Knowledgebase
We are constantly updating our YouTube Channel with How-To videos for
our customers with Paraben's E3 Software. Check them out and
subscribe!
https://www.youtube.com/user/ParabenForensics
How to Turn ON and Collect Logs within E3
* Case
* Options
* Check:
* Enable extended logs
* Enable logging for plug-ins
* Enable serial log during mobile acquisition (if acquiring a mobile device)
* REPRODUCE THE ISSUE
* Archive folder...
Acquired/imported mobile data is saved as an E3 mobile data case,
which is a file with the .ds extension stored in the same folder as
the Electronic Evidence Examiner case to which the data was acquired
or imported. The E3 mobile data case file name has t...
Scanning for malware means analyzing Windows portable executable files
for the signs indicating that a file might be malware.
The portable executable files, as a rule, have the following
extensions: *.com, *.cpl, *.dll, *.efi, *.exe, *.mst, *.mui, *.ocx...
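The extension list above is only a hint about where to look: a file is a portable executable because of its header, not its name, and malware routinely hides behind a .jpg or .tmp extension (and, conversely, a renamed text file called setup.exe is not a PE at all). The Python below is an added example, not E3's scanner or any Paraben code. It reads the DOS stub, follows e_lfanew to the PE signature and decodes the COFF header, then compares that header evidence with the extension. The sample files, the PE_EXTENSIONS set (copied from the page's truncated list) and the classification labels are constructed for the example; the header offsets, the IMAGE_FILE_DLL flag (0x2000) and the PE32/PE32+ magic values are the documented Microsoft PE format.

```python
import struct

# Extensions the page lists for Windows portable executables (its list is truncated).
PE_EXTENSIONS = {".com", ".cpl", ".dll", ".efi", ".exe", ".mst", ".mui", ".ocx"}

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def parse_pe(data: bytes):
    """Return a dict describing the PE header, or None if `data` is not a PE image.

    Checks the DOS 'MZ' stub, follows e_lfanew (offset 0x3C) to the 'PE\\0\\0'
    signature and reads the COFF file header plus the optional-header magic.
    The file name and extension are deliberately not consulted.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4) + COFF header (20) + optional-header magic (2) must fit
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "optional_header_size": opt_size,
        "is_dll": bool(chars & 0x2000),      # IMAGE_FILE_DLL
        "pe32plus": magic == 0x20B,          # 0x10B = PE32, 0x20B = PE32+
    }


def classify(name: str, data: bytes) -> str:
    """Label a file for triage by comparing header evidence with its extension."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    pe = parse_pe(data)
    if pe is None:
        return "pe-extension-without-pe-header" if ext in PE_EXTENSIONS else "not-pe"
    return "pe" if ext in PE_EXTENSIONS else "pe-with-misleading-extension"


def build_sample_pe(machine=0x8664, sections=2, characteristics=0x22, magic=0x20B) -> bytes:
    """Constructed minimal PE header (DOS stub + PE signature + COFF header +
    optional-header magic). Not a loadable image; enough for header triage."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> offset 0x40
    coff = struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


# Constructed sample set: a PE named .exe, a DLL renamed to .jpg (a common way
# to slip past extension filters), and a text file named .exe.
SAMPLES = {
    "setup.exe": build_sample_pe(),
    "photo.jpg": build_sample_pe(characteristics=0x2022),   # 0x22 | IMAGE_FILE_DLL
    "notes.exe": b"just text, no MZ header\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {classify(name, blob):32} {parse_pe(blob)}")
```

A DOS-era .com binary has no MZ header and is reported as "pe-extension-without-pe-header" here; that is the correct answer for header-based triage, and a reminder that the page's extension list mixes true PE files with legacy formats.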
Archive Evidence is a link to an archive that allows the user to
examine its structure and contents.
All files/folders added to the archive can be viewed and examined in
the same way as general file system evidence.
Electronic Evidence Examiner support...
Chat Database Evidence is a link to a database created by any instant
messaging application.
TO ADD NEW CHAT DATABASE EVIDENCE TO THE CASE:
1. On the Evidence tab, in the Evidence group, click Add Evidence; or
right-click the case node and select Add Ne...
File System Evidence is a link to any type of storage device
containing files that allows the examiner to view and examine its
structure and contents. File system evidence can recover the contents
of deleted files and folders on a computer and view compre...
To add new file system evidence to the case:
1. On the Evidence tab, in the Evidence group, click Add Evidence; or
right-click the case node and select Add New Evidence.
2. If no case has been created, the New Case wizard will open. This
allows the user t...
Electronic Evidence Examiner allows you to add raw memory dump files
as evidence. These files contain information on all processes that
were running on the computer when the dump was created.
Memory dump files created by Win32dd, Mandiant’s Memoryze, Man...
Forensic Container is a secure encrypted database that contains data
acquired by Electronic Evidence Examiner or DP2C. Data in a forensic
container is encrypted and cannot be accessed by any other means
except Electronic Evidence Examiner or Evidence Revi...
Internet Browser Data includes data created by Internet Explorer,
Mozilla Firefox, and Google Chrome:
* For Internet Explorer (up to version 10): Internet data is stored
in a special dat file. This file can contain history, cookies, or
temporary inter...
iTunes backup is a database created by iTunes that contains backup
data from iPhone, iPad, and iPod Touch devices.
iTunes backup data is stored in a folder, containing the following
files:
* plist
* mbdb
* plist
* plist
iTunes backup data def...
ABOUT JTAG MEMORY DUMP EVIDENCE
JTAG memory dump is a raw image of device physical memory created with
the help of the RIFF Box (RIFF JTAG) hardware.
To investigate JTAG memory dump evidence, you need to have one of the
following packages:
* E3: U...
A Mailstorage or Email Evidence is a link to a mailstorage (email
database) that allows the user to view and examine its structure and
content. Generally, a mailstorage consists of folders, each of
which can include messages, which, in their turn, can hav...
OLE Storage Evidence is a link to any file of OLE storage format that
allows the user to view its structure and examine it.
TO ADD NEW OLE STORAGE EVIDENCE TO THE CASE:
1. On the Evidence tab, in the Evidence group, click Add Evidence; or
right-click th...
ABOUT PROJECT-A-PHONE DATA EVIDENCE
Project-a-Phone Data evidence contains files created by Paraben's
Project-a-Phone, a special tool for taking high resolution screenshots
of mobile devices. Electronic Evidence Examiner allows you to add
Project-a-Phon...
Registry File Evidence is a link to a file in a binary hive format
where the contents of the Windows registry is stored.
TO ADD NEW REGISTRY FILE EVIDENCE TO THE CASE:
1. On the Evidence tab, in the Evidence group, click Add Evidence; or
right-click the...
SQLite is a database format that is used by many applications for
storing data. Applications that use SQLite include mobile
applications, some instant messengers (like Skype), and others.
Electronic Evidence Examiner supports SQLite 3.0 and higher.
Gen...
Xbox evidence is mainly stored in FATX file system clusters which
contain STFS packages and XDBF databases inside.
* FATX partition image is a logical partition image of the Xbox physical
drive.
* STFS partition image. STFS (Secure Transacted File Syste...
Batch Export allows you to perform searches and filtering in multiple
mailstorages of different formats and export the results to EML, EMX,
MHT, MSG, PST, and Attachments only formats.
TO PERFORM A BATCH EXPORT, DO THE FOLLOWING:
1. On the Export tab, i...
A Boolean search allows the user to search for complicated expressions
in text following the rules of Boolean logic. Boolean searches are
applied both to Advanced searches and to Keyword searches.
Searching is performed by the rules of Boolean logic app...
Electronic Evidence Examiner allows you to view email databases, chat
databases, and Internet browsers installed on the investigated computer.
You can also view recently used files and the My Documents folder.
Electronic Evidence Examiner auto-detects this data ...
The NTFS filesystem evidence settings define the parameters for opening
filesystem evidence (disks and disk images) with an NTFS filesystem. To
define the default NTFS settings, use the Electronic Evidence Examiner
options.
The following set...
NAVIGATION:
Introducing E3: DS
E3 Packages
E3:DS Related Tools
Link2
E3:Viewer
Installing and Configuring E3: DS
Computer System Requirements
Installing Electronic Evidence Examiner
Mobile Driver Pack Installation
E3:DS License Activati...
NAVIGATION:
Introducing E3: P2C
E3:P2C Related Tools
DP2C
P2X Pro
Installing and Configuring E3:P2C
Computer System Requirements
Installing Electronic Evidence Examiner
E3:P2C License Activation
Internet Licensing
Direct Machine Licensi...
NAVIGATION:
Introducing E3:UNIVERSAL
E3:UNIVERSAL Related Tools
DP2C
P2X Pro
Link2
E3:Viewer
Installing and Configuring E3: UNIVERSAL
Computer System Requirements
Installing Electronic Evidence Examiner
Mobile Driver Pack Installation
...
iOS Device Firmware   Logical Support   Physical Support
1.x                   x                 x
2.x                   x                 x
3.x                   x                 x
4.x                   x                 x
5.x                   x                 x
6.x                   x                 x
7.x                   x                 x
7.1                   x                 x
7.1.1                 x                 x
8.0.x                 x                 x
8.1.x                 x                 x
8.2.x                 x                 x
8.3                   x                 x
8.4                   ...
Android Device Firmware      Logical Support   Physical Support
Cupcake (1.5)                X                 X
Donut (1.6)                  X                 X
Éclair (2.0-2.1)             X                 X
Froyo (2.2-2.2.3)            X                 X
Gingerbread (2.3-2.3.7)      X                 X
Honeycomb (3.0-3.2.6)        X                 -
Ice Cream Sandwich (4.0-...
NAVIGATION:
Introducing E3:VIEWER
E3 Packages
E3:VIEWER Related Tools
P2X Pro
Installing and Configuring E3: VIEWER
Computer System Requirements
Installing Electronic Evidence Examiner
E3:VIEWER License Activation
Direct Machine Licensing...
If you are running Windows 10, do the following:
* Install the Windows update for your OS version (Update for Universal C
Runtime):
https://support.microsoft.com/en-us/help/3118401/update-for-universal-c-runtime-in-windows
EDB settings are settings for EDB email databases created by Microsoft
Exchange.
* RAW MODE: Displays all database content including system,
orphaned, and deleted items.
EDB 2013 databases containing non-English mailstorages must be added
in Raw mod...
The following are the available packages of the E3 platform.
FEATURES                      E3:UNIVERSAL   E3:P2C   E3:DS   E3:NEMX   E3:EMX   E3:INTERNET/CHAT
MOBILE/SMARTPHONE FORENSICS
Logical imaging               +              -        +       -         -        -
Physical imaging              +              -        +       -         -        ...
Electronic Evidence Examiner allows you to export attachments (files
attached to the message). Exporting attachments means creating a
forensic copy of attachments on the computer on which Electronic
Evidence Examiner is installed. Electronic Evidence Exam...
Electronic Evidence Examiner allows you to export archive data from
the case. Exporting means making an exact copy of data on the computer
where Electronic Evidence Examiner is installed.
To export archive data, do the following:
1. Add the archive evi...
When you acquire data from an Android OS device or import an encrypted
iTunes backup, an authentication data file containing device
authentication tokens, user credentials, and cookies is automatically
created in the case data. This file is used to import...
Electronic Evidence Examiner allows you to export bookmarks which
point to the mailstorage, file system, or their parts. Bookmarked data
can be quickly exported from the Bookmarks pane.
TO EXPORT BOOKMARKED DATA:
1. In the Bookmarks pane, select the bo...
Exporting means saving all or part of the case evidence in an external
format.
DATA EXPORTING FROM ELECTRONIC EVIDENCE EXAMINER CAN BE PERFORMED IN
SEVERAL WAYS:
* Exporting from the data View pane: This type of exporting allows
you to save data dis...
Information displayed in the Data View pane can be exported to a
spreadsheet (CSV file).
TO EXPORT DATA:
* Make all necessary columns visible and hide all unnecessary columns.
Define the column order.
* Select the rows to be exported i...
Electronic Evidence Examiner allows you to export geographical data
from a case. Exporting means making an exact copy of data on the
computer where Electronic Evidence Examiner is installed.
TO EXPORT GPS DATA TO MAPLINK, DO THE FOLLOWING:
1. Create a ...
Graphic data can be exported, i.e., a copy of the image will be saved
to the computer with Electronic Evidence Examiner installed.
TO EXPORT GRAPHIC DATA:
1. Navigate to the folder with graphic data in the Case Content or Data
View pane.
2. Right-click ...
Electronic Evidence Examiner allows you to find and export all
multimedia and graphics files stored in an evidence or mobile data.
Files will be exported to the computer with Electronic Evidence
Examiner installed and can be played with media players and ...
Some chat database evidence, such as Hello databases, can include
images which can be exported.
A .md5 file is created for each exported image.
It is placed in the same folder as the exported image and contains the
MD5 value of the ...
Electronic Evidence Examiner allows you to export images from the
Temporary Internet Files data created by the Internet Explorer
browser.
TO EXPORT IMAGES, DO THE FOLLOWING:
1. Add the Temporary Internet Files data to a new or existing case.
2. The cont...
Electronic Evidence Examiner allows you to export iTunes backup data
from the case. Exporting means making an exact copy of data on the
computer where Electronic Evidence Examiner is installed.
To export iTunes backup data, do the following:
1. Add the ...
Electronic Evidence Examiner allows you to export a mailstorage to one
of the following formats: EML (E-mail File), EMX (E-mail Examiner
archive), and PST (Microsoft Outlook).
Content-ID property of the exported EML message is the property that
Electroni...
Electronic Evidence Examiner allows you to export messages from
external mailstorages and add them to a newly created case using Batch
Export.
To add messages, do the following:
1. Start Paraben's Batch Export Wizard from the Welcome screen, or
click Ba...
Electronic Evidence Examiner allows you to export messages from the
selected mailstorage without saving attachments (files attached to
messages).
TO EXPORT MESSAGES WITHOUT ATTACHMENTS, DO THE FOLLOWING:
1. Add the mailstorage database to a new or exis...
Electronic Evidence Examiner allows the user to export files stored
in different folders/disks or even in different file system/archive/E3
mobile data case/Forensic Container/iTunes backup/SQLite database/Xbox
evidence.
All files are exported to one folde...
Sorted files can be exported in two ways:
* As separate files
* By categories
TO EXPORT SORTED FILES AS SEPARATE FILES:
1. Perform sorting.
2. Open the Sorted files pane and select the category from which files
are to be exported.
3. Select files ...
FILE SYSTEM/FOLDER PROPERTIES (EXT)
When you click a node, its properties are displayed in the
Properties pane. Depending on the type, nodes have the following
properties:
PROPERTY NAME
COMMENTS
SCREENSHOT
FILE SYSTEM NODE (EXT2/EXT3)
Block si...
File Properties
File properties are displayed in the Properties pane when the file is
selected in the Data View pane. File properties are displayed both for
existing and deleted files.
Each file has the following properties:
PROPERTY
COMMENTS
FILE...
Exporting files (folders) means making a forensic copy on a computer
with installed Electronic Evidence Examiner.
File exporting can be performed only for filesystem evidence, archive
evidence, E3 mobile data case evidence, Forensic Container evidence,
...
Filesystem/Folder Properties
When you click the node, its properties are displayed in the
Properties pane. Depending on the type, the nodes have the following
properties:
PROPERTY NAME
COMMENTS
FILE SYSTEM NODE (NTFS)
Bytes per File Record
...
TO GENERATE A REPORT:
1. Select the data that you want to add to the report. It can be:
* Evidence or part of the evidence (it can be selected in the Case
Content pane or in the Data View pane).
* A category of sorted files (it is selected in the S...
Unlike Exchange or Lotus Notes files, GroupWise databases are not
stored in a single file. They are stored in a file hierarchy generally
referred to as a post office. A post office can consist of a single
mailbox containing one user's information or any n...
ABOUT E3:DS
E3:DS is a package for mobile forensic analysis. While keeping all the
functionality available in Paraben's DS, E3:DS offers you a lot more -
new supported types of data, advanced data analysis options, and a
number of other new features inte...
ABOUT ELECTRONIC EVIDENCE EXAMINER E3:UNIVERSAL
Electronic Evidence Examiner (E3) is a comprehensive analysis tool
combining plug-ins for computer forensic and mobile forensic analysis.
You can purchase either a full version of Electronic Evidence Examin...
ABOUT ELECTRONIC EVIDENCE EXAMINER E3:P2C
Electronic Evidence Examiner is a comprehensive analysis tool
combining plug-ins for computer forensic and mobile forensic analysis.
You can purchase either a full version of Electronic Evidence Examiner
(E3:Univ...
FILE SYSTEM/FOLDER NODE PROPERTIES (HFS+)
When you click a node, its properties are displayed in the Properties
pane. Depending on its type, a node will have the following
properties:
PROPERTY NAME
COMMENTS
SCREENSHOT
FILE SYSTEM NODE (HFS+)
Bl...
There are two options for accessing cloud data:
* Using user credentials, if they are known.
* Using an authentication data file. This file is generated for
Android devices during logical acquisition and during import of an
encrypted iOS backup for...
TO PREPARE AN ADVANCED ANDROID LG DEVICE FOR ACQUISITION:
1. Put the device into Firmware Update mode.
2. Make sure that the required drivers are installed (the required
drivers are included in the Electronic Evidence Examiner Driver Pack).
3. Open Device...
Electronic Evidence Examiner allows you to add to a case and
investigate different types of evidence from an investigated computer.
Evidence can be added with the following packages:
* E3: UNIVERSAL (logical/physical drivers, folder...
To create a new case:
* In the Case menu, select Create New Case, or select Create New Case
on the Welcome screen of Electronic Evidence Examiner. (You can add
evidence before creating a new case; the New Case wizard will create
the case automatical...
Electronic Evidence Examiner allows you to open cases in *.e3 format
as well as cases in the old *.p2c format.
To open an existing case, do the following:
* In the Case menu, select Open Case. Cases created or opened in
Electronic Evidence Examiner of ne...
TO PERFORM SORTING, DO THE FOLLOWING:
1. Create a new case and add data to it, or open an existing
case with data.
2. The structure of the evidence/mobile data is displayed in the Case
Content pane (to the left); the contents of the selected folder/file are
displ...
1. Install the E3 Driver Pack (E3 DP).
2. Go to the Windows Control Panel and open Device Manager.
3. In Device Manager, locate your Android device. Then right-click
it and select "Update Driver Software".
4. Select "Browse my computer for driver software" in the opened win...
IMPORTANT:
With the forensic process, it is important to note that, with embedded
systems such as smart devices, some data must be written to the device
in order to communicate with it. Depending on the type of device, the
data that is written will chan...
To perform keyword indexing:
1. Select the evidence (case node, evidence node, disk, folder, etc.)
you wish to index keywords in. If the evidence has changed (because
data has been added to it), you should clear the content analysis
results and then inde...
ABOUT NIST HASH DATABASE
To expedite working with Electronic Evidence Examiner, you can use the
Common Files (NIST) database: This database is created on the base of
information provided on the NIST site. The Common Hash (NIST) database
is an optimized v...
America Online (AOL) mailstorage is stored in a *.pfc file or a mailstorage
file with no extension.
Mailstorage default location:
Windows 7, 8, 8.1
C:\ProgramData\AOL\Organize
TO INVESTIGATE AOL MAILSTORAGE, DO THE FOLLOWING:
1. Have the Ad...
E-mail Examiner archives are stored in *.pmx files.
E-mail Examiner archives are created by Paraben's E-mail Examiner in
the location defined by the user.
TO INVESTIGATE E-MAIL EXAMINER ARCHIVES, do the following:
1. Have the Add New Evidence window ...
E-mail File evidence is an *.eml file or a folder containing *.eml
files.
E-mail files can be created by Microsoft Outlook or another e-mail
program, and they can also contain e-mail attachments or files sent
with a message.
E-mail Files have no defaul...
Eudora mailstorage is stored in *.mbx files or the Eudora folder.
Mailstorage default location:
WINDOWS 7, 8, 8.1, 10
C:\Users\<User name>\AppData\Qualcomm\Eudora
The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is
hidden by de...
Electronic Evidence Examiner allows you to add a special cache folder
created by the Google Chrome browser that contains history, autofill
items, keywords, logins, bookmarks and cookies data.
By default, the Cache folder can be found in the following lo...
Google Takeout storage is stored in an archive containing an *.mbox
file.
The Google Takeout archive is created in the location defined by the
user.
To investigate the Google Takeout storage, do the following:
1. Have the Add New Evidence window open.
...
GroupWise mailstorage is stored in the GroupWise folder.
Mailstorage default location:
WINDOWS 7, 8, 8.1, 10
C:\Users\<User name>\AppData\Roaming\Novell\GroupWise
The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is
hidden by default.
...
Hello chat databases are located in the folder with the Hello user
nickname.
To investigate Hello chat databases, do the following:
1. Have the Add New Evidence window open.
2. In the Category list, select Chat Database. In the Source Type
list, select...
ICQ CHAT DATABASE is located in the folder with the ICQ user nickname.
Chat database default location:
ICQ 1999-2003, ICQ 2003   WINDOWS 7, 8, 8.1, 10   C:\Program Files\ICQ
ICQ 6, ICQ 7              WINDOWS 7, 8, 8.1, 10   C:\Users
To investigate a Lotus Notes mailstorage, do the following:
1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type
list, select NSF database. Click OK.
3. In the standard Open window, navigate to t...
Maildir is a format of storing e-mail messages used by a number of
e-mail clients for Unix-like operating systems (such as Balsa, Cone,
Evolution, GNUMail, etc).
Maildir folders containing e-mail messages are stored in the location
defined by the setting...
Electronic Evidence Examiner allows you to investigate the following
versions of Microsoft Exchange (EDB) information stores: 5.0, 5.5,
2000, 2003, 2007, 2010, and 2013. Microsoft Exchange mailstorage is
stored in an *.edb file.
Its default location in a...
Microsoft Outlook mailstorage is stored in *.pst or *.ost files
(offline mailstorage).
Attachments in deleted messages in Microsoft Outlook mailstorages
aren't restored and can't be viewed. Deleted messages that had
attachments have a special icon in the...
Miranda chat databases are located in *.dat files.
Chat database default location:
WINDOWS 7, 8, 8.1, 10
C:\Users\<User name>\AppData\Roaming\Miranda\*.dat
The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is
hidden b...
Electronic Evidence Examiner allows you to add a special places.sqlite
file that can contain history data created by the Mozilla Firefox
browser.
By default, this file can be found in the following locations:
OS            BROWSER            FILE LOCATION
Windows 10 ...
MSN chat databases are located in the folder with the MSN user
nickname.
Chat database default location:
WINDOWS 7, 8, 8.1, 10
C:\Users\<User name>\My Documents\My Received Files\<User
nickname>\History
To investigate MSN chat databases, do the fo...
Outlook Express mailstorage is stored in *.dbx files or the Outlook
Express folder.
Mailstorage default location:
WINDOWS 7, 8, 8.1, 10
C:\Users\<User name>\AppData\Identities\{GUID}\Microsoft\Outlook
Express
The Application Data folder (AppData i...
Skype chat databases are located in the folder with the Skype user
nickname or in the main.db file.
Chat database default location:
WINDOWS 7, 8, 8.1, 10
For Skype versions lower than 4.0:
C:\Users\<User name>\AppData\Roaming\Skype ...
Electronic Evidence Examiner allows you to investigate mailstorages
created by The Bat! of versions 3.x and higher.
The Bat! mailstorage is stored in a *.tbb file or in The Bat!
folder.
Mailstorage default location:
WINDOWS 7, 8, 8.1, 10
C:U...
Thunderbird mailstorage is stored in the Thunderbird folder.
Mailstorage default location:
WINDOWS 7, 8, 8.1, 10
C:\Users\<User name>\AppData\Roaming\Thunderbird\Profiles
The Application Data folder (AppData in Windows 7, 8, 8.1, an...
TRILLIAN CHAT DATABASES are located in the folder with the Trillian
user nickname.
Chat database default location:
WINDOWS 7, 8, 8.1, 10
C:\Users\<User name>\AppData\Local\VirtualStore\Program
Files\Trillian\users
The Application Data...
Windows Mail database is stored in the Windows Mail folder.
Mailstorage default location:
WINDOWS 7, 8, 8.1, 10
C:\Users\<User name>\AppData\Local\Microsoft\Windows Mail
The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is
hidden...
Yahoo! chat databases are located in the folder with the Yahoo! user
nickname.
Chat database default location:
WINDOWS 7, 8, 8.1, 10
C:\Program Files\Yahoo!\Messenger\Profiles
Electronic Evidence Examiner allows you to perform searches in
mailstorage evidence much faster if you use the Keyword Search
option. Keyword searches are available for textual data in the
evidence that has been previously indexed.
During indexing, the k...
Mobile Evidence Comparer allows you to prepare a report on the case
comparison results that is suitable for printing, emailing, etc.
A report can be generated either in the PDF or XLS format.
TO GENERATE A REPORT:
1. Start Electronic Evidence Examiner....
NSF settings are settings for opening Lotus Notes databases (.nsf
format).
* USER NAME FOR UNREAD NOTES LIST: This option defines the name of
the user for whom the list of read/unread notes will be displayed.
* REMOVE DATABASE QUOTA LIMITATIONS: Lotu...
Electronic Evidence Examiner allows you to open binary files within
added evidence using external viewers. You can open a binary file in
an external viewer from the DATA VIEW pane or SORTED FILES VIEWER. You
can also view e-mail attachments using external...
PST Settings are settings for Microsoft Outlook databases (PST
Format).
Scan database for deleted messages (slows down opening): If this
option is selected, deleted messages in the database will be found and
recovered. This can take a long time.
When you add any type of evidence to your workspace, evidence is not
physically added to your case file; rather, a link to the physical
location of your evidence is created.
Therefore, you must keep the physical evidence in the same location
each time you...
This step allows the user to define which bookmarks will be added to
the report and define their options.
BOOKMARKS TO INCLUDE:
The following options are available:
* Include only bookmarks checked as "Include to reports": If this
option is selecte...
This step allows the user to define what chat database evidence will
be added to the report and to define its options.
CHAT DATABASE EVIDENCE TO INCLUDE:
One of the following options will be available:
* Include only data checked as "Include to rep...
This step allows the user to define a custom report header, footer,
and logo image to be added to the report.
LOGO:
The selected logo will be displayed in the report instead of the
default Paraben's logo for reports in HTML and PDF formats.
To add a ...
This step allows the user to define exactly what will be exported,
what properties will be included, etc.
This page is not available if the Don't include file system evidence
checkbox on the Filesystem types page is selected.
PROPERTIES OF THE INCLUDE...
This step allows the user to define which types of file
system evidence and Xbox disk images will be added to the report and
what the report will look like.
* Include only data checked as "Include to reports": If this option
is selected, the report wil...
This step allows the user to define which Internet Browser Data
evidence will be added to the report and to define its options.
INTERNET BROWSER DATA EVIDENCE TO INCLUDE:
The following options are available:
* Include only data checked as "Include ...
This step allows the user to define the investigator information to be
added to the report.
Enter the required Investigator Information or edit the existing one.
Select the Save changes to the case check box to save the information,
otherwise all changes...
This step allows the user to define which supplementary files will be
attached to the report. Supplementary files are placed in the folder
where the report is created, and links to them are added to the
report.
This page also allows you to define whether...
This step allows the user to define which mailstorage evidence will
be added to the report and to define its options.
MAILSTORAGE EVIDENCE TO INCLUDE:
The following options will be available:
* Include only data checked as "Include to reports": If ...
This step allows the user to define what E3 mobile data case and
iTunes backup evidence will be added to the report and to define its
options.
E3 MOBILE DATA CASE EVIDENCE
* Include only data checked as "Include to reports": If this option
is selecte...
This step allows the user to define what OLE/XDBF storage evidence,
Archive evidence, or SQLite evidence will be added to the report and
define their options.
OLE/XDBF STORAGE EVIDENCE
* Include only data checked as "Include to reports": If this opti...
This step allows the user to define which Registry file evidence will
be added to the report and to define its options.
REGISTRY FILE EVIDENCE TO INCLUDE:
The following options are available:
* Include only data checked as "Include to reports": If ...
This step allows the user to define whether to include the sorted data
to report or not.
TYPES OF SORTED FILES TO INCLUDE:
* Include only data checked as "Include to reports": If this option
is selected, the report will include only the sorted files ...
This step allows the user to define the Examination Summary and
Examination Conclusion for the report.
EXAMINATION SUMMARY:
The Examination Summary section is placed at the beginning of the
report, preceding other data included in the case. This sectio...
A Report is a summary of the currently opened case whose contents are
controlled by the examiner and can be printed, emailed, etc.
In the current version, the following types of reports are available:
* HTML INVESTIGATIVE REPORT: This report include...
Electronic Evidence Examiner allows you to save a case to an archive
in the ZIP format. The case is saved along with its keyword indexing
database and the evidence stored in the same folder.
TO SAVE A CASE TO AN ARCHIVE:
* Open an existing case or crea...
Electronic Evidence Examiner allows you to scan portable executable
files for the signs of being malware.
TO PERFORM A MALWARE SCAN ON EXECUTABLE FILES, DO THE FOLLOWING:
1. Add evidence or acquire/import mobile data to a new or existing case.
2. The struc...
When a search is finished, its results can be added to the special
Search results report. This report can be generated both for advanced
search and keyword search results.
TO GENERATE THE SEARCH RESULTS REPORT:
1. Perform a search.
2. Select the results...
Electronic Evidence Examiner allows you to perform searches in chat
databases.
To search for text data, it is recommended that you use the keyword
search. Keyword searches are performed much faster than regular
searches. Please note that keywords in you...
Electronic Evidence Examiner allows you to perform searches in the
Internet Browser data added as evidence to the case.
To search for text data, it is recommended that you use a keyword
search. Keyword searches are performed much faster than regular
sea...
TO SEARCH FOR DATA IN MAILSTORAGE (email) evidence:
1. Add evidence to a new or existing case.
2. Select the mailstorage, folder, or message in which the data will
be searched.
3. Right-click and select Advanced Search or click Advanced Search on
the Ana...
Electronic Evidence Examiner allows you to perform searches in sorted
files using special parameters.
To perform searching, do the following:
1. Add evidence or acquire/import mobile data to a new or
existing case.
2. The structure of the evidence/mobi...
Sorting means identifying the file types of the binary data in the
evidence while calculating the MD5, SHA-1, and SHA-256 hashes of each file.
It is recommended that you perform sorting upon adding evidence to
expedite working with Electronic Evidence Examiner and...
Usually, The Bat! email database contains the following data:
* The Account.cfn file.
* The Account.flb file.
* Folders with the account name (mailboxes). These contain files and
folders that belong to the account.
The folder for each account con...
The mailbox is a folder. It contains the following data:
* Global settings: abook.mab (the address book), xpti.dat (the
service components), XUL.mfl (appearance settings), etc. These files
are not parsed by Electronic Evidence Examiner.
* Information ...
Evidence structure can be viewed in the CASE CONTENT PANE.
Evidence content can be viewed in the DATA VIEW PANE.
Content of email messages can be viewed in the special EMAIL DATA
PANE.
Content of chat databases can be viewed in the special RTF VIEWER.
Con...
Google Chrome Browser Data allows the user to view the contents of
History, Keywords, Logins, Auto-fill items, and Cookies created by the
Google Chrome browser.
Google Chrome data is displayed in the form of a main node and six
sub-nodes:
HISTORY is displa...
Internet Explorer Browser Data allows the user to view the contents
of the History, Cookies and Temporary Internet Files list.
The COOKIES AND HISTORY DATA created by Internet Explorer is
displayed in a grid with the following columns:
* Type: This ...
Mozilla Firefox Internet Browser data allows the user to view the
contents of the History and Cache data created by the Mozilla Firefox
browser.
THE HISTORY DATA created by Mozilla Firefox is displayed in a grid
with the following columns:
- Title: Thi...
By default, sorted files/folders in the Data View pane and Case
Content pane are marked in blue (sorted files) and purple (sorted
files linked to a hash database) and they have the Yes value in the
Sorted field on the Content Analysis tab of the Propertie...
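The three hashes that sorting computes are what link a sorted file to a hash database such as the NIST set described elsewhere on this page, and the MD5 sidecar written next to each exported image is what lets a reviewer prove the export was not altered. The Python below is an added example, not Paraben's sorting engine or NSRL importer: it streams each file once for MD5, SHA-1 and SHA-256, reads a minimal NSRL RDS-style CSV (only the SHA-1 and MD5 columns are used; the row format and file names are constructed for the example) into a known-file set, marks files as known or unknown, and verifies a .md5 sidecar before and after the exported file is tampered with. The assumption that the sidecar's first token is the hex digest is the example's own.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")   # the three digests the page says sorting computes


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream the file once and return {algorithm: hex digest} for all three."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def load_hash_set(lines) -> set:
    """Parse NSRL RDS-style CSV rows ("SHA-1","MD5","CRC32","FileName",...)
    into a set of lowercase SHA-1 and MD5 strings. Only the first two columns
    are used; this is a minimal reader, not the full RDS import."""
    known = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith('"SHA-1"'):      # header row
            continue
        fields = [f.strip('"') for f in line.split(",")]
        known.add(fields[0].lower())
        known.add(fields[1].lower())
    return known


def classify_file(path: str, known: set) -> tuple:
    """Mark a file 'known' when its SHA-1 or MD5 is in the hash set, else 'unknown'."""
    digests = hash_file(path)
    hit = digests["sha1"] in known or digests["md5"] in known
    return ("known" if hit else "unknown"), digests


def verify_md5_sidecar(exported_path: str) -> bool:
    """Recompute the MD5 of an exported file and compare it with the .md5
    sidecar beside it. Assumes (example's assumption) that the sidecar's
    first whitespace-separated token is the hex digest."""
    with open(exported_path + ".md5", encoding="utf-8") as fh:
        recorded = fh.read().split()[0].lower()
    return hash_file(exported_path)["md5"] == recorded


# Constructed sample data: one file standing in for a stock OS component that
# appears in the hash set, one that does not.
KNOWN_BYTES = b"constructed bytes standing in for a stock OS file\n"
SUSPECT_BYTES = b"constructed bytes of a file absent from the hash set\n"
SAMPLE_RDS = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    f'"{hashlib.sha1(KNOWN_BYTES).hexdigest().upper()}",'
    f'"{hashlib.md5(KNOWN_BYTES).hexdigest().upper()}",'
    f'"00000000","stock.dll","{len(KNOWN_BYTES)}","1","WIN",""\n'
)


def demo() -> dict:
    """Write the samples to a temp folder, classify them, then check a .md5
    sidecar before and after the exported file is altered."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {"stock.dll": KNOWN_BYTES, "dropper.exe": SUSPECT_BYTES}
        for name, blob in paths.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(blob)
        known = load_hash_set(SAMPLE_RDS.splitlines())
        for name in paths:
            results[name] = classify_file(os.path.join(d, name), known)[0]
        exported = os.path.join(d, "dropper.exe")
        with open(exported + ".md5", "w", encoding="utf-8") as fh:
            fh.write(hashlib.md5(SUSPECT_BYTES).hexdigest() + "  dropper.exe\n")
        results["sidecar_ok"] = verify_md5_sidecar(exported)
        with open(exported, "ab") as fh:      # simulate post-export tampering
            fh.write(b"\x00")
        results["sidecar_after_tamper"] = verify_md5_sidecar(exported)
    return results


if __name__ == "__main__":
    print(demo())
```

MD5 collisions are cheap to produce, so a sidecar that records only MD5 proves the export was not accidentally altered, not that nobody substituted a crafted file; when you control the export, record SHA-256 alongside it. For hash-set matching, a SHA-1 or SHA-256 hit is the value to rely on, with MD5 kept only as a lookup key for older databases.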
Data in SQLite Database evidence is stored in a tree-like structure.
The following data is displayed in the Case Content pane:
* Evidence node –
* Evidence type node – SQLite Database
* Tables
The content of t...
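The tree E3 shows for SQLite evidence (evidence node, tables, then rows) is what you get from sqlite_master plus a count per table; the part a practitioner must get right is opening the evidence without touching it. The Python below is an added example, not E3's SQLite plug-in: it opens a database through a `mode=ro&immutable=1` URI so SQLite takes no locks and writes no -journal/-wal side files, lists tables, columns and row counts, reads the freelist page count as a hint that deleted content may be recoverable, and confirms that the read-only handle rejects an UPDATE. The chat-style schema (loosely modelled on a Skype main.db) and its rows are constructed for the example.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def open_readonly(path: str) -> sqlite3.Connection:
    """Open an SQLite evidence file without modifying it.

    mode=ro refuses every write; immutable=1 additionally tells SQLite the file
    cannot change under it, so it takes no locks and creates no -journal/-wal
    side files next to the evidence. A plain connect() on a WAL-mode database
    would create -wal/-shm files and checkpoint the WAL on close.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def triage(path: str) -> dict:
    """Return the tree E3 presents for SQLite evidence (tables, columns, row
    counts) plus header facts that hint at deleted content."""
    conn = open_readonly(path)
    try:
        info = {
            "page_size": conn.execute("PRAGMA page_size").fetchone()[0],
            # pages on the freelist once held data and may still contain deleted rows
            "freelist_pages": conn.execute("PRAGMA freelist_count").fetchone()[0],
            "tables": {},
        }
        rows = conn.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
        ).fetchall()
        for (name,) in rows:
            # table names come from the evidence, so quote them as identifiers
            quoted = '"' + name.replace('"', '""') + '"'
            count = conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            cols = [c[1] for c in conn.execute(f"PRAGMA table_info({quoted})")]
            info["tables"][name] = {"rows": count, "columns": cols}
        return info
    finally:
        conn.close()


def demo() -> tuple:
    """Build a constructed chat-style database in a temp dir, delete one
    message, triage it read-only and confirm the handle rejects writes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "main.db")
        conn = sqlite3.connect(path)
        conn.executescript("""
            CREATE TABLE Accounts(id INTEGER PRIMARY KEY, skypename TEXT);
            CREATE TABLE Messages(id INTEGER PRIMARY KEY, author TEXT,
                                  timestamp INTEGER, body_xml TEXT);
            INSERT INTO Accounts VALUES (1, 'sample.user');
            INSERT INTO Messages VALUES
                (1, 'alice', 1420070400, 'hi'),
                (2, 'bob',   1420070460, 'hello'),
                (3, 'alice', 1420070520, 'this row is deleted below');
            DELETE FROM Messages WHERE id = 3;
        """)
        conn.close()
        info = triage(path)
        ro = open_readonly(path)
        try:
            ro.execute("UPDATE Messages SET body_xml = 'tampered'")
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
        finally:
            ro.close()
        return info, write_blocked


if __name__ == "__main__":
    summary, blocked = demo()
    print(summary, "writes blocked:", blocked)
```

Because immutable=1 skips locking and change detection, any -wal or -journal file that was acquired next to the database must be preserved and examined separately: committed-but-uncheckpointed records live there, not in the main file. A deleted row that did not free a whole page (as in the demo) leaves no trace in freelist_count; its bytes remain as unallocated space inside the leaf page, which is why carving tools still read raw pages.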
There are three search types: advanced search, keyword search, and sorted files search.
Advanced search is a general search engine with powerful customization.
It offers many options for getting the most accurate
results. For example, the user can search for HEX or text, use ...
We parse DJI GO drone data from iOS devices and Fitbit data from
Android devices.
We can acquire smart watches based on Samsung Tizen, Google Wear, or
Android. We will also support Alexa Cloud.
A forensic container is a specially designed secure database. Data in
forensic containers is encrypted and password-protected. Only E3 and
Evidence Reviewer can access the data in the database. DP2C and
FF sticks collect data into forensic containers. A...
During logical acquisition we get the logical structure and its related
data; in other words, we copy all available files from the file system
to a case. Logical acquisition has some limitations related to
device restrictions. Usually, we can't get all files...
Rooting is the process of obtaining root permissions on an Android
device. After that, we can access all file system data using
Android SDK functions. Android must be booted, USB debugging must be
enabled, and the device must be unlocked. In the case of bootloade...
Usually, we get data in its raw format as dumps or databases, so it is
not easy or convenient for users to work with such data.
For example, they need to know where the system stores useful data. It is
a big problem to find it within all the system ...
After scanning for malware, you can view the scan results for each
scanned file individually or generate a special Windows PE Files
Malware Scan Report for all scanned files.
To view the scan results for an individual file, select a scanned
file, select...