Forensics 101

How To: Integrate LACE Carver With Griffeye Analyze DI Pro

Let’s talk about the exciting new LACE Carver Integration with Analyze DI Pro. Once you have the proper license, you can head over to your Downloads page on MyGriffeye.com and go to the LACE Carver download. Once the app package has been downloaded, we can go back to Griffeye and install it under Settings, Plugins, and click on the Install button, selecting the file we just downloaded from the internet.

Once the file is fully extracted and the plugin has been installed, you can head over to the Analyze Forensic Marketplace, where we now have LACE Carver integration. If you click on it, you can get Introduction, Installation information, and how to use it as well.

Now let’s create a new case and check out the additional processing features available to us with the LACE Carver integration. The first thing you’ll notice is we have an additional selection, Physical Media. The LACE Carver integration allows Griffeye Analyze DI to point directly to a physically connected device.

Notice that when we select the device, we can either look at it on the physical level or the logical level, whichever you prefer. None of my physically connected devices are write-locked, so I’m going to use a forensic image file that I’ve already created.

Once I select the image file, notice it gives me additional options on how to process this forensic image. If I select Import Forensic Image, I get the standard Analyze DI Import, which does not get unallocated files. But if I select Carve Forensic Image with Lace, it handles the entire processing of the E01 file to include valid files and unallocated files. It also gives me several carving options and an Advanced button if I want to further refine what I’m looking for – it could be images, videos, documents, deleted files, unallocated files, and some other file formats.

Because we chose the integrated LACE Carver to handle the forensic image file import, there’s no need to bring in an additional folder containing carved unallocated files. It’s all contained in the same source ID in this investigation. So, we can continue to process our case as we normally would. The Integrated LACE Carver will begin to carve the forensic image. Now, remember, this is getting valid files as well as deleted and unallocated files. Once the LACE Carver has completed processing the forensic image file, the results will be imported into the Griffeye case, as it normally would. Using the Integrated LACE Carver to process our forensic image, we found 33,804 files as a part of our investigation.

Now let’s take a look at a case I created using the same forensic image file, but selecting the standard import, not using the LACE Carver. I was only able to find 1,893 files in that forensic image. Now let’s take a look at the information we have within the case, about our files. In the grid view, the unallocated column now contains checkboxes on all the files that were found in unallocated space, as well as the physical file location or physical sector where that file was found. We also now have the ability to filter files that we found in unallocated space by going over to our filters, the File tab, and to the unallocated filter, and select Is Unallocated, and now we filter down to just the files we’ve found in unallocated space.

Thanks for watching. If you have any questions or comments, hit us up in the forums or send an email to support@griffeye.com.

About scar

Scar de Courcier is an assistant editor at Forensic Focus.
