lo...
Google Takeout storage is stored in the archive containing *.mbox file. The Google Takeout archive is created in the location defined by the user. To investigate the Google Takeout storage, do the following: 1. Have the Add New Evidence window open. ...
GroupWise mailstorage is stored in the GroupWise folder. Mailstorage default location: WINDOWS 7, 8, 8.1, 10 C:UsersAppDataRoamingNovellGroupWise The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default. ...
Hello chat databases are located in the folder with the Hello user nickname. To investigate Hello chat databases, do the following: 1. Have the Add New Evidence window open. 2. In the Category list, select Chat Database. In the Source Type list, select...
ICQ CHAT DATABASE is located in the folder with the ICQ user nickname. Chat database default location: ICQ 1999-2003, ICQ 2003 WINDOWS 7, 8, 8.1, 10 C:Program FilesICQ ICQ 6, ICQ 7 WINDOWS 7, 8, 8.1, 10 C:Users
To investigate a Lotus Notes mailstorage, do the following: 1.  Have the Add New Evidence window open. 2. In the Category list, select E-mail Database. In the Source Type list, select NSF database. Click OK. 3. In the standard Open window, navigate to t...
Maildir is a format of storing e-mail messages used by a number of e-mail clients for Unix-like operating systems (such as Balsa, Cone, Evolution, GNUMail, etc). Maildir folders containing e-mail messages are stored in the location defined by the setting...
Electronic Evidence Examiner allows you to investigate the following versions of Microsoft Exchange (EDB) information stores: 5.0, 5.5, 2000, 2003, 2007, 2010, and 2013. Microsoft Exchange mailstorage is stored in an *.edb file. Its default location in a...
Microsoft Outlook mailstorage is stored in *.pst or *.ost files (offline mailstorage). Attachments in deleted messages in Microsoft Outlook mailstorages aren't restored and can't be viewed. Deleted messages that had attachments have a special icon in the...
Miranda chat databases are located in *.dat files. Chat database default location: WINDOWS 7, 8, 8.1, 10 C:UsersAppDataRoamingMiranda.dat The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden b...
Electronic Evidence Examiner allows you to add a special places.sqlite file that can contain history data created by the Mozilla Firefox browser. By default, this file can be found in the following locations: OS BROWSER FILE LOCATION Windows 10 ...
MSN chat databases are located in the folder with the MSN user nickname. Chat database default location: WINDOWS 7, 8, 8.1, 10 C:UsersMy Documents My Received FilesUser nicknameHistory To investigate MSN chat databases, do the fo...
Outlook Express mailstorage is stored in *.dbx files or the Outlook Express folder. Mailstorage default location: WINDOWS 7, 8, 8.1, 10 C:UsersAppDataIdentities{GUID}MicrosoftOutlook Express The Application Data folder (AppData i...
Skype chat databases are located in the folder with the Skype user nickname or in the main.db file. Chat database default location: WINDOWS 7, 8, 8.1, 10 For Skype version lower than 4.0: C:UsersAppDataRoamingSkype ...
Electronic Evidence Examiner allows you to investigate mailstorages created by The Bat! of versions 3.x and higher. The Bat! mailstorage is stored in a *.tbb file or in The Bat! folder. Mailstorage default location: WINDOWS 7, 8, 8.1, 10 C:U...
Thunderbird mailstorage is stored in the Thunderbird folder. Mailstorage default location: WINDOWS 7, 8, 8.1, 10 C:UsersAppDataRoamingThunderbirdProfiles The Application Data folder (AppData in Windows 7, 8, 8.1, an...
TRILLIAN CHAT DATABASES are located in the folder with the Trillian user nickname. Chat database default location: WINDOWS 7, 8, 8.1, 10 C:UsersAppData LocalVirtualStoreProgram FilesTrillianusers  The Application Data...
Windows Mail database is stored in the Windows Mail folder. Mailstorage default location: WINDOWS 7, 8, 8.1, 10 C:UsersAppDataLocalMicrosoftWindows Mail The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden...
Yahoo! chat databases are located in the folder with the Yahoo! user nickname. Chat database default location: WINDOWS 7, 8, 8.1, 10 C: Program FilesYahoo!MessengerProfiles
Electronic Evidence Examiner allows you to perform searches in mailstorage evidence much faster if you use the Keyword Search option. Keyword searches are available for textual data in the evidence that has been previously indexed. During indexing, the k...
Mobile Evidence Comparer allows you to prepare a report on the case comparison results that is suitable for printing, emailing, etc. A report can be generated either in the PDF or XLS format. TO GENERATE A REPORT: 1. Start Electronic Evidence Examiner....
If you want to uninstall the HAWK agent, please follow the instructions: * Uncheck HAWK in Device Settings -> Security & Screen Lock -> Device Administrators * Go to Settings -> Apps -> HAWK and press Uninstall.
NSF settings are settings for opening LotusNotes databases (.nsf format). * USER NAME FOR UNREAD NOTES LIST: This option defines the name of the user for whom the list of read/unread notes will be displayed. * REMOVE DATABASE QUOTA LIMITATIONS: Lotu...
Electronic Evidence Examiner allows you to open binary files within added evidence using external viewers. You can open a binary file in an external viewer from the DATA VIEW pane or SORTED FILES VIEWER. You can also view e-mail attachments using external...
PST Settings are settings for Microsoft Outlook databases (PST Format). Scan database for deleted messages (slows down opening): If this option is selected, deleted messages in the database will be found and recovered. This can take a long time.
When you add any type of evidence to your workspace, evidence is not physically added to your case file; rather, a link to the physical location of your evidence is created. Therefore, you must keep the physical evidence in the same location each time you...
This step allows the user to define which bookmarks will be added to the report and define their options. BOOKMARKS TO INCLUDE: The following options are available: * Include only bookmarks checked as "Include to reports": If this option is selecte...
This step allows the user to define what chat database evidence will be added to the report and to define its options. CHAT DATABASE EVIDENCE TO INCLUDE: One of the following options will be available: * Include only data checked as "Include to rep...
This step allows the user to define a custom report header, footer, and logo image to be added to the report. LOGO: The selected logo will be displayed in the report instead of the default Paraben's logo for reports in HTML and PDF formats. To add a ...
This step allows the user to define exactly what will be exported, what properties will be included, etc. This page is not available if the Don't include file system evidence checkbox on the Filesystem types page is selected.  PROPERTIES OF THE INCLUDE...
This step allows the user to define which types of file system evidence and Xbox disk images will be added to the report and what the report will look like. * Include only data checked as "Include to reports": If this option is selected, the report wil...
This step allows the user to define which Internet Browser Data evidence will be added to the report and to define its options. INTERNET BROWSER DATA EVIDENCE TO INCLUDE: The following options are available: * Include only data checked as "Include ...
This step allows the user to define the investigator information to be added to the report. Enter the required Investigator Information or edit the existing one. Select the Save changes to the case check box to save the information, otherwise all changes...
This step allows the user to define which supplementary files will be attached to the report. Supplementary files are placed in the folder where the report is created, and links to them are added to the report. This page also allows you to define whether...
This step allows the user to define which mailstorage evidence will be added to the report and to define its options. MAILSTORAGE EVIDENCE TO INCLUDE: The following options will be available: * Include only data checked as "Include to reports": If ...
This step allows the user to define what E3 mobile data case and iTunes backup evidence will be added to the report and to define its options. E3 MOBILE DATA CASE EVIDENCE * Include only data checked as "Include to reports": If this option is selecte...
This step allows the user to define what OLE/XDBF storage evidence, Archive evidence, or SQLite evidence will be added to the report and define their options. OLE/XDBF STORAGE EVIDENCE * Include only data checked as "Include to reports": If this opti...
This step allows the user to define which Registry file evidence will be added to the report and to define its options. REGISTRY FILE EVIDENCE TO INCLUDE: The following options are available: * Include only data checked as "Include to reports": If ...
This step allows the user to define whether to include the sorted data in the report. TYPES OF SORTED FILES TO INCLUDE: * Include only data checked as "Include to reports": If this option is selected, the report will include only the sorted files ...
This step allows the user to define the Examination Summary and Examination Conclusion for the report. EXAMINATION SUMMARY: The Examination Summary section is placed at the beginning of the report, preceding other data included in the case. This sectio...
A Report is a summary of the currently opened case whose contents are controlled by the examiner and can be printed, emailed, etc. In the current version, the following types of reports are available: * HTML INVESTIGATIVE REPORT: This report include...
Electronic Evidence Examiner allows you to save a case to an archive in the ZIP format. The case is saved along with its keyword indexing database and the evidence stored in the same folder. TO SAVE A CASE TO AN ARCHIVE: * Open an existing case or crea...
Electronic Evidence Examiner allows you to scan portable executable files for signs that they are malware. TO PERFORM A MALWARE SCAN ON EXECUTABLE FILES, DO THE FOLLOWING: 1. Add evidence or acquire/import mobile data to a new or existing case. 2. The struc...
When a search is finished, its results can be added to the special Search results report. This report can be generated both for advanced search and keyword search results. TO GENERATE THE SEARCH RESULTS REPORT: 1. Perform a search. 2. Select the results...
Electronic Evidence Examiner allows you to perform searches in chat databases. To search for text data, it is recommended that you use the keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in you...
Electronic Evidence Examiner allows you to perform searches in the Internet Browser data added as evidence to the case. To search for text data, it is recommended that you use a keyword search. Keyword searches are performed much faster than regular sea...
TO SEARCH FOR DATA IN MAILSTORAGE (email) evidence: 1. Add evidence to a new or existing case. 2. Select the mailstorage, folder, or message in which the data will be searched. 3. Right-click and select Advanced Search or click Advanced Search on the Ana...
The HAWK Mobile Monitor Server uses the standard MMS message size limit of 2.5 MB. If an MMS message attachment is larger than 2.5 MB, it will not be received by the Server.
Electronic Evidence Examiner allows you to perform searches in sorted files using special parameters. To perform searching, do the following: 1. Add evidence or acquire/import mobile data to a new or existing case. 2. The structure of the evidence/mobi...
Sorting means defining the file types in the evidence containing binary data while calculating the MD5, SHA1, and SHA-256 hash codes. It is recommended that you perform sorting upon adding evidence to expedite working with Electronic Evidence Examiner and...
Usually, The Bat! email database contains the following data: * The Account.cfn file. * The Account.flb file. * Folders with the account name (mailboxes). These contain files and folders that belong to the account. The folder for each account con...
Sometimes GPS history shows not the exact location of a device but the location of the Wi-Fi spot that was used to send the monitored data. Please also check the Accuracy column in the GPS history, which indicates how accurate the recorded coordinate...
Please check that the device GPS tracking, or location services, is enabled on the monitored device.
Please check the following: * The device has no Internet connection * The Agent on the device is activated * There is no anti-virus software or firewall installed on the device * If you still do not receive any monitored data, please contact our ...
The Agent has its own storage of monitored data. The storage size is limited to 10 MB. If there is no Internet connection on the device and the limit is exceeded, the storage data is erased and the device starts monitoring data anew.
The time in the Device Date/Time column is displayed according to the current device time zone. If the time zone was changed, the time displayed in the column will change as well.
If the Deactivate button is not present on the tab, it means that the 30-day period, during which an Agent cannot be deactivated, has not passed yet. Please wait until the 30-day period comes to an end.
The mailbox is a folder. It contains the following data: * Global settings: abook.mab (the address book), xpti.dat (the service components), XUL.mfl (appearance settings), etc. These files are not parsed by Electronic Evidence Examiner. * Information ...
* You will want to update your dongle anytime a new version of the software is released. * Software locked to a dongle must be updated through dongle manager in order for the software to run as a full version. * You will need to download the softwar...
Evidence structure can be viewed in the CASE CONTENT PANE. Evidence content can be viewed in the DATA VIEW PANE. Content of email messages can be viewed in the special EMAIL DATA PANE. Content of chat databases can be viewed in the special RTF VIEWER. Con...
Google Chrome Browser Data allows the user to view the contents of History, Keywords, Logins, Auto-fill items, and Cookies created by the Google Chrome browser. Google Chrome data is displayed in the form of a main node and six sub-nodes: HISTORY is displa...
Internet Explorer Browser Data allows the user to view the contents of the History, Cookies and Temporary Internet Files list.  The COOKIES AND HISTORY DATA created by Internet Explorer is displayed in a grid with the following columns: * Type: This ...
Mozilla Firefox Internet Browser data allows the user to view the contents of the History and Cache data created by the Mozilla Firefox browser.   THE HISTORY DATA created by Mozilla Firefox is displayed in a grid with the following columns: - Title: Thi...
By default, sorted files/folders in the Data View pane and Case Content pane are marked in blue (sorted files) and purple (sorted files linked to a hash database) and they have the Yes value in the Sorted field on the Content Analysis tab of the Propertie...
Data in SQLite Database evidence is stored in a tree-like structure. The following data is displayed in the Case Content pane: * Evidence node – * Evidence type node – SQLite Database * Tables The content of t...
The available search types are advanced search, keyword search, and sorted files search. Advanced search is a general-purpose search engine with powerful customization. It lets you adjust many options to get the most accurate results. For example, the user can search for HEX or text, use ...
It works for a system drive or for dumps that contain system drives. It searches for supported email databases, chat databases, registry information, browser data, recently used files, and the documents folder.
We parse DJI GO drone data from iOS devices and Fitbit data from Android devices. We can acquire smartwatches based on Samsung Tizen, Google Wear, or Android. We will also support Alexa Cloud.
A forensic container is a specially designed secure database. Data in forensic containers is encrypted and locked by a password. Only E3 and Evidence Reviewed can provide access to data in the database. DP2C and FF sticks collect data to forensic containers. A...
Smartphones are essentially PCs in a small body, which means that they have their own OS. Each OS has a version and build number. With each new version, vendors provide new functions, patches, API changes, and so on. Therefore, we can get different errors on...
iOS has one of the most highly protected file systems. Most of an iOS device's file system is not available to users or through the Apple API. This is a big problem for forensics, as we also can’t get all data from a device. However, some users want to have full acc...
Rooting is the process of obtaining root permissions on an Android device. After that, we can access all file system data using Android SDK functions. Android must be loaded, USB debugging must be enabled, and the device must be unlocked. In case with bootloade...
Usually, we get data in its raw format as dumps or databases, so it is neither easy nor comfortable for users to work with such data. For example, they need to know where a system stores useful data. It is a big problem to find it within all system ...
After scanning for malware, you can view the scan results for each scanned file individually or generate a special Windows PE Files Malware Scan Report for all scanned files. To view the scan results for an individual file, select a scanned file, select...