Thanks for browsing to this article. If you require global forensic imaging or any other of our litigation services, please don’t hesitate to contact us!

The Current Market

eDiscovery tools Summation, Relativity, Intella and Nuix all have their place in the litigation support arena. As a technology agnostic myself I tend to try and find the best tool for my client in terms dependent on the size of the case and other factors such as if the data involves more than just documents and emails.

I was discouraged to discover that there was no solution for small to medium-sized cases. The answers I found would not cope with additional reviewers, more data and other factors.

GoldFynch eDiscovery Tool

A few weeks ago I came across Goldfynch and thought I would review some of the features involved in the tool. The website promises Cloud-based eDiscovery, Bank Grade Security, OCR processing, Pay as you go pricing (averages $6/GB/month), No contracts, no commitments and Unlimited users. I started to wonder if it also did the review for my clients too! The company slogan is “If you can use a search engine you can use GoldFynch.” Interestingly GoldFynch is owned by firm search engine firm Mazira who built the tool from the ground up to be intuitive.

GoldFynch is free to trial for the first case limited to 512mb of data. This means reviewers can train using this tool before the case being initiated and pricing is scalable.

Limitations as of 2018

Unfortunately, at the time of writing AD1, XWF, E01, AFF and other forensic container formats were not supported. These formats are used so a litigator can be sure of the integrity and original path of the files has been preserved when the items were captured at the source.  The collection, documentation and preparation of the ESI, therefore, requires a computer forensic expert to prepare the dataset before upload. Additionally, if you have ESI in more exotic formats such as NSF Lotus Notes or Android Mobile SQL Emails the files may need to be converted which takes some time and skill.

The server location may be relevant in multijurisdictional cases, and the cloud processing server is based in the USA currently. I have conversed with GoldFynch, and they are looking at opening servers some other jurisdictions including Europe as the firm develops.

Platform Review

I signed up for GoldFynch cloud platform free 512mb trial and decided to try my hand at processing a sample case with public domain data. The sample dataset included PST, PDF, TIFF, OFFICE and JPG files. The website states, at the time of writing, that PDF, PST, MBOX, MSG, EML, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, POTX, ODT, TIFF, JPEG, ZIP and RAR files are supported. In fact, I discovered that GoldFynch supports 7z (7zip) and a plethora of other data types not listed.

The datasets were compressed as Zip and 7zip file types. Uploading the data was as easy as selecting an ‘Upload Now’ button in the ‘Files’ tab of the web-based interface.

The upload on my enterprise 50mb broadband connection for the dataset took about 20 minutes. Processing took just under an hour to complete for 556.5 MB of data or 11,861 files. This performance isn’t bad if you factor in the wasted time of software setup, tweaking and moving data to a physical data centre.

If you want to add or remove users, this can be done instantly using the ‘Sharing’ tab. The number of users that can be added to the case is unlimited.  The user is sent a registration email when a valid address is entered. There are three types of user Owner, Admin or User each with their own set of permissions which the new user can be assigned as to avoid unintentional modifications to the case by a reviewer.

When the files are uploading PDF’s and images are automatically OCR’d (made searchable), assigned unique Bate’s numbers and scanned for issues. In the test, GoldFynch’s scanning engine identified seven attachments that required passwords to open and previously non-OCR’d documents were flagged in the search.

Decrypting these files is as comfortable as adding passwords to a bulk password list before or after processing event. These could also be exported out and cracked by a computer forensic examiner.

The ‘Overview’ tab displays a chart as so you can see how much data has been uploaded to a case and the status of the processing of the items.  The Activity sub-tab allows the reviewer to go through the changes regarding tagging the reviewers of the case have made.

The ‘Search’ tab allows examiners to run keyword searches against the dataset. The right-hand column provides for reviewers to filter by file type and date as to quickly find the responsive data. Data can be tagged as CONFIDENTIAL, IMPORTANT, IRRELEVANT, NON-RESPONSIVE or PRIVILEGED. Admin users can easily assign their own bespoke tags.

The advanced search allows for multiple queries to be compounded so that you could easily find results containing just the term ‘GUNS’ equal to or after the 01/01/2018 as shown below.

The ‘Doc Review’ tab has redaction, tagging, download and directory browsing features as found in most review tools. New items are populated fairly quickly, and the interface is intuitive.

The ‘Production’ tab allows the user to export tagged files using a wizard. Paid versions allow export in TIFF, Load File and even Relativity or Concordance formats.

Summary

Goldfynch is a transparently priced tool that could be very useful in small to medium size cases. The power of a cloud-based tool means a forensic expert or IT technician to collect and upload data to the cloud and assign reviewers of that data non-dependant of location. The functionality covers all the fundamental requirements for a review tool and is easy to use.  I am sure new features will be added, without the need for a software upgrade as the service evolves.

Thanks for reading!

Thank you for visiting this post hope you find it useful. Please email expert@compute-forensics.com for assistance in lab implementation, investigation, data collection, consultancy or anything else.

Introduction

This ‘how to’ is a simple guide to virtualise your forensic or test disk image file in Windows without converting it, directly with VirtualBox, forensically as not to change the image but to save the IO writes to a temporary location.

Why would you want to Virtualise a Forensic Image?

Examining from outside the native operating system and including your image for processing in tools such as Autopsy, FTK and X-ways are all well and good, but it can lead to dreaded ‘scope creep’, and it is always good to observe the operating system as the suspect would see it.

The effectiveness of booting the image in court or using screenshots of a virtualised image to highlight specific examination points such as drug paraphernalia used as Windows wallpaper, for example, can be invaluable in demonstrating a point. The method works for Linux and Windows, the Apple Mac guide for doing this is coming soon!

Primary reasons for Virtualising a Forensic Image

• To provide a better insight into how the accused used the system
• To run live forensic tools such as Nirsoft and OSforensics in the Windows environment
• To analyse the memory or RAM to see if any Malware or Rootkits only detectable on a live system exists
• To display user behaviour and layout of the desktop to clients
• To access bespoke tools such as QuickBooks or booking systems in their natural test environment
• To decrypt and create a logical image of non-TPM PGP, Bitlockered, Trucrypted or Veracrypted volumes where the password is known or to test techniques where one may have a limited amount of tries

In the past, this has been costly or cumbersome. Recently a tool has been released free of charge, from Nanni Bassetti, the creator of Caine live suite of tools, called Imm2Virtual.

The technique relies on three tools, and you need a full forensic image for this to work. This technique is safe as the image, of course, won’t be blocked but also use a working copy to do this, don’t do this with the only copy of the evidence! Using this method all significant forensic image and RAW formats are supported (AFF, E01, E01x, DD, 001, IMG.)

WARNING: Make sure you disable internet access on yours or the virtual machine. You do not want to connect to illegal sites or even the suspect’s cloud or private websites. Without a subpoena, you are breaking the law!

Free Software Tools Needed to Download and Install on your Windows Forensic Machine

1. Arsenal Image Mounter
2. VirtualBox 
3. Imm2Virtual

Steps to Making and Booting Your VDMK File

• Install or run ‘As Admin’ the items above. It is essential to run the programs above as admin otherwise disks won’t be visible and you will come across a whole host of other errors.

• Run Virtual Box as an administrator. Create a new virtual machine, using you suspect image types OS, but do not add a hard disk just yet. Remember to add more RAM to the virtual machine setup. Make a note of the path your VMDK machine was created. The default will be ‘C:\Users\YOURUSERNAME\VirtualBox VMs’.

• Run Arsenal Image Mounter as an admin. Mount the forensic image to allow temporary writes to the system cache, not the image! Take note of the physical disk number windows allocated to the virtually mounted disk.

• Select your search bar in Windows and search for CMD. Right-click and run a CMD Window as an administrator. Type DISKPART, then LIST DISK, check the disk number of your mounted disk and type SELECT DISK [INSERT NUMBER]. Now offline the disk by typing OFFLINE DISK.

• Now run IMM2VIRTUAL as an administrator. In the disk-name slot type the exact name that you called your disk and input your physical drive number. In this case, it is ‘5’, and the name was as stated earlier ‘VM1’.

• CMD should open a Window with ‘RAW host disk access VMDK file C:\Users\YOURUSERNAME\VirtualBox VMs\VM1\VM1.vmdk created successfully.’ If not you probably have the wrong disk number, name, you didn’t know offline the correct disk, or you didn’t run a program as admin.

• Now run VirtualBox as admin. Navigate to Settings>Storage. Add the modified VDMK file as a disk. You may need to play around with settings such as disk type, OS and RAM amount to get the virtual disk to boot. After some tinkering, you should be able to boot your image.

There you have it. Remember you can use iso’s such as Kon Boot or others to bypass the Windows. The beauty of it is if you mess up the installation you can go back to default settings as you are not modifying the original copy, just the cache.

If you liked this guide please like, share and comment on this page.

Compiled here is the Top Ten of FREE Computer Forensic/eDiscovery software picks for 2018. Sometimes you do not need to spend £1000’s to get the job done. Paid software has its place but sometimes when you want one particular function only or to test out a hypothesis. So get downloading and examining using the software! Please email me at expert@compute-forensics.com with any suggestions for 2019. Contact us should you have an enquiry! Written by Alistair Ewing

1) Autopsy developed by Brian Carrier, Basis Technology, Dan Farmer and Wietse Venema

Autopsy is The Sleuth Kit’s shiny Windows front-end offering. The features are impressive for a free program; some stand up there with the paid for forensic tools Encase, FTK, X-ways and more recently Nuix Investigator. The suite of tools includes:

• Data Recovery using photorec as a carver module
• Indexing for Keyword Searching The program creates a text index for instantaneous keyword searches.
• Known Hash Set Filtering Do you have hash (SHA1/MD5) fingerprints for known noise files or known contraband files? These can be filtered in or out without having to examine the data yourself manually.
• Media Metadata EXIF metadata can be examined, sorted and filtered to find what device was used to make a recording or file, when and sometimes where using geotags.
• Timeline Analysis Autopsy draws file MAC times (created, modified etc.) from files, website visits and other data such as GPS and EXIF. The program is also beginning to support ‘plaso’ files generated using log2timeline although the author states on their website that this time of writing this is in a BETA stage.
• Website Records Supports parsing of current browser records including Firefox, Chrome and Internet Explorer.

Autopsy doesn’t have all the bells and whistles as some of the paid-for software, but don’t underestimate the tool’s features. Many of the features aren’t immediately apparent to the uninitiated, but this program has progressed by leaps and bounds.

I tested Autopsy 4.6.0 on a 1gb test image in the industry standard E01 format. The scanning engine quickly discovered signature mismatches (when someone tries to mask a file by changing its extension), file encryption, attached USB devices, web browsing history and more. The GUI interface is not unlike the functional but dated Encase v6 layout. (See Below). You may be a student or a ninja, in any case give Autopsy a whirl.

2) Caine by Nanni Bassetti

Caine is a 64bit bootable Linux suite of tools that can be used to forensically image Mac’s and Windows Machines, triage machines without writing to the disk inside and perform partial and full analysis of forensic images and disks. Caine is loaded with Windows executable tools as well for use on a live system if a computer is discovered in a switched-on state and triage or unencrypted image is desired for acquisition. My personal experience is that Caine images most disks without error and has Veracrypt installed so you can package the forensic copies onto an encrypted disk as to remain compliant with your client’s data protection rules. The ISO can be downloaded from the website. The ISO can be made USB bootable by using UNETBOOTIN or Rufus. A must for any examiner’s toolkit.

3) RegRipper by Harlan Carvey

Forged using python and operated user-side with an easy to use GUI frontend, Regripper parses registry hives (or even a mounted forensic image with a mod) and outputs the humanly readable data as a text file that can be searched using Notepad++ or similar. Want to find a user’s SID code, the Windows installation dates or MRU (most recently used/viewed items) fast? Then use RR.

4) Arsenal Image Mounter by Arsenal Recon

The function of mounting a forensic image in Windows is nothing new but AIM is especially proficient. FTK imager has a built-in image mounter, but this one is a little more advanced, and disks are seen in Windows where others have failed due to it’s faked SCSI driver. Arsenal mounts in many different and rarer image formats and even fakes disk serial number if required if mounting errors occur. *FREE for non-commercial use

5) Nirsoft Tools by Nir Sofer

A full suite of analysis tools for Windows artefacts. For forensic analysis, objects may have to be exported out, or examination must take place to a blocked mounted forensic image visible in Windows.

6) PhotoRec Christopher Grenier

Whether its a deleted Microsoft email PST item or a lost Encase E01 file, photorec is a data recovery tool that seems to perform well compared to the rest. The list of carvers preloaded is formidable, and the speed is swift. The carving can be completed on a mounted forensic image as to protect the integrity and only on the volumes free space to save time.

7) Log2timeline maintained by Kristinn Gudjonsson

This parser is the no one supertimeline tool and can be used in an advanced forensic analysis to extract event times from 1000’s of log/database filetypes and place them into one plaso file output or CSV spreadsheet for analysis natively or using a graphical program. Most paid for or built-in timeline tools just take into account MAC times and can’t parse as many file, registry or database types as log2timeline. If you need to put together times, user actions and other artefacts in one place then log2timeline is the tool of choice.

8) FTK Imager by AccessData

Imager needs no introduction. Imager does what it says on the tin and more! FTK imager has little-known eDiscovery uses as the software can image by SID owner, create directory listings and image logically to an AD1 format by folder location. Additionally, the tool includes a hex viewer. In incident response, the suite can be used to collect volatile memory as well as a live registry.

9) ddrescue GUI by Hamish McIntyre-Bhatty

This Linux GUI tool that simply put “copies data from one file or block device (hard disc, cd-rom, etc) to another, trying to rescue the good parts first in case of read errors.” ddrescue also produces a map file so you can go back to reimage the old parts of the disk that didn’t copy the first time in order to get a full transversal. It won’t only create an image filled 0s on the parts it can’t read as most imaging tools do. *Available on Caine

10) Acquire by Magnet Forensics

To get this hidden gem, you will have to register on Magnets website. Aquire has the imaging functions you find typically in FTK imager and others. MA shines when collecting from smartphones such as Apple and Android devices (forget about Blackberry!) The program will also take a full physical image of rooted android devices and output the data in an agnostic format. The items are best examined using Magnet’s Axiom or IEF.

In real cases these tools require specialist training, don’t hesitate to contact us should you have an enquiry!