DFIR Training Blog



Yes, I know it’s wrong, but I don’t usually RTFM first…..

Yes, I usually skip reading the friendly manual before trying out a forensic tool, but the reasoning is sound! I want to know how intuitive a DFIR GUI tool is before I dive into the instructions. And I watch the instructional videos. And I browse the support forums. And I test the new tools against my others. And I compare everything. And I take training too.

But jumping right in helps me quickly determine a few things about what to expect:

  • Did the developer design the tool with user intuitiveness in mind?
  • Does the workflow flow?
  • Do I get lost easily or is it easy to find my way around?
  • Are the help files helpful?
  • Can I see the data the way that I want to see it and how I expect to see it?

With every case and every evidence item, there are several tools that will do practically everything that you need to do with that evidence. Sometimes, you put on your swim trunks and dive into hex to get the most minute detailed view of data. Other times, you put on your aviator shades and look at all evidence from 40,000 feet to get the big picture.

So, this is what I did over the past week: getting to know Paraben’s Electronic Evidence Examiner before putting it to work. I’ll get to my thoughts on Paraben shortly but until then…

Which tool to pick?

We are all tool hounds, even when we don’t want to admit it. We want to think that we are able to magically carve out data ourselves, but in reality, we need some tool to do that work for us. We can’t scrape out the registry with our thumbs.

With that, how do you know which tool to pick for your next case or even your current case? The way that I do it is to have a collection of tools available, some that I am intimately familiar with and others whose capabilities I am aware of, but maybe not as fluent with because I don’t use them as often as my ‘go to’ tools.

The reason to have a bunch of standby tools that you don’t usually use is that one day a case will land on your desk for which your ‘go to’ tool isn’t the best fit. Having something at arm’s reach, that you are somewhat familiar with, will save you lots of time in planning and analysis.

That’s how I choose my tools. Some I use a lot. Others not so much. Some hardly at all. But with all of them, I have spent enough time to know which type of case will fit each tool and which tool will fit each type of case. You can’t do everything with just a hex editor, just as you can’t do everything with an endpoint tool.

I suggest that when you are doing tests, research, and just going through your toolbox, do a good search of what is new and what you can get with a demo of a tool that you just may need one day. Be a little familiar with it and when the time comes, you will have a list of several tools that will fit the bill of the case that lands on your desk. The day that you stick with one tool, and only one tool, is the day that every DFIR problem starts looking like a nail for your one hammer.

Paraben’s Electronic Evidence Examiner

Let me get the big elephant out of the way first (it’s actually not a big elephant): Cost.

Paraben has always had a reasonable price of entry for all its applications, and this suite is no different. For some, money is not an issue, but for (most all) others, it is always an issue. But one thing is for sure. There have been some really good suites coming out in the past few years with great pricing, and Paraben has held solid ground with them, providing powerful forensics tools with great pricing.

Jumping right into Paraben's E3 Electronic Evidence Examiner before reading the "how to use", you can quickly see that it is going to be intuitive. I did find that for everything that needs more explanation, there are lots of YouTube videos and a detailed manual to guide you. Easy enough. Layout is plainly simple, and by simple, I mean that when a complicated forensic application looks “simple” that usually means an amazing amount of time, effort, and creativity was needed to accomplish the simplicity.

The old days are long gone when deadbox forensics with a write blocker was the only way, when physical memory was not even a consideration, and many of the tools available were not only clunky and counter-intuitive but were also apparently designed that way on purpose. A few of the tools of that day are still in use, because for some, there are no replacements. But for the rest, we are solidly in a world where automation has improved to the point of allowing examiners to focus on the interpretation of data more than fighting to get data presented in a manner that can even be understood.

Today’s forensic apps, and Paraben is no exception, make a large chunk of the work effort, effortless. Files are categorized, separated, and neatly displayed for the high view. And for a deeper view of individual files, you can do that too. Some tools specialize in different areas, but overall, the manner of operation (which is largely personal preference) makes the difference.

As a forensic suite, Paraben's E3 does in fact handle what you hope a forensic suite can handle. Capabilities like mobile devices, the cloud, triage, email, social media, and AWS & Azure are all there.

SC Magazine lists Paraben’s E3 as a finalist for “Best Computer Forensic Solution”

I saw that Paraben’s E3 was listed as a finalist for Best Computer Forensic Solution (https://www.scmagazine.com/scawards/best-computer-forensic-solution-finalists/), and I can see why because, just like the other finalists, much of your forensic work has been done in the application, so that you can focus on the interpretation of data more than other aspects that automation can handle for you. On top of that comes remote acquisition capabilities, along with mobile forensic features, ingestion of practically any type of electronic evidence, and automation of tasks.

My opinion

Give Paraben E3 a test run to see if you like the way it operates. I think that you will be impressed. As far as accuracy and my personal tests go, not a single issue or question: E3 does work as Paraben says it does. Insofar as having a suite like Paraben’s E3, or any of the suites in the same class, I strongly believe that if you do forensics, you need at least one of them to balance out your toolbox with a tool that does practically everything you could ask.

The first things that set the tone of what to expect with a forensic app (as far as I am concerned) are:

  • How to add evidence
  • What types of evidence can I add

If I can't figure this out in a few seconds, I start to dread how difficult it will be to find artifacts if I can't figure out how to add the source in the first place. Remember, I started long enough ago that to add evidence to some tools, you had to know the secret sequence of clicks to add only the types of data allowed.

You may do IR all day and a touch of deep forensics on a drive, or maybe just the opposite, but either way, have some tools at hand or at least be aware of what is available at the drop of a hat. Paraben’s E3 fits right in that sweet spot.

About Paraben

There are so so so many forensic apps in the wild that it is impossible not only to be proficient in them all but even to know which tools actually exist! However, there are some that are so well-known that they can be considered to be in the 'club'. The club includes all the names that you have seen for decades, used in almost every lab, taught in schools, written about in books, and constantly being improved. There are quite a few tools in this club, and Paraben is in it due in no small part to Amber Schroader. That's pretty cool. DFIR cool.


Written by: Brett Shavers
