- Analysis Pack Tools: Event, Cloud, Email-Link, Lead-Link and Virus and Trojan Detection!
- Expert Witness Image Format Support
- Virtual Machine Runtime Environment Support
- IVault – Analysis-Review Platform for ILookIX
- PST-OST Extended Media Email Recovery
- Developer Interface (IDE)
- Miniapp IDE & Miniapp Runtime Access for Plugins
- IXImager v3
- System Requirements for ILooKIX
- A New Vertical Integration Efficient Design
- The Case Category Explorer for all evidence
- The Email Explorer
- The Archive Explorer
- The Salvage Explorer
- The Registry Explorer
- A Generalized Toolbox Expandable Design
- Toolbox - Hashing Functions
- Toolbox - Indexing Functions
- Toolbox - Searching Functions
- Toolbox - Salvage Functions
- Toolbox Data Reduction Functions
- Toolbox Dictionary Generation
- Toolbox Analysis Functions
- Analysis Functions - Events
- Analysis Functions - Virus & Trojan Detections
- Analysis Functions - illicit Image Detection
- Analysis Functions - MiniApp IDE Runtime
- Reports & Export Formats
- IVault Evidence Review
- Filelist Capability
- Object Properties
- Literally NO Menus to Memorize
- Stream Objects are a Better Method
- ILook - Always Unicode
- Millions of Search Hits
- The 1st Forensic Programming
- Standards Environment
- Data capture, analysis, investigation and dissemination
- The most advanced imaging solution available
- An easy-to-use interface
- Five built-in, fast and thorough search engines
- Built-in development environment
- Built-in file viewers for hundreds of file types
- The leading salvage engine
- Extremely fast hash engines and automated data reduction techniques
- Built-in e-mail store processing, searching and viewing
- Filesystem, file and e-mail recovery
- Multiple categorization features
- Registry viewing and searching
- Virus/Trojan search and identification
- VMware virtual disk production from devices or images
- Context dictionary production for password cracking
- IVault data store preparation and production
- Support for all common archive file formats
- Deconstruction of evidentially useful file types
- Sorting, grouping and filtering of files and e-mail.
- Advanced analysis functions
- Advanced MS Outlook e-mail recovery
- illicit image and movie detection
- Password protected file detection
Starting with the world’s first Law Enforcement Windows forensics toolset, ILookIX, now redefines the future of computer forensic investigations. Unparalleled in its feature sets, depth of analysis, and ease of use, ILookIX changes the playing field in more ways than any tools have done to date. XFR – Xtreme File Recovery now available for NTFS, FAT HFS, and Extended 4 and 3 linux systems, has no equal in any toolset that exists anywhere.
It empowers any end user, from novice to expert, to conduct an investigation quickly, with a reliability scale unmatched in any other tool. At the center of over a decade of investment in quality demanded by intelligence and military agencies, ILookIX now for the first time takes a position as a commercial product. This integrated and advanced digital evidence toolset includes capabilities not existing in any other commercial forensics platforms:
- Virus and Trojan detection capability built directly into the analysis functions of the tool.
- Complex visualization analysis features designed to radically reduce investigative elapsed time while providing focus and clarity never seen before in any tools.
- Super-fast, super stable, SQL Server 2008 R2 64 bit from Microsoft.With no limits on the power to automate the data reduction techniques first brought to computer forensics by ILook, or the storage requirements of the future. It is unique in Windows Database systems and has no realistic volume storage limits.
- The first ever IDE system compiler and build system integrating standard programming processes instead of product specific shell scripting. For the first time, common programming capabilities can be carried from any application resource into the forensic analytical tools space, to bring unparalleled power to the process.
- The only 100% qualified forensic imaging software system on earth. IXImager3, provides a complete imaging solution for not just Intel based systems, that would simply be to easy, or the other 18 processor types it supports, but also for any Mac computer system going from today’s Mac Air, all the way back t0 13 year old G3 ‘s. Bootable power to image a device, and in particular, RAIDS, just by booting the device in real time. It does not restrict a user to Firewire target disk mode on Apple or require computer disassembly to remove drives. No write blockers, or disassembly of raid systems to make forensic quality images of literally anything that stores data on mass storage devices.
Have you ever wondered why computer forensics interfaces have to be so complex?
The reason is simply development logic based on a proven model. They were built up over the last decade by the simple expedient of putting new pieces on top of tried and true ones. We built V7 and later V8 much the same way as everyone else built their tools. Retesting of processes is so arduous and a users apathy toward change so great, there is no incentive for anything except to slow down or stop any learning curve by the end user. That design method however, does not fit well with the current state of systems under investigation or the improvements in processing inherent in new design tools and more advanced processors over the past 10 years.
Times have changed, and it was past time for a quantum leap into the future. If you take away everything but the knowledge of what exists today in computer forensics, not 15 years ago, and use today’s requirements as a guide, with a bit of the known future thrown in, you can literally reinvent the proverbial wheel. You can expand into a new form of application base that can grow into the future with ease and agility.
A new method of performance, ease of use and functionality is designed from the ground up in ILookIX. It reflects the heritage of ILook and the data content handling required for the future expansion intrinsic in this field. We see a future not bounded by high memory requirements or high priced equipment. Instead, we see a unique place in this venue for these tools where there is a need for the very best that can be created.
Every major functional area in ILookIX has an Explorer interface that reflects a specific group of information, consistently across all forms of systems, and which has consistent interface action tools that work across all groups. The first Explorer is the FileSystem itself, where all loaded evidence items per case are loaded and where they are independently locked into place. The Evidence can be deleted if necessary, and hidden from view by simple item selection menus. “Now you see it, now you don’t”, literally by touching one button.
The second Explorer is the Category Explorer. Within it, all totals for all evidence items in a case are correlated into one cohesive set of views which represent the entirety of the case on one view tab.
Here, you can see accumulated totals for 1 hard drive, or 62, by type, and by signature and by Virtual Categories defined by the user or built in by ILookIX for you.
You will see new forms of presentation, for instance Deconstructable vs. Deconstructed categories. Where you can elect to deconstruct nothing or 100,000 files by type at one time after loading an evidence item, usually a hard drive image. But it can just as easily be any data source: VMDK images, physical disks, Raw bitstream (DD) images, CD-ROM’s, Thumbdrives, Floppy Disks, or Filesystem based categories.
The third tab down (but what is down could be up, you can move anything – literally anywhere) is the Email Explorer. All control interfaces can be rearranged to any number of monitors. The explorer presents a concentric view of all email by ANY type in the entire case, not just the single evidence item. You could have 1000 email stores of any type, MBox, mbx, PST, OST, EML, EMLX, DBX, AOL, Lotus NOTES, whatever the type of mail, all of the output is formed into the identical Perlustro object model within this explorer and its adjacent Email item view tabs. Email has its own precise listing control which only returns email objects and allows multi-function output including 7 export types for reports or presentations. You can include or exclude attachments, you can change a view to thumbnail and then change the thumbnails to any size with custom built in filters. You can eliminate items through email filters or even report them using the same functions.
The next tab vertically is the Archive tab. Here, 71 different types of archives and containers like thumbscache, are presented exactly in the same method and view as the Email tab presentation. The archive contents are produced either by the auto processing of an evidence item, or the users processing through the TOOLS available in the deconstuctable category. In some cases they can be auto deconstructed as part of other processes and can be fully recursive at user discretion from other objects such as nested archives or containers or in emails.
The Salvage explorer produces output during salvage processes exactly like the Archive explorer . All salvage as defined by the Salvage processing engine, is presented all in one place in the one Explorer tab. You do not have to figure out where something was ever salvaged from, or which group it belongs to.
Registry files from any NTFS system or location can also be viewed in an identically formatted Registry Explorer tab. Unique only to ILookIX, you now have access to every HIDDEN registry key in addition to all deleted keys within any hive file. This is a view which has 100% interface consistency for not only the keys and values, and hidden versions of both, but also the search output itself.
Co-located in the same explorer is a new form of registry generated search output called “shortcut” explorer, which allows any keys, including wildcard values, to be User defined and auto-searched against any hive. You essentially convert the shortcut into a “VIEW” of that one hive file. The shortcut includes default values as seen here, but is unlimited by key definitions. It makes it easy to locate keys critical to the investigation and eliminates the need to search all hives – they simply are in “view” , when you click on the hive itself. All non user specified hive values are thereby hidden from view. You generate them one time for all hives, then apply the view to any particular hive you select.
Functions generally, and options in particular, all have a home in the TOOLBOX design. Each floating menu item acts independently of any other. The use of multi-threading deconstruction tools allows for functions not run during Image load, to be run from the toolbox independently, at any stage or future point in time. Other deconstructions are executed simply by where files are located in virtual categories, placed there automatically by ILookIX. There are only a few functions that are required on the image load and mapping of an analyzed file system, and only because later potential functions have post action dependencies.
The top menu in the Toolbox functions is the Hashing function. The classes of items which can be hashed are also joined with individual menu systems which allow hashing down to the level of single files or up to entire file systems.
The Indexing functions are all clearly selected by category of data. While the same functions are available within the starting wizard, they can be skipped from the initial data load for any image set and customized to one image by itself or the more granular areas within an image or data set.
Searching Functions work slightly differently. One seldom knows at data load time what the search term type would be: regex, simple, or indexed. For this reason the Search features of the toolbox serveto execute searches by category and output them all directly into the search output stream engine where they are further delineated as to their source and location. The inventive use of this approach segregates searches into more easily visible component groups for faster and easier analysis or reporting.
Hash Deduplication, first brought to forensics by ILook, and Exclusion hashing, are obviously easy to elect. If you load 10 images and hash them, you can remove the duplicate files in just seconds for all image sets at one time in one function and see the results on one screen at one time in the Category Explorer.
The dictionary generation inside ILook has for years been a very overlooked feature when it came to encryption issues. Previously, with no built in Decryption, it had only external values when used with other tools. But now, it could not be simpler to generate dictionaries for any or all loaded evidence data and there is a default dictionary included with ILookIX. Passware is auto driven by these dictionaries.
The Analysis tab Toolbox primarily lists options. The options available to the user are all visible in this one option list. The ones listed here are all composites of one option with the exception of the illicit image / human scan option at the bottom. Event, Cloud, Email, Virus and Trojan Detect, and Lead Analysis are in one option pack.
Password detection is NOT an option, nor is password breaking, it is included in the base analysis function group. It is also part of the overall Passware Password breaking processing.
The Event Viewer option : process all events by type into a visual map of timeline data, according to any group of items selected.
A first in forensics tools, AV detection is now a reality. It’s as simple as it looks, detect Trojans and Virus files within any system and report them in any form before they cause reviewer harm – or – provide the evidence needed to support the proposition that the content of the machine was not the fault of the user.
The following screen shows the identification of a virus within a zip file and the associated property report.
For the first time you can identify human forms among millions of files – and salvage artifacts – with a single click option – in a fully automatic process. It is performed in a high speed pass against 5 types of movie files, and 7 types of graphics files in two modes, one with an 80% postive rate of return and one with a 95%.
Miniapp IDE and Runtime are both options. IDE is the developer version of the ILookIX programming environment, and the Miniapp Runtime, is a separate component option to execute applications generated for or within the IDE. In simple terms, you can develop your own .NET applications using anything in ILookIX, even the controls and compile it to run on any other installation of ILookIX which has the Runtime option enabled.
The toolbox Reports menu generates reports of any case or any evidence item based on the classification of Virtual Categories, invented by ILook years ago in Version 7. Items associated with a Virtual Category can be assigned to different reports of different types and saved or exported as one of 7 different data types including: PDF, HTML, MHT, RTF, Excel, TEXT, CSV or even sent as e-mail to any reviewer.
For the first time, the commercial sector of forensics can have the only 100% self-contained data review and response tool that 100% protects an end user’s machine from damage, from data infiltration, or from information spillage. You can 100% avoid the leading problem facing all e-discovery and investigative agencies : data contamination across cases or investigations, by using IVault in a secure and safe environment . A tool that is simple enough for the most novice computer user.
IVault – in use for several years in Federal Government service – uniquely provides the reviewer with the full standalone capacity to do what they have always needed, but no single product or even a group of products has previously provided in the marketplace.
- Built in Viewer capability
- Built in Index and Regular and fuzzy search capabilities
- Built in Exporting to safe formats such as PDF with attachments
- Built in protection of the end users machine using the I-Protect management interface.
- Built in Hex Viewer for review of non typical file types.
- Even Bates numbering of the exported data – Ivault does it all.
In order to communicate with the ILookIX investigator, the Review end user of IVault generates a simple binary file of selected output tagged items that re-generates the findings on the ILook users analysis machine for further study. The file is small enough, and both compressed and encrypted, that it can be conveyed simply by internet email.Filelist Capability
Generally all files in existence, or even unallocated blocks are reviewed in the primary file list on the right top single screen view. The uniqueness of this viewer composer is vastly more powerful and complex than it might appear at first glance. It has the exceptional flexibility in the Query capabilities of unlimited dimension built into each column type. You can instantiate any number of Query’s through filters on any number of types all at the same time, and modify each filter independently of any other.
This falls under the odds and ends category. Unique to ILookIX every item in every classification of existence has its own property sheet which details all of the information contained within that object. Each can be fast printed by clicking a tool button.
The point of the view here is simple: you will not find right and left click menus here. There is a primary one that exists in any explorer group. You execute all commands from explorer specific tool bar buttons.
Have you ever found it challenging to partner a file or object with a report of further analysis ? If so, this method will be more than slightly helpful to you. All object reports become directly associated with any item they apply to specifically by the use of STREAM generated attachments to the object. You no longer can lose the report, it stays within the NTFS file system stream on which all output objects are based.
An odyssey that never ends. ILook – the first product to bring to computer forensics full Unicode searching is of course, as it has been for years, fully Unicode compliant. It is important to mention for those who never deal with Unicode or multi-language data that this is a base requirement of any computer forensic application.
Earlier, we noted the Search Functions executed from the toolbox. Here, we see the execution screen where one of the search modes is selected, and the qualifications of the search are input by the user. The items of evidence selected dictate the search output data-engine store and store reports which are presented for historical purposes on their own output tab.
Here we want to find out how many times the word Microsoft appears in this image set. The word appeared exactly 6935 times, and you can see that almost all occurrences (not 100%, however) were found in files.
Here we see the search output reported directly to Excel – if you do not have Office or Excel, a free viewer is available from Microsoft.
Simply select the particular search result set and ILookIX finds all of the objects for you instantly and gives a calendar timeline of the search hits themselves. You can filter the file objects by dates to further refine the type, periods, or hit quantities of the files found.
We saved the best for last. Although in other places here we’ve described the full IDE option, here you can see a real application sample codebase that is included in the IDE integration. It is indeed programming, but it also is REAL programming, in a REAL developer environment , which provides unlimited power to those inclined to develop their own solutions or to help others by providing independent solutions.