With more than a dozen out-of-the-box Search Profiles inside Digital Evidence Investigator® (DEI) and all the ADF digital forensic and triage tools, the ADF Digital Forensic team has created software that enables investigators and forensic examiners to capture files, artifacts, and the digital evidence needed in a wide variety of evidence collection situations.
What is a Digital Forensic Search Profile?
A Digital Forensic Search Profile is a combination of Artifact and File Captures. Artifact Captures recover specific records or information e.g. browsing history records or user account information. File Captures recover files matching certain criteria such as file properties, inclusion of keywords or matching hash values. File Captures are supplied within the ADF software program and can be user created.
ADF Search Profiles
- General Profiling (Quick): Runs all artifact Captures, except Email and Peer-to-Peer (P2P), searches for anti-forensic traces, remote access traces and pictures in browser cache
- General Profiling (Intermediate): Runs all artifact captures, excluding P2P captures, collects pictures, video frames , and Office documents in user folders. Searches for anti-forensic traces, remote access traces and social media traces. Collects protected files and files not processed by parser.
- General Profiling (Comprehensive - Speed Optimized): Runs all artifact Captures, excluding P2P Captures, collects allocated, embedded, and deleted pictures, videos, and frames from videos over 100MB and Office documents using the Thorough Identification for Files Without Extensions. Collects Registry files, searches for anti-forensic applications and more.
- General Profiling (Comprehensive): Runs all artifact Captures, excluding P2P Captures, collects allocated, embedded, and deleted pictures, videos, and frames from videos over 100MB and Office documents. Collects Registry files, searches for anti-forensic applications remote access traces, social media traces, and more.
- Collection - iOS Backup (Quick): Collects all files from an iOS backup.
- Email (Intermediate): Recovers messages and attachments from outlook, Apple Mail, Windows Mail and Windows Live Mail. Collects protected files and files not processed by parser.
- Collect Pictures from Free Space (Comprehensive): Searches Unallocated Clusters for Deleted Pictures.
- Child Exploitation - CE (Quick): Runs all artifact Captures, except Email, collects pictures and video frames in web browser caches, and searches for common child exploitation keywords in file names and artifacts. Searches for P2P traces and files in the Skype caches.
- Child Exploitation - CE (Intermediate): Runs all artifact Captures, collects pictures and video frames in user folders, searches for common child exploitation keywords in user folders, and searches user folders for known has values. Searches for anti-forensic traces, remote access traces, and files in Skype caches. Collects protected files and more.
- Child Exploitation - CE (Comprehensive Speed Optimized): Runs all artifact Captures, collects allocated, embedded, and deleted pictures and videos using the Thorough Identification for Files Without Extension option. Searches for common child exploitation keywords, and searches for known hash values (Project VIC, CAID).
- Child Exploitation - CE (Comprehensive): Runs all artifact Captures, collects allocated, embedded, and deleted pictures and videos. Searches for common child exploitation keywords, and searches for known hash values (Project VIC, CAID). Searches for anti-forensics traces, remote access traces, P2P traces and files from Skype caches, and more.
Note: Child Exploitation (CE) Search Profiles were formerly called Indecent Pictures of Children (IPOC).
Create Custom Search Profiles
ADF Software is built with non-technical users in mind. It's easy to create a new Custom Search Profile from scratch but DEI users can also begin by copying an out-of-the-box Search Profile and then customizing Captures to suit operational objectives.
Importing and Exporting Search Profiles
Search Profiles can be imported and exported so that they can be used on another computer. This functionality enables users to build Custom Search Profiles and share them with team members or for staff conducting specific onsite examinations.
Digital Evidence Investigator® allows the creation of custom Search Profiles containing a combination of default and user-created Captures. Copies of the default Search Profiles may also be modified to suit operational requirements.