Analysis Pack Tools: Event, Cloud, Email-Link, Lead-Link and Virus and Trojan Detection!

What is Event Analysis?

Event Analysis is a type of frequency analysis. In this case, the analyzed frequency is that of particular filesystem events within the case data. The analysis is presented in an interactive bar chart form, removing the complexity of the underlying analysis and presenting the user with an easy-to-understand “picture” of the analysis. The analysis is based on your current mapped filesystems. The event types are presented as colored bars and frequency is presented as a function of bar height. Therefore, the larger the bar, the more frequent the event. Each bar represents the frequency of one event type per month, and the color of a bar represents the event type.

An event analysis is very simple to make. To begin, the user generates an analysis from the Analysis section of the tool box by selecting Event Analysis. The event analysis interface will appear and will initially be blank. Select one or more mapped filesystems from the selection list to run the analysis, and it will appear in the interface. Depending upon the capabilities of the user’s PC, it may take a few seconds to show the analysis.

What is Cloud Analysis?

  • Cloud Analysis is a type of frequency analysis. In this case, the analyzed frequency is that of distinct words within the case data. The cloud is formed from complex mathematical models of the words contained in the indexes of the case. The more words, the more complexity, and the more intensive the processing needed to formulate the cloud. (Note: marginal computer systems are not recommended for this functionality.)
  • The analysis is presented in data cloud form, removing the complexity of the underlying analysis and presenting the user with an easy-to-understand “picture” of the word analysis. The cloud is an interactive pictorial display of part of the underlying frequency analysis.
  • The analysis is based on the user’s current index case database, so the case data must be indexed prior to initiating an analysis.
  • Words are presented as a cloud of words and frequency is presented as a function of text size. The larger the text font size, the more frequent the word.
  • Like any summary analysis of this type, it is necessary to hone the analysis in various ways to get the best results possible. The cloud analysis has a number of features designed to make it very easy for the user to refine the analysis and bring case relevant data to the forefront in an investigation.
  • Users can auto-zoom the interface so that the entire cloud is visible, and reset the view to normal zoom via buttons on the mini tool bar.
  • Users can generate a print report from the current analysis using the print button on the mini tool bar.
  • Users can save the analysis state at any time using the SAVE button on the mini tool bar.
  • If the user double-clicks on any word, ILook will initiate a search on that word and deposit a search record in the Search History area. This enables the user to view the case objects from which the word originated.

What is Email-Link Analysis?

Email linkage analysis is an interactive evidence model. The aim of email linkage analysis is to help you discover links between the correspondents within your email data.

The analysis is presented as an easy-to-use link model. The complexity of the modelling is removed to give you the clearest possible method of discovery.

You may save your analysis at the end of your modeling session so you can edit the analysis model and save any changes if you wish.

The email option in the analysis tools is designed to provide a summary visualization of the email items that comprise one or multiple email stores. These stores can be of any email type, and any that are selected within the tool are incorporated into the graphical view.

The view’s purpose is to allow the examiner to focus clearly and quickly on the pertinent responsive emails that comprise the selected group. Selecting any node within the representation selects those specific emails in the email list.

Traffic volume is represented by the darkness and thickness of the thread lines: the thicker the line, the more traffic there is between the two correspondents. Unimportant email addresses can be removed from the model simply by selecting them and pressing the delete key. The sender/recipient links are established on the sender side of the rules on which the email analysis is based. Selecting entire groups in the control view and in the email list view inside ILookIX can also be used to remove unwanted or unresponsive emails by direct list elimination; all eliminated emails then reside virtually in the Eliminated list item of the central Category Explorer. You can filter the analysis so that it only includes linkage from email accounts that you specify by entering a value in the ‘From’ filter box on the mini tool bar. Large knots of addressee nodes and lines indicate correspondence hot-spots. Green nodes indicate the sender of data, yellow nodes indicate the receiver of data, and blue nodes indicate a correspondent who has both received and sent data.
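The linkage model described above (sender-to-recipient links weighted by message count, green/yellow/blue node roles, delete-key removal of an address and the ‘From’ filter), as an added Python example that is not ILookIX code. It runs on a constructed five-message mailbox and assumes correspondents are taken from the From, To and Cc headers.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample mailbox (headers only); not real case data.
SAMPLE_MESSAGES = [
    "From: alice@example.test\nTo: bob@example.test\n\nhello",
    "From: alice@example.test\nTo: bob@example.test, carol@example.test\n\nre: hello",
    "From: bob@example.test\nTo: alice@example.test\n\nre: re: hello",
    "From: bob@example.test\nTo: alice@example.test\nCc: dave@example.test\n\nfwd",
    "From: eve@example.test\nTo: dave@example.test\n\nunrelated",
]

def roles_from_edges(edges):
    """Colour nodes as the page describes: green = sent only,
    yellow = received only, blue = both sent and received."""
    senders = {s for s, _ in edges}
    receivers = {r for _, r in edges}
    roles = {}
    for addr in senders | receivers:
        if addr in senders and addr in receivers:
            roles[addr] = "blue"
        else:
            roles[addr] = "green" if addr in senders else "yellow"
    return roles

def build_linkage(raw_messages, from_filter=None):
    """Sender -> recipient links keyed from the sender side. The edge weight
    is the message count the GUI draws as line thickness; from_filter
    mimics the 'From' filter box (only that account's outgoing links)."""
    edges = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        senders = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
        if not senders:
            continue  # no usable From header: skip rather than guess a sender
        sender = senders[0]
        if from_filter and sender != from_filter.lower():
            continue
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
            if addr:
                edges[(sender, addr.lower())] += 1
    return edges, roles_from_edges(edges)

def drop_address(edges, addr):
    """Delete-key removal of an unimportant address: drop every link it
    takes part in, then recolour the remaining nodes."""
    kept = Counter({k: v for k, v in edges.items() if addr.lower() not in k})
    return kept, roles_from_edges(kept)
```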

What is Lead-Link Analysis?

Lead Analysis is an interactive evidence model. The objective of lead analysis is to help the user discover information links within the case data being analyzed. The mathematical analysis derived from indexing case data is used to form linkage between objects, which contain related data, without requiring the user to first find and then later identify a missing relationship. In essence, the relationships are found through the user providing the lead system with information regarding what is known and what is unknown.

The analysis is presented as an easy-to-use link model. The complexity of the modeling is removed within the interface to give the user the clearest possible method of discovery for relationships and linkages to other pieces of the case.

The analysis is saved at the end of the modeling session, so the user can build it up in a series of stages if desired.

The left side is the Lead Objects section. The user can drag these objects to the canvas to set up start points for the analysis, or to manually model linkage.

At the top right is the Potential Links list. At the bottom right is the Skip List, which is the same global Skip List that is also used by the Cloud Analysis.

The user can auto-zoom the interface so that the entire analysis is visible, and reset the view to normal zoom via buttons on the mini tool bar.

The user can generate a print report from the current analysis using the print button on the mini tool bar.

If the user double-clicks on any word, ILook will initiate a search on that word and deposit a search record in the Search History area, enabling the user to view the case objects from which the word originated.

The user can save the analysis state at any time using the Save button on the mini tool bar.

The first task is for the user to state some facts about the case, which will serve as the starting point of the analysis. The facts are stated by establishing start points on the canvas, which is done by dragging lead objects (from the Lead Objects section) onto the canvas. The user will choose a lead object that represents the piece of information being searched for and drag it onto the canvas, then click on the object’s text tag (it will shift into edit mode) and replace the default text with something specific to the lead – like a person’s surname for instance.

Each of the stated facts becomes one starting lead on the canvas. If the user’s nodes are related, the user can model that relationship by manually linking them together; select the first lead object to be linked, right click, and select Add a New Port from the menu. The same should be done for the second lead object to be linked. The new port (a small circle) of the object the user wishes to link from should be selected and dragged to the port of the lead object to be linked to and a line will appear linking the two together. The lead nodes can be repositioned by dragging them around, and the line tag should be edited to provide a description of the link. The user can delete leads or links by selecting them and then pressing the delete key.

Once the starting lead objects are chosen the discovery can begin. The user should right click on a lead object and use the Find Links function.

If there are any links, they will be displayed in the Potential Links list. If no links are present, the user might need to refine the lead object’s text or increase the Speculative Level from the drop-down box on the mini tool bar.

Once a list of potential links has been generated, the user should review it for any links that are potentially relevant. Those that are relevant should be transferred to the canvas by highlighting the links and clicking on the green link transfer button on the Potential Links mini tool bar. This transfers the links to the canvas and links them to the object that generated them. The user iterates this process using each start node or discovered node until the total case data makes sense.

Finally, the user can generate a list of documents supporting the analysis model by clicking the Generate button on the tool bar. This action produces a search history record, including all necessary documents. The documents supporting the model may then be reviewed to glean further information.

What is ILookIX Virus and Trojan Detect? A first in the computer forensics field!

ILookIX includes the ability to find and mark files that contain either a virus or a Trojan, regardless of where they are in the file system. Virus and Trojan detection is provided for forensic purposes only; it is not intended for general system protection outside ILookIX. It provides a protective envelope for IVault creations and surfaces, for evidence discovery, the issues that infected files present, which is necessary for a full and impartial analysis. For the first time in any tool, even free space can be analyzed without jeopardy to the forensics platform.

This tool can find rootkits natively in Windows, and can find virus contamination in Unix, Apple or Linux systems in addition to Windows systems. How else would you propose to do that becomes the obvious question. Should you be required to use different tools for different operating systems, or does it make more sense to standardize on an approach that you can place your own trust in?

There are no AV tools that test free space on a drive, and there is no invincible rootkit revealer or removal program, since that would require proving that rootkits had been banished from all systems. But the avenue of approach is always better when the lowest common denominator of examination can be run, and that is a “dead” system, not a live booted or running one.

To use this feature, select the Virus/Trojan Scan function or the Virus/Trojan Deep Scan function, from the Analysis section of the Tool Box.

How does it work?

In ILookIX, you’ll be shown a dialog where you can choose the evidence items you’d like to scan. Select them by checking the checkbox against each item, then click on the OK button.

You can monitor the task via the Task Progress panel.

You can view files found and marked as infected by clicking on the Infected Files category in the Category Explorer. Once tagged as virus infected, the files are further segregated by icon markers throughout the explorer groups. Files are also marked by their virus status in the FileList: yellow = not checked, green = checked/clean, red = checked/infected. In addition, bug icons tell you, at a glance, which files have been identified as infected.

The deep scan function executes additional virus and Trojan checks against the mapped filesystem. To do this, however, it must extract each file from the image to your control point (a location on disk where the case data is stored). It is essential that you exclude the control point folder from any external AV package before you run a deep scan; otherwise, any virus detected may trigger your AV package, with unpredictable results.

When you view the properties of a file in the properties panel it will show the virus and trojan detection status of the object. Either the object will not have been scanned, the object will have been scanned but will not be infected, or the object will be infected. If the object is infected then the virus or trojan name will also be displayed in the properties.

Both the case report and an IVault file can include files from your case. If you include a file that has not been scanned in a case report or an IVault, a log warning will be generated. If you include a file that has been flagged as infected, a further log warning will be generated. These warnings also produce a warning sound.

In summary, for defendants and prosecutors alike in criminal cases, for the civil community that faces the costs of these challenges every day, and even for high school teachers accused of porn trafficking, all paths culminate in a failure of forensics tools to provide the truth. Instead, reliance and responsibility shift to some other process, some other software and some other method, which yields no solution at all because it is incomplete and deficient when it comes to computer forensics. This is a real world problem that required a real world solution, for now and for the future.