IVault – Analysis-Review Platform for ILookIX

IVault, the end-user review tool produced by ILookIX, is installed in much the same way as ILookIX itself, on any end user's machine. It requires only the .NET Framework prior to install. Like ILookIX, it requires a signing key. It provides a fully protected reviewer interface in which to review any data retrieved from the forensics process, a first in this field.

IVault is produced within ILookIX by a very simple process. You allocate any object to an existing or new virtual category, then choose the menu option within the ILookIX toolbox to create the IVault. It can be created at any path visible to the machine. The IVault is compressed and encrypted, and it is formed independently of ILook. The file is encrypted during the creation process. From that point on, the encryption on the container itself (an .IVault file type) protects the file in any location and requires a password for data access. It can never be decrypted in any form except through the IVault interface itself.

The ILookIX investigator/producer can elect to limit the end-user reviewer’s access to certain IVault application functions, such as searching the data, extracting files from the IVault container, or copying the data to another location.

The IVault application is previewed in the following screen, and allows the reviewer, in 100% safety, to review, select, and categorize any objects in the IVault file container. The user can even manage the resources in the patent-pending I-Protect Interface, which protects the user’s computer, or any computing system, during the use of IVault on the client machine. The structure of all files or objects captured within the IVault container is displayed in a form that is easier to understand for novice reviewers unfamiliar with the details of computer forensics. The objects, usually files within the container, can be printed into multiple formats, or they can be exported to disk in both native and “safe” printed formats. Documents of multiple objects are printed to PDFs by default, which protects the integrity of the objects' metadata and maintains the original parent->child relationship between multiple objects. This object relationship is provided especially for email export forms. In cases such as email, where files were attached to the original emails, they are attached as PDF attachments in the exported form.

In this example, we simply selected all GIF files from a test image, exported them to an IVault and then opened them with the IVault Viewer. The files that were in the ILookIX mapped image set are seen here as they exist directly in the IVault view of the IVault container file. Once they reach this container status, they are not just preserved and protected within the container by encryption and compression; they are also restrained into the container on the review computer system, so that nothing can escape to the outside process and contaminate the review platform, even when the contents are searched, analyzed or printed to PDF form.

The next screen shows an expansion of the filtering available in both IVault and ILookIX. The user can filter on any group of columns or even generate complex filter queries with this single function control. By using the column filters and custom select filters for individual searches, an average user can quickly find the information he or she is seeking, even without the use of advanced searching, including indexed searching.

The selections visible here include the user's ability to select categories for assignment to the objects seen or viewed in the view panel, which also includes a Hex viewer for files that have no included viewer within the application controls.

A short IVault summary – An Integrated, Evidence Container Review Tool

  • Easy data review for a non-technical audience.
  • Easy to use interface, straightforward and uncomplicated.
  • Two, inbuilt, fast and thorough search engines.
  • Inbuilt file viewers for hundreds of file types.
  • Inbuilt e-mail searching and viewing.
  • Multiple categorization features.
  • Crumbs feature, recording the data that has been reviewed already.