
Insight Tab in new version 1.9.1


JNevins


Hello! Love the new Insight metrics tab released in version 1.9.x. Here is some feedback. Please comment or advise if I am misinterpreting.

I have noticed on two separate cases that the USB mass storage device data is lacking any date reference (first/last connection date/time). I have verified through other tools that the HIVE contains the date/time data, but it does not seem to be parsed by Intella. Also, the web browser function seems to be a bit spotty. One recent case showed no browser activity after processing through Intella, yet a second tool parsed out thousands of URL/cookie artifacts. This might be related to the point below.

Also, in one case Intella failed to list all USER accounts. In this instance, the source disk imaged was an SSD from a Dell Latitude with three partitions named REDEPLOY, DATA, and OS. Intella seemed to parse the user directory from the OS partition but not the DATA partition where the known user's directory resided.

By the way, I am indexing a RAW image file of a complete physical disk and asking Intella to process all known files with no filtering of file types.


Thanks for the continued improvement on the software!


Hi,


Thanks for your feedback and good to hear that you love the new functionality.


USB mass storage dates: we have deliberately excluded these dates for now, as they are notoriously inaccurate from time to time. For example, some dates for devices are updated when other devices are plugged in. As such, it takes quite a bit of forensic knowledge to interpret these dates correctly. We do intend to include these dates in a later release, when we can present them in a way that doesn't put investigators on the wrong track.

Browser activity: can you let us know where these URLs, cookies and artifacts were found? I.e.: the (anonymized) paths to the files?


User accounts: are you referring to Windows user accounts here? These accounts are extracted from the registry, which very likely resided on the OS partition. I'm not sure how to read "did not parse the DATA partition". Do you mean that Intella didn't process any files from this partition? If so, please verify that the source doesn't have any file path exclude filters applied. Also, please check if there are any errors in the case log files that could explain this. See also: Reading and interpreting log files.

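As an added illustration (not part of this thread, and not Intella's code), here is the kind of sanity check an examiner can apply to USB device timestamps pulled from a registry hive before relying on them: devices whose key timestamps coincide are flagged for corroboration, since, as the reply above notes, dates for one device can be rewritten when another device is plugged in. The device records are constructed sample data, and the record layout and field names are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class UsbDevice(NamedTuple):
    """One USB mass storage device as recovered from a hive (assumed layout)."""
    serial: str
    key_last_write: datetime  # last-write time of the device's registry subkey


# Constructed sample: three devices, two of which carry an identical timestamp.
SAMPLE: List[UsbDevice] = [
    UsbDevice("AA1122", datetime(2023, 5, 1, 9, 14, 2)),
    UsbDevice("BB3344", datetime(2023, 6, 12, 17, 30, 45)),
    UsbDevice("CC5566", datetime(2023, 6, 12, 17, 30, 45)),
]


def find_shared_timestamps(devices: List[UsbDevice],
                           tolerance: timedelta = timedelta(seconds=2)) -> List[str]:
    """Return serials whose key timestamp falls within `tolerance` of another
    device's. A shared timestamp suggests a bulk update on a later connection
    rather than an independent connection time for each device."""
    flagged = set()
    ordered = sorted(devices, key=lambda d: d.key_last_write)
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later.key_last_write - earlier.key_last_write > tolerance:
                break  # list is sorted, so no later entry can be within tolerance
            flagged.add(earlier.serial)
            flagged.add(later.serial)
    return sorted(flagged)


def classify(devices: List[UsbDevice]) -> Dict[str, str]:
    """Label each device 'corroborate' (timestamp shared, check setupapi logs or
    other sources) or 'plausible' (timestamp unique within this hive)."""
    shared = set(find_shared_timestamps(devices))
    return {d.serial: ("corroborate" if d.serial in shared else "plausible")
            for d in devices}


if __name__ == "__main__":
    for serial, verdict in classify(SAMPLE).items():
        print(f"{serial}: {verdict}")
```

A unique timestamp only means the value was not obviously mass-updated; it still needs to be read alongside other artifacts before it is reported as a connection time.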
