

Table of Contents

About Electronic Evidence Examiner How To ...... 12
How to Work with Cases ...... 13
How to Create New Case ...... 13
How to Enable Automatic Case Naming ...... 14
How to Define Case Name During Automatic Case Creation ...... 14
How to Open Existing Case ...... 15
How to Save Case to Archive ...... 16
How to Change Default Case Location ...... 16
How to Add Data to Case ...... 17
How to Add Evidence ...... 18
How to Acquire Devices ...... 20
How to Import Mobile Data ...... 21
How to Import Cloud Data ...... 22
How to Import Office 365 Data ...... 23
How to Prepare Environment for Importing Office 365 Data ...... 23
How to Import Office 365 Data ...... 31
How to Investigate Different Types of Evidence ...... 32
How to Investigate Mailstorages ...... 32
How to Investigate Different Types of Mailstorages ...... 33
How to Autodetect Mailstorage Format ...... 33
How to Investigate America On-line (AOL) Mailstorage ...... 35
How to Investigate Microsoft Exchange Mailstorage ...... 36
How to Investigate GroupWise Mailstorage ...... 40
How to Investigate Lotus Notes Mailstorage ...... 42
How to Investigate Mailstorage ...... 46
How to Investigate The Bat! Mailstorage ...... 48
How to Investigate Thunderbird Mailstorage ...... 51
How to Investigate Mailstorage ...... 52
How to Investigate Mailstorage ...... 54
How to Investigate E- ...... 56
How to Investigate E-mail Examiner Archive ...... 57
How to Investigate Takeout Storage ...... 58
How to Investigate Windows Mail Database ...... 60
How to Investigate Database ...... 61
How to Investigate Windows 10 Mail database ...... 62
How to Investigate Mailstorage Stored within Added File System Evidence ...... 64
How to Investigate E-mails Stored in tar.gz Archives ...... 64
How to View Mailstorage Evidence ...... 65
How to View in Different Formats ...... 65
How to View Attachments ...... 66
How to View Attachments that Can Be Opened as Embedded Evidence ...... 68
How to Detect Attachment File Types ...... 68
How to Perform Searches in Mailstorage Evidence ...... 69
How to Search in Mailstorages ...... 69
How to Search in Message Attachments ...... 70
How to Search in Mailstorage by Attachment Type ...... 72
How to Search for Data in Message Body Only ...... 73
How to Find with Particular Senders or Particular Receivers ...... 74
How to Search in Deleted Messages ...... 76
How to Search in Email Messages Sent on a Specific Date ...... 77
How to Search for Email Addresses Sent in Message Bodies ...... 79
How to Search for Text Data ...... 80
How to Export Mailstorage Data ...... 82
How to Export the Mailstorage to Another Format ...... 82
How to Export an Attachment ...... 83
How to Export All Attachments ...... 84
How to Create Attachments List ...... 85
How to Print Messages ...... 86
How to Investigate Chat Databases ...... 87
How to Investigate Different Types of Chat Databases ...... 87
How to Autodetect Chat Database Format ...... 87
How to Investigate Yahoo! Chat Databases ...... 88
How to Investigate Skype Chat Databases ...... 89
How to Investigate ICQ Chat Databases ...... 91
How to Investigate Miranda Chat Databases ...... 93
How to Investigate Hello Chat Databases ...... 94
How to Investigate Trillian Chat Databases ...... 95
How to Investigate MSN and Windows Live Chat Databases ...... 96
How to Investigate Chat Database Stored Within Added File System Evidence ...... 97
How to View Chat Database Evidence ...... 98
How to View Chat History ...... 98
How to View Skype File Transfer History ...... 99
How to Perform Searches in Chat Database Evidence ...... 100
How to Search in Chat Databases ...... 100
How to Search for Messages from Several Combined Screennames ...... 101
How to Search for Messages that Were Sent at a Specific Time ...... 102
How to Investigate Internet Browser data ...... 103
How to View History and Temporary Internet Files Created by Internet Explorer ...... 103
How to View Mozilla Firefox History Data ...... 104
How to View Data ...... 106
How to View Google Chrome Keywords ...... 107
How to Export Images from Temporary Internet Files ...... 108
How to Search in Internet Browser Data ...... 109
How to Investigate File System ...... 110
How to Investigate Different Types of File Systems ...... 110
How to Autodetect Disk Image File System Type ...... 110
How to Investigate Disk Image ...... 111
How to Investigate Separate Folders ...... 113
How to Investigate Logical Drive ...... 114
How to Investigate Physical Drive ...... 115
How to Investigate FAT File System Data ...... 116
How to Investigate NTFS File System Data ...... 116
How to Investigate ExtX File System Data ...... 117
How to Investigate HFS File System Data ...... 118
How to Investigate FATX File System Data ...... 118
How to Investigate STFS File System Data ...... 119
How to View Filesystem Evidence ...... 119
How to View the Contents of Files/Folders ...... 119
How to View Deleted Files and Folders ...... 120
How to View Free Parts of Disk Added as Evidence ...... 120
How to View the File Slack ...... 122
How to View File ADS ...... 122
How to View Files with Wrong Extensions ...... 123
How to View Contents of Hidden Partitions in Physical Drive Evidence ...... 123
How to View the Link Files ...... 124
How to View the Jump List Files ...... 125
How to Perform Searches in Filesystem Evidence ...... 125
How to Search for Data in File System Evidence ...... 125
How to Search in Ext File System Data ...... 127
How to Search in HFS File System Data ...... 128
How to Search for All Documents Created Within a Specific Period of Time in File System Evidence ...... 129
How to Export Filesystem Evidence Data ...... 130
How to Export Filesystem Data (File Type) ...... 130
How to Export Filesystem Data (Folder Type) ...... 131
How to Export All Graphic Files in File System Evidence ...... 133
How to Investigate Registry Data ...... 133
How to Investigate Registry Data ...... 133
How to Search in Registry Data ...... 135
How to Investigate OLE Storage ...... 136
How to View OLE Storage ...... 137
How to Search in OLE Storage ...... 138
How to Investigate Archive Data ...... 139
How to View Archives Locked by Password ...... 139
How to View Archive Contents ...... 140
How to Export Archive Data ...... 141
How to Search in Archive Data ...... 142
How to Investigate Dump Files ...... 143
How to Investigate Dump Files ...... 143
How to Search in Dump File Evidence ...... 144
How to Investigate E3 Mobile Data Case ...... 145
How to Investigate E3 Mobile Data Case ...... 145
How to View Parsed Recovered Data ...... 147
How to Search in E3 Mobile Data Case ...... 147
How to Investigate iTunes Backup Data ...... 148
How to Investigate iTunes Backup Data ...... 149
How to View Parsed Recovered Data ...... 150
How to View Password-Protected iTunes Backup ...... 150
How to Search in iTunes Backup ...... 151
How to Export iTunes Backup Data ...... 152
How to Investigate JTAG Memory Dumps ...... 154
How to Investigate JTAG Memory Dumps ...... 154
How to Search in JTAG Memory Dump Evidence ...... 155
How to Investigate SQLite Databases ...... 156
How to Investigate SQLite Databases ...... 156
How to View Embedded Binary Files ...... 157
How to Search in SQLite Databases ...... 157
How to Investigate Project-a-Phone Data ...... 158
How to Investigate Project-a-Phone Data ...... 158
How to View Project-a-Phone Data ...... 159
How to Search in Project-a-Phone Data ...... 160
How to Investigate Xbox Data ...... 160
How to Investigate Xbox Data ...... 161
How to View Xbox Data ...... 162
How to Search in Xbox Data ...... 163
How to Work with Forensic Container Data ...... 164
How to Create New Forensic Container ...... 164
How to View Forensic Container Data ...... 165
How to View Audit Log ...... 167
How to Search in Forensic Container Data ...... 167
How to Acquire and Investigate Mobile Device Data ...... 170
Drivers Installation ...... 170
How to Check That Drivers Are Installed ...... 171
How to Check That Device Is Detected ...... 179
How to Acquire Different Types of Devices ...... 181
How to Acquire Data from iPhone/iPad/iPod Touch/iPod Devices ...... 181
How to Acquire Data from iPhone Devices ...... 181
How to Acquire Data from iPad Devices ...... 188
How to Acquire Data from iPod Touch Devices ...... 192
How to Acquire Data from iPod Devices ...... 195
How to View Installed Application Information and Parsed Application Data ...... 198
How to Put Phone/iPad/iPod Touch in DFU Mode ...... 198
How to Acquire Data from Android OS Devices ...... 201
How to Acquire Data from Android OS Devices ...... 201
How to Acquire Data from Advanced Android LG Devices ...... 209
How to Acquire Data from Android Spreadtrum Devices ...... 212
How to Acquire Data from Android MTK Devices ...... 216
How to Acquire Data from Samsung Devices with Android OS 4.4.4–6.0.1 ...... 220
How to Acquire Data from Samsung Devices with Android OS 4.0.3-7.x ...... 225
How to Acquire Data from Android Wear Devices ...... 228
How to Acquire Data from Kindle Fire Tablets ...... 235
How to View Installed Applications Information and Parsed Applications Data ...... 241
How to Put Device in Firmware Update Mode ...... 242
How to Acquire Data from Windows Phone Devices ...... 245
How to Acquire Data from RIM Blackberry Devices ...... 247
How to Acquire Data from Tizen Devices ...... 249
How to Acquire Data from Smartphones ...... 253
How to Acquire Data from Nokia Symbian OS 9.x Devices ...... 253
How to Acquire Data from WebOS Devices ...... 255
How to Acquire Data from PDAs ...... 259
How to Acquire Data from Palm OS Devices ...... 259
How to Acquire Data from Windows Mobile Devices ...... 262
How to Acquire Data from Feature Phones ...... 264
How to Acquire Data from Alcatel Cell Phones ...... 264
How to Acquire Data from LG GSM Cell Phones ...... 266
How to Acquire Data from LG CDMA Cell Phones ...... 268
How to Acquire Data from Motorola Cell Phones ...... 271
How to Acquire Data from Motorola iDEN Phones ...... 273
How to Acquire Data from Nokia GSM Cell Phones ...... 275
How to Acquire Data from Nokia TDMA Phones ...... 278
How to Acquire Data from Samsung GSM Cell Phones ...... 279
How to Acquire Data from Samsung CDMA Cell Phones ...... 282
How to Acquire Data from Sanyo CDMA Cell Phones ...... 285
How to Acquire Data from Siemens Cell Phones ...... 287
How to Acquire Data from Sony Ericsson Cell Phones ...... 289
How to Acquire Data from ZTE Cell Phones ...... 291
How to Acquire Data from GPS devices ...... 293
How to Acquire Data from Garmin Devices ...... 293
How to Acquire Data from TomTom GPS Devices ...... 296
How to Acquire Data from SIM Cards ...... 297
How to Acquire Data from Memory Card/Mass Storage/e-Reader/Portable Devices ...... 300
How to Acquire Data from Memory Cards ...... 300
How to Acquire Data from Mass Storages ...... 301
How to Acquire Data from e-Readers (including Kindle Devices) ...... 303
How to Acquire Data from Portable Devices ...... 305
How to Use Root Engine ...... 307
How to Import Mobile Data ...... 313
How to Import Data ...... 313
How to Import Data from Encrypted iPhone Backups ...... 314
How to Import Data from RIM BlackBerry 10 Backup ...... 316
How to Import Cloud Data ...... 317
How to Find and Export Authentication Data ...... 317
How to Import Cloud Data Using Authentication Data ...... 317
How to Import Cloud Data Using User Account Credentials ...... 322
How to View Mobile Data ...... 326
How to View Parsed Data ...... 326
How to View Parsed Recovered Data ...... 327
How to View Attachments ...... 327
How to View Binary Files ...... 328
How to View Geolocation Data on Maps ...... 328
How to View Device Information ...... 329
How to View Data from Android OS/iOS devices ...... 329
How to View User Activity Timeline ...... 329
How to View Installed Applications ...... 331
How to View Contact Email Accounts ...... 331
How to View ICE Contacts ...... 331
How to View Location Data ...... 332
How to View Recent Web Searches ...... 332
How to Analyze SQLite Databases ...... 333
How to Analyze plist Files ...... 335
How to Work with Data in Different Formats ...... 336
How to Work with Parsed Data ...... 336
How to Work with Data in Text Format ...... 336
How to Work with Data in Hex Format ...... 337
How to Work with Data in Image (Graphics) Format ...... 338
How to Work with Data in Document Format ...... 338
How to Work with Data in GPS Format ...... 339
How to Search in Mobile Data ...... 339
How to Validate Mobile Data Hash Code ...... 340
How to Work with Mobile Evidence Comparer ...... 341
How to Compare Two Cases with Mobile Data ...... 341
How to Prepare Mobile Evidence Comparer Report ...... 342
How to Clone SIM Card from Existing Card ...... 343
How to Investigate Embedded Data ...... 345
How to View Mailstorage Stored in Added Disk/Disk Image ...... 345
How to View Chat Databases Stored in Added Disk/Disk Image ...... 346
How to Search in Embedded Data ...... 347
How to Perform Content Analysis in Embedded Data ...... 348
How to Perform Export ...... 350
How to Export Messages from Several Databases ...... 350
How to Add Messages with Certain Parameters to New Case ...... 352
How to Export Messages in Mailstorage Without Saving Its Attachments ...... 355
How to Export All Graphics/Multimedia Files Stored in Evidence/Mobile Data ...... 356
How to Export Files ...... 357
How to Export Folders ...... 358
How to Export GPS Data to MapLink ...... 360
How to Work with Auto-Exam ...... 362
How to Process Evidence with Auto-Exam ...... 362
How to Enable and Disable Auto-Exam Wizard Automatic Pop-up Option ...... 363
How to Perform Content Analysis ...... 365
How to Perform Sorting in Evidence/Mobile Data ...... 365
How to Perform Keyword Indexing in Evidence/Mobile Data ...... 366
How to Analyze Sorted Graphic Files Using Thumbnails Viewer ...... 367
How to Find All Graphic Files Stored in File System Evidence/Mobile Data ...... 369
How to Perform Malware Scan ...... 370
How to Extract Text Data in Default Language from Graphic Files ...... 371
How to Extract Text Data in Non-Default Language from Graphic Files ...... 372
How to Search in Sorted Data ...... 375
How to Search for Text Data ...... 376
How to Search in Extracted Text Data ...... 377
How to Use Image Analyzer ...... 378
How to Work with Hash Databases ...... 381
How to Use NIST Hash Database ...... 381
How to Use User-Created Hash Databases ...... 381
How to Prepare Report ...... 384
How to Prepare Report ...... 384
How to Add Graphics from Message Attachments to Report ...... 385
How to Generate Search Results Report ...... 388
How to Use Data Triage ...... 390
How to View Email Databases Detected via the Registry ...... 390
How to View Chat Databases in the Registry ...... 390
How to View Internet Browser Data in the Registry ...... 391
How to View Detected My Documents Folders ...... 392
How to View Detected Recently Used Files ...... 392
How to View Media Databases ...... 393
How to View Cortana Search Suggestions, Search Results and Voice Commands ...... 394
How to View Data from the Communications Apps ...... 395
How to View Windows Apps and Packages Data ...... 395
How to View File History Data ...... 396
How to View Cloud Storages Data ...... 397
How to View Recent Typed URLs ...... 397
How to View Recent Searches Performed via Windows Explorer ...... 398
How to View Recently Opened and Saved Documents ...... 399
How to View a List of Programs Set to Autorun for the User ...... 399
How to View a List of Run Commands ...... 400
How to Get Information on Mounted Storage Devices and External Memory Cards ...... 401
How to View a List of Installed Programs ...... 401
How to Get Information ...... 402
How to View Deleted Recent Documents ...... 404
How to Get Information on Last Logged on User ...... 404
How to Get Information on Network Connections ...... 405
How to Work with Regular Expressions ...... 406
How to Find Credit Card Numbers in Added Evidence ...... 406
How to Find All Email Addresses in Added Evidence ...... 407
How to Find IP Addresses ...... 408
How to Find the Phone Numbers for Different Countries ...... 409
How to Find URL Address ...... 410
How to Create Special Template for Searching ...... 411
How to Use Python SDK ...... 413
Other Questions ...... 415
How to Change Color Settings in Electronic Evidence Examiner ...... 415
How to Use Boolean Search ...... 416
How to Use Load Words Option ...... 417
How to Skip Displaying of Items in Mailstorages ...... 418
Index ...... 420


About Electronic Evidence Examiner How To

This manual is designed to make it easier for you to perform the most common actions in Electronic Evidence Examiner.

For more information, please see the Electronic Evidence Examiner help file.


How to Work with Cases

How to Create New Case

1. In the Case menu, select Create New Case or select Create New Case on the Welcome screen of Electronic Evidence Examiner.

Two cases can't be opened simultaneously. The currently opened case will be saved and closed.

2. The New Case wizard appears.

3. On the Case Properties tab, enter the case name (the name of the *.e3 file where the case will be saved) and the case description. Case name is a required field.

4. Select the Additional Information tab, enter the investigator information (if desired), and click Finish. Once the entered information is saved, it will appear in a drop-down list for future cases.


5. Select the folder where the case will be stored and its file name (C:\Users\\My Documents\Paraben’s Electronic Evidence Examiner by default).

6. A new case is created. The Add New Evidence window opens, and new evidence can be added.

How to Enable Automatic Case Naming

1. Select Options in the Case menu.

2. Open the Common options page.

3. Clear the Ask a case name during automatic case creation option.

4. Click OK.

5. When the options are applied, cases will be created automatically and saved to the default location. The name of the case file will be case.e3.

How to Define Case Name During Automatic Case Creation

1. Start adding evidence, device acquisition, or data import without creating or opening a case.

2. The New Case window opens.

3. In the Case name box, enter the case name.

A case name can contain only English letters, digits, spaces, and some special characters such as comma, hyphen, and period.

4. In the Location box, enter the case path or click Browse to navigate to the required case location.

The case path must not contain Unicode characters.

5. Select the Don’t ask me again and always use the default case name option if you want cases to be created with a default name and saved to the default location.

6. Click Continue.

7. The case is created.

8. Once the case is created, the Add Evidence window or the Acquisition or Import wizard opens automatically.

How to Open Existing Case

Electronic Evidence Examiner allows you to open cases in *.e3 format as well as cases in old *.p2c format.

To open an existing case, do the following:

1. In the Case menu, select Open Case.

Cases created or opened in a newer version of Electronic Evidence Examiner cannot be opened in any previous version of the program.

2. The standard Windows Open window opens. Navigate to the case and double-click its name to open it (or select it and click Open).

3. The case opens.

To open a recently used case, do the following:

1. In the Case menu, select Recent.

2. From the list, select the case you want to open.

The ten most recently opened cases are displayed.


How to Save Case to Archive

Electronic Evidence Examiner allows you to save a case to an archive in ZIP format. The case is saved along with its keyword indexing database and the evidence stored in the same folder.

To save a case to an archive:

1. Open an existing case or create a new case.

2. If you want to save the case along with all evidence added to it, make sure that the case and the evidence are stored in the same location.

3. In the Case menu, click Save As Archive.

4. In the Save As window, define the name of the *.zip file and the location to which it will be saved, and click Save.

5. The progress of saving is displayed.

6. After saving finishes, the list of files included in the archive is displayed. Click OK.

How to Change Default Case Location

The default case location is the location in which cases are created and from which they are opened by default. When you initially install Electronic Evidence Examiner, the default location is C:\Users\\Documents\E3 Cases.

In the Electronic Evidence Examiner version 1.4 and lower, the default case location was automatically changed after the Save As operation. Since version 1.5 this feature is no longer available.

To change the default case location:

1. In the Case menu, select Options.

2. On the Common page, in the Default case location box, enter a new default path or click Browse and navigate to a new default case location.

3. Click OK.

4. The default case location is changed.


How to Add Data to Case

Electronic Evidence Examiner allows you to add to a case and investigate different types of evidence from an investigated computer.

Evidence can be added with the following packages:

E3: Universal
• Logical/physical drives
• Folders
• Image files
• Mailstorages
• Network mailstorages
• Chat databases
• Internet browser data
• Registry files
• Game console data
• E3 mobile data cases
• iTunes backups
• JTAG memory dumps
• Project-a-Phone data evidence
• Forensic containers
• OLE storages
• Archives
• Dump files
• SQLite databases

E3: P2C
• Logical/physical drives
• Folders
• Image files
• Mailstorages
• Network mailstorages
• Chat databases
• Internet browser data
• Registry files
• Game console data
• E3 mobile data cases
• iTunes backups
• Forensic containers
• OLE storages
• Archives
• Dump files
• SQLite databases

E3: DS
• E3 mobile data cases
• JTAG memory dumps
• SQLite databases
• Project-a-Phone folders

E3: EMX
• Mailstorages

E3: NEMX
• Network mailstorages

E3: Internet
• Chat databases
• Internet browser data

E3: Viewer
• E3 mobile data cases
• Forensic containers
• Project-a-Phone folders

E3: IA Boost
Potentially illicit images in the following categories:
• Drugs
• Gore
• Porn
• Swim underwear
• Extremism
• Weapons

How to Add Evidence

To add evidence to a new or existing case, do the following:

1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen.

2. If there is no open case, the New Case window opens, where you can define the name and location of the created case. See the How to Define Case Name During Automatic Case Creation section for details.

If the Ask a case name during automatic case creation option in the Common options is cleared, the case will be saved automatically to the default location and its name will be case.e3.

3. Once the case is created, the Add New Evidence window opens.

4. Follow the instructions on adding the corresponding type of evidence to the case:
• Mailstorage data
• Chat database data
• File system data
• Registry data
• Internet browser data
• OLE storage data
• Archive data
• Dump file
• E3 mobile data case
• iTunes backup data
• JTAG memory dump
• SQLite database
• Project-a-Phone data
• Xbox data
• Forensic Container data


How to Acquire Devices

Electronic Evidence Examiner allows you to acquire data from different types of mobile devices and automatically add it to a case as E3 mobile data case evidence.

Device acquisition is available with the E3: Universal and E3: DS packages.

To acquire device data to a new or existing case:

1. Do one of the following:
• Click Acquire Device on the Welcome screen.
• Click Start Acquisition on the Evidence tab, in the Mobile Data group.
• Click Add Evidence on the Welcome screen or on the Evidence tab, in the Evidence group; then, in the Add New Evidence window, select Mobile Data Acquisition in the Mobile Data category and click OK.

2. If there is no open case, the New Case window opens, where you can define the name and location of the created case. See the How to Define Case Name During Automatic Case Creation section for details.

If the Ask a case name during automatic case creation option in the Common options is cleared, the case will be saved automatically to the default location and its name will be case.e3.

3. Once the case is created, the Acquisition wizard opens.

4. Follow the instructions on acquiring data from the corresponding type of device:
• Apple iOS devices (iPhone, iPad, iPod, and iPod Touch)
• Android OS devices
• Windows Phone devices
• RIM BlackBerry devices
• Tizen devices
• Smartphones
• PDAs
• Feature phones
• GPS devices
• SIM cards
• Memory cards, mass storages, e-readers, and portable devices

How to Import Mobile Data

Electronic Evidence Examiner allows you to import data from various sources, such as mobile device backups, GPS files, other mobile forensic tools, etc.

Data import is available with the E3: Universal and E3: DS packages.

To import data to a new or existing case:

1. Do one of the following:
• Click Import Data on the Welcome screen.
• Click Import From on the Evidence tab, in the Mobile Data Import group.
• Click Add Evidence on the Welcome screen or on the Evidence tab, in the Evidence group; then, in the Add New Evidence window, select Mobile Data Import in the Mobile Data category and click OK.

2. If there is no open case, the New Case window opens, where you can define the name and location of the created case. See the How to Define Case Name During Automatic Case Creation section for details.

If the Ask a case name during automatic case creation option in the Common options is cleared, the case will be saved automatically to the default location and its name will be case.e3.

3. Once the case is created, the Import wizard opens.

4. Follow the instructions on importing data from the corresponding source:
• RIM Blackberry 1.x–7.x and iPhone 1.x-10.2 backup files, GrayKey cases, Cellebrite UFED XML reports, tower information, and GPS and KML maps
• Encrypted iPhone backups

You can also import iPhone backups with the E3: P2C package using the Add Evidence wizard.

• BlackBerry 10 backups

How to Import Cloud Data

Electronic Evidence Examiner allows you to import data from cloud-based services either by using authentication data extracted from logically acquired Android OS data or from imported encrypted iTunes backup data, or by using user account credentials.

The possibility to import cloud data comes with the E3: DS package.

To import cloud data using an authentication data file, find and export an authentication data file and then follow this instruction.

To import cloud data using user account credentials, follow this instruction.


How to Import Office 365 Data

Electronic Evidence Examiner allows you to obtain Outlook data from the Microsoft Office 365 account.

How to Prepare Environment for Importing Office 365 Data

To prepare the environment for importing Outlook data from Microsoft Office 365 accounts, you need administrator account credentials to obtain the Application (client) ID, Directory (tenant) ID, and Client secret required for authentication.

To do this, register Electronic Evidence Examiner as a trusted application:

1. Go to https://portal.azure.com/ and log in using the Office 365 administrator credentials.

2. In the Favorites menu, select Azure Active Directory.

3. In the Manage menu, click App registrations.

4. Click New registration.

5. On the Register an application page, enter any application name in the Name text box, select Accounts in this organizational directory only under Supported account types, and in the Redirect URI (optional) section select Public client (mobile & desktop) from the list.

6. Click Register.

7. On the Overview page, copy the Application (client) ID and Directory (tenant) ID and save them to a safe location.

8. In the Manage menu, click API permissions, and then click Add a permission.

9. On the Request API permissions page, click Microsoft Graph.

10. Click Application permissions.

11. In the permissions list, expand Mail and select Mail.Read.

12. Then expand User, select User.Read.All, and click Add permissions.

13. On the API permissions page, in the Grant consent section, click Grant admin consent for, and then click Yes.

14. On the Certificates & secrets page, click New client secret in the Client secrets section.

15. Enter any description, select Never in the Expires list, and click Add.

16. The client secret is displayed in the Value column of the Client secrets section.

The Client secret should be copied and saved to a safe location immediately after it is generated, as it will not be shown again.

17. To copy the client secret, click the Copy icon next to the client secret value and paste it into the selected text document.
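What the registration above sets up is app-only (client-credentials) access to Microsoft Graph: the application authenticates with its client secret, no user signs in, and the two application permissions granted by admin consent (Mail.Read and User.Read.All) appear in the token's roles claim. The script below is an added example, not Electronic Evidence Examiner's own code; it assumes the three values from the registration are supplied in environment variables named here (AZ_TENANT_ID, AZ_CLIENT_ID, AZ_CLIENT_SECRET), uses Microsoft's public v2.0 token endpoint and Graph v1.0 endpoint, and checks the roles claim before enumerating mailboxes so that a missing admin consent (step 13) is reported up front instead of as a 403 halfway through. Only main() touches the network; the helpers run offline.

```python
"""App-only Microsoft Graph access as configured by the registration above.

Added example, not Electronic Evidence Examiner's own code. Assumes the three
values the registration produced are supplied through the environment variables
AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET (names chosen here), and uses
Microsoft's public v2.0 token endpoint and Graph v1.0 endpoint.
"""
from __future__ import annotations

import base64
import json
import os
import sys
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
# The application permissions added in steps 9 to 13 of the registration.
REQUIRED_ROLES = ("Mail.Read", "User.Read.All")


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, bytes]:
    """Client-credentials grant: the app authenticates as itself, no user signs in."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # every consented app role
        "grant_type": "client_credentials",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def token_roles(access_token: str) -> list[str]:
    """Read the 'roles' claim from the token payload.

    No signature check here: Graph verifies the token on every call; this is
    only a local look at which application permissions consent actually granted.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return list(claims.get("roles", []))


def missing_roles(access_token: str) -> list[str]:
    """Registration roles absent from the token, i.e. admin consent not (yet) granted."""
    have = set(token_roles(access_token))
    return [role for role in REQUIRED_ROLES if role not in have]


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped token with an empty signature, for offline tests only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def graph_get(url: str, token: str) -> dict:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main() -> int:
    try:
        tenant, client, secret = (os.environ[k] for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET"))
    except KeyError as missing:
        print(f"environment variable {missing} is not set", file=sys.stderr)
        return 2
    url, body = build_token_request(tenant, client, secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        token = json.load(resp)["access_token"]
    gaps = missing_roles(token)
    if gaps:
        print("admin consent not granted for: " + ", ".join(gaps), file=sys.stderr)
        return 1
    # Same view the wizard's Data for Importing page gives: accounts and their mail folders.
    for user in graph_get(f"{GRAPH}/users?$select=id,userPrincipalName", token)["value"]:
        folders = graph_get(f"{GRAPH}/users/{user['id']}/mailFolders?$select=displayName,totalItemCount", token)
        counts = {f["displayName"]: f["totalItemCount"] for f in folders.get("value", [])}
        print(user["userPrincipalName"], counts)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The roles check is the part worth keeping in any tooling around this flow: an application token that lacks User.Read.All will still be issued, and the failure only surfaces later when /users is called.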


How to Import Office 365 Data

To import data from the Office 365 cloud-based service:

1. Start Electronic Evidence Examiner.

2. Obtain the values required for the account authentication.

3. On the Tools tab, in the Cloud Data group, click Import Office 365 Data.

4. If there is no open case, the New Case window opens, where you can define the name and location of the created case. See the How to Define Case Name During Automatic Case Creation section for details.

If the Ask a case name during automatic case creation option in the Common options is cleared, the case will be saved automatically to the default location and its name will be case.e3.

5. Once the case is created, the Office 365 Data Import wizard opens and the Account page is displayed.

6. On the Account page, enter the Application ID (Client ID), the Tenant ID, and the Application Secret (Client secret) assigned during the application registration, and click Authenticate.

7. The authentication starts. Its progress is displayed on the Authentication Process page.

8. After the authentication process finishes, click Continue.

9. On the Data for Importing page, the list of successfully authenticated email accounts is displayed.

10. If necessary, do the following:
• Select the Select custom date range for time related data check box and define the time interval for which the emails (inbox, outbox, etc.) from the selected email accounts must be imported.
• Select the check boxes next to the email accounts in the accounts list, and then select the check boxes next to the data to be imported from each email account. To import all data from an email account, select the check box next to it.

Only folders available for the particular email account are displayed in the Available data pane.

11. Click Import Data.

12. The import process starts and a new Import data from Office 365 task is added to the Tasks pane, where you can view its general progress. The progress is also displayed on the Importing Progress page of the Office 365 Data Import wizard.

13. When the data import is over, click Finish.

14. Data is imported and added to the case. Every imported email account is added as a separate mailstorage evidence with the corresponding account name.

How to Investigate Different Types of Evidence

How to Investigate Mailstorages

The investigation of mailstorage evidence is possible with the following packages:

Mailstorage Type            E3: Universal/P2C   E3: EMX   E3: NEMX
America On-line (AOL)       +                   +         -
Eudora                      +                   +         -
E-mail Files                +                   +         -
E-mail Examiner Archive     +                   +         -
Google Takeout              +                   +         -
Microsoft Outlook           +                   +         -
Outlook Express             +                   +         -
The Bat!                    +                   +         -
Thunderbird                 +                   +         -
Windows Mail                +                   +         -
Maildir Database            +                   +         +
Microsoft Exchange          +                   -         +
GroupWise                   +                   -         +
Lotus Notes                 +                   -         +

How to Investigate Different Types of Mailstorages

How to Autodetect Mailstorage Format

If you're not sure of the format of the mailstorage to be added to the case, Electronic Evidence Examiner allows you to autodetect it.

To autodetect the mailstorage format, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select Auto-detect e-mail database and click OK.

3. In the Select source for mounting window, select whether the evidence is found in a File or Folder and click OK.

The following mailstorages are stored in files:

AOL database                File    *.pfc
EDB database                File    *.edb
EDB 5.5 database            File    *.edb
EDB 2013/2016 database      File    *.edb
PST database                File    *.pst
OST database                File    *.ost
The Bat! database           File    *.tbb
Outlook Express database    File    *.dbx
NSF database                File    *.nsf
Eudora database             File    *.mbx
Google Takeout Storage      File    *.mbox
E-mail File database        File    *.eml
E-mail Examiner archive     File    *.pmx

The following mailstorages are stored in folders:

GroupWise database          Folder containing a mailstorage
The Bat! database           Folder containing a mailstorage
Thunderbird database        Folder containing a mailstorage
Outlook Express database    Folder containing a mailstorage
Eudora database             Folder containing a mailstorage
E-mail File database        Folder containing a mailstorage
Windows Mail database       Folder containing a mailstorage
Maildir database            Folder containing a mailstorage
Zimbra email archives exported as *.eml files (EML)    Folder containing a mailstorage

4. If you select the Folder option, in the Browse For Folder window, navigate to the folder containing the mailstorage and click Open. If you select the File option, in the standard Open window, navigate to the file and click Open.
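Autodetection has to work from the data, not the file name: an evidence file may have been renamed, or, as with AOL stores, never had an extension. The following Python script is an added example, not code from Electronic Evidence Examiner or this manual, of that approach for the formats in the two tables above. The signatures it relies on are well-known file magics that the manual does not state and are therefore assumptions of the example: PST/OST files begin with "!BDN", Exchange EDB files are ESE databases with 0x89ABCDEF at offset 4, Outlook Express DBX files begin with CF AD 12 FE, mbox-style stores (Eudora *.mbx, Google Takeout *.mbox, Thunderbird folders) begin with a "From " separator line, and an *.eml file has no magic but opens with RFC 5322 header lines. Folder stores are recognised by their layout (Maildir cur/new/tmp) or by a marker file (MESSAGES.tbb, Folders.dbx, In.mbx). A mismatch between what the extension claims and what the bytes say is reported rather than silently trusted.

```python
"""Content-based mailstorage detection (added example, not E3 code).

Signatures are well-known file magics assumed here, not stated by the manual:
  PST/OST : start with "!BDN"
  EDB     : ESE database, 0x89ABCDEF little-endian at offset 4
  DBX     : Outlook Express, starts with CF AD 12 FE
  mbox    : Eudora *.mbx, Google Takeout *.mbox, Thunderbird folders;
            first line begins with "From "
  EML     : no magic; starts with RFC 5322 header lines
Folder layouts: Maildir (cur/new/tmp), The Bat! (MESSAGES.tbb),
Outlook Express (Folders.dbx), Eudora (In.mbx).
"""
import os
import re

PST = "Microsoft Outlook PST/OST"
EDB = "Microsoft Exchange EDB (ESE)"
DBX = "Outlook Express DBX"
MBOX = "mbox-style store (Eudora, Google Takeout, Thunderbird)"
EML = "E-mail file (EML)"
MAILDIR = "Maildir"
UNKNOWN = "unknown"

# (format, offset, signature bytes)
FILE_SIGNATURES = [
    (PST, 0, b"!BDN"),
    (EDB, 4, b"\xef\xcd\xab\x89"),
    (DBX, 0, b"\xcf\xad\x12\xfe"),
    (MBOX, 0, b"From "),
]

# Marker files (compared case-insensitively) that identify folder stores.
FOLDER_MARKERS = [
    ("The Bat! folder", "messages.tbb"),
    ("Outlook Express folder", "folders.dbx"),
    ("Eudora folder", "in.mbx"),
]

# What the extension claims; used only to flag renamed evidence.
EXT_HINT = {".pst": PST, ".ost": PST, ".edb": EDB, ".dbx": DBX,
            ".mbx": MBOX, ".mbox": MBOX, ".eml": EML}

HEADER_LINE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*:[ \t]", re.M)


def sniff_bytes(head: bytes) -> str:
    """Classify a file from its first bytes (4 KiB is plenty)."""
    for fmt, offset, sig in FILE_SIGNATURES:
        if head[offset:offset + len(sig)] == sig:
            return fmt
    # EML has no magic: require two or more header lines in the first 512
    # bytes so that arbitrary text such as "Note: ..." is not accepted.
    if len(HEADER_LINE.findall(head[:512])) >= 2:
        return EML
    return UNKNOWN


def classify_file(head: bytes, filename: str) -> dict:
    """Detect the format and flag a mismatch with what the extension says."""
    detected = sniff_bytes(head)
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_HINT.get(ext)
    mismatch = claimed is not None and detected not in (UNKNOWN, claimed)
    return {"detected": detected, "extension": ext, "mismatch": mismatch}


def classify_folder(entries, subdirs) -> str:
    """Detect a folder store from its entry names and sub-directory names."""
    if {"cur", "new", "tmp"} <= {d.lower() for d in subdirs}:
        return MAILDIR
    names = {e.lower() for e in entries}
    for fmt, marker in FOLDER_MARKERS:
        if marker in names:
            return fmt
    return UNKNOWN


def sniff_mailstore(path: str) -> dict:
    """Filesystem wrapper: classify a file or a folder on disk."""
    if os.path.isdir(path):
        entries = os.listdir(path)
        subdirs = {e for e in entries if os.path.isdir(os.path.join(path, e))}
        return {"detected": classify_folder(entries, subdirs),
                "extension": "", "mismatch": False}
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return classify_file(head, os.path.basename(path))


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, sniff_mailstore(p))
```

Run it as `python sniff.py <file-or-folder> ...`. A result with `mismatch` set to True (for example, "!BDN" bytes in a file named *.edb) is worth recording in the case notes before the store is mounted, because the source type you choose in the Add New Evidence window must follow the bytes, not the name.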

How to Investigate America On-line (AOL) Mailstorage

America On-line mailstorage is stored in a *.pfc file or in a mailstorage file with no extension.

Mailstorage default location:

Windows 7, 8, 8.1    C:\Program Data\AOL\\Organize

To investigate AOL mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select AOL database. Click OK.

3. In the standard Open window, navigate to the desired file (*.pfc file or file with no extension). Click OK.
4. Enter the Evidence name (the default one is the name of the selected file) and click OK.
5. The AOL mailstorage is added to the case.
6. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).
7. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
8. You can view the message contents in different formats and/or view the attachments.

How to Investigate Microsoft Exchange Mailstorage

Electronic Evidence Examiner allows you to investigate the following versions of Microsoft Exchange (EDB) information stores: 5.0, 5.5, 2000, 2003, 2007, 2010, 2013, and 2016.

Microsoft Exchange mailstorage is stored in an *.edb file.

Its default location in all versions of Windows is C:\Program Files\Exchsrvr\Mdbdata\*.edb.

Please note that bodies of some messages can be stored in the *.stm file. The path to this file can be defined separately in the EDB settings.

To investigate a Microsoft Exchange mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select EDB database, EDB 5.5 database, or EDB 2013/2016 database. Click OK.

3. In the standard Open window, navigate to the desired *.edb file. Click OK.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. Define the EDB Database Settings and click OK.

• Raw mode: Shows all database content including system, orphaned, and deleted items. You will have to re-open the database (re-add it as evidence or re-open the case) for this option to take effect.

EDB 2013 databases containing non-English mailstorages must be added in Raw mode only. Otherwise such mailstorages will not be parsed.

• Skip pages with wrong checksum: When selected, pages whose checksum does not match are still shown, and a "Checksum error" warning is recorded in the log file for each such database page along with the reason for the error. If this option is not selected, pages with wrong checksums are not opened.
• Check logical structure of mailboxes/folders (slow): Verifies the mailbox tree structure to prevent duplicated folders (mailboxes).
• Ignore database signature: Opens any file as an EDB database without verifying that it actually is an EDB database.
• Message retrieving limit: In some corrupted folders, reading can loop indefinitely and already-read messages repeat. This number limits how many messages are read after the first repeated message is detected.
• *.stm file: Click Browse to locate the *.stm file for the added mailstorage. If the path to this file is not defined, the bodies of some messages may be empty.

6. The Microsoft Exchange mailstorage is added to the case.

7. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).

8. The deleted messages are displayed in the Data View pane in the folders they were deleted from. The deleted messages are marked with a red X.
9. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (below the message list).

10. You can view the message contents in different formats and/or view the attachments.

How to Investigate GroupWise Mailstorage

GroupWise mailstorage is stored in the GroupWise folder.

Mailstorage default location:

Windows 7, 8, 8.1, 10    C:\Users\\AppData\Roaming\Novell\GroupWise

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate the GroupWise mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select GroupWise database. Click OK.

3. In the Browse For Folder window, select the location of the source folder. Click OK.

4. Enter the Evidence name (opened folder name by default) and click OK.
5. Define the GroupWise Database Settings.

• Raw mode: Shows all database content including system, orphaned, and deleted items. You will have to re-open the database (re-add it as evidence or re-open the case) for this option to take effect.
• Map GroupWise Message ID to Internet Message ID: Shows the Internet message ID instead of the GroupWise message ID.
• Populate both send and received field: Fills both the sent and received fields if one of them is empty (for example, an empty sent field is filled with the data from the received field, and vice versa).
• Use TEXT.htm attachment for HTML body: If selected, a TEXT.htm attachment containing the message text is created for messages that have an HTML body.

6. The GroupWise mailstorage is added to the case.
7. The mailstorage structure is displayed in the Case Content pane, messages stored in the mailbox are displayed in the Data View pane.

8. The deleted messages are displayed in the Data View pane in the folders they were deleted from. The deleted messages are marked with a red X.
9. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (below the message list).

10. You can view the message contents in different formats and/or view the attachments.

How to Investigate Lotus Notes Mailstorage

Electronic Evidence Examiner allows you to investigate the following versions of Lotus Notes information stores: 4.0, 5.0, 6.0, 7.0, 8.0, 8.5, and 9.0. Please note that encrypted Lotus Notes 8.5 and 9 databases with ODS 51 and 48 are not supported in this version of Electronic Evidence Examiner.

Such encrypted databases appear empty in Electronic Evidence Examiner.

Lotus Notes mailstorage is stored in a *.nsf file.

Mailstorage default location:

Windows 7, 8, 8.1, 10    C:\Users\\AppData\Local\Lotus\Notes\Data\*.nsf

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate a Lotus Notes mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select NSF database. Click OK.

3. In the standard Open window, navigate to the desired *.nsf file. Click OK.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. Define the NSF Database Settings and click OK.

• Raw mode: Shows all database content including system, orphaned, and deleted items. You will have to re-open the database (re-add it as evidence or re-open the case) for this option to take effect.
• User name for unread notes list: Defines the user for whom the list of read/unread notes is displayed.
• Remove database quota limitations: Lotus Notes lets the user set a limit on the database size. If such a limit is set, Electronic Evidence Examiner cannot open the database; selecting this option removes the limit so that the database can be opened.
• Create missing view (alter database contents): Selects the messages for the View once and stores them as a collection. If this is not done, the messages for the View are selected each time the user requests it, which slows the program down. As the option name says, this alters the database contents.
• Use LotusNotes MAPI Connector dates behavior: Retrieves dates the same way the Lotus Notes MAPI connector does.
• User ID file: The ID file required to decrypt an encrypted NSF mailstorage. It is expected in the same directory as the NSF file. If it is not defined, an encrypted mailstorage cannot be added as evidence.
• Password: A correct password is required to decrypt an encrypted NSF mailstorage. If it is not defined, an encrypted mailstorage cannot be added as evidence.

6. The Lotus Notes mailstorage is added to the case.

7. The mailstorage structure is displayed in the Case Content pane, messages stored in the mailbox are displayed in the Data View pane.

8. The deleted messages are marked as service files and their content cannot be viewed.
9. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).

10. You can view the message contents in different formats and/or view the attachments.

How to Investigate Microsoft Outlook Mailstorage

Microsoft Outlook mailstorage is stored in *.pst or *.ost files (offline mailstorage).

Attachments in deleted messages in Microsoft Outlook mailstorages aren't restored and can't be viewed. Deleted messages that had attachments have a special icon in the Attachments column.

Mailstorage default location:

Windows 7, 8, 8.1, 10    C:\Users\\AppData\Local\Microsoft\Outlook\Outlook.pst

Offline mailstorage default location:

Windows 7, 8, 8.1, 10    C:\Users\\AppData\Local\Microsoft\Outlook\Outlook.ost

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate the Microsoft Outlook mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select MS Outlook database (*.pst file) or MS Outlook offline database (*.ost file). Click OK.

3. In the standard Open window, navigate to the desired *.pst or *.ost file. Click OK.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. Define the MS Outlook Database Settings and click OK.

• Raw mode: Shows all database contents including system, orphaned, and deleted items. You will have to re-open the database (re-add it as evidence or re-open the case) for this option to take effect.

• Scan database for deleted messages (slows down opening): If this option is selected, deleted messages in the database will be found and recovered. This can take a long time.

6. The Microsoft Outlook mailstorage is added to the case.
7. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).
8. The restored deleted messages can be viewed in the Outlook storage root node.
9. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).

10. You can view the message contents in different formats and/or view the attachments.

How to Investigate The Bat! Mailstorage

Electronic Evidence Examiner allows you to investigate mailstorages created by The Bat! versions 3.x and later.

The Bat! mailstorage is stored in a *.tbb file or in the The Bat! folder.

Mailstorage default location:

Windows 7, 8, 8.1, 10    C:\Users\\AppData\The Bat!

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

If you want to add the whole mailstorage with all accounts, navigate to the The Bat! folder and add it to Electronic Evidence Examiner.

If you want to add a specific mailbox, navigate to the subfolder with the name of the account in the The Bat! folder and add it to Electronic Evidence Examiner.

If you want to add a specific folder of a specific user from the mailstorage (e.g., the Inbox or Outbox folder), do one of the following:

• Navigate to the desired subfolder in the folder with Account name and add it to Electronic Evidence Examiner.

The folder must contain a MESSAGES.tbb file.

• Navigate to the desired subfolder, select the MESSAGES.tbb file and add it to Electronic Evidence Examiner (e.g., MESSAGES.tbb file from the Inbox folder to add only the Inbox folder).

To investigate The Bat! mailstorage, do the following:

1. Have the Add New Evidence window open.

2. In the Category list, select E-mail Database. In the Source Type list, select The Bat! database. Click OK.

3. In the Select source for mounting window, select the Folder option to open the folder containing the mailstorage. Select the File option to open the *.tbb file.
4. If you select the Folder option, in the Browse For Folder window, navigate to the folder containing The Bat! database and click Open. If you select the File option, in the standard Open window, navigate to the *.tbb file and click Open.
5. Enter the Evidence name (by default, the name of the file/folder to be added) and click OK.
6. The Bat! mailstorage is added to the case.
7. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).
8. The deleted messages are displayed in the Data View pane in the folders they were deleted from. The deleted messages are marked with a red X.
9. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
10. You can view the message contents in different formats and/or view the attachments.

How to Investigate Thunderbird Mailstorage

Thunderbird mailstorage is stored in the Thunderbird folder.

Mailstorage default location:

Windows 7, 8, 8.1, 10    C:\Users\\AppData\Roaming\Thunderbird\Profiles\

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate Thunderbird mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select Thunderbird database. Click OK.

3. In the Browse For Folder window, select the location of the source folder and click OK.
4. Enter the Evidence name (opened folder name by default) and click OK.
5. The Thunderbird mailstorage is added to the case.
6. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).
7. The deleted messages are displayed in the Data View pane in the folders they were deleted from. The deleted messages are marked with a red X.
8. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
9. You can view the message contents in different formats and/or view the attachments.

How to Investigate Outlook Express Mailstorage

Outlook Express mailstorage is stored in *.dbx files or the Outlook Express folder.

Mailstorage default location:

Windows 7, 8, 8.1, 10    C:\Users\\AppData\Identities\{GUID}\Microsoft\Outlook Express\

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

If you want to add the whole mailstorage, navigate to the Outlook Express folder and do one of the following:

• Add this folder to Electronic Evidence Examiner.

• Add the Folders.dbx file to Electronic Evidence Examiner.

If you want to add separate user-specified folders from the mailstorage, navigate to them in the Outlook Express folder. For example, select the Inbox.dbx file to add the Inbox folder, Sent Items.dbx to add the folder with sent messages, etc.

To investigate Outlook Express mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select Outlook Express database. Click OK.

3. In the Select source for mounting window, select the Folder option to open the folder containing the mailstorage. Select the File option to open a *.dbx file.
4. If you select the Folder option, in the Browse For Folder window, navigate to the folder containing the Outlook Express database and click Open. If you select the File option, in the standard Open window, navigate to the *.dbx file and click Open.
5. Enter the Evidence name (by default, the name of the file to be added) and click OK.
6. The Outlook Express mailstorage is added to the case.
7. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).

The messages that have been deleted from the trash in an Outlook Express mailstorage cannot be restored. Only the trash content can be viewed.

8. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
9. You can view the message contents in different formats and/or view the attachments.

How to Investigate Eudora Mailstorage

Eudora mailstorage is stored in *.mbx files or the Eudora folder.

Mailstorage default location:

Windows 7, 8, 8.1, 10    C:\Users\\AppData\Qualcomm\Eudora

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

If you want to add the whole mailstorage, navigate to the Eudora folder and add it to Electronic Evidence Examiner.

If you want to add a specific folder from the Eudora database (e.g., Inbox or Outbox folder), in the Eudora folder, navigate to the *.mbx file and add it to Electronic Evidence Examiner (e.g., add the In.mbx file to add the Inbox folder, add the Out.mbx file to add the Outbox folder, etc).

To investigate Eudora mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select Eudora database. Click OK.

3. In the Select source for mounting window, select the Folder option to open the folder containing the mailstorage. Select the File option to open a *.mbx file.
4. If you select the Folder option, in the Browse For Folder window, navigate to the folder containing the Eudora mailstorage and click Open. If you select the File option, in the standard Open window, navigate to the *.mbx file and click Open.
5. Enter the Evidence name (by default, the name of the file/folder to be added) and click OK.
6. The Eudora mailstorage is added to the case.
7. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).

8. The deleted messages are displayed in the Data View pane in the folders they were deleted from. The deleted messages are marked with a red X.
9. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
10. You can view the message contents in different formats and/or view the attachments.

How to Investigate E-mail Files

E-mail File evidence is an *.eml file or the folder containing *.eml files.

E-mail files can be created by Microsoft Outlook or another e-mail program, and a file can also contain the attachments (files sent with the message).

E-mail Files have no default location.

To investigate E-mail Files, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select Email File. Click OK.

3. In the Select source for mounting window, select the Folder option to open the folder containing the *.eml file(s). Select the File option to open an *.eml file.
4. If you select the Folder option, in the Browse For Folder window, navigate to the folder containing the Email Files and click Open. If you select the File option, in the standard Open window, navigate to the *.eml file and click Open.
5. Enter the Evidence name (by default, the name of the file/folder to be added) and click OK.
6. The E-mail Files are added to the case.
7. The list of *.eml files is displayed in the Case Content pane (to the left), messages stored in them are displayed in the Data View pane (to the right).
8. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
9. You can view the message contents in different formats and/or view the attachments.

How to Investigate E-mail Examiner Archive

E-mail Examiner archives are stored in *.pmx files. E-mail Examiner archives are created by Paraben's E-mail Examiner in the location defined by the user.

To investigate E-mail Examiner archives, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select Email examiner archive. Click OK.

3. In the standard Open window, navigate to the desired *.pmx file. Click OK.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The E-mail Examiner archive is added to the case.
6. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).
7. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
8. You can view the message contents in different formats and/or view the attachments.

How to Investigate Google Takeout Storage

Google Takeout storage is an archive containing an *.mbox file.

The Google Takeout archive is created in the location defined by the user.

To investigate the Google Takeout storage, do the following:

1. Have the Add New Evidence window open.
2. In the Source Type list, select Google Takeout storage and click OK.
3. In the standard Open window, navigate to the desired *.mbox file and click Open.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The Google Takeout storage is added to the case.
6. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).

Only the read messages from Google Takeout storage are parsed in the current version of Electronic Evidence Examiner.

7. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
8. You can view the message contents in different formats and/or view the attachments.

How to Investigate Windows Mail Database

Windows Mail database is stored in the Windows Mail folder.

Mailstorage default location:

Windows 7, 8, 8.1, 10    C:\Users\\AppData\Local\Microsoft\Windows Mail

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate a Windows Mail database, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select Windows Mail database. Click OK.
3. In the Browse For Folder window, select the location of the source folder and click OK.
4. Enter the Evidence name (opened folder name by default) and click OK.
5. The Windows Mail database is added to the case.
6. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).

The messages that have been deleted from the trash in Windows Mail cannot be restored. Only the Trash content can be viewed.

7. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
8. You can view the message contents in different formats and/or view the attachments.

How to Investigate Maildir Database

Maildir is a format for storing e-mail messages used by a number of e-mail clients for Unix-like operating systems (such as Cone, Evolution, GNUMail, and others). Maildir folders containing e-mail messages are stored in the location defined by the settings of the e-mail client.

To investigate Maildir mailstorages, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select Maildir database. Click OK.

3. In the Browse For Folder window, select the location of the source folder and click OK.
4. Enter the Evidence name (by default, the name of the folder to be added) and click OK.
5. The Maildir database is added to the case.
6. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).
7. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
8. You can view the message contents in different formats and/or view the attachments.

How to Investigate Windows 10 Mail database

To investigate a Windows 10 Mail database, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select Windows 10 Mail. Click OK.

3. In the Browse For Folder window, select the location of the source folder and click OK.
4. Enter the Evidence name (by default, the name of the folder to be added) and click OK.
5. The Windows 10 Mail database is added to the case.
6. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).
7. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).

The current version of Electronic Evidence Examiner does not detect email attachments, email size, or some email properties. For this reason, the Size column and some properties contain the Undefined value.

How to Investigate Mailstorage Stored within Added File System Evidence

Electronic Evidence Examiner allows you to find mailstorages stored within added file system evidence (forensic image, local drives, etc.) and investigate them as if they had been added as a separate type of evidence.

To investigate mailstorage stored within file system evidence, do the following:

1. Add the file system evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. The structure of the added evidence is displayed in the Case Content pane (to the left), contents of the selected folder/node are displayed in the Data View pane (to the right).
3. Perform sorting of the selected evidence or part of it (for more information, please see the How to perform sorting in added evidence topic).
4. In the Sorted Files pane, select the Email category.
5. Contents of the selected category are displayed in the Data View pane (to the right).
6. In the Data View pane, select the mailstorage you want to investigate, right-click and select Open Path.
7. If the selected email file is part of a mailstorage within a folder, it opens in the Data View pane and you are asked to mount it as a mailstorage.
8. If the selected file is a mailstorage within a file, it opens in the Data View pane with a special symbol next to its name. Double-click it to mount the mailstorage.
9. The parsed mailstorage appears in the evidence tree in the Case Content pane.

How to Investigate E-mails Stored in tar.gz Archives

Electronic Evidence Examiner allows investigating email archives that have the tar.gz extension.

To investigate e-mails stored in tar.gz archives, do the following:

1. Extract the tar.gz file to a folder using the archiving utility (for example, 7-Zip). If the tar.gz file contains another archive in the tar format, extract it as well.

2. Open E3 and on the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the welcome screen.
3. In the Add New Evidence window, select the E-mail Database category and then select the Email File source type. Click OK.
4. In the Select source for mounting window, select Folder.
5. In the Folder Selection window, click Browse and select one of the folders containing .eml files from the extracted archive.
6. Enter the evidence name.
7. Navigate to the folder with email messages.
8. The added emails can be analyzed in the same way as other mailstorage evidence. Click an email to view it in the E-mail viewer.
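Step 1 hands the archive to a general-purpose extractor, and that is the one step of this procedure where untrusted data acts on the examiner's file system: a tar member named with an absolute path, a ".." component or a symbolic link can place files outside the folder you chose. The Python script below is an added example, not code from Electronic Evidence Examiner or this manual, that does the extraction itself with those members rejected, unpacks any nested *.tar it finds in the same way, and then reports which extracted folders hold *.eml files, which are the folders you would select in step 5. The sample export it builds and extracts is constructed inline for demonstration and is not real evidence.

```python
"""Safe extraction of a tar.gz e-mail export, then a per-folder *.eml count.

Added example; not code from Electronic Evidence Examiner or this manual.
Archive members whose path would land outside the destination (absolute
paths, ".." components, symlinks and hard links, device nodes) are rejected
and reported instead of written. Nested *.tar members are unpacked with the
same rules. The sample archive is constructed inline.
"""
import io
import os
import tarfile
import tempfile


def _inside(base: str, target: str) -> bool:
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(tar: tarfile.TarFile, dest: str):
    """Extract regular files and directories only; return (kept, rejected)."""
    kept, rejected = [], []
    os.makedirs(dest, exist_ok=True)
    for m in tar.getmembers():
        parts = m.name.replace("\\", "/").split("/")
        target = os.path.join(dest, *parts)
        if (os.path.isabs(m.name) or ".." in parts or not _inside(dest, target)
                or m.issym() or m.islnk() or not (m.isfile() or m.isdir())):
            rejected.append(m.name)
            continue
        if m.isdir():
            os.makedirs(target, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as out:
                out.write(src.read())
        kept.append(m.name)
    return kept, rejected


def extract_mail_archive(archive: str, dest: str):
    """Unpack the archive into dest, then any *.tar it contained, one level deep."""
    with tarfile.open(archive, "r:*") as tar:
        kept, rejected = safe_extract(tar, dest)
    for rel in list(kept):
        if rel.lower().endswith(".tar"):
            inner_dest = os.path.join(dest, rel[:-4])
            with tarfile.open(os.path.join(dest, rel), "r:*") as inner:
                k2, r2 = safe_extract(inner, inner_dest)
            kept += [rel[:-4] + "/" + n for n in k2]
            rejected += [rel + "!" + n for n in r2]
    return kept, rejected


def eml_folders(dest: str) -> dict:
    """Folders to mount as Email File evidence, with their *.eml counts."""
    counts = {}
    for root, _dirs, files in os.walk(dest):
        n = sum(1 for f in files if f.lower().endswith(".eml"))
        if n:
            counts[os.path.relpath(root, dest).replace(os.sep, "/")] = n
    return counts


# --- constructed sample export (not real evidence) -----------------------
EML = b"From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n\r\nhello\r\n"


def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_archive(path: str) -> None:
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w") as t:   # nested plain tar
        _add(t, "archive/3.eml", EML)
    with tarfile.open(path, "w:gz") as t:
        _add(t, "mail/inbox/1.eml", EML)
        _add(t, "mail/sent/2.eml", EML)
        _add(t, "mail/extra.tar", inner.getvalue())
        _add(t, "../escape.eml", EML)          # path traversal attempt
        link = tarfile.TarInfo("mail/link")    # symlink pointing outside
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc"
        t.addfile(link)


def demo():
    """Build the sample, extract it safely, report what was kept and rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "export.tar.gz")
        build_sample_archive(archive)
        dest = os.path.join(tmp, "extracted")
        kept, rejected = extract_mail_archive(archive, dest)
        return kept, rejected, eml_folders(dest)


if __name__ == "__main__":
    print(demo())
```

Keep the rejected list with the case notes: a member that tries to escape the destination is itself a finding about how the export was produced. On Python 3.12 and later, `tarfile.extractall(filter="data")` applies comparable rules, but doing the checks explicitly, as above, gives you the list of what was refused.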

How to View Mailstorage Evidence

How to View Messages in Different Formats

Electronic Evidence Examiner allows you to view the selected messages in different available formats. You can view the body of the desired message in the following formats: RFC header, Text, RTF, HTML, and Raw HTML. If the message contains an attachment (file attached to it), the Attachments tab is also available.

Please note that the number of available message formats can change depending on the message properties.

To view a message in the desired format, do the following:

1. Add the mailstorage evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).

3. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom). Make sure that the E-mail Data pane is enabled. To enable the E-mail Data pane, click the corresponding icon on the View tab.
4. To view the message in the desired format, click the corresponding icon at the bottom of the E-mail Data pane.

To enable Text, Hex and File viewers, click the corresponding icon on the View tab.

How to View Attachments

Electronic Evidence Examiner allows you to view email attachments (files attached to messages).

Attachments in deleted messages in PST databases aren't restored and can't be viewed. Attachments in AOL databases might be empty, because they are generally stored in a database on an outside server.

To view the attachments, do the following:

1. Add the mailstorage evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).

3. Messages with attachments (files attached to them) have a special symbol in the corresponding column. For these messages, the Attachments tab in the E-mail Data pane is enabled. 4. Select the message with an attachment in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom). 5. Click the Attachments tab in the bottom of the E-mail Data pane to view attached files. Attachments are displayed in Hex, Text, and File viewers if they are enabled. 6. To enable the Text, Hex and File viewers, click the corresponding icon on the View tab.

68

How to View Attachments that Can Be Opened as Embedded Evidence

If an email attachment contains evidence of another format, it can be investigated as embedded evidence. For example, a mailstorage database may contain an attached archive, which in turn may contain chat databases.

To view attachments that can be opened as embedded evidence, do the following:

1. Add the mailstorage evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. The mailstorage structure is displayed in the Case Content pane (to the left); messages stored in the mailbox are displayed in the Data View pane (to the right).

3. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).

4. Click the Attachments tab at the bottom of the E-mail Data pane to view attached files.

5. If the attached file contains evidence of another format, double-click it.

6. The embedded evidence is parsed and added to the Case Content tree. It contains the evidence type subnode where the parsed contents can be found.

How to Detect Attachment File Types

Electronic Evidence Examiner allows you to sort attachments (files attached to messages), i.e. to define their file types. The following file types are detected after sorting: Documents, Email, Chats, Databases, Compressed, Encrypted, Spreadsheets, Graphics, Executable, Multimedia, Text, XML, Financial Files, Game Console Files, and Others (Unknown).

To sort attachments, do the following:

1. Add the mailstorage evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. The mailstorage structure is displayed in the Case Content pane (to the left); messages stored in the mailbox are displayed in the Data View pane (to the right).

3. Select the message, folder, or mailstorage whose contents you want to sort.

4. On the Evidence tab, in the Content Analysis group, click Content Analysis and then click Sort Data.

5. The Content Analysis wizard opens.

6. Move between the pages of the wizard to set the options you need (for more information, please see the help file).

7. After all the selections are made, click Finish to start sorting.

8. The sorting process is displayed in the Tasks pane.

9. To view the results of sorting, click the Sorted Files tab.

10. Files are sorted by categories according to their file types and are displayed in a tree-view structure.

11. To view sorted files of the desired category, select the corresponding category in the Sorted Files pane. The contents are displayed in the Data View pane (to the right).

How to Perform Searches in Mailstorage Evidence

How to Search in Mailstorages

Electronic Evidence Examiner allows you to perform searches in mailstorages.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the mailstorage, folder, or message where you want to search for data.

3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.

4. The Search pane opens (to the right).

5. Enter the Search Parameters (for more information, please see the help file). The following groups of parameters are available:

• Common parameters: These parameters include general information about what is to be searched.

• Special E-mail database parameters. Common Parameters: These parameters define where data is to be searched. They also include sender & recipient filters and date parameters.

• Special E-mail database parameters. Advanced Filters: These parameters define message filters.

6. Click Start.

7. The search starts. Its status is displayed in the Tasks pane, and it can be stopped, paused, and started from there (via the right-click menu or using the Stop, Pause, or Start/Resume buttons).

8. The search results are displayed in the bottom part of the Search pane.

9. Double-click a search result to open it in the E-mail Data pane and view it.

How to Search in Message Attachments

Electronic Evidence Examiner allows you to perform searches in attachments.

You can search in attachments in two ways:

• Select the corresponding option in the Special E-mail Databases parameters (Common Parameters tab) while searching in e-mail databases.

• Perform a search in the sorted attachments. This type of search is much quicker.

Sorted Files searching is limited to searching by file name and hash value. For searching the text of sorted attachments, please see the Keyword Search topic.

To search in the sorted attachments, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the folder or message where you want to search for data.

3. Perform sorting to sort the attachments detected in it by file type (for more information, please see the How to Perform Sorting in Added Evidence topic).

4. After the sorting finishes, click Sorted Files Search on the Analysis tab, in the Search group.

5. The Sorted Files Search pane opens (to the right).

6. Enter the Sorted Files Search parameters (for more information, please see the help file). Click Run Query. To find all sorted attachments, leave all boxes empty and click Run Query.

7. The Sorted Files Search starts. The results are displayed in the bottom part of the Sorted Files Search pane in a grid where they can be managed.

8. Double-click a search result to open it in the E-mail Data pane and view it. It is displayed in the E-mail Data pane and in the Hex, Text, and File viewers (make sure that the viewers are enabled).

To enable Text, Hex and File viewers, click the corresponding icon on the View tab.

How to Search in Mailstorage by Attachment Type

Electronic Evidence Examiner allows you to perform searches in attachments of certain types. This is available only for sorted attachments.

To perform searching by attachment type, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the folder or message where you want to search for data.

3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.

4. The Search pane opens (to the right).

5. Click the Email Databases tab in the Search pane.

6. In the opened tab, select the Attachments option.

7. Click Attachment Types and, in the opened window, define the desired types of attachments where the search will be performed. To select all types of attachments, click Check All. To clear all types of attachments, click Uncheck All. Click OK.

8. Define other search parameters if necessary. After all parameters are defined, click Start.

9. The search starts. Its status is displayed in the Tasks pane, and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).

10. The search results are displayed in the bottom part of the Search pane.

11. Double-click a search result to open it in the E-mail Data pane and view it.

How to Search for Data in Message Body Only

Electronic Evidence Examiner allows you to perform searches only in email message bodies.

To search for data in the message body only, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the folder or message where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.

3. The Search pane opens (to the right).

4. Enter the expression you want to find in the Search what box, and other parameters if necessary.

5. Select the E-mail Databases tab. Select the Body option in the Search in group of options.

6. Enter other search parameters if necessary. Click Start to start the search.

7. The search starts. Its status is displayed in the Tasks pane, and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).

8. The search results are displayed in the bottom part of the Search pane.

9. Double-click a search result to open it in the E-mail Data pane and view it.

How to Find Emails with Particular Senders or Particular Receivers

You can find e-mails from a particular sender or senders, e-mails to a particular receiver or receivers, or e-mails sent from a particular sender to a particular receiver. You can also find e-mails where a particular address is added to CC or to BCC.

To search e-mails sent from particular senders or to particular receivers, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the folder or message where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.

3. The Search pane opens (to the right).

4. Enter the expression you want to find in the Search what box, and other parameters if necessary.

5. Select the E-mail Databases tab.

6. In the Filter sender and recipient group of options, select the fields by which you want to search.

7. Enter the e-mail addresses or names you want to find.

You can use Boolean expressions in these boxes for more precise searching (for more information, please see the How to use Boolean Search topic).

8. Enter other search parameters if necessary. Click Start to start the search.

9. The search starts. Its status is displayed in the Tasks pane, and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).

10. The search results are displayed in the bottom part of the Search pane.

11. Double-click a search result to open it in the E-mail Data pane and view it.

How to Search in Deleted Email Messages

You can search for data in messages that were deleted within a specific date range.

To search for data in messages that were deleted on a specific date, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the folder or message where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.

3. The Search pane opens (to the right).

4. Enter the expression you want to find in the Search what box, and other parameters if necessary.

5. Select the E-mail Databases tab.

6. Click Add Filter to define a date filter. Select Deleted between in the Data Type drop-down list. Set the desired date and time.

7. Enter other search parameters if necessary. Click Start to start the search.

8. The search starts. Its status is displayed in the Tasks pane, and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).

9. The search results are displayed in the bottom part of the Search pane.

10. Double-click a search result to open it in the E-mail Data pane and view it.

How to Search in Email Messages Sent on a Specific Date

Electronic Evidence Examiner allows you to search for data in messages that were sent on a specific date.

To search for data in messages that were sent on a specific date, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the folder or file where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.

3. The Search pane opens (to the right).

4. Enter the expression you want to find in the Search what box, and other parameters if necessary.

5. Select the E-mail Databases tab.

6. Click Add Filter to define the date type filter. Select Sent between in the Data Type drop-down list and set the desired date and time.

7. Enter other search parameters if necessary. Click Start to start the search.

8. The search starts. Its status is displayed in the Tasks pane, and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).

9. The search results are displayed in the bottom part of the Search pane.

10. Double-click a search result to open it in the E-mail Data pane and view it.

How to Search for Email Addresses Sent in Message Bodies

Electronic Evidence Examiner allows you to search for email addresses that were sent in message bodies. This will prove useful if the user sent some private email addresses to other people.

To find email addresses that were sent in message bodies, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the folder or file where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.

3. The Search pane opens (to the right).

4. In the Use drop-down list, select Regular expressions.

5. Click Use Template. The Regular Expression Templates window opens.

6. Select the E-mails regular expression category at the left of the window.

7. Select the required regular expression at the right of the window.

8. Click OK. The selected regular expression appears in the Search what box in the Search pane.

9. Select the E-mail Databases tab.

10. Select the Body option in the Search in group of options.

11. Enter other search parameters if necessary. Click Start to start the search.

12. The search starts. Its status is displayed in the Tasks pane, and it can be stopped, paused, and started from there (via the right-click menu or using the Stop, Pause, or Start/Resume buttons).

13. The search results are displayed in the bottom part of the Search pane.

14. Double-click a search result to open it in the E-mail Data pane and view it.
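The search filters described in the topics above (sender and recipient fields including CC and BCC, a Sent between date range, Body-only searching, and an e-mail address regular expression) are shown here together as an added example; this is not code from Electronic Evidence Examiner, and the sample messages, addresses and the regular expression are constructed for illustration.

```python
"""Added example, not Electronic Evidence Examiner code: the Advanced Search
filters described above (sender/recipient, Sent between, Body only, E-mails
regular expression) applied to constructed RFC 822 messages."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import getaddresses, parsedate_to_datetime
from typing import List, Optional, Pattern, Tuple

# Constructed sample messages; every name and address is made up.
SAMPLE_MESSAGES = [
    "From: Alice Example <alice@example.org>\nTo: bob@example.net\n"
    "Cc: carol@example.com\nDate: Mon, 03 Jun 2019 09:15:00 +0000\n"
    "Subject: Contacts\n\n"
    "Reach Dave at dave.private@example.org or dave@corp.example.\n",
    "From: bob@example.net\nTo: alice@example.org\nBcc: eve@example.com\n"
    "Date: Tue, 04 Jun 2019 18:00:00 +0200\nSubject: Re: Contacts\n\n"
    "Thanks. My other address is bob.home@example.net; see you.\n",
    "From: mallory@example.com\nTo: alice@example.org\n"
    "Date: Fri, 14 Jun 2019 12:00:00 +0000\nSubject: Nothing here\n\n"
    "No addresses in this body; the only one is in the header.\n",
]

# Conservative address pattern, in the spirit of the "E-mails" template
# (assumed; not the product's own expression).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class ParsedMessage:
    sender: str                # From address, lower-cased
    recipients: List[str]      # To, CC and BCC addresses, lower-cased
    sent: Optional[datetime]   # timezone-aware Date header, or None
    subject: str
    body: str                  # text body only; headers are never searched


def parse_message(raw: str) -> ParsedMessage:
    """Parse one RFC 822 message into the fields the search filters use."""
    msg = message_from_string(raw, policy=policy.default)
    senders = [addr for _, addr in getaddresses([str(msg.get("From", ""))])]
    sender = senders[0].lower() if senders else ""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = [addr.lower() for _, addr in getaddresses([str(h) for h in headers])]
    date_hdr = msg.get("Date")
    sent = parsedate_to_datetime(str(date_hdr)) if date_hdr else None
    if sent is not None and sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)  # treat a naive Date as UTC
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    return ParsedMessage(sender, recipients, sent, str(msg.get("Subject", "")), body)


def utc(year: int, month: int, day: int) -> datetime:
    """Build an aware UTC datetime for a Sent between bound."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def load_samples() -> List[ParsedMessage]:
    return [parse_message(raw) for raw in SAMPLE_MESSAGES]


def advanced_search(
    messages: List[ParsedMessage],
    *,
    sender: Optional[str] = None,
    recipient: Optional[str] = None,
    sent_between: Optional[Tuple[datetime, datetime]] = None,
    body_regex: Optional[Pattern[str]] = None,
) -> List[Tuple[ParsedMessage, List[str]]]:
    """Return (message, body matches) for messages passing every given filter.
    Filters combine with AND, as the parameters of the Search pane do."""
    results = []
    for m in messages:
        if sender and m.sender != sender.lower():
            continue
        if recipient and recipient.lower() not in m.recipients:
            continue
        if sent_between:
            start, end = sent_between
            if m.sent is None or not (start <= m.sent <= end):
                continue  # undated messages never satisfy a date filter
        matches = body_regex.findall(m.body) if body_regex else []
        if body_regex and not matches:
            continue
        results.append((m, matches))
    return results


if __name__ == "__main__":
    for msg, found in advanced_search(load_samples(), body_regex=EMAIL_RE):
        print(msg.sender, "->", msg.subject, found)
```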

How to Search for Text Data

Electronic Evidence Examiner allows you to perform searches for text data in mailstorages.

Keyword searching is performed much faster than regular searching. It is available only for evidence where keywords have previously been indexed.

To perform a keyword search, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the folder or file where you want to search for data.

3. Right-click and select Keyword Search in the right-click menu, or select Keyword Search on the Analysis tab, in the Search group.

4. The Keyword Search pane opens (to the right).

5. Enter the Search Parameters. The following parameters are available:

• Subject: Select this option to search in the message subject.

• Body: Select this option to search in the message body.

• Contacts: Select this option to search in mailbox contacts.

• Calendars: Select this option to search in mailbox calendars.

• Attachment file names: Select this option to search in the file names of message attachments.

• Attachments: Select this option to search in attachment bodies.

• Sender: Select this option to search in email sender fields.

• Recipient: Select this option to search in the Recipient, CC, and BCC fields of an email.

6. Click Start.

7. The search starts. Its status is displayed in the Tasks pane, and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).

8. The search results are displayed in the bottom part of the Search pane.

9. Double-click a search result to open it in the E-mail Data pane and view it.

How to Export Mailstorage Data

How to Export the Mailstorage to Another Format

Electronic Evidence Examiner allows you to export a mailstorage to one of the following formats: EML (E-mail File), EMX (E-mail Examiner archive), and PST (Microsoft Outlook).

To export a mailstorage, do the following:

1. Add the mailstorage evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. The mailstorage structure is displayed in the Case Content pane (to the left); messages stored in the mailbox are displayed in the Data View pane (to the right).

3. In the Case Content pane, select the mailstorage or the mailbox to be exported.

4. Right-click and select Export, or select Export on the Export tab, in the Common Export group.

5. The Export Wizard opens.

6. On the Source and Output page, select the desired output format for the exported data.

7. Move between the other pages of the wizard to set the options you need.

8. After all the selections are made, click Finish.

9. The export process is displayed in the Tasks pane.

10. Once the export process is completed, navigate to the destination folder to view the result. When the export is performed, the MD5 is calculated for each exported file and placed in a separate file with the name .MD5.

How to Export an Attachment

Electronic Evidence Examiner allows you to export attachments (files attached to the message). Exporting attachments means creating a forensic copy of attachments on the computer on which Electronic Evidence Examiner is installed. Electronic Evidence Examiner allows you to export an attachment from an opened message.

To export an attachment, do the following:

1. Add the mailstorage evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. The mailstorage structure is displayed in the Case Content pane (to the left); messages stored in the mailbox are displayed in the Data View pane (to the right).

3. Messages with attachments (files attached to them) have a special symbol in the corresponding column. For these messages, the Attachments tab in the E-mail Data pane is enabled.

4. In the Data View pane, select the message with the attachment. Its contents are displayed in the E-mail Data pane (at the bottom).

5. Click the Attachments tab at the bottom of the E-mail Data pane to view attached files.

6. Right-click the attachment and select Export.

7. In the Browse For Folder window, specify the location where the file will be saved.

8. Click the OK button to start exporting.

9. The export process is displayed in the Tasks pane.

10. Once the export process is completed, navigate to the destination folder to view the results. When the export is performed, the MD5 is calculated for the exported attachment. It is placed in a separate file with the name .MD5.

How to Export All Attachments

Electronic Evidence Examiner allows you to export attachments (files attached to the message). Exporting attachments means creating a forensic copy of attachments on the computer on which Electronic Evidence Examiner is installed. Electronic Evidence Examiner allows you to export attachments of more than one message and even all attachments from the desired mailstorage.

To export all attachments, do the following:

1. Add the mailstorage evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. The mailstorage structure is displayed in the Case Content pane (to the left); messages stored in the mailbox are displayed in the Data View pane (to the right).

3. Select the data to be exported. You can select the mailstorage, a folder, or a message. Use the Ctrl and Shift keys to select more than one item.

4. Right-click and select Export, or select Export on the Export tab, in the Common Export group.

5. The Export Wizard opens.

6. On the Source and Output page of the wizard, select the Attachments Only output format.

7. Move between the other pages of the wizard to set the options you need (for more information, please see the help file).

8. When all the parameters are defined, click Finish. The export process is displayed in the Tasks pane.

9. Once the export process is completed, navigate to the destination folder to view the results. When the export is performed, the MD5 is calculated for each exported attachment and placed in a separate file with the name .MD5.

How to Create Attachments List

The Attachments list is a text file that contains a list of attachments from selected messages and their MD5.

To generate an attachments list, do the following:

1. Add the mailstorage evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. The mailstorage structure is displayed in the Case Content pane (to the left); messages stored in the mailbox are displayed in the Data View pane (to the right).

3. In the Data View pane, select the messages for which the attachments list is to be created.

4. Right-click and select Create Attachments List, or select Create Attachments List on the Evidence tab, in the Mailstorages group.

5. Select the name and location of the attachments list.

6. When the list is created, an information message is displayed. Click OK.
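The attachment export with its .MD5 sidecar files (the two export topics above) and the attachments list (this topic) are worked through in one added example; this is not code from Electronic Evidence Examiner, the sample message and its attachments are constructed, and the exact layout of the sidecar and of the list file are assumptions patterned on the description above. It also re-verifies the exported copies against their sidecars, which is the check a practitioner would run before relying on an export.

```python
"""Added example, not Electronic Evidence Examiner code: export a message's
attachments, write one <name>.MD5 sidecar per exported file, build an
attachments list, and re-verify the copies. Sidecar/list layouts are assumed."""
import hashlib
import tempfile
from email import message_from_string, policy
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample message with two attachments; all content is made up.
SAMPLE_EML = """From: alice@example.org
To: bob@example.net
Subject: Quarterly files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

See attached.
--sep
Content-Type: text/csv; name="figures.csv"
Content-Disposition: attachment; filename="figures.csv"

id,amount
1,42
--sep
Content-Type: application/octet-stream; name="notes.bin"
Content-Disposition: attachment; filename="notes.bin"
Content-Transfer-Encoding: base64

AQIDBA==
--sep--
"""

Row = Tuple[str, int, str]  # (exported file name, size in bytes, MD5 hex)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def export_attachments(raw_eml: str, dest: Path) -> List[Row]:
    """Copy each attachment into dest and write <name>.MD5 beside it."""
    msg = message_from_string(raw_eml, policy=policy.default)
    dest.mkdir(parents=True, exist_ok=True)
    rows: List[Row] = []
    for part in msg.iter_attachments():
        # The file name comes from the message itself, so keep only its base
        # name: a name such as ../x must not escape the export folder.
        name = Path(part.get_filename() or "unnamed").name
        target = dest / name
        counter = 1
        while target.exists():  # same-named attachments must not overwrite
            target = dest / f"{Path(name).stem}_{counter}{Path(name).suffix}"
            counter += 1
        data = part.get_payload(decode=True) or b""
        digest = md5_hex(data)
        target.write_bytes(data)
        # Sidecar in md5sum style: "<hex> *<file name>" (assumed layout).
        (dest / f"{target.name}.MD5").write_text(f"{digest} *{target.name}\n")
        rows.append((target.name, len(data), digest))
    return rows


def write_attachments_list(rows: List[Row], list_path: Path) -> str:
    """Write a tab-separated attachments list and return its text."""
    lines = ["Attachment\tSize\tMD5"] + [f"{n}\t{s}\t{d}" for n, s, d in rows]
    text = "\n".join(lines) + "\n"
    list_path.write_text(text)
    return text


def verify_exports(dest: Path) -> Dict[str, bool]:
    """Recompute the MD5 of every exported file and compare with its sidecar."""
    status: Dict[str, bool] = {}
    for sidecar in sorted(dest.glob("*.MD5")):
        name = sidecar.name[: -len(".MD5")]
        expected = sidecar.read_text().split()[0]
        exported = dest / name
        status[name] = exported.is_file() and md5_hex(exported.read_bytes()) == expected
    return status


def run_demo() -> Tuple[List[Row], Dict[str, bool], Dict[str, bool]]:
    """Export into a temporary folder, verify, then show a changed copy failing."""
    dest = Path(tempfile.mkdtemp(prefix="e3_export_"))
    rows = export_attachments(SAMPLE_EML, dest)
    write_attachments_list(rows, dest / "attachments_list.txt")
    clean = verify_exports(dest)
    (dest / "notes.bin").write_bytes(b"\x01\x02\x03\x05")  # simulate a modified copy
    tampered = verify_exports(dest)
    return rows, clean, tampered


if __name__ == "__main__":
    print(run_demo())
```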

How to Print Messages

Electronic Evidence Examiner allows you to print messages.

To print a message, do the following:

1. Add the mailstorage evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. The mailstorage structure is displayed in the Case Content pane (to the left); messages stored in the mailbox are displayed in the Data View pane (to the right).

3. In the Data View pane, select the message to be printed.

4. Right-click the message and select Print, or select Print on the Evidence tab, in the Mailstorages group.

5. The Message Composing Settings window opens.

6. Define the message composing settings (for more information, please see the help file).

7. Click Page Setup to define printer and paper options; click Preview to preview the message before printing.

8. Click Print to start printing.

How to Investigate Chat Databases

The investigation of chat database evidence is possible with the following packages:

• E3: Universal

• E3: P2C

• E3: Internet

How to Investigate Different Types of Chat Databases

How to Autodetect Chat Database Format

Electronic Evidence Examiner allows you to autodetect the format of the chat database being added to the case.

To autodetect the chat database format, do the following:

1. Have the Add New Evidence window open.

2. In the Category list, select Chat Database. In the Source Type list, select Auto-detect chat database and click OK.

3. In the Select source for mounting window, select whether the evidence is found in a File or a Folder and click OK.

The following chat databases are stored in files:

Skype chat database: file main.db

Miranda chat database: file *.dat

The following chat databases are stored in folders:

Yahoo chat database: the folder name is the Yahoo user nickname.

Skype chat database: the folder name is the Skype user nickname.

ICQ 2003b chat database: the folder name is the ICQ number.

ICQ 1999-2003a chat database: the folder name is the ICQ number.

ICQ6 chat database: the folder name is the ICQ number.

ICQ7 chat database: the folder name is the ICQ number.

Hello chat database: the folder name is the Hello number.

Trillian chat database: the folder name is the Trillian number.

MSN chat database: the folder name is the MSN user nickname.

4. If you select the Folder option, in the Browse For Folder window, navigate to the folder containing the chat database and click Open. If you select the File option, in the standard Open window, navigate to the file and click Open.

How to Investigate Yahoo! Chat Databases

Yahoo! chat databases are located in the folder with the Yahoo! user nickname.

Chat database default location (Windows 7, 8, 8.1, 10): C:\Program Files\Yahoo!\Messenger\Profiles\

To investigate a Yahoo! chat database, do the following:

1. Have the Add New Evidence window open.

2. In the Category list, select Chat Database. In the Source Type list, select Yahoo! database. Click OK.

3. In the Browse For Folder window, select the location of the source folder and click OK.

4. Enter the Evidence name (the opened folder name by default) and click OK.

5. The Yahoo! chat database is added to the case. Saved conversations are displayed in the Data View pane and in the special RTF viewer.

How to Investigate Skype Chat Databases

Skype chat databases are located in the folder with the Skype user nickname or in the main.db file.

Chat database default location (Windows 7, 8, 8.1, 10):

For Skype version lower than 4.0: C:\Users\\AppData\Roaming\Skype\

For Skype version 4.0 or higher: C:\Users\\AppData\Roaming\Skype\main.db

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate Skype chat databases, do the following:

1. Have the Add New Evidence window open.

2. In the Category list, select Chat Database. In the Source Type list, select Skype database. Click OK.

3. In the Select source for mounting window, select the Folder option to open the folder containing the chat database, or select the File option to open the main.db file. Click OK.

4. If you selected the Folder option, in the Browse For Folder window, navigate to the folder containing the Skype chat database and click Open. If you selected the File option, in the standard Open window, navigate to the main.db file and click Open.

5. Enter the Evidence name (by default, the name of the file/folder to be added) and click OK.

6. The Skype chat database is added to the case. Saved conversations are displayed in the Data View pane and in the special RTF viewer.

You can view the information about users' IP addresses in the Contact IPs node in the Case Content pane.

The information includes:

• User ID

• Local IP

• Public IP

• Time when the user sent a message via this IP

How to Investigate ICQ Chat Databases

An ICQ chat database is located in the folder with the ICQ user nickname.

Chat database default location:

ICQ 1999-2003, ICQ 2003 (Windows 7, 8, 8.1, 10): C:\Program Files\ICQ\\

ICQ 6, ICQ 7 (Windows 7, 8, 8.1, 10): C:\Users\\AppData\Roaming\ICQ\

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate an ICQ chat database, do the following:

1. Have the Add New Evidence window open.

2. In the Category list, select Chat Database. In the Source Type list, select ICQ 2003b database, ICQ 1999-2003a database, ICQ6 database, or ICQ 7 database, depending on the version of the chat client. Click OK.

3. In the Browse For Folder window, navigate to the location of the source folder. Click OK.

4. Enter the Evidence name (the opened folder name by default) and click OK.

5. The ICQ chat database is added to the case. Saved conversations are displayed in the Data View pane and in the special RTF viewer.

How to Investigate Miranda Chat Databases

Miranda chat databases are located in *.dat files.

Chat database default location (Windows 7, 8, 8.1, 10): C:\Users\\AppData\Roaming\Miranda\.dat

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate Miranda chat databases, do the following:

1. Have the Add New Evidence window open.

2. In the Category list, select Chat Database. In the Source Type list, select Miranda database. Click OK.

3. In the standard Open window, navigate to the desired *.dat file. Click Open.

4. Enter the Evidence name (by default, the name of the file to be added) and click OK.

5. The Miranda chat database is added to the case. Saved conversations are displayed in the Data View pane and in the special RTF viewer.

How to Investigate Hello Chat Databases

Hello chat databases are located in the folder with the Hello user nickname.

To investigate Hello chat databases, do the following:

1. Have the Add New Evidence window open.

2. In the Category list, select Chat Database. In the Source Type list, select Hello database. Click OK.

3. In the Browse For Folder window, navigate to the location of the source folder. Click OK.

4. Enter the Evidence name (the opened folder name by default) and click OK.

5. The Hello chat database is added to the case. Saved conversations are displayed in the Data View pane and in the special RTF viewer.

A Hello chat database can contain images that can be examined.

To view images, do the following:

1. In the Case Content pane (to the left), select the Thumbnails node.

2. The contents of the node are displayed in the Data View pane (to the right). Images are displayed as thumbnails in the Thumbnails pane (at the bottom).

3. Double-click an image in the Thumbnails pane to open it in the File, Hex, or Text viewer (make sure that these viewers are enabled).

4. To enable the File, Text, and Hex viewers, click the corresponding item on the View tab.

How to Investigate Trillian Chat Databases

Trillian chat databases are located in the folder with the Trillian user nickname.

Chat database default location (Windows 7, 8, 8.1, 10): C:\Users\\AppData\Local\VirtualStore\Program Files\Trillian\users\

The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate the Trillian chat database, do the following:

1. Have the Add New Evidence window open.

2. In the Category list, select Chat Database. In the Source Type list, select Trillian database. Click OK.

3. In the Browse For Folder window, navigate to the location of the source folder. Click OK.

4. Enter the Evidence name (the opened folder name by default) and click OK.

5. The Trillian chat database is added to the case. Saved conversations are displayed in the Data View pane and in the special RTF viewer.

How to Investigate MSN and Windows Live Chat Databases

MSN chat databases are located in the folder with the MSN user nickname.

Chat database default location (Windows 7, 8, 8.1, 10): C:\Users\\My Documents\My Received Files\User nickname\History

To investigate MSN chat databases, do the following:

1. Have the Add New Evidence window open.

2. In the Category list, select Chat Database. In the Source Type list, select MSN and Windows live messenger database. Click OK.

3. In the Browse For Folder window, navigate to the location of the source folder. Click OK.

4. Enter the Evidence name (the opened folder name by default) and click OK.

5. The chat database is added to the case. Saved conversations are displayed in the Data View pane and in the special RTF viewer.

How to Investigate Chat Database Stored Within Added File System Evidence

Electronic Evidence Examiner allows you to find chat databases stored within added file system evidence (forensic images, local drives, etc.) and investigate them as if they had been added as a separate type of evidence.

To investigate a chat database stored within file system evidence, do the following:

1. Create a new case (for more information, please see the help file).
2. Add the file system evidence to the case (for more information, please see the corresponding How to investigate... topic).
3. The structure of the added evidence is displayed in the Case Content pane (to the left); the contents of the selected folder/node are displayed in the Data View pane (to the right).
4. Perform sorting of the selected evidence or its part (for more information, please see the How to Perform Sorting in Added Evidence topic).
5. In the Sorted Files pane, select the Chats category.
6. Contents of the selected category are displayed in the Data View pane (to the right).
7. In the Data View pane, select the chat database you want to investigate, right-click and select Open Path.
8. If the selected chat database file is part of a folder-type chat database, it opens in the Data View pane and you are asked to mount it as a chat database.
9. If the selected file is a file-type chat database, it opens in the Data View pane with a special icon next to its name. Double-click it to mount the chat database.
10. The parsed chat database appears in the evidence tree in the Case Content pane.

How to View Chat Database Evidence

How to View Chat History

Electronic Evidence Examiner allows you to view the chat history as a single listing in which all messages are shown one after another in the following format:

You can also change the font and background color for each interlocutor to make it more convenient for viewing and analyzing.

To view the chat history, do the following:

1. Add the chat database evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. The chat database structure is displayed in the Case Content pane (to the left). The contents of the selected node are displayed in the Data View pane (to the right).
3. Click the conversation node in the Case Content pane. Its contents are displayed in the Data View pane and in the RTF viewer.

To change the color settings in the RTF viewer, do the following:

1. Select the nickname in the bottom part of the RTF viewer (Change color section).
2. Click Font color or Background color.
3. In the opened Color window, select your desired colors for Font and Background.

To copy data from the RTF Viewer, select it, right-click and select Copy.

To select all data in the RTF viewer, right-click and select Select All.

How to View Skype File Transfer History

Electronic Evidence Examiner allows you to view the Skype chat database file transfer history. This data includes the following information: name of the file that was transferred, full path to the file, ID and name of the recipient, time the file was sent, and the file size.

To view Skype file transfer history, do the following:

1. Create a new case (for more information, please see the help file).
2. Add the Skype chat database to Electronic Evidence Examiner (for more information, please see the How to investigate Skype chat database topic).
3. The chat database structure is displayed in the Case Content pane (to the left). Expand the chat database tree and select the File Transfer History node.

How to Perform Searches in Chat Database Evidence

How to Search in Chat Databases

Electronic Evidence Examiner allows you to perform searches in chat databases.

To search for text data, it is recommended that you use the keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching, do the following:

1. Add the chat database to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topics).
2. The chat database structure is displayed in the Case Content pane (to the left); the contents of the selected node are displayed in the Data View pane (to the right).
3. Select the node in the Case Content pane or the message in the Data View pane where you want to search for data. The selected node or message must be sorted and indexed first.
4. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
5. The Search pane opens (to the right).

6. Enter the Search Parameters (for more information, please see the help file). The following groups of parameters are available:

• Common parameters: These parameters include general information about what is to be searched.
• Special Chat databases parameters: These parameters include sender and date filters.

7. Click Start.
8. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
9. The search results are displayed in the bottom part of the Search pane.
10. Double-click a search result to open it in the RTF viewer. The search result is highlighted.

How to Search for Messages from Several Combined Screennames

You can find messages from one screenname or from several screennames. You can also find all messages from all screennames except from specific ones.

To find messages from several combined screennames, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the file or folder where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
3. The Search pane opens (to the right). Write the expression you want to find in the Search what box.
4. Select the Chat Databases tab.
5. Select the Screenname check box. Enter your Boolean expression using the needed screennames (for more information, please see the corresponding topics in the Help file).
6. Enter other parameters if necessary. Click Start. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
7. The search results are displayed in the bottom part of the Search pane.
8. Double-click a search result to open it in the Chat Database pane and view it.

How to Search for Messages that Were Sent at a Specific Time

You can find messages that were sent on a specific date and at a specific time.

To find messages that were sent on a specific date and at a specific time, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the folder or file where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
3. The Search pane opens (to the right). Write the expression you want to find in the Search what box.
4. Select the Chat Databases tab. Select or manually type the date and time in the Sent between boxes to find messages that were sent between these two dates.
5. Enter other parameters if necessary. Click Start. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
6. The search results are displayed in the bottom part of the Search pane.
7. Double-click a search result to open it in the Chat Database pane and view it.

How to Investigate Internet Browser data

The investigation of Internet browser data evidence is possible with the following packages:

• E3: Universal
• E3: P2C
• E3: Internet

How to View History and Temporary Internet Files Created by Internet Explorer

Electronic Evidence Examiner allows you to add a special index.dat file that can contain history, cookies, and temporary internet files created by the Internet Explorer browser.

By default, the index.dat file can be found in the following locations:

OS: Windows 7, 8, 8.1, 10
Browser: Internet Explorer
File locations:
C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
C:\Users\<user name>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\<user name>\AppData\Local\Microsoft\Windows\History\History.IE5\Low\index.dat
C:\Users\<user name>\AppData\Local\Microsoft\Windows\History\History.IE5\MSHistXXXXXXXXXXX\index.dat
C:\Users\<user name>\AppData\Local\Microsoft\Windows\History\History.IE5\Low\MSHistXXXXXXXXXXX\index.dat
C:\Users\<user name>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\<user name>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
C:\Users\<user name>\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
C:\Users\<user name>\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat

To investigate the Internet Explorer data, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Internet Browser Data. In the Source Type list, select Internet Explorer Cache Data. Click OK.
3. In the standard Open window, navigate to the desired index.dat file. Click Open.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The Internet Explorer data is added to the case.
6. If you add Temporary Internet Files data, it can include temporarily downloaded files. These files are displayed in the Thumbnails pane.

How to View Mozilla Firefox History Data

Electronic Evidence Examiner allows you to add a special places.sqlite file that can contain history data created by the Mozilla Firefox browser.


By default, this file can be found in the following locations:

OS: Windows 7, 8, 8.1, 10
Browser: Firefox
File location: C:\Users\<user name>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>\places.sqlite

To investigate Mozilla Firefox History data, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Internet Browser Data. In the Source Type list, select Firefox History Data. Click OK.
3. In the standard Open window, navigate to the desired places.sqlite file. Click Open.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The Mozilla Firefox History data is added to the case.


How to View Google Chrome Data

Electronic Evidence Examiner allows you to add the Google Chrome user profile folder (referred to as the cache folder in the steps below), which contains the browser's history, autofill items, keywords, logins, bookmarks and cookies data.

By default, the Cache folder can be found in the following locations:

OS: Windows 7, 8, 8.1, 10
File location: C:\Users\<user name>\AppData\Local\Google\Chrome\User Data\Default

To investigate Google Chrome data, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Internet Browser Data. In the Source Type list, select Google Chrome Browser Data. Click OK.
3. In the standard Browse For Folder window, navigate to the desired folder with cache data. Click OK.
4. Enter the Evidence name (opened folder name by default) and click OK.
5. The Google Chrome data is added to the case.

How to View Google Chrome Keywords

Electronic Evidence Examiner allows you to view Google Chrome keywords, i.e., data that the user typed in the Google Chrome address bar. Keywords display what the user searched for using the browser.

To view Google Chrome keywords, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Internet Browser Data. In the Source Type list, select Google Chrome Browser Data. Click OK.
3. In the standard Browse For Folder window, navigate to the desired folder with cache data. Click OK.
4. Enter the Evidence name (opened folder name by default) and click OK.
5. The Google Chrome data is added to the case.
6. In the Case Content pane, select the Keywords node. Its contents are displayed in the Data View pane (to the right).
7. In the Term column, the list of Google Chrome keywords is displayed. In the Action URL column, the list of URLs used for the search is displayed.
8. You can copy the URL address from the Properties pane (lower left).
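Both places.sqlite and Chrome's History file are ordinary SQLite databases, so the visit times and keywords the product displays can be cross-checked outside the tool. The following Python script is an added example (it is not part of Electronic Evidence Examiner, Firefox or Chrome) that reads visits from a Firefox-style places.sqlite and search terms from a Chrome-style History database and converts their timestamps: Firefox stores PRTime (microseconds since 1970-01-01 UTC), Chrome stores WebKit time (microseconds since 1601-01-01 UTC), and confusing the two shifts a date by 369 years. Both sample databases are constructed in memory with the real table and column names; only the columns the script reads are created (real Chrome builds add further columns to keyword_search_terms, such as normalized_term).

```python
import sqlite3
import datetime as dt

# Epochs used by the two browsers. Both store microsecond counts.
UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)    # Firefox PRTime
WEBKIT_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)  # Chrome/WebKit time


def prtime_to_utc(microseconds):
    """Firefox places.sqlite timestamps: microseconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + dt.timedelta(microseconds=microseconds)


def webkit_to_utc(microseconds):
    """Chrome History timestamps: microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + dt.timedelta(microseconds=microseconds)


def firefox_history(conn):
    """One row per recorded visit in places.sqlite, oldest first."""
    sql = """SELECT p.url, p.title, v.visit_date
             FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
             ORDER BY v.visit_date"""
    return [{"url": url, "title": title, "visited": prtime_to_utc(ts)}
            for url, title, ts in conn.execute(sql)]


def chrome_search_terms(conn):
    """Search terms typed in the Chrome address bar, with the URL that ran the search."""
    sql = """SELECT k.term, u.url, u.last_visit_time
             FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id
             ORDER BY u.last_visit_time"""
    return [{"term": term, "action_url": url, "visited": webkit_to_utc(ts)}
            for term, url, ts in conn.execute(sql)]


# Constructed sample databases (not real evidence). Table and column names are the
# real ones; only the columns this script reads are created.
def build_sample_firefox():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER,
                                        visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://example.org/', 'Example Domain',
                                       2, 1700000000000000);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1699999000000000, 1);
        INSERT INTO moz_historyvisits VALUES (2, 1, 1, 1700000000000000, 1);
    """)
    return conn


def build_sample_chrome():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER, term TEXT);
        INSERT INTO urls VALUES (7, 'https://www.google.com/search?q=evidence+examiner',
                                 'evidence examiner - Google Search', 1, 13344473600000000);
        INSERT INTO keyword_search_terms VALUES (2, 7, 'evidence examiner');
    """)
    return conn


if __name__ == "__main__":
    for row in firefox_history(build_sample_firefox()):
        print(row["visited"].isoformat(), row["url"], row["title"])
    for row in chrome_search_terms(build_sample_chrome()):
        print(row["visited"].isoformat(), repr(row["term"]), "->", row["action_url"])
```

Run the script against a copy of the evidence file, never the original: open a live profile's database read-only or from a working copy, because SQLite writes journal files next to the database it opens. The two sample timestamps describe the same instant in the two epochs, which is a quick sanity check when you are unsure which converter a tool applied.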

How to Export Images from Temporary Internet Files

Electronic Evidence Examiner allows you to export images from the Temporary Internet Files data created by the Internet Explorer browser.

To export images, do the following:

1. Add the Temporary Internet Files data to a new or existing case (for more information, please see the corresponding How to view... topic).
2. The contents of the Temporary Internet Files node are displayed in the Data View pane (to the right). Temporarily downloaded images are displayed in the Thumbnails pane (at the bottom).
3. Select the image in the Thumbnails pane.
4. On the Export tab, in the Common Export group, click Export, or right-click the image and select Export.
5. In the Exporting Options window, set the options:

• Export to folder: Click this option if you want to export the file(s) to a folder on the computer.
• Export to forensic container: Click this option if you want to export the file(s) to an encrypted forensic container (for more information on forensic containers, please see the help file).
• Destination Path: Define the location of the exported data; click Browse to navigate to the desired location.
• Password: Enter the password defined during the forensic container creation (required if Export to forensic container is selected).

6. Click Export. The export process is displayed in the Tasks pane.
7. Navigate to the folder with the exported data to view the results.

How to Search in Internet Browser Data

Electronic Evidence Examiner allows you to perform searches in the Internet Browser data added as evidence to the case. To search for text data, it is recommended that you use a keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the Internet Browser Data file where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Enter the Search Parameters (for more information, please see the help file). The following groups of parameters are available:

• Common parameters: These parameters include general information about what is to be searched.
• Internet Browser Data parameters: These parameters define where data is to be searched.

6. Click Start.
7. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. The search results are displayed in the bottom part of the Search pane.
9. Double-click a search result to open it in the Data View pane.

How to Investigate File System

The investigation of file system evidence is possible with the following packages:

• E3: Universal
• E3: P2C

How to Investigate Different Types of File Systems

How to Autodetect Disk Image File System Type

Electronic Evidence Examiner allows you to autodetect the file system type for the disk image being added to the case.

Electronic Evidence Examiner supports disk images created by Paraben's Forensic Replicator (PFR), EnCase 4, 5, 6, 7 and 8, and SafeBack 2 and 3, as well as RAW disk images (created by SMART and other software).

To autodetect the disk image format, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Image File. In the Source Type list, select Auto-detect image and click OK.
3. In the standard Open window, navigate to the desired image file of a supported format. Click OK.

How to Investigate Disk Image

Electronic Evidence Examiner allows you to investigate an image of a logical or physical drive with a corresponding file system, created by Paraben's Forensic Replicator (PFR), EnCase 4, 5, 6, 7 and 8, or SafeBack 2 and 3, as well as RAW disk images (created by SMART and other software).

The following file systems are supported: FAT, FATX, NTFS, ExtX, HFS+, HFSX, and STFS.


To investigate the disk image, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Image File. In the Source Type list, select the desired image type (the type of the file system on the image). Click OK.
3. In the standard Open window, navigate to the desired image file and click OK. Please note that, when opening *.vmdk split images, you can select any part of the image, not just the first one.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. When opening an encrypted image, you need to enter its password. Click OK.
6. When opening an NTFS file system image, you will be asked to define its settings before you open it (for more information, please see the help file).
7. The image file is added to the case.
8. The structure of the file system is displayed in the Case Content pane (to the left). The contents of the selected folder/node are displayed in the Data View pane (to the right).
9. You can view the contents of files and folders and the unallocated space.

How to Investigate Separate Folders

Electronic Evidence Examiner allows you to investigate a separate folder instead of adding the whole logical drive. You can investigate either local or network folders as well as folders stored on CD/DVD discs. You can also add a whole CD/DVD disc as a separate folder evidence.

To investigate a separate folder, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Logical Drive or Folder. In the Source Type list, select Separate Folder. Click OK.
3. In the Browse For Folder window, navigate to the location of the desired folder. Click OK.
4. Enter the Evidence name (opened folder name by default) and click OK.
5. If the folder is stored on a disk with an NTFS file system, define the NTFS settings and click OK (for more information, please see the help file).
6. The folder is added to the case.
7. The structure of the added folder is displayed in the Case Content pane (to the left). The contents of the selected folder/node are displayed in the Data View pane (to the right).
8. You can view the contents of files and folders and the unallocated space.

How to Investigate Logical Drive

Electronic Evidence Examiner allows you to investigate logical drives that are connected to the computer on which the case is opened.

To investigate a logical drive, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Logical Drive or Folder. In the Source Type list, select the desired disk. Click OK.
3. Enter the Evidence name (opened disk name by default) and click OK.
4. If opening a disk with an NTFS file system, define the NTFS Settings and click OK.
5. The logical drive is added to the case.
6. The structure of the file system is displayed in the Case Content pane (to the left). The contents of the selected folder are displayed in the Data View pane (to the right).
7. You can view the contents of files and folders and the unallocated space.
8. When investigating an NTFS file system, you can also view deleted files and folders.

How to Investigate Physical Drive

Electronic Evidence Examiner allows you to investigate a physical drive that is connected to the computer on which the case is opened.

To investigate a physical drive, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Physical Drive. In the Source Type list, select the desired physical drive. Click OK.
3. Enter the Evidence name (opened drive name by default) and click OK.
4. The physical drive is added to the case.
5. Click the partition node to view its contents. If it is a disk with an NTFS file system, you are asked to define the NTFS Settings (for more information, please see the help file).
6. The number of Partition nodes corresponds to the number of logical disks on the selected physical drive (for more information, please see the corresponding How to investigate a logical drive topic).

How to Investigate FAT File System Data

Electronic Evidence Examiner allows you to investigate an image of a logical drive or a logical drive with a FAT filesystem.

Electronic Evidence Examiner supports the following FAT filesystems:

• FAT12
• FAT16
• FAT32

When adding FAT file system evidence to the case, the deleted data is restored automatically and is marked with a red cross X.

To investigate FAT file system data, do the following:

1. Have the Add New Evidence window open.
2. Add the FAT file system disk image or the logical drive with the FAT file system as evidence.
3. Enter the Evidence name (by default, the name of the file to be added) and click OK.
4. The FAT file system evidence is added to the case.
5. The structure of the file system is displayed in the Case Content pane (to the left). The contents of the selected folder/node are displayed in the Data View pane (to the right). The deleted data is restored automatically and marked with a red cross X.
6. You can view the contents of files and folders and the unallocated space.
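The automatic restoration of deleted FAT entries described above is possible because FAT deletes lazily: the 32-byte directory entry stays in place and only its first name byte is overwritten with 0xE5, so the rest of the name, the size, the timestamps and the starting cluster survive until the slot is reused. The following Python parser is an added example, not code from Electronic Evidence Examiner, that walks a FAT directory region and reports both live and deleted 8.3 entries; the 128-byte directory region at the bottom is constructed for the example and stands in for a directory read out of an image.

```python
import struct
import datetime as dt

# 32-byte FAT short-name directory entry: name, attr, NTRes, CrtTimeTenth, CrtTime,
# CrtDate, LstAccDate, FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize.
ENTRY = struct.Struct("<11sBBBHHHHHHHI")
ATTR_LFN = 0x0F         # long-file-name entry (all four low attribute bits set)
ATTR_DIRECTORY = 0x10
DELETED_MARK = 0xE5     # first name byte once the entry has been deleted
END_OF_DIRECTORY = 0x00


def fat_datetime(date, time):
    """Decode packed FAT date/time (local time, no time zone) or None if unset."""
    if date == 0:
        return None
    return dt.datetime((date >> 9) + 1980, (date >> 5) & 0x0F, date & 0x1F,
                       time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def short_name(raw, deleted):
    """Turn an 8.3 name field into NAME.EXT; a deleted entry has lost its first byte."""
    base, ext = bytearray(raw[:8]), raw[8:11]
    if deleted:
        base[0] = ord("?")          # the original first character is unrecoverable
    elif base[0] == 0x05:
        base[0] = 0xE5              # 0x05 escapes a genuine 0xE5 first byte
    name = base.rstrip().decode("latin-1")
    suffix = ext.rstrip().decode("latin-1")
    return f"{name}.{suffix}" if suffix else name


def parse_directory(data):
    """Walk a FAT directory region and return live and deleted short-name entries."""
    entries = []
    for offset in range(0, len(data) - ENTRY.size + 1, ENTRY.size):
        (raw, attr, _nt, _tenth, _ctime, _cdate, _adate,
         clus_hi, wtime, wdate, clus_lo, size) = ENTRY.unpack_from(data, offset)
        if raw[0] == END_OF_DIRECTORY:
            break                   # no entries follow
        if attr & 0x3F == ATTR_LFN:
            continue                # long-name fragments are skipped here
        deleted = raw[0] == DELETED_MARK
        entries.append({
            "offset": offset,
            "name": short_name(raw, deleted),
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
            "modified": fat_datetime(wdate, wtime),
        })
    return entries


# Constructed directory region (not real evidence): one live file, one LFN fragment,
# one deleted file, then the end-of-directory marker. 0x576E/0xB1AA encode
# 2023-11-14 22:13:20.
def _entry(name, attr, cluster, size, wdate=0x576E, wtime=0xB1AA):
    return ENTRY.pack(name, attr, 0, 0, 0, 0, 0, cluster >> 16,
                      wtime, wdate, cluster & 0xFFFF, size)

_lfn = bytearray(32)
_lfn[0] = 0x41                      # sequence 1, last fragment
_lfn[1:11] = "secre".encode("utf-16-le")
_lfn[11] = ATTR_LFN

SAMPLE_DIRECTORY = (
    _entry(b"README  TXT", 0x20, 5, 1234)
    + bytes(_lfn)
    + _entry(b"\xE5ECRET  DOC", 0x20, 9, 4096)
    + bytes(ENTRY.size)
)

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIRECTORY):
        flag = "X" if e["deleted"] else " "
        print(f"{flag} {e['name']:<14} size={e['size']:<6} cluster={e['first_cluster']} "
              f"modified={e['modified']}")
```

Two caveats apply to anything restored this way, in this script or in the product: the content is only trustworthy if the clusters the entry points to have not been reallocated since deletion, and the first character of the name is gone for good, which is why recovered names are shown with a placeholder. Deleting a file also releases its cluster chain in the FAT, so a fragmented file can only be recovered contiguously from its start cluster.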

How to Investigate NTFS File System Data

Electronic Evidence Examiner allows you to investigate an image of a logical drive or a logical drive with an NTFS file system (for Windows OS).

To investigate NTFS file system data, do the following:

1. Have the Add New Evidence window open.
2. Add the NTFS file system disk image or the logical drive with the NTFS file system as evidence.
3. Enter the Evidence name (by default, the name of the file to be added) and click OK.
4. Define the NTFS file system settings. The following options are available:

• Search deleted files and folders: If selected, this option activates the deleted files and folders search and recovery when opening evidence.
• Add the Trash folder to the NTFS root: If selected, this option adds the special Trash folder where deleted files and folders are placed (available only if the Search deleted files and folders option is checked).
• Recover folders structure for bad images: If selected, this option allows you to recover the folder structure for damaged disk images.
• Add the Unallocated Space folder to the NTFS root: If selected, this option allows you to recover the current contents of the free parts of the disk, which may include temporary data, parts of deleted data, etc.

All options are selected by default.

5. The file system evidence is added to the case.
6. The structure of the file system is displayed in the Case Content pane (to the left). The contents of the selected folder/node are displayed in the Data View pane (to the right).
7. You can view the file contents in different viewers.
8. Double-click a file to view its NTFS attributes (for more information, please see the help file). After you double-click the file, it is parsed and appears in the Case Content tree.
9. To view the unallocated disk space (disk space that is marked as free), in the Case Content pane, select the Unallocated Space node (for more information, please see the help file).
10. You can also view deleted files and folders.

How to Investigate ExtX File System Data

Electronic Evidence Examiner allows you to investigate an image of a logical drive or a logical drive with an ExtX file system (for Linux OS).

For Ext2, deleted files are recovered and displayed in the Trash folder. For other ExtX file systems, deleted files can be found in the Unallocated Space folder.

To investigate an ExtX file system, do the following:


1. Have the Add New Evidence window open.
2. Add the ExtX file system disk image or the logical drive with the ExtX file system as evidence.
3. Enter the Evidence name (by default, the name of the file to be added) and click OK.
4. The file system evidence is added to the case.
5. The structure of the file system is displayed in the Case Content pane (to the left). The contents of the selected folder/node are displayed in the Data View pane (to the right).
6. You can view the contents of files and folders and the unallocated space.

How to Investigate HFS File System Data

Electronic Evidence Examiner allows you to investigate an image of a logical drive, or a logical drive, with an HFS+ file system (for Mac OS).

In the HFS+ file system, deleted data can be found in the Unallocated Space folder.

To investigate HFS file system data, do the following:

1. Have the Add New Evidence window open.
2. Add the HFS file system disk image or the logical drive with the HFS file system as evidence.
3. Enter the Evidence name (by default, the name of the file to be added) and click OK.
4. The HFS file system evidence is added to the case.
5. The structure of the file system is displayed in the Case Content pane (to the left). The contents of the selected folder/node are displayed in the Data View pane (to the right).
6. You can view the contents of files and folders and the unallocated space.

How to investigate FATX File System Data

Electronic Evidence Examiner allows you to investigate an image of a logical or a physical drive with a FATX filesystem.

To investigate FATX file system data, do the following:

1. Have the Add New Evidence window open.
2. Add the FATX file system disk image.
3. Enter the Evidence name (by default, the name of the file to be added) and click OK.
4. The FATX file system evidence is added to the case.
5. The structure of the file system is displayed in the Case Content pane (to the left). The contents of the selected folder/node are displayed in the Data View pane (to the right).
6. You can view the contents of files and folders and the unallocated space.

How to Investigate STFS File System Data

Electronic Evidence Examiner allows you to investigate an image of a logical or physical drive with an STFS filesystem.

To investigate STFS file system data, do the following:

1. Have the Add New Evidence window open.
2. Add the STFS file system disk image.
3. Enter the Evidence name (by default, the name of the file to be added) and click OK.
4. The STFS file system evidence is added to the case.
5. The structure of the file system is displayed in the Case Content pane (to the left). The contents of the selected folder/node are displayed in the Data View pane (to the right).
6. You can view the contents of files and folders and the unallocated space.

How to View Filesystem Evidence

How to View the Contents of Files/Folders

Electronic Evidence Examiner allows you to view the contents of folders in a special Data viewer and the contents of files in Hex, Text, and File viewers.

To view folders contents, do the following:

1. Have the Add New Evidence window open.
2. Add the logical drive, physical drive, disk image, or folder to the case (for more information, please see the corresponding How to investigate... topics).
3. The file system structure is displayed in the Case Content pane (to the left).
4. In the Case Content pane, navigate to the folder whose contents you want to display. Expand the file system tree by clicking the plus sign near the name of the node.
5. The contents of the selected folder are displayed in the Data View pane (to the right).

If the folder contains data which can be investigated in Electronic Evidence Examiner as separate evidence (e.g. a mail storage), you can parse it to the suitable format by double-clicking the folder.

6. You can view the file contents in different viewers.
7. File properties are displayed in the Properties pane.

How to View Deleted Files and Folders

Electronic Evidence Examiner restores deleted files and folders. There are two ways to restore data:

• Complete restoring: Restores both the contents of deleted files and their attributes, properties, location, etc. This type of restoring is available for NTFS, FAT, FATX, STFS, and Ext2 file systems.
• Data carving: Restores the contents of deleted files from the Unallocated Disk Space. This type of restoring is available for all types of file system evidence, including HFS and ExtX data.

Please note that, for NTFS file systems, deleted files and folders are restored if the corresponding option is selected in the NTFS file system settings. Also for NTFS file systems, a Trash folder can be added to the file system root where all deleted files and folders are displayed.

To view deleted files and folders restored with complete restoring (for NTFS, FAT, FATX, STFS and Ext2 file system evidence), do the following:

1. Add the file system data to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate... topic).
2. When adding an NTFS file system, select the Search deleted files and folders and the Add the Trash folder to the NTFS root options in the NTFS Settings.
3. The deleted data recovery process is displayed in the Case Content pane. If the process takes too long, right-click it and select Cancel to stop the search.
4. Deleted files and folders are marked with a red cross X. The contents of the deleted files can be viewed in the Hex and Text viewers. If possible, the contents of the file are also displayed in the File viewer.
5. Select the deleted file/folder in the Case Content pane (to the left) or in the Data View pane (to the right) to view its contents. Make sure that the Hex, Text, and File viewers are enabled.
6. To enable the Text, Hex and File viewers, click the corresponding item on the View tab.

How to View Free Parts of Disk Added as Evidence

Electronic Evidence Examiner allows you to view the unallocated disk space (parts of the disk that are marked as free). This method allows you to carve deleted data.


The unallocated disk space is available for logical and physical drives and also for disk images. It is not available if you add a folder as evidence.

You can view the contents of unallocated clusters in Hex and Text viewers.

The following types of data are carved from the unallocated space:

• Graphics: PC bitmap data, GIF image data, JPEG image data, JPEG image data JFIF standard, JPEG image data HSI proprietary, JPEG 2000 image data, PNG image data, TIFF image data big-endian, TIFF image data little-endian, Windows Enhanced Metafile (EMF) image data, Windows Metafile Format (WMF).
• Documents: PDF documents, Rich Text Format data, Microsoft OLE Compound files, DOC Microsoft Office Word, XLS Microsoft Office Excel, PPT Microsoft Office PowerPoint 97-2004, XLS Microsoft Office Excel 97/98/2004, Microsoft Office 2007 Open XML format, Microsoft Office 2007 Open XML XLSX, Microsoft Office 2007 Open XML DOCX, Open Office OpenDocument Spreadsheet, Open Office OpenDocument Text, Open Office OpenDocument Presentation, Open Office OpenDocument Database, XML document text, XML document unicode text, AutoCAD (release 12-14), MS Windows HtmlHelp Data, HTML document text.
• Multimedia: MP3 Audio file with ID3 version 2, OGG Vorbis Audio.
• Database: SQLite database, Mozilla Firefox 3 History File Format, Skype 4 and later database, ICQ7 database, Google Chrome History file.
• Archives: Zip archive data, Zip archive data encrypted, Android Package.
• Android file types: APK functions file, Android keychar file, Android key file.
• Font types: TrueType font data.
• Other: Windows Installer File, .NET Framework configuration file, Windows Mobile SDK config file, Microsoft Automatic Destination file, Windows XP Thumbnail Database, PUB Microsoft Office Publisher, MSG Outlook message file, Test Director templates set, Microsoft VisualStudio Solution User Options, VSD Microsoft Visio, Microsoft Access Database, MindManager Brainstorm and Process Control Map, ELF Executable and Linkable Format.

To view the unallocated disk space, do the following:

1. Add the file system data to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. If you add NTFS file system data, select the Add the Unallocated Space folder to the NTFS root option.
3. The file system structure is displayed in the Case Content pane (to the left). Select the Unallocated Space node in the file system tree (it is placed in the root of the added file system evidence).
4. Click the Detected Items subnode of the Unallocated Space node.
5. The process of searching for free disk (disk image) space starts. If it takes too long, right-click the Searching unallocated clusters message and select Cancel.
6. Once the process is completed, the list of all unallocated clusters is displayed in the Case Content pane. Each cluster contains free parts of the disk. Click the unallocated cluster subnode to view its contents in the Data View pane.
7. Select the free part of the disk in the Data View pane to view it in the Hex or Text viewer (make sure that the viewers are enabled). If possible, it can be displayed in the File viewer.
8. To enable the File, Text, and Hex viewers, click the corresponding item on the View tab.

How to View the File Slack

Most modern file systems use fixed-size clusters or blocks. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. The unused space is called the slack space.

Some data can be stored in the slack space of the file. Electronic Evidence Examiner allows you to view the file slack (unused space) in special File Slack Hex and File Slack Text viewers.

To view the file slack, do the following:

1. Add the file system data to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. The file system structure is displayed in the Case Content pane (to the left). Files stored in folders are displayed in the Data View pane (to the right).
3. In the Data View pane, select the file whose file slack you want to be displayed.
4. The File Slack Hex and File Slack Text viewers are enabled automatically when you enable the Hex and Text viewers. To enable them, click the corresponding item on the View tab.
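The slack-space arithmetic described above, as an added example (this is not Electronic Evidence Examiner code). It assumes the file occupies consecutive clusters starting on a cluster boundary in the supplied buffer, and that the cluster size is known (4096 bytes is the NTFS default; the constructed sample uses 512). The constructed sample shows the practitioner's concern: the clusters were previously used by a now-deleted file, so its residue survives in the slack behind the new file's end.

```python
"""Compute and extract file slack for a file stored in fixed-size clusters.

Added example, not part of Electronic Evidence Examiner. Cluster size and
the sample data are assumptions chosen for illustration.
"""
import math


def slack_size(file_size: int, cluster_size: int) -> int:
    """Bytes between end-of-file and the end of its last allocated cluster."""
    if file_size < 0 or cluster_size <= 0:
        raise ValueError("file size must be >= 0 and cluster size > 0")
    if file_size == 0:
        return 0  # edge case: no cluster is allocated for an empty file
    clusters = math.ceil(file_size / cluster_size)
    return clusters * cluster_size - file_size


def split_file_and_slack(cluster_data: bytes, file_size: int, cluster_size: int):
    """Return (file_bytes, slack_bytes) from the raw allocated clusters."""
    allocated = math.ceil(file_size / cluster_size) * cluster_size
    if len(cluster_data) < allocated:
        raise ValueError("buffer is shorter than the file's allocated clusters")
    return cluster_data[:file_size], cluster_data[file_size:allocated]


def build_sample_clusters(cluster_size: int = 512):
    """Constructed sample: two clusters that once held a (now deleted) file,
    later reused for a 700-byte file. Returns (raw clusters, new file size)."""
    old_content = b"OLD SECRET REPORT " * 60          # residue of the earlier file
    residue = bytearray(old_content[: 2 * cluster_size])
    new_file = (b"quarterly figures\n" * 40)[:700]     # exactly 700 bytes
    residue[: len(new_file)] = new_file                # overwrite only the used part
    return bytes(residue), len(new_file)


if __name__ == "__main__":
    data, size = build_sample_clusters()
    body, slack = split_file_and_slack(data, size, 512)
    print(f"file {len(body)} bytes, slack {len(slack)} bytes, "
          f"slack holds residue: {b'SECRET' in slack}")
```

A file whose size is an exact multiple of the cluster size has no slack at all, and an empty file has none either; both are handled explicitly rather than by accident of the arithmetic.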

How to View File ADS

Electronic Evidence Examiner allows you to view the file ADS (Alternate Data Stream) in NTFS file system data. This means that some files can be embedded in another file while staying invisible to you.

With the help of Electronic Evidence Examiner, you can view file ADS as separate files. They are displayed as main file name: ADS name.


To view the file ADS, do the following:

1. Add the NTFS file system data to a new or existing case (please see the How to investigate NTFS file system data topic).
2. The file system structure is displayed in the Case Content pane (to the left). Navigate to the folder with the file ADS in the file system tree.
3. Its contents are displayed in the Data View pane (to the right).
4. The ADS files are displayed right under the main file.
5. You can view the ADS files in the File, Text, Hex, File Slack Text, and File Slack Hex viewers (make sure that the viewers are enabled).
6. To enable the File, Hex, and Text viewers, click the corresponding item on the View tab.

The File Slack Hex and the File Slack Text viewers are enabled automatically when you enable the Hex and Text viewers.

How to View Files with Wrong Extensions

Electronic Evidence Examiner allows you to view files whose extensions do not correspond to the file types detected by the program. It can happen when another extension was assigned to a file of a certain type. Such files are highlighted in pink and can be viewed in the Data View pane.

To view files with wrong extensions, do the following:

1. Add the file system data to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. In the Case Content pane (to the left), navigate to the folder where you want to search for files with wrong extensions and select it.
3. The contents of the selected folder are displayed in the Data View pane.
4. Files whose extensions do not correspond to the file types detected by Electronic Evidence Examiner are highlighted in pink.
5. In the Type column in the Data View pane, the real file type is displayed.
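Both the carving of unallocated space (How to View Free Parts of Disk Added as Evidence) and the wrong-extension check above rest on the same idea: recognise a file by its leading magic bytes rather than by its name. The following is an added example, not Electronic Evidence Examiner's own code. The SIGNATURES table is a small hand-picked subset of the formats listed earlier, using the published magic bytes for each; which extensions count as "matching" a type is an assumption made here, and the unallocated-space buffer is constructed for the demonstration.

```python
"""Signature-based type detection, extension-mismatch checks and naive carving.

Added example, not Electronic Evidence Examiner code. The sample buffer
and extension sets are constructed assumptions.
"""

# (type name, extensions that legitimately carry this content, magic at offset 0)
SIGNATURES = [
    ("JPEG image data", {"jpg", "jpeg"}, b"\xff\xd8\xff"),
    ("PNG image data", {"png"}, b"\x89PNG\r\n\x1a\n"),
    ("GIF image data", {"gif"}, b"GIF8"),
    ("PDF document", {"pdf"}, b"%PDF-"),
    ("Zip archive data", {"zip", "docx", "xlsx", "pptx", "apk", "odt", "ods"}, b"PK\x03\x04"),
    ("Microsoft OLE Compound file",
     {"doc", "xls", "ppt", "msg", "automaticdestinations-ms"},
     b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("SQLite database", {"sqlite", "db"}, b"SQLite format 3\x00"),
    ("ELF executable", {"", "so", "o", "elf"}, b"\x7fELF"),
]

# Trailers that let a carver cut a candidate at its real end instead of at
# the next header.
FOOTERS = {
    "JPEG image data": b"\xff\xd9",
    "PNG image data": b"IEND\xae\x42\x60\x82",
}


def identify(data: bytes):
    """Return (type name, extension set) for the first matching signature, else None."""
    for name, exts, magic in SIGNATURES:
        if data.startswith(magic):
            return name, exts
    return None


def extension_mismatch(filename: str, data: bytes):
    """Return the detected type when the extension does not fit it, else None.
    Content of unknown type is not reported: there is no detected type to compare."""
    detected = identify(data)
    if detected is None:
        return None
    name, exts = detected
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return None if ext in exts else name


def carve(buffer: bytes, max_len: int = 1 << 20):
    """Header-to-next-header carving over an unallocated-space buffer.
    Returns [(offset, type name, candidate bytes)]. A candidate ends at its
    known footer when one exists, otherwise at the next header or max_len."""
    hits = []
    for name, _exts, magic in SIGNATURES:
        start = 0
        while (pos := buffer.find(magic, start)) != -1:
            hits.append((pos, name, magic))
            start = pos + 1
    hits.sort()
    results = []
    for i, (pos, name, magic) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(buffer)
        candidate = buffer[pos:min(end, pos + max_len)]
        footer = FOOTERS.get(name)
        if footer:
            cut = candidate.find(footer, len(magic))
            if cut != -1:
                candidate = candidate[:cut + len(footer)]
        results.append((pos, name, candidate))
    return results


# Constructed sample "unallocated space": filler bytes around three fragments.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0JFIF-fake-body\xff\xd9"
SAMPLE_PDF = b"%PDF-1.7\n%constructed body\n"
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"x.txt"
SAMPLE_UNALLOCATED = (b"\x00" * 16 + SAMPLE_JPEG + b"\x00" * 8
                      + SAMPLE_PDF + b"\x00" * 8 + SAMPLE_ZIP)

if __name__ == "__main__":
    for offset, kind, blob in carve(SAMPLE_UNALLOCATED):
        print(f"{offset:6d} {kind:28s} {len(blob)} bytes")
    print(extension_mismatch("report.txt", SAMPLE_JPEG))   # flagged as JPEG
```

The JPEG fragment is cut exactly at its FFD9 trailer, while the PDF candidate runs on to the next header and so carries the filler bytes that follow it; that is the usual trade-off of header-only carving and the reason a real carver also uses length fields and footers.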

How to View Contents of Hidden Partitions in Physical Drive Evidence

Electronic Evidence Examiner allows you to view hidden partitions when adding a physical drive or physical drive image evidence. Hidden partitions are logical sections of a disk that are not accessible to the operating system. These partitions may be used to store confidential data or system backup.

Electronic Evidence Examiner detects these hidden partitions and allows you to view their contents.

To view the contents of a hidden partition, do the following:

1. Add a physical drive or physical drive image to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. In the Case Content pane, expand the physical drive tree to view its structure. Hidden partitions are marked with transparent icons.
3. To view the contents of a hidden partition, click it and expand it. If it is a disk with an NTFS file system, you are asked to define the NTFS Settings (for more information, please see the help file).
4. The number of Partition nodes corresponds to the number of logical disks on the selected physical drive or physical drive image.
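To see what "a partition the operating system does not expose" looks like at the byte level, here is an added example (not Electronic Evidence Examiner code) that reads the classic MBR partition table from the first sector of a physical-drive image. It covers MBR-partitioned disks only (GPT disks use a different table); the four 16-byte entries sit at offset 0x1BE and the 0x55AA signature at 0x1FE. Which type codes are treated as "hidden" is an analyst's choice, and the small set used here is an assumption built from well-known codes; the test sector is constructed.

```python
"""List MBR partitions and flag the ones an OS would not mount.

Added example, not part of Electronic Evidence Examiner. HIDDEN_TYPES and
the sample sector are assumptions chosen for illustration.
"""
import struct

PARTITION_TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
SECTOR = 512

# Partition type codes that mainstream operating systems do not auto-mount.
HIDDEN_TYPES = {
    0x11: "Hidden FAT12", 0x12: "OEM diagnostics", 0x14: "Hidden FAT16 <32M",
    0x16: "Hidden FAT16", 0x17: "Hidden HPFS/NTFS", 0x1B: "Hidden FAT32",
    0x1C: "Hidden FAT32 (LBA)", 0x1E: "Hidden FAT16 (LBA)", 0x27: "Windows RE / hidden NTFS",
}
KNOWN_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
               0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def is_mbr(sector: bytes) -> bool:
    return len(sector) >= SECTOR and sector[0x1FE:0x200] == b"\x55\xaa"


def parse_mbr(sector: bytes):
    """Return one dict per populated partition entry in the MBR."""
    if not is_mbr(sector):
        raise ValueError("not a valid MBR: bad length or missing 55AA signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        if ptype == 0 or num_sectors == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "description": HIDDEN_TYPES.get(ptype) or KNOWN_TYPES.get(ptype, "unknown"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "sectors": num_sectors,
            "size_bytes": num_sectors * SECTOR,
        })
    return parts


def hidden_partitions(sector: bytes):
    return [p for p in parse_mbr(sector) if p["hidden"]]


def build_sample_mbr() -> bytes:
    """Constructed sector: one bootable NTFS partition and one hidden FAT32."""
    sector = bytearray(SECTOR)
    entries = [
        (0x80, 0x07, 2048, 204800),    # NTFS, 100 MiB, bootable
        (0x00, 0x1C, 206848, 65536),   # hidden FAT32 (LBA), 32 MiB
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector[0x1FE:0x200] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        flag = "HIDDEN" if p["hidden"] else ""
        print(f"#{p['index']} type 0x{p['type']:02X} {p['description']:24s} "
              f"LBA {p['lba_start']} size {p['size_bytes'] // (1 << 20)} MiB {flag}")
```

A practitioner reading an image should also compare the sum of the partition extents against the disk size: space that belongs to no entry at all is another place data can sit outside the operating system's view, and it does not show up in this table.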

How to View the Link Files

Electronic Evidence Examiner allows you to detect the link files in the filesystem evidence and view them in the Hex and Text viewers.

The link files are the shortcuts that link to an application or file, and contain the type, location, filename, as well as the program that opens the file or runs the application.

To view the link files content:

1. Add filesystem evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. In the Case Content pane (to the left), navigate to the folder containing the link files; or use the Advanced Search option to find the link files by their extension (.lnk).

The default location of the link files is the following: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent

3. Select the required link file.
4. In the File Viewers group, select the Hex View tab or the Text View tab to view the link file in the corresponding format.


How to View the Jump List Files

Electronic Evidence Examiner allows you to detect the jump list files, which are OLE Compound Files, in the filesystem evidence and view them in the Hex and Text viewers.

The jump list files contain information about the applications that are pinned on a user's taskbar, timestamps, as well as the paths to the items (documents, webpages, images, etc.) recently accessed by a program pinned on a user's taskbar.

To view the jump list files content:

1. Add filesystem evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. In the Case Content pane (to the left), navigate to the folder containing the jump list files; or use the Advanced Search option to find the jump list files by their extension (.customDestinations-ms or .automaticDestinations-ms).

The default location of the jump list files is the following: C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations; C:\Users\\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations.

3. Select the required jump list file.
4. In the File Viewers group, select the Hex View tab or the Text View tab to view the jump list file in the corresponding format.

How to Perform Searches in Filesystem Evidence

How to Search for Data in File System Evidence

Electronic Evidence Examiner allows you to perform searches in file systems added as evidence to the case.

Please note that searches in sorted data are much quicker than simple searches. To search for text data, it is recommended that you use the keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the file, folder, node, etc. where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Enter the Search Parameters (for more information, please see the help file). The following groups of parameters are available:

• Common parameters: These parameters include general information about what is to be searched.
• Search Area parameters: These parameters define places where the search will be performed.
• File System Data parameters. Search Text Scope: These parameters define where data is to be searched. They allow the user to define file attributes and file mask. Also, date parameters can be defined.
• File System Data parameters. File Attributes: These parameters define the attributes of files that will be searched.

6. Click Start.
7. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. Search results are displayed at the bottom part of the Search pane.
9. Double-click the search result to open it in the Data View pane, or in the Hex, Text, or File viewers.


How to Search in Ext File System Data

Electronic Evidence Examiner allows you to perform searches in Ext file system data using special parameters. Please note that, to search for text data, it is recommended that you use keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching in Ext file system data, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the node, file, folder, etc. where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Click the File System Data tab in the Search pane.
6. In the opened tab, click the File attributes tab.
7. Define the Ext file system attributes. These include the following groups of attributes: File Format (HFS/Ext), Access rights (HFS/Ext), and Process execution (Ext).
8. Define other search parameters if necessary (for more information, please see the help file).
9. Once all the parameters are defined, click Start.
10. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
11. The search results are displayed at the bottom part of the Search pane.
12. Double-click the result to open it in the File, Hex, or Text viewer.

How to Search in HFS File System Data

Electronic Evidence Examiner allows you to perform searches in HFS file system data using special parameters. Please note that, to search for text data, it is recommended that you use keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching in HFS file system data, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the node, file, folder, etc. where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Click the File System Data tab in the Search pane.
6. In the opened tab, click the File attributes tab.
7. Define the HFS file system attributes. These include the following groups of attributes: File Format (HFS/Ext), Access rights (HFS/Ext), and Finder info (HFS).
8. Define other search parameters if necessary (for more information, please see the help file).
9. Once all the parameters are defined, click Start.
10. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
11. The search results are displayed at the bottom part of the Search pane.
12. Double-click a result to open it in the File, Hex, or Text viewer.

How to Search for All Documents Created Within a Specific Period of Time in File System Evidence

Electronic Evidence Examiner allows you to find all documents in file system evidence that were created within a specific period of time. Then you can export the results found to a computer with Electronic Evidence Examiner installed.

To find all documents created within a specific period of time, do the following:

1. Add file system evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. The structure of the added evidence is displayed in the Case Content pane (to the left); the contents of the selected folder/node are displayed in the Data View pane (to the right).
3. Sort the selected evidence or its part (for more information, please see the How to Perform Sorting in Added Evidence topic).
4. On the Analysis tab, in the Search group, select Sorted Files Search.
5. The Sorted Files Search pane opens (to the right).
6. On the Common tab, click the dots (...) button and, in the opened Select Group Types window, select the Text type. Click OK.
7. On the Dates tab, define the time parameters when the text documents were created.
8. Click Run Query. The sorted files search starts.
9. To export the file from the Sorted Files Search pane, right-click it and select Export, or click Export on the Export tab, in the Common Export group.

How to Export Filesystem Evidence Data

How to Export Filesystem Data (File Type)

Electronic Evidence Examiner allows you to export files from the case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed.

An .md5 file is created when a file is exported. It is placed in the same folder as the exported file and contains its MD5.

To export a file, do the following:

1. Add file system evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. The file system structure is displayed in the Case Content pane (to the left); files stored in folders are displayed in the Data View pane (to the right).
3. In the Data View pane, select the file (or files) that you want to export. Use the Ctrl and Shift keys to select more than one file.
4. On the Export tab, in the Common Export group, select Export, or right-click the file (files) and select Export.
5. In the Exporting Options window, set the options you need:

• Export to folder: Click this option if you want to export the file(s) to a folder.
• Export to forensic container: Click this option if you want to export the file(s) to an encrypted forensic container (for more information on forensic containers, please see the help file).
• Destination Path: Define the location of the exported data. Click Browse to navigate to the desired location.
• Password: Enter the password that was set when the forensic container was created (required if Export to forensic container is selected).

6. Click Export. The export process is displayed in the Tasks pane.
7. To view the results:

• If data was exported to a folder, navigate to the selected folder to view the exported file(s).
• If data was exported to a forensic container, add the desired forensic container as evidence (please see the How to view the forensic container data topic) and view the results.

How to Export Filesystem Data (Folder Type)

Electronic Evidence Examiner allows you to export folders from the case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed.

A summary.md5 file is created for each exported folder. It is placed in the exported folder and contains a list of all exported files stored in this folder and their MD5 hash codes.

To export folders, do the following:

1. Add file system evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. The file system structure is displayed in the Case Content pane (to the left); files stored in folders are displayed in the Data View pane (to the right).
3. In the Case Content pane or in the Data View pane, select the folder you want to export.

When selecting the folder in the Data View pane, you can select more than one folder using the Ctrl and Shift keys.

4. On the Export tab, in the Common Export group, select Export, or right-click the file(s) and select Export.
5. In the Exporting Options window, set the options you need and define the destination. The following export options are available:

• Export type:
o Recursive: If this option is selected, the folder will be exported with all its subfolders.
o Non recursive: If this option is selected, only files stored directly in the folder will be exported and the subfolder contents will not be exported.
• Export to:
o Export to folder: If this option is selected, the data will be exported to a folder.
o Export to forensic container: If this option is selected, the data will be exported to an encrypted forensic container (for more information on forensic containers, please see the help file).
• Destination:
o Destination Path: Define the location of the exported data. Click Browse to navigate to the desired location.
o Password: Enter the password that was set when the forensic container was created (required if Export to forensic container is selected).

6. Click Export.
7. The export process is displayed in the Tasks pane.
8. To view the results:

• If data was exported to a folder, navigate to the selected folder to view the exported data.
• If data was exported to a forensic container, add that Forensic container as evidence and view the results.
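The two export topics above both describe integrity sidecars: an .md5 file beside each exported file, and a summary.md5 per exported folder listing every file with its hash. The point of those files is that anyone can later re-hash the export and prove it is still the exact copy the tool made. The following is an added example, not Electronic Evidence Examiner code, that produces the same kind of layout for a folder export (recursive or not) and then verifies it. The text format inside the .md5 files is an assumption here (md5sum style, hash followed by two spaces and the file name); the manual does not specify it. The evidence tree is constructed in a temporary directory.

```python
"""Export a folder with per-file .md5 sidecars and a summary.md5, then verify.

Added example, not Electronic Evidence Examiner code. The sidecar text
format and the sample evidence tree are assumptions.
"""
import hashlib
import os
import shutil
import tempfile


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def export_folder(src: str, dst: str, recursive: bool = True) -> dict:
    """Copy src into dst, writing <name>.md5 beside each file and one
    summary.md5 per exported folder. Returns {relative path: md5}."""
    manifest = {}
    os.makedirs(dst, exist_ok=True)
    for root, dirs, files in os.walk(src):
        rel_root = os.path.relpath(root, src)
        out_root = dst if rel_root == "." else os.path.join(dst, rel_root)
        os.makedirs(out_root, exist_ok=True)
        lines = []
        for name in sorted(files):
            out_path = os.path.join(out_root, name)
            shutil.copy2(os.path.join(root, name), out_path)  # keeps timestamps
            digest = md5_of_file(out_path)   # hash what actually landed on disk
            with open(out_path + ".md5", "w") as f:
                f.write(f"{digest}  {name}\n")
            lines.append(f"{digest}  {name}")
            manifest[os.path.normpath(os.path.join(rel_root, name))] = digest
        with open(os.path.join(out_root, "summary.md5"), "w") as f:
            f.write("\n".join(lines) + ("\n" if lines else ""))
        if not recursive:
            dirs[:] = []   # non-recursive export: do not descend into subfolders
    return manifest


def verify_export(dst: str) -> list:
    """Re-hash every file named in each summary.md5 under dst.
    Returns [(path, expected, actual)] for mismatches or missing files."""
    problems = []
    for root, _dirs, files in os.walk(dst):
        if "summary.md5" not in files:
            continue
        with open(os.path.join(root, "summary.md5")) as f:
            for line in f:
                expected, name = line.rstrip("\n").split("  ", 1)
                path = os.path.join(root, name)
                actual = md5_of_file(path) if os.path.exists(path) else None
                if actual != expected:
                    problems.append((path, expected, actual))
    return problems


def demo() -> dict:
    """Constructed evidence tree; export it, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence")
        os.makedirs(os.path.join(src, "sub"))
        with open(os.path.join(src, "a.txt"), "wb") as f:
            f.write(b"hello\n")
        with open(os.path.join(src, "sub", "b.bin"), "wb") as f:
            f.write(bytes(range(256)))
        dst = os.path.join(tmp, "export")
        manifest = export_folder(src, dst)
        clean = verify_export(dst)
        with open(os.path.join(dst, "a.txt"), "ab") as f:
            f.write(b"tampered")              # simulate post-export modification
        tampered = verify_export(dst)
        flat = export_folder(src, os.path.join(tmp, "export_flat"), recursive=False)
        return {"manifest": manifest, "clean": clean, "tampered": tampered,
                "nonrecursive_count": len(flat)}


if __name__ == "__main__":
    result = demo()
    print("mismatches before tampering:", result["clean"])
    print("mismatches after tampering: ", result["tampered"])
```

The hash is taken from the copy on the destination, not from the source, so the sidecar vouches for the bytes that were actually written; a copy error would show up as a mismatch against a source hash, but would not produce a sidecar that quietly matches a corrupted file.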

How to Export All Graphic Files in File System Evidence

Electronic Evidence Examiner allows you to find and export all graphic files stored in file system evidence. Graphic files may include JPEG, PNG, TIFF, and other graphic file formats (to view all formats that can be detected by Electronic Evidence Examiner, please see the Detected filetypes topic in the Electronic Evidence Examiner help file). Files will be exported to the computer with Electronic Evidence Examiner installed.

To export all graphic files, do the following:

1. Add file system evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to Investigate… topic).
2. The structure of the added evidence is displayed in the Case Content pane (to the left); the contents of the selected folder/node are displayed in the Data View pane (to the right).
3. Sort the selected evidence or part of it (for more information, please see the How to perform sorting in the added evidence topic).
4. In the Sorted Files pane, select the Graphics category.
5. The contents of the selected category are displayed in the Data View pane (to the right).
6. Do one of the following:

• In the Sorted Files pane, right-click the Graphics category and select Export.
• In the Data View pane, select the graphic files you want to export. You can use the Ctrl and Shift buttons for multi-selection.

7. In the opened Browse For Folder window, define the destination folder for the exported data. Click OK.
8. The export process is displayed in the Tasks pane. Once the process is completed, navigate to the destination folder to view the exported data.

How to Investigate Registry Data

The investigation of registry data evidence is possible with the following packages:

• E3: Universal
• E3: P2C

How to Investigate Registry Data

Electronic Evidence Examiner allows you to investigate the contents of binary hive format files where the contents of the Windows registry are stored.


To investigate the Registry data, do the following:

1. Have the Add New Evidence window open (by adding new evidence to a new or existing case).
2. In the Category list, select Registry. In the Source Type list, select Registry File. Click OK.
3. In the standard Open window, navigate to the desired registry file. Click OK.
4. Enter the Evidence name (opened registry file name by default) and click OK.
5. The registry data is added to the case.
6. Registry keys and subkeys are displayed in the Case Content pane (to the left); key values and the subkeys of the selected key are displayed in the Data View pane (to the right).
7. Select the key in the Case Content pane to view the DACL (Discretionary Access Control List) and SACL (System Access Control List). Both DACL and SACL are displayed in the Security Key Data pane (to the right). The DACL specifies the access particular users or groups can have to the key. The SACL controls the generation of audit messages for attempts to access a key.
8. To view the DACL, click the Registry/DACL tab at the bottom of the Security Key Data pane. To view the SACL, click the Registry/SACL tab at the bottom of the Security Key Data pane.
9. Select the key value in the Data View pane to view it in the Registry Value pane (at the bottom).
10. To copy data from the Registry Value pane, select it, right-click and select Copy.
11. To select all data from the Registry Value pane, right-click and select Select All.

How to Search in Registry Data

Electronic Evidence Examiner allows you to perform searches in Registry data added as evidence to the case.

To search for text data, it is recommended that you use a keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the Registry node, key, or subkey where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Enter the Search Parameters (for more information, please see the help file). The following groups of parameters are available:

• Common parameters: These parameters include general information about what is to be searched.
• Registry Data parameters: These parameters define where data is to be searched.

6. Click Start.
7. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. The search results are displayed at the bottom part of the Search pane.
9. Double-click the search result to open it in the Data View pane.

How to Investigate OLE Storage

The investigation of OLE storage evidence is possible with the following packages:

• E3: Universal
• E3: P2C


How to View OLE Storage

Electronic Evidence Examiner allows you to view OLE storage data.

To view OLE storage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Other. In the Source Type list, select OLE Storage. Click OK.
3. In the standard Open window, navigate to the desired file. Click Open.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The OLE storage is added to the case. The OLE Storage structure is displayed in the Case Content pane. After you click each node, its contents will be displayed in a grid in the Data View pane. The contents of some rows can be seen in the Text, Hex, and File viewers.


How to Search in OLE Storage

Electronic Evidence Examiner allows you to perform searches in OLE storage added as evidence to the case.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the OLE storage node where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Enter the Search Parameters (for more information, please see the help file). Click Start.
6. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
7. The search results are displayed at the bottom part of the Search pane.
8. Double-click the search result to open it in the Data View pane, Hex, or Text viewer (make sure that the viewers are enabled).
9. To enable the Hex and Text viewers, click the corresponding item on the View tab.


How to Investigate Archive Data

The investigation of archive data evidence is possible with the following packages:

• E3: Universal
• E3: P2C

How to View Archives Locked by Password

Electronic Evidence Examiner allows you to add and view archives locked by a password.

To investigate archive data, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Other. In the Source Type list, select Archive. Click OK.
3. In the standard Open window, navigate to the desired archive file. Click Open.
4. Enter the Evidence name (opened archive name by default) and click OK.
5. The archive data is added to the case.
6. Click the archive node. You are asked to enter the password. In the Please enter a password window, enter the correct password and click OK.
7. If the password is correct, the archive is decrypted. Click the folder in the Case Content pane (to the left). Its contents are displayed in the Data View pane (to the right).
8. Select the file in the Data View pane. Its contents are displayed in the Hex, Text, or File viewer (make sure that the viewers are enabled).
9. To enable the Hex, Text, and File viewers, click the corresponding item on the View tab.
10. If the password is not correct or you click Cancel in the Please enter a password window, you will be able to view only the structure of the archive but not its contents. Files stored in the archive will be of an unknown format.

How to View Archive Contents

Electronic Evidence Examiner allows you to view the contents of archive data added to the case.

To view the archive contents, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Other. In the Source Type list, select Archive. Click OK.
3. In the standard Open window, navigate to the desired archive file. Click Open.
4. Enter the Evidence name (opened archive name by default) and click OK.
5. The archive data is added to the case.
6. The archive structure is displayed in the Case Content pane (to the left); its contents are displayed in the Data View pane (to the right).
7. Select the file in the Data View pane. Its contents are displayed in the Hex, Text, or File viewer (make sure that the viewers are enabled).
8. To enable the Hex, Text, and File viewers, click the corresponding item on the View tab.

How to Export Archive Data

Electronic Evidence Examiner allows you to export archive data from the case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed.

To export archive data, do the following:

1. Add the archive evidence to a new or existing case (for more information, please see the corresponding How to view... topic).
2. The archive structure is displayed in the Case Content pane (to the left); files stored in archive folders are displayed in the Data View pane (to the right).
3. In the Data View pane, select the file (or several files) you want to export. Use the Ctrl and Shift keys to select more than one file.
4. On the Export tab, in the Common Export group, click Export, or right-click the file (files) and select Export.
5. In the Exporting Options window, set the options you need:

• Export to folder: Click this option if you want to export the file(s) to a folder on the computer.
• Export to forensic container: Click this option if you want to export the file(s) to an encrypted forensic container (for more information on forensic containers, please see the help file).
• Destination Path: Define the location of the exported data. Click Browse to navigate to the desired location.
• Password: Enter the password that was set during the forensic container creation (required if Export to forensic container is selected).

6. Click Export. The export process is displayed in the Tasks pane.
7. To view the results:

• If data was exported to a folder, navigate to the selected folder to view the exported file(s).
• If data was exported to a forensic container, add the desired forensic container as evidence (please see the How to view the Forensic Container data topic) and view the results.

How to Search in Archive Data

Electronic Evidence Examiner allows you to perform searches in archive data added to the case. To search for text data, it is recommended that you use a keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the node in the Case Content pane or the file in the Data View pane where you want to search for data. Use the Ctrl and Shift keys to select more than one file in the Data View pane.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Enter the Search Parameters (for more information, please see the help file).
6. Click Start.
7. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. The search results are displayed at the bottom part of the Search pane.
9. Double-click the search result to open it in the Data View pane, Hex, Text, or File viewer. The search result is highlighted.

How to Investigate Dump Files

The investigation of dump file evidence is possible with the following packages:
• E3: Universal
• E3: P2C

How to Investigate Dump Files

Electronic Evidence Examiner allows you to view and analyze RAW memory dump files. These files include information on files and Registry keys being used by a specific process when the dump file was created.

To investigate the dump file evidence, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Other. In the Source Type list, select Dump file. Click OK.
3. In the standard Open window, navigate to the location of the dump file. Click Open.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The dump file evidence is added to the case.

How to Search in Dump File Evidence

Electronic Evidence Examiner allows you to perform searches in dump file data added as evidence to the case.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the node where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Enter the Search Parameters (for more information, please see the help file).
6. Click Start.
7. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. The search results are displayed at the bottom part of the Search pane.

How to Investigate E3 Mobile Data Case

The investigation of E3 mobile data cases is possible with the following packages:
• E3: Universal
• E3: P2C
• E3: DS
• E3: Viewer

How to Investigate E3 Mobile Data Case

Electronic Evidence Examiner allows you to investigate the contents of acquired/imported mobile data and cases created in Paraben’s DS or E3:DS.

To investigate an E3 mobile data case, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Paraben Tools. In the Source Type list, select E3 mobile data case file. Click OK.
3. In the standard Open window, navigate to the desired E3 mobile data case file (*.ds). Click OK.
4. Enter the Evidence name (opened E3 mobile data case file name by default) and click OK.
5. The E3 mobile data case evidence is added to the Electronic Evidence Examiner case.
6. The nodes and folders containing data are displayed in the Case Content pane (to the left). Grids with parsed information and files with unparsed binary data are displayed in the Data View pane (to the right).
7. Select the node/folder in the Case Content pane to view its content.
8. If an E3 mobile data case contains external files, they are stored along with the case and can be opened from it. You can view the files attached to the case in the Attached files node of the E3 mobile data case evidence. The files can be viewed as regular file system evidence.

How to View Parsed Recovered Data

Electronic Evidence Examiner allows you to view parsed recovered data from an E3 mobile data case in detail.

To view parsed recovered data, do the following:

1. Add the E3 mobile data case evidence to a new or existing case (for more information, please see the How to investigate E3 mobile data case topic).
2. The structure of the E3 mobile data case is displayed in the Case Content pane (to the left); parsed data in the grids and binary files are displayed in the Data View pane (to the right).
3. Select the desired record in the grid, and click the Attachment Binary file in the Attachments pane.
4. The opened file can be viewed in the Text and Hex Viewers.

How to Search in E3 Mobile Data Case

Electronic Evidence Examiner allows you to perform searches in the E3 mobile data case added as evidence to Electronic Evidence Examiner case.

To search for text data, it is recommended that you use a keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the node, folder, grid, or file where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Enter the Search Parameters (for more information, please see the help file). The following groups of parameters are available:

• Common parameters: These parameters include general information about what is to be searched.
• Search Area parameters: These parameters define where data is to be searched. Please note that searching by file mask is available for binary files only.
• File System Data parameters. Search Text Scope: These parameters define where data is to be searched. They allow the user to define file attributes and file mask. The date parameters can be defined here as well. Please note that searching by these parameters will be performed in binary files only, so grids with parsed data will not be found.
• File System Data parameters. File Attributes: These parameters define the attributes of files that will be searched if searching in embedded disk image is selected in the Search Area parameters.

6. Click Start.
7. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. The search results are displayed in the bottom part of the Search pane.
9. Double-click the search result to view its properties in the Properties pane. Select Navigate to Path in the right-click menu to view the file containing the search result.

How to Investigate iTunes Backup Data

The investigation of iTunes backup data evidence is possible with the following packages:
• E3: Universal
• E3: P2C

You can also import iTunes backup files to a case with the E3: DS package via the Import wizard.

How to Investigate iTunes Backup Data

Electronic Evidence Examiner allows you to investigate iPhone/iPad/iPod Touch backup data created via iTunes and stored in a folder that contains the following files:

• Info.plist
• Manifest.mbdb
• Manifest.plist
• Status.plist

iTunes backup data default location:

Windows 7/8/10: C:\Users\\AppData\Roaming\Apple Computer\MobileSync\Backup\{UDID} or %APPDATA%\Apple Computer\MobileSync\Backup\{UDID}
OS X: ~/Library/Application Support/MobileSync/Backup/{UDID}

To investigate the iTunes backup evidence, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Other. In the Source Type list, select iTunes Backup. Click OK.
3. Navigate to the Evidence Source (a folder that contains iPhone/iPad/iPod Touch backup files) and select it. Click OK.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The iTunes backup evidence is added to the case.
6. The nodes and folders containing data are displayed in the Case Content pane (to the left). Grids with parsed information and files with unparsed binary data are displayed in the Data View pane (to the right).
7. Select the node/folder in the Case Content pane to view its content.

How to View Parsed Recovered Data

Electronic Evidence Examiner allows you to view parsed recovered data from iPhone/iPad/iPod Touch backup in detail.

To view parsed recovered data, do the following:

1. Add the iPhone/iPad/iPod Touch backup evidence to a new case or an existing one (for more information, please see the How to Investigate iTunes Backup Data topic).
2. Select the desired record in the Data View pane.
3. Click the Attachment file in the Attachments pane for the selected record.
4. The record is displayed in the Text and Hex viewers.

How to View Password-Protected iTunes Backup

Electronic Evidence Examiner allows you to add and view password-protected iTunes backup data.

To investigate password-protected iTunes backup data, do the following:

1. Add the iTunes backup evidence to a new case or an existing one (for more information, please see the How to Investigate iTunes Backup Data topic).
2. Click the iPhone backup node. In the Please enter a password window, enter the correct password and click OK.
3. If the password is correct, the node is decrypted. Click the folder in the Case Content pane (to the left). Its contents are displayed in the Data View pane (to the right).
4. If the password is not correct or you click Cancel in the Please enter a password window, the backup will not be opened.
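Before adding an iTunes backup as evidence, an examiner usually wants to confirm that a candidate folder is complete and whether it will prompt for a password. The script below is an added example written for this part of the manual, not Paraben code: it checks for the four files listed under How to Investigate iTunes Backup Data, reads the device name and iOS version from Info.plist and the IsEncrypted flag from Manifest.plist (Apple's own keys), and can scan the default MobileSync locations given above. The backup folders it writes in make_sample_backup() are constructed samples, not real backups.

```python
"""Locate iTunes backup folders and check they are complete before adding them
as evidence.

Added example, not Paraben code.  Uses the four file names and the default
MobileSync locations from the manual; the Info.plist keys "Device Name" and
"Product Version" and the Manifest.plist key "IsEncrypted" are Apple's.
The backups written by make_sample_backup() are constructed samples.
"""
import os
import plistlib
import tempfile
from typing import Dict, List

REQUIRED_FILES = ["Info.plist", "Manifest.mbdb", "Manifest.plist", "Status.plist"]


def default_backup_roots() -> Dict[str, str]:
    """Default backup roots from the manual, expanded for the current account."""
    return {
        "windows": os.path.expandvars(r"%APPDATA%\Apple Computer\MobileSync\Backup"),
        "macos": os.path.expanduser("~/Library/Application Support/MobileSync/Backup"),
    }


def _read_plist(path: str) -> dict:
    with open(path, "rb") as f:
        return plistlib.load(f)


def validate_backup(folder: str) -> Dict[str, object]:
    """Report whether `folder` looks like an iTunes backup, which required files are
    missing, which device it came from and whether it is password-protected."""
    present = {name: os.path.isfile(os.path.join(folder, name)) for name in REQUIRED_FILES}
    result: Dict[str, object] = {
        "folder": folder,
        "udid": os.path.basename(folder.rstrip("/\\")),  # backup folders are named after the UDID
        "missing": [name for name, ok in present.items() if not ok],
        "device_name": None,
        "product_version": None,
        "encrypted": None,
    }
    result["ok"] = not result["missing"]
    if present["Info.plist"]:
        info = _read_plist(os.path.join(folder, "Info.plist"))
        result["device_name"] = info.get("Device Name")
        result["product_version"] = info.get("Product Version")
    if present["Manifest.plist"]:
        # An encrypted backup needs the backup password before its files can be read.
        manifest = _read_plist(os.path.join(folder, "Manifest.plist"))
        result["encrypted"] = bool(manifest.get("IsEncrypted", False))
    return result


def find_backups(root: str) -> List[Dict[str, object]]:
    """Validate every sub-folder of a MobileSync Backup root."""
    if not os.path.isdir(root):
        return []
    return [validate_backup(os.path.join(root, name))
            for name in sorted(os.listdir(root))
            if os.path.isdir(os.path.join(root, name))]


def make_sample_backup(root: str, udid: str, encrypted: bool, complete: bool = True) -> str:
    """Write a constructed, minimal backup folder (sample data only)."""
    folder = os.path.join(root, udid)
    os.makedirs(folder)
    with open(os.path.join(folder, "Info.plist"), "wb") as f:
        plistlib.dump({"Device Name": "Sample iPhone", "Product Version": "9.3.5",
                       "Unique Identifier": udid}, f)
    with open(os.path.join(folder, "Manifest.plist"), "wb") as f:
        plistlib.dump({"IsEncrypted": encrypted}, f)
    with open(os.path.join(folder, "Status.plist"), "wb") as f:
        plistlib.dump({"SnapshotState": "finished"}, f)
    if complete:
        open(os.path.join(folder, "Manifest.mbdb"), "wb").close()
    return folder


def demo() -> List[Dict[str, object]]:
    """One complete unencrypted backup and one incomplete encrypted one."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_backup(root, "sample-udid-0001", encrypted=False)
        make_sample_backup(root, "sample-udid-0002", encrypted=True, complete=False)
        return find_backups(root)


if __name__ == "__main__":
    for name, root in default_backup_roots().items():
        print(name, root, f"({len(find_backups(root))} backup folder(s) found)")
    for r in demo():
        print(r["udid"], "ok" if r["ok"] else f"missing {r['missing']}",
              "encrypted" if r["encrypted"] else "not encrypted", r["device_name"])
```

A folder reported with a non-empty missing list will not open cleanly as iTunes Backup evidence; one reported as encrypted will raise the Please enter a password prompt described in the steps above.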


How to Search in iTunes Backup

Electronic Evidence Examiner allows you to perform searches in iTunes backup added as evidence to Electronic Evidence Examiner case.

To search for text data, it is recommended that you use a keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to and select the iTunes backup folder where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. On the Search Area tab, click Browse to specify the subfolders of the selected folder where you want to search for data.
6. Enter the Search parameters (for more information, please see the help file). The following groups of parameters are available:

• Common parameters: These parameters include general information about what is to be searched.
• Search Area parameters: These parameters define where data is to be searched. Please note that searching by file mask is available for binary files only.
• File System Data parameters. Search Text Scope: These parameters define where data is to be searched. They allow the user to define file attributes and file mask. The date parameters can be defined here as well. Please note that searching by these parameters will be performed in binary files only, so grids with parsed data will not be found.

7. Click Start or press Enter.
8. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there.
9. The search results are displayed in the bottom part of the Search viewer.
10. After double-clicking the search result, it will be opened in the Data View pane.

How to Export iTunes Backup Data

Electronic Evidence Examiner allows you to export iTunes backup data from the case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed.

To export iTunes backup data, do the following:

1. Add the iTunes backup evidence to a new or existing case (for more information, please see the How to Investigate iTunes Backup Data topic).
2. The iTunes backup structure is displayed in the Case Content pane (to the left); the files are displayed in the Data View pane (to the right).
3. In the Data View pane, select the file (or several files) that you want to export. Use the Ctrl and Shift keys to select more than one file.
4. On the Export tab, in the Common Export group, click Export, or right-click the file (files) and select Export.
5. In the Exporting Options window, set the options you need:

• Export to folder: Click this option if you want to export file(s) to a folder on the computer.

• Export to forensic container: Click this option if you want to export file(s) to an encrypted forensic container (for more information on forensic containers, please see the help file).

• Destination Path: Define the location of the exported data. Click Browse to navigate to the desired location.

• Password: Enter the password that was set during the forensic container creation (required if Export to forensic container is selected).

6. Click Export. The export process is displayed in the Tasks pane.
7. To view the results:

• If data was exported to a folder, navigate to the selected folder to view the exported file(s).
• If data was exported to a forensic container, add the desired forensic container as evidence (please see the How to view the Forensic Container data topic) and view the results.

How to Investigate JTAG Memory Dumps

The investigation of JTAG memory dump evidence is possible with the following packages:
• E3: Universal
• E3: P2C
• E3: DS

How to Investigate JTAG Memory Dumps

Electronic Evidence Examiner allows you to view and analyze raw images of device physical memory created with the help of the RIFF Box (RIFF JTAG) hardware.

To investigate a JTAG memory dump evidence, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Mobile Data. In the Source Type list, select JTAG Memory Dump. Click OK.
3. In the standard Open window, navigate to the location of the JTAG memory dump file. Click Open.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The JTAG memory dump evidence is added to the case.
6. Select the JTAG Memory Dump in the Case Content pane to view its content.

How to Search in JTAG Memory Dump Evidence

Electronic Evidence Examiner allows you to perform searches in JTAG memory dumps added as evidence to a case.

To perform searching, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the Dump file node where you want to search for data.
3. Right-click the node and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).

5. Enter the Search Parameters (for more information, please see the help file).
6. Click Start.
7. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. The search results are displayed at the bottom part of the Search pane.
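The Advanced Search described here, and the same search over Dump file evidence in the How to Search in Dump File Evidence topic, runs over the raw bytes of a memory image. The script below is an added example, not Paraben code; it shows what such a keyword search has to do to be reliable: look for the keyword as both ASCII and UTF-16LE (Windows and most mobile runtimes keep strings in memory as UTF-16LE, so an ASCII-only scan misses them) and read the dump in chunks with an overlap so that a hit straddling a chunk boundary is neither lost nor reported twice. SAMPLE_DUMP is a constructed byte string, not a real dump.

```python
"""Keyword search over a raw memory dump in both ASCII and UTF-16LE.

Added example, not Paraben code: the kind of text search the Advanced Search
runs over Dump file and JTAG Memory Dump evidence.  SAMPLE_DUMP is a
constructed byte string, not a real dump.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

Hit = Dict[str, object]


def keyword_encodings(keyword: str) -> List[Tuple[str, bytes]]:
    """Byte forms a keyword can take in memory.  Windows and many mobile stacks
    keep strings as UTF-16LE, so an ASCII-only scan silently misses them."""
    return [
        ("ascii", keyword.encode("latin-1")),
        ("utf-16le", keyword.encode("utf-16-le")),
    ]


def _scan_buffer(buf: bytes, base: int, keyword: str, min_end: int, context: int) -> List[Hit]:
    """Find every hit in `buf`; `base` is the file offset of buf[0].  Hits ending at
    or before `min_end` lie entirely inside the overlap carried over from the
    previous chunk and were already reported there."""
    hits: List[Hit] = []
    for enc, raw in keyword_encodings(keyword):
        # IGNORECASE on a bytes pattern folds ASCII letters only; the NUL high bytes
        # of the UTF-16LE form are matched literally, which is what we want.
        for m in re.finditer(re.escape(raw), buf, flags=re.IGNORECASE):
            if m.end() <= min_end:
                continue
            lo, hi = max(0, m.start() - context), min(len(buf), m.end() + context)
            hits.append({"offset": base + m.start(), "encoding": enc,
                         "match": m.group(0), "context": buf[lo:hi]})
    return hits


def search_dump_file(path: str, keyword: str, chunk_size: int = 4 * 1024 * 1024,
                     context: int = 16) -> List[Hit]:
    """Scan a dump of any size in fixed-size chunks.  The last `overlap` bytes of
    each chunk are carried into the next so a keyword straddling a boundary is
    neither missed nor reported twice."""
    overlap = max(len(raw) for _, raw in keyword_encodings(keyword)) - 1
    hits: List[Hit] = []
    tail = b""
    base = 0  # file offset of tail[0]
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            hits.extend(_scan_buffer(buf, base, keyword, len(tail), context))
            keep = min(overlap, len(buf))
            base += len(buf) - keep
            tail = buf[len(buf) - keep:]
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample "dump": ASCII text, then the same word stored as UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"ASCII text: INVOICE-2024 attached"
    + b"\x00" * 8
    + "invoice.docx".encode("utf-16-le")
    + b"\xff" * 8
)


def demo(keyword: str = "invoice", chunk_size: int = 7) -> List[Hit]:
    """Write SAMPLE_DUMP to a temp file and search it.  The tiny default chunk size
    forces both hits across chunk boundaries, exercising the overlap logic."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_DUMP)
        return search_dump_file(path, keyword, chunk_size=chunk_size)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for h in demo():
        text = h["match"].decode("utf-16-le" if h["encoding"] == "utf-16le" else "latin-1")
        print(f"offset 0x{h['offset']:08x} {h['encoding']:8s} {text!r}  context={h['context']!r}")
```

Each hit carries the absolute file offset, which is what you would use to navigate to the same bytes in the Hex viewer; the context slice is there only to judge relevance at a glance. The same two-encoding rule is the reason a keyword index should be built over both forms before relying on a keyword search.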


How to Investigate SQLite Databases

The investigation of SQLite database evidence is possible with the following packages:
• E3: Universal
• E3: P2C

How to Investigate SQLite Databases

Electronic Evidence Examiner allows you to view SQLite database data. SQLite database file extensions are .db, .Sqlite, .Sqlite3, .sqlitedb, and .db3. Databases with other extensions or without any extension can be opened in Electronic Evidence Examiner as well.

To investigate SQLite database data, do the following:

1. Have the Add New Evidence window open.
2. Select the Other evidence category and the SQLite Database source type. Click OK.
3. Navigate to the Evidence Source and select it.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The SQLite database evidence is added to the case.
6. The nodes containing data are displayed in the Case Content pane (to the left). Grids with parsed information from the tables are displayed in the Data View pane (to the right).
7. Select the node/table in the Case Content pane to view its content.

How to View Embedded Binary Files

If the SQLite database contains binary files embedded in the database, these files can be viewed. To investigate embedded binary files in detail, do the following:

1. Add the SQLite database evidence to a new case or an existing one (for more information, please see the How to investigate SQLite databases topic).
2. The structure of the SQLite database is displayed in the Case Content pane (to the left). Grids with parsed information from the tables are displayed in the Data View pane (to the right).
3. Select the desired table in the Case Content pane.
4. Select the desired record in the Data View pane.
5. Click the Attachment file in the Attachments pane for the selected record. If the record contains several embedded files, they are all displayed in one list.
6. The file is displayed in the Text, Hex and File viewers.
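As an added example, not Paraben code, the script below does in Python what the two SQLite topics above describe in the user interface: it identifies a SQLite database by its 16-byte header rather than by extension (so a renamed or extension-less database is still recognised), lists the tables, and walks every row to pull out the BLOB cells that hold embedded files, sniffing each file's type from its leading bytes. The database is opened read-only; the one built in demo() is a constructed sample.

```python
"""Open a SQLite file whatever its extension, list its tables and pull out the
BLOB cells that hold embedded files.

Added example, not Paraben code.  The extension list and the "embedded binary
files" idea come from the manual; the magic-byte checks are the standard
SQLite 3, PNG, JPEG and binary-plist headers; the database built by demo() is
a constructed sample.
"""
import os
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path
from typing import Dict, List

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
KNOWN_EXTENSIONS = {".db", ".sqlite", ".sqlite3", ".sqlitedb", ".db3"}


def is_sqlite_file(path: str) -> bool:
    """Trust the header, not the extension: app databases are often renamed or
    carry no extension at all."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def sniff_blob_type(data: bytes) -> str:
    """Cheap file-type detection for an embedded file from its leading bytes."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"bplist00"):
        return "bplist"
    if data.startswith(SQLITE_MAGIC):
        return "sqlite"  # a database stored inside a database: open it as embedded evidence
    return "unknown"


def list_tables(conn: sqlite3.Connection) -> List[str]:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def extract_blobs(path: str) -> List[Dict[str, object]]:
    """Walk every table and report each BLOB cell: table, rowid, column, size, type, data."""
    if not is_sqlite_file(path):
        raise ValueError(f"{path}: header is not 'SQLite format 3', refusing to open")
    uri = Path(path).resolve().as_uri() + "?mode=ro"  # read-only: never alter evidence
    attachments: List[Dict[str, object]] = []
    with closing(sqlite3.connect(uri, uri=True)) as conn:
        for table in list_tables(conn):
            quoted = '"' + table.replace('"', '""') + '"'  # identifiers cannot be bound as parameters
            try:
                cur = conn.execute(f"SELECT rowid AS _rid, * FROM {quoted}")
            except sqlite3.OperationalError:  # WITHOUT ROWID table
                cur = conn.execute(f"SELECT NULL AS _rid, * FROM {quoted}")
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols[1:], row[1:]):
                    if isinstance(val, bytes):
                        attachments.append({"table": table, "rowid": row[0], "column": col,
                                            "size": len(val), "type": sniff_blob_type(val),
                                            "data": val})
    return attachments


def demo() -> Dict[str, object]:
    """Build a constructed chat-style database with an odd extension and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.dat")  # not a listed extension, and that must not matter
        with closing(sqlite3.connect(path)) as conn:
            conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT, attachment BLOB)")
            conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", [
                (1, "see attached", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
                (2, "photo", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
                (3, "no attachment", None),
            ])
            conn.commit()
        with closing(sqlite3.connect(path)) as conn:
            tables = list_tables(conn)
        blobs = extract_blobs(path)
        return {"extension_known": Path(path).suffix.lower() in KNOWN_EXTENSIONS,
                "is_sqlite": is_sqlite_file(path), "tables": tables,
                "blobs": [{k: v for k, v in b.items() if k != "data"} for b in blobs]}


if __name__ == "__main__":
    r = demo()
    print("listed extension:", r["extension_known"], "| SQLite header:", r["is_sqlite"])
    print("tables:", r["tables"])
    for b in r["blobs"]:
        print(f"{b['table']} rowid={b['rowid']} {b['column']}: {b['size']} bytes, {b['type']}")
```

The rowid/column pair is the same identification the Attachments pane gives you for a selected record, and the sniffed type tells you which viewer (File, Hex or Text) will show anything useful; a BLOB that sniffs as "sqlite" is the case where adding it as embedded evidence pays off.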

How to Search in SQLite Databases

Electronic Evidence Examiner allows you to perform searches in SQLite databases added as evidence to Electronic Evidence Examiner case.

To search for text data, it is recommended that you use a keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

1. Add the SQLite database evidence to a new case or an existing one (for more information, please see the How to investigate SQLite databases topic).
2. Select the database, table, or the line in the grid to be searched.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. If you have selected the evidence node, the evidence type node, or the Tables node, click Browse to specify the item(s) for which the search will be performed.
6. Enter the Search parameters (for more information, please see the help file).
7. Click Start or press Enter.
8. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there.
9. The search results are displayed in the bottom part of the Search viewer.
10. After double-clicking the search result, it will be opened in the Data View pane.

How to Investigate Project-a-Phone Data

The investigation of Project-a-Phone Data evidence is possible with the following packages:
• E3: Universal
• E3: DS
• E3: Viewer

How to Investigate Project-a-Phone Data

Electronic Evidence Examiner allows you to work with files created by Paraben's Project-a-Phone, a special tool for taking high-resolution screenshots of mobile devices.

The Project-a-Phone tool automatically stores acquired data in the following folder: C:\Users\\Pictures\LifeCam Files. Before adding Project-a-Phone Data evidence, please make sure the Project-a-Phone files have not been moved away from this folder.

To investigate Project-a-Phone data, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Logical Drive or Folder. In the Source Type list, select Project-a-Phone Data.
3. The path to the Project-a-Phone Data evidence is selected automatically (C:\Users\\Pictures\LifeCam Files).
4. Enter the Evidence name (opened folder name by default) and click OK.
5. The Project-a-Phone Data evidence is added to the case.

How to View Project-a-Phone Data

To view Project-a-Phone data, do the following:

1. Add the Project-a-Phone data evidence to a new or existing case (for more information, please see the How to investigate Project-a-Phone data topic).
2. In the Case Content pane, navigate to the folder whose contents you want to be displayed.
3. The contents of the selected folder are displayed in the Data View pane (to the right). The deleted data is restored automatically and marked with a red "X".
4. Click the file in the Data View pane. Its contents are displayed in the Hex, Text, File, and File Slack (Hex and Text) viewers (make sure that the viewers are enabled).
5. To enable the Hex, Text, and File viewers, click the corresponding item on the View tab.

File Slack Hex and File Slack Text viewers are enabled automatically when you enable the Text and Hex viewers.

6. To view EXIF information, click the EXIF tab in the Properties pane. The EXIF tab is displayed only if the image contains EXIF information.

How to Search in Project-a-Phone Data

1. Add the Project-a-Phone evidence to a new or existing case (for more information, please see the How to investigate Project-a-Phone data topic).
2. Select the evidence node, evidence type node, folder, or file where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Click Browse to specify the subfolders of the selected folder where you want to search for data.
6. Enter the Search parameters (for more information, please see the help file).
7. Click Start or press Enter.
8. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there.
9. The search results are displayed in the bottom part of the Search viewer.
10. After double-clicking the search result, it will be opened in the Data View pane.

How to Investigate Xbox Data

The investigation of Xbox data evidence is possible with the following packages:
• E3: Universal
• E3: P2C

How to Investigate Xbox Data

Electronic Evidence Examiner allows you to work with evidence extracted from Xbox 360 game consoles.

Xbox evidence is mainly stored in FATX file system clusters which contain STFS packages and XDBF databases inside.

• FATX partition image is a logical partition image of Xbox physical drive.

• STFS partition image. STFS (Secure Transacted File System) is a file format used to store packages created and downloaded by the Xbox 360 system. The packages may contain save files, content, games, pictures, etc. STFS packages include both the real files and the metadata like title, licenses and RSA signature which is used to verify the package.

• XDBF (XboxDataBaseFormat) storage is a database format which is used as a container for gamer profile data, such as information about the games played, the user's settings, achievements, and images. XDBF also contains SPA (Statistics, Presence and Achievements) files for each user.

For detailed instructions on how to extract Xbox evidence, please see the help file.

To investigate Xbox data, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select Game Console Data. In the Source Type list, select one of the following source types:

• Drive image
• FATX partition image
• STFS partition image
• XDBF storage

3. Navigate to the Evidence Source and select it.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. The Xbox evidence of the selected type is added to the case.
6. Select the node/table in the Case Content pane to view its content.

How to View Xbox Data

To view Xbox data, do the following:

1. Add the Xbox evidence to a new or existing case (for more information, please see the How to investigate Xbox data topic).
2. In the Case Content pane, navigate to the folder whose contents you want to be displayed.
3. The contents of the selected folder are displayed in the Data View pane (to the right). The deleted data is restored automatically and marked with a red "X".
4. Click the file in the Data View pane. Its contents are displayed in the Hex, Text, File, and File Slack (Hex and Text) viewers (make sure that the viewers are enabled).
5. To enable the Hex, Text, and File viewers, click the corresponding item on the View tab.

File Slack Hex and File Slack Text viewers are enabled automatically when you enable the Text and Hex viewers.

How to Search in Xbox Data

1. Add the Xbox evidence to a new or existing case (for more information, please see the How to investigate Xbox data topic).
2. Select the evidence node, evidence type node, folder, or file where you want to search for data.
3. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).

5. Click Browse to specify the subfolders of the selected folder where you want to search for data.
6. Enter the Search parameters (for more information, please see the help file). The following groups of parameters are available:

• Common parameters: These parameters include general information about what is to be searched.
• Search Area parameters: These parameters define where data is to be searched.
• File System Data parameters. Search Text Scope: These parameters define where data is to be searched. They allow the user to define file attributes and file mask. The date parameters can be defined here as well.

7. Click Start or press Enter.
8. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there.
9. The search results are displayed in the bottom part of the Search viewer.
10. After double-clicking the search result, it will be opened in the Data View pane.

How to Work with Forensic Container Data

The investigation of Forensic Container data evidence is possible with the following packages:
• E3: Universal
• E3: P2C
• E3: Viewer

How to Create New Forensic Container

Forensic Container is a secure encrypted database that contains data acquired by Electronic Evidence Examiner or DP2C. Data in a forensic container is encrypted and cannot be accessed by any other means except Electronic Evidence Examiner or Evidence Reviewer.

Electronic Evidence Examiner allows you to create a new forensic container (*.p2d).

To create a new forensic container:

1. Create a new case (for more information, please see the How to Create New Case topic).
2. On the Tools tab, in the Additional tools group, select Create Forensic Container, or right-click the case node and select Create Forensic Container.
3. The Create Forensic Container window opens.
4. In the Forensic Container type, select Paraben dynamic forensic container (*.p2d).
5. In the Storage location, define where the container will be located and its name. Click Browse to navigate to the desired location.
6. Enter the password in the Password box and confirm it in the Confirm password box. Click OK.
7. The forensic container is created.
8. The forensic container consists of files of two types:

• The main file: This file contains the container hierarchy. The file name is .p2d.
• Data file: This file contains the data acquired by Electronic Evidence Examiner. The newly created container has only one such file. When new data is added to the container, the number of these files grows. Each file name is _part.

You need to make sure that the Forensic Container data files are stored in the same folder as the forensic container main file and that none of them is missing or renamed. If any of the Forensic Container files are missing or renamed, you will not be able to open the Forensic Container evidence in Electronic Evidence Examiner.

How to View Forensic Container Data

Electronic Evidence Examiner allows you to open an existing forensic container file (*.p2d) as evidence and view its contents.

You need to make sure that the Forensic Container data files are stored in the same folder as the forensic container main file and that none of them is missing or renamed. If any of the Forensic Container files are missing or renamed, you will not be able to open the Forensic Container evidence in Electronic Evidence Examiner.

To view a forensic container, do the following:

1. Have the Add New Evidence window open (by adding new evidence to a new or existing case).
2. In the Category list, select Paraben Tools. In the Source Type list, select Forensic container file. Click OK.
3. In the standard Open window, navigate to the desired file. Click Open.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. In the Forensic Container password window, enter the password defined while creating the forensic container, and click OK.
6. The forensic container is added to the case. If there is a symbol next to the file in the Data View pane, it means the file can be parsed. Double-click these files to add them as embedded evidence and view their content (for more information, please see the help file).

How to View Audit Log

Electronic Evidence Examiner allows you to view the Audit Log of a forensic container. The Audit Log contains the information about all events that happened in the forensic container since its creation.

To view Audit Log, do the following:

1. Add the Forensic Container to a new or existing case.
2. In the Case Content pane (to the left), navigate to the Forensic Container Audit Log node. The content of the Audit Log is displayed in the Data View pane (to the right).
3. In the Category drop-down list, select the category of the events that should be displayed in the grid.
4. Select the time interval during which the event happened. Select the corresponding check boxes and enter the start date in the From field and the final date in the To field. If the From check box is not selected, the time interval will begin with the date/time when the forensic container was created. If the To check box is not selected, the time interval will end with the current time.
5. Click Run Query. The result generation process begins and the first page of results is displayed.
6. To generate the next page of results, click Continue Query.
7. Click Stop Query to stop receiving results.
8. When all the result pages are generated or Stop Query is clicked, the result generation process stops.

How to Search in Forensic Container Data

Electronic Evidence Examiner allows you to perform searches in forensic container data added as evidence to the case.


The search is performed in the same way as in file system evidence. If there is data that can be parsed, add it as embedded evidence to enable searching in it (for more information, please see the How to Investigate Embedded Data topic).

To search for text data, it is recommended that you use a keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your evidence should be indexed before you perform a keyword search.

To perform searching, do the following:

1. Add the forensic container to a new or existing case (for more information, please see the How to View Forensic Container Data topic).
2. The forensic container structure is displayed in the Case Content pane (to the left); the data stored in it is displayed in the Data View pane (to the right).
3. Select the node in the File Viewer pane, the folder, or the file where you want to search for data.
4. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
5. The Search pane opens (to the right).
6. Click the Search Area tab in the Search pane.
7. In the Recursive search in group of options, select the types of embedded evidence where the recursive search will be performed. When selecting the E-mail databases, Chat databases, Registry data, and Internet Browser data options, additional tabs open in the Search pane.
8. Define other search parameters if necessary (for more information, please see the help file). After all the parameters are defined, click Start.
9. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
10. The search results are displayed at the bottom part of the Search pane.
11. Double-click the search result to open it in the Data View pane, or in the Hex, Text, or File viewers.


How to Acquire and Investigate Mobile Device Data

Drivers Installation

After installing Electronic Evidence Examiner, you are prompted to download the E3 mobile driver pack, which contains drivers for supported devices (it can be downloaded and installed from https://paraben.com/paraben-downloads/).

To open the web page where you can find the E3 mobile driver pack installation file, on the Completing the Paraben’s Electronic Evidence Examiner installation page, select the Open the Electronic Evidence Examiner Driver Pack page option and click Finish.

The driver pack includes drivers for the following devices:

• Apple iPhone/iPad/iPod Touch
• Acer
• Advent
• Alcatel
• Asus
• Archos
• Barnes & Noble
• BlackBerry
• Dell
• Garmin GPS
• Google
• HTC
• Huawei
• Kindle Fire
• Kyocera
• LG
• Mass Storage
• Motorola
• NEC
• Nokia
• Palm OS
• PocketBook
• Prolific
• Samsung
• Sanyo
• Sciphone
• Sony Ericsson
• Triple-S
• ViewPad
• ZTE

In addition, it contains the following components for working with Windows Mobile and Windows Phone devices:

• ActiveSync application
• Windows Mobile Device Center application

During the installation or uninstallation of the Driver Pack, some antivirus software may alert you to a potential threat, so it is recommended to turn off the antivirus protection during the procedure. The Driver Pack does not harm your computer; this is a known issue that will be fixed in a future release. Where your antivirus allows it, prefer a temporary exclusion for the installer over disabling protection entirely, and don't forget to turn the protection back on after the process is complete.

If you have problems with the acquisition of some Android OS based devices, try installing drivers from the device manufacturer's web site (see the help file for more information).

How to Check That Drivers Are Installed

The following drivers are detected without connecting the corresponding device to the computer:

• Garmin Mass Storage
• SIM card/memory card
• Mass storage/portable device
• TomTom

The following drivers are detected only after you connect the device to the computer via a USB port and the computer installs the driver software:

• Alcatel
• Android OS
• Apple iPhone
• Garmin GPS
• Kyocera
• LG
• Motorola
• Nokia
• Palm OS
• RIM BlackBerry
• Samsung
• Sanyo
• Siemens
• Sony Ericsson
• Symbian
• TomTom GPS
• Web OS
• Windows Mobile
• ZTE

To check that the drivers are installed, do the following:

1. Select Start - Run or press Windows+R.
2. The Run window opens in the bottom left corner.
3. In the Open box, type cmd and click OK.
4. From the command line, type driverquery.
5. The list of all drivers installed on the computer appears. Please note that some drivers appear in the list only after the corresponding device is connected to the computer.

Detected drivers can vary depending on the model of your device. The most common detected drivers are listed below. (In the original guide each entry is illustrated with a screenshot of the driver name as it appears in the driverquery output; the screenshots are not reproduced here.)

• For Alcatel cell phones (driver is displayed after the device is connected to the computer): one driver if COM port is selected in the USB config on the device, a different one if Mass storage is selected.
• For Android OS devices (the Electronic Evidence Examiner Driver Pack must be installed on the computer; drivers are displayed only when the device is connected to the computer).
• For Apple iPhone devices (the Electronic Evidence Examiner Driver Pack must be installed on the computer; driver is displayed after the device is connected to the computer).
• For Garmin GPS devices (driver is displayed after the device is connected to the computer).
• For Garmin mass storage devices.
• For LG cell phones (driver is displayed after the device is connected to the computer).
• For Motorola cell phones (driver is displayed after the device is connected to the computer).
• For Nokia cell phones (driver is displayed after the device is connected to the computer).
• For Palm OS based devices (driver is displayed after the device is connected to the computer).
• For RIM BlackBerry devices (driver is displayed after the device is connected to the computer).
• For Samsung cell phones (driver is displayed after the device is connected to the computer).
• For Sanyo cell phones (driver is displayed after the device is connected to the computer).
• For SIM cards/memory cards/mass storage devices.
• For Sony Ericsson cell phones (driver is displayed after the device is connected to the computer): one of two driver names, depending on the model of your device.
• For TomTom devices: two drivers.
• For WebOS based devices (driver is displayed after the device is connected to the computer).
• For Windows Mobile devices (Windows Mobile Device Center must be installed on the computer for Windows 7; driver is displayed after the device is connected to the computer).

The name of the driver may vary depending on the model of your device.

How to Check That Device Is Detected

Before acquisition, you need to connect the device to the computer where Electronic Evidence Examiner is installed. If the device is not detected (Windows does not recognize it), the acquisition will not be successful. If Windows can’t see the device, Electronic Evidence Examiner can’t either.

You can use either COM or USB data cables. Generally, COM ports do not have any problems with device detection. The only problem that may occur is that your COM cable may be damaged.

Most devices will be displayed on the Home page of the Acquisition Wizard. If automatic detection for your device is not available (like devices with only COM port connection) or your device does not appear on the Home page, check that your device is detected by Windows.

To check that the device is detected via a USB connection, do the following:

1. Turn on the device.
2. Connect the device to the USB port of your computer using the USB cable.
3. In the bottom right corner of the screen, you will see the Found New Hardware message.
4. When the driver installation for the new hardware finishes, you will see the message that your hardware is ready to use.
5. Open Device Manager and check that the device is detected. No question or exclamation marks should be displayed next to the detected device. Usually, you can find the device in the following places:
   • Universal Serial Bus Controllers (iPhone/iPad/iPod Touch devices, Android OS devices, LG CDMA cell phones, Samsung GSM cell phones, Samsung CDMA cell phones, Sanyo cell phones, iPod devices, etc.);
   • Disk Drives (TomTom GPS devices);
   • Modems (Alcatel cell phones, Motorola iDEN cell phones, ZTE cell phones, etc.);
   • Ports (Sony Ericsson cell phones, Siemens cell phones, Nokia GSM cell phones, etc.);
   • A separate device category (Palm OS based devices, Web OS based devices, etc.).
6. The detected device can be displayed in one device category or in several device categories.
7. When the device is detected in Device Manager, it is ready for acquisition.

How to Acquire Different Types of Devices
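Before the per-device procedures that follow, both checks above (the driverquery listing in How to Check That Drivers Are Installed and the Device Manager status in How to Check That Device Is Detected) can be scripted so they are repeatable and can be pasted into acquisition notes. The following PowerShell is an added example written for this page; it is not part of the Paraben guide or of Electronic Evidence Examiner. It assumes Windows 8.1 / Server 2012 R2 or later (Get-PnpDevice ships with the built-in PnpDevice module), and the driver keyword list and device class list are illustrative guesses, not Paraben's driver names.

```powershell
# Added example for this edit; it is not part of the Paraben guide or of E3.
# Assumes Windows 8.1 / Server 2012 R2 or later (Get-PnpDevice ships with the
# PnpDevice module) and an interactive PowerShell session. The keyword and
# class lists below are illustrative guesses, not Paraben's driver names.

# Substrings that commonly appear in the module or display name of the drivers
# listed under "How to Check That Drivers Are Installed" (illustrative).
$script:DriverKeywords = @(
    'aapl', 'apple',          # Apple Mobile Device USB driver
    'android', 'winusb',      # Google/OEM Android USB drivers
    'garmin', 'nokia', 'samsung', 'motorola', 'sony', 'rim', 'blackberry',
    'palm', 'tomtom', 'usbstor', 'wpdusb'   # mass storage / portable devices
)

function Get-MobileDriverList {
    # driverquery /v /fo csv emits one CSV row per installed driver; ConvertFrom-Csv
    # turns the rows into objects. As the guide notes, some drivers are listed only
    # once the device has been connected at least once.
    driverquery.exe /v /fo csv |
        ConvertFrom-Csv |
        Where-Object {
            $name = ("{0} {1}" -f $_.'Module Name', $_.'Display Name').ToLower()
            ($script:DriverKeywords | Where-Object { $name.Contains($_) }).Count -gt 0
        } |
        Select-Object 'Module Name', 'Display Name', 'Driver Type', 'State'
}

function Get-DeviceDetectionReport {
    # Device Manager's "!" or "?" marks correspond to a Status other than 'OK'
    # (Get-PnpDevice also exposes the problem code in .Problem).
    # The classes mirror step 5 above: USB controllers, disk drives, modems, ports,
    # plus portable devices (WPD). Anything present but unhealthy is listed too.
    $classes = @('USB', 'DiskDrive', 'Modem', 'Ports', 'WPD')
    Get-PnpDevice -PresentOnly |
        Where-Object { ($classes -contains $_.Class) -or ($_.Status -ne 'OK') } |
        Select-Object Status, Class, FriendlyName, InstanceId |
        Sort-Object Status, Class, FriendlyName
}

function Test-DeviceReady {
    # $true only when at least one present device whose friendly name or instance
    # ID matches $Pattern has Status 'OK', i.e. it would appear in Device Manager
    # without a warning mark and is ready for the Acquisition Wizard.
    param([Parameter(Mandatory)][string]$Pattern)
    $found = Get-PnpDevice -PresentOnly |
        Where-Object { $_.FriendlyName -match $Pattern -or $_.InstanceId -match $Pattern }
    if (-not $found) {
        Write-Warning "No present device matches '$Pattern'; check the cable and the driver pack."
        return $false
    }
    foreach ($d in ($found | Where-Object { $_.Status -ne 'OK' })) {
        Write-Warning ("{0} [{1}] has status {2}, problem code {3}" -f
            $d.FriendlyName, $d.InstanceId, $d.Status, $d.Problem)
    }
    return [bool]($found | Where-Object { $_.Status -eq 'OK' })
}

# Usage, before opening the Acquisition Wizard:
#   Get-MobileDriverList | Format-Table -AutoSize
#   Get-DeviceDetectionReport | Format-Table -AutoSize
#   Test-DeviceReady -Pattern 'Apple|iPhone'     # or 'Android|ADB', 'Samsung', ...
```

Run the report once with the device unplugged and once with it plugged in: the difference is exactly the set of drivers and device nodes that the guide says appear only after connection, and any entry whose Status is not OK is the one Device Manager would flag with a mark.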

How to Acquire Data from iPhone/iPad/iPod Touch/iPod Devices

How to Acquire Data from iPhone Devices

Electronic Evidence Examiner allows you to acquire data from Apple iPhone devices. The current version of Electronic Evidence Examiner supports acquisition from Apple iPhones with iOS 1.x–12 for logical acquisition and from 3rd and 4th generation of iPhones for physical acquisitions.

We recommend performing the acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

Please note, if you want to acquire iOS keychain data, such as saved web-form passwords, accounts, and pin codes, you need to create an encrypted iOS 7–10.2 backup and import data from it to Electronic Evidence Examiner (see the help file for more information).

To prepare the device for acquisition:

1. Install the Apple iPhone drivers. To do this, download and install the Electronic Evidence Examiner Driver Pack from https://paraben.com/paraben-downloads/. If you have iTunes installed on your computer, you can start acquisition without installing any other drivers.
2. Turn on the iPhone for logical acquisition or, if your device is not jailbroken, put the iPhone into DFU mode for physical acquisition.
3. Connect the device to your computer using the cable. For iOS 7 and higher devices, before the acquisition starts, you need to tap Trust on the device to establish a trusted connection between the device and the computer and enter the passcode upon request. Please note that the passcode request may appear with some delay.
4. Before starting the logical acquisition, the device should be unlocked. To disable the Auto-Lock option on the device:
   1. Go to Settings.
   2. Tap Display & Brightness.
   3. Tap Auto-Lock.
   4. Tap Never. The Auto-Lock option is disabled.
   5. Press Home.

To acquire data from an iPhone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your iPhone device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page. It is recommended to work with only one connected device at a time.
3. On the Acquisition Type page, select the type of acquisition you want to perform. The physical acquisition of iPhone/iPad/iPod Touch devices acquires a bit-by-bit image of the device, which equals the size of the total device memory.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why. The new Mobile Data Acquisition task is running; you can view its progress in the Tasks pane.
6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from an iPhone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:
   • iPhone/iPad/iPod Touch Advanced (logical): Select this plug-in to acquire the backup data from the iPhone device (including jailbroken devices). The data is acquired in a parsed format (for standard devices: Address book, SMS history, Call logs, Calendar, Installed applications, Notes, iMessages, Maps bookmarks, Maps history, and Maps directions; for jailbroken devices: Address book, SMS history, Call logs, Calendar, Installed applications, iMessages, Emails, and Notes) and as file system. Please note that the file system is acquired only partly.
   • iPhone/iPad/iPod Touch (physical): Select this plug-in to acquire all data stored on the iPhone. The acquired data contains parsed data (the same as the results of the iPhone/iPad/iPod Touch Advanced (logical) plug-in), recovered deleted data, file system files (both User and System), and a bit-by-bit image of the device memory. Before starting this type of acquisition, you need to put the iPhone in DFU mode. The iPhone/iPad/iPod Touch (physical) plug-in acquires a bit-by-bit image of the device, which equals the size of the total device memory.
4. On the Connection Selection page, select the connection type. Click Start Acquisition.
5. If you selected the iPhone/iPad/iPod Touch Advanced (logical) plug-in, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why. The new Mobile Data Acquisition task is running; you can view its progress in the Tasks pane.
7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

How to Acquire Data from iPad Devices

Electronic Evidence Examiner allows you to acquire data from Apple iPad devices. The current version of Electronic Evidence Examiner supports acquisitions from Apple iPads with iOS 1.x–10.2 for logical acquisitions and from the iPad of the 1st generation for physical acquisitions.

We recommend performing the acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

Please note, if you want to acquire iOS keychain data, such as saved web-form passwords, accounts, and pin codes, you need to create an encrypted iOS 7–10.2 backup and import data from it to Electronic Evidence Examiner (see the help file for more information).

To prepare the device for acquisition:

1. Install the Apple iPad drivers. To do this, download and install the Electronic Evidence Examiner Driver Pack from https://paraben.com/paraben-downloads/. If you have iTunes installed on your computer, you can start acquisition without installing any other drivers.
2. Turn on the iPad for logical acquisition or, if your device is not jailbroken, put the iPad into DFU mode for physical acquisition.
3. Connect the device to your computer using the cable. For iOS 7 and higher devices, before the acquisition starts, you need to tap Trust on the device to establish a trusted connection between the device and the computer.

To acquire data from an iPad via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your iPad device is displayed as an iPhone device. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page. It is recommended to work with only one connected device at a time.
3. On the Acquisition Type page, select the type of acquisition you want to perform. The physical acquisition of iPhone/iPad/iPod Touch devices acquires a bit-by-bit image of the device, which equals the size of the total device memory.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why. The new Mobile Data Acquisition task is running; you can view its progress in the Tasks pane.
6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from an iPad via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:
   • iPhone/iPad/iPod Touch Advanced (logical): Select this option to acquire the backup data from the iPad device (including jailbroken devices). The data is acquired in a parsed format (for standard devices: Address book, SMS history, Call logs, Calendar, Installed applications, Notes, iMessages, Maps bookmarks, Maps history, and Maps directions; for jailbroken devices: Address book, SMS history, Call logs, Calendar, Installed applications, iMessages, Emails, and Notes) and as file system. Please note that the file system is acquired only partly.
   • iPhone/iPad/iPod Touch (physical): Select this option to acquire all data stored on the iPad. The acquired data contains parsed data (the same as the results of the iPhone/iPad/iPod Touch Advanced (logical) plug-in), recovered deleted data, file system files (both User and System), and a bit-by-bit image of the device memory. Before starting this type of acquisition, you need to put the iPad in DFU mode. The iPhone/iPad/iPod Touch (physical) plug-in acquires a bit-by-bit image of the device, which equals the size of the total device memory.
4. On the Connection Selection page, select the connection type. Click Start Acquisition.
5. If you selected the iPhone/iPad/iPod Touch Advanced (logical) plug-in, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why. The new Mobile Data Acquisition task is running; you can view its progress in the Tasks pane.
7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

How to Acquire Data from iPod Touch Devices

Electronic Evidence Examiner allows you to acquire data from Apple iPod Touch devices. The current version of Electronic Evidence Examiner supports acquisition from Apple iPod Touch with iOS 1.x–10.2 for logical acquisition and from the iPod Touch of the 3rd and 4th generation for physical acquisitions.

We recommend performing the acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

Please note, if you want to acquire iOS keychain data, such as saved web-form passwords, accounts, and pin codes, you need to create an encrypted iOS 7–10.2 backup and import data from it to Electronic Evidence Examiner (see the help file for more information).

To prepare the device for acquisition:

1. Install the Apple iPod Touch drivers. To do this, download and install the Electronic Evidence Examiner Driver Pack from https://paraben.com/paraben-downloads/. If you have iTunes installed on your computer, you can start acquisition without installing any other drivers.
2. Turn on the iPod Touch for logical acquisition or, if your device is not jailbroken, put the iPod Touch into DFU mode for physical acquisition.
3. Connect the device to your computer using the cable. For iOS 7 and higher devices, before the acquisition starts, you need to tap Trust on the device to establish a trusted connection between the device and the computer.

To acquire data from an iPod Touch via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your iPod Touch device is displayed as an iPhone device. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page. It is recommended to work with only one connected device at a time.
3. On the Acquisition Type page, select the type of acquisition you want to perform. The physical acquisition of iPhone/iPad/iPod Touch devices acquires a bit-by-bit image of the device, which equals the size of the total device memory.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why. The new Mobile Data Acquisition task is running; you can view its progress in the Tasks pane.
6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from an iPod Touch via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:
   • iPhone/iPad/iPod Touch Advanced (logical): Select this option to acquire the backup data from the iPod Touch device (including jailbroken devices). The data is acquired in a parsed format (for standard devices: Address book, SMS history, Call logs, Calendar, Installed applications, Notes, iMessages, Maps bookmarks, Maps history, and Maps directions; for jailbroken devices: Address book, SMS history, Call logs, Calendar, Installed applications, iMessages, Emails, and Notes) and as file system. Please note that the file system is acquired only partly.
   • iPhone/iPad/iPod Touch (physical): Select this option to acquire all data stored on the iPod Touch. The acquired data contains parsed data (the same as the results of the iPhone/iPad/iPod Touch Advanced (logical) plug-in), recovered deleted data, file system files (both User and System), and a bit-by-bit image of the device memory. Before starting this type of acquisition, you need to put the iPod Touch in DFU mode. The iPhone/iPad/iPod Touch (physical) plug-in acquires a bit-by-bit image of the device, which equals the size of the total device memory.
4. On the Connection Selection page, select the connection type. Click Start Acquisition.
5. If you selected the iPhone/iPad/iPod Touch Advanced (logical) plug-in, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why. The new Mobile Data Acquisition task is running; you can view its progress in the Tasks pane.
7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

How to Acquire Data from iPod Devices

Electronic Evidence Examiner allows you to acquire data from Apple iPod devices.

To prepare the device for acquisition:

1. Install the Apple iPod drivers. To do this, download and install the Electronic Evidence Examiner Driver Pack from https://paraben.com/paraben-downloads/.
2. Connect the device to your computer using the data cable.
3. Open Device Manager and check that the device is detected.

To acquire data from an iPod via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your iPod device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.
3. On the Acquisition Type page, click Physical Acquisition.
4. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why. The new Mobile Data Acquisition task is running; you can view its progress in the Tasks pane.
5. When data acquisition finishes, click Finish.
6. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
7. Disconnect your device from the computer.

To acquire data from an iPod via manual plug-in selection:

1. Do one of the following:
   • On the Welcome page, click Start Acquisition.
   • Create a new case or open an existing case and, on the Evidence tab, in the Mobile Data group, click Start Acquisition or press F5.
2. The Acquisition Wizard opens.
3. On the Home page, click Manual plug-in selection.
4. On the Plug-in Selection page, select the iPod (physical) plug-in and click Continue.
5. On the Connection Selection page, select the connection type and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why. The new Mobile Data Acquisition task is running; you can view its progress in the Tasks pane.
7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

How to View Installed Application Information and Parsed Application Data

Electronic Evidence Examiner allows you to acquire and view the list of applications and application data from iOS devices.

Electronic Evidence Examiner acquires the list of all applications installed on a device, but not all application data can be parsed. See the help file for the list of parsed applications.

To view installed applications and application data:

1. Acquire an iOS device using a Full Logical Acquisition.
2. In the Folder viewer, navigate to the Installed Applications folder.
3. Do one of the following:
   • Select the Application Permissions grid to view the list of permissions the applications have, their installation source, and the associated application suspicion level.
   • Select the Installed Application List grid to view the list of applications installed on the device and information on them.
   • In the Application Data folder, navigate to the required application sub-folder and select the grid with the parsed application data you want to view.
4. The information is displayed in the Data View pane.

How to Put iPhone/iPad/iPod Touch in DFU Mode

If your device is not jailbroken, you need to put it into DFU mode before performing a physical acquisition from it (using the iPhone/iPad/iPod Touch Physical plug-in). DFU, or Device Firmware Upgrade, mode allows all devices to be restored from any state. Please note that no data is damaged or lost by putting the device in DFU mode.

To put the device in DFU mode:

1. Plug your device into your computer.
2. Turn off the device.
3. Hold the Power button for 3 seconds.
4. Hold the Home button, without releasing the Power button, for 10 seconds.
5. Release the Power button but keep holding the Home button.
6. Keep holding the Home button until the device screen becomes completely blank (about 15 seconds). Please note that if the device in DFU mode is connected to the PC for the first time, the driver installation starts automatically.
7. Make sure the device screen is blank and no logos are present.
8. When the acquisition finishes, exit DFU mode on your device. To do this, hold the Home and Power buttons until the Apple logo appears.

How to Acquire Data from Android OS Devices

Electronic Evidence Examiner allows you to acquire Android OS phones (devices running Google's Android OS). Logical acquisition should work with any device model with a data connection running Android OS 9 and lower. Physical acquisition should work with any device model with a data connection running Android OS 4.4.4 and lower.

We recommend performing acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

As Google stopped supporting devices with Android OS 2.1 and lower, Electronic Evidence Examiner might no longer support such devices either.

To prepare an Android OS device for acquisition:

1. Turn on the device.
2. In the device menu, do one of the following:
   • For Android OS lower than 4.0: select Settings > Application Settings and select the Unknown sources option.
   • For Android OS 4.0 and higher: select Settings > Security and select the Unknown sources option.
3. Enable the USB debugging mode:
   • On Android OS up to version 3.0, in the device menu, select Settings > Applications > Development and select the USB debugging option.
   • On Android OS 4.0 or 4.1, in the device menu, select Settings > Developer options and select USB debugging.
   • On Android OS 4.2 and higher, in the device menu, select Settings > About device/tablet and tap Build number 7 times, then go back to Settings, select Developer options, and select USB debugging.
4. Connect the device to your computer using a data cable. Make sure that the required drivers are installed (they are included in the Electronic Evidence Examiner Driver Pack).
5. If you use a USB connection, open Device Manager and make sure that the device is detected.
6. Enable MTP (file transfer mode) on the device:
   • On Android OS 4.x, in the device menu, select Settings > Storage, tap More options/Menu, then tap USB computer connection and select the Media device (MTP) option.
   • On Android OS 5.0 and higher, in the device menu, select Settings > System > Developer options > Select USB configuration and select the MTP (Media Transfer Protocol) option.
   • For some devices, the USB computer connection option is not available, or the connection method does not change to MTP even after changing the settings. In this case, on the device, open the Connected as/Use USB for notification and select the Media device (MTP)/File transfers option.

Steps 2, 3, and 6 change settings on the evidence device (they allow sideloading, debugging, and file transfer over USB); record them in your acquisition notes.
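The preparation steps above can be verified from the examiner workstation before the Acquisition Wizard is opened. The following PowerShell is an added example written for this page; it is not part of the Paraben guide or of Electronic Evidence Examiner. It assumes adb.exe from the Android SDK platform-tools is on PATH (the guide does not mention adb; it is used here only as an independent check that USB debugging is on, that this host was authorized, and that MTP is selected), and the sys.usb.config property name is an assumption about common Android builds, not something the guide states. The version limits it applies are the ones the guide gives: logical acquisition up to Android 9, physical up to 4.4.4, and 2.1 and lower possibly unsupported.

```powershell
# Added example for this edit; it is not part of the Paraben guide or of E3.
# Assumes adb.exe from the Android SDK platform-tools is on PATH. The guide does
# not use adb; this script only verifies the state the guide asks for (USB
# debugging on, host authorized, MTP selected) and the Android version limits it
# states, before you start the Acquisition Wizard.

function Test-AndroidVersionSupport {
    # Applies the limits stated in the guide: logical acquisition for Android 9
    # and lower, physical acquisition for 4.4.4 and lower, and a flag for 2.1 and
    # lower, which the guide says may no longer be supported at all.
    param([Parameter(Mandatory)][string]$Release)   # e.g. '9', '8.1.0', '4.4.4'
    $clean = ($Release -replace '[^0-9.]', '').Trim('.')
    # [version] needs at least major.minor, so '9' becomes '9.0'.
    $v = if ($clean -match '\.') { [version]$clean } else { [version]"$clean.0" }
    [pscustomobject]@{
        Release           = $Release
        LogicalSupported  = ($v.Major -le 9)
        PhysicalSupported = ($v -le [version]'4.4.4')
        LegacyUnsupported = ($v -le [version]'2.1')
    }
}

function Get-AdbDeviceState {
    # Parses 'adb devices -l'. State 'device' means USB debugging is on and this
    # host was accepted in the "Allow USB debugging" prompt; 'unauthorized' means
    # the prompt is still pending on the phone; 'offline' usually points at a
    # cable or driver problem (see the Device Manager check earlier).
    & adb devices -l 2>$null |
        Select-Object -Skip 1 |
        Where-Object { $_.Trim() } |
        ForEach-Object {
            $parts = $_.Trim() -split '\s+'
            [pscustomobject]@{
                Serial = $parts[0]
                State  = $parts[1]
                Detail = (($parts | Select-Object -Skip 2) -join ' ')
            }
        }
}

function Get-AndroidPreAcquisitionReport {
    # For every authorized device: Android release, the guide's support verdict,
    # and the current USB function. sys.usb.config (e.g. 'mtp,adb') is an
    # assumption about common builds; it is not from the guide.
    foreach ($dev in Get-AdbDeviceState) {
        if ($dev.State -ne 'device') {
            Write-Warning "$($dev.Serial): state '$($dev.State)'; accept the USB debugging prompt on the device or check drivers."
            continue
        }
        $release = (& adb -s $dev.Serial shell getprop ro.build.version.release | Out-String).Trim()
        $usb     = (& adb -s $dev.Serial shell getprop sys.usb.config | Out-String).Trim()
        $support = Test-AndroidVersionSupport -Release $release
        [pscustomobject]@{
            Serial            = $dev.Serial
            Model             = $dev.Detail
            Android           = $release
            LogicalSupported  = $support.LogicalSupported
            PhysicalSupported = $support.PhysicalSupported
            LegacyUnsupported = $support.LegacyUnsupported
            UsbConfig         = $usb
            MtpEnabled        = (($usb -split ',') -contains 'mtp')
        }
    }
}

# Usage:
#   Get-AndroidPreAcquisitionReport | Format-List
#   Test-AndroidVersionSupport -Release '4.4.2'   # Logical and Physical both $true
#   Test-AndroidVersionSupport -Release '10'      # Logical $false: outside the guide's range
```

If the report shows PhysicalSupported as false, choose a logical acquisition type in the wizard rather than waiting for the physical plug-in to fail; if MtpEnabled is false, revisit step 6 (or the Connected as/Use USB for notification) before continuing.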

To acquire the device via automatic detection:

WARNING! During a data acquisition, your device may reboot a few times and you will need to enter its PIN. Make sure you know the device PIN before performing an acquisition. For devices with Android OS 4.1 and lower, you can remove the password protection during the acquisition.

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Android OS device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page. It is recommended to work with only one connected device at a time.
3. On the Acquisition Type page, select the type of acquisition you want to perform. Physical acquisition can be performed only for devices with Android OS 4.4.4 and lower.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Continue.
5. Before starting the acquisition, on the Pre-acquisition options page, do the following:
   For Full Logical/Custom Logical Acquisition:
   • Select Unlock the file system to unlock the device file system if the device is rootable (for more details, see the help file).
   • Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN). If Unlock the file system is not selected, the Remove password protection option is disabled.
   For Physical Acquisition:
   • Select Unlock the file system to unlock the device file system. If this option is not selected, the data will not be acquired. Unlocking a device file system doesn't damage the device or any data on it.
   • Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN).
   If the screen password still appears after removal, simply draw any pattern to remove a graphical password, or enter and confirm a new PIN or password. Removing the screen lock changes a setting on the evidence device; record that you did so in your acquisition notes.
6. Click Start Acquisition.
7. The data acquisition process starts. Its progress is displayed on the Acquisition Progress page.
8. During acquisition, the following messages may appear on the device:
   • If the Allow USB Debugging message appears on the device, tap OK to continue the acquisition.
   • If the Full Backup message appears on the device, tap Back up my data to continue the acquisition. This message appears if rooting the device failed. In this case, backing up data on the device allows acquiring at least part of the device file system.
   • If the Waiting For Debugger message appears on the device, do not close it; otherwise the acquisition process will fail. We guarantee that this does not affect data integrity on the device.
   • If the Choose Connection Mode message reappears on the device, choose the Media device (MTP)/File transfers mode.
   • The Usage data access permission message appears on devices with Android OS 5.0 and higher during a full logical acquisition, or a custom logical acquisition with the User Activity Timeline feature selected. Tap OK on the message, select Seizure Service in the window that opens, and then turn the permission toggle on.
9. When data acquisition finishes, the case is saved. Click Finish. This process may take some time.
10. Disconnect your device from the computer.

To acquire the device via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the required plug-in and click Continue. Logical acquisition of Android OS devices is performed via the Android logical plug-in and physical acquisition – via Android physical plug-in.

4. On the Pre-acquisition options page, do the following:

For logical acquisition:

• Select Unlock the file system to unlock the device file system if the device is rootable.

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN). If Unlock the file system is not selected, the Remove password protection option is disabled.

For physical acquisition:

• Select Unlock the file system to unlock the device file system. If this option is not selected, the data will not be acquired.

Unlocking a device file system doesn't damage the device or any data on it.

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN).

If the screen password still appears after removal, simply draw any pattern to remove a graphical password or enter and confirm a new PIN or password.

5. Click Continue.

6. The Connection Selection page opens. Select the connection and click Continue.

7. The Feature Selection page opens. Select the features to be acquired, and click Start Acquisition.

The Feature Selection page opens only during manual plug-in selection. Use Custom acquisition to select features during automatic device detection.

8. The data acquisition process starts. Its progress is displayed on the Acquisition Progress page.

9. During acquisition, the following messages may appear on the device:

• If the Allow USB Debugging message appears on the device, tap OK in it to continue acquisition.

• If the Full Backup message appears on the device, tap Back up my data in it to continue acquisition. This message appears if device rooting failed. In this case, backing up data on the device allows acquiring at least some part of the device file system.

• If the Waiting For Debugger message appears on the device, do not close this message, otherwise the acquisition process will fail. We guarantee that this does not affect data integrity on the device.

• If the Choose Connection Mode message reappears on the device, please choose the Media device (MTP)/File transfers mode.

• The Usage data access permission message appears on the devices with Android OS 5.0 and higher during full logical acquisition or custom logical acquisition with the selected User Activity Timeline feature. Tap OK on the message, select the Seizure Service in the opened window and then turn the permission toggle on.

10. When data acquisition finishes, the case is saved. Click Finish.

11. Disconnect your device from the computer.

How to Acquire Data from Advanced Android LG Devices

Electronic Evidence Examiner allows you to acquire a number of LG devices with Android OS 4.4.2–5.0.1.

In the current version of Electronic Evidence Examiner, acquisition of advanced Android LG devices can be performed only via manual plug-in selection.

To prepare an advanced Android LG device for acquisition:

1. Put the device into Firmware Update mode.

2. Make sure that the required drivers are installed (the required drivers are included in the Electronic Evidence Examiner Driver Pack).

3. Open Device Manager and make sure that the device is detected.

To acquire the device via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select Android LG Advanced (physical) plug-in and click Continue.

4. On the Connection Selection page, select the connection type and click Start Acquisition.

5. The acquisition process starts. Its progress is displayed on the Acquisition Progress page.

6. After the acquisition finishes, click Finish.

7. The case is saved and you can disconnect the device from the computer.

How to Acquire Data from Android Spreadtrum Devices

Electronic Evidence Examiner allows you to acquire Android OS phones (devices with Google OS) based on Spreadtrum chipset regardless of the Android OS version running on the device.

Acquisition of Android Spreadtrum devices is possible only via manual plug-in selection.

To prepare environment for device acquisition:

1. Download the Firmware Update Drivers from a trusted Internet source to the computer.

2. Download the firmware PAC file (ROM image) for your Spreadtrum device model from a trusted Internet source to the computer. The PAC file contains the boot image required for physical acquisition of the Spreadtrum device. PAC files are unique for each device model. To find out the device model, in the device settings, go to About phone > Model number.

3. Turn off the device.

4. Press and hold the Volume Up button on it.

5. Connect the device to the computer through USB.

6. A new SCI Usb2Serial port appears in the Device Manager.

7. Install the drivers and disconnect the device from the computer.

8. Connect the device once more. A virtual COM port appears in the Device Manager.

9. Disconnect the device.

It is recommended to remove the device battery for a few seconds every time after disconnecting the device from USB.

To acquire the device via manual plug-in selection:

1. Make sure that the device is turned off and disconnected from the computer.

2. Have the Acquisition wizard open.

3. On the Home page, click Manual plug-in selection.

4. On the Plug-in Selection page, select Android Spreadtrum Expert (physical) plug-in and click Continue.

5. On the Pre-acquisition Options page, click Browse next to the Image file path box and navigate to the previously downloaded PAC file (ROM image).

6. While the device is turned off, press and hold the Volume Up button on it.

7. Connect the device to the computer without releasing the Volume Up button.

8. Click Continue on the Pre-acquisition Options page.

You have only 3–5 seconds to click Continue after connecting the device to the computer; after that, the device returns to standard mode. If the time runs out, disconnect the device, remove the device battery, put it back, and repeat steps 7–9.

9. On the Connection Selection page, select the connection type and click Continue.

10. The data acquisition process starts. Its progress is displayed on the Acquisition Progress page.

11. After the acquisition finishes, click Finish.

12. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

13. Disconnect your device from the computer.

How to Acquire Data from Android MTK Devices

Electronic Evidence Examiner allows you to acquire Android OS devices based on MTK chipset regardless of the Android OS version running on the device.

Acquisition of Android MTK devices is possible only via manual plug-in selection.

To prepare environment for device acquisition:

1. Make sure that the Mobile Driver Pack from https://paraben.com/paraben-downloads/ is installed.

2. Download the DA Files Collection archive from https://paraben.com/paraben-downloads/ to your computer and extract the DA files. The DA file contains the boot image required for physical acquisition of the MTK device.

The DA file will be loaded into the memory of the device. Once the data acquisition is completed, the file will be automatically removed from the device memory.
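Both the Spreadtrum PAC file and the MTK DA file are boot images that get loaded into the device's memory, so an examiner will want to confirm two things before flashing: that the downloaded image is the file the trusted source actually published (its hash matches), and that the download-mode USB interface the preparation steps describe (the SCI Usb2Serial entry and virtual COM port for Spreadtrum, the driver-pack device for MTK) is really enumerated by Windows. The following PowerShell script is an added example for both preparation procedures; it is not part of the Electronic Evidence Examiner manual or the product. The image path, the expected SHA-256 value, the log file location and the device-name filter are all assumptions you must replace with your own values; the expected hash has to come from the source you downloaded the image from.

```powershell
# Added example (not from the Electronic Evidence Examiner manual): pre-flash
# checks for a downloaded boot image (Spreadtrum PAC file or MTK DA file).
# Assumptions: $ImagePath and $ExpectedSha256 are supplied by the examiner; the
# hash must be taken from the trusted download source, not from this script.
param(
    [Parameter(Mandatory)] [string] $ImagePath,       # placeholder, e.g. C:\E3\images\model.pac
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # placeholder, published by the trusted source
    [string] $HashLog = (Join-Path $env:USERPROFILE 'image-hashes.log')  # assumed log location
)

# 1. Integrity: the image is written into device memory, so a tampered or
#    truncated file endangers the device and the evidentiary value of the
#    acquisition. Get-FileHash returns the hex digest in upper case.
$actual = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "Image hash mismatch for $ImagePath`n expected $ExpectedSha256`n actual   $actual"
}
Write-Host "Image hash verified: $actual"

# Keep a timestamped record of what was flashed, for the case notes.
"{0}`t{1}`t{2}" -f (Get-Date -Format o), $actual, $ImagePath |
    Out-File -FilePath $HashLog -Append -Encoding utf8

# 2. Enumeration: confirm the download-mode interface is present. The name
#    filter is an example matching the 'SCI Usb2Serial' entry the manual names
#    for Spreadtrum devices; extend it for your MTK device's driver name.
$pnp = Get-PnpDevice -PresentOnly |
    Where-Object { $_.FriendlyName -match 'Usb2Serial|SCI|MediaTek|MTK|PreLoader' }
$com = Get-CimInstance -ClassName Win32_SerialPort |
    Select-Object Name, DeviceID, Description

if (-not $pnp -and -not $com) {
    Write-Warning 'No download-mode device or COM port is present. Check the driver pack installation and re-enter download mode.'
} else {
    $pnp | Format-Table FriendlyName, Status, InstanceId -AutoSize
    $com | Format-Table -AutoSize
}

# A device that enumerates but is not in the OK state usually has a missing or
# unsigned driver, which is the most common reason the wizard's connection step fails.
$pnp | Where-Object { $_.Status -ne 'OK' } | ForEach-Object {
    Write-Warning ("{0} is in state {1} (problem code {2})" -f $_.FriendlyName, $_.Status, $_.Problem)
}
```

Run it from an elevated PowerShell prompt while the device is held in download mode, before clicking Continue in the wizard. Get-PnpDevice needs Windows 8 / Windows PowerShell 4.0 or later; on older hosts, inspect Device Manager by hand as the manual describes.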

To acquire the device via manual plug-in selection:

1. Make sure that the device is turned off and disconnected from the computer.

2. Have the Acquisition wizard open.

3. On the Home page, click Manual plug-in selection.

4. On the Plug-in Selection page, select Android MTK Expert (physical) plug-in and click Continue.

5. On the Pre-acquisition Options page, click Browse next to the Image file path box and navigate to one of the downloaded DA files.

It is not possible to identify which DA file supports the device. If the acquisition process fails, please try selecting another DA file from the DA Files Collection or try downloading one from the Internet from a trusted source.

6. While the device is turned off, click Continue and connect the device as soon as possible, within 10 seconds at most.

7. On the Connection Selection page, select the connection and click Continue.

If the connection is not established, try connecting the device without the battery or select another DA file.

8. The data acquisition process starts. Its progress is displayed on the Acquisition Progress page.

9. After the acquisition finishes, click Finish.

10. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

11. Disconnect your device from the computer.

How to Acquire Data from Samsung Devices with Android OS 4.4.4–6.0.1

Electronic Evidence Examiner allows you to acquire and view application data from advanced Samsung devices running Android 4.4.4 – 6.0.1. To make acquisition of a Samsung device running Android 4.4.4 – 6.0.1 possible, a custom forensic recovery image has to be flashed on the device.

Acquisition of advanced Android Samsung devices can be performed only via manual plug-in selection.

Samsung Pay or might not work on the device after performing the acquisition with the Android Samsung Bootloader (physical) plug-in.

To prepare the environment for acquisition of Samsung devices running Android OS 4.4.4–6.0.1, do the following:

1. Download the Recovery Collection (E3 Mobile Bootloader Drivers) from https://paraben.com/paraben-downloads/.

2. Install the Recovery Collection on your PC.

To prepare a Samsung device running Android OS 4.4.4–6.0.1 for acquisition:

1. Turn off the device.

2. Press and hold the Volume Down, Home, and Power buttons, all at the same time.

3. Release the buttons only when the “Warning!” message appears.

4. Press the Volume Up button.

5. When your device shows a green Android icon with the “Downloading… Do not turn off target” text under it, connect it to your PC.

The icon of the Download mode may vary depending on the device.

6. Start the acquisition via manual plug-in selection.

To acquire the device via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select Android Samsung Bootloader (physical) and click Continue.

4. On the Model Selection page, select your device model and click Continue.

5. On the Connection Selection page, select the connection type and click Start Acquisition.

6. The Acquisition page opens. Wait while your device is being flashed with the recovery image file.

7. After the recovery image has been written to your device, the Preparing for the acquisition dialog opens. Follow the instructions in the dialog to reboot your device in the Recovery mode.

8. Once you have rebooted your device in the Recovery mode, the acquisition starts automatically. You can see its progress in the Flash Partitions and File System status lines.

9. After the acquisition finishes, click Finish.

10. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

11. Disconnect your device from the computer.

How to Acquire Data from Samsung Devices with Android OS 4.0.3-7.x

Electronic Evidence Examiner allows you to bypass the password protection and perform the logical acquisition of Samsung devices with Android 4.0.3-7.x using Android Samsung MTP Logical plug-in. Only Samsung devices not updated since 10/27/2017 can be acquired by this plug-in.

In the current version of Electronic Evidence Examiner, Android Samsung MTP logical acquisition can be performed only via manual plug-in selection.

To prepare an Android OS device for acquisition:

1. Turn on the device.

2. If the device is unlocked, check that MTP (file transfer mode) is enabled on the device:

• For Android OS 4.x: In the device menu, select Settings > Storage, tap More options/Menu and then tap USB computer connection. Then select the Media device (MTP) option.

• For Android OS 5.0 and higher: In the device menu, select Settings > System > Developer options > Select USB configuration and select the MTP (Media Transfer Protocol) option.

For some devices, the USB computer connection option is not available or the connection method does not change to MTP even after changing settings. In this case, try the following method:

• On the device, open the Connected as/Use USB for notification and select the Media device (MTP)/File transfers option.

3. Connect the device to your computer using a data cable. Make sure that the required drivers are installed (the required drivers are included in the Electronic Evidence Examiner Driver Pack).

To acquire the device via manual plug-in selection:

1. Make sure that the device is turned on and connected to the computer.

2. Have the Acquisition wizard open.

3. On the Home page, click Manual plug-in selection.

4. On the Plug-in Selection page, select Android Samsung MTP (logical) plug-in and click Continue.

5. On the Connection Selection page, select the connection type and click Start Acquisition.

6. The acquisition process starts. Its progress is displayed on the Acquisition Progress page.

7. After the acquisition finishes, click Finish.

8. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

9. Disconnect your device from the computer.

How to Acquire Data from Android Wear Devices

Electronic Evidence Examiner allows you to acquire Android Wear devices. Logical acquisition should work with any device model with a data connection running Android OS up to 9. Physical acquisition should work with any device model with a data connection running Android OS up to 4.4.4.

We recommend performing acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

To prepare an Android Wear device for acquisition:

1. Turn on the device.

2. In the device menu, do one of the following:

• For Android OS lower than 4.0: Select Settings->Application Settings and select the Unknown sources option.

• For Android OS 4.0 and higher: Select Settings->Security and select the Unknown sources option.

3. Enable the USB debugging mode:

• To enable the USB debugging mode on Android OS up to version 3.0, in the device menu, select Settings->Applications->Development and select the USB debugging option.

• To enable the USB debugging mode on Android OS from 4.0 and up to 4.1, in the device menu, select Settings->Developer options and select USB debugging.

• To enable the USB debugging mode on Android OS 4.2 and newer, in the device menu, select Settings->About device/tablet and tap Build number 7 times, then go back to Settings, select Developer options, and then select USB debugging.

4. Connect the device to your computer using a data cable. Make sure that the required drivers are installed (the required drivers are included in the Electronic Evidence Examiner Driver Pack).

5. If you use a USB connection, open Device Manager and make sure that the device is detected.

To acquire the device via automatic detection:

WARNING! During a data acquisition, your device may reboot a few times and you will need to enter its PIN. Make sure you know the device PIN before performing an acquisition. For devices with Android OS 4.1 and lower, you can remove the password protection during the acquisition.

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your Android Wear device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.

Physical acquisition can be performed only for devices with Android OS 4.4.4 and lower.

4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Continue.

5. Before starting the acquisition, on the Pre-acquisition options page, do the following:

For Full Logical/Custom Logical Acquisition:

• Select Unlock the file system to unlock the device file system if the device is rootable.

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN). If Unlock the file system is not selected, the Remove password protection option is disabled.

For Physical Acquisition:

• Select Unlock the file system to unlock the device file system. If this option is not selected, the data will not be acquired.

Unlocking a device file system doesn't damage the device or any data on it.

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN).

If the screen password still appears after removal, simply draw any pattern to remove a graphical password or enter and confirm a new PIN or password.

6. Click Start Acquisition.

7. The data acquisition process starts. Its progress is displayed on the Acquisition Progress page.

8. During acquisition, the following messages may appear on the device:

• If the Allow USB Debugging message appears on the device, tap OK in it to continue acquisition.

• If the Full Backup message appears on the device, tap Back up my data in it to continue acquisition. This message appears if device rooting failed. In this case, backing up data on the device allows acquiring at least some part of the device file system.

• If the Waiting For Debugger message appears on the device, do not close this message, otherwise the acquisition process will fail. We guarantee that this does not affect data integrity on the device.

• If the Choose Connection Mode message reappears on the device, please choose the Media device (MTP)/File transfers mode.

• The Usage data access permission message appears on the devices with Android OS 5.0 and higher during full logical acquisition or custom logical acquisition with the selected User Activity Timeline feature. Tap OK on the message, select the Seizure Service in the opened window and then turn the permission toggle on.

9. When data acquisition finishes, the case is saved. Click Finish.

This process may take some time.

10. Disconnect your device from the computer.

To acquire the device via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the required plug-in and click Continue. Logical acquisition of Android OS devices is performed via the Android logical plug-in and physical acquisition – via Android physical plug-in.

4. On the Pre-acquisition options page, do the following:

For logical acquisition:

• Select Unlock the file system to unlock the device file system if the device is rootable.

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN). If Unlock the file system is not selected, the Remove password protection option is disabled.

For physical acquisition:

• Select Unlock the file system to unlock the device file system. If this option is not selected, the data will not be acquired.

Unlocking a device file system doesn't damage the device or any data on it.

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN).

If the screen password still appears after removal, simply draw any pattern to remove a graphical password or enter and confirm a new PIN or password.

5. Click Continue.

6. The Connection Selection page opens. Select the connection and click Continue.

7. The Feature Selection page opens. Select the features to be acquired, and click Start Acquisition.

The Feature Selection page opens only during manual plug-in selection. Use Custom acquisition to select features during automatic device detection.

8. The data acquisition process starts. Its progress is displayed on the Acquisition Progress page.

9. During acquisition, the following messages may appear on the device:

• If the Allow USB Debugging message appears on the device, tap OK in it to continue acquisition.

• If the Full Backup message appears on the device, tap Back up my data in it to continue acquisition. This message appears if device rooting failed. In this case, backing up data on the device allows acquiring at least some part of the device file system.

• If the Waiting For Debugger message appears on the device, do not close this message, otherwise the acquisition process will fail. We guarantee that this does not affect data integrity on the device.

• If the Choose Connection Mode message reappears on the device, please choose the Media device (MTP)/File transfers mode.

• The Usage data access permission message appears on the devices with Android OS 5.0 and higher during full logical acquisition or custom logical acquisition with the selected User Activity Timeline feature. Tap OK on the message, select the Seizure Service in the opened window and then turn the permission toggle on.

10. When data acquisition finishes, the case is saved. Click Finish.

11. Disconnect your device from the computer.

How to Acquire Data from Kindle Fire Tablets

Electronic Evidence Examiner allows you to acquire Kindle Fire tablets. Logical acquisition should work with any device model with a data connection running Android OS up to 9. Physical acquisition should work with any device model with a data connection running Android OS up to 4.4.4.

We recommend performing acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

To prepare a Kindle Fire device for the acquisition, do the following:

1. On your Kindle Fire device, go to Settings.

2. Do one of the following:

• For the 2nd generation devices: Select the Security category.

• For the 3rd generation devices: Tap Device and select the Developer Options category.

• For the 4th generation devices: Tap Device Options and select the Developer Options category.

For the 1st generation Kindle Fire devices, the required option is enabled by default.

3. Find and turn on the Enable ADB option.

4. Tap Enable in the confirmation message.

5. Connect the device to the computer with the help of a data cable. Make sure that the required drivers are installed (the required drivers are included in the Electronic Evidence Examiner Driver Pack).

To acquire the device via automatic detection:

WARNING! During a data acquisition, your device may reboot a few times and you will need to enter its password. Make sure you know the device password before performing an acquisition. For devices with Android OS 4.1 and lower, you can remove the password protection during the acquisition.

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your Kindle Fire tablet will be displayed as an Android OS device. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.

Physical acquisition can be performed only for devices with Android OS 4.4.4 and lower.

4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Continue.

5. Before starting the acquisition, on the Pre-acquisition options page, do the following:

For Full Logical/Custom Logical Acquisition:

• Select Unlock the file system to unlock the device file system if the device is rootable.

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN). If Unlock the file system is not selected, the Remove password protection option is disabled.

For Physical Acquisition:

• Select Unlock the file system to unlock the device file system. If this option is not selected, the data will not be acquired.

Unlocking a device file system doesn't damage the device or any data on it.

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN).

If the screen password still appears after removal, simply draw any pattern to remove a graphical password or enter and confirm a new PIN or password.

6. Click Start Acquisition.

7. The data acquisition process starts. Its progress is displayed on the Acquisition Progress page.

8. During acquisition, the following messages may appear on the device:

• If the Allow USB Debugging message appears on the device, tap OK in it to continue acquisition.

• If the Full Backup message appears on the device, tap Back up my data in it to continue acquisition. This message appears if device rooting failed. In this case, backing up data on the device allows acquiring at least some part of the device file system.

• If the Waiting For Debugger message appears on the device, do not close this message, otherwise the acquisition process will fail. We guarantee that this does not affect data integrity on the device.

• If the Choose Connection Mode message reappears on the device, please choose the Media device (MTP)/File transfers mode.

• The Usage data access permission message appears on the devices with Android OS 5.0 and higher during full logical acquisition or custom logical acquisition with the selected User Activity Timeline feature. Tap OK on the message, select the Seizure Service in the opened window and then turn the permission toggle on.

9. When data acquisition finishes, the case is saved. Click Finish.

This process may take some time.

10. Disconnect your device from the computer.

To acquire the device via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the required plug-in and click Continue. Logical acquisition of Android OS devices is performed via the Android logical plug-in and physical acquisition – via Android physical plug-in.

4. On the Pre-acquisition options page, do the following:

For logical acquisition:

• Select Unlock the file system to unlock the device file system if the device is rootable (for more details, see the Help file).

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN). If Unlock the file system is not selected, the Remove password protection option is disabled.

For physical acquisition:

• Select Unlock the file system to unlock the device file system. If this option is not selected, the data will not be acquired.

Unlocking a device file system doesn't damage the device or any data on it.

• Select Remove password protection to remove any screen password protection on the device (password, graphical password, and PIN).

If the screen password still appears after removal, simply draw any pattern to remove a graphical password or enter and confirm a new PIN or password.

5. Click Continue.

6. The Connection Selection page opens. Select the connection and click Continue.

7. The Feature Selection page opens. Select the features to be acquired, and click Start Acquisition.

The Feature Selection page opens only during manual plug-in selection. Use Custom acquisition to select features during automatic device detection.

8. The data acquisition process starts. Its progress is displayed on the Acquisition Progress page.

9. During acquisition, the following messages may appear on the device:

• If the Allow USB Debugging message appears on the device, tap OK in it to continue acquisition.

• If the Full Backup message appears on the device, tap Back up my data in it to continue acquisition. This message appears if device rooting failed. In this case, backing up data on the device allows acquiring at least some part of the device file system.

• If the Waiting For Debugger message appears on the device, do not close this message, otherwise the acquisition process will fail. We guarantee that this does not affect data integrity on the device.

• If the Choose Connection Mode message reappears on the device, please choose the Media device (MTP)/File transfers mode.

• The Usage data access permission message appears on the devices with Android OS 5.0 and higher during full logical acquisition or custom logical acquisition with the selected User Activity Timeline feature. Tap OK on the message, select the Seizure Service in the opened window and then turn the permission toggle on.

10. When data acquisition finishes, the case is saved. Click Finish.

11. Disconnect your device from the computer.

How to View Installed Applications Information and Parsed Applications Data

Electronic Evidence Examiner allows you to acquire and view application data from Android OS devices (phones with Google OS).

Electronic Evidence Examiner acquires the list of all applications installed on a device, but not all application data can be parsed.

To view installed applications and application data:

1. Acquire an Android OS device using a Full Logical Acquisition or Custom Logical Acquisition with the Installed Applications feature selected.

2. In the Folder viewer, navigate to the Installed Applications folder.

3. Do one of the following:

• Select the Application Permissions grid to view the list of permissions which applications have and the associated application suspicion level.

• Select the Installed Application List grid to view the list of applications installed on the device and information on them.

• In the Application Data folder, navigate to the required application sub-folder and select the grid with the parsed application data you want to view.

4. The information is displayed in the Data View pane.

How to Put Device in Firmware Update Mode

To put an Android LG smartphone in Firmware Update mode:

1. Turn off the device.

2. Press and hold the Volume Up button.

3. Connect the device to a computer using a USB cable while still holding the button.

4. Keep the Volume Up button pressed until the device enters the Download Mode.

5. Wait until the required drivers are installed.

6. The device is in the Firmware Update mode.

To return the device to a normal mode, simply press and hold the Power button or remove the battery and place it back.

To put an Android LG smartwatch in Firmware Update mode:

1. Turn off the device.

2. Connect the device to a computer.

3. Swipe the device screen from the bottom-left to the top-right corner to put the device into the Download Mode.

4. The device is in the Firmware Update mode.

To return the device to a normal mode, simply disconnect it.

How to Acquire Data from Windows Phone Devices

Electronic Evidence Examiner allows you to acquire data from Windows Phone devices using the Portable Device Logical plug-in.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the device.

2. Connect the device to the computer with an appropriate cable. Please note that the Windows Phone device must appear under the Portable Devices group on your computer to be acquired by the Portable Device Logical plug-in.


To acquire data from a Windows Phone device via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your Windows Phone device will be displayed as Portable Device. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, click Acquire as Portable Device.

4. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why. The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

5. When data acquisition finishes, click Finish.

6. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

7. Disconnect your device from the computer.

To acquire data from a Windows Phone via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the Portable Device (logical) plug-in and click Continue.

4. On the Connection Selection page, select the connection type and click Start Acquisition.


5. The acquisition process starts and its progress is displayed on the Acquisition Progress page. After the acquisition finishes, click Finish.

6. The case is saved and you can disconnect the device from the computer.

How to Acquire Data from RIM Blackberry Devices

Electronic Evidence Examiner allows you to acquire data from RIM Blackberry devices with BlackBerry OS 7.1 and lower. Any RIM Blackberry device model with a data connection should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the device.

2. Connect the device to the computer with an appropriate cradle or cable. Please make sure that the required drivers are installed.

3. If you use a USB connection, open Device Manager and make sure that the device is detected.


To acquire data from a RIM BlackBerry device via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, click the icon of the RIM BlackBerry device you want to acquire.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, click Physical Acquisition.

4. If the device is locked with a password, you will be asked to enter it. Enter the password and click OK.

5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.

7. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

8. Disconnect your device from the computer.

To acquire data from a RIM BlackBerry via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the RIM BlackBerry plug-in and click Continue.

4. On the Connection Selection page, select the connection type and click Start Acquisition.


5. If the device is locked with a password, you will be asked to enter it. Enter the password and click OK.

6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.

8. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

9. Disconnect your device from the computer.

How to Acquire Data from Tizen Devices

Electronic Evidence Examiner allows you to acquire data from Tizen devices. Any phone model with a data connection running Tizen OS 2.2.x–2.4 should work with Electronic Evidence Examiner.

We recommend performing acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

To prepare the device for acquisition:

1. In the device menu, select Settings->Device Info and select the USB debugging option.

2. Connect the device to the computer with the help of a data cable. Make sure that the required drivers are installed (the required drivers are included in the Electronic Evidence Examiner Driver Pack).


To acquire the device via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your Tizen device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.


4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Continue.


5. On the Pre-acquisition Options page, select Unlock device filesystem to unlock the device file system. This action is required to perform the acquisition if your device file system is locked. Click Start Acquisition.

Unlocking a device file system doesn't damage the device or any data on it.

6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.

8. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

9. Disconnect your device from the computer.

To acquire the device via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select Tizen (logical) and click Continue.


4. On the Pre-acquisition Options page, select Unlock device filesystem to unlock the device file system. This action is required to perform the acquisition if your device file system is locked. Click Continue.

Unlocking a device file system doesn't damage the device or any data on it.

5. On the Connection Selection page, select the connection type. Click the Feature Selection link.

6. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.

7. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

8. When data acquisition finishes, click Finish.

9. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

10. Disconnect your device from the computer.

How to Acquire Data from Smartphones

How to Acquire Data from Nokia Symbian OS 9.x Devices

Electronic Evidence Examiner allows you to acquire data from devices that run Nokia Symbian OS 9.x (Nokia E51, Nokia E61i, Nokia E70, Nokia N95, etc.).

We recommend performing logical acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

To prepare the device for acquisition, do the following:

1. Turn on the device.

2. Check whether it is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off in the process of acquisition.

3. Connect the device to your computer with the help of a data cable. Please make sure that the required drivers are installed.

When using a USB connection, in device settings, select the PC Suite connection mode. This option usually appears on the phone once it is connected to the computer.


4. After connecting the device to the computer, define its mode as PC Suite.

5. If you use a USB connection, open Device Manager and make sure that the device is detected.

To acquire data from a Nokia Symbian OS 9.x device via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your Nokia Symbian OS 9.x device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, click Logical Acquisition.

4. The acquisition process starts and its progress is displayed on the Acquisition Progress page. After the acquisition finishes, click Finish.

5. The case is saved and you can disconnect the device from the computer.

To acquire data from a Nokia Symbian OS 9.x via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the Nokia Symbian OS 9.x (logical) plug-in and click Continue.


4. On the Connection Selection page, select the connection type and click Start Acquisition.

5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.

7. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

8. Disconnect your device from the computer.

How to Acquire Data from WebOS Devices

Electronic Evidence Examiner allows you to acquire data from devices that run Web OS, such as Palm Pre, Palm Pixi, etc.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the device.

2. Enter the main menu of the device.


3. Enter the developer mode activation code. To do this, type "upupdowndownleftrightleftrightbastart".

4. If you enter the code correctly, you will see the developer mode application icon.

5. Enter the application and turn on developer mode.


6. After the device reboots, developer mode is on and you are able to acquire the device.

After the Web OS device is updated, the developer mode settings are reset. As a result, the Developer Mode application can sometimes show that developer mode is on while it is actually off.

7. Connect the device to the USB port of your computer using the USB cable. Please make sure that the required drivers are installed.

It is recommended that you use only rear USB ports.

8. In device settings, select the Just Charge option.

9. Open Device Manager and make sure that the device is detected.


To acquire data from a WebOS device via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your WebOS device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, click Logical Acquisition.

4. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

5. When data acquisition finishes, click Finish.

6. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

7. Disconnect your device from the computer.


To acquire data from a WebOS device via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the WebOS Based Devices (logical) plug-in and click Continue.

4. On the Connection Selection page, select the connection type and click Start Acquisition.

5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.

7. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

8. Disconnect your device from the computer.

How to Acquire Data from PDAs

How to Acquire Data from Palm OS Devices

Electronic Evidence Examiner allows you to acquire data from devices that run Palm OS. Any Palm OS based device with a data connection should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the device.

2. Check whether it is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off in the process of acquisition.

3. Connect the device to your computer using the cradle. Please make sure that the required drivers are installed.

4. Open Device Manager and make sure that the device is detected.


To acquire a Palm OS device via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your Palm OS device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

3. On the Acquisition Type page, click Physical Acquisition.

4. On the Pre-acquisition Options page, select if you want to enable pauses between acquisition steps and click the Instructions link.

5. On the Instructions page, read the acquisition instruction and click Start Acquisition.

6. Before the acquisition process starts, you need to perform some more actions.

If you are going to acquire a Memory image, you must put the device into Console mode. Do one of the following and click Continue:

• If the device has a graffiti area, write the following shortcut there: (cursive lower-case l)+dot+dot+2 ("l..2").

• If the device is a Handspring Visor using a serial connection, use the shortcut (cursive lower-case l) "l." and then hold the up button while writing the number "2".

• If the device has no graffiti area (e.g., Treo 650), use the special key combination: Search (Shift)+Sync Mode. Please note that this combination may depend on the model of your device. Consult the instructions of your device to find out how to put it into Console mode.


Devices using a USB connection do not require this additional step.

If you are going to acquire Logical image (databases), you should put the device into Sync mode. To do this, press Sync on the cradle or activate the Sync mode through the screen dialog on the device. Click Continue.

7. If an acquisition from a Palm device is being performed for the first time, the driver installation for it might begin. This may lock the device.

If the device gets locked while acquiring a Logical Image (Databases), press Cancel on it. If you are acquiring a Memory Image and the device gets locked, restart the device (turn it off and then turn on).

8. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

9. When data acquisition finishes, click Finish.

10. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

11. Disconnect your device from the computer.

To acquire a Palm OS device via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the Palm OS Based Devices (physical) plug-in and click Continue.

4. On the Pre-acquisition Options page, select if you want to enable pauses between acquisition steps and click Continue.

5. On the Connection Selection page, select the connection type. Click the Instructions link.

6. On the Instructions page, read the acquisition instruction and click Start Acquisition.

7. Before the acquisition process starts, you need to perform some more actions.

If you are going to acquire a Memory image, you must put the device into Console mode. Do one of the following and click Continue:

• If the device has a graffiti area, write the following shortcut there: (cursive lower-case l)+dot+dot+2 ("l..2").

• If the device is a Handspring Visor using a serial connection, use the shortcut (cursive lower-case l) "l." and then hold the up button while writing the number "2".

• If the device has no graffiti area (e.g., Treo 650), use the special key combination: Search (Shift)+Sync Mode. Please note that this combination may depend on the model of your device. Consult the instructions of your device to find out how to put it into Console mode.

Devices using a USB connection do not require this additional step.

If you are going to acquire Logical image (databases), you should put the device into Sync mode. To do this, press Sync on the cradle or activate the Sync mode through the screen dialog on the device. Click Continue.

8. If an acquisition from a Palm device is being performed for the first time, the driver installation for it might begin. This may lock the device.

If the device gets locked while acquiring a Logical Image (Databases), press Cancel on it. If you are acquiring a Memory Image and the device gets locked, restart the device (turn it off and then turn on).

9. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

10. When data acquisition finishes, click Finish.

11. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

12. Disconnect your device from the computer.

How to Acquire Data from Windows Mobile Devices

Electronic Evidence Examiner allows you to acquire data from devices that run Windows Mobile OS. Any Windows Mobile OS based device with a data connection should work with Electronic Evidence Examiner.

We recommend performing logical acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

To prepare the device for acquisition:

1. Turn on the device.

2. Connect the device to your computer using a data cable. Please make sure that the required drivers are installed.

3. The Windows Mobile Device Center License Terms page opens automatically.

4. Carefully read the license terms. Click Accept. The Windows Mobile Device Center Home page opens.


To acquire data from a Windows Mobile Device via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your Windows Mobile device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.

4. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

5. When data acquisition finishes, click Finish.

6. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

7. Disconnect your device from the computer.


To acquire data from a Windows Mobile device via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:

• Windows Mobile Devices (logical): Select this option to acquire the most important data from Windows Mobile devices. This allows you to acquire File system, Databases, OS Registry, and Logical memory. For some versions of Windows Mobile, more data is acquired in a parsed format (Call History, SIM Data, and Pocket Outlook Items).

• Windows Mobile 5-6 Devices (physical): Select this option if your device runs Windows Mobile 5.x-6.x OS. This allows you to acquire all data from the device. This includes the Internal Stores and Memory Cards FAT file system and deleted data in an unparsed format.

4. On the Connection Selection page, select the connection type and click Start Acquisition.

5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.

7. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

8. Disconnect your device from the computer.

How to Acquire Data from Feature Phones

How to Acquire Data from Alcatel Cell Phones

Electronic Evidence Examiner allows you to acquire data from Alcatel cell phones. Any Alcatel cell phone model with a data connection should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the phone.

2. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off in the process of acquisition.


3. Connect the phone to your computer using the data cable. Please make sure that the required drivers are installed.

4. Do one of the following:

• When using a USB connection, select the COM port option in device settings.

• If you use a USB connection, open Device Manager and make sure that the device is detected.

To acquire data from an Alcatel cell phone via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your Alcatel device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.

4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.

5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.


The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.

7. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

8. Disconnect your device from the computer.

To acquire data from an Alcatel cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the Alcatel (logical) plug-in and click Continue.

4. On the Connection Selection page, select the connection type. Click Continue.

5. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.

6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.

8. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

9. Disconnect your device from the computer.

How to Acquire Data from LG GSM Cell Phones

Electronic Evidence Examiner allows you to acquire data from LG GSM cell phones. Any LG GSM cell phone model with a data connection should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the phone.

2. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off in the process of acquisition.

3. Connect the phone to the computer using the data cable. Please make sure that the required drivers are installed.

LG phones must be put into Sync Data or Modem Mode before the acquisition. If this option is not displayed on the phone upon connection, it can usually be found under the settings menu of the phone. If this option is not displayed on the phone, continue with the acquisition wizard.

4. If you use a USB connection, open Device Manager and make sure that the device is detected.

To acquire data from an LG GSM cell phone via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your LG GSM device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.

4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.

5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.


The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.

7. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

8. Disconnect your device from the computer.

To acquire data from an LG GSM cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the LG GSM (logical) plug-in and click Continue.

4. On the Connection Selection page, select the connection type. Click Continue.

5. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.

6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.

8. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

9. Disconnect your device from the computer.

How to Acquire Data from LG CDMA Cell Phones

Electronic Evidence Examiner allows you to acquire data from LG CDMA cell phones. Any LG CDMA model with a data connection should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the phone.

2. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off in the process of acquisition.

3. Connect the device to your computer using the data cable. Please make sure that the required drivers are installed.


LG phones must be put into Sync Data or Modem Mode before the acquisition. If this option is not displayed on the phone upon connection, it can usually be found under the settings menu of the phone. If this option is not displayed on the phone, continue with the acquisition wizard.

4. If you use a USB connection, open Device Manager and make sure that the device is detected.

To acquire data from an LG CDMA cell phone via automatic detection:

1. Have the Acquisition wizard open.

2. On the Home page, the icon of your LG CDMA device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.


The physical acquisition of an LG CDMA cell phone can only be performed via manual plug-in selection with the CDMA Devices (physical) plug-in.

4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Continue.

5. On the Pre-acquisition Options page, select the Unlock device filesystem check box and click Start Acquisition.

Unlocking the device filesystem does not damage the device or data integrity.

6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.

8. The acquired data is saved to a mobile data case, which is then automatically added to the opened E3 case as evidence.

9. Disconnect your device from the computer.

To acquire data from an LG CDMA cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.

2. On the Home page, click Manual plug-in selection.

3. On the Plug-in Selection page, select the LG CDMA (logical) plug-in and click Continue.

To perform the physical acquisition of an LG CDMA cell phone, use the CDMA Devices (physical) plug-in.

4. On the Pre-acquisition Options page, select the Unlock device filesystem check box and click Continue.

Unlocking the device filesystem does not damage the device or data integrity.

5. On the Connection Selection page, select the connection type. Click Continue.
6. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.


7. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

8. When data acquisition finishes, click Finish.
9. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
10. Disconnect your device from the computer.

How to Acquire Data from Motorola Cell Phones

Electronic Evidence Examiner allows you to acquire data from Motorola cell phones. Any Motorola cell phone model with a data connection should work with Electronic Evidence Examiner.

We recommend performing logical acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

To prepare the device for acquisition:

1. Turn on the phone.

Some devices, e.g. Motorola VU 204, require the phone to be turned off before acquisition.

2. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off during the acquisition.
3. Connect the device to your computer using a data cable. Make sure that the required drivers are installed.

Motorola cell phones must be put into Data mode or USB mode. This option can usually be found in the phone menu under Settings/Connection. If it is not available, continue with the steps of the acquisition wizard.

To acquire data from a Motorola cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Motorola device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.


It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from a Motorola cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:

• Motorola (logical): Select this option to acquire the most important data from the phone in a parsed format (Phonebook, SMS history, Call history, and Datebook) and File dump. Please note that the file dump is not acquired for some old models of Motorola cell phones.

• Motorola (physical): Select this option to acquire data from the cell phone in a parsed format (SMS and quick notes dumps, Calls history, and Security information).

4. On the Connection Selection page, select the connection type. Click the link to the next page.
5. If you selected the Motorola (logical) plug-in, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.


How to Acquire Data from Motorola iDEN Phones

Electronic Evidence Examiner allows you to acquire data from Motorola iDEN phones. Any Motorola iDEN model with a data connection should work with Electronic Evidence Examiner.

We recommend performing logical acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

To prepare the device for acquisition:

1. Insert the SIM card into the phone.

Phones without SIM cards will not be acquired.

2. Turn on the phone.
3. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off during the acquisition.
4. Connect the device to your computer using a data cable. Make sure that the required drivers are installed.

Motorola iDEN phones must be put into Airplane, Flight, or Transmitters Off mode. This disables the phone's radios, so no incoming call, message, or network command can change the phone's contents while it is being acquired. These modes can usually be found in the phone menu under Settings/Advanced/Airplane mode or Settings/Advanced/Transmitters.

5. If you use a USB connection, open Device Manager and make sure that the device is detected.


To acquire data from a Motorola iDEN cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Motorola iDEN device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.


To acquire data from a Motorola iDEN cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:

• Motorola iDEN (logical): Select this option to acquire the most important data from the phone in a parsed format (Phonebook and SMS history) and File system. Please note that the amount of data depends on the model of the phone.

• Motorola iDEN (physical): Select this option to acquire data from the phone memory (RAM, Flex, and User Data space).

4. On the Connection Selection page, select the connection type. Click the link to the next page.
5. If you selected the Motorola iDEN (logical) plug-in, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

How to Acquire Data from Nokia GSM Cell Phones

Electronic Evidence Examiner allows you to acquire data from Nokia GSM cell phones. Most Nokia GSM models with a data connection should work with Electronic Evidence Examiner.

We recommend performing logical acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.

To prepare the device for acquisition:

1. Turn on the device.
2. Check whether it is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off during the acquisition.
3. Connect the device to your computer using a data cable. Make sure that the required drivers are installed.
4. When using a USB connection, in the device settings, select the PC Suite connection mode.


The PC Suite option will either appear on the phone screen automatically on connecting the phone to the computer or it can be found under the Settings menu of the Nokia phone.

5. If you use a USB connection, open Device Manager and make sure that the device is detected.

To acquire data from a Nokia GSM cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Nokia GSM device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.


5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from a Nokia GSM cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:

• Nokia GSM (logical): Select this option to acquire the most important data from the cell phone in a parsed format (Phonebook, SMS, Call logs, Calendar, ToDo List, Profiles, Notes, and GPS Access points), File system, WAP settings, and Start up logos.

• Nokia GSM (physical): Select this option to acquire all data from the cell phone in a parsed format (Phonebook, SMS, Call logs, and Calendar) and data in a not parsed format (PM Memory).

Electronic Evidence Examiner does not support physical acquisition for all models of Nokia cell phones (for the full list of supported models, please contact [email protected]).

4. On the Connection Selection page, select the connection type. Click the link to the next page.
5. If you selected the Nokia GSM (logical) plug-in, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.


How to Acquire Data from Nokia TDMA Phones

Electronic Evidence Examiner allows you to acquire data from Nokia TDMA phones. Most Nokia TDMA models with a data connection should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the device.
2. Check whether it is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off during the acquisition.
3. Connect the device to your computer using a data cable. Make sure that the required drivers are installed.
4. If you use a USB connection, open Device Manager and make sure that the device is detected.


To acquire data from a Nokia TDMA cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Nokia TDMA device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.
3. On the Acquisition Type page, select the type of acquisition you want to perform.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from a Nokia TDMA cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select Nokia TDMA (logical) and click Continue.
4. On the Connection Selection page, select the connection type. Click Continue.
5. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

How to Acquire Data from Samsung GSM Cell Phones

Electronic Evidence Examiner allows you to acquire data from Samsung GSM cell phones. Any Samsung GSM cell phone model with a data connection should work with Electronic Evidence Examiner.

We recommend performing logical acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.


To prepare the device for acquisition:

1. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off during the acquisition.
2. Connect the device to your computer using a data cable. Make sure that the required drivers are installed.
3. Do one of the following:

• If you are going to perform the logical acquisition of the device, turn on the phone and wait until it loads to the desktop or the "Enter your PIN" screen appears. If it is a flip phone, keep it closed.

Samsung cell phones must be put into PC Studio or Modem mode before acquisition. These modes can usually be found under the Settings menu of the Samsung phone. If this option does not appear on the device, continue with the acquisition wizard.

• If you are going to perform the physical acquisition of the device, turn it off before acquisition.

Physical acquisition of Samsung GSM cell phones can only be performed via manual plug-in selection.

4. If you use a USB connection, open Device Manager and make sure that the device is detected.


To acquire data from a Samsung GSM cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Samsung GSM device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from a Samsung GSM cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:

• Samsung GSM (logical): Select this option to acquire the most important data from the phone in a parsed format (Phonebook, Call logs, Calendar, and SMS history) and File system. Note that the file system is not acquired from older Samsung GSM models that do not have one.

• Samsung GSM (physical): Select this option to acquire all data from the cell phone in a not parsed format. Note that Electronic Evidence Examiner does not support physical acquisition for all models of Samsung GSM cell phones (for the full list of supported models, please contact [email protected]).

4. On the Connection Selection page, select the connection type and click the link to the next page.
5. If you selected the Samsung GSM (logical) plug-in, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. If you selected Samsung GSM (physical), on the Model Selection page, select the model of the phone you are going to acquire. Click the Instructions link.


7. For Samsung GSM (physical), on the Instructions page, read the instructions on how to perform the acquisition and click Start Acquisition.
8. For Samsung GSM (physical), press the Power button on the phone briefly (1-2 seconds). The phone should not turn on. If the phone turns on, turn it off and restart the acquisition.
9. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

10. When data acquisition finishes, click Finish.
11. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
12. Disconnect your device from the computer.

How to Acquire Data from Samsung CDMA Cell Phones

Electronic Evidence Examiner allows you to acquire data from Samsung CDMA cell phones. Any Samsung CDMA cell phone model with a data connection should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To acquire data from a Samsung CDMA cell phone, do the following:

1. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off during the acquisition.
2. Connect the device to your computer using a data cable. Make sure that the required drivers are installed.
3. Turn on the phone and wait until it loads to the desktop or the "Enter your PIN" screen appears. If it is a flip phone, keep it closed.

Samsung cell phones must be put into PC Studio or Modem mode before acquisition. These modes can usually be found under the Settings menu of the Samsung phone. If this option is not displayed on the device, continue with the acquisition wizard.

4. If you use a USB connection, open Device Manager and make sure that the device is detected.


To acquire data from a Samsung CDMA cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Samsung CDMA device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.

The physical acquisition of a Samsung CDMA cell phone can only be performed via manual plug-in selection with the CDMA Devices (physical) plug-in.

4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Continue.
5. On the Pre-acquisition Options page, select Unlock device filesystem to unlock the device file system. Click Start Acquisition.


Unlocking a device file system doesn't damage the device or any data on it.

6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

To acquire data from a Samsung CDMA cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the Samsung CDMA (logical) plug-in and click Continue. To perform the physical acquisition of a Samsung CDMA cell phone, use the CDMA Devices (physical) plug-in.

4. On the Pre-acquisition Options page, select Unlock device filesystem to unlock the device file system. Click Continue.

Unlocking a device file system doesn't damage the device or any data on it.

5. On the Connection Selection page, select the connection type. Click Continue.
6. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
7. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

8. When data acquisition finishes, click Finish.
9. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
10. Disconnect your device from the computer.


How to Acquire Data from Sanyo CDMA Cell Phones

Electronic Evidence Examiner allows you to acquire data from Sanyo CDMA cell phones. Any Sanyo CDMA cell phone model with a data connection should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the phone.
2. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off during the acquisition.
3. Connect the phone to the computer using the data cable. Make sure that the required drivers are installed.
4. If you use a USB connection, open Device Manager and make sure that the device is detected.


To acquire data from a Sanyo CDMA cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Sanyo CDMA device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.

The physical acquisition of a Sanyo CDMA cell phone can only be performed via manual plug-in selection with the CDMA Devices (physical) plug-in.

4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Continue.
5. On the Pre-acquisition Options page, select Unlock device filesystem to unlock the device file system. Click Start Acquisition.

Unlocking a device file system doesn't damage the device or any data on it.

6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

To acquire data from a Sanyo CDMA cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the Sanyo CDMA (logical) plug-in and click Continue. To perform the physical acquisition of a Sanyo CDMA cell phone, use the CDMA Devices (physical) plug-in.


4. On the Pre-acquisition Options page, select Unlock device filesystem to unlock the device file system. Click Continue.

Unlocking a device file system doesn't damage the device or any data on it.

5. On the Connection Selection page, select the connection type. Click Continue.
6. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
7. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

8. When data acquisition finishes, click Finish.
9. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
10. Disconnect your device from the computer.

How to Acquire Data from Siemens Cell Phones

Electronic Evidence Examiner allows you to acquire data from Siemens cell phones. Any Siemens cell phone model with a data connection should work with Electronic Evidence Examiner.

We recommend performing logical acquisition of the device via automatic detection, and using manual plug-in selection only for physical acquisition or in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the phone.
2. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition in order to prevent it from turning off during the acquisition.
3. Connect the phone to the computer using the data cable. Make sure that the required drivers are installed.
4. If you use a USB connection, open Device Manager and make sure that the device is detected.


To acquire data from a Siemens cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Siemens device is displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.

To perform the physical acquisition of a Siemens device, use the manual plug-in selection.

4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.


The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from a Siemens cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:

• Siemens (logical): Select this option to acquire the most important data from the phone in parsed format (Phonebook and Phonebook OBEX, SMS, Call logs, and Calendar) and File system.

• Siemens (physical): Select this option to acquire data stored in the memory of the mobile phone in a not parsed format.

4. On the Connection Selection page, select the connection type and click the link to the next page.
5. If you selected the Siemens (logical) plug-in, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. If you selected Siemens (physical), on the Model Selection page, select the model of the phone you are going to acquire. Click the Instructions link.
7. For Siemens (physical), on the Instructions page, read the instructions on how to perform the acquisition and click Start Acquisition.
8. For Siemens (physical), press the Power button on the phone briefly (1-2 seconds). The phone should not turn on. If the phone turns on, turn it off and restart the acquisition.
9. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

10. When data acquisition finishes, click Finish.
11. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
12. Disconnect your device from the computer.

How to Acquire Data from Sony Ericsson Cell Phones

Electronic Evidence Examiner allows you to acquire data from Sony Ericsson cell phones. Any Sony Ericsson cell phone model with a data connection should work with Electronic Evidence Examiner.


We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the phone.
2. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition, to prevent it from turning off during acquisition.
3. Connect the device to your computer using the data cable. Make sure that the required drivers are installed.
4. After connecting it to the PC, set the device connection mode to Phone Mode.
5. If you use a USB connection, open Device Manager and make sure that the device is detected.

To acquire data from a Sony Ericsson cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Sony Ericsson device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.


It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from a Sony Ericsson cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the Sony Ericsson (logical) plug-in and click Continue.
4. On the Connection Selection page, select the connection type. Click Continue.
5. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

How to Acquire Data from ZTE Cell Phones

Electronic Evidence Examiner allows you to acquire data from ZTE GSM cell phones. Any ZTE GSM cell phone model with a data connection should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.


To prepare the device for acquisition:

1. Turn on the phone.
2. Check whether the device is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition, to prevent it from turning off during acquisition.
3. Connect the phone to your computer using the data cable. Make sure that the required drivers are installed.
4. If you use a USB connection, open Device Manager and make sure that the device is detected.

To acquire data from a ZTE GSM cell phone via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your ZTE GSM device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.


4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from a ZTE GSM cell phone via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the ZTE GSM (logical) plug-in and click Continue.
4. On the Connection Selection page, select the connection type. Click Continue.
5. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

How to Acquire Data from GPS devices

How to Acquire Data from Garmin Devices

Electronic Evidence Examiner allows you to acquire data from Garmin Mass Storage devices (Garmin nuvi) and Garmin GPS devices. The following models are supported: eTrex, Geko, GPSMAP, Quest, Rino, and Edge. Most Garmin models with a USB/COM connection and Garmin Interface should work with Electronic Evidence Examiner.

We recommend performing logical acquisition via automatic detection. If your device is not detected, see the troubleshooting instructions.


To prepare the device for acquisition:

1. Turn on the device.
2. Check whether it is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition, to prevent it from turning off during acquisition.
3. Connect the GPS device to your computer with a data cable. Make sure that the required drivers are installed.
4. If you use a USB connection, open Device Manager and check that the device is detected.

If you use a COM (serial) connection, the GPS device itself is not listed in Device Manager; only the serial port it is attached to appears under Ports (COM & LPT).

To acquire data from a Garmin device via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your Garmin device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.


3. On the Acquisition Type page, select the type of acquisition you want to perform.
4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

To acquire data from a Garmin device via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the required plug-in and click Continue. The following options are available:

• Garmin GPS (logical): Select this option to acquire the most important data from the device in parsed format (Device Settings, Waypoints, Tracks, and Routes) and Maps.
• Garmin GPS (physical): Select this option to acquire all data from the device in unparsed format (Internal Memory Dump and Main Firmware).

The Garmin GPS (physical) plug-in is available only for GPS devices with USB connection.

4. On the Connection Selection page, select the connection type. Click the link to the next page.
5. If you selected the Garmin GPS (logical) plug-in, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.


How to Acquire Data from TomTom GPS Devices

Electronic Evidence Examiner allows you to acquire data from TomTom GPS devices. Most TomTom GPS models should work with Electronic Evidence Examiner.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the device.
2. Check whether it is charged. If the battery is less than half full, it is strongly recommended that you charge it before starting the data acquisition, to prevent it from turning off during acquisition.
3. Connect the GPS device to your computer using a data cable. Make sure that the required drivers are installed.
4. If you use a USB connection, open Device Manager and check that the device is detected. If you use a COM (serial) connection, the GPS device itself is not listed in Device Manager; only the serial port it is attached to appears under Ports (COM & LPT).

To acquire data from a TomTom GPS device via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your TomTom GPS device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.


It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.
4. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

5. When data acquisition finishes, click Finish.
6. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
7. Disconnect your device from the computer.

To acquire data from a TomTom GPS device via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the TomTom GPS (logical) plug-in and click Continue.
4. On the Connection Selection page, select the connection type. Click Continue.
5. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

How to Acquire Data from SIM Cards

Electronic Evidence Examiner allows you to acquire data from SIM cards with the help of card readers.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.


To prepare the SIM card for acquisition:

1. Turn off the phone.
2. Take the SIM card out of the phone.
3. Put the SIM card into the card reader. Be careful to insert it properly; follow the instructions for the card reader.
4. Connect the card reader to the computer. Make sure that the required drivers are installed.
5. If you use a USB connection, open Device Manager and make sure that the card reader is detected.

There are known issues with SIM card reader driver compatibility on Windows 8 OS. See the help file for information on how to install compatible drivers.

To acquire data from a SIM card via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your SIM card reader will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, select the type of acquisition you want to perform.


4. If you selected Custom Logical Acquisition, on the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
5. If the card is locked with a PIN code, you will be asked to enter it before the acquisition starts. Enter the PIN code and click OK.

You have only 3 attempts to enter the PIN. After the third wrong entry, the PUK code is requested, and once the correct PUK is entered, the SIM card PIN is reset to 0000. Every wrong PIN or PUK entry decrements a retry counter stored on the card, and the PUK itself allows only a limited number of attempts (10 on GSM SIM cards) before the card is permanently blocked, so obtain the PIN or PUK from the subscriber or the operator rather than guessing, and record each entry in the case notes.

6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

7. When data acquisition finishes, click Finish.
8. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
9. Disconnect your device from the computer.

To acquire data from a SIM card via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the SIM Card Reader (logical) plug-in and click Continue.
4. On the Connection Selection page, select the connection type. Click Continue.
5. On the Feature Selection page, select the features you want to acquire from the device and click Start Acquisition.
6. If the card is locked with a PIN code, you will be asked to enter it before the acquisition starts. Enter the PIN code and click OK.

You have only 3 attempts to enter the PIN. After the third wrong entry, the PUK code is requested, and once the correct PUK is entered, the SIM card PIN is reset to 0000. Every wrong PIN or PUK entry decrements a retry counter stored on the card, and the PUK itself allows only a limited number of attempts (10 on GSM SIM cards) before the card is permanently blocked, so obtain the PIN or PUK from the subscriber or the operator rather than guessing, and record each entry in the case notes.

7. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

8. When data acquisition finishes, click Finish.
9. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
10. Disconnect your device from the computer.


How to Acquire Data from Memory Card/Mass Storage/e-Reader/Portable Devices

How to Acquire Data from Memory Cards

Electronic Evidence Examiner allows you to acquire data from memory cards with the help of card readers. Any memory card with a FAT file system (CompactFlash Card, MicroSD, Secure Digital Card, etc.) should work with Electronic Evidence Examiner.

To prepare the memory card for acquisition:

1. Put the memory card into the card reader. Be careful to insert it properly; follow the instructions for the card reader.
2. Connect the card reader to the computer. Make sure that the required drivers are installed.
3. If you use a USB connection, open Device Manager and make sure that the card reader is detected.

There are known issues with memory card reader driver compatibility on Windows 8 OS. See the help file for information on how to install compatible drivers.


To acquire data from a memory card via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your memory card reader will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.
3. On the Acquisition Type page, click Physical Acquisition.
4. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

5. When data acquisition finishes, click Finish.
6. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
7. Disconnect your device from the computer.

To acquire data from a memory card via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the Memory card (physical) plug-in and click Continue.
4. On the Connection Selection page, select the connection type. Click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

How to Acquire Data from Mass Storages

Electronic Evidence Examiner allows you to acquire data from mass storage devices.

Only mass storage devices with FAT file system can be acquired.
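The FAT-only restriction above, and the same one stated for memory cards, is worth checking before you start an acquisition rather than discovering it from a failed task. The following Python script is an added example and is not part of Electronic Evidence Examiner: it reads the first sector of a raw image (or of a write-blocked device node) and reports the file system from the BIOS Parameter Block. The sample boot sectors are constructed in the code, not captured from real media; only read_boot_sector touches real input.

```python
"""Identify the file system on a memory card or mass-storage image from its
boot sector.  Added example, not part of Electronic Evidence Examiner; the
sample boot sectors are constructed below, not taken from real devices."""
import struct

BOOT_SIGNATURE = b"\x55\xaa"
FAT_TYPES = ("FAT12", "FAT16", "FAT32")


def identify_file_system(boot: bytes) -> str:
    """Return FAT12/FAT16/FAT32/exFAT/NTFS/unknown for a 512-byte boot sector.
    The FAT variant is derived from the data-cluster count (as the Microsoft
    FAT specification prescribes); the 'FAT16'/'FAT32' text label in the
    BPB is informational only and is deliberately ignored."""
    if len(boot) < 512 or boot[510:512] != BOOT_SIGNATURE:
        return "unknown"
    oem = boot[3:11]
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats,
     root_entries, total_sectors_16) = struct.unpack_from("<HBHBHH", boot, 11)
    sectors_per_fat_16 = struct.unpack_from("<H", boot, 22)[0]
    total_sectors_32, sectors_per_fat_32 = struct.unpack_from("<II", boot, 32)
    if bytes_per_sector not in (512, 1024, 2048, 4096) or not sectors_per_cluster or not num_fats:
        return "unknown"
    total_sectors = total_sectors_16 or total_sectors_32    # 16-bit field wins when non-zero
    sectors_per_fat = sectors_per_fat_16 or sectors_per_fat_32
    if not total_sectors or not sectors_per_fat:
        return "unknown"
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    data_sectors = total_sectors - (reserved_sectors + num_fats * sectors_per_fat + root_dir_sectors)
    if data_sectors <= 0:
        return "unknown"
    clusters = data_sectors // sectors_per_cluster
    return "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"


def acquirable_by_fat_plugins(boot: bytes) -> bool:
    """The manual states that the memory-card and mass-storage physical
    plug-ins handle FAT file systems only."""
    return identify_file_system(boot) in FAT_TYPES


def read_boot_sector(path: str) -> bytes:
    """First 512 bytes of a raw (dd) image or a write-blocked device node."""
    with open(path, "rb") as fh:
        return fh.read(512)


def build_boot_sector(*, sectors_per_cluster, reserved_sectors, root_entries,
                      total_sectors, sectors_per_fat, num_fats=2, oem=b"MSWIN4.1"):
    """Constructed BPB for the samples below (synthetic values).  FAT12/16 keep
    the FAT size in the 16-bit field at offset 22; FAT32 zeroes that field
    and uses the 32-bit field at offset 36."""
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x3c\x90"
    boot[3:11] = oem.ljust(8)
    struct.pack_into("<HBHBHH", boot, 11, 512, sectors_per_cluster, reserved_sectors,
                     num_fats, root_entries, total_sectors if total_sectors < 0x10000 else 0)
    boot[21] = 0xF8                       # media descriptor; not used in the decision
    struct.pack_into("<I", boot, 32, total_sectors)
    if root_entries:
        struct.pack_into("<H", boot, 22, sectors_per_fat)
    else:
        struct.pack_into("<I", boot, 36, sectors_per_fat)
    boot[510:512] = BOOT_SIGNATURE
    return bytes(boot)


SAMPLE_BOOT_SECTORS = {
    "floppy_1440k": build_boot_sector(sectors_per_cluster=1, reserved_sectors=1,
                                      root_entries=224, total_sectors=2880, sectors_per_fat=9),
    "sd_card_64MiB": build_boot_sector(sectors_per_cluster=4, reserved_sectors=1,
                                       root_entries=512, total_sectors=131072, sectors_per_fat=128),
    "usb_stick_2GiB": build_boot_sector(sectors_per_cluster=8, reserved_sectors=32,
                                        root_entries=0, total_sectors=4194304, sectors_per_fat=4096),
    "ntfs_volume": build_boot_sector(sectors_per_cluster=8, reserved_sectors=0, root_entries=0,
                                     total_sectors=4194304, sectors_per_fat=0, oem=b"NTFS    "),
    "zeroed_sector": bytes(512),
}


def classify_samples() -> dict:
    return {name: identify_file_system(b) for name, b in SAMPLE_BOOT_SECTORS.items()}


if __name__ == "__main__":
    for name, fs in classify_samples().items():
        print(f"{name:15} {fs:8} FAT plug-ins applicable: {acquirable_by_fat_plugins(SAMPLE_BOOT_SECTORS[name])}")
```

Run it as a script to see the sample classification; for real media, pass the path of a dd image or the physical device to read_boot_sector and hand the result to identify_file_system. The type is decided from the cluster count rather than the text label in the boot sector because that label is optional and frequently wrong. exFAT, which larger SDXC cards ship with, is reported separately because it is a different file system from FAT12/16/32; whether the plug-in accepts it is not stated in this manual, so confirm with the vendor before relying on it.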


To prepare the device for acquisition:

1. Connect the mass storage device to a USB port of your computer. Make sure that the required drivers are installed.
2. Open Device Manager and make sure that the mass storage device is detected.

To acquire data from a mass storage device via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your mass storage device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.
3. On the Acquisition Type page, click Physical Acquisition.
4. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

5. When data acquisition finishes, click Finish.
6. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
7. Disconnect your device from the computer.


To acquire data from a mass storage device via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the Mass storage/e-Reader (physical) plug-in and click Continue.
4. On the Connection Selection page, select the connection type. Click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

How to Acquire Data from e-Readers (including Kindle Devices)

Electronic Evidence Examiner allows you to acquire data from e-Readers, such as Kindle devices.

To prepare the device for acquisition:

1. Connect the e-Reader to a USB port of your computer. Make sure that the required drivers are installed.
2. Open Device Manager and make sure that the device is detected.


To acquire data from an e-Reader via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, depending on the type of connection of the device, the icon of your e-Reader will be displayed as a mass storage device, a memory card, or a portable device. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

To acquire as much data as possible, we recommend acquiring e-Readers as mass storage devices.

3. On the Acquisition Type page, select the type of acquisition to be performed.
4. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

5. When data acquisition finishes, click Finish.
6. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
7. Disconnect your device from the computer.

To acquire data from an e-Reader via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, do one of the following and click Continue:

• Select the Mass Storage/e-Reader (physical) plug-in to acquire a bit-stream image of the device file system.
• Select the Memory Card (physical) plug-in to acquire a bit-stream image of the device memory card.
• Select the Portable Device (logical) plug-in to acquire the media content of the device (images, audio, and video files).

To acquire as much data as possible, we recommend acquiring e-Readers with the Mass Storage/e-Reader (physical) plug-in.

4. On the Connection Selection page, select the connection type. Click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.


The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.

How to Acquire Data from Portable Devices

Electronic Evidence Examiner allows you to acquire data from a wide range of portable devices such as mobile phones, digital cameras, and portable media players.

We recommend performing acquisition of the device via automatic detection, and using manual plug-in selection only in case there are issues with device detection.

To prepare the device for acquisition:

1. Turn on the device.
2. Connect the device to the computer with an appropriate cable. The device must appear under Portable Devices on your computer.


To acquire data from a portable device via automatic detection:

1. Have the Acquisition wizard open.
2. On the Home page, the icon of your portable device will be displayed. Click the icon of the required device. If your device is not displayed, click the troubleshooting link at the bottom of the page.

It is recommended to work with only one connected device at a time.

3. On the Acquisition Type page, click Acquire as Portable Device.
4. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

5. When data acquisition finishes, click Finish.
6. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
7. Disconnect your device from the computer.

To acquire data from a portable device via manual plug-in selection:

1. Have the Acquisition wizard open.
2. On the Home page, click Manual plug-in selection.
3. On the Plug-in Selection page, select the Portable Device (logical) plug-in and click Continue.
4. On the Connection Selection page, select the connection type. Click Start Acquisition.
5. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which have not, and why.

The new Mobile Data Acquisition task is running. You can view its progress in the Tasks pane.

6. When data acquisition finishes, click Finish.
7. The acquired data is saved to a mobile data case, which is then automatically added to the open E3 case as evidence.
8. Disconnect your device from the computer.


How to Use Root Engine

The Root Engine is an advanced utility used to obtain privileged (root) access on modern Android OS devices. Obtaining root executes code on the evidence device, so record the use of the Root Engine, and the parameters chosen, in the examination notes. To root a device using the Root Engine:

1. In the Mobile Data group, on the Evidence tab of the ribbon, click Root Android Device. The Root Engine wizard opens.

2. Connect the device for rooting and click Refresh.

If the relevant registry values are set, the Use permanent authorization keys for selected device check box appears on the wizard page. When it is selected, the ADB authorization key pair is generated only once, saved to the user's profile, and reused for every connection of the device. So, if the check box is selected and Always allow from this computer is ticked on the device, the Allow USB debugging? dialog box will not appear again when the device is connected to this computer. Note that Always allow from this computer stores the workstation's public key on the device (in its adb_keys file); this is a change to the evidence device and should be recorded.

3. Select the device in the list of devices (in case two or more devices are connected) and click Start.


4. The process of establishing connection starts. To establish the connection, tap OK in the Allow USB debugging? message on the device.


5. After the connection is established successfully, the Rooting Parameters page opens automatically.

6. Select whether you want to use the pre-defined parameters or want to set them manually and click Continue.

7. If the Set the rooting parameters manually option is selected, then the Rooting Parameters Selection page opens. Set the parameters to be used for obtaining root access and click Continue.


8. If the Use ROP/JOP technology parameter is auto-detected as recommended or selected manually, the Linux kernel file for ROP/JOP technology page opens. Click Browse and navigate to the Linux kernel file matching the device firmware, and then click Continue.


9. The process of searching for ROP/JOP chains is launched.

10. After ROP/JOP chains are successfully found, the Important Information page opens.


11. Read the information on the page carefully, select the I understand risks and want to continue check box, and click Start Rooting.

12. The process of getting root access starts.

13. After the root access is successfully obtained, click Start Acquisition.


14. Follow the standard process of the device acquisition.

Do not disconnect the device after getting root access. The Root Engine provides only temporary root access: once the device is disconnected, it is restored to its original state.
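The "permanent authorization keys" mentioned at step 2 are the adb host RSA key pair (adbkey and adbkey.pub on the workstation). When Always allow from this computer is accepted, the device appends the public half to its adb_keys file, and the fingerprint the Allow USB debugging? dialog shows is derived from the same bytes. The following Python script is an added example, not part of Electronic Evidence Examiner or its Root Engine: it encodes and decodes a public key in the adb on-wire layout, computes the dialog fingerprint, and checks a device's adb_keys contents for the examiner's key. The modulus is a constructed placeholder, not a real RSA key, and the upper-case rendering of the fingerprint is an assumption about the dialog.

```python
"""adb host authorization key: encoding, fingerprint, and presence check.
Added example, not part of Electronic Evidence Examiner or its Root Engine;
the modulus used below is a constructed placeholder, not a real key."""
import base64
import hashlib
import struct

RSA_WORDS = 64                                       # 2048-bit modulus as 64 LE uint32 words
ADB_KEY_STRUCT_LEN = 4 + 4 + 4 * RSA_WORDS * 2 + 4   # 524 bytes


def encode_adb_public_key(n: int, e: int = 65537) -> bytes:
    """AOSP RSAPublicKey layout used by adb: len, n0inv, n[64], rr[64], exponent.
    n0inv = -n^-1 mod 2^32 and rr = R^2 mod n (R = 2^2048) are the Montgomery
    pre-computations adbd needs to verify the AUTH signature."""
    if n.bit_length() != 2048 or n % 2 == 0:
        raise ValueError("expected an odd 2048-bit modulus")
    r = 1 << (32 * RSA_WORDS)
    n0inv = (-pow(n & 0xFFFFFFFF, -1, 1 << 32)) & 0xFFFFFFFF
    rr = pow(r, 2, n)
    le = lambda v: v.to_bytes(4 * RSA_WORDS, "little")
    return struct.pack("<II", RSA_WORDS, n0inv) + le(n) + le(rr) + struct.pack("<I", e)


def adbkey_pub_line(n: int, e: int = 65537, comment: str = "examiner@e3-workstation") -> str:
    """One line as found in adbkey.pub on the host and in adb_keys on the device."""
    return base64.b64encode(encode_adb_public_key(n, e)).decode() + " " + comment


def parse_adb_keys_line(line: str) -> tuple:
    """Decode one adb_keys line into (modulus, exponent, comment) and check that
    n0inv is consistent with the modulus (a corrupt or hand-edited line fails)."""
    b64, _, comment = line.strip().partition(" ")
    blob = base64.b64decode(b64)
    if len(blob) != ADB_KEY_STRUCT_LEN:
        raise ValueError("bad adb key length %d" % len(blob))
    words, n0inv = struct.unpack_from("<II", blob, 0)
    if words != RSA_WORDS:
        raise ValueError("unsupported key size")
    n = int.from_bytes(blob[8:8 + 4 * RSA_WORDS], "little")
    e = struct.unpack_from("<I", blob, 8 + 8 * RSA_WORDS)[0]
    if (n0inv * (n & 0xFFFFFFFF)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError("n0inv does not match modulus")
    return n, e, comment


def fingerprint(pub_line: str) -> str:
    """Fingerprint as shown in the device's 'Allow USB debugging?' dialog:
    MD5 of the base64-decoded key bytes, colon-separated hex (upper case is
    assumed here to match the dialog)."""
    blob = base64.b64decode(pub_line.split(" ", 1)[0])
    return ":".join("%02X" % b for b in hashlib.md5(blob).digest())


def host_key_present(adb_keys_text: str, host_pub_line: str) -> bool:
    """Check a device's adb_keys contents for the examiner's host key.  Only the
    key bytes are compared; the trailing user@host comment is free text."""
    wanted = host_pub_line.split(" ", 1)[0]
    return any(l.split(" ", 1)[0] == wanted
               for l in adb_keys_text.splitlines() if l.strip())


def constructed_modulus(label: bytes) -> int:
    """Deterministic odd 2048-bit placeholder (NOT a real RSA modulus)."""
    return int.from_bytes(hashlib.shake_256(label).digest(256), "big") | (1 << 2047) | 1


HOST_KEY_LINE = adbkey_pub_line(constructed_modulus(b"examiner workstation"))
# Constructed adb_keys contents: a previously authorised laptop plus our key.
DEVICE_ADB_KEYS = (adbkey_pub_line(constructed_modulus(b"some other host"), comment="owner@laptop")
                   + "\n" + HOST_KEY_LINE + "\n")

if __name__ == "__main__":
    n, e, who = parse_adb_keys_line(HOST_KEY_LINE)
    print("exponent", e, "comment", who)
    print("fingerprint shown on device:", fingerprint(HOST_KEY_LINE))
    print("examiner key left on device:", host_key_present(DEVICE_ADB_KEYS, HOST_KEY_LINE))
```

In practice you would feed host_key_present the adb_keys file pulled from the device during acquisition and the adbkey.pub from the examiner's profile; a match confirms that the examination left the workstation's key on the device, which is the artifact the step 2 note warns about and belongs in the report.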

How to Import Mobile Data

How to Import Data

Electronic Evidence Examiner allows you to import RIM BlackBerry backup files, iPhone 1.x–10.2 backup files, Cellebrite UFED XML reports, tower information, GrayKey cases, and GPS and KML maps. After the import, you can analyze the data in Electronic Evidence Examiner.

To import a file, do the following:

1. Have the Import wizard open.
2. On the Imported data type page, select the type of data to import. Click Next.


3. On the Source page, click Browse.
4. The standard Open window opens. Navigate to the location of the required file and click Open.
5. Click Finish in the Import Wizard.
6. The data import starts, and a new Import stored mobile data task is added to the Tasks pane, where you can view its general progress. The progress is also displayed on the Importing File Process page of the Import wizard.
7. If the import completes successfully, you will see the last page of the wizard. Click Finish to exit the wizard.
8. The data is imported to the case and can be viewed.

How to Import Data from Encrypted iPhone Backups

Electronic Evidence Examiner allows you to import encrypted iPhone backup files from iPhone OS 3.x–10.2.

Some data (such as application data) can only be acquired directly from an iOS device, while other data (such as keychain data) can only be parsed from an iOS backup. See the help file for more information.


To import an encrypted backup, do the following:

1. Have the Import wizard open.
2. On the Imported data type page, select iPhone Backup. Click Next.

3. On the Source page, click Browse.
4. The standard Open window opens. Navigate to the location of the required file and click Open.
5. Click Finish in the Import Wizard.
6. You will be asked for the backup password. Enter the password and click Next.
7. The data import starts, and a new Import stored mobile data task is added to the Tasks pane, where you can view its general progress. The progress is also displayed on the Importing File Process page of the Import wizard.
8. If the import completes successfully, you will see the last page of the wizard. Click Finish to exit the wizard.
9. The data is imported to the case and can be viewed.
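Before starting the import it helps to know whether the backup is actually encrypted (so the password prompt at step 6 is expected and keychain data will be available) and which iOS version and device produced it. The following Python script is an added example, not part of Electronic Evidence Examiner: it reads the backup's Manifest.plist and pulls out those facts. The sample manifests are constructed inline with synthetic device identifiers, and the supported-range check compares the major.minor of ProductVersion against the 3.x–10.2 range stated above, which is an assumption about how that range is meant.

```python
"""Triage an iTunes backup's Manifest.plist before importing it into E3.
Added example, not part of Electronic Evidence Examiner; sample manifests
are constructed inline and carry synthetic device identifiers."""
import datetime
import plistlib
from typing import Optional, Tuple


def inspect_manifest(manifest: bytes) -> dict:
    """Parse Manifest.plist (binary or XML plist) into the fields that decide
    the import path.  Lockdown/ProductVersion is the iOS version of the device;
    the top-level Version is the backup format version."""
    m = plistlib.loads(manifest)
    lockdown = m.get("Lockdown", {})
    return {
        "is_encrypted": bool(m.get("IsEncrypted", False)),
        "backup_version": m.get("Version"),
        "product_version": lockdown.get("ProductVersion"),
        "product_type": lockdown.get("ProductType"),
        "device_name": lockdown.get("DeviceName"),
        "udid": lockdown.get("UniqueDeviceID"),
        "created": m.get("Date"),
    }


def major_minor(version: Optional[str]) -> Optional[Tuple[int, int]]:
    """'9.3.5' -> (9, 3); None for a missing or malformed version string."""
    if not version:
        return None
    parts = version.split(".")
    try:
        return int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)
    except ValueError:
        return None


def encrypted_import_supported(info: dict) -> bool:
    """True when the manifest describes an encrypted backup inside the
    documented 'iPhone OS 3.x-10.2' range.  Assumption: the range is compared
    on major.minor of ProductVersion, so 10.2.1 counts as 10.2."""
    v = major_minor(info["product_version"])
    return bool(info["is_encrypted"]) and v is not None and (3, 0) <= v <= (10, 2)


def build_sample_manifest(*, encrypted: bool, ios_version: str,
                          device_name: str = "Subject iPhone") -> bytes:
    """Constructed Manifest.plist with the keys real backups carry.  The UDID,
    product type and format version are synthetic; no key bag is included."""
    return plistlib.dumps({
        "IsEncrypted": encrypted,
        "Version": "10.0",
        "Date": datetime.datetime(2017, 3, 1, 9, 30),
        "Lockdown": {
            "ProductVersion": ios_version,
            "ProductType": "iPhone8,1",
            "DeviceName": device_name,
            "UniqueDeviceID": "0" * 40,
        },
    }, fmt=plistlib.FMT_BINARY)


SAMPLE_MANIFESTS = {
    "encrypted_ios9": build_sample_manifest(encrypted=True, ios_version="9.3.5"),
    "encrypted_ios10": build_sample_manifest(encrypted=True, ios_version="10.2.1"),
    "encrypted_ios11": build_sample_manifest(encrypted=True, ios_version="11.2"),
    "plain_ios10": build_sample_manifest(encrypted=False, ios_version="10.2"),
}


def triage(manifests: dict) -> dict:
    """Name -> (is_encrypted, iOS version, encrypted import supported)."""
    out = {}
    for name, blob in manifests.items():
        info = inspect_manifest(blob)
        out[name] = (info["is_encrypted"], info["product_version"],
                     encrypted_import_supported(info))
    return out


if __name__ == "__main__":
    for name, row in triage(SAMPLE_MANIFESTS).items():
        print(f"{name:16} encrypted={row[0]!s:5} iOS={row[1]:7} supported={row[2]}")
```

For a real backup, read the Manifest.plist from the backup folder and pass its bytes to inspect_manifest; the IsEncrypted flag is the reliable indicator, since the key bag entries are present in both encrypted and plain backups.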


How to Import Data from RIM BlackBerry 10 Backup

Electronic Evidence Examiner allows you to import encrypted backups from RIM BlackBerry 10.0.x–10.3.1 devices.

To import RIM BlackBerry 10 backup, do the following:

1. Have the Import wizard open.
2. On the Imported data type page, select RIM BlackBerry Backup and click Next.

3. Click Browse and navigate to the file to be imported. Click Finish.
4. You will be asked for the password. Enter the password and click Next.

An active Internet connection is required: after you enter the password, Electronic Evidence Examiner obtains the decryption key from the RIM BlackBerry server. Plan for this if the examination workstation is normally kept offline, and note the outbound connection in the case documentation.

5. The data import starts, and a new Import stored mobile data task is added to the Tasks pane, where you can view its general progress. The progress is also displayed on the Importing File Process page of the Import wizard.

During the import, Electronic Evidence Examiner decrypts the backup; this requires free space on the system disk of at least three times the size of the backup.

6. If the import finishes correctly, you will see the last page of the Import Wizard. Click Finish.
7. Data is imported to the case.

How to Import Cloud Data

How to Find and Export Authentication Data

When you acquire data from an Android OS device or import an encrypted iTunes backup, an authentication data file containing device authentication tokens, user credentials, and cookies is automatically created in the case data. This file is used to import data from corresponding accounts in cloud-based services via the Cloud Data Import wizard.

To export an authentication data file, do the following:

1. Start Electronic Evidence Examiner.
2. Do one of the following:

• Open an existing case with data acquired logically from Android OS or with imported encrypted iTunes backup.
• Create a new case and acquire data from an Android OS device using logical acquisition or import an encrypted iTunes backup.

3. Open the Authentication Data folder in the acquired/imported data.
4. You will find an Auth_data binary file with the device name and time of importing.
5. Click Export in the file right-click menu or select it and click Export in the Common Export group on the Export tab.
6. In the Exporting Options window, select Export to Folder and define the destination path for the file.
7. Click Export. The export process is displayed in the Tasks pane.
8. The file is exported.

How to Import Cloud Data Using Authentication Data

Electronic Evidence Examiner allows you to import data from cloud-based services using authentication data extracted from logically acquired Android OS data or imported encrypted iTunes backup data.


To import cloud data using authentication data file:

1. Start Electronic Evidence Examiner.
2. Export an authentication data file to your computer.
3. Do one of the following:

• On the Evidence tab, in the Mobile Data group, click Import Cloud Data.
• Click Add Evidence on the Welcome screen or on the Evidence tab, in the Evidence group; and then, in the Add New Evidence window, select Cloud Data Import in the Mobile Data category and click OK.

4. If there is no opened case, the New Case window opens where you can define the name and location of the created case. See the How to Define Case Name During Automatic Case Creation section for details.

If the Ask a case name during automatic case creation option in the Common options is cleared, the case will be saved automatically to the default location and its name will be case.e3.

5. Once the case is created, the Cloud Data Import wizard opens and the Accounts and Sources page is displayed.
6. If necessary, in the Cloud investigation name box, change the name under which imported data will appear in the case.
7. Click Add Auth Data File and select the previously exported file with authentication data.


8. The accounts whose authentication data is present in the file are added to the accounts grid.

Some account logins may be unknown until they are authenticated.

9. Select the check boxes of the accounts from which you want to import data and click Authenticate.
10. The authentication of the selected accounts starts and its progress is displayed on the Authentication Process page.

During the authentication, all authentication data is sent directly to the corresponding authentication servers and is not saved anywhere.


11. After the authentication finishes, click Continue.
12. On the Data for Importing page, the list of successfully authenticated accounts will be displayed.


13. Do the following if necessary and click Import Data:

• Select the Select custom date range for time related data check box and select the time interval for which time related data (messages, calendar, etc.) from selected accounts must be imported.

Data that does not have timestamps, such as contacts and images, will be imported to the full extent.

• Select accounts in the accounts table and select which data must be imported from each account. To import all data from an account, select the check box next to it; to import no data from it, clear the check box next to it.

14. The cloud data importing starts and a new Import data from cloud task is added to the Tasks pane, where you can view its general progress. The progress is also displayed on the Importing Progress page of the Cloud Data Import wizard.
15. After the importing finishes, click Finish.
16. Data is imported and appears in the case under a node with the previously defined name.


How to Import Cloud Data Using User Account Credentials

Electronic Evidence Examiner allows you to import data from cloud-based services using user account credentials.

To import data from iCloud, you need to install Java SE Development Kit 11 (for x64) on the computer.

Before importing iCloud backup, please turn off two-factor authentication on the device. Otherwise, the import process might fail.

To import data using user account credentials:

1. Start Electronic Evidence Examiner.
2. Do one of the following:

• On the Evidence tab, in the Mobile Data group, click Import Cloud Data.
• Click Add Evidence on the Welcome screen or on the Evidence tab, in the Evidence group; and then, in the Add New Evidence window, select Cloud Data Import in the Mobile Data category and click OK.

3. If there is no opened case, the New Case window opens where you can define the name and location of the created case. See the How to Define Case Name During Automatic Case Creation section for details.

If the Ask a case name during automatic case creation option in the Common options is cleared, the case will be saved automatically to the default location and its name will be case.e3.

4. Once the case is created, the Cloud Data Import wizard opens and the Accounts and Sources page is displayed.


5. If necessary, in the Cloud investigation name box, change the name under which imported data will appear in the case.
6. Click Add Account.
7. A new line is automatically added to the accounts table.
8. Select the service from which you want data to be imported in the Data Source drop-down list.
9. Enter the account login in the Account/Login box.
10. Enter the account password in the Password box.


11. After all required accounts are added, click Authenticate.
12. The authentication of the selected accounts starts and its progress is displayed on the Authentication Process page.


13. After the authentication finishes, click Continue.
14. On the Data for Importing page, the list of successfully authenticated accounts will be displayed.

15. Do the following if necessary and click Import Data:

• Select the Select custom date range for time related data check box and select the time interval for which time related data (messages, calendar, etc.) must be imported.

Data that does not have timestamps, such as contacts and images, will be imported to the full extent.

• Select accounts in the accounts table and select which data must be imported from each account. To import all data from an account, select the check box next to it; to import no data from it, clear the check box next to it.

16. The cloud data importing starts and a new Import data from cloud task is added to the Tasks pane, where you can view its general progress. The progress is also displayed on the Importing Progress page of the Cloud Data Import wizard.
17. After the importing finishes, click Finish.
18. Data is imported and appears in a case under a node with the previously defined name.

When importing data from iCloud, Apple might block your iCloud account if it detects several downloads of the same backup.

To unlock an iCloud account, visit the following link and follow the instructions: https://iforgot.apple.com/password/verify/appleid

How to View Mobile Data

How to View Parsed Data

Electronic Evidence Examiner allows you to view acquired or imported data in detail. Mobile data grids can be identified by special icons representing the type of records they contain, for example, contacts, call history, or general grids.

To view parsed data, do the following:

1. Acquire or import mobile data to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. Select the desired grid in the Case Content or double-click it in the Data View pane.
4. The grid records are displayed in the Data View pane.

How to View Parsed Recovered Data

Electronic Evidence Examiner allows you to view recovered acquired or imported data in detail.

To view parsed recovered data, do the following:

1. Acquire or import mobile data to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. Select the desired grid with parsed recovered data (such grids usually have the Recovered prefix in their name) in the Case Content or double-click it in the Data View pane.
4. The recovered records are displayed in the Data View pane.
5. To view a recovered record in the unparsed format, select the grid record binary attachment in the Attachments viewer.

For some devices, unparsed recovered records can be found in the form of binary files in the same folder in which the corresponding grid is located.

How to View Attachments

Electronic Evidence Examiner allows you to view message attachments (files attached to messages and emails).

To view the attachments, do the following:

1. Acquire or import mobile data to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The mobile data structure is displayed in the Case Content pane (to the left).
3. Select a grid with messages or emails in the Case Content or the Data View pane.
4. Messages with attachments (files attached to them) have a special symbol in the corresponding column.
5. Select a message with an attachment in the Data View pane.
6. Click the Attachments tab in the bottom of the Viewers pane to view attached files. Attachments are displayed in Hex, Text, and File viewers if they are enabled.
7. To enable the Text, Hex and File viewers, click the corresponding icon on the View tab.


How to View Binary Files

Electronic Evidence Examiner allows you to view binary files contained in the acquired or imported data using different viewers.

To view binary data, do the following:

1. Acquire or import mobile data to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. In the Case Content or Data View pane, navigate to the binary file you want to view.
4. The content of the binary node is displayed in Hex and Text viewers. If possible, the contents are also displayed in the File viewer (make sure that the viewers are enabled).
5. To enable Hex, Text, and File viewers, on the View tab, in the File Viewers group, enable the corresponding options.

How to View Geolocation Data on Maps

Electronic Evidence Examiner allows you to view information stored on GPS devices (waypoints, tracks, etc.) within Open Street maps.

To view GPS data on Open Street maps, do the following:

1. Acquire data from a GPS device or import a GPS file acquired by an external application.
2. Double-click the GPS file in the Data View pane.
3. The Open Street viewer opens. In the tree-view to the right, information received from the device is displayed.

You need an active Internet connection to view data on Open Street maps.

4. Select the location check box in the tree-view to mark this location on the map.
5. Click the location to navigate to it on the Open Street maps.


How to View Device Information

Electronic Evidence Examiner allows you to view general information about the device, such as the device name, model, and serial number.

To view device information, do the following:

1. Acquire Android OS/iOS device data or import iOS device backup to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. In the Case Content pane, select the Mobile Data Triage node and select the Device Information sub-node.
4. The information about the device is displayed in the grid in the Data View pane.

How to View Data from Android OS/iOS devices

How to View User Activity Timeline

Electronic Evidence Examiner allows you to view what actions were performed on a device with Android OS 5.0 and higher at a given moment in time.


To view the list of actions performed on the device, do the following:

1. Acquire data from a device with Android OS 5.0 and higher through the Full Logical Acquisition or Custom Logical Acquisition with the User Activity Timeline feature selected.

Before the acquisition please see the How to Acquire Data from Android OS Devices section.

2. In the Case Content pane or the Data View pane, navigate to the User Activity Timeline folder.
3. Click the User Activity Timeline grid.
4. The list of actions is displayed in the Data View pane and consists of the following columns:

• Time: Date and time of the action.
• Application Name: Name of the application which was running on the device.
• Internal Application Name: Internal name of the application which was running on the device at the given date and time.
• Internal Activity Name: Internal name of the activity performed on the device at the given date and time, for example: com.android.launcher2.Launcher, com.samsung.sdm.ui.ActivationFail.
• Type: Event types representing the application state change, such as:
  • Move to background (the user did not interact with the application at the given time).
  • Move to foreground (the user interacted with the application at the given time).
  • Configuration change (the device configuration was changed).
  • None (none of the above event types can be applied to the application in question).
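The grid above lists raw state-change events; what an examiner usually wants from it is how long each application was actually in front of the user. The following added example (not part of the product or this manual) pairs Move to foreground / Move to background events per application to derive foreground sessions and per-application foreground time. The event rows are constructed for the example, using the Time, Internal Application Name, and Type column values described above; package names and timestamps are made up.

```python
from datetime import datetime

# Constructed sample rows in the shape of the User Activity Timeline grid:
# (Time, Internal Application Name, Type). Not real device data.
SAMPLE_EVENTS = [
    ("2021-03-01 09:00:00", "com.android.launcher2", "Move to foreground"),
    ("2021-03-01 09:00:05", "com.android.launcher2", "Move to background"),
    ("2021-03-01 09:00:05", "com.example.chat", "Move to foreground"),
    ("2021-03-01 09:00:40", "com.example.chat", "Configuration change"),
    ("2021-03-01 09:12:05", "com.example.chat", "Move to background"),
    ("2021-03-01 09:12:06", "com.example.browser", "Move to foreground"),
    ("2021-03-01 09:13:00", "com.example.browser", "None"),
]

FOREGROUND = "Move to foreground"
BACKGROUND = "Move to background"


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def foreground_sessions(events):
    """Return [(package, start, end, seconds)] sorted by start.

    Foreground/background events are paired per package. A foreground event
    with no later background event (the app was still in front when the data
    was acquired) yields end=None and seconds=None. "Configuration change" and
    "None" events do not alter foreground state, so they are ignored here.
    """
    open_since = {}   # package -> datetime of its unmatched foreground event
    sessions = []
    for time_str, package, ev_type in sorted(events, key=lambda e: parse_time(e[0])):
        now = parse_time(time_str)
        if ev_type == FOREGROUND:
            # Two foregrounds without an intervening background: keep the earliest start.
            open_since.setdefault(package, now)
        elif ev_type == BACKGROUND:
            start = open_since.pop(package, None)
            if start is not None:
                sessions.append((package, start, now, (now - start).total_seconds()))
            # A background with no recorded foreground (log truncated) is ignored.
    for package, start in open_since.items():
        sessions.append((package, start, None, None))
    sessions.sort(key=lambda s: s[1])
    return sessions


def seconds_in_foreground(events):
    """Total completed foreground seconds per package (open sessions excluded)."""
    totals = {}
    for package, _start, _end, seconds in foreground_sessions(events):
        if seconds is not None:
            totals[package] = totals.get(package, 0.0) + seconds
    return totals


if __name__ == "__main__":
    for package, start, end, seconds in foreground_sessions(SAMPLE_EVENTS):
        print(package, start, end, seconds)
    print(seconds_in_foreground(SAMPLE_EVENTS))
```

Open sessions are reported with no end time rather than silently dropped, so a reviewer can see which application was in front at the moment of acquisition.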


How to View Installed Applications

Electronic Evidence Examiner allows you to view the applications installed on the device and provides detailed information about them.

To view installed applications, do the following:

1. Acquire Android OS/iOS device data or import iOS device backup to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. In the Case Content pane, select the Mobile Data Triage node and select the Installed Applications sub-node.
4. The list of installed applications and information about them is displayed in the grid in the Data View pane.
5. Click the Navigate to parsed data link in the Parsed Application Data column to navigate to the folders with parsed application data. Inside these folders, you will find grids with various types of application data (such as contacts, conversations, etc.) and grids with parsed recovered application data (e.g. recovered conversations, recovered contacts, etc.).

How to View Contact Email Accounts

Electronic Evidence Examiner allows you to view contacts from Contacts/Address Book that have email account information filled in the Email column.

To view contact email accounts, do the following:

1. Acquire Android OS/iOS device data or import iOS device backup to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. In the Case Content pane, select the Mobile Data Triage node and select the Contact Email Accounts sub-node.
4. The list of contacts and their information is displayed in the grid in the Data View pane.

How to View ICE Contacts

Electronic Evidence Examiner allows you to view ICE (In Case of Emergency) contacts: contacts from Contacts/Address Book for which one of the following conditions is met:

• At least one word starts with ‘ice’ in the Name column (e.g., ‘ice Mother’, ‘Dad ICE’, ‘IceJohn’, ‘ICE_Kevin’).
• The ICE column is enabled in the Contact data.


To view ICE contacts, do the following:

1. Acquire Android OS/iOS device data or import iOS device backup to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. In the Case Content pane, select the Mobile Data Triage node and select the ICE Contacts sub-node.
4. The list of ICE contacts and their information is displayed in the grid in the Data View pane.
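The ICE rule stated above ("at least one word starts with ‘ice’", or the ICE column is set) is easy to get wrong with a plain substring match, which would also flag Alice, Price, or Service. The following added example is not the product's own implementation; it is one reading of that rule, written to triage an exported contacts list, and it makes one assumption the manual does not state: an underscore is treated as a word separator, so a name like Kevin_ICE matches as well as ICE_Kevin. The contact rows are constructed for the example.

```python
import re

# One word "starts with ice": the match must begin at the start of the name or
# right after a non-alphanumeric character (space, underscore, punctuation).
# Treating underscore as a separator is this example's assumption.
ICE_WORD = re.compile(r"(?<![A-Za-z0-9])ice", re.IGNORECASE)


def is_ice_contact(name, ice_flag=False):
    """True if the ICE column is set or some word in the name starts with 'ice'."""
    if ice_flag:
        return True
    return bool(ICE_WORD.search(name or ""))


# Constructed (Name, ICE column) pairs; the first four are the manual's own examples.
SAMPLE_CONTACTS = [
    ("ice Mother", False),
    ("Dad ICE", False),
    ("IceJohn", False),
    ("ICE_Kevin", False),
    ("Kevin_ICE", False),    # matches only because '_' is treated as a separator here
    ("Alice Price", False),  # 'ice' appears inside words only: not an ICE contact
    ("Service Desk", False), # same
    ("Nice Guy", False),     # same
    ("Mum", True),           # ICE column set, name irrelevant
    (None, False),           # empty name, not flagged
]


def ice_contacts(contacts):
    """Return the names of the contacts that satisfy either ICE condition."""
    return [name for name, flag in contacts if is_ice_contact(name, flag)]


if __name__ == "__main__":
    for name in ice_contacts(SAMPLE_CONTACTS):
        print(name)
```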

How to View Location Data

Electronic Evidence Examiner allows you to view location data from the device and all applications where it is parsed. Location data from applications is grouped by folders with the application name.

To view location data from the device, do the following:

1. Acquire Android OS/iOS device data or import iOS device backup to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. In the Case Content pane, select the Mobile Data Triage node and select the Locations sub-node.
4. Select a folder and double-click it. The selected folder is placed as a sub-node of the Locations node.
5. The grid with parsed location data is displayed in the Data View pane.

How to View Recent Web Searches

Electronic Evidence Examiner allows you to view recent web searches data from installed Internet browsers. Recent web searches data is grouped by folders with the corresponding Internet browser name.

To view the detected recent web searches, do the following:

1. Acquire Android OS/iOS device data or import iOS device backup to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. In the Case Content pane, select the Mobile Data Triage node and select the Recent Web Searches sub-node.
4. Select a folder with the corresponding Internet browser name and double-click it.
5. The selected folder is placed as a sub-node of the Recent Web Searches node.


6. Double-click a grid from the selected folder.
7. The recent web searches data is displayed in the grid in the Data View pane.

How to Analyze SQLite Databases

Electronic Evidence Examiner allows you to view SQLite databases used by many mobile applications for storing data. SQLite database file extensions are .db, .Sqlite, .Sqlite3, .sqlitedb, and .db3.

To find the SQLite databases in evidence, do the following:

1. Acquire Android OS/iOS device data or import iOS device backup to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices and How to Import Mobile Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. Sort the data (for more information, please see the corresponding topic in How to Perform Sorting in Evidence/Mobile Data).
4. Open the Databases category on the Sorted Files tab.
5. Double-click a database to view it in the Data View pane.
6. Double-click the database again to parse its content.
7. The SQLite Database structure opens in the Case Content pane (to the left). A number near each table name displays its row count.
8. Double-click tables to view their contents in the grid in the Data View pane (to the right).
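Sorting by the extensions listed above finds most application databases, but an SQLite file can sit under any name, and a file with a .db extension is not necessarily SQLite. The following added example (not code from the product or this manual) shows the two checks an examiner can apply outside the tool: the 16-byte file header "SQLite format 3\0" that every SQLite 3 database starts with, and the extension list from the text; it then produces the same table-name/row-count summary that step 7 describes, opening the file read-only so the evidence is not modified. The sample database and the decoy file are constructed inside the example; nothing here refers to a real case.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 database
SQLITE_EXTENSIONS = {".db", ".sqlite", ".sqlite3", ".sqlitedb", ".db3"}


def has_sqlite_extension(path):
    return os.path.splitext(path)[1].lower() in SQLITE_EXTENSIONS


def has_sqlite_header(path):
    """Header check: reliable regardless of the file name."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def sqlite_summary(path):
    """Return {'tables': {name: row_count}, 'freelist_pages': n} without writing to the file."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"   # read-only open
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        counts = {}
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'   # table names are identifiers
            counts[name] = con.execute("SELECT COUNT(*) FROM " + quoted).fetchone()[0]
        # Unused pages in the freelist are a hint that deleted records may be recoverable.
        freelist = con.execute("PRAGMA freelist_count").fetchone()[0]
        return {"tables": counts, "freelist_pages": freelist}
    finally:
        con.close()


def build_sample_db(directory):
    """Constructed sample database for this example; deliberately not a .db extension."""
    path = os.path.join(directory, "chat_history.dat")
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE contacts(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, contact_id INTEGER, body TEXT);
        INSERT INTO contacts(name) VALUES ('Alice'), ('Bob'), ('Carol');
        INSERT INTO messages(contact_id, body) VALUES (1, 'hi'), (2, 'meeting at 9');
    """)
    con.commit()
    con.close()
    return path


def run_demo():
    """Classify a real SQLite file with the wrong extension and a decoy with the right one."""
    directory = tempfile.mkdtemp(prefix="sqlite_demo_")
    sample = build_sample_db(directory)
    decoy = os.path.join(directory, "settings.db")
    with open(decoy, "wb") as f:
        f.write(b"not a database")
    return {
        "sample": {"by_extension": has_sqlite_extension(sample),
                   "by_header": has_sqlite_header(sample),
                   "summary": sqlite_summary(sample)},
        "decoy": {"by_extension": has_sqlite_extension(decoy),
                  "by_header": has_sqlite_header(decoy)},
    }


if __name__ == "__main__":
    print(run_demo())
```

The header check is the one to trust: the sample file is only found by it, and the decoy is only found by the extension.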

How to Analyze plist Files

Electronic Evidence Examiner allows you to view the Property List files (plist files) from iOS devices. Such files mainly contain the configuration information, preferences, and settings.

To view the plist files, do the following:

1. Acquire iOS device data or import iOS device backup to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices and How to Import Cloud Data sections).
2. The structure of the data is displayed in the Case Content pane (to the left).
3. In the Case Content pane, double-click the iOS device name to view its content.
4. To find plist files, perform a search and enter bplist or plist in the search box.
5. To view the contents of the plist file, click it. The plist files in the XML format are displayed in the File Viewer.

How to Work with Data in Different Formats
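Step 4 searches for the strings bplist and plist because a property list comes in two encodings: a binary plist begins with the bytes "bplist00", and an XML plist begins with an XML declaration. The following added example (not part of the product or this manual) classifies raw bytes by that header, parses either form with Python's standard plistlib, and flattens the nested result into dotted key paths so that a preferences file can be reviewed as a flat list of settings. The sample property list is constructed in the example and only resembles an iOS preferences file.

```python
import plistlib


def plist_format(data):
    """Classify raw bytes as 'binary', 'xml', or None by looking at the header."""
    if data[:8] == b"bplist00":
        return "binary"
    head = data.lstrip()[:256]
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return None


def flatten_plist(obj, prefix=""):
    """Flatten nested dicts/arrays into {'Outer.Inner.0': value} for grid-style review."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            out.update(flatten_plist(value, prefix + str(key) + "."))
        return out
    if isinstance(obj, list):
        out = {}
        for index, value in enumerate(obj):
            out.update(flatten_plist(value, prefix + str(index) + "."))
        return out
    return {prefix.rstrip("."): obj}


def parse_plist(data):
    """Return (format, flattened_dict); raises ValueError for non-plist input."""
    fmt = plist_format(data)
    if fmt is None:
        raise ValueError("input does not start with a plist header")
    return fmt, flatten_plist(plistlib.loads(data))


# Constructed sample resembling an application preferences plist; not real device data.
SAMPLE = {
    "Version": 2,
    "Settings": {
        "Enabled": True,
        "Server": "example.invalid",
        "Token": b"\x00\x01\x02",     # <data> element: stays bytes after parsing
    },
    "Recent": ["home", "work"],
}


def run_demo():
    """Serialize the sample both ways and parse each back, as found on a device."""
    xml_bytes = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
    bin_bytes = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
    return parse_plist(xml_bytes), parse_plist(bin_bytes)


if __name__ == "__main__":
    for fmt, flat in run_demo():
        print(fmt)
        for key, value in sorted(flat.items()):
            print("  ", key, "=", repr(value))
```

Both encodings flatten to the same key/value set, which is why a search for either header string finds the same kind of file; a binary plist is simply not readable in the Text viewer until it is parsed.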

How to Work with Parsed Data

Electronic Evidence Examiner allows you to view parsed data in the form of grids. A grid displays information on collections of data of the same type. Parsed data is displayed in the Data View pane. From here you can copy and export any data.

To view the parsed data, do the following:

1. Create a new case and add data to it or open an existing case with data.
2. In the Case Content pane or the Data View pane viewer, select the grid node whose content you want to be displayed.
3. The content of the selected grid is displayed in the Data View pane.

To copy the content of a row from the Data View pane, select it and click Copy in the right-click menu or in the Clipboard group on the Analysis tab.

To export data from the Data View pane to a *.csv file, right-click in the viewer and click Export Info to Spreadsheet. In the opened Export To File window, define the name and location for the exported data.

To export a specific row to a *.csv file, select it in the Data View pane and click Export Selected Rows to CSV in the right-click menu. In the opened Save As window, define the name and location for the exported data.

To add data from the viewer to the report, select the check-boxes near the rows.

How to Work with Data in Text Format

Electronic Evidence Examiner allows you to view case data in text format. Text representation is available only for binary files (for more information, see the help file).

To view data in text format, do the following:

1. Create a new case and add data to it or open an existing case with data.
2. In the Folder viewer, navigate to the required binary file whose content you want to be displayed in the Text viewer (you can enable the Text viewer on the View tab, in the File Viewers group).
3. The content of the selected binary node is displayed in the Text viewer.


To change the encoding of the selected file, right-click in the Text viewer and select the required encoding in the Encoding sub-menu.

To copy text from the viewer, select it, right-click it and select Copy Text, or click Copy Text on the Analysis tab, in the Clipboard group, or press Ctrl+C.

To select all data in the viewer, right-click in it and select Select All, or click Select All on the Analysis tab, in the Clipboard group, or press Ctrl+A.

To move to a specific line in the viewer, right-click in it and select Go To or click Go To on the Analysis tab, in the Search group. In the Go To Line window, define the number of the line and click OK. The required line is selected.

How to Work with Data in Hex Format

Electronic Evidence Examiner allows you to view case data in hex format. Hex format is the representation of data in hexadecimal code. Hex representation of the file is available only for binary files (for more information, see the help file).

To view data in hex format, do the following:

1. Create a new case and add data to it or open an existing case with data.
2. In the Folder viewer, navigate to the required binary file whose content you want to be displayed in the Hex viewer (you can enable the Hex viewer on the View tab, in the File Viewers group).
3. The contents of the selected binary node are displayed in the Hex viewer.

To copy text from the viewer, select it, right-click it, and select Copy Text, or click Copy Text on the Analysis tab, in the Clipboard group, or press Ctrl+C.

To copy hex data from the viewer, select it, right-click it, and select Copy Hex, or click Copy Hex on the Analysis tab, in the Clipboard group, or press Ctrl+C.

To select all data in the viewer, right-click in it and click Select All, or click Select All on the Analysis tab, in the Clipboard group, or press Ctrl+A.

To move to a specific line in the viewer, right-click in it and select Go To or click Go To on the Analysis tab, in the Search group. In the Go To Line window, define the number of the line and click OK. The required line is selected.


How to Work with Data in Image (Graphics) Format

Electronic Evidence Examiner allows you to view case data in image format. Image format is available only for graphic files.

To view graphics, do the following:

1. Create a new case and add data to it or open an existing case with data.
2. In the Folder viewer, navigate to the required binary file whose content you want to be displayed in the File viewer (you can enable the File viewer on the View tab, in the Viewers group).
3. The contents of the selected binary node are displayed in the File viewer.

To resize the image, use the corresponding Zoom in and Zoom out buttons at the top of the File viewer or click Fit Height, Fit Width, or Fit Size in the context menu.

To rotate the image in the viewer, use the corresponding Rotate buttons.

To return the image to its initial state, right-click it and select Original Size in the context menu.

How to Work with Data in Document Format

Electronic Evidence Examiner allows you to view case data in document format.

To view a document, do the following:

1. Create a new case and add data to it or open an existing case with data.
2. In the Folder viewer, navigate to the required binary file whose content you want to be displayed in the File viewer (you can enable the File viewer on the View tab, in the Viewers group).
3. The contents of the selected binary node are displayed in the File viewer.

To resize a page, use the Zoom in, Zoom out, and Fit to page width buttons at the top of the File viewer.

To navigate between different pages of a document, use the First page, Previous page, Next page, and Last page buttons or select the page number in the corresponding drop-down list at the top of the File viewer.


How to Work with Data in GPS Format

Electronic Evidence Examiner allows you to view data stored in GPS devices within Open Street maps. The information is retrieved from the *.gps file that is created if the corresponding option was selected during the acquisition from a GPS device.

To view GPS data on Open Street viewer, do the following:

1. Create a new case and acquire or import GPS data to it, or open an existing case with GPS data.
2. In the Data View pane, navigate to a *.gps file (it is placed as a sub-node of the mobile data evidence node) and double-click it.
3. The Open Street viewer opens.
4. In the tree-view (to the right), information received from a GPS device is displayed.
5. Select the location record in the tree-view to navigate to it in the Open Street viewer.

How to Search in Mobile Data

Electronic Evidence Examiner allows you to perform searches in the mobile data acquired or imported to Electronic Evidence Examiner cases.

To search for text data, it is recommended that you use a keyword search. Keyword searches are performed much faster than regular searches. Please note that keywords in your data should be indexed before you perform a keyword search.

To perform searching, do the following:

1. Acquire or import data to a new or existing case (for more information, please see the corresponding topics in How to Acquire Data from Different Devices, How to Import Mobile Data, and How to Import Cloud Data sections).
2. In the Case Content or Data View pane (to the left), navigate to the folder, grid, or file where you want to search for data.
3. In the context menu of the selected item, select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
4. The Search pane opens (to the right).
5. Enter the Search Parameters (for more information, please see the help file). The following groups of parameters are available:

• Common parameters: These parameters include general information about what is to be searched.
• Search Area parameters: These parameters define where data is to be searched. Please note that searching by file mask is available for binary files only.
• File System Data parameters. Search Text Scope: These parameters define where data is to be searched. They allow the user to define file attributes and file mask. The date parameters can be defined here as well. Please note that searching by these parameters will be performed in binary files only, so grids with parsed data will not be found.

6. Click Start.
7. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. The search results are displayed in the bottom part of the Search pane.
9. Double-click the search result to view its properties in the Properties pane. Select Navigate to Path in the right-click menu to view the file containing the search result.

How to Validate Mobile Data Hash Code

Electronic Evidence Examiner allows you to validate hash codes of mobile data to make sure it was not damaged or changed by external means.

Hash codes of mobile data cases created in older E3 versions (1.0–1.1) might not be validated in the most recent E3 versions (1.2 and higher).

To validate mobile data hash code:

1. Start Electronic Evidence Examiner.
2. Create a new case and acquire data to it or open an existing case with acquired data.
3. On the Analysis tab, in the Mobile Data group, click Validate Data.
4. The corresponding task is added to the Tasks pane, to the Device Related category.
5. After the validation process finishes, you will see the results in the State column.
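The manual does not describe how the product stores or checks its hash codes, and the following added example is not its mechanism. It shows the general integrity check the procedure above performs for acquired data: record a SHA-256 digest for every file at acquisition time, then re-hash the same tree later and report which files are unchanged, modified, missing, or newly added. Keeping all four outcomes separate matters, because "changed by external means" can mean any of the last three. The directory tree, file names, and tampering steps are constructed inside the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large acquisitions do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path ('/' separated) -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return dict(sorted(manifest.items()))


def validate_manifest(root, manifest):
    """Re-hash the tree and classify every path against the recorded manifest."""
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def run_demo():
    """Return (validation of the untouched tree, validation after tampering)."""
    root = tempfile.mkdtemp(prefix="acquisition_")    # constructed sample tree
    os.makedirs(os.path.join(root, "sms"))
    with open(os.path.join(root, "contacts.db"), "wb") as f:
        f.write(b"contacts-data")
    with open(os.path.join(root, "sms", "mmssms.db"), "wb") as f:
        f.write(b"sms-data")

    manifest = build_manifest(root)          # recorded at acquisition time
    clean = validate_manifest(root, manifest)

    # Simulate external changes: append to one file, delete one, drop in a new one.
    with open(os.path.join(root, "contacts.db"), "ab") as f:
        f.write(b"!")
    os.remove(os.path.join(root, "sms", "mmssms.db"))
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"new")
    tampered = validate_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("before:", clean)
    print("after: ", tampered)
```

Store the manifest outside the acquisition directory (or sign it), otherwise whoever can alter the data can regenerate the hashes to match.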


How to Work with Mobile Evidence Comparer

How to Compare Two Cases with Mobile Data

Electronic Evidence Examiner allows you to compare two cases that contain mobile data. It is useful when some data was added to or deleted from the case, or when some changes were made to the data on the device. Cases are compared with the help of the Mobile Evidence Comparer.

To compare cases, do the following:

1. Start Electronic Evidence Examiner.
2. Do one of the following:

• Open an existing case with the acquired or imported mobile data.
• Create a new case and acquire or import mobile data to it (for more information, see the help file).

3. On the Tools tab, in the Case group, click Mobile Evidence Cases.
4. The Mobile Evidence Comparer window opens.

5. To add the case to the Mobile Evidence Comparer, do one of the following:

• In the top of the Mobile Evidence Comparer window, click Browse and, in the standard Open window, navigate to the required case and click Open.
• In the main menu of the Mobile Evidence Comparer, select File - Open First Case to add the first case. Select File - Open Second Case to open the second case.

6. Two cases are displayed in a tree-view structure in the corresponding The First Case and The Second Case columns. Differences between the cases are displayed in the Differences column. Differences are highlighted.

7. To view the difference in detail, double-click it. The differences are displayed in a separate window.


How to Prepare Mobile Evidence Comparer Report

Mobile Evidence Comparer allows you to prepare a report of the case comparison results that is suitable for printing, emailing, etc.

To prepare a report, do the following:

1. Start Electronic Evidence Examiner.
2. Do one of the following:

• Open an existing case with acquired or imported mobile data.
• Create a new case and acquire or import mobile data to it (for more information, see the help file).

3. On the Tools tab, in the Case group, click Mobile Evidence Comparer.
4. The Mobile Evidence Comparer window opens.
5. Do one of the following:


• At the top of the Mobile Evidence Comparer window, click the right Browse button and, in the standard Open window, navigate to the case to be compared with the open case and click Open.
• In the main menu of the Mobile Evidence Comparer, select File - Open First Case to add the first case, then File - Open Second Case to add the second case.

6. In the Mobile Evidence Comparer main menu, select File - Generate report.
7. The Mobile Evidence Comparer Report Wizard opens. Click Next.
8. On the Report Scheme Selection page, select the type of report to be generated. Click Next.
9. Move between the other pages of the wizard to define the necessary options (for more information, see the help file).
10. On the Your Selection page, check that the selected information is correct. Click Next.
11. The report is generated. Click Finish to exit the wizard.
12. The report opens automatically if the corresponding option was selected.

How to Clone SIM Card from Existing Card

Electronic Evidence Examiner allows you to copy identification data from a GSM SIM card with the help of the SIM Cloner tool.

To clone a SIM card from an existing card, do the following:

1. Connect the card reader holding the SIM card that you want to clone to a USB port of your computer.
2. Start Electronic Evidence Examiner.
3. Do one of the following:

• Create a new case.
• Open an existing case.

4. On the Tools tab, in the Additional Tools group, click SIM Cloner.
5. The SIM Cloner Wizard opens.


6. On the Welcome page of the wizard, click Next.
7. On the Cloning Type Selection page, select the From Card option. Click Next.
8. Move between the other pages of the wizard to define the necessary options (for more information, see the help file).
9. If the card is locked by a PIN code, you will need to type it in the window and click Next.

You have only 3 attempts to enter the PIN code. After that, the PUK code is requested. After you enter the correct PUK, the SIM card PIN is reset to 0000. Do not guess the PUK: a SIM card permanently blocks itself after ten incorrect PUK entries, so obtain the PUK from the carrier or subscriber documentation before proceeding.

10. Insert the new card to be written to. Click Next.
11. When the cloning process finishes, the last page of the SIM Cloner Wizard is displayed. Click Finish to exit the wizard.
12. The SIM card is successfully cloned.


How to Investigate Embedded Data

The investigation of embedded evidence is possible with the following packages:

Embedded evidence              E3: Universal/P2C   E3: DS   E3: EMX/NEMX   E3: Viewer
Archives                              +               -           -             -
Chat database                         +               -           -             +
File system *                         +               -           -             +
Game console XDBF storages            -               +           -             -
Internet browser data                 +               -           -             +
iTunes backup data                    +               -           -             +
Mailstorage **                        +               -           +             -
OLE storages                          +               -           -             -
Registry files                        +               -           -             -
SQLite databases                      +               +           -             +

* – non-chunked images only
** – different packages support different types of embedded mailstorages: see the corresponding chart for information on the mailstorages supported by each package

How to View Mailstorage Stored in Added Disk/Disk Image

Electronic Evidence Examiner allows you to view the structure and contents of mailstorages stored on a disk or a disk image added to the case.

To view a mailstorage stored as a single file, do the following:

1. Add the disk or disk image containing the mailstorage to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. In the Case Content pane (to the left), navigate to the folder with the mailstorage. The contents of the folder are displayed in the Data View pane (to the right).

3. An embedded file-type mailstorage has a special symbol next to its name in the Data View pane.
4. Double-click the mailstorage in the Data View pane.
5. The mailstorage is parsed and added to the root of the file system data tree. It can be viewed as if it had been added to the case separately.


6. You can view messages and attachments in different viewers (for more information, please see the corresponding How to investigate... topics).

To view a mailstorage stored as a folder, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the folder with the mailstorage.
3. When you click the folder, you are asked to mount the mailstorage contained in it. Click Yes.
4. The mailstorage is parsed and added to the root of the file system data tree.
5. You can perform further investigation of the mailstorage (for more information, please see the corresponding How to investigate... topics).

How to View Chat Databases Stored in Added Disk/Disk Image

Electronic Evidence Examiner allows you to view the structure and contents of chat databases stored on a disk or disk image added to the case.

To view a chat database stored as a single file, do the following:

1. Add the disk or disk image containing the chat database to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. In the Case Content pane (to the left), navigate to the folder with the chat database. The contents of the folder are displayed in the Data View pane (to the right).

3. The embedded chat database has a special symbol next to its name in the Data View pane.
4. Double-click the chat database in the Data View pane.
5. The chat database is parsed and added to the root of the file system data tree. It can be viewed as if it had been added to the case separately.
6. You can perform further investigation of the chat database (for more information, please see the corresponding How to investigate... topics).

To view a chat database stored as a folder, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. In the Case Content pane (to the left), navigate to the folder with the chat database.


3. When you click the folder, you are asked to mount the chat database contained in it. Click Yes.
4. The chat database is parsed and added to the root of the file system data tree.
5. You can perform further investigation of the chat database (for more information, please see the corresponding How to investigate... topics).

How to Search in Embedded Data

Electronic Evidence Examiner allows you to perform searches in embedded data (for example, a mailstorage found inside file system evidence from a forensic image). This means that you can search in evidence of any type as well as in the evidence embedded in it, including embedded evidence stored as a single file (for more information, please see the help file).

To search for text data, a keyword search is recommended: keyword searches are performed much faster than regular searches. Note that the keywords in your evidence must be indexed before a keyword search can be performed.

To perform searching, do the following:

1. Add evidence with the embedded data to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left); the contents of the selected folders/nodes are displayed in the Data View pane (to the right).
3. Select the file, folder, node, etc. where you want to search for data.
4. Right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
5. The Search pane opens (to the right).
6. Select the Search Area tab.
7. In the Recursive search in group of options, select the types of embedded evidence where the recursive search will be performed. When the E-mail databases, Chat databases, Registry data, or Internet Browser data options are selected, additional tabs open in the Search pane.
8. Enter the Search Parameters (for more information, please see the help file). Click Start.
9. The search starts. Its status is displayed in the Tasks pane, where it can be stopped, paused, and resumed (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
10. The search results are displayed in the bottom part of the Search pane.
11. Double-click a search result to open it.


How to Perform Content Analysis in Embedded Data

Electronic Evidence Examiner allows you to perform content analysis in embedded evidence. This means that you can perform content analysis in evidence of any type as well as in the evidence embedded in it, including embedded evidence stored as a single file (for more information, please see the help file).

To perform content analysis in embedded data, do the following:

1. Add evidence with the embedded data to a new or existing case (for more information, please see the corresponding How to investigate... topic).
2. The structure of the added evidence is displayed in the Case Content pane (to the left); the contents of the selected folder/node are displayed in the Data View pane (to the right).
3. Select the node, folder, file, etc. where you want to perform content analysis.
4. Right-click and select Content Analysis from the Content Analysis sub-menu, or on the Evidence tab, in the Content Analysis group, click Content Analysis and then click Content Analysis in the drop-down menu.
5. The Content Analysis wizard opens. On the General Options page, define the types of embedded evidence where you want to perform content analysis by selecting the corresponding check boxes.


6. Define any other content analysis options if necessary (for more information, please see the help file). Click Finish.
7. The content analysis process is displayed in the Tasks pane, where it can be stopped, paused, and resumed (via the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. Once the content analysis process is completed, you can start a keyword search for this evidence.
9. To view sorted files, click the Sorted Files tab.
10. To view the results of text extraction, select the analyzed graphic file and select the Extracted Text viewer.
11. To view the results of a malware scan, select the scanned portable executable file and select the Properties pane. The results are displayed on the Content Analysis tab.


How to Perform Export

How to Export Messages from Several Databases

Batch Export allows you to search and filter multiple mailstorages of different formats and export the results to the EML, EMX, MHT, MSG, or PST format, or to export attachments only, without starting Electronic Evidence Examiner.

To export messages, do the following:

1. Start Paraben's Batch Export Wizard from the Welcome screen, or select Batch Export on the Export tab in the Mailstorage Export group.
2. The Batch Export Wizard opens.

3. If the Show Batch Export wizard Welcome page option is selected in the Electronic Evidence Examiner options, the Welcome page of the Batch Export Wizard is displayed on startup. Click Next to continue.


4. On the Source options page, click Add File/Add Folder to add the files/folders in which the mailstorages to be exported will be detected (for more information, please see the help file).

You can either add a mailstorage file/folder manually or define its location, e.g. C:\, and Electronic Evidence Examiner will detect mailstorages automatically.

5. In the Source detection options, do one of the following:

• Select the type of mailstorage to be exported from the list box. You can select more than one type using the Ctrl and Shift keys.
• Select the Auto detect source check box to enable automatic detection of the source format. Otherwise, only mailstorages of the selected type will be analyzed.

6. On the Filter options page, define the parameters for selecting data from the source mailstorages, such as text search, filtering by dates, etc.
7. On the Export options page, define the output format and the destination folder for the exported data.


8. On the Common options page, define the common options for the export process. Select the Open folder with exported data after finish option to open the destination folder automatically.

9. When all the parameters are defined, click Finish.
10. The export progress is displayed on the Batch Export Progress page. Once the export process is completed, the folder with the exported results opens automatically.
11. Click Finish to exit the wizard.

How to Add Messages with Certain Parameters to New Case

Electronic Evidence Examiner allows you to export messages from external mailstorages and add them to a newly created case using Batch Export.


To add messages, do the following:

1. Start Paraben's Batch Export Wizard from the Welcome screen, or click Batch Export on the Export tab in the Mailstorage Export group.
2. The Batch Export Wizard opens.

3. If the Show Batch Export wizard Welcome page option is selected in the Electronic Evidence Examiner options, the Welcome page of the Batch Export Wizard is displayed on startup. Click Next to continue.
4. On the Source options page, click Add File/Add Folder to add the files/folders in which the mailstorages to be exported will be detected (for more information, please see the help file).

You can either add a mailstorage file/folder manually or define its location, e.g. C:\, and Electronic Evidence Examiner will detect mailstorages automatically.


5. In the Source detection options, do one of the following:

• Select the type of mailstorage to be exported from the list box. You can select more than one type using the Ctrl and Shift keys.
• Select the Auto detect source check box to enable automatic detection of the source format. Otherwise, only mailstorages of the selected type will be analyzed.

6. On the Filter options page, define the parameters for selecting data from the source mailstorages, such as text search, filtering by dates, etc.
7. On the Export options page, define the output format and the destination folder for the exported data.
8. On the Common options page, define the common options for the export process. Select the Open exported e-mails in a new Electronic Evidence Examiner case after finish option to open a new case and add the exported messages to it after the export finishes.

9. When all the parameters are defined, click Finish.


10. The export progress is displayed on the Batch Export Progress page. Click Finish after the export is completed.
11. Electronic Evidence Examiner opens. On startup, you are asked to create a new case (for more information, please see the help file).
12. The exported messages are added to the newly created case.

How to Export Messages in Mailstorage Without Saving Its Attachments

Electronic Evidence Examiner allows you to export messages from the selected mailstorage without saving attachments (files attached to messages).

To export messages without attachments, do the following:

1. Add the mailstorage database to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The mailstorage structure is displayed in the Case Content pane (to the left); the messages stored in the mailbox are displayed in the Data View pane (to the right).
3. In the Data View pane, select the message or group of messages (using the Shift and Ctrl keys) to be exported, or in the Case Content pane, select the folder with the messages to be exported.
4. Right-click and select Export, or on the Export tab, in the Common Export group, click Export.
5. The Export Wizard opens.


6. On the Source and Output page, define the output format and the destination folder for the exported data.
7. On the Export Options page, clear the Include Attachments check box.

8. Move between the other pages of the wizard to set the options you need.
9. After all the selections are made, click Finish.
10. The export process is displayed in the Tasks pane.
11. Once the export process is completed, navigate to the destination folder to view the results. When the export is performed, an MD5 hash is calculated for the exported data and placed in a separate file with the .MD5 extension. MD5 is sufficient for detecting accidental corruption of the export, but it is not collision-resistant, so it does not by itself prove that the data was not deliberately altered; where your procedures require it, record a stronger hash (for example SHA-256) alongside it.
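Both the mobile data hash validation described earlier and the .MD5 sidecar written on export amount to the same check: recompute every digest and compare it with what was recorded. The following is an added example (not code from Electronic Evidence Examiner or Paraben) that writes and verifies such a manifest for an export folder. It assumes the common md5sum-style layout of one "digest, two spaces, relative path" line per file; the real .MD5 file written by the product may use a different layout, so treat the parser as an assumption to adapt. The sample files and the tampering are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample export: file name -> content. Not real case data.
SAMPLE_FILES = {
    "message1.eml": b"From: a@example.com\r\nSubject: hi\r\n\r\nbody\r\n",
    "message2.eml": b"From: b@example.com\r\nSubject: re\r\n\r\nreply\r\n",
}


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so large exports do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root, manifest_path, algorithm="md5"):
    """Write 'digest  relative/path' lines (assumed md5sum-style layout) for
    every file under root, skipping the manifest itself. Returns the count."""
    root = Path(root)
    manifest_path = Path(manifest_path)
    lines = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.resolve() == manifest_path.resolve():
            continue
        rel = path.relative_to(root).as_posix()
        lines.append(f"{file_digest(path, algorithm)}  {rel}")
    manifest_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return len(lines)


def parse_manifest(manifest_path):
    """Return {relative path: expected digest} from a manifest file."""
    expected = {}
    for line in Path(manifest_path).read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def verify_manifest(root, manifest_path, algorithm="md5"):
    """Recompute every digest and report ok / modified / missing / unlisted files.
    Unlisted files matter: a manifest only vouches for the files it names."""
    root = Path(root)
    manifest_abs = Path(manifest_path).resolve()
    expected = parse_manifest(manifest_path)
    present = {
        p.relative_to(root).as_posix(): p
        for p in root.rglob("*")
        if p.is_file() and p.resolve() != manifest_abs
    }
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        path = present.get(name)
        if path is None:
            result["missing"].append(name)
        elif file_digest(path, algorithm) == digest:
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    result["unlisted"] = sorted(set(present) - set(expected))
    return result


def demo():
    """Round trip on the constructed export, then simulate post-export changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in SAMPLE_FILES.items():
            (root / name).write_bytes(data)
        manifest = root / "export.MD5"
        count = write_manifest(root, manifest)
        clean = verify_manifest(root, manifest)
        # Changes the manifest must catch: one file altered, one file added.
        (root / "message2.eml").write_bytes(b"tampered")
        (root / "extra.txt").write_bytes(b"not in manifest")
        tampered = verify_manifest(root, manifest)
        return count, clean, tampered


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()[1:]):
        print(label, report)
```

Pass algorithm="sha256" to write_manifest and verify_manifest to produce the stronger companion digest mentioned above; the manifest format stays the same, only the digest length changes.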

How to Export All Graphics/Multimedia Files Stored in Evidence/Mobile Data

Electronic Evidence Examiner allows you to find and export all multimedia and graphics files stored in an evidence or mobile data. Files will be exported to the computer with Electronic Evidence Examiner installed and can be played with media players and image viewers.


To export all multimedia files, do the following:

1. Create a new case and add data to it, or open an existing case with data.
2. The structure of the evidence/mobile data is displayed in the Case Content pane (to the left); the contents of the selected folder/file are displayed in the Data View pane (to the right).
3. Sort the evidence/mobile data or a separate evidence (for more information, please see the How to Perform Sorting in Evidence/Mobile Data topic).
4. After the sorting finishes, on the Export tab, in the Common Export group, click Export Graphics and Multimedia.
5. Select the folder to which the data is to be exported and click OK.
6. The data is exported.

How to Export Files

Electronic Evidence Examiner allows you to export files from a case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed.

To export a file, do the following:

1. Create a new case and add data to it, or open an existing case with data.
2. The structure of the evidence/mobile data is displayed in the Case Content pane (to the left); the contents of the selected folder/file are displayed in the Data View pane (to the right).
3. Select the file to be exported in the Data View pane or on the Attachments tab of the E-mail Data pane (at the bottom). Use the Ctrl and Shift keys to select more than one file.
4. Right-click and select Export, or on the Export tab, in the Common Export group, click Export.
5. In the Exporting Options window, set the options:

• Export to folder: Click this option if you want to export file(s) to a folder.

• Export to forensic container: Click this option if you want to export file(s) to an encrypted forensic container (for more information on forensic containers, please see the help file).

• Destination Path: Define the location of the exported data. Click Browse to navigate to the desired location.

• Password: Enter the password that you set during the forensic container creation (required if Export to forensic container is selected).


6. Click Export. The export process is displayed in the Tasks pane.
7. To view the results:

• If the data was exported to a folder, navigate to the selected folder to view the exported file(s).

• If the data was exported to a forensic container, add the desired forensic container as evidence and view the results.

How to Export Folders

Electronic Evidence Examiner allows you to export folders from a case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed.

To export folders, do the following:

1. Create a new case and add data to it, or open an existing case with data.
2. The structure of the evidence/mobile data is displayed in the Case Content pane (to the left); the contents of the selected folder/file are displayed in the Data View pane (to the right).
3. In the Case Content pane or in the Data View pane, select the folder that you want to export.

When selecting the folder in the Data View pane, you can select more than one folder using the Ctrl and Shift keys.

4. Right-click and select Export, or on the Export tab, in the Common Export group, click Export.


5. In the Exporting Options window, define the folder export options and destination. The following export options are available:

• Export type:

o Recursive: If this option is selected, then the folder will be exported with all its subfolders.

o Non recursive: If this option is selected, then only files stored directly in the folder will be exported and the subfolder contents will not be exported.

• Export to:

o Export to folder: If this option is selected, the data will be exported to a folder.

o Export to forensic container: If this option is selected, the data will be exported to an encrypted forensic container (for more information on forensic containers, please see the help file).

• Destination:

o Destination Path: Define the location of the exported data. Click Browse to navigate to the desired location.

o Password: Enter the password that you set during the forensic container creation (required if Export to forensic container is selected).

6. Click Export.
7. The export process is displayed in the Tasks pane.


8. To view the results:

• If the data was exported to a folder, navigate to the selected folder to view the exported data.
• If the data was exported to a forensic container, add that forensic container as evidence and view the results.

How to Export GPS Data to MapLink

Electronic Evidence Examiner allows you to export geographical data from a case. Exporting means making an exact copy of data on the computer where Electronic Evidence Examiner is installed.

To export GPS data to MapLink, do the following:

1. Create a new case and add data to it, or open an existing case with data.
2. The structure of the evidence/mobile data is displayed in the Case Content pane (to the left); the contents of the selected folder/file are displayed in the Data View pane (to the right).
3. In the Sorted Files pane or the Data View pane, select the .kml file that you want to export.
4. On the Export tab, in the GPS Data Export group, click Export to MapLink.

5. In the Exporting Options window, set the options.

• Export to folder: Click this option if you want to export file(s) to a folder.
• Export to forensic container: Click this option if you want to export file(s) to an encrypted forensic container (for more information on forensic containers, please see the help file).


• Destination Path: Define the location of the exported data. Click Browse to navigate to the desired location.
• Password: Enter the password that you set during the forensic container creation (required if Export to forensic container is selected).

6. Click Export.
7. The export process is displayed in the Tasks pane.
8. To view the results:

• If the data was exported to a folder, navigate to the selected folder to view the exported data. You can open it in MapLink.
• If the data was exported to a forensic container, add that forensic container as evidence and view the results.


How to Work with Auto-Exam

Electronic Evidence Examiner’s Auto-Exam allows you to have your evidence processed automatically. You can select a sequence of actions to have performed on your evidence and let Electronic Evidence Examiner work with your data without your interaction.

The feature is available in E3: Universal for all types of evidence except memory dumps.

How to Process Evidence with Auto-Exam

1. Add evidence to the case.
2. Select the case node, evidence type node, or folder you want to process automatically.
3. On the Analysis tab, in the Auto-Exam group, click Auto-Exam.
4. The Auto-Exam wizard opens.


5. Define the sorting, search, and report generation options for your evidence (for more details, see the help file).
6. Click Start Auto-Exam.
7. The evidence analysis tasks are displayed in the Tasks pane, where they can be stopped, paused, and resumed (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. To view the sorted files, click the Sorted Files tab.
9. To view the search results when the search is completed, in the Tasks pane, on the Completed tab, find the Searching task and double-click it. The Advanced Search pane opens with the search results.
10. The generated reports open automatically when the corresponding Reporting tasks are completed.

How to Enable and Disable Auto-Exam Wizard Automatic Pop-up Option

By default, the Auto-Exam wizard opens after new evidence is added to the case.

To disable the Auto-Exam wizard automatic pop-up option, select Do not show this window on adding evidence at the bottom of the Auto-Exam window.

To enable the Auto-Exam wizard automatic pop-up option, do the following:

1. In the Case menu, select Options.
2. In the Options window that opens, select the Common category of options (to the left).


3. Select Show Auto-Exam dialog on adding evidence.
4. Click OK to apply the settings.
5. The Auto-Exam wizard will open automatically after new evidence is added to the case.


How to Perform Content Analysis

How to Perform Sorting in Evidence/Mobile Data

Electronic Evidence Examiner allows you to sort the files in evidence/mobile data, i.e. to determine their file types from content. The following file types are detected after sorting: Documents, Email, Chats, Databases, Compressed, Encrypted, Spreadsheets, Graphics, Executable, Multimedia, Text, XML, Financial files, Game Console files, Others (Unknown), and Unallocated Files.

To perform sorting, do the following:

1. Create a new case and add data to it, or open an existing case with data.
2. The structure of the evidence/mobile data is displayed in the Case Content pane (to the left); the contents of the selected folder/file are displayed in the Data View pane (to the right).
3. Select the folder where you want to perform sorting.
4. Right-click and select Sort Data from the Content Analysis sub-menu, or on the Evidence tab, in the Content Analysis group, click Content Analysis and then click Sort Data.
5. The Content Analysis wizard opens.

6. Define the sorting options (for more information, please see the help file).


7. After all the selections are made, click Finish.
8. The sorting process is displayed in the Tasks pane, where it can be stopped, paused, and resumed (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
9. To view the sorted files, click the Sorted Files tab.
10. The files are sorted into categories according to their file types and displayed in a tree-view structure.
11. To view the sorted files of a category, select that category in the Sorted Files pane (to the left). The contents are displayed in the Data View pane (to the right).
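Sorting places files into categories by what their bytes contain, not by what their names claim, which is why a PNG renamed to .txt still lands under Graphics. The following is an added example (not code from Electronic Evidence Examiner) of that idea in Python: a small, constructed signature table plus a PE header check, a text heuristic, and a fallback to Others. The signature list and the category names assigned to each signature are assumptions for illustration; the product's own signature database is not documented on this page, and a production sorter refines containers further (a ZIP may be a Word document). The sample files are constructed inline.

```python
import struct

# Constructed signature table for illustration; E3's own list is not documented
# on this page. Entries: (magic bytes, offset in file, category).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", 0, "Graphics"),
    (b"\xff\xd8\xff", 0, "Graphics"),                        # JPEG
    (b"GIF87a", 0, "Graphics"),
    (b"GIF89a", 0, "Graphics"),
    (b"%PDF-", 0, "Documents"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "Documents"),  # OLE2 compound file
    (b"PK\x03\x04", 0, "Compressed"),                        # ZIP (also docx/xlsx)
    (b"\x1f\x8b", 0, "Compressed"),                          # gzip
    (b"Rar!\x1a\x07", 0, "Compressed"),
    (b"SQLite format 3\x00", 0, "Databases"),
    (b"ID3", 0, "Multimedia"),                               # MP3 with ID3 tag
    (b"RIFF", 0, "Multimedia"),                              # WAV / AVI
    (b"ftyp", 4, "Multimedia"),                              # MP4 / MOV / 3GP
]


def is_pe(data):
    """Windows PE: 'MZ' stub whose e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_text(data):
    """Heuristic: no NUL bytes and almost all printable ASCII in the first 512 bytes."""
    sample = data[:512]
    if not sample or b"\x00" in sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.95


def classify(data):
    """Assign one of the page's sorting categories from content, never from the name."""
    if is_pe(data):
        return "Executable"
    for magic, offset, category in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return category
    if data.lstrip()[:5].lower() == b"<?xml":
        return "XML"
    if looks_like_text(data):
        return "Text"
    return "Others"


def sort_files(files):
    """Group {name: bytes} into {category: [names]}, like the Sorted Files tree."""
    buckets = {}
    for name, data in files.items():
        buckets.setdefault(classify(data), []).append(name)
    return {category: sorted(names) for category, names in buckets.items()}


def build_pe_stub():
    """Minimal constructed MZ/PE header pair, enough for is_pe(); not a real binary."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


# Constructed samples. Note the PNG saved as .txt and the extension-less files:
# a name-based sort would mislabel all of them.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "renamed.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "archive.zip": b"PK\x03\x04" + b"\x00" * 26,
    "chat.db": b"SQLite format 3\x00" + b"\x00" * 84,
    "tool.exe": build_pe_stub(),
    "notes": b"Meeting at 10am, bring the signed contract.\n",
    "config": b'<?xml version="1.0"?><settings/>',
    "blob.bin": bytes(range(256)),
}

if __name__ == "__main__":
    for category, names in sorted(sort_files(SAMPLE_FILES).items()):
        print(f"{category}: {', '.join(names)}")
```

A file with an "MZ" stub but no "PE\0\0" at e_lfanew (a DOS executable, or a deliberately broken header) does not pass is_pe() and falls through to the other checks; that is the kind of edge case to keep in mind when a suspicious file does not show up under Executable.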

How to Perform Keyword Indexing in Evidence/Mobile Data

Electronic Evidence Examiner allows you to perform keyword indexing in data added to a case. Indexing keywords means saving information about all keywords found in the evidence/mobile data to a database. Indexed keywords are then found quickly when a Keyword search is performed. A keyword is a sequence of symbols delimited by a space or by a punctuation mark.

The database with the indexed keywords is placed next to the corresponding case and carries the _keyword_indexing name.

Do not move, rename, or delete any part of the keyword indexing database, because that makes the indexing information unavailable: keyword searches for this evidence will not be performed, or will return incomplete results.

To perform keyword indexing, do the following:

1. Create a new case and add data to it, or open an existing case with data.
2. The structure of the case data is displayed in the Case Content pane (to the left); the contents of the selected folder/file are displayed in the Data View pane (to the right).
3. Select the folder, file, etc. where you want to perform keyword indexing.
4. Right-click and select Index Keywords from the Content Analysis sub-menu, or on the Evidence tab, in the Content Analysis group, click Content Analysis and then click Index Keywords.
5. The Content Analysis wizard opens.


6. Define the keyword indexing options (for more information, please see the help file).
7. After all the selections are made, click Finish.
8. The keyword indexing process is displayed in the Tasks pane, where it can be stopped, paused, and resumed (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
9. Once the keyword indexing process is completed, you can start a keyword search for this evidence/mobile data.
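The reason an indexed keyword search is so much faster than a regular search is that the index is built once and each query then becomes a dictionary lookup instead of a scan of every item. The following is an added example (not code from Electronic Evidence Examiner, whose index format is not described on this page) of such an inverted index in Python, using the page's own definition of a keyword as a run of symbols delimited by whitespace or punctuation. The messages and identifiers are constructed for the example; to_dict/from_dict stand in for the on-disk database that must not be moved or renamed.

```python
import re
from collections import defaultdict

# A keyword as the page defines it: a run of symbols delimited by whitespace or
# punctuation. \W matches both; the underscore is excluded explicitly.
TOKEN_RE = re.compile(r"[^\W_]+")


def tokenize(text):
    """Split text into lower-cased keywords."""
    return [token.lower() for token in TOKEN_RE.findall(text)]


class KeywordIndex:
    """Inverted index: keyword -> set of item ids that contain it."""

    def __init__(self):
        self._postings = defaultdict(set)

    def add(self, item_id, text):
        for token in set(tokenize(text)):
            self._postings[token].add(item_id)

    def search(self, query, mode="all"):
        """Ids matching every query keyword ('all') or any of them ('any')."""
        terms = tokenize(query)
        if not terms:
            return set()
        hits = [self._postings.get(term, set()) for term in terms]
        return set.intersection(*hits) if mode == "all" else set.union(*hits)

    def to_dict(self):
        """Serializable form: what would be persisted next to the case."""
        return {term: sorted(ids) for term, ids in self._postings.items()}

    @classmethod
    def from_dict(cls, data):
        index = cls()
        for term, ids in data.items():
            index._postings[term].update(ids)
        return index


# Constructed messages standing in for the items of an e-mail database.
SAMPLE_MESSAGES = {
    "msg-001": "Invoice #4471 is overdue; please wire payment to acct. 99-1234 today.",
    "msg-002": "Re: invoice 4471 - payment sent via wire this morning.",
    "msg-003": "Lunch on Friday? The new place near the office opened.",
}


def build_index(messages):
    index = KeywordIndex()
    for item_id, text in messages.items():
        index.add(item_id, text)
    return index


if __name__ == "__main__":
    index = build_index(SAMPLE_MESSAGES)
    print(sorted(index.search("wire payment")))
    print(sorted(index.search("99-1234")))  # tokenized to '99' and '1234'
```

One consequence of the delimiter rule is worth knowing when you plan a search: "acct. 99-1234" is indexed as the three keywords acct, 99 and 1234, so a query for 99-1234 matches any item containing both 99 and 1234, not only the hyphenated account number. Exact-string matches of that kind are what the regular (non-keyword) search is for.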

How to Analyze Sorted Graphic Files Using Thumbnails Viewer

Electronic Evidence Examiner allows you to analyze the sorted graphic files from all the categories in the Sorted Files pane using the Thumbnails viewer, and to select the graphic files of interest with the help of check boxes for further analysis. The selected graphic files can be added to bookmarks or exported.


The state of the check boxes is preserved while you work with the case or evidence. After closing the case, removing evidence, or clearing the content analysis results, all selected check boxes are cleared.

To select the graphic files in the Thumbnails viewer:

1. In the Sorted Files pane, select a category containing graphic files. The list of files is displayed in the Data View pane.
2. In the Data View pane, set the number of items to be displayed on a page.
3. Select the required page, or move between the pages starting from the first one.
4. Open the Thumbnails viewer.
5. Scroll down the page in the Thumbnails viewer and select the check boxes to the left of the thumbnails you are interested in.
6. To select all the thumbnails on the page, right-click any thumbnail in the Thumbnails viewer and choose Select All.
7. To clear all the thumbnails on the page, right-click any thumbnail in the Thumbnails viewer and choose Clear All.

Files selected in the Thumbnails viewer for sorted files are not marked for adding to the report. To add the selected files to the report, you need to select the check boxes next to them in the Case Content pane.

To add the graphic files to the bookmark:

1. Select the check boxes next to the thumbnails of the graphic files you want to add to the bookmark.
2. Right-click any thumbnail and select Bookmark Selected Files. The Bookmark Selected Data window opens.
3. Type the name of the bookmark and, optionally, its detailed description. In the Parent folder pane, select the user-created folder in which the bookmark will be stored. Click OK.
4. The bookmark is added and can be viewed in the Bookmarks pane.
5. Double-click the bookmark in the Bookmarks pane. The bookmarked files are listed on the Sorted Files tab in the Data View pane and can be analyzed via the Thumbnails viewer.

To export the graphic files:

1. Select the check boxes next to the thumbnails of the graphic files you want to export.
2. Right-click any thumbnail and select Export Selected Files. The Browse For Folder window opens.
3. Select a folder for the exported files and click OK. The selected files are exported to that folder.


How to Find All Graphic Files Stored in File System Evidence/Mobile Data

Electronic Evidence Examiner allows you to easily find all graphic data stored in added file system evidence or acquired/imported mobile data. Graphic files are sorted and placed in a separate category of sorted files.

To find all graphic files in evidence/mobile data, do the following:

1. Add the file system evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic in the How to investigate... sections).
2. The structure of the evidence/mobile data is displayed in the Case Content pane (to the left); the contents of the selected folder/node are displayed in the Data View pane (to the right).
3. Sort the selected evidence/mobile data or a part of it (for more information, please see the How to Perform Sorting in Evidence/Mobile Data topic).
4. In the Sorted Files pane, select the Graphics category.

5. The contents of the selected category are displayed in the Data View pane (to the right). Graphic files are also displayed in the Thumbnails pane (in the bottom part). 6. Select a file in the Data View pane. 7. The file contents are displayed in the File, Hex, and Text viewers (make sure that the viewers are enabled).
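Sorting places a file in the Graphics category based on its content rather than its file name, which is what lets an examiner find pictures that were renamed to look like documents. The following script is an added example written for this manual page, not Electronic Evidence Examiner's own sorting code: it identifies images by their leading signature bytes (JPEG, PNG, GIF, TIFF, WebP, BMP), flags files whose extension disagrees with their content, and runs over a small constructed directory tree. The signature table and the sample files are assumptions for the example.

```python
"""Signature-based identification of graphic files (added example, not E3 code).

Forensic sorting assigns a file to the Graphics category from its content,
not from its name. This script shows the technique on a directory tree:
read the first bytes of each file, compare them with known image
signatures, and flag files whose extension disagrees with their content.
"""
import tempfile
from pathlib import Path

# Magic-number table: (signature, offset, image type), taken from the
# published file-format headers. "BM" is short enough to hit text that
# happens to start with those letters, so a BMP hit is weaker evidence.
IMAGE_SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"II*\x00", 0, "tiff"),      # little-endian TIFF
    (b"MM\x00*", 0, "tiff"),      # big-endian TIFF
    (b"RIFF", 0, "webp"),         # RIFF container; confirmed by "WEBP" at offset 8
    (b"BM", 0, "bmp"),
]

# Extensions that legitimately carry each image type.
EXPECTED_EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
    "tiff": {".tif", ".tiff"},
    "webp": {".webp"},
    "bmp": {".bmp"},
}


def identify_image(header: bytes):
    """Return the image type for the leading bytes of a file, or None."""
    for signature, offset, kind in IMAGE_SIGNATURES:
        if header[offset:offset + len(signature)] != signature:
            continue
        if kind == "webp" and header[8:12] != b"WEBP":
            continue  # a RIFF file that is not WebP (e.g. WAV, AVI)
        return kind
    return None


def sort_graphics(root):
    """Walk a tree; return (name, type, extension_mismatch) for every image found."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            header = fh.read(16)
        kind = identify_image(header)
        if kind is None:
            continue
        mismatch = path.suffix.lower() not in EXPECTED_EXTENSIONS[kind]
        results.append((path.name, kind, mismatch))
    return results


def demo():
    """Build a constructed sample tree in a temp dir and sort it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        (root / "notes.txt").write_bytes(b"\xFF\xD8\xFF\xE0" + b"\x00" * 32)  # JPEG hidden as .txt
        (root / "readme.txt").write_bytes(b"just text\n")
        (root / "clip.wav").write_bytes(b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 16)
        return sort_graphics(root)


if __name__ == "__main__":
    for name, kind, mismatch in demo():
        flag = "  <-- extension does not match content" if mismatch else ""
        print(f"{kind:5} {name}{flag}")
```

The WAV file is deliberately included: it shares the RIFF prefix with WebP, so a signature table that stops at the first four bytes would mis-sort audio into the Graphics category.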


How to Perform Malware Scan

Electronic Evidence Examiner allows you to scan portable executable (PE) files for signs of malware.

To perform malware scan on executable files, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. The structure of the evidence/mobile data is displayed in the Case Content pane (to the left); the contents of the selected folder/file are displayed in the Data View pane (to the right).
3. Select a folder or file that you want to scan for signs of malware.
4. Right-click and select Scan for Malware from the Content Analysis sub-menu, or on the Evidence tab, in the Content Analysis group, click Content Analysis and then click Scan for Malware.
5. The Content Analysis wizard opens.


6. On the General options page, select Scan Windows PE files for malware.
7. Set other content analysis options (for more information, please see the help file).
8. After all the selections are made, click Finish.
9. The progress of the malware scan is displayed in the Tasks pane, where it can be stopped, paused, and resumed (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
10. To view the results of the malware scan, do one of the following:

• Select a scanned file and open the Properties viewer. The signs of a file being malware are displayed on the Content Analysis tab of the Properties viewer.
• Generate a malware scan report (for more information, please see the corresponding How to prepare report topic).
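The manual does not document which indicators the scan reports on the Content Analysis tab, so the script below is an added example, not Electronic Evidence Examiner's engine. It shows two generic signs an examiner checks in a PE section table before deeper analysis: sections whose raw data has near-random entropy (packed or encrypted code) and sections mapped both writable and executable (self-modifying or unpacking code). The PE parsing follows the public IMAGE_SECTION_HEADER layout; the two sample images are constructed in memory and are headers only, not runnable programs. The 7.0 bits-per-byte threshold is an assumption.

```python
"""Static triage of Windows PE files for packing and suspicious section flags.

Added example, not E3's scanning engine. High entropy and writable+executable
sections also occur in some legitimate binaries (compressed installers,
JIT runtimes), so treat hits as leads for analysis, not as verdicts.
"""
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
HIGH_ENTROPY = 7.0               # bits per byte; 8.0 is uniformly random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Parse the section table of a PE image; raises ValueError if not PE."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    size_of_optional = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + size_of_optional                      # first section header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, image, table + i * 40)
        name, _vsize, _vaddr, raw_size, raw_ptr = fields[:5]
        characteristics = fields[9]
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "entropy": shannon_entropy(raw),
            "executable": bool(characteristics & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(characteristics & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def malware_signs(image: bytes):
    """Return human-readable indicators found in the PE section table."""
    signs = []
    for s in parse_sections(image):
        if s["entropy"] > HIGH_ENTROPY:
            signs.append(f"section {s['name']}: entropy {s['entropy']:.2f}, likely packed or encrypted")
        if s["executable"] and s["writable"]:
            signs.append(f"section {s['name']}: writable and executable")
    return signs


def build_sample_pe(section_data: bytes, characteristics: int) -> bytes:
    """Constructed minimal PE32 image with one section (headers only, not runnable)."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    size_of_optional = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    raw_ptr = 0x200  # first file-alignment boundary after the headers
    section = struct.pack(SECTION_HEADER, b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, characteristics)
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(optional) + section
    return headers.ljust(raw_ptr, b"\x00") + section_data


def demo():
    """Run the triage on a benign-looking and a packed-looking constructed sample."""
    plain_code = b"\x90" * 512 + bytes(range(256))
    # Deterministic pseudo-random bytes stand in for packed code.
    packed_code = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    benign = build_sample_pe(plain_code, IMAGE_SCN_MEM_EXECUTE | 0x40000000 | 0x20)
    packed = build_sample_pe(packed_code, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40000000 | 0x20)
    return {"benign": malware_signs(benign), "packed": malware_signs(packed)}


if __name__ == "__main__":
    for label, signs in demo().items():
        print(label, "->", signs or ["no indicators"])
```

Because the scan in the wizard runs over every PE in the selected node, anything reported should be cross-checked against a known-file hash database (see the hash database topics later in this section) before time is spent on it: a packed but legitimate installer eliminates itself quickly that way.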

How to Extract Text Data in Default Language from Graphic Files

If graphic files stored in evidence/mobile data contain text, it can be extracted and viewed in the Extracted Text viewer. Once the extracted text is parsed and indexed, you can run keyword searches in it, which are much faster than regular searches.

Electronic Evidence Examiner allows you to extract text data from graphic files when you perform content analysis.

To extract text data, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. Right-click and select Index Keywords in Images (OCR) from the Content Analysis sub-menu, or on the Evidence tab, in the Content Analysis group, click Content Analysis and then click Index Keywords in Images (OCR).
3. The Content Analysis wizard opens.


4. On the General options page, select Extract and index text from graphic files (OCR).
5. Set other content analysis options if necessary (for more information, please see the help file).
6. After all the selections are made, click Finish.
7. The text extraction process starts. Its progress is displayed in the Tasks pane.
8. Once the process is completed, you can view the extracted text for the selected graphic file in the Extracted Text viewer and perform searches in the extracted text data.

How to Extract Text Data in Non-Default Language from Graphic Files

If graphic files stored in the added evidence contain text in a language other than the default one, Electronic Evidence Examiner allows you to select the desired language for extraction. By default, only English is available; other language packs can be downloaded from Paraben's website: https://paraben.com/paraben-e3-drivers/.


To add the downloaded language pack to Electronic Evidence Examiner, do the following:

1. Download the desired language pack from the website.
2. Extract the files from the archive.
3. Copy the files to C:\Program Files (x86)\Paraben Corporation\Electronic Evidence Examiner\tessdata.
4. If Electronic Evidence Examiner was running, close it and start it again.
5. In the Case menu, select Options.
6. In the opened Options window, select the Common category of options (to the left).
7. Choose the desired language from the Default language for text data extracted from images (OCR) list (to the right).
8. Click OK to apply the settings.

To extract text data in a non-default language, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. Right-click and select Index Keywords in Images (OCR) from the Content Analysis sub-menu, or on the Evidence tab, in the Content Analysis group, click Content Analysis and then click Index Keywords in Images (OCR).
3. The Content Analysis wizard opens.


4. On the General options page, select Extract and index text from graphic files (OCR).
5. Select the language.
6. Set other content analysis options if necessary (for more information, please see the help file).
7. After all the selections are made, click Finish.
8. The text extraction process starts. Its progress is displayed in the Tasks pane.
9. Once the process is completed, you can view the extracted text for the selected graphic file in the Extracted Text viewer and perform searches in the extracted text data.
10. To select a non-default language for text extraction while viewing an image in the Extracted Text viewer, right-click the viewer and select the language you want from the list.


How to Search in Sorted Data

Electronic Evidence Examiner allows you to perform searches in sorted files using special parameters.

To perform searching, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. The structure of the evidence/mobile data is displayed in the Case Content pane (to the left); the content of the selected folder/node is displayed in the Data View pane (to the right).
3. Sort files in the evidence/mobile data (for more information, please see the How to perform sorting in evidence/mobile data topic).
4. On the Analysis tab, in the Search group, click Sorted Files Search.
5. The Sorted Files Search pane opens.

6. Define the Sorted Files Search parameters (for more information, please see the help file).

To find all sorted files, leave all boxes empty.

7. Click Run Query. The Sorted Files Search results are displayed in the bottom of the Sorted Files Search pane.


How to Search for Text Data

Electronic Evidence Examiner allows you to perform searches for text data in added evidence. Keyword searches are performed much faster than regular searches. Please note that keywords in the evidence need to be indexed before you perform a keyword search.

To perform a keyword search, do the following:

1. Select the case node, evidence node, folder, message, etc. where you want to search for data.
2. Perform keyword indexing in the evidence/mobile data (for more information, please see the How to perform keyword indexing in evidence/mobile data topic).
3. Right-click and select Keyword Search, or on the Analysis tab, in the Search group, click Keyword Search.
4. The Keyword Search pane opens (to the right).

5. Enter the Search Parameters.

• In the Search what box, enter the desired keywords using Boolean logic. Click Load Words to load text expressions from a text file or use one of the pre-defined search term lists.
• Whole word option: If this check box is selected, only whole words are matched during the text search (e.g., if you search for "cat" with this parameter, the word "catalog" will not be found).
• Search in (for email databases only): Select the places in email databases where the search will be performed. The following options are available:


o Subject: Select this option to search in the message subject.
o Body: Select this option to search in the message body.
o Contacts: Select this option to search in mailbox contacts.
o Calendars: Select this option to search in mailbox calendars.
o Attachment file names: Select this option to search in the file names of message attachments.
o Attachments: Select this option to search in attachment bodies.
o Sender: Select this option to search in the email Sender field.
o Recipient: Select this option to search in the Recipient, CC, and BCC fields of an email.

6. Click Start.
7. The search starts. Its status is displayed in the Tasks pane, where it can be stopped, paused, and resumed (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).
8. Search results are displayed in the bottom part of the Search pane.
9. Double-click a search result to open it in the Viewers pane.
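The difference between the Whole word option, a substring match, and the Search in fields is easiest to see on a tiny mailbox. The script below is an added example written for this page, not Electronic Evidence Examiner's search engine; the three messages are constructed sample data. The query grammar it implements is an assumption: terms joined by AND and OR (uppercase), an optional NOT before a term, NOT binding tighter than AND and AND tighter than OR, no parentheses.

```python
"""Keyword search with Boolean operators and a whole-word option (added example, not E3 code)."""
import re

# Constructed sample mailbox: message id -> fields a mail parser would expose.
MESSAGES = {
    "msg-001": {"subject": "Invoice attached", "body": "The cat sat on the mat.",
                "sender": "alice@example.com", "recipient": "bob@example.com"},
    "msg-002": {"subject": "Product catalog", "body": "Updated catalog for Q3.",
                "sender": "carol@example.com", "recipient": "bob@example.com"},
    "msg-003": {"subject": "Re: cat pictures", "body": "Sending the catalog of cat photos.",
                "sender": "bob@example.com", "recipient": "alice@example.com"},
}


def match_keyword(text: str, keyword: str, whole_word: bool) -> bool:
    """Case-insensitive match; whole_word requires non-word characters around the hit.

    The lookarounds (rather than \\b) make keywords such as "example.com" or
    "alice" match inside an address, where "@" and "." are not word characters.
    """
    if whole_word:
        pattern = r"(?<!\w)" + re.escape(keyword) + r"(?!\w)"
        return re.search(pattern, text, re.IGNORECASE) is not None
    return keyword.lower() in text.lower()


def keyword_search(query: str, messages=MESSAGES, fields=("subject", "body"), whole_word=True):
    """Return the set of message ids matching the Boolean query in the chosen fields."""
    all_ids = set(messages)
    hits = set()
    for or_clause in re.split(r"\s+OR\s+", query.strip()):
        clause_hits = set(all_ids)
        for term in re.split(r"\s+AND\s+", or_clause):
            negate = term.upper().startswith("NOT ")
            keyword = term[4:].strip() if negate else term.strip()
            term_hits = {
                mid for mid, msg in messages.items()
                if any(match_keyword(msg.get(f, ""), keyword, whole_word) for f in fields)
            }
            clause_hits &= (all_ids - term_hits) if negate else term_hits
        hits |= clause_hits
    return hits


if __name__ == "__main__":
    print("cat (whole word):   ", sorted(keyword_search("cat")))
    print("cat (substring):    ", sorted(keyword_search("cat", whole_word=False)))
    print("cat AND NOT catalog:", sorted(keyword_search("cat AND NOT catalog")))
    print("alice in Sender:    ", sorted(keyword_search("alice", fields=("sender",))))
```

A practical point the example makes visible: a whole-word search for a short keyword like "cat" is the one that reduces noise, while a substring search is the one that catches a keyword embedded in a longer token (a file name, a URL, an obfuscated word). Running both and comparing the result sets is cheaper than re-reading a large result list.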

How to Search in Extracted Text Data

When searching for text data in evidence/mobile data, you can also search the text extracted from graphic images. If you performed text extraction from images before starting the search, you can run a keyword search (please see the How to search for text data topic) in the extracted text, which is much faster than a regular search.

To perform searches in the extracted text data, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. Right-click and select Advanced Search, or on the Analysis tab, in the Search group, click Advanced Search.
3. The Search pane opens.


4. Select the File System Data > Search Text Scope tab, select the Extracted text data for images (OCR) option, and optionally change the language for extraction. You can download additional language packs from Paraben's website: https://paraben.com/paraben-e3-drivers/ (for more information, please see the How to Extract Text Data in Non-Default Language from Graphic Files topic).
5. Enter other search parameters if necessary.
6. Click Start or press Enter.
7. The search begins. Its status is displayed in the Tasks pane, where it can be stopped, paused, and resumed.
8. The search results are displayed in the bottom part of the Search pane.
9. Double-click a result found in the extracted text data to open it, highlighted, in the Extracted Text viewer.

The text is displayed in the default language set in Electronic Evidence Examiner Options. You can change the language by right-clicking the viewer and selecting the language in the right-click menu.

How to Use Image Analyzer

The Image Analyzer feature allows you to find the potentially illicit images falling under the following categories: Drugs, Gore, Porn, Swim underwear, Extremism, Weapons, and Suspicious.

To use the Image Analyzer during the sorting, do the following:

1. Make sure that the E3 Image Analysis Boost package is activated.
2. Select a folder where you want to perform sorting.
3. Right-click and select Sort Data from the Content Analysis sub-menu, or on the Evidence tab, in the Content Analysis group, click Content Analysis and then click Sort Data.


4. The Content Analysis wizard opens.
5. Select the Image Analyzer Options page.
6. On the Image Analyzer Options page, select the Use Image Analyzer check box.
7. Set the Engine sensitivity rate. Increasing the engine sensitivity decreases the number of false positives (non-illicit images being placed in the wrong category), and decreasing it has the opposite effect.
8. To use the file filter, select the Use file filter check box. If this check box is selected, only files whose size falls within the defined range are checked by the Image Analyzer. Define the file size range in KB in the From and To boxes.
9. To use the resolution filter, select the Use resolution filter check box. If this check box is selected, only images whose dimensions fall within the defined range are checked by the Image Analyzer. Define the vertical and horizontal image resolution range in pixels in the From and To boxes.
10. After defining all the settings, click Finish.

11. After the sorting process is completed, the graphic files will be sorted into nine categories in the Sorted Files pane: Drugs, Gore, Porn, Swim underwear, Extremism, Weapons, Suspicious, Clean, and Skipped.


12. To view images sorted with the help of Image Analyzer, select the Image Analyzer Results node in the Sorted Files pane.
13. Click an Image Analyzer category. The list of images is displayed in the Data View pane, and the images are displayed in the Thumbnails viewer to the right of the Data View pane.
14. Select an image in the Data View pane and view it in the File viewer.
15. In the File viewer, use the File viewer toolbar to rotate and zoom the image.


How to Work with Hash Databases

How to Use NIST Hash Database

The NIST hash database contains the hash codes of known system files. The Common Files (NIST) database can be installed via a special installation file downloaded from https://paraben.com/paraben-downloads/. After the installation, the Common Files (NIST) database will be converted to Electronic Evidence Examiner format (*.nst), imported to Electronic Evidence Examiner and automatically attached to the case opened or created in it.

To use the NIST hash database, do the following:

1. Install the NIST hash database (for more information, please see the help file).
2. Start Electronic Evidence Examiner.
3. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
4. Sort files in the added evidence (please see the corresponding How to perform sorting in the added evidence topic).
5. On the Analysis tab, in the Search group, click Sorted Files Search.
6. The Sorted Files Search pane opens (to the right).
7. Click the Hash Databases tab on the Sorted Files Search pane.
8. By default, the NIST hash database is located in the Denied databases list. It contains the hash codes of files to be eliminated from the search.
9. Define other parameters for the search in the sorted files if necessary (for more information, please see the help file).
10. After all the parameters are defined, click Run Query. The sorted files search starts.
11. The search progress is displayed in the Tasks pane.
12. The sorted files search results are displayed in the bottom of the Sorted Files Search pane.

How to Use User-Created Hash Databases

User hash databases are hash code databases created by Electronic Evidence Examiner users. They contain the hash codes of files that can be used when searching for or filtering files based on hash values. User hash databases have a *.pdh extension.


To use a user-created hash database, do the following:

1. Create a new case.
2. Create a new hash database (for more information, please see the help file).
3. The database is created and attached to the case.
4. Right-click the hash database and select Add New Group/MD5.
5. In the opened Add New MD5 window, enter the name of the group and the MD5 of the file that you want to add to the hash database.
6. The MD5 is added to the hash database.
7. Sort files in the added evidence (please see the corresponding How to Perform Sorting in Added Evidence topic).
8. On the Analysis tab, in the Search group, click Sorted Files Search.
9. The Sorted Files Search pane opens (to the right).
10. Click the Hash Databases tab on the Sorted Files Search pane.
11. Move the user-created hash database from the Hash databases list to the Accepted databases list to search (filter) for files whose MD5s match the ones in the hash database. Move the user-created hash database to the Denied databases list to search (filter) for all files other than those whose MD5s match the ones in the hash database.
12. Define other parameters for the search in the sorted files if necessary (for more information, please see the help file).


13. After all the parameters are defined, click Run Query. The sorted files search starts.
14. The search progress is displayed in the Tasks pane.
15. The sorted files search results are displayed at the bottom of the Sorted Files Search pane.
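The NIST and user-created hash database topics above describe the same filtering logic from two sides: a Denied database eliminates files whose hash it contains (known system files), and an Accepted database keeps only files whose hash it contains (hashes the examiner is hunting for). The script below is an added example written for this page, not Electronic Evidence Examiner's *.nst/*.pdh handling; it implements that logic over a constructed set of files. The text database format (one hex digest per line, optional comment after a comma) is an assumption. It computes SHA-256 alongside MD5 because MD5 collisions are practical to construct, so an MD5-only hit on an Accepted list should be confirmed with a second hash before it is relied on.

```python
"""Known-file filtering with accepted and denied hash databases (added example, not E3 code)."""
import hashlib
import tempfile
from pathlib import Path


def file_hashes(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading the file in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def load_hash_database(text: str):
    """Parse 'digest[,comment]' lines into a set of lowercase hex digests."""
    digests = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digests.add(line.split(",", 1)[0].strip().lower())
    return digests


def filter_files(paths, accepted, denied):
    """Classify each file as eliminated (denied hit), matched (accepted hit) or unknown.

    Denied is checked first, mirroring the manual: a file in the denied list is
    removed from the result set whatever else it matches.
    """
    result = {"eliminated": [], "matched": [], "unknown": []}
    for path in paths:
        md5, sha256 = file_hashes(path)
        name = Path(path).name
        if md5 in denied or sha256 in denied:
            result["eliminated"].append(name)
        elif md5 in accepted or sha256 in accepted:
            result["matched"].append(name)
        else:
            result["unknown"].append(name)
    return result


def demo():
    """Constructed sample: three files and two small hash databases."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "kernel32.dll": b"pretend system library\n",
            "payload.bin": b"abc",
            "notes.txt": b"unclassified content\n",
        }
        for name, content in files.items():
            (root / name).write_bytes(content)
        # Denied database: hash of the "known system file", as an NSRL-style set would hold.
        denied = load_hash_database(
            hashlib.md5(files["kernel32.dll"]).hexdigest() + ",kernel32.dll\n"
        )
        # Accepted database: MD5 of b"abc", standing in for the examiner's target hash.
        accepted = load_hash_database(
            "# target hashes\n900150983cd24fb0d6963f7d28e17f72,suspected payload\n"
        )
        return filter_files(sorted(root.iterdir()), accepted, denied)


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:10}: {names}")
```

The order of the checks matters for the interpretation of the result: if the same digest appears in both lists, the file is eliminated, not matched. When building a user database of known-bad hashes, record the hash algorithm next to each digest so that a 32-hex-character MD5 and a 64-hex-character SHA-256 are never compared against the wrong set.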


How to Prepare Report

How to Prepare Report

Electronic Evidence Examiner allows you to make a summary of the currently open case, i.e., to generate a report.

To generate a report, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. The structure of the evidence/mobile data is displayed in the Case Content pane (to the left); the contents of the selected folder/node are displayed in the Data View pane (to the right).
3. In the Case Content pane or in the Data View pane, check the data you want to add to the report. You can check the evidence or a part of it, a category of sorted files, or bookmarks.
4. On the Reports tab, in the Reports group, click Generate Report.
5. The Reports Wizard opens.


6. On the General Options page, define the type of report and the destination folder for it.
7. Move between the other pages of the wizard to set the options you need (for more information, please see the help file).
8. After all the selections are made, click Finish to generate the report.
9. The report generation progress is displayed in the Tasks pane.
10. Once the report is generated, you can open it either directly from the folder to which it was generated or by right-clicking the completed report generating task in the Tasks pane.

How to Add Graphics from Message Attachments to Report

Electronic Evidence Examiner allows you to add graphic files from message attachments to a generated report.

To generate a report with graphics from message attachments, do the following:

1. Add mailstorage evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added mailstorage is displayed in the Case Content pane (to the left); the contents of the selected folder/node are displayed in the Data View pane (to the right).
3. In the Case Content pane or in the Data View pane, check the data you want to add to the report. You can select the mailstorage or a part of it, a category of sorted files, or bookmarks.
4. On the Reports tab, in the Reports group, click Generate Report.
5. The Reports Wizard opens.


6. On the General Options page, define the type of report and the destination folder for it.
7. On the Mailstorage Evidence page, select Include graphics from the attachments (will be added as thumbnails) to add graphic files from the message attachments to the report.


8. Move between the other pages of the wizard to set the options you need (for more information, please see the help file).
9. After all the selections are made, click Finish to generate the report.
10. The report generation progress is displayed in the Tasks pane.
11. When the report is generated, you can open it either directly from the folder to which it was generated or by right-clicking the completed report generating task in the Tasks pane.


How to Generate Search Results Report

When the search is finished, its results can be added to a special Search results report. This report is a summary of the currently open case whose contents are controlled by the examiner and can be printed, e-mailed, etc.

To generate a Search results report, do the following:

1. Perform a search (for more information, please see the corresponding How to search... topics).
2. Right-click the search result(s) in the Search results area of the Search pane and select Generate Search Results Report. Multi-selection is available.
3. The Search Results Report window opens.

4. Select the type of report: HTML or CSV.
5. Select the Include investigator information check box to add the investigator information to the report.
6. Select the Export found files and folders to the external folder and add links check box to export the files/folders to which the search results point and add hyperlinks to them in the report.
7. Click Browse to navigate to the folder where the report will be generated.
8. Click Generate to generate the Search results report. The report generation progress is displayed in the Tasks pane.


9. Once the report is generated, you can open it either directly from the folder where it was generated or by right-clicking the completed Report Generating task in the Tasks pane.
10. The Search Results Report is displayed.


How to Use Data Triage

How to View Email Databases Detected via the Registry

Using Electronic Evidence Examiner, you can view the email databases installed on the investigated computer. Electronic Evidence Examiner searches for the installed databases in the Registry. The list of all detected email databases is displayed to the user and then databases can be parsed.

Auto-detection is available only for system/physical disks or images of system/physical disks.

To view the email databases in the Registry, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. For physical drive evidence, the Data Triage node is placed at the same level as the partition nodes; for system disk evidence, it is placed at the same level as the Root and Trash nodes.
4. Select the Email Databases node. The contents of the node are displayed in the Data View pane (to the right). Deleted email databases are marked red; email databases stored in another location are marked gray; email databases that are available and whose structure and contents can be viewed are marked black.
5. Double-click the desired database. The selected database is parsed and placed as a sub-node of the Email Databases node.
6. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).

How to View Chat Databases in the Registry

With the help of Electronic Evidence Examiner, you can view the chat databases installed on the investigated computer. Electronic Evidence Examiner searches for installed databases in the Registry. The list of all detected chat databases is displayed to the user and then databases can be parsed.

Auto-detection is available only for system/physical disks or images of system/physical disks.


To view the chat database in the Registry, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. For physical drive evidence, the Data Triage node is placed at the same level as the partition nodes; for system disk evidence, it is placed at the same level as the Root and Trash nodes.
4. Select the Chat Databases node. The contents of the node are displayed in the Data View pane (to the right). Deleted chat databases are marked red; chat databases stored in another location are marked gray; chat databases that are available and whose structure and contents can be viewed are marked black.
5. Double-click the desired database. The selected database is parsed and placed as a sub-node of the Chat Databases node.
6. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).

How to View Internet Browser Data in the Registry

Electronic Evidence Examiner allows you to view data of the Internet browsers installed on the investigated computer. Electronic Evidence Examiner searches for installed browsers in the Registry. The list of all detected Internet browsers is displayed to the user and then databases can be parsed.

Auto-detection is available only for system/physical disks or images of system/physical disks.

To view the Internet browser data in the Registry, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. For physical drive evidence, the Data Triage node is placed at the same level as the partition nodes; for system disk evidence, it is placed at the same level as the Root and Trash nodes.
4. Select the Internet Browser Data node. The contents of the node are displayed in the Data View pane (to the right). Deleted data is marked red; Internet browser data stored in another location is marked gray; Internet browser data that is available and whose structure and contents can be viewed is marked black.


5. Double-click the desired Internet browser data. The selected data is parsed and placed as a sub-node of the Internet Browser Data node.
6. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).

How to View Detected My Documents Folders

Using Electronic Evidence Examiner, you can view the location of the My Documents folder(s) on the investigated computer. Electronic Evidence Examiner searches for the My Documents folder(s) in the Registry. The detected folder is displayed to the user and then its contents can be viewed.

Auto-detection is available only for system/physical disks or images of system/physical disks.

To view the My Documents folder in the Registry, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. For physical drive evidence, the Data Triage node is placed at the same level as the partition nodes; for system disk evidence, it is placed at the same level as the Root and Trash nodes.
4. Select the My Documents Folders node. The contents of the node are displayed in the Data View pane (to the right). Deleted data is marked red; data stored in another location is marked gray; data that is available and whose structure and contents can be viewed is marked black.
5. Double-click the desired folder. The selected folder is parsed and placed as a sub-node of the My Documents Folders node.
6. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).

How to View Detected Recently Used Files

Electronic Evidence Examiner allows you to view files and documents that were most recently used. Information about these files includes file names, locations, file types, names of users, and status (can be available or not). The list of the detected recently used files is displayed to the user. If these files include files that can be parsed (OLE Storages, email databases, etc.), there will be a special mark next to the name of the file.

Auto-detection is available only for system/physical disks or images of system/physical disks.


To view the recently used files in the Registry, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. For physical drive evidence, the Data Triage node is placed at the same level as the partition nodes; for system disk evidence, it is placed at the same level as the Root and Trash nodes.
4. Select the Recently Used Files node. The contents of the node are displayed in the Data View pane (to the right). Deleted files are marked red; files located in another location are marked gray; files that are available and whose structure and contents can be viewed are marked black.
5. Double-click the desired file. The selected file is parsed and placed as a sub-node of the Recently Used Files node.
6. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).

How to View Media Databases

With the use of Electronic Evidence Examiner, you can view the databases with information about user’s media file collections on the investigated computer. The list of all detected media databases is displayed to the user and then databases can be parsed.

Auto-detection is available only for system/physical disks or images of system/physical disks.

To view the media databases, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. For physical drive evidence, the Data Triage node is placed at the same level as the partition nodes; for system disk evidence, it is placed at the same level as the Root and Trash nodes.
4. Select the Media Data node. The contents of the node are displayed in the Data View pane (to the right). Deleted data is marked red; data stored in another location is marked gray; data that is available and whose structure and contents can be viewed is marked black.


5. Double-click the desired database. The selected database is parsed and placed as a sub-node of the Media Data node.
6. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).
7. Open the Folder table to view the names of media collections (Folder_DisplayName column) and their paths (Folder_Path column).
8. Open the Item table to view the names of media files (Item_FileName column) and the media collections they belong to (Item_ParentFolderId column).

How to View Cortana Search Suggestions, Search Results and Voice Commands

Electronic Evidence Examiner allows you to view folders with Cortana search suggestions, search results and voice commands on the investigated computer. The detected folders are displayed to the user and then their contents can be viewed.

To view the folders with Cortana search suggestions, search results and voice commands, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. For physical drive evidence, the Data Triage node is placed at the same level as the partition nodes; for system disk evidence, it is placed at the same level as the Root and Trash nodes.
4. Select the Windows Search & Communication node. The contents of the node are displayed in the Data View pane (to the right). Deleted data is marked red; data stored in another location is marked gray; data that is available and whose structure and contents can be viewed is marked black.
5. Double-click the folder. To view Cortana search suggestions and search results, open the INetCache folder.
6. To view the records of user voice commands, open the Speech folder. The voice commands are saved in the WAV audio file format and can be played with an external player.
7. The selected folder is placed as a sub-node of the Windows Search & Communication node.
8. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).

395

How to View Data from the Communications Apps

Electronic Evidence Examiner allows you to view the folders with Communications Apps data (data from the People and Mail and Calendar apps) on the investigated computer. The detected folders are displayed to the user and then their contents can be viewed.

Auto-detection is available only for system/physical disks or images of system/physical disks.

To view the folders with Communications Apps, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. If you add physical drive evidence, the Data Triage node will be placed under partition nodes on the same level. If you add system disk evidence, the Data Triage node will be placed under the Trash node on the same level as the Root and Trash nodes.
4. Select the Windows Search & Communication node. The contents of the node are displayed in the Data View pane (to the right). Deleted data is marked red; data stored in another location is marked gray; data that is available and whose structure and contents can be viewed is marked black.
5. Double-click the folder. To view the Communications Apps data, open the microsoft.windowscommunicationsapps folder.
6. The selected folder is placed as a sub-node of the Windows Search & Communication node.
7. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).

How to View Windows Apps and Packages Data

Electronic Evidence Examiner allows you to view the folders with Windows applications and Windows packages available on the investigated computer, as well as a folder with deleted Windows applications.

To view folders with Windows apps and packages data, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. If you add physical drive evidence, the Data Triage node will be placed under partition nodes on the same level. If you add system disk evidence, the Data Triage node will be placed under the Trash node on the same level as the Root and Trash nodes.
4. Select the Windows Apps and Packages node. The list of folders is displayed in the Data View pane (to the right). Deleted data is marked red; data stored in another location is marked gray; data that is available and whose structure and contents can be viewed is marked black.
5. Double-click the folder. To view the Windows applications data, open the Windows Apps folder.
6. To view the Windows packages data, open the Packages folder.
7. To view the deleted Windows applications data, open the Deleted folder.
8. The selected folder is placed as a sub-node of the Windows Apps and Packages node.
9. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).

How to View File History Data

Electronic Evidence Examiner allows you to view the information on the backup files (Contacts, Desktop, Downloads, Favorites, Searches etc.) saved to the File History folder and their location in .xml format.

The File History data is only available when the File History is enabled on the investigated computer.

To view file history data, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. If you add physical drive evidence, the Data Triage node will be placed under partition nodes on the same level. If you add system disk evidence, the Data Triage node will be placed under the Trash node on the same level as the Root and Trash nodes.
4. Select the File History node. The contents are displayed in the Data View pane (to the right). Deleted data is marked red; data stored in another location is marked gray; data that is available and whose structure and contents can be viewed is marked black.
5. Double-click the Configuration folder. To view the File History data, open the Config#.xml file.
6. The content of the Config#.xml file can be viewed in the File Viewer. It contains the list of folders and files being backed up and the path to the backed-up data.

How to View Cloud Storages Data

Electronic Evidence Examiner allows you to view the folders with user’s files stored in OneDrive and Dropbox if such cloud storage services are installed on the investigated computer.

To find folders with cloud storage data, do the following:

1. Add system disk or physical drive evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).
2. The structure of the added evidence is displayed in the Case Content pane (to the left).
3. In the Case Content pane, expand the evidence tree. If you add physical drive evidence, the Data Triage node will be placed under partition nodes on the same level. If you add system disk evidence, the Data Triage node will be placed under the Trash node on the same level as the Root and Trash nodes.
4. Select the Cloud Storages node. The contents of the node are displayed in the Data View pane (to the right). Deleted data is marked red; data stored in another location is marked gray; data that is available and whose structure and contents can be viewed is marked black.
5. Double-click the folder. To view the cloud storage data, open the OneDrive and Dropbox folders.
6. The selected folder is placed as a sub-node of the Cloud Storages node.
7. You can view its structure and contents (for more information, please see the corresponding How to investigate... topics).

How to View Recent Typed URLs

Using the Data Triage, you can view Recent Typed URLs of different users.

The Data Triage is intended for detecting installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To view recent typed URLs, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system for which you want to find the list of URLs recently typed by a user(s).
5. Select the Users Info sub-node. A list of available users opens.
6. Select the desired user name. Select the TypedURLs node. A list of the URLs typed by the selected user opens.
7. You can view the recently typed URLs in the Data field in the Data viewer.

How to View Recent Searches Performed via Windows Explorer

Using the Data Triage, you can view a list of recent searches performed via Windows Explorer by a specific user.

The Data Triage is intended for detecting installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To view a list of recent searches performed via Windows Explorer for a user(s), do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system for which you want to find a list of recent searches performed via Windows Explorer for a specific user.
5. Select the Users Info sub-node. A list of available users opens.
6. Select the desired user name. Select the WordWheelQuery node. A list of recent searches performed via Windows Explorer by the selected user opens.
7. You can view the REG_BINARY registry values in the Hex viewer to see the text of the search entries.
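The REG_BINARY entries from step 7 can also be decoded outside the Hex viewer. The following Python example is added here and is not part of Electronic Evidence Examiner or its SDK; it assumes the standard Windows layout of the WordWheelQuery key (numbered values holding UTF-16LE, NUL-terminated search text, and an MRUListEx value that orders them most recent first), and runs on constructed sample bytes.

```python
import struct
from typing import Dict, List

# Constructed sample of a WordWheelQuery key as the Data Triage would show it.
# Assumed layout (standard Windows behaviour, not stated on this page):
#   "0", "1", ... : REG_BINARY, UTF-16LE search text terminated by a NUL
#   "MRUListEx"   : REG_BINARY, little-endian DWORD indices, most recent
#                   first, terminated by 0xFFFFFFFF


def _utf16z(text: str) -> bytes:
    """Encode text the way Explorer stores it: UTF-16LE plus a NUL terminator."""
    return text.encode("utf-16-le") + b"\x00\x00"


SAMPLE_WORDWHEELQUERY: Dict[str, bytes] = {
    "0": _utf16z("invoice"),
    "1": _utf16z("holiday photos"),
    "2": _utf16z("vpn config"),
    "3": _utf16z("orphan entry"),   # present on disk but missing from MRUListEx
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}


def decode_search_value(raw: bytes) -> str:
    """Decode one REG_BINARY search entry into the text the user typed."""
    text = raw.decode("utf-16-le", errors="replace")
    end = text.find("\x00")
    return text if end < 0 else text[:end]


def parse_mrulistex(raw: bytes) -> List[int]:
    """Return the value indices in MRUListEx order (most recent first)."""
    if not raw:
        return []
    if len(raw) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4 bytes")
    order: List[int] = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:      # list terminator
            break
        order.append(idx)
    return order


def wordwheel_history(values: Dict[str, bytes]) -> List[str]:
    """Return the search strings most-recent-first.

    Entries referenced by MRUListEx come first, in that order. Numbered values
    that MRUListEx does not reference (stale or partially cleared history) are
    appended afterwards in numeric order so that nothing is silently dropped.
    """
    order = parse_mrulistex(values.get("MRUListEx", b""))
    seen = set()
    history: List[str] = []
    for idx in order:
        key = str(idx)
        if key in values and key not in seen:
            history.append(decode_search_value(values[key]))
            seen.add(key)
    for key in sorted((k for k in values if k.isdigit()), key=int):
        if key not in seen:
            history.append(decode_search_value(values[key]))
    return history


if __name__ == "__main__":
    for pos, term in enumerate(wordwheel_history(SAMPLE_WORDWHEELQUERY), 1):
        print(f"{pos}. {term}")
```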

How to View Recently Opened and Saved Documents

Using the Data Triage, you can view what documents a user(s) opened or saved recently.

The Data Triage is intended for detecting installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To view recently opened and saved documents, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system for which you want to find the files that were recently opened or saved by a specific user.
5. Select the Users Info sub-node. The list of available users opens.
6. Select the desired user name. Select the RecentDocs node. A list of files that were recently opened or saved by the selected user opens.
7. You can view the Name, Type, and Data for the selected document. You can also view the Security Key Data for the selected document (for more information, please see the help file).

How to View a List of Programs Set to Autorun for the User

Using the Data Triage, you can view the list of programs that were in the Autorun list of the user(s).

The Data Triage is intended for detecting installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To view a list of programs set to Autorun for a user(s), do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system for which you want to find the list of programs that were on the Autorun list for a specific user.
5. Select the Users Info sub-node. The list of available users opens.
6. Select the desired user name. Select the Run node. The list of programs that were in the Autorun list for that user opens.
7. You can view the Name of the program, Type, and Data for the selected program. The Data field contains the path to the program.

How to View a List of Run Commands

Using the Data Triage, you can view a list of commands executed using the Start>Run command by a specific user.

The Data Triage is intended for detecting installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To view a list of entries executed using the Start>Run commands for a user(s), do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system for which you want to find the list of entries executed using the Start>Run commands for a specific user.
5. Select the Users Info sub-node. A list of available users opens.
6. Select the desired user name. Select the RunMRU node. A list of entries executed using the Start>Run commands by the selected user opens.
7. You can view the Name of the program, Type, and Data for the selected program. The Data field contains the command written in Start>Run to start the program.

How to Get Information on Mounted Storage Devices and External Memory Cards

Using the Data Triage, you can get information on the mounted storage devices and external memory cards.

The Data Triage is intended for detecting the installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To get a list of mounted storage devices and external memory cards, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system on which you want to get information.
5. Select the Devices sub-node.
6. The list of mounted storage devices is displayed in the Data View pane (to the right).
7. Choose the desired storage device to get information about it.
8. The information about the desired mounted storage device is displayed in the Data View pane (to the right).
9. You can view the Name, Type, and Data for the selected file. You can also view the Security Key Data for the selected file (for more information, please see the help file).

How to View a List of Installed Programs

Using the Data Triage, you can view a list of the installed programs that can be uninstalled, Shared DLLs, registry subkeys that are used to register and control the behavior of the system on behalf of applications, etc.

The Data Triage is intended for detecting the installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To view a list of installed programs, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system where you want to find the list of installed programs.
5. Select the Programs sub-node.
6. Select the required sub-node.
7. The information about the installed programs is displayed in the Data View pane (to the right).
8. You can view the Security Key Data for each program (for more information, please see the help file).

How to Get Operating System Information

Using the Data Triage, you can get full information on the installed operating system. You can view the system properties including name, version, location of the system folder, registered owner, product ID, etc.

The Data Triage is intended for detecting installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To get information on the operating system, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system on which you want to get information.
5. Select the OS Info sub-node.
6. The information on the operating system is displayed in the Data View pane (to the right).

The following information on the operating system is available:

• ComputerName: This key contains the name of the computer.

• ProductName: This value contains the formal name of the product.

• CurrentVersion: This value contains the version of the operating system installed on the computer.

• CurrentBuild: This value contains the current build version of the operating system.

• CSDBuildNumber: This value contains the additional revision number of the Service Pack.

• CurrentMajorVersionNumber and CurrentMinorVersionNumber: These values contain the operating system version (only for Windows 10).

• SystemRoot: This value contains the location of the system folder, including the drive and path.

• PathName: This value contains the path to the system folder.

• RegisteredOwner: This value contains the name of the person who has the right to own the system.

• RegisteredOrganisation: This value contains the name of the organization which has the right to own the system.

• ProductID: This value contains the product identification number.

• EditionID: This value contains an identification number that represents the installed product edition.

• CurrentType: This value contains the operating system type.

• SoftwareType: This value contains the operating system software type.

• InstallationType: This value contains the operating system installation type.

• BuildBranch: This value contains the branch version of the operating system build.

• ReleasedId: This value contains the release ID version.

• InstallDate: This value contains the installation date of the operating system.

• InstallTime: This value contains the installation date and time of the operating system (only for Windows 10).

• TimeZoneInformation: This key contains the time zone of the computer.

• Customizations: This value contains the user's customization settings.

• EMDMgmt: This key contains information about the external storage devices connected to the computer.

• SystemRestore: This key contains information about the restore of the operating system.
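The InstallDate and InstallTime values listed above are stored as raw numbers rather than readable dates. The following Python example is added here and is not part of Electronic Evidence Examiner; it assumes the usual Windows encodings (InstallDate as a REG_DWORD Unix timestamp, InstallTime as a REG_QWORD FILETIME), decodes both from a constructed OS Info sample, and checks that the two agree, which is a quick sanity check on the node's values.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Union

# Constructed sample of an OS Info node (not values taken from a real system).
# Assumed encodings (standard Windows behaviour, not stated on this page):
#   InstallDate : REG_DWORD, seconds since 1970-01-01 00:00:00 UTC
#   InstallTime : REG_QWORD FILETIME, 100 ns ticks since 1601-01-01 00:00:00 UTC
SAMPLE_OS_INFO: Dict[str, Union[str, int]] = {
    "ProductName": "Windows 10 Pro",
    "CurrentMajorVersionNumber": 10,
    "CurrentMinorVersionNumber": 0,
    "CurrentBuild": "19045",
    "EditionID": "Professional",
    "InstallDate": 1672531200,            # 2023-01-01 00:00:00 UTC
    "InstallTime": 133170048000000000,    # the same instant as a FILETIME
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def installdate_to_datetime(value: int) -> datetime:
    """Decode a REG_DWORD InstallDate (Unix seconds) into an aware UTC datetime."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def filetime_to_datetime(value: int) -> datetime:
    """Decode a REG_QWORD FILETIME (100 ns ticks since 1601) into a UTC datetime."""
    # timedelta works in microseconds, so ten FILETIME ticks make one microsecond
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def os_version_string(info: Dict[str, Union[str, int]]) -> str:
    """Combine the version values the way they would be written in a report.

    Windows 10 carries the version in CurrentMajorVersionNumber and
    CurrentMinorVersionNumber; older systems only have CurrentVersion.
    """
    major = info.get("CurrentMajorVersionNumber")
    minor = info.get("CurrentMinorVersionNumber")
    if major is not None and minor is not None:
        version = f"{major}.{minor}"
    else:
        version = str(info.get("CurrentVersion", "?"))
    return f"{info.get('ProductName', 'Unknown')} {version} (build {info.get('CurrentBuild', '?')})"


def install_timestamps_agree(info: Dict[str, Union[str, int]],
                             tolerance_seconds: int = 1) -> bool:
    """True when InstallDate and InstallTime describe the same moment.

    InstallDate has one-second resolution, so a sub-second difference is normal.
    A larger gap is worth noting, because the two values should have been
    written by the same setup run.
    """
    if "InstallDate" not in info or "InstallTime" not in info:
        return True  # nothing to compare (pre-Windows 10 systems have no InstallTime)
    a = installdate_to_datetime(int(info["InstallDate"]))
    b = filetime_to_datetime(int(info["InstallTime"]))
    return abs((a - b).total_seconds()) <= tolerance_seconds


if __name__ == "__main__":
    print(os_version_string(SAMPLE_OS_INFO))
    print("InstallDate:", installdate_to_datetime(SAMPLE_OS_INFO["InstallDate"]).isoformat())
    print("InstallTime:", filetime_to_datetime(SAMPLE_OS_INFO["InstallTime"]).isoformat())
    print("timestamps agree:", install_timestamps_agree(SAMPLE_OS_INFO))
```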

How to View Deleted Recent Documents

Using the Data Triage, you can view deleted files that were recently used.

The Data Triage is intended for detecting installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

Finding deleted Recently Used Files mounts a document for NTFS documents or archives.

To view deleted Recently Used Files, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Recently Used Files sub-node. Recently Used Files are displayed in the Data View pane (to the right). Deleted Recently Used Files are marked red.

The following information about Recently Used Files is available:

• Name: This field contains the file name and its extension.

• Type: This field contains the file type. When the file is moved or deleted, the file type is not defined.

• Path: This field contains the full file path.

• User Name: This field contains the name of the user who used the file.

• Status: Moved/Deleted.

How to Get Information on Last Logged on User

Using the Data Triage, you can view the information about the last user who logged on to the operation system.

The Data Triage is intended for detecting the installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To view the information about the last logged on user, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system on which you want to get information.
5. Select the Users Info sub-node.
6. Select the Last Logged on User sub-node.
7. The information about the last logged on user is displayed in the Data View pane (to the right).

How to Get Information on Network Connections

Using the Data Triage, you can view the information about the wired, wireless, and remote desktop connections on the computer.

The Data Triage is intended for detecting the installed e-mail databases, chat databases, etc. by analyzing the registry files stored on a system disk.

The Data Triage is available for physical drives and images of physical drives that have a system partition, system logical drives and images of system logical drives, and registry hives.

To view the information about network connections, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).
2. Navigate to the Data Triage node in the Case Content pane (to the left).
3. Select the Parsed Registry Data sub-node.
4. Select the operating system on which you want to get information.
5. Select the Network Connections sub-node.
6. Select the required sub-node to get information on the connection.
7. The information on the connection is displayed in the Data View pane (to the right).

How to Work with Regular Expressions

A regular expression is a special text string for describing a search pattern. Regular expressions allow you to find data like IP addresses, phone numbers, postal codes, personal identifiers, e-mails, dates and times, etc.

How to Find Credit Card Numbers in Added Evidence

Electronic Evidence Examiner allows you to search for credit card numbers, including Visa, MasterCard, American Express, Discover, etc. Electronic Evidence Examiner searches for this data in all types of evidence and mobile data. The search is performed using regular expressions.

To find credit card numbers, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. In the Case Content pane (to the left), navigate to the database file or folder where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
3. The Search pane opens (to the right).
4. In the Use drop-down list, select the Regular expressions option.
5. Click Use Template. The Regular Expression Templates window opens.
6. Select the Personal Identifiers category and, in the list of expressions (to the right), select the required regular expression.
7. Click OK. The selected regular expression appears in the Search what box in the Search pane.
8. Enter other search parameters if necessary (for more information, please see the help file).
9. Click Start to start the search.

How to Find All Email Addresses in Added Evidence

Electronic Evidence Examiner allows you to search for email addresses in evidence/mobile data. E-mail addresses can be stored in message bodies inside added mailstorage evidence, in files inside added file system evidence, in files stored in archives, etc. The search is performed using regular expressions.

To find email addresses, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. In the Case Content pane (to the left), navigate to the database file or folder where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
3. Select the evidence/mobile data or its part where the search will be performed.
4. The Search pane opens (to the right).
5. In the Use drop-down list, select the Regular expressions option.
6. Click Use Template. The Regular Expression Templates window opens.
7. Select the Emails category and, in the list of expressions (to the right), select the required regular expression.
8. Click OK. The selected regular expression appears in the Search what box in the Search pane.
9. Enter other search parameters if necessary (for more information, please see the help file).
10. Click Start to start the search.

How to Find IP Addresses

Electronic Evidence Examiner allows you to search for IP Addresses using regular expressions.

To find IP Addresses, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. In the Case Content pane (to the left), navigate to the database file or folder where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
3. The Search pane opens (to the right).
4. In the Use drop-down list, select Regular expressions.
5. Click Use Template. The Regular Expression Templates window opens.
6. Select the IP Addresses, URLs & Paths regular expression category at the left of the window.
7. Select the required regular expression at the right of the window.
8. Click OK. The selected regular expression appears in the Search what box in the Search pane.
9. Enter other search parameters if necessary. Click Start to start the search.

How to Find the Phone Numbers for Different Countries

Electronic Evidence Examiner allows you to search for phone numbers with various dial codes using regular expressions.

To find Phone Numbers for a specific country, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. In the Case Content pane (to the left), navigate to the database file or folder where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
3. The Search pane opens (to the right).
4. In the Use drop-down list, select Regular expressions.
5. Click Use Template. The Regular Expression Templates window opens.
6. Select the Phone Numbers & Postal Codes regular expression category at the left of the window.
7. Select the required regular expression at the right of the window.
8. Click OK. The selected regular expression appears in the Search what box in the Search pane.
9. Enter other search parameters if necessary. Click Start to start the search.

How to Find URL Address

Electronic Evidence Examiner allows you to search for URLs using regular expressions.

To find URLs, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. In the Case Content pane (to the left), navigate to the database file or folder where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
3. The Search pane opens (to the right).
4. In the Use drop-down list, select Regular expressions.
5. Click Use Template. The Regular Expression Templates window opens.
6. Select the IP Addresses, URLs & Paths regular expression category at the left of the window.
7. Select the required regular expression at the right of the window.
8. Click OK. The selected regular expression appears in the Search what box in the Search pane.
9. Change the URL parameters and enter other search parameters if necessary. Click Start to start the search.

How to Create Special Template for Searching

You can create your own regular expressions using special symbols and letters.

To create a special template for searching, do the following:

1. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).
2. In the Case Content pane (to the left), navigate to the database file or folder where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.
3. The Search pane opens (to the right).
4. In the Use drop-down list, select Regular expressions.
5. Click Use Template. The Regular Expression Templates window opens.
6. Select the User templates regular expression category at the left of the window.
7. Enter and select your regular expression template using special symbols (for more information, please see the help file).
8. Click OK. The selected regular expression appears in the Search what box in the Search pane.
9. Enter other search parameters if necessary. Click Start to start the search.
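The template categories above (Emails, IP Addresses, URLs & Paths, Phone Numbers & Postal Codes, Personal Identifiers) are applied inside the Search pane. To show what such patterns match, and why a credit card candidate still needs validation before it is reported, the following Python example runs constructed patterns over constructed sample text; it is added here and is not Electronic Evidence Examiner's own template set, whose exact expressions this page does not show.

```python
import re
from typing import Dict, List

# Constructed sample text: no real persons, cards or hosts.
SAMPLE_TEXT = """\
From: alice.smith@example.com  To: bob@mail.example.org
Card on file 4111 1111 1111 1111; typo in notes: 4111-1111-1111-1112
Host 192.168.1.10 (not 256.300.1.1), portal https://portal.example.com/login?x=1
Callback +1 (555) 123-4567
"""

# Constructed patterns in the spirit of the template categories; only
# non-capturing groups are used so re.findall returns whole matches.
PATTERNS: Dict[str, str] = {
    "email": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b",
    # each octet limited to 0-255, which rejects 256.300.1.1
    "ipv4": r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b",
    "url": r"""\bhttps?://[^\s<>"']+""",
    "us_phone": r"(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}",
    # 13-19 digits with optional single spaces or hyphens; validated with Luhn below
    "card_candidate": r"\b(?:\d[ -]?){12,18}\d\b",
}


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_indicators(text: str) -> Dict[str, List[str]]:
    """Run every pattern over the text; card candidates are split by Luhn result."""
    found: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        hits = re.findall(pattern, text)
        if name == "card_candidate":
            digits = [re.sub(r"[ -]", "", h) for h in hits]
            found["card_number"] = [d for d in digits if luhn_valid(d)]
            found["card_rejected"] = [d for d in digits if not luhn_valid(d)]
        else:
            found[name] = hits
    return found


if __name__ == "__main__":
    for category, values in find_indicators(SAMPLE_TEXT).items():
        print(f"{category}: {values}")
```

The rejected list is kept on purpose: a digit run that fails Luhn is usually noise, but an examiner may still want to see it when a document is full of near-miss numbers.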

How to Use Python SDK

E3 Python SDK is a module for the development of automation scripts and applications in Python (more detailed information on the Python SDK can be found in the Help file).

Python SDK runs under the same license as Electronic Evidence Examiner.

Before using the SDK, you need to start Electronic Evidence Examiner and activate it.

To use the Python SDK, you need to install the p2csdk package:

1. Run the Command Prompt (cmd.exe) as administrator.
2. Check that the Python architecture (x86 or x64) matches the Electronic Evidence Examiner version. To check the Python version, do the following:
   1) Run python.exe without arguments in the command prompt. The first line of the banner contains the text 32 bit (Intel) for the x86 version or 64 bit (AMD64) for the x64 version.
   2) Exit the Python interpreter (type exit() and press Enter, or press Ctrl+Z and then Enter).
   3) After finding the path to the required Python version, use that path in the following commands (hereinafter the path to python.exe is referred to as %PYTHON_PATH%).
3. Open the \Paraben Corporation\Electronic Evidence Examiner\SDK\install folder.
4. Install the p2csdk package using the following command: "%PYTHON_PATH%" -m pip install p2csdk-- py3-none-any.whl

In the current version the command is

"%PYTHON_PATH%" -m pip install p2csdk-p2csdk-1.0-py3-none-any.whl

5. The package is installed.

To run the managed samples, do the following:

1. Run the Command Prompt (cmd.exe).
2. Open the Paraben Corporation\Electronic Evidence Examiner\SDK\samples\managed\bin folder.
3. Execute the following command: .exe -sdkdir
4. The sample runs (you will be notified if additional arguments are required).

To run the Python samples, do the following:

1. Run the Command Prompt (cmd.exe).
2. Check that the p2csdk package is installed.
3. Open the Paraben Corporation\Electronic Evidence Examiner\SDK\samples\python folder.
4. Execute the following command: "%PYTHON_PATH%" .py

The p2csdk package can find the path to the installed Electronic Evidence Examiner version automatically. You will be notified if additional arguments are required.


Other Questions

How to Change Color Settings in Electronic Evidence Examiner

Electronic Evidence Examiner allows you to customize color options to make it more convenient for you to view and analyze evidence. You can define color options for the following items: background color, sorted data, deleted data, embedded data, files with wrong extension, Hex, Text, Email, and RTF viewers, etc.

To define color settings, do the following:

1. Add evidence to a new or existing case (for more information, please see the corresponding How to investigate... topics).

2. In the Case menu, select Options.

3. In the opened Options window, select the Color&Font Settings category of options (to the left).

4. In the Element column, select the item for which you want to change the color.

5. In the Color column, click the color cell and select the desired color in the drop-down box.

6. Click OK to apply the settings.


How to Use Boolean Search

Boolean search allows the user to search for complicated expressions in text following the rules of Boolean logic.

Searching is performed by the rules of Boolean logic applied to text data inside units.

To use the Boolean search, do the following:

1. Add evidence to a new or existing case (for more information on adding different types of evidence, please see the corresponding How to investigate... topic).

2. In the Case Content pane (to the left), navigate to the file or folder where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.

3. The Search pane opens (to the right).

4. In the Use drop-down list, select Boolean Search.

5. Enter your Boolean expression in the Search what box using the following combinations:

• x AND y: Use this expression if you want to find at least one x and at least one y in the unit. For example, using the expression James Bond AND Miss Money Penny, you will find results in which both James Bond and Miss Money Penny are mentioned.

• x OR y: Use this expression if you want to find either at least one x or at least one y in the unit. For example, using the expression James Bond OR Miss Money Penny, you will find results in which either James Bond or Miss Money Penny is mentioned.

• NOT x: Use this expression if you want to find no x in the unit. For example, using the expression NOT James Bond, you will find results in which James Bond is not mentioned.

• x NEAR /n y: Use this expression if you want to find x and y in the unit with not more than n symbols between them. For example, using the expression James Bond NEAR /30 Miss Money Penny, you will find results in which both James Bond and Miss Money Penny are mentioned and there are not more than 30 symbols between them.

6. Click Start. The search starts. Its status is displayed in the Tasks pane and it can be stopped, paused, and started from there (through the right-click menu or using Stop, Pause, or Start/Resume buttons).


7. The search results are displayed in the bottom part of the Search pane.

8. Double-click a search result to open it in the Data View pane and view it.

How to Use Load Words Option

Boolean search allows the user to search for complicated expressions in text following the rules of Boolean logic. The Load Words option allows you to load search expressions for a Boolean text search from a text file.

Searching is performed by the rules of Boolean logic applied to text data inside units.

To use the Load Words option, do the following:

1. Start Notepad (C:\Windows\Notepad.exe).

2. Create a text file (*.txt).

3. Enter your Boolean expression using the following combinations:

• x plus (+) y: This combination corresponds to the x AND y combination (for more information, please see the How to Use Boolean Search topic). Use this expression if you want to find at least one x and at least one y in the unit. For example, using the + James Bond + Miss Money Penny expression, you find results in which both James Bond and Miss Money Penny are mentioned.

• minus (-) x: This combination corresponds to the NOT x combination (for more information, please see the How to Use Boolean Search topic). Use this expression if you want to find no x in the unit. For example, using the - James Bond expression, you find results in which James Bond is not mentioned.

• x (space or new line) y: This combination corresponds to the x OR y combination (for more information, please see the How to Use Boolean Search topic). Use this expression if you want to find either at least one x or at least one y in the unit. For example, using the James Bond Miss Money Penny expression, you find results in which James Bond or Miss Money Penny is mentioned.

• "expression in quotes": Use quotes if you want to find the exact phrase specified in the quotes. For example, using the "drugs and weapons" expression, you find results in which exactly the phrase drugs and weapons is mentioned.


Don't put a space between the + or - symbol and its word, because a space is interpreted as the OR expression.

4. Save your text file.

5. Start Electronic Evidence Examiner.

6. Add evidence or acquire/import mobile data to a new or existing case (for more information, please see the corresponding topic from the How to investigate... sections).

7. In the Case Content pane (to the left), navigate to the database file or folder where you want to search for data, right-click and select Advanced Search, or click Advanced Search on the Analysis tab, in the Search group.

8. The Search pane opens (to the right).

9. In the Use drop-down list, select Boolean Search.

10. Click Load Words.

11. Navigate to your text file with the Boolean expression and click Open.

12. The expression is loaded into the Search what box.

13. Click Start to start searching. The search status is displayed in the Tasks pane, and the search can be stopped, paused, and started from there (through the right-click menu or using the Stop, Pause, or Start/Resume buttons).

14. The search results are displayed in the bottom part of the Search pane.

15. Double-click a search result to open it in the Data View pane and view it.
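The Boolean Search operators (AND, OR, NOT, NEAR /n) and the Load Words file syntax described in the two topics above, modelled in Python. This is an added example written for this page; it is not code from Electronic Evidence Examiner or its Python SDK and does not show how the product itself evaluates a search. Assumptions: a unit is a plain string such as a message body; matching is case-insensitive; NEAR /n means at most n characters between the two phrases, as the definition above states; parentheses are accepted so that a translated Load Words file can be written as one expression (the manual lists no parentheses); and, because the manual does not say how mixed plain, + and - terms in a Load Words file are combined, the plain terms are taken as one OR group that is ANDed with the + terms and with NOT of each - term. The sample units are constructed for this example.

```python
import re

# Constructed sample "units": the text items a search runs over (e.g. message bodies).
SAMPLE_UNITS = [
    "James Bond met Miss Money Penny in the lobby.",
    "Miss Money Penny filed the report on drugs and weapons.",
    "James Bond left the country alone on Tuesday; Miss Money Penny was told much later.",
    "Q catalogued the weapons and the drugs seized last week.",
]

# Operators are case-sensitive keywords; whatever lies between them is a phrase.
# Parentheses are an extension of this example, not an operator the manual lists.
_OPERATOR_RE = re.compile(r"\s*(\(|\)|\b(?:AND|OR|NOT|NEAR\s*/\d+)\b)\s*")


def _contains(phrase):
    return lambda unit: phrase.lower() in unit.lower()


def _near(x, n, y):
    """Some occurrence of x and some occurrence of y have at most n characters between them."""
    def match(unit):
        low = unit.lower()
        xs = [m.span() for m in re.finditer(re.escape(x.lower()), low)]
        ys = [m.span() for m in re.finditer(re.escape(y.lower()), low)]
        # For two non-overlapping spans exactly one of the two differences is the real gap.
        return any(max(ys_ - xe, xs_ - ye) <= n for xs_, xe in xs for ys_, ye in ys)
    return match


def _both(left, right):
    return lambda unit: left(unit) and right(unit)


class BooleanSearch:
    """Recursive-descent compiler: OR binds weakest, then AND, then NEAR; NOT is a prefix."""
    def __init__(self, expression):
        self._tokens = [t for t in _OPERATOR_RE.split(expression.strip()) if t]
        self._pos = 0
        self.matches = self._parse_or()          # predicate: unit -> bool
        if self._pos != len(self._tokens):
            raise ValueError(f"unexpected token {self._tokens[self._pos]!r}")

    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else None

    def _take(self):
        self._pos += 1
        return self._tokens[self._pos - 1]       # IndexError on a truncated expression

    def _parse_or(self):
        pred = self._parse_and()
        while self._peek() == "OR":
            self._take()
            pred = (lambda l, r: lambda u: l(u) or r(u))(pred, self._parse_and())
        return pred

    def _parse_and(self):
        pred = self._parse_unary()
        while self._peek() == "AND":
            self._take()
            pred = _both(pred, self._parse_unary())
        return pred

    def _parse_unary(self):
        if self._peek() == "NOT":
            self._take()
            inner = self._parse_unary()
            return lambda unit: not inner(unit)
        if self._peek() == "(":
            self._take()
            inner = self._parse_or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self._parse_near()

    def _parse_near(self):
        left = self._take()
        if left in ("AND", "OR", "(", ")") or left.startswith("NEAR"):
            raise ValueError(f"expected a phrase, got {left!r}")
        pred = _contains(left)
        while (tok := self._peek()) is not None and tok.startswith("NEAR"):
            n = int(self._take().split("/")[1])  # "NEAR /30" -> 30
            right = self._take()
            pred = _both(pred, _near(left, n, right))
            left = right
        return pred


def search(expression, units):
    """Indices of the units matched by a Boolean Search expression."""
    matches = BooleanSearch(expression).matches
    return [i for i, unit in enumerate(units) if matches(unit)]


# Load Words file syntax: +term (AND), -term (NOT), "exact phrase", whitespace/newline = OR.
_LOAD_WORDS_RE = re.compile(r'([+-]?)(?:"([^"]*)"|(\S+))')


def load_words_to_expression(file_text):
    """Translate a Load Words file into Boolean Search syntax (combination rule for mixed
    plain, + and - terms is this example's assumption, not stated in the manual)."""
    required, excluded, optional = [], [], []
    for sign, quoted, bare in _LOAD_WORDS_RE.findall(file_text):
        (required if sign == "+" else excluded if sign == "-" else optional).append(quoted or bare)
    parts = [optional[0]] if len(optional) == 1 else ["(" + " OR ".join(optional) + ")"] if optional else []
    parts += required + ["NOT " + term for term in excluded]
    if not parts:
        raise ValueError("no search terms in file")
    return " AND ".join(parts)


if __name__ == "__main__":
    for expr in ("James Bond AND Miss Money Penny", "James Bond NEAR /30 Miss Money Penny",
                 load_words_to_expression('drugs weapons\n+"Miss Money Penny"')):
        print(f"{expr!r:45} -> units {search(expr, SAMPLE_UNITS)}")
```

Because whitespace in a Load Words file means OR, a multi-word name such as James Bond has to be quoted in the file (+"James Bond") to be treated as one phrase; the NEAR /30 example matches the first sample unit but not the third, whose two names are 36 characters apart.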

How to Skip Displaying of Items in Mailstorages

You can manually define email messages, folders, or mailboxes that are to be skipped whenever the email database evidence is opened in the future.


To add data to the skip list, do the following:

1. Navigate to the message(s) you want to add to the skip list.

2. Right-click and select Add to Skip List, or select Add to Skip List on the Evidence tab, in the Mailstorages group.

3. An information message opens. Click OK.

4. The elements are added to the skip list.

To view evidence with skipped data, do the following:

1. Add a mailstorage to a new or existing case (for more information, please see the corresponding How to investigate... topics).

2. If you open evidence with items in the skip list for the first time, the Skip List window for this evidence opens. You can make changes to the skip list, after which Electronic Evidence Examiner opens the email evidence skipping the selected items.

3. Skipped data is displayed in the Case Content pane as follows: (<number> items skipped in this storage).


Index

A
acquired data
  Android OS ...... 248
acquisition ...... 180, 292
  GPS devices ...... 292
    Garmin ...... 292
  iPhone/iPods ...... 180
    iPhone ...... 180
  Portable devices ...... 304
    Android ...... 248
      acquired data ...... 248
archive data ...... 138
  viewing ...... 138
    locked by password ...... 138
attachments ...... 85, 86
autodetecting ...... 97
  chat database ...... 97

C
chat database ...... 87, 94, 97
  autodetecting ...... 97
  Hello! ...... 94
  Yahoo! ...... 87

D
Device Seizure ...... 144
disk image ...... 110
drivers detection ...... 170
DS case ...... 144, 145
  view ...... 144

E
E-mail File ...... 56, 64
embedded data ...... 155, 160
  mailstorage ...... 155, 160
export ...... 360
exporting ...... 349
  messages from several databases ...... 349

F
file system ...... 110
  disk image ...... 110
forensic container ...... 163
  creating a new forensic container ...... 163

G
Garmin mass storage device ...... 292
Garmin nuvi ...... 292
GPS data ...... 292
  acquisition from Garmin mass storage device ...... 292

H
Hello! ...... 94
history ...... 103
  Internet Explorer ...... 103

I
import
  iPhone encrypted backup ...... 313
installed application ...... 221, 240
Internet Browser data ...... 103
  Internet Explorer ...... 103
investigating ...... 56, 64, 87, 94, 110, 132
  archive data ...... 138
    locked by password ...... 138
  chat database ...... 87, 94
    Hello ...... 94
    Yahoo! ...... 87
  DS case ...... 144
  file system ...... 110
    disk image ...... 110
  Internet Browser data ...... 103
    Internet Explorer ...... 103
  mailstorage ...... 56, 64
    E-mail File ...... 56, 64
    Maildir ...... 61
  OLE storage ...... 135
  Registry data ...... 132
iPhone device ...... 180

M
Maildir ...... 61
mailstorage ...... 56, 64
  E-mail File ...... 56, 64
  Maildir ...... 61
message ...... 86
Mobile data
  iTunes backup ...... 147
  JTAG memory dump ...... 153

O
OLE storage ...... 135
  viewing ...... 135

P
Portable devices ...... 304
preparing report ...... 383

R
Registry data ...... 132
  investigating ...... 132
report ...... 383, 384
  adding graphics ...... 384
  preparing ...... 383

S
searching ...... 374
  sorted data ...... 374
sorted data search ...... 374
sorting ...... 364
  data ...... 364

T
temporary Internet files ...... 103

V
viewers ...... 337
  file viewer ...... 337
viewing ...... 103, 135, 138, 155, 160
  archive data ...... 138
    locked by password ...... 138
  DS case ...... 144
  dump file ...... 142
  embedded data ...... 155, 160
    mailstorage ...... 155, 160
  Internet data ...... 103
    Internet Explorer ...... 103
  OLE storage ...... 135
  parsed recovered data ...... 144
  registry data ...... 132

Y
Yahoo! ...... 87