RECON LAB Manual

  1. INTRODUCTION
    1. WHY USE A MAC FOR FORENSIC ANALYSIS?
      1. APPLE EXTENDED ATTRIBUTES
      2. VIEWING PROPER TIMESTAMPS
      3. VIEWING FILES NATIVELY
      4. APPLE FILE SYSTEM (APFS)
      5. LOCAL TIME MACHINE SNAPSHOTS (APFS)
      6. FILEVAULT
      7. SUPPORT FOR OTHER FILE SYSTEMS
    2. HYBRID PROCESSING ENGINE
    3. THREE STAGE ANALYSIS
    4. SUPPORT FOR OVER 270 TIMESTAMPS
    5. ADVANCED TIMELINES
    6. ADVANCED DATA CORRELATION
    7. ADVANCED REPORTING WITH FULL CONTROL
  2. RECOMMENDED MINIMUM REQUIREMENTS
  3. HELPFUL HINTS
  4. GETTING SUPPORT
  5. RENEWING RECON LAB
  6. TRAINING
  7. INSTALLATION
    1. INSTALLING XCODE AND COMMAND LINE TOOLS
    2. INSTALLING FUSE FOR macOS
    3. INSTALLING PARAGON DRIVERS
    4. DOWNLOADING RECON LAB UPDATES
    5. INSTALLING RECON LAB
    6. GRANTING PRIVILEGES
      1. FULL DISK ACCESS
    7. ENERGY AND SLEEP SETTINGS
  8. STARTING RECON LAB
    1. ADDING YOUR LICENSE
    2. INSTALLING PYTHON
    3. ADMIN PASSWORD
    4. ACCESS WARNING MESSAGES
    5. RECON LAB WELCOME SCREEN
  9. CONFIGURATION
    1. EXAMINER DETAILS
    2. ARTIFACTS AND PLUGINS
    3. USER DEFINED EXTENSIONS
    4. USER DEFINED FILE SIGNATURES
    5. KEYWORD LISTS
    6. TEXT INDEXING FILTERS
    7. APPLE METADATA FILTERS
    8. EXIF METADATA FILTERS
    9. VOLATILITY PATH
    10. SYSTEM PASSWORD
    11. TEXT VIEW SETTINGS
    12. EXTERNAL APPLICATIONS
  10. STARTING A NEW CASE
    1. CASE INFO
    2. ADDING SOURCE DATA TO PROCESS
      1. MOUNTED VOLUMES
      2. FORENSICS IMAGES
      3. FILEVAULT IMAGE
      4. FUSION IMAGE
      5. OPTICAL DISC IMAGE
      6. RAM IMAGE
      7. IOS BACKUP
      8. TIME MACHINE BACKUP
      9. GOOGLE TAKEOUT
      10. MACOS HOME DIRECTORY
      11. FOLDER
      12. FILE
      13. ADB ANDROID BACKUP
      14. RECON LOGICAL IMAGE
    3. ADDING SOURCE INFORMATION
    4. ADDING MULTIPLE SOURCES
    5. CASE DIRECTORY
    6. DATE AND TIME SETTINGS
    7. FILE SYSTEM MODULES SELECTION
      1. APPLE METADATA MODULE
      2. MIME TYPES MODULE
      3. SIGNATURE ANALYSIS MODULE
      4. EXIF METADATA MODULE
      5. HASHES MODULE
    8. ARTIFACT PLUGIN SELECTION MODULE
  11. RELOADING A CASE
  12. RECON LAB INTERFACE
    1. PROCESSING STATUS WINDOW
    2. CASE VIEW
    3. TOP MENU
    4. MAIN COLUMNS
    5. CASE SIDEBAR
    6. MAIN VIEWER WINDOW
      1. TABLE VIEW
        1. RECURSIVE VIEW
        2. EXPORT TO CSV
        3. TABLE VIEW FILTER AND SEARCH
        4. NAVIGATION BUTTONS
      2. GALLERY VIEW
    7. MULTIMEDIA PREVIEW PANE
    8. VIEWER PANES
      1. DETAILED INFORMATION PANE
      2. HEX VIEW PANE
      3. TEXT VIEW PANE
      4. STRINGS VIEW PANE
      5. EXIF METADATA VIEW PANE
      6. APPLE METADATA VIEW PANE
      7. MAPS PREVIEW PANE
  13. REMOVING A SOURCE
  14. RIGHT-CLICK OPTIONS
  15. PREVIEWING FILES
  16. AUTOMATED ANALYSIS
  17. BOOKMARK AND TAGGING EVIDENCE
  18. INDEXING
  19. SEARCH OPTIONS
    1. ARTIFACTS KEYWORD SEARCH
    2. FILE SEARCH
    3. CONTENT SEARCH
    4. APPLE METADATA SEARCH
  20. ADVANCED VIEWERS
    1. PLIST VIEWER
    2. HEX VIEWER
    3. SQLITE VIEWER
    4. REGISTRY VIEWER
  21. EXPORTING OPTIONS
  22. CARVING
    1. FILE CARVING
    2. DATA CARVING
    3. CARVING UNALLOCATED SPACE
  23. USING HASH SETS
    1. CREATING HASH SETS
    2. IMPORTING HASH SETS
    3. REMOVING FILES FROM CASE USING HASH SETS
  24. HIDE OR SHOW FILES
  25. PROJECT VIC
  26. EMAIL ANALYSIS
  27. TIMELINE ANALYSIS
    1. SUPER TIMELINE
    2. ARTIFACTS TIMELINE
  28. REDEFINED RESULTS
    1. COLLATED LOCATION HISTORY
    2. COLLATED MESSAGING
    3. COLLATED WEB HISTORY
  29. RAM ANALYSIS
  30. APFS SNAPSHOT ANALYSIS
  31. ACQUIRE IOS DEVICES
  32. REPORTING
    1. PLUGIN REPORTS
    2. GLOBAL ARTIFACT REPORTS
    3. STORY BOARD - WYSIWYG REPORTS
  33. SHUTDOWN
  34. EULA

1.Introduction

 

RECON LAB is a full Forensic Suite that supports numerous file systems and the artifacts of Windows, macOS, Linux, iOS, Android and more.  RECON LAB was created to solve multiple problems inherent in other forensic tools and to expedite processing and analysis without sacrificing the quality of the exam.

RECON LAB was designed, developed and runs on macOS.  This was the only logical choice for developing a modern forensic tool to support the largest amount of file systems and artifacts without losing data.

The most difficult file system and operating system (OS) for most forensic tools to support is macOS.  macOS understands its own file system and can interpret its own artifacts.  This is not true of other operating systems and forensic tools, which do not natively support macOS and its artifacts.

In addition to its own file system and artifacts, macOS supports a multitude of other file systems and the artifacts of Windows, Linux, Unix and many more.

RECON LAB is the only full Forensic Suite designed from the ground up on macOS to take full advantage of the power within macOS.  Other forensic tools that run on a Mac were ported from non-Mac operating systems and experience limitations.  Instead of using native macOS libraries they rely on reverse engineering and third-party applications.

As RECON LAB relies on native macOS libraries, support for new macOS file systems and/or artifacts is quick or instantaneous.

RECON LAB comes with one full year of free updates and support.

1.1.Why Use a Mac for Forensic Analysis?

Until the release of RECON LAB, no other forensic tool properly processed or utilized the correct timestamps for macOS.

This is only one example of an extremely important artifact that is improperly interpreted or missed completely by other forensic tools.

It is imperative to understand the importance of macOS in forensic exams and what may be missed by other forensic tools.

1.1.1.Apple Extended Attributes

Apple Extended Attributes are special metadata created only within macOS to allow searches via the macOS search utility, Spotlight.

Apple Extended Attributes contain extremely valuable information for investigations.  This special metadata cannot be seen in Windows.  Most Windows forensic tools ignore or have a limited ability to display Apple Extended Attributes as they are not natively supported.

Images and data collected by SUMURI’s RECON IMAGER and processed by RECON LAB provide the most extensive views of Apple Extended Metadata.

Understanding Apple Extended Metadata is critical to investigations.

1.1.2.Viewing Proper Timestamps

Apple’s macOS uses Apple Extended Attributes for timestamps in preference to POSIX (Unix) timestamps.

RECON IMAGER, when used with RECON LAB, is the only solution to properly view and utilize the correct macOS timestamps.

1.1.3.Viewing Files Natively

There are many file types and artifacts proprietary to macOS.  As RECON LAB is designed on macOS it supports all macOS files and artifacts natively.

For example, Applications in macOS are actually “bundle” files.  Everything needed for the application to run is found within the bundle.  What appears to the Mac user as a single file is actually thousands of innocuous files and folders.  In traditional forensic tools, these bundles are expanded, adding unnecessary artifacts to your case.

RECON LAB is also integrated with macOS’s Quick Look, which natively supports viewing hundreds of file types without needing the original application.  Unlike other forensic tools, files do not have to be exported first in order to view them.

1.1.4.Apple File System (APFS)

Apple File System (APFS) is a proprietary file system from Apple used for macOS, iOS, watchOS, and tvOS.  APFS is natively and fully supported on macOS High Sierra (10.13) and above.  APFS has limited support in macOS Sierra (10.12).  APFS has no support within Windows operating systems.  Any support for APFS on Windows and/or in Windows forensic tools relies on reverse-engineered, non-native technologies.

SUMURI’s RECON IMAGER can create forensic images that can be processed and analyzed with RECON LAB natively.

RECON IMAGER and RECON LAB also automatically support the imaging and processing of macOS 10.15 System and user Data partitions.

1.1.5.Local Time Machine Snapshots (APFS)

Time Machine is a utility in macOS that is used for creating backups.  Time Machine must be activated by the user and requires a local or remote disk to store the backups (Time Machine disk).  If the Time Machine disk is not available the backups are stored locally.  These backups are known as “Local Time Machine Snapshots” in APFS.  They are also sometimes referred to as APFS Snapshots.

RECON IMAGER along with RECON LAB is the only solution that can display, image, hash and analyze Local Time Machine Snapshots in Macs with T2 Security Chipsets and without.

1.1.6.FileVault

FileVault (version 2) is macOS’s full volume encryption, for which there are no backdoors.  A FileVault volume is mounted and decrypted with the user’s login password or with the Recovery Key that was created when FileVault was originally enabled.

RECON LAB allows the examiner to decrypt the forensic image of a Mac encrypted with FileVault natively using either the password or Recovery Key.

1.1.7.Support for Other File Systems

RECON LAB was designed to harness the power of macOS.  Whatever the Mac can mount we can process.

macOS natively supports APFS, macOS Extended (HFS+), MS-DOS FAT, ExFAT and NTFS (as read-only).

Using freely available open-source FUSE solutions and Paragon Software drivers (included) just about any file system can be mounted and processed with RECON LAB such as Linux ext2, ext3, and ext4.

1.2.Hybrid Processing Engine

Unlike any other forensic solution, RECON LAB utilizes a Hybrid Processing Engine.

The Hybrid Processing Engine processes a forensic image both inside RECON LAB and mounted outside RECON LAB using macOS.

The Hybrid Process Engine maximizes the recovery of artifacts and simultaneously increases the speed of processing.

Additionally, this approach uniquely allows RECON LAB to utilize the power of macOS natively.

1.3.Three Stage Analysis

RECON LAB offers three stages of analysis.

Stage One – Parse and recover thousands of artifacts with Automated Analysis of Windows, macOS, iOS, AndroidOS, and Google Takeout.

Stage Two – Four Advanced Forensic Viewers assist in parsing and examining macOS Property Lists (.plist), SQLite Databases, Hex, and the Windows Registry.

Stage Three – Utilize hundreds of features built into RECON LAB that make manual analysis easier.

1.4.Support for Over 270 Timestamps

RECON LAB currently supports over 270 individual timestamps.  These include timestamps from all supported file systems, Apple Extended Metadata and application-specific timestamps.

These timestamps are integrated throughout RECON LAB to provide “one of a kind” analysis and exponential reporting options.

Additionally, RECON LAB provides a “second to none” chronological analysis and reporting.

1.5.Advanced Timelines

With support for hundreds of timestamps, RECON LAB can generate both textual and graphical views of events to make analysis easier.

Placing these events in chronological order allows an examiner to see events unfold minute by minute or even second by second.

Having the ability to see events in order based on time allows an examiner to solve cases and render opinions faster and more accurately.

1.6.Advanced Data Correlation

In a single day, a person of interest will probably use several devices capable of storing electronic data.  For example, they may use a laptop or tablet at home, a mobile phone on their way to work and a desktop computer when they arrive.  On each of these devices, our person of interest could use multiple web browsers and messaging apps.  To add more complexity, our person of interest is moving to different locations throughout the day and generating different location artifacts.

To get a clear picture of what our person of interest has done in a day RECON LAB has developed Advanced Data Correlation to collate all of this information into single views regardless of device or application.

Advanced Data Correlation, presented as Redefined Results, along with support for over 270 timestamps provides an examiner with amazing investigative insight.

1.7.Advanced Reporting With Full Control

RECON LAB provides you with exponential reporting options from the granular level (single artifact) to the global level (all artifacts included).

Additionally, RECON LAB includes the first of its kind WYSIWYG (What You See Is What You Get) reporting mode called Story Board.

Story Board allows the user to have full control over the reporting process and is as easy to use as a word processor.

The examiner has the ability to add, remove or annotate bookmarks anywhere in the report at any time.

Story Board also allows you to add your bookmarks and tags in chronological order to make it easier to understand the timeline of events.

3.Helpful Hints

Before starting a new case with RECON LAB please refer to these helpful tips.

Use macOS Extended for Evidence Drives

macOS supports a variety of file systems; however, in testing, we have had the best results with macOS Extended (HFS+).  If you want to mount your macOS Extended evidence drive on Windows, use the HFS+ for Windows drivers from Paragon Software that are provided to you with your purchase of RECON LAB.

Additionally, if you are creating logical images of Mac data to any non-Mac file system you will lose the Apple Extended Metadata.

Use Apple Disk Image Format (.dmg) for Imaging Evidence

The Apple Disk Image that is created with RECON IMAGER or PALADIN is a RAW image format that can be loaded into any forensic tool that supports RAW images.  The .dmg image is natively supported by the Mac.

Although RECON LAB supports Expert Witness Formats (.E01, .Ex01), they are not native to the Mac and require the use of FUSE.  FUSE acts as an interpreter to mount non-native file systems.  Because RECON LAB uses a Hybrid Processing approach, where a forensic image is mounted both inside and outside the tool, less is more.

Avoid Segmentation of Forensic Image Files

RECON LAB supports segmented image files.  However, with extremely large disk sizes found in modern devices, thousands of segments can be created which may cause issues.  If possible, avoid segmenting forensic images and use a single file.

4.Getting Support

Support for RECON LAB is available via our Support Center by submitting a ticket here: https://helpdesk.sumuri.com

During regular business hours, we strive to respond in less than one hour but no longer than 24 hours.

SUMURI is based in the State of Delaware USA (Eastern Time Zone – EST/EDT).  Our office hours are 0900-1700 (9 a.m. – 5 p.m.).  SUMURI is closed for US Federal Holidays.

Law Enforcement Emergency Support

If you are law enforcement and in need of immediate emergency assistance please contact us anytime at +1 302.570.0015.

5.Renewing RECON LAB

RECON LAB comes with one full year of support and updates.  Once RECON LAB expires you will need to renew the license in order to continue to receive updates and support.

RECON LAB can be renewed online via our website here: https://sumuri.com/product/recon-lab-annual-renewal/

Or, you may simply contact us directly.

6.Training

SUMURI offers vendor-neutral training on Mac Forensics.  These courses will provide you with the concepts and knowledge to use RECON LAB (or other tools) to process Mac artifacts and file systems.

If you are interested in hosting a training course and getting free seats please contact us via the link below.

7.Installation

RECON LAB includes and relies on native and some third-party applications and utilities to ensure that the largest amount of data can be processed and analyzed.

Please install all the recommended applications, in order, and one at a time using the instructions below.

Due to Mac’s strict adherence to security, you may be asked to provide your password during the installs.

After installing all the supporting applications periodically check to make sure these applications are updated.

7.1.Installing Xcode and Command Line Tools

Xcode is a free development environment provided by Apple.  Xcode and Xcode Command Line Tools include additional binaries and applications which are used in RECON LAB.

Installing Xcode

1.) Apple Xcode is available for free using Apple’s App Store or found by clicking here.

2.) Click the “Get” button to install Xcode on your Mac via the Apple App Store.

Installing Xcode Command Line Tools 

To install or check to see if Xcode Command Line Tools are installed follow the instructions below.

1.) Open the Terminal Application – /Applications/Utilities/Terminal

2.) Type the following command and hit return:  

3.) Follow the instructions provided by the application.

7.2.Installing FUSE for macOS

FUSE for macOS is a free open-source application that acts as an interpreter for non-native file systems.  FUSE for macOS assists in loading Expert Witness Format (EWF) forensic images such as .E01 and .Ex01.  FUSE for macOS must be installed to mount and process EWF images.

Installing FUSE for macOS

1.) Navigate to the FUSE for macOS website and download the version that matches your macOS from here: https://osxfuse.github.io/

2.) Double-click on the .dmg file downloaded.

3.) Double-click on the “FUSE for macOS” icon to install.

4.) Follow the application instructions for completing the install.

7.3.Installing Paragon Drivers

SUMURI has partnered with Paragon Software to include helpful file system drivers for both Mac and Windows.  You will receive a license code for downloading and activating Paragon Software applications when you purchase a full version of RECON LAB.

To download and install Paragon Software applications follow the instructions below.

Accessing Paragon Software Applications

1.) Navigate to Paragon Software’s website and create an account if you do not already have one here: https://my.paragon-software.com/#/login

2.) Navigate to “Register New Product” and enter the code provided to you when you purchased RECON LAB.

3.) Navigate to “My Products” after entering the code to access and download your applications.

Installing extFS for Mac by Paragon Software

1.) Download extFS for Mac following the instructions above.

2.) Double-click on the .dmg downloaded from Paragon.

3.) Double-click on “Install extFS for Mac” to install drivers for Linux file systems.

4.) Complete the installation by following the instructions provided.

 

7.4.Downloading RECON LAB Updates

Before installing RECON LAB please make sure that you have the latest update.

RECON LAB updates can be found here: https://goo.gl/wWm2qi

Download the latest version (highest-numbered) and move the .dmg to your Desktop.

Notifications for new updates will be sent out to the email address that we have on file.  If you are not sure if you are on the RECON LAB update list and would like to be notified when updates are released please let us know at hello@sumuri.com.

7.5.Installing RECON LAB

Make sure that you have downloaded the most current version of RECON LAB and follow the instructions below to install.

Move the RECON LAB installer .dmg to your Desktop and double-click to mount the installer.

A notification window will appear to ask if you want to open the application.  Choose “Open”.

The RECON LAB Installer window will now appear.

Choose one of the following options:

Install – Updates existing RECON LAB installations preserving your settings, examiner and agency information.

Clean Install – Use this for first time installs or to reset RECON LAB to its original settings.

Uninstall – Use this option to remove RECON LAB from your Mac.

When complete, quit the installer and eject the RECON LAB Installer disk image (right-click, “Eject”).

7.6.Granting Privileges

Before launching RECON LAB for the first time, RECON LAB will need to be given Full Disk Access.  This allows RECON LAB to gain access to areas and files restricted by standard permissions.

7.6.1.Full Disk Access

To give RECON LAB Full Disk Access navigate to System Preferences using the Apple Menu found in the top left corner.

Apple Menu – System Preferences

From System Preferences select the “Security & Privacy” icon.

Now follow the steps below to add RECON LAB to “Full Disk Access”.

1.) Click on the lock icon and enter your password to unlock to change settings.

2.) Select the “Privacy” tab and then “Full Disk Access” in the sidebar.

3.) Click the “+” symbol to navigate to RECON LAB which is found in your Applications directory.

4.) Highlight RECON LAB and select it to grant Full Disk Access permissions.

5.) Click the lock icon one more time to “lock” the settings.

7.7.Energy and Sleep Settings

Allowing your Mac to go to sleep in the middle of processing a case will most likely cause issues.  Make sure that you disable “Put hard disks to sleep when possible” and any setting that allows the computer to sleep while you are working with RECON LAB.

These settings can be changed in System Preferences (Apple Menu – System Preferences).

Look for the Energy Saver icon.

Then check both of the settings for “Battery” and “Power Adapter”.

8.Starting RECON LAB

Once installed, RECON LAB can be found in your Applications directory.

For quick access, you can grab the RECON LAB icon and drag it to your dock to create a shortcut.

To start RECON LAB, double-click the icon in the Applications folder or single-click if you created a shortcut within the dock.

8.1.Adding Your License

When you run RECON LAB for the first time after installation you will be prompted to add your license.

Your license can be found on your RECON LAB USB which also acts as your security dongle.  The RECON LAB USB will need to be attached to your Mac in order to run.

If you requested a demo or if you have renewed RECON LAB you will receive your license via email.  Please keep your license someplace safe.

If you are prompted to add your license choose “Browse” and navigate to your license file.

Select your license file and choose “Open”.

RECON LAB will add your license and restart.

8.2.Installing Python

Python, which is a common scripting language used in forensics, is utilized for some features in RECON LAB and should be installed.  Make sure that Xcode, and its Command Line Tools, were previously installed.

Installing Python

Open the Terminal app and run the following commands.

# Install Homebrew (the installer command as given in this manual)
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

# Install Python 3 using Homebrew
brew install python3

# Install the Python modules used by RECON LAB features
python3 -m pip install lz4 enum34

8.3.Admin Password

Upon the first run of RECON LAB you will be prompted to enter your admin password one time.  Enter your admin password and click “OK”.

8.4.Access Warning Messages

When starting RECON LAB a message window appears with some important information.  This information may change so please review from time to time.

If you do not want the message to appear when you start RECON IMAGER select “Don’t show this message again”.

8.5.RECON LAB Welcome Screen

Upon starting RECON LAB you will be presented with the Welcome Screen.

The Version Number for RECON LAB is found in the title bar.

In the bottom right corner, the Licensee, Purchase Date and Expiration Date are displayed for your reference.

The buttons along the bottom of the Welcome Screen are:

About RECON – Access to RECON LAB’s EULA, changelogs, exceptions and/or known issues, special requirements, support and updates information.

RECON Config – Allows the examiner to create persistent settings.

Acquire iOS Device – Opens RECON LAB iOS Imager interface.

New Case – Starts the New Case Wizard.

Load Case – Allows an examiner to select a RECON LAB Case Folder.

 

9.Configuration

Every examiner has their own unique approach to an examination.

RECON LAB allows an examiner to configure a variety of settings prior to starting a case.  Configuration settings are persistent and will automatically be set for each new case.

This approach saves a lot of time.  Configuration settings can be overridden at any time if required.

Below is an explanation of each configuration settings window.

9.1.Examiner Details

The Examiner Details settings allow entry of the following information:

Agency Name – Name of the examination agency.

Examiner – Name of the examiner.

Examiner Phone – Phone number for the examiner.

Agency Address – Agency address.

The agency logo can be changed by selecting the three dots under the current logo.

Any graphic can be selected for the agency logo.  RECON LAB supports adding PNG or JPEG image formats.

Any information entered here will automatically be added to any reports generated by RECON LAB.

9.2.Artifacts and Plugins

RECON LAB includes hundreds of plugins that recover thousands of artifacts automatically from Windows, macOS, iOS, Android and Google Takeout.

RECON LAB allows you to enable plugins to run on every case and/or create templates for specific investigations.

Above is the interface for RECON LAB’s Plugin and Artifact selection. Columns and dots were added to the interface to help you quickly see if a plugin is supported within a specific platform.

Each plugin can have multiple artifacts.  Activating a checkbox will

On the left side, there are filters at the top for “All Plugins” and specific operating systems (i.e. “winOS”) and platforms (i.e. “Google Takeout”).  Selecting any filter on the left-side removes all plugins from the Plugin Window on the right-side except for what is relevant to the operating system or platform selected.  For example, if you select the “iOS Plugins” filter on the left you will only see plugins relating to iOS on the right.

Similarly, there is a Plugin Search box in the upper right corner that can be used to quickly filter all plugins.  In the example above, the keyword “photo” was used to show all plugins that contained the word “photo” (i.e. Android Photos, Photo Booth).

At the bottom of the window, there is a “Save Template” checkbox.  Checking it and providing a name will make a permanent template that can be used again.

Saving a Template for Plugins and Artifacts

  1. Using the example above, the Plugin Search was used to find all plugins with the word “photo”.
  2. Each of these plugins was selected using the checkboxes.
  3. The “Save Template” box was checked and the name “Photo Search” was given to the template.
  4. To save the new template the “Add” button was clicked.
  5. The new template can now be selected and applied in the dropdown box at the top of the window.

Remember, settings can always be changed at any time within the case.

 

9.3.User Defined Extensions

User-Defined Extension settings allow the examiner to create “buckets” (categories) for various file extensions.  These categories will appear in the RECON LAB Sidebar.  Any file with a matching file extension included in a Category will automatically be filtered and appear in the “bucket” in RECON LAB’s sidebar.

In the example above, the category “Image” contains the file extensions .png, .jpg, .jpeg, .ico and .gif.  When a new case is started, any files matching these extensions will automatically be found in the Sidebar in a “bucket” named “Image”.

Adding or Removing Categories and Extensions

To create a new Category or to add an Extension simply click the “+” button.  Enter the text and hit return.

To remove a Category or Extension select the item and click the “-” button.

To add multiple extensions at the same time use the “paste” (clipboard) button.  Make sure that your text is entered as one item per line with a single carriage return.  Copy all the text to your Clipboard and then use the “paste” (clipboard) button to add multiple items at the same time.

9.4.User Defined File Signatures

User-Defined File Signature settings allow the examiner to create “buckets” (categories) using a file’s signature.  File signatures help identify files in the absence of extensions or if the file extension is incorrect.

The categories created will appear in the RECON LAB Sidebar.  Any file whose signature matches one included in a Category will automatically be filtered and appear in the “bucket” in RECON LAB’s sidebar.

In the example above, the category “Financial Database Files” contains the file signatures for Quicken backup and database files.  When a new case is started, any files matching these signatures will automatically be found in the Sidebar in a “bucket” named “Financial Database Files”.

Adding or Removing File Signatures

To create a new Category or to add a new File Signature simply click the “+” button.

Use the “Label” field to provide a name.

  1. Add the signature as HEX or ASCII and select the appropriate button.
  2. If the file signature begins at a specific offset add the value in the “Offset” field.
  3. Click “Add”.

To remove a Category or File Signature select the item and then click the “-” button.

Editing a File Signature

To edit a previously stored File Signature click the “Edit” (pencil icon) button.  Make the required changes and click “Add” to save.
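As an added example (not RECON LAB’s own code), the following Python script reproduces the bucketing described in sections 9.3 and 9.4: files are grouped by extension, and separately by a signature entered as HEX or ASCII with an optional offset, so a renamed file still lands in the right bucket. The categories, signatures and sample file headers are constructed for the example; the Quicken signatures from the screenshot are not on the page and are not reproduced.

```python
"""Sidebar bucket classification by extension and by file signature.

Added example, not RECON LAB code. A signature is entered as HEX or ASCII
with an optional offset, and every file whose bytes match lands in that
category's bucket. Categories and sample headers are constructed.
"""
from __future__ import annotations

import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    label: str        # the "Label" field in the configuration window
    pattern: bytes    # bytes the file must contain at `offset`
    offset: int = 0   # the "Offset" field; 0 means the start of the file

    @classmethod
    def from_hex(cls, label: str, hex_text: str, offset: int = 0) -> Signature:
        # "HEX" button: accepts "FF D8 FF" as well as "ffd8ff"
        return cls(label, bytes.fromhex(hex_text.replace(" ", "")), offset)

    @classmethod
    def from_ascii(cls, label: str, text: str, offset: int = 0) -> Signature:
        # "ASCII" button: the text is matched byte for byte
        return cls(label, text.encode("ascii"), offset)

    def matches(self, header: bytes) -> bool:
        end = self.offset + len(self.pattern)
        return len(header) >= end and header[self.offset:end] == self.pattern


# Extension categories, following the manual's "Image" example (constructed).
EXTENSION_BUCKETS: dict[str, set[str]] = {
    "Image": {".png", ".jpg", ".jpeg", ".ico", ".gif"},
    "Virtual Disk": {".iso", ".vdi", ".vhd", ".vmdk"},
}

# Signature categories: well-known signatures stand in for the Quicken ones
# shown in the manual's screenshot (constructed set).
SIGNATURE_BUCKETS: dict[str, list[Signature]] = {
    "Image": [
        Signature.from_hex("JPEG", "FF D8 FF"),
        Signature.from_hex("PNG", "89 50 4E 47 0D 0A 1A 0A"),
    ],
    "Database": [
        Signature.from_ascii("SQLite 3", "SQLite format 3\x00"),
    ],
    "Virtual Disk": [
        # ISO 9660 primary volume descriptor: "CD001" at byte offset 0x8001
        Signature.from_ascii("ISO 9660", "CD001", offset=0x8001),
    ],
}


def extension_bucket(name: str) -> str | None:
    """Category from the file extension alone (case-insensitive)."""
    ext = os.path.splitext(name)[1].lower()
    for bucket, exts in EXTENSION_BUCKETS.items():
        if ext in exts:
            return bucket
    return None


def signature_bucket(header: bytes) -> tuple[str, str] | None:
    """(category, signature label) for the first matching signature."""
    for bucket, sigs in SIGNATURE_BUCKETS.items():
        for sig in sigs:
            if sig.matches(header):
                return bucket, sig.label
    return None


def classify(name: str, header: bytes) -> dict[str, object]:
    """Both views together; a disagreement flags a possibly renamed file."""
    by_ext = extension_bucket(name)
    by_sig = signature_bucket(header)
    return {
        "name": name,
        "extension_bucket": by_ext,
        "signature_bucket": by_sig[0] if by_sig else None,
        "signature_label": by_sig[1] if by_sig else None,
        "extension_mismatch": by_sig is not None and by_ext != by_sig[0],
    }


# Constructed sample headers; only the leading bytes matter to the checks.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "notes.txt": b"SQLite format 3\x00" + b"\x00" * 84,   # database renamed .txt
    "backup.iso": b"\x00" * 0x8001 + b"CD001\x01",
    "readme.md": b"# RECON LAB\n",
}

if __name__ == "__main__":
    for fname, data in SAMPLES.items():
        print(classify(fname, data))
```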

9.5.Keyword Lists

The Keyword List settings allow the examiner to create lists ahead of time for content-based searches.  Various search options will be explained later in this manual.

Keywords can be grouped into categories.  Content keywords can be plain text or regular expressions (REGEX) that conform to dtSearch rules.

dtSearch’s Quick Reference Guide can be found here: http://support.dtsearch.com/Support/forms/iframes_advanced/default.html

In the example above a category was created for “Phone Numbers”.  Four phone numbers were entered as keywords.  The first three are standard text.  The last one (“+919876?????”) is an example of a regular expression to find an Indian phone number where we know the first six numbers but we do not know the last five.  We checked the “Regex” checkbox to let RECON LAB know that the text entered should be treated as a regular expression.

Adding or Removing Categories or Keywords

To create a new Category or Keyword simply click the “+” button.  Enter the text and hit return.

If the Keyword is to be treated as a regular expression click the “Regex” box.

To remove a Category or Keyword select the entry and click the “-” button.

To add multiple keywords at the same time use the “paste” (clipboard) button.  Make sure that your text is entered as one item per line with a single carriage return.  Copy all the text to your Clipboard and then use the “paste” (clipboard) button to add multiple items at the same time.

Editing a Keyword

To edit a previously entered keyword click the “Edit” (pencil icon) button.  Make the required changes and click “Add” to save.
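The “Phone Numbers” example above, implemented as an added Python example that is not RECON LAB or dtSearch code: three literal keywords and the Regex keyword “+919876?????” are compiled and run over constructed text. Only the single-character meaning of “?” described above is implemented, dtSearch’s full syntax is not reproduced, and the literal numbers are made up.

```python
"""Keyword list search with literal keywords and the manual's "?" wildcard.

Added example, not RECON LAB or dtSearch code. Three literal keywords plus
one Regex keyword, "+919876?????", in which each "?" stands for one unknown
character. Only that meaning of "?" is implemented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Keyword:
    category: str
    text: str
    regex: bool = False   # state of the "Regex" checkbox

    def compile(self) -> re.Pattern:
        if not self.regex:
            # Plain keyword: every character, "?" and "+" included, is literal.
            return re.compile(re.escape(self.text), re.IGNORECASE)
        # Regex keyword: escape everything except "?", which becomes "." so it
        # matches exactly one character. A bare "+" would otherwise be a
        # quantifier and make Python's re reject the pattern.
        parts = ["." if ch == "?" else re.escape(ch) for ch in self.text]
        return re.compile("".join(parts), re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    category: str
    keyword: str
    file: str
    match: str
    offset: int


# Constructed keyword list: the literal numbers are fictitious.
KEYWORDS = [
    Keyword("Phone Numbers", "+1-555-0100"),
    Keyword("Phone Numbers", "+1-555-0199"),
    Keyword("Phone Numbers", "+44 20 7946 0000"),
    Keyword("Phone Numbers", "+919876?????", regex=True),
]

# Constructed text as it might come out of indexed documents. The spaced
# form "+91 98765 43210" in notes.txt is deliberately NOT matched by the
# wildcard keyword, because "?" covers exactly one character each.
DOCUMENTS = {
    "chat.txt": "Call me on +91987654321 tonight, or +1-555-0100 at work.",
    "notes.txt": "Old number +91987 was disconnected; try +91 98765 43210.",
    "readme.txt": "Nothing of interest here.",
}


def search(keywords, documents) -> list[Hit]:
    """Run every keyword over every document and collect the matches."""
    hits = []
    for kw in keywords:
        pattern = kw.compile()
        for fname, text in documents.items():
            for m in pattern.finditer(text):
                hits.append(Hit(kw.category, kw.text, fname, m.group(0), m.start()))
    return hits


if __name__ == "__main__":
    for hit in search(KEYWORDS, DOCUMENTS):
        print(hit)
```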

9.6.Text Indexing Filters

RECON LAB has included features to speed up your examination.

Text Indexing Filter settings allow you to set files to index or not index during a case ahead of time.

Default Index – No Filter

The default setting for indexing is “No Filter”.  Leave this setting if you want to index all files.

Indexing Specific Files Only

To speed up processing you can have RECON LAB index only certain file types (based on extension) by selecting “Index these files”.

In the example below, a category was created for “Documents”.  In the “Documents” category three file types were added (.rtf, .doc, .pdf).  With these settings, RECON LAB will only index RTF, Word Document and PDF files and ignore all other file types.

 

Eliminating Files From Indexing

Also, to speed up processing RECON LAB can ignore indexing specific file types (based on extension) by selecting “Do not index these files”.

In the example below, a category for “Virtual Disk” was created.  Within the category the extensions of .iso, .vdi, .vhd, and .vmdk were added.  This category will reduce our processing time dramatically as RECON LAB will index all files except for those added to the lists below.

Adding or Removing Categories and Extensions

To create a new Category or to add an Extension simply click the “+” button.  Enter the text and hit return.

To remove a Category or Extension select the item and click the “-” button.

To add multiple extensions at the same time use the “paste” or clipboard button.  Make sure that your text is entered as one item per line with a single carriage return.  Copy all the text to your Clipboard and then use the “paste” (clipboard) button to add multiple items at the same time.

9.7.Apple Metadata Filters

RECON LAB is the only forensic suite that is developed on a Mac to utilize macOS libraries natively.  This allows RECON LAB to see and fully utilize Apple Extended Metadata.  Other solutions do not natively support Apple Extended Metadata and rely on third-party and reversed engineered solutions that may not see or support all the metadata that exists which can lead to missed evidence.

Within the main RECON LAB interface, all Apple Extended Metadata is visible.

For the Apple Metadata Filter settings, we have selected some of the most common and important Apple Extended Metadata attributes which can be set to always show in the RECON LAB sidebar or within reports.

Apple Metadata Filter Column Descriptions

D – Check this box to add this Apple Extended Attribute to the RECON LAB Sidebar.  Any files matching selected attributes will automatically be filtered and placed in the Sidebar.

R – Checking this box will include the selected attribute’s metadata automatically to reports.

Title – The common name of the Apple Extended Attribute.

Attribute – The specific name of the Apple Extended Attribute.

Description – The official description of the Apple Extended Attribute.

9.8.EXIF Metadata Filters

RECON LAB also parses EXIF metadata.  The EXIF Metadata Filters allows an examiner to automatically filter out files with specific EXIF attributes to the RECON LAB Sidebar and/or always include select attributes in reports.

EXIF Metadata Filter Column Descriptions

D – Check this box to add the EXIF Metadata to the RECON LAB Sidebar.  Any files matching selected metadata will automatically be filtered and placed in the Sidebar.

R – Checking this box will include the selected EXIF metadata automatically to reports.

Title – The common name of the EXIF Metadata.

Description – The official description of the Apple Extended Attribute.

9.9.Volatility Path

RECON LAB supports Volatility for RAM analysis.  Volatility can be downloaded from https://www.volatilityfoundation.org/

Once downloaded, Volatility can be configured to work with RECON LAB.

To use Volatility within RECON LAB select the three dots in the Volatility Path settings.  Navigate to and select the “vol.py” file to save the path.

Please refer to Volatility documentation for downloading and setting up Volatility profiles and plugins here: https://github.com/volatilityfoundation/volatility/wiki

9.10.System Password

When you start RECON LAB for the first time or if you reset RECON LAB you will be prompted to enter your Admin password.  If you change your password after installing RECON LAB you will have to update it using the System Password settings.

To update, enter your new password and click the pencil icon.

9.11.Text View Settings

To speed up processing RECON LAB allows you to set the Maximum File Size for the Text View.  The default setting is 20 MB.

To increase or decrease the size, enter any value.  Keep in mind the value will be interpreted as megabytes.

9.12.External Applications

RECON LAB allows files to be sent to and opened in external applications.

To add an application select the “Add” button.  Navigate to and select the application that you would like to add.

To remove an application, highlight the application to remove and select the “Remove” button.

10.Starting A New Case

To start a case with RECON LAB select “New Case” from the Welcome Screen.

10.1.Case Info

When you start a new case with RECON LAB the Case Wizard starts with the Case Info screen.  If any information was added previously in the RECON Configuration settings that info will automatically be included.  The information entered here will be included in RECON LAB reports.  Certain fields are mandatory and must be entered to proceed to the next screen.  These fields are marked with an asterisk.

The following information can be entered into the Case Info window.

Case No. (mandatory) – A unique case number.

Case Name (mandatory) – Name for your case.

Location – Location of the incident or the exam.

Case Notes – free form to add any notes required.

Examiner (mandatory) – Examiner name.

Examiner Phone – Phone number for the examiner.

Examiner Email – Email for the examiner.

Agency – Agency name.

Agency Address – Address for the agency.

After you have entered the mandatory information and any additional information that you want then click “Next”.

10.2.Adding Source Data to Process

RECON LAB can accept a variety of sources to process.

To select a source to process use the “Add Source” dropdown and select a source to process.

10.2.1.Mounted Volumes

Selecting Mounted Volumes presents you with a selection box.  Any currently mounted volumes will be displayed.

To add, check the box next to the volume path and then click “Add”.

10.2.2.Forensics Images

RECON LAB supports just about any forensic image format.

Currently accepted formats are:

RAW Images – .dd, .000, .00001, .raw

Apple Disk Images – .dmg, .sparsebundle, .sparseimage

Expert Witness Format (EWF) – .E01, .Ex01, .L01, .S01

To select a supported forensic image use the dropdown in “Add Source” and select “Forensic Image”.  Navigate to the forensic image and click “Open”.

10.2.3.FileVault Image

RECON LAB supports forensic images of macOS FileVault and allows for decryption using the Admin password or Recovery Key.

Currently accepted formats are:

RAW Images – .dd, .000, .00001, .raw

Apple Disk Images – .dmg, .sparsebundle, .sparseimage

Expert Witness Format (EWF) – .E01, .Ex01, .L01, .S01

To select a supported FileVault forensic image use the dropdown in “Add Source” and select “Forensic Image”.  Navigate to the forensic image and click “Open”.

After selecting the FileVault forensic image a popup window will appear allowing you to enter the Password or Recovery Key.  You can use the “eye” icon to show the password if necessary.

10.2.4.Fusion Image

Fusion drives are two separate physical disks that are seen as one in a Mac environment.

RECON LAB supports adding physical images for each disk of the Fusion drive to allow the processing of its file system.

RECON LAB supports a variety of physical forensic image formats for the Fusion drive disks.

Currently accepted physical formats for Fusion drive disks are:

RAW Images – .dd, .000, .00001, .raw

Apple Disk Images – .dmg

Expert Witness Format (EWF) – .E01, .Ex01, .S01

To select a supported forensic image of a Fusion drive disk use the dropdown in “Add Source” and select “Fusion Image”.  Navigate to the forensic image and click “Open”.

Do this for both disk images (“SSD” and “Platter”).

Make sure that the smallest image is linked to the “SSD”.

Once both images are selected click “Add”.

10.2.5.Optical Disc Image

RECON LAB can support Optical Disc image formats as a source.

RECON LAB currently supports .ISO and .cdr Optical Disc formats.

To select an Optical Disc image use the dropdown in “Add Source” and select “Optical Disc Image”.  Navigate to the image and click “Open”.

10.2.6.RAM Image

RECON LAB supports loading RAM images which are usually in raw format.

To load a RAM image use the dropdown in “Add Source” and select “RAM Image”.  Navigate to the RAM image and click “Open”.

10.2.7.iOS Backup

RECON LAB supports the analysis of Apple iOS backups.

Most forensic tools that image iOS devices utilize the iTunes engine to create an iTunes backup to process.

RECON LAB also has the ability to image an iOS device and create an iOS backup, which is discussed later in this manual.

To add an iOS backup as a source navigate to the iOS backup directory and select the Manifest.db or Manifest.mbdb file. Once selected, click “Open”.

10.2.8.Time Machine Backup

RECON LAB supports the processing and automated analysis of individual macOS Time Machine Backups.

To load a Time Machine backup for analysis select “Time Machine Backup” from the “Add Source” dropdown.  Navigate to the directory of the backup in which you would like to process.  Select “Choose” to add the backup directory as a source.

10.2.9.Google Takeout

RECON LAB supports data downloaded from Google Takeout: https://takeout.google.com

RECON LAB has numerous plugins to automate the analysis of Google Takeout data.

To load data from Google Takeout select “Google Takeout” from the “Add Source” dropdown.  Navigate to the directory with the Google Takeout data and select “Choose”.

10.2.10.macOS Home Directory

There are many situations in Mac investigations where only a single user’s home directory can be acquired.  RECON LAB supports adding and automatically processing a macOS Home Directory.

To load a Mac user’s home directory as a source select “macOS Home Directory” from the “Add Source” dropdown list.  Type in a name for the user and click “Add”.

Navigate to the Mac user’s home directory and click “Choose”.

10.2.11.Folder

Individual folders can be added as a source to process.

To add a folder as a source select “Folder” from the “Add Source” dropdown list.  Select the directory to add and click “Choose”.

10.2.12.File

Individual files can be added as a source to process.

To add a file as a source select “File” from the “Add Source” dropdown list.  Select the file to add and click “Open”.

10.2.13.ADB Android Backup

RECON LAB supports processing Android Debug Bridge (ADB) files and backups of Android Devices.

To add an ADB file (.ab) or backup folder as a source, select “ADB Android Backup” from the “Add Source” dropdown list.  Select the “.ab File” or “Backup Folder” option.  Navigate to the ADB file or backup directory and select “Add” or “Choose”.

10.2.14.RECON Logical Image

When creating a logical image, timestamps can change as files are sent from the source to the destination file or container.  Some forensic programs address this issue by not showing any timestamps for the files in the logical extraction or image.

This scenario is common when imaging Macs with T2 Security Chipsets as they can only be imaged logically.

RECON IMAGER, when used with RECON LAB, is able to preserve the original timestamps.

In order to display the proper timestamps from a logical image select “RECON Logical Image” from the “Add Source” dropdown list.

Select “RECON-Sparseimage” or “RECON-DMG” depending on what was chosen when using RECON IMAGER.

10.3.Adding Source Information

Once a Source has been selected the Source Information window will appear.

Here you can add a unique evidence number (“Evidence No.”) and a description of the evidence.

After entering the information click “Ok”.

10.4.Adding Multiple Sources

RECON LAB can process multiple sources at the same time.

To add more than one source use the “Add Source” button.  Additional sources will be listed once added.  To remove a source before processing begins click the “X” button.

10.5.Case Directory

After adding your sources to process you have to select the location for your RECON LAB Case Directory.  This directory is used to store everything and can become quite large in size depending on the amount of data to be processed.  Make sure that there is enough space on the media where the Case Directory is placed.

It is recommended to use a macOS Extended (HFS+) formatted drive for the location of the Case Directory.

To select the location for the Case Directory click the three dots.  Navigate to the desired location and click “Choose”.

10.6.Date and Time Settings

RECON LAB has several options for setting time zones.

UTC – Coordinated Universal Time or +00:00

Machine Time Zone – This is the time zone of your examination system.

Other Time Zone – This dropdown menu will allow you to pick any time zone in the world.

RECON LAB also has several options for the Date Format.  Whatever Date Format is chosen here will take effect globally in RECON LAB.

10.7.File System Modules Selection

RECON LAB was designed to give you as much control as possible.  This control can help you complete your investigations and analysis faster.

The examiner has the option of enabling or disabling individual Filesystem Modules.

For example, if your case does not require the need for signature analysis then you do not have to activate this module which will save processing time.

10.7.1.Apple Metadata Module

To activate the Apple Metadata module for macOS sources, check the box next to “Extract Apple Metadata”.

If you have previously configured this module your selections will be present.  At this time you can add or remove attributes.

Apple Metadata Filter Column Descriptions

D – Check this box to add this Apple Extended Attribute to the RECON LAB Sidebar.  Any files matching selected attributes will automatically be filtered and placed in the Sidebar.

R – Checking this box will include the selected attribute’s metadata automatically to reports.

Title – The common name of the Apple Extended Attribute.

Attribute – The specific name of the Apple Extended Attribute.

Description – The official description of the Apple Extended Attribute.

10.7.2.MIME Types Module

MIME Types are used to identify and categorize files and are similar to file signature analysis.  Selecting “Extract MIME Type” will tell RECON LAB to identify and document files based on their MIME type.

10.7.3.Signature Analysis Module

Selecting “Analyse User Defined File Signatures” runs a module to identify files based on the file’s headers (or signature).  The file signatures can be added in the Case Wizard or previously in RECON LAB Configuration.

To learn how to enter or remove a file signature please refer to the previous instruction in the “Configuration” section of this manual.

10.7.4.EXIF Metadata Module

Selecting “Extract Exif Metadata” tells RECON LAB to recover any EXIF metadata selected in this module.

EXIF Metadata Filter Column Descriptions

D – Check this box to add the EXIF Metadata to the RECON LAB Sidebar.  Any files matching selected metadata will automatically be filtered and placed in the Sidebar.

R – Checking this box will include the selected EXIF metadata automatically to reports.

Title – The common name of the EXIF Metadata.

Description – The official description of the Apple Extended Attribute.

10.7.5.Hashes Module

If you will be utilizing pre-configured hash sets in your investigation or analysis choose “Analyse Hashes”.

RECON LAB will create hashes of all files within the case.

10.8.Artifact Plugin Selection Module

As described previously in the “Configuration” part of this manual, RECON LAB automatically processes and analyzes thousands of artifacts using hundreds of plugins for Windows, macOS, iOS, Android and Google.

Select any plugins or artifacts that you want to run.

To begin processing of all sources with the selected Filesystem Modules and Automatic Artifact Analysis, click “Start”.

11.Reloading a Case

To open a previously created case, select Load Case from the initial splash screen.

The popup window instructs the examiner to navigate to the desired case folder and click Open.

The naming structure of the folder will consist of the Case Name-YYYY-MTH-DYTHH-MM-SC (i.e. Fraud_Investigation_2018-SEP-19T13-25-44)

The following screen will ask the examiner if they want the original sources mounted.

The sources must be mounted for RECON LAB to function properly.

If the sources have moved RECON LAB will prompt you to locate them.

12.RECON LAB Interface

The RECON LAB Main Interface is designed to be intuitive and simple to use.  The views in the main window will change depending on what is selected.

12.1.Processing Status Window

RECON LAB will let you begin working in minutes.

RECON LAB automatically and intelligently runs multiple tasks and processes at the same time.  RECON LAB adjusts the different tasks based on the available resources to complete processing as quickly as possible.

RECON LAB’s first process is to “Add source to case”.  This must be completed before you can manually review the evidence.

However, almost simultaneously, the automated analysis of artifacts begins (“Extracting Artifacts”) and starts populating the Sidebar.  As soon as a plugin is complete you can immediately begin reviewing the results.

Next, if selected, Apple Extended Timestamps are extracted for macOS file systems.  Apple Extended Attributes are the timestamps utilized by macOS.

Other forensic tools extract and display macOS POSIX (Unix) timestamps.  Favoring POSIX timestamps over Apple Extended Attribute timestamps will cause you to miss important evidentiary information and can lead to incorrect conclusions.  RECON LAB along with RECON IMAGER is the only solution that allows you to properly capture, analyze and utilize Apple Extended Metadata timestamps within a forensic tool.

After the Apple Extended Attribute Timestamps module has started the identification and categorization of files based on MIME types begins.

This is followed by the Apple Metadata, Signature Analysis, and EXIF Metadata modules.

Finally, the Hashes module is run.

The information generated by each module is available as soon as it completes and can be reviewed immediately.

Modules can be canceled by clicking the “X” button.  Keep in mind it may take some time before the module quits completely after the “X” button is pressed.

The Processing Status Window can be minimized by clicking the triangle icon in the bottom right corner.

12.2.Case View

The Case View can be activated by selecting the “briefcase” icon at the top of the Sidebar.

In the Main Window you will find the Case Details, Examiner Details and Source information.

If multiple partitions exist they can be seen by clicking on the main source item (i.e. “Catalina.sparseimage”).

Clicking any of the partitions will display additional information for the source (i.e. “OS Version”).

The information found in the Case Details is almost always added automatically to any generated reports.

12.3.Top Menu

RECON LAB’s Top Menu is broken into a right side and a left side.  There are a total of twenty (20) icons.

  1. Add Source – Used to add additional sources after the case has begun.
  2. Run Artifacts – Calls the Artifacts and Plugins module for automated analysis.
  3. RAM Analysis – Opens the RAM Analysis module which is a GUI for Volatility and may include a “Carve Password” feature (vetted agencies only).
  4. Artifacts Timeline – Opens the Artifacts Timeline module used for generating timelines and graphs for timestamps recovered from the Artifacts and Plugin module.
  5. Global Report – Automatic Report generation.
  6. Tagged File Export – Allows the export of files that have been tagged or bookmarked.
  7. Artifacts Keyword Search – Allows the examiner to conduct a single keyword search quickly within all recovered artifacts.
  8. Content Search – Calls the Content Search configuration window to allow searching with keywords.
  9. File Search – Allows for locating files based on a combination of timestamps, file names, extensions, file sizes and more.
  10. Apple Metadata Search – Allows for locating files based on Apple Extended Metadata.
  11. Text Indexing – Allows the indexing of files and directories.
  12. Super Timeline – Creates an enhanced timeline using all timestamps available from file and file artifacts.
  13. Processing Status – Displays all added sources and the status of modules run against the sources.  Sources can be removed as well.
  14. Configuration – Allows changes to configuration settings.
  15. Hash Sets – Allows creation or importing of hash sets.
  16. Screenshot – Allows the user to create a screenshot that can be added to reports.
  17. Quick Look – Activates the native macOS file viewer supporting hundreds of file types.
  18. Story Board – Creates a new report in a WYSIWYG report editor.
  19. Show/Hide Sidebar – Pressing this button will show or hide the Sidebar.
  20. Show Detailed Information – Pressing this button will show or hide the Detailed Information Window.

12.4.Main Columns

There are three main columns at the top of the Main Window for RECON LAB.  These columns can be used for quick navigation.

When you navigate to different modules or views these columns will keep a history of these.  Clicking on the columns will allow you to return to a previous module or view.

Views or modules can be removed by selecting the “X” button.

Sidebar Column

The Sidebar Column allows quick access to the modules and views located in the Sidebar.

Select Category Column

The Select Category Column keeps a history of modules and sources previously viewed.  Clicking the title of the column will show previous items.  Select any item to return to the module or source.

Select Feature Column

The Select Feature Column keeps a history of different windows viewed.  Clicking the title of the column will show previous items.  Select any item to return to a previous window.

12.5.Case Sidebar

The Sidebar is used to quickly access data recovered from processing, analysis, and reporting.  It is also used for manually navigating through the source data.

Clicking the triangle next to a category or feature will expand the category.

The Quick Search field can be used to quickly find a plugin or module.

12.6.Main Viewer Window

The Main Viewer window has a Table View and a Gallery View.   The following is an example of the Table View when a source is selected in the Sidebar.  Specifically, this is a user’s Download folder.

The first column with the checkbox is to bookmark the file.

The second column with the checkbox is for marking a file as “seen” by the examiner.  Call it the “been there, done that” tag.

Record No. – This is a unique number assigned to a record by RECON LAB.

Inode No./File ID – Shows the Inode, FileID or CNID number of a file.

File Name – The name of the file.

Extension – The extension of the file.

File Path – The path of the file in relation to the source.

File Size – Size of the file in bytes.

Mime Type – Shows the type of file as identified by MIME Types.

HashSet Name – If the file hash matches a hash found within a HashSet the name of the HashSet is shown.

MD5 – The calculated MD5 hash of a file.

SHA1 – The calculated SHA-1 hash of a file.

Decompression Status – Shows if a file (i.e. zip file) has been expanded.  If expanded, the word “Decompressed” will show.

Date Modified – Standard timestamp for Date Modified.

Date Change – Standard timestamp for Date Changed.

Date Accessed – Standard timestamp for Date Accessed.

Date Added – macOS Apple Extended Attribute for when a file was added to the volume.

Content Creation Date – macOS Apple Extended Attribute for when the content of the file was created.

Content Modification Date – macOS Apple Extended Attribute for when the content of the file was modified.

Last Used Date – macOS Apple Extended Attribute for when the file was last opened by a human (double-click to open).

Use Count – macOS Apple Extended Attribute that approximates how many times a file was opened by a human (double-click to open).
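As an added example, not RECON LAB’s own code, the following decodes constructed values of four Apple extended attributes that carry provenance and timestamps of the kind these columns display (download source and time, quarantine time, last-used time). The byte layouts are assumptions about standard macOS behaviour; the Date Added and Use Count columns come from the file system record and the Spotlight store rather than from xattrs, so they are outside this example, and names such as `read_xattrs` and `from_xattr_hex` are this example’s own.

```python
import os
import plistlib
import struct
from datetime import datetime, timezone

# Assumed on-disk encodings (standard macOS behaviour, stated here as assumptions):
#   com.apple.quarantine                      text "flags;hex epoch seconds;agent;uuid"
#   com.apple.metadata:kMDItemWhereFroms      binary plist, array of URL strings
#   com.apple.metadata:kMDItemDownloadedDate  binary plist, array holding one date
#   com.apple.lastuseddate#PS                 struct timespec: two little-endian int64


def decode_quarantine(raw: bytes) -> dict:
    fields = raw.decode("utf-8").split(";")
    flags, ts_hex, agent = fields[0], fields[1], fields[2]
    return {
        "flags": int(flags, 16),
        "timestamp": datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        "agent": agent,
        "uuid": fields[3] if len(fields) > 3 else None,
    }


def decode_mditem_plist(raw: bytes) -> list:
    """kMDItem* xattrs are binary plists; plistlib returns naive datetimes that are UTC."""
    value = plistlib.loads(raw)
    return [v.replace(tzinfo=timezone.utc) if isinstance(v, datetime) else v
            for v in value]


def decode_timespec(raw: bytes) -> datetime:
    sec, nsec = struct.unpack("<qq", raw)
    return datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=nsec // 1000)


DECODERS = {
    "com.apple.quarantine": decode_quarantine,
    "com.apple.metadata:kMDItemWhereFroms": decode_mditem_plist,
    "com.apple.metadata:kMDItemDownloadedDate": decode_mditem_plist,
    "com.apple.lastuseddate#PS": decode_timespec,
}


def decode_xattrs(xattrs: dict) -> dict:
    """Decode known attributes; unknown ones are kept raw so nothing is silently dropped."""
    return {name: DECODERS.get(name, lambda b: b)(raw) for name, raw in xattrs.items()}


def from_xattr_hex(text: str) -> bytes:
    """Convert the hex dump printed by `xattr -px NAME FILE` back into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def read_xattrs(path: str) -> dict:
    """Read every xattr of a file where os.listxattr exists (Linux builds of Python)."""
    if not hasattr(os, "listxattr"):
        raise OSError("os.listxattr unavailable; feed `xattr -px` output to from_xattr_hex")
    return {name: os.getxattr(path, name) for name in os.listxattr(path)}


# Constructed sample values, built here rather than captured from a real file.
_DOWNLOADED = datetime(2018, 9, 19, 13, 25, 44)          # naive, as plistlib stores it
_QUARANTINE_EPOCH = 0x5ba24e58                           # hex epoch seconds, as in the xattr
SAMPLE_XATTRS = {
    "com.apple.quarantine": b"0083;5ba24e58;Safari;CONSTRUCTED-UUID-0000",
    "com.apple.metadata:kMDItemWhereFroms": plistlib.dumps(
        ["https://example.com/report.pdf", "https://example.com/"], fmt=plistlib.FMT_BINARY),
    "com.apple.metadata:kMDItemDownloadedDate": plistlib.dumps(
        [_DOWNLOADED], fmt=plistlib.FMT_BINARY),
    # last used one hour after download, with a half-second nanosecond field
    "com.apple.lastuseddate#PS": struct.pack("<qq", _QUARANTINE_EPOCH + 3600, 500_000_000),
}


if __name__ == "__main__":
    for name, value in decode_xattrs(SAMPLE_XATTRS).items():
        print(f"{name}: {value}")
```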

12.6.1.Table View

12.6.1.1.Recursive View

The Recursive View feature will recursively expand any subdirectories in the current view.  This is frequently done prior to creating a full file listing.

To expand all directories recursively, click the Recursive View button.

12.6.1.2.Export to CSV

The “Export as CSV” feature allows an examiner to create a file listing of the current Screen Items or Current Directory.  If you select a directory you have the option of including all files recursively by checking the “Recursive” button.

Provide a File Name for the report and choose the location for the report.  When done, click “Export”.

A folder will be created in the location you chose and RECON LAB will ask you if you would like to open the CSV file created.

12.7.Multimedia Preview Pane

The bottom right corner of the RECON LAB interface contains the Multimedia Preview Pane.  The Preview Pane supports a variety of images, audio and video files.

Any file selected in the Main Viewer window that is supported by the Preview Pane will be displayed.

12.8.Viewer Panes

RECON LAB has multiple viewer panes to assist with presenting additional information or views of files.

Detailed Information – Shows the location of a file within the source, dates and times, examiner’s notes and more.

Hex View – Shows the file in Hex View.

Text View – Shows the file text view.

Strings View – Shows the text view of a file with binary data removed.

Exif Metadata – Interprets and shows special metadata contained in specific files.

Apple Metadata – Shows all of the Apple Extended Metadata of a macOS file.

Maps – Shows both online and offline maps for files that contain location data.

12.8.1.Detailed Information Pane

When a file or item is highlighted in the Main Viewer the Detailed Information pane will show as much information as possible.  The content will change depending on what is selected in the Main Viewer.

In the example above the Google Chrome application was selected.

The application’s name, path, dates and times, tags and examiner notes are displayed.  Additionally, some useful Apple Extended Attributes are shown (Use Count and Used Dates).

12.8.2.Hex View Pane

When a file is highlighted in the Main Viewer the Hex View pane will show its hex view.  Both hex and ASCII will be shown.

In the example above an image file was selected.

Hex or text can be highlighted and additional options for tagging, bookmarking or copying data can be applied with a right-click.

12.8.3.Text View Pane

When a file or item is highlighted in the Main Viewer the Text View pane will show the file as text (ASCII) or Unicode.  This can be changed with the dropdown box in the upper right corner.

The Text View pane also includes a quick search feature.

In the example above the keyword, “adobe” was entered and the “Search” button was clicked.

All instances of “adobe” are now highlighted in red.

12.8.4.Strings View Pane

When a file or item is highlighted in the Main Viewer the Strings View pane will show the file with binary data removed (non-human readable characters).

The Strings View pane also includes a quick search feature.

In the example above the keyword, “adobe” was entered and the “Search” button was clicked.

All instances of “adobe” are now highlighted in red.

12.8.5.EXIF Metadata View Pane

When a file or item is highlighted in the Main Viewer the Exif View pane will show any Exif metadata of the file.

Clicking the checkbox next to the Exif metadata will add that information to reports.

12.8.6.Apple Metadata View Pane

When a file or item highlighted in the Main Viewer has Apple Extended Metadata, the Apple Metadata pane will show the attributes.

Clicking the checkbox next to an Extended Attribute will add that information to reports.

12.8.7.Maps Preview Pane

When a file or item highlighted in the Main Viewer contains location information, the Maps Preview Pane will show the location in offline maps.

If the examination system is connected to the Internet there is the option to “Open with Google”.

Clicking the “Save” button will bookmark the location and add the information to “Saved Maps” in the Sidebar.

13.Removing a Source

If necessary, it is possible to remove a source after the case has processed.

To remove a source, open the Processing Status window.  Identify the source to remove from the case and then click the “Remove” button.

Once you choose to “Remove” a source a warning message will appear.

Make sure you quit and restart RECON LAB if you choose to remove a source.

14.Right-Click Options

Right-clicking on a file in the Main Viewer provides a host of options and features.  The menus will change depending on the current window or item selected.

Add file to hash set database – Add selected file to a pre-configured hash set database.

Add Note – Allows the examiner to enter notes for a file or item.

Add to Text Indexing Queue – Adds selected files or folders to the queue as an item to be indexed.

Bookmark – Adds a basic bookmark to a file or item.

Remove Bookmarks – Removes a file’s bookmark.

Carve Data – Files are searched for data such as URLs, credit card numbers, phone numbers and more.

Carve Files – Activates the built-in data carver to recover files.

Copy to Clipboard – Copies the detailed information about the file to the clipboard.

Decompress File – Expands compressed files and adds them to the case.

Export – Provides options for exporting files or directories to a .zip file or folder.

Export as KML – Creates a KML (Keyhole Markup Language) file from the selected items.

Export Hashes As Vic – Option to create Project Vic hashes from selected files.

Go to Source – Opens the location where the selected file or artifact exists in the source.

Hide Seen Files – Hide files from the case marked as “Seen”.

Mark as Seen –  Mark files seen by the examiner.

Mark as Unseen – Remove the “Seen” tag.

Open Detailed Information – Opens a floating window with the file or artifact’s detailed information.

Open with External Application – Open file in an external application (does not require exporting).

Open With – Opens the file in RECON LAB’s built-in Plist, Hex, SQLite or Registry Viewer.

Quick Look – Activates the macOS file viewer to preview a file or show additional information.

Remove Bookmarks – Remove the bookmark tag.

Remove Note – Removes examiner’s notes for a file or item.

Run Filesystem Modules – Run file system modules against individual files or directories.

Search file with the same hash – Finds any files with the same hash in pre-configured hash sets.

Send to Bucket – Sends the file to RECON LAB’s built-in Plist, Hex, SQLite or Registry Viewer in the Sidebar in the “Bucket” category.

Show Seen Files – Unhide files marked as “Seen” and hidden.

Tags – Allows the examiner to “tag” a file with a color or custom name.

15.Previewing Files

RECON LAB supports previewing hundreds of file types even if the parent applications are not installed.  For example, if MS Word is not installed, RECON LAB can still preview the MS Word document file.

As RECON LAB is designed on a Mac it takes advantage of macOS’s Quick Look.  To activate Quick Look to preview a file right-click and select “Quick Look” or tap your spacebar.

Additionally, you can highlight a file and click the Quick Look icon in the Top Menu.

16.Automated Analysis

RECON LAB includes hundreds of plugins that recover thousands of artifacts automatically from Windows, macOS, iOS, Android and Google Takeout.

To have RECON LAB automatically recover artifacts click the “Run Artifacts” button to bring up the configuration window.  Refer to the “Artifact and Plugin” section of this manual found under “Configuration” for information on using this module.

Select the artifacts of interest and click “Start”.

Once completed the recovered artifacts will populate in the sidebar under the “Artifacts” category.

The artifacts are grouped into categories and can be expanded by clicking the triangle icon.

The number listed next to the plugin is the number of artifacts recovered.  Double-clicking on the plugin opens the data in the Main Viewer window.

Plugins can have multiple artifacts that are usually separated into tabs.  In the example above, the Google Chrome plugin is selected and the “History” tab is highlighted.  The “History” tab is showing all of the Google Chrome history recovered from the sources.

Filtering Data with Keyword Searches

The data within this plugin can also be filtered using the Keyword Search box.

In the example above the keyword “Google Search” was entered in the Keyword Search box.  RECON LAB quickly filters the data to show only the Google Chrome history containing the keyword “Google Search”.

Setting a Timeline to Filter Data

By clicking the “TimeLine” button and using the timeline feature, we can refine the results further to a specific date range.

This time we enter the word “sig” into the Keyword Search box.

Activate the set timeline by checking the box next to the “Time Line” button and click Search.

Generating Reports from Plugin Window

Reports in various formats can easily be generated from the plugin window.  Reports can be in HTML, PDF, CSV, XML or KML formats.

Reporting options include Tags (bookmarks), the Full module or just the items on the screen.

If interested in exporting associated files the examiner can click the “Export” button.

Once you have bookmarked items of interest and you have chosen your reporting settings click “Report”.  RECON LAB will ask if you want to open the report once it is generated.

17.Bookmarks and Tagging Evidence

Bookmarks

Bookmarks are the simplest way to mark items of interest in RECON LAB.  In almost every area of RECON LAB there will be a checkbox next to any item that can be bookmarked.  To bookmark a file just check the box with the “bookmark” icon in the column.

Files can also be bookmarked via the right-click options or by using the “B” key.

Tags

Tags are custom bookmarks.  Tags can be colored markers, custom names or both.

Tags are created by right-clicking on the item of interest and selecting “Tags”.  An examiner can select one of the four colors to tag the file or “Create New Tag”.

Selecting “Create New Tag” allows the examiner to create a new Tag Category and assign a color (optional).

Clicking “Save” will tag the file with the new tag name and color in the Table View and in the Detailed Information.

Finding Tags and Bookmarks in Sidebar

Tags and bookmarks can always be located, accessed and sorted in the Sidebar.

Removing Tags and Bookmarks

To remove a Tag or Bookmark from any item of interest simply right-click and select “Remove Bookmark” or “Tags -> Remove Tag”.

18.Indexing

With the increased size of media and the number of sources seized RECON LAB takes a different approach to indexing.

Traditionally, forensic tools gave the examiner the option of indexing everything or nothing at all.  Examiners dreaded the thought of a full index due to long processing times.

RECON LAB handles indexing at a granular level using the leading indexing and search solution – dtSearch.

With RECON LAB an examiner has the ability to index a single file, the entire source or any combination in-between.  Additionally, with the ability to white-list or black-list files RECON LAB’s indexing is intelligent and useful.

The goal is to perform surgical indexing and searches to find the information needed in less time.

Indexing Example with RECON LAB

Let’s use this as an example.  You are tasked with finding any emails containing information about a company named “SUMURI” and we know the person of interest uses the Apple Mail client.  You had the ability to image his company MacBook and are now performing the analysis.

The caveman approach is to index everything and wait days for the indexing to finish.

Or, we can use RECON LAB’s indexing in a more intelligent way.

We start by setting up a white-list in the Configuration Text Indexing Filters.  Here we create a category for “Mail” and add the Apple Mail file formats (.eml, .emlx, .mbox), select “Index these files”, then “Apply”.

We now navigate to the folders where the Apple Mail client stores emails and “Add to Text Indexing Queue” using the right-click option.

We now select Text Indexing from the Top Menu and confirm that the files or directories that we want to parse are there.  We now click “Start Indexing”.

After indexing is complete we can now perform a Content Search for the keyword “SUMURI” and review the results.

We can preview the email hits using Quick Look or any of RECON LAB’s other viewers.
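The Apple Mail walkthrough above, modelled in a stand-alone script (an added example, not RECON LAB's or dtSearch's code): an extension white-list for a “Mail” category, a queue of directories, a small inverted index built only from white-listed files, and a content search for “SUMURI”. The mailbox layout and messages are constructed inline; real .emlx files carry a trailing plist that this example ignores.

```python
"""Selective ("surgical") indexing: white-list by extension, index only those files,
then run a content search. Added example; RECON LAB itself uses dtSearch."""
import email
import os
import re
import shutil
import tempfile
from collections import defaultdict
from email import policy

# White-list modelled on the "Mail" category created under Text Indexing Filters.
INDEX_FILTERS = {"Mail": {"extensions": {".eml", ".emlx", ".mbox"}, "index": True}}

WORD_RE = re.compile(r"[A-Za-z0-9@._-]+")


def is_whitelisted(path, filters=INDEX_FILTERS):
    """True when the extension belongs to a category set to 'Index these files'."""
    ext = os.path.splitext(path)[1].lower()
    return any(ext in f["extensions"] for f in filters.values() if f["index"])


def extract_text(path):
    """Searchable text for one mail file: Subject, From, To and the plain-text body."""
    with open(path, "rb") as fh:
        raw = fh.read()
    # Apple .emlx files start with a byte-count line before the RFC 822 message.
    if path.endswith(".emlx"):
        raw = raw.split(b"\n", 1)[1]
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = [msg.get("Subject", ""), msg.get("From", ""), msg.get("To", "")]
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        parts.append(body.get_content())
    return "\n".join(parts)


def build_index(queue, filters=INDEX_FILTERS):
    """Index white-listed files under the queued directories.
    Returns (index, skipped): token -> set of paths, and the paths left unindexed."""
    index = defaultdict(set)
    skipped = []
    for root_dir in queue:
        for root, _dirs, files in os.walk(root_dir):
            for name in files:
                path = os.path.join(root, name)
                if not is_whitelisted(path, filters):
                    skipped.append(path)
                    continue
                for token in WORD_RE.findall(extract_text(path)):
                    index[token.lower()].add(path)
    return index, skipped


def content_search(index, keyword):
    """Case-insensitive whole-token content search; returns sorted matching paths."""
    return sorted(index.get(keyword.lower(), set()))


def demo():
    """Constructed sample: two mail messages plus one .txt file that is not white-listed."""
    tmp = tempfile.mkdtemp()
    try:
        mail_dir = os.path.join(tmp, "Mail", "V6", "INBOX.mbox", "Messages")
        os.makedirs(mail_dir)
        hit = (b"From: a@example.test\nTo: b@example.test\nSubject: Contract\n\n"
               b"Meeting with SUMURI next week.\n")
        miss = b"From: c@example.test\nTo: b@example.test\nSubject: Lunch\n\nPizza on Friday?\n"
        with open(os.path.join(mail_dir, "1.emlx"), "wb") as fh:
            fh.write(b"%d\n" % len(hit) + hit)
        with open(os.path.join(mail_dir, "2.eml"), "wb") as fh:
            fh.write(miss)
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"SUMURI appears here too, but .txt is not white-listed.\n")
        index, skipped = build_index([tmp])
        hits = content_search(index, "SUMURI")
        return ([os.path.basename(p) for p in hits],
                [os.path.basename(p) for p in skipped])
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())  # (['1.emlx'], ['notes.txt'])
```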

19.Search Options

RECON LAB has many different ways to search for files and data.  They can be broken into two categories.  The first are “local” searches that relate to individual Plugin results and Viewers.  The second are “global” searches that search across all sources and their data.

Local Search Options

  • Keyword search and filters within the Plugin results view.
  • Keyword search and filters within viewers (Hex, Text, Strings, etc.)

Global Search Options

  • Global Artifact Keyword Search
  • Global File Search
  • Global Content Search
  • Global Apple Extended Metadata Search.

19.2.File Search

RECON LAB’s File Search can be used to search by file and folder names along with file size and their dates and times.  This is not a content search.

To start a File Search click the “File Search” icon found in the Top Menu.

The File Search configuration window will appear.

Use the File Name field to enter the keyword to be searched.  Options for the file name can be “Contains, Matches, Starts with, Ends with”.

File Size can be used as a parameter for the search.

To activate File Size filters, check the box next to File Size.  Options for the File Size filter are “Greater than, Less than, Exact, Between”.  As seen above, the unit of measure for the file size can also be adjusted.

Both standard date attributes and Apple Extended Attributes can be used as filters for a File Search as well.

To activate any Date filter just check the box next to the date attribute to be used.  Additional options for the date filter are “Between, Before, After”.

A File Search can be conducted using all sources or a combination of sources.  Additionally, there is the option for using All Filters or Any Filter.

To select more than one source check “Select Source” then the “Select Source” button.

Select any source by checking the box next to the Source of interest then click “OK”.

When ready, provide the search a unique name and click “Search”.

Once the search is complete you will be provided the option of reviewing the search.

If you click “YES”, any search results will appear in the Main Viewer window for additional analysis and bookmarking.
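A model of the File Search filters described in this section (an added example, not RECON LAB's own search code): the four name modes, size comparisons scaled by a unit, date filters over standard attributes and Apple extended attributes (kMDItemDateAdded is used as the extended example), and the “All Filters” versus “Any Filter” combination. The file records are constructed inline.

```python
"""File Search filter model: name, size and date filters combined with All/Any.
Added example; the record layout and attribute names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class FileRecord:
    path: str
    size: int                                   # bytes
    dates: dict = field(default_factory=dict)   # attribute name -> datetime


def name_filter(mode, keyword):
    """Modes: Contains, Matches, Starts with, Ends with (case-insensitive, file name only)."""
    k = keyword.lower()
    ops = {
        "Contains": lambda n: k in n,
        "Matches": lambda n: n == k,
        "Starts with": lambda n: n.startswith(k),
        "Ends with": lambda n: n.endswith(k),
    }
    op = ops[mode]
    return lambda rec: op(rec.path.rsplit("/", 1)[-1].lower())


def size_filter(mode, value, unit="B", upper=None):
    """Modes: Greater than, Less than, Exact, Between; values are scaled by the unit."""
    lo = value * UNITS[unit]
    hi = None if upper is None else upper * UNITS[unit]
    ops = {
        "Greater than": lambda s: s > lo,
        "Less than": lambda s: s < lo,
        "Exact": lambda s: s == lo,
        "Between": lambda s: lo <= s <= hi,
    }
    op = ops[mode]
    return lambda rec: op(rec.size)


def date_filter(attribute, mode, when, until=None):
    """Modes: Between, Before, After, applied to one timestamp attribute.
    A record that lacks the attribute (e.g. no Apple extended attribute) never matches."""
    ops = {
        "Before": lambda d: d < when,
        "After": lambda d: d > when,
        "Between": lambda d: when <= d <= until,
    }
    op = ops[mode]
    return lambda rec: attribute in rec.dates and op(rec.dates[attribute])


def file_search(records, filters, combine="All Filters"):
    """Records satisfying every filter ('All Filters', AND) or at least one ('Any Filter', OR)."""
    join = all if combine == "All Filters" else any
    return [r for r in records if join(f(r) for f in filters)]


# Constructed sample records: sizes in bytes, a standard and an Apple extended timestamp.
SAMPLE = [
    FileRecord("/Users/alice/Desktop/report.docx", 3 * 1024 ** 2,
               {"Modified": datetime(2019, 5, 2, 9, 30),
                "kMDItemDateAdded": datetime(2019, 5, 2, 9, 31)}),
    FileRecord("/Users/alice/Downloads/setup.dmg", 120 * 1024 ** 2,
               {"Modified": datetime(2018, 11, 20, 18, 0)}),
    FileRecord("/Users/alice/Documents/budget_report.xlsx", 40 * 1024,
               {"Modified": datetime(2019, 6, 15, 12, 0),
                "kMDItemDateAdded": datetime(2019, 6, 15, 12, 5)}),
]

FILTERS = [
    name_filter("Contains", "report"),
    size_filter("Greater than", 1, "MB"),
    date_filter("Modified", "Between", datetime(2019, 1, 1), datetime(2019, 12, 31)),
]


def demo_all():
    """'report' in the name AND larger than 1 MB AND modified during 2019."""
    return [r.path for r in file_search(SAMPLE, FILTERS, "All Filters")]


def demo_any():
    """The same three filters combined with Any Filter: each sample file matches one of them."""
    return [r.path for r in file_search(SAMPLE, FILTERS, "Any Filter")]


if __name__ == "__main__":
    print(demo_all())   # ['/Users/alice/Desktop/report.docx']
    print(demo_any())   # all three sample paths
```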

20.Advanced Viewers

Integrated into RECON LAB are four advanced viewers.

  • Property List Viewer – for Apple binary and standard plist files.
  • HEX Viewer – a full Hex viewer with advanced functions for forensic investigations.
  • SQLite Viewer – a forensic SQLite viewer with the ability to create custom SQLite queries.
  • Registry Viewer – for analysis and documentation of Windows Registry files.

20.1.Plist Viewer

The Property List Viewer (Plist Viewer) works with both standard and binary macOS Property Lists (.plist files).  Property List files are one of two common storage formats for Mac data.

To examine a file using the Property List Viewer, right-click on a property list file and select “Open With – Plist Viewer”.

If you would like to add the file to review later in the Sidebar Bucket select “Send to Bucket – Plist Viewer”.

The Property List Viewer opens the plist in the Main Viewer window.  Search options and reporting options are available.

In the example above, the “com.apple.finder.plist” was opened in the Property List Viewer.  The keyword “Desktop” was entered for a search term.  All hits are highlighted in yellow.

20.2.Hex Viewer

The Advanced Hex Viewer within RECON LAB is extremely powerful and full of helpful features.

Open File in Hex Viewer

To open a file in the Hex Viewer, right-click and select “Open With – Hex Viewer”.

If you would like to add the file to review later in the Sidebar Bucket select “Send to Bucket – Hex Viewer”.

The Hex Viewer will open in the Main Viewer window.

The number of “Bytes per line” can be adjusted using the dropdown box with values between 2 and 32.

Search in Hex Viewer

To search within the hex, select the “Search” button to be presented with the Search options box.  Options allow for the search term to be entered as hex, ASCII, or UTF-16 (Unicode).

After entering the search term click “Search”.

Hits will be highlighted in yellow.  Use the backward and forward buttons (next to the Search button) to move between hits.

Jump to an Offset

To jump to a specific offset click the “Go to Offset” button at the top of the Hex Viewer.  Enter a value and select a multiplier (between 1 and 8192).

Select where to begin:

From Start – from the beginning of the file.

From Cursor Position – from where the cursor currently sits.

From End – From the end of the file.

Tag Selected Bytes

Data can be tagged within the Hex Viewer by “swiping” over or highlighting the data.

Right-click on the data to be tagged and select “Tag Selected bytes”.

Assign the data to an existing “Saved Tags” or create a new tag by checking the “Create New” box, entering a name and selecting a color.  The tagged data will appear in the Sidebar under “Tags”.

Tags can also be recalled by selecting the “Show Tags” button at the top of the Hex Viewer.

Hex Viewer Information Pane

The Information Pane on the right side of the Hex Viewer will display the values of swiped or highlighted data.  It can also be used to toggle Little Endian/Big Endian interpretation on and off using the checkbox.

20.3.SQLite Viewer

The Advanced SQLite Viewer within RECON LAB has the ability to search, filter and execute SQLite queries to make it easier to document evidence found in SQLite files.

Open File in SQLite Viewer

To open a file in the SQLite Viewer, right-click and select “Open With – SQLite Viewer”.

If you would like to add the file to review later in the Sidebar Bucket select “Send to Bucket – SQLite Viewer”.

The SQLite Viewer will open in the Main Viewer window.

Filtering Table Data

Individual SQLite tables can be selected by using the Tables dropdown box.

Columns can be turned on and off by checking or unchecking the box underneath “Column Name”.

Likewise, the ability to search through individual columns can be turned on and off by checking or unchecking the box underneath “Search”.

Searching in the SQLite Viewer

After selecting a table of interest enter a keyword in the search field and click “Search”.  Items in the table matching the keyword will remain and can be reviewed and/or bookmarked.

Executing a SQLite Query

Instruction in writing SQLite queries is beyond the scope of this manual.  However, there are many great resources available online.

To execute an SQLite query first select a table then click the “Execute SQL” tab.

RECON LAB will pre-populate the work area with the existing column names from the table.  This can be modified using common SQLite syntax.

Once the query has been entered click the “Execute Query” button to view the results.
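The viewer's keyword search (matching only the columns whose “Search” box is checked) expressed as a single SQLite query, as an added example that is not RECON LAB's viewer code. Column names are validated against the table's real columns and quoted as identifiers, and the keyword is passed as a bound parameter, so a keyword such as `'; DROP TABLE` cannot alter the query. The Chrome-style `urls` table is constructed inline.

```python
"""Keyword search across the enabled columns of a SQLite table, built safely.
Added example; the sample table only resembles Chrome's History 'urls' table."""
import sqlite3


def quote_ident(name):
    """Quote a SQLite identifier (table or column) so it is never parsed as SQL."""
    return '"' + name.replace('"', '""') + '"'


def table_columns(db, table):
    """Column names from PRAGMA table_info, i.e. what the viewer lists under Column Name."""
    return [row[1] for row in db.execute("PRAGMA table_info(%s)" % quote_ident(table))]


def keyword_search(db, table, keyword, search_columns, visible_columns=None):
    """Rows where any enabled column contains the keyword (case-insensitive LIKE).
    search_columns: columns with the 'Search' box checked.
    visible_columns: columns with the 'Column Name' box checked (default: all)."""
    known = table_columns(db, table)
    for col in list(search_columns) + list(visible_columns or []):
        if col not in known:
            raise ValueError("unknown column: %s" % col)
    if not search_columns:
        raise ValueError("no column enabled for search")
    select = ", ".join(quote_ident(c) for c in visible_columns or known)
    # '!' escapes the LIKE wildcards so a literal % or _ in the keyword matches itself.
    where = " OR ".join("%s LIKE ? ESCAPE '!'" % quote_ident(c) for c in search_columns)
    escaped = keyword.replace("!", "!!").replace("%", "!%").replace("_", "!_")
    pattern = "%" + escaped + "%"
    sql = "SELECT %s FROM %s WHERE %s ORDER BY rowid" % (select, quote_ident(table), where)
    return db.execute(sql, [pattern] * len(search_columns)).fetchall()


def sample_db():
    """Constructed sample: three rows shaped like Chrome's 'urls' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
               "visit_count INTEGER)")
    db.executemany("INSERT INTO urls VALUES (?, ?, ?, ?)", [
        (1, "https://www.google.com/search?q=sig+sauer", "sig sauer - Google Search", 3),
        (2, "https://www.sumuri.com/", "SUMURI - Mac Forensics", 1),
        (3, "https://example.test/signal", "Signal download", 2),
    ])
    return db


def demo():
    db = sample_db()
    # Only 'title' is enabled for search, as if the 'url' Search box had been cleared.
    titles_only = keyword_search(db, "urls", "google search", ["title"], ["id", "title"])
    # Both columns enabled: the bare keyword 'sig' also hits row 3 through its URL path.
    both = keyword_search(db, "urls", "sig", ["url", "title"], ["id"])
    return [r[0] for r in titles_only], [r[0] for r in both]


if __name__ == "__main__":
    print(demo())  # ([1], [1, 3])
```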

20.4.Registry Viewer

When a source is added to RECON LAB that contains Windows registry information it is automatically parsed and added to the Sidebar Bucket under Registry Viewer.

If you need to manually load a Windows registry artifact right-click on the file and select “Open With – Registry Viewer”.

To add the registry artifact to the Sidebar choose “Send to Bucket – Registry Viewer”.

To examine Windows registry artifacts select a registry hive to open in the Sidebar.  The registry hive will open in the Registry Viewer in the Main Window.

The registry hives and keys can now be explored and bookmarked.

To search inside a hive enter a keyword in the search field and click “Search”.

Select the “Searched Items” tab to review the results.

In the example above the keyword “SanDisk” was used as the search term.

21.Exporting Options

There are two ways to export files in RECON LAB.

  1. Selecting “Export” options when reports are generated (covered later in the “Reporting” section of this manual).
  2. Right-click and export from Table View.

Exporting From Table View

To export from Table View, highlight the files or folders to export and then right-click.

The File Export window will open.

The examiner has the option of exporting all of the files to a Zip file or to a Folder.  The examiner can choose to “Keep the directory structure” by selecting the checkbox.

To export, choose the path to send the exported files to and click “Export”.

In the example above a BMP file was selected for export with the option of keeping the directory structure.

22.Carving

Both data and files can be carved in RECON LAB.  There are three options available for carving.

File Carving – recover files from any source.

Data Carving – recovery of information such as email addresses, social security numbers, URLs, etc.

Carving Unallocated Space – a search of files from the unallocated space of supported file systems.

22.1.File Carving

To carve files from within the Table View right-click on an item to process and select “Carve Files”.

In the example above we are asking RECON LAB to carve files from the pagefile.sys file.  A window will appear allowing the selection of files to carve.

During the carving, a Finder window will appear with live results.  These carved files will be added back to RECON LAB for review and documentation when the carving is complete.

When the carving is complete, the results can be found under “Carved Files” in the Sidebar.

Selecting the item in the Sidebar will load the results of the carving in the Main Viewer window.

22.2.Data Carving

To carve data from within the Table View right-click on an item to process and select “Carve Data”.

In the example above we are asking RECON LAB to carve data from the hiberfil.sys file.  A window will appear allowing the selection of files to carve.

When the carving is complete, the results can be found under “Carved Files” in the Sidebar.

Selecting the item in the Sidebar will load the results of the data carving in the Main Viewer window.

22.3.Carving Unallocated Space

To carve files from the unallocated space of a supported file system right-click on the volume under the Source in the Sidebar and select “Carve Unallocated Space”.

In the example above we are asking RECON LAB to carve files from the unallocated space of an NTFS volume.  A window will appear allowing the selection of files to carve.

During the carving, a Finder window will appear with live results.  These carved files will be added back to RECON LAB for review and documentation when the carving is complete.

When the carving is complete, the results can be found under “Carved Files” in the Sidebar.

Selecting the item in the Sidebar will load the results of the carving in the Main Viewer window.

23.Hash Sets

RECON LAB has the ability to create and import commonly used forensic hash set databases.

The hash sets can help an examiner identify files and/or remove files from a case.

Before using hash set databases RECON LAB will need to hash the files in the source first.  To find out if hashing is completed for a source click the Processing Status icon in the Top Menu.

If the hashes have not been calculated for a Source click the checkbox and “Start”.

23.1.Creating Hash Sets

Before working with hash set features, a hash set category must be created and file hashes must be added.

To create a new hash set click on the HashSet icon in the Top Menu.

The Hash Set main window will appear.

Click “Create” and enter a name for your new hash set and click “Create” again.

The new hash set category is now created.

To add files to the new category right-click on any files that have previously been hashed and select “Add file to hashset database”.

Any files matching the hashes within the hash set database will be identified in the Table View Column “Hashset Name” and in the Detailed Information pane.

Archiving the Hash Set Database

If you want to archive your newly created hash set database so it can be imported into other cases, navigate to the “Lab_Conf – Hashset” directory in your RECON LAB Case Folder.  Here you will find the hash set databases to archive.

23.2.Importing Hash Sets

RECON LAB can import the following hash set database formats:

  • RECON LAB SQLite
  • Project VIC
  • NSRL
  • CSV

To import a hash set database click on the “Hashset” icon in the Top Menu.  Use the dropdown box to select a hash set database format.

Navigate to the location of the database and click “Open”.

You may be prompted to select a specific table in order to import.  For RECON LAB SQLite databases select the “saved_hashsets” table and the “md5_hash” column.

After clicking “Save” the new hash set will be available for use.

23.3.Removing Files From Case Using Hash Sets

RECON LAB provides the option of removing (hiding) files in a case that match hashes found in a hash set database.  This is useful for hiding benign system files that are irrelevant to your investigation.

To remove files from a case with hashes click on the “Hashset” icon in the Top Menu.

Click the checkbox next to the hash set under the column “Hide Matched Files” and then “Apply”.

Files matching the hashes in the hash set database will be hidden.

To unhide the files uncheck the checkbox and hit “Apply” again.
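The hash set workflow of sections 23.1 to 23.3 as a stand-alone script (an added example, not RECON LAB's own database code): a SQLite hash set database using the table and column names the manual gives for import (“saved_hashsets”, “md5_hash”; the remaining schema is assumed), a CSV import, matching of case files by MD5, and the “Hide Matched Files” view. The case files and hashes are constructed inline.

```python
"""Create, import and apply hash sets; hide case files that match a checked set.
Added example; only the 'saved_hashsets' table and 'md5_hash' column come from the manual."""
import csv
import hashlib
import io
import sqlite3


def md5_of(data):
    """MD5 of file content, the hash the manual's import dialog selects."""
    return hashlib.md5(data).hexdigest()


def create_hashset_db():
    """In-memory hash set database (assumed schema around the two named fields)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE saved_hashsets (hashset_name TEXT, md5_hash TEXT, "
               "PRIMARY KEY (hashset_name, md5_hash))")
    return db


def add_file_to_hashset(db, hashset_name, file_md5):
    """Equivalent of 'Add file to hashset database' on a previously hashed file."""
    db.execute("INSERT OR IGNORE INTO saved_hashsets VALUES (?, ?)",
               (hashset_name, file_md5.lower()))


def import_csv_hashset(db, hashset_name, csv_text, column="md5"):
    """Import a CSV hash set; 'column' names the header of the MD5 column."""
    count = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        add_file_to_hashset(db, hashset_name, row[column])
        count += 1
    return count


def match_files(db, case_files):
    """{path: hashset_name} for every case file whose MD5 is in a hash set
    (what the Table View shows in its 'Hashset Name' column)."""
    matches = {}
    for path, data in case_files.items():
        row = db.execute("SELECT hashset_name FROM saved_hashsets WHERE md5_hash = ?",
                         (md5_of(data),)).fetchone()
        if row:
            matches[path] = row[0]
    return matches


def visible_files(db, case_files, hide_matched):
    """'Hide Matched Files': files matched by any checked hash set are hidden, not deleted."""
    matched = match_files(db, case_files)
    return sorted(p for p in case_files if matched.get(p) not in hide_matched)


# Constructed case files: the byte strings stand in for real file content.
CASE_FILES = {
    "/System/Library/known.dylib": b"benign system library",
    "/Users/bob/Documents/plan.txt": b"suspect document",
    "/Users/bob/Downloads/tool.bin": b"known tool",
}

# Constructed CSV hash set with a header row naming the MD5 column.
CSV_HASHSET = "md5,filename\n" + md5_of(b"known tool") + ",tool.bin\n"


def demo():
    db = create_hashset_db()
    add_file_to_hashset(db, "OS Files", md5_of(b"benign system library"))
    import_csv_hashset(db, "Tools", CSV_HASHSET)
    matched = match_files(db, CASE_FILES)
    # Only the "OS Files" set has 'Hide Matched Files' checked.
    shown = visible_files(db, CASE_FILES, hide_matched={"OS Files"})
    return matched, shown


if __name__ == "__main__":
    print(demo())
```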

24.Hide or Show Files

RECON LAB includes a feature to “Mark files as Seen”.  This is a way of tracking files that you have already reviewed.  To mark a file as seen click the checkbox in the “Seen” column.

Files marked as seen can also be “hidden” from the case view.  To “Hide Seen Files” or “Show Seen Files” right-click on any file and make a selection.

In the below image “Hide Seen Files” was activated.  Only the files that were left unchecked above are still visible.

25.Project Vic

RECON LAB supports Project VIC database formats Versions 1.1, 1.2 and 1.3.

For more information about Project VIC please visit their website here: https://www.projectvic.org

Exporting as Project VIC Format

To export files in one of Project VIC formats select the files of interest and right-click.  Select “Export Hashes as VIC” and select the version of choice.

Below is an example of a Project VIC export using RECON LAB.

26.Email Analysis

There are two ways to conduct email analysis in RECON LAB.

  1. Automated Artifact Analysis using plugins.
  2. Email Files Module

Automated Artifacts Analysis

There are a variety of automated plugins for various email clients.  If an automated analysis is run and artifacts are found for a specific email client the results will be loaded in the Sidebar for access.  To view the results in the Main Viewer window select the plugin in the Sidebar.

Email Files Module

A separate “Email Files Module” can be found in the Sidebar.  This module attempts to unify as many mail accounts as possible into one review platform.

The upper left panel is the “Accounts” pane.  All supported mail accounts will be found here along with their mailboxes.

The right panel contains a table view of supported mail messages.

Additional information is provided below when a mail message is selected.

The “Message” tab seen above shows the message in HTML view.

Attachments

If attachments exist they will be listed in the “Attachments” tab.  Two links are provided for opening the file in the source (“Open in Source”) and for previewing the file with “Quick Look”.

Viewing Message As Raw Data

The last tab interprets the message as text.  This view is commonly used to see email header information.

27.Timeline Analysis

The ability to sort data by timestamps is found throughout RECON LAB.

RECON LAB includes two special ways to create amazing timelines with support for over 270 unique timestamps.

  1. Super Timeline – creates a CSV or SQLite database of standard system timestamps and/or Artifact Plugin timestamps.
  2. Artifacts Timeline – visual view of events based on timestamps from automated analysis.

27.1.Super Timeline

The Super Timeline can be activated by clicking on the “Super Timeline” icon in the Top Menu.

Once selected the Super Timeline configuration window will appear.

The Output Format can either be SQLite (recommended) or CSV.  If you choose CSV the number of records is limited to 1,000,000.

An examiner can choose to include the standard timestamps of File System Records, timestamps of Artifacts Plugin Records or both.

A Start Time and an End Time can also be provided.

To create the Super Timeline provide a File Name, File Path and click OK.

Once the Super Timeline is created you will be prompted to review the results.

27.2.Artifacts Timeline

In order for the Artifacts Timeline to create a timeline make sure that you have run some or all of the Artifacts and Plugin modules for automatic analysis.

To start an Artifacts Timeline click the “Artifacts Timeline” icon in the Top Menu bar.

Start by selecting the artifacts of interest in the Artifacts List and timestamps of interest in the Timestamp List.

Next, select your Start and End dates and click Apply to create the Timeline.

Once complete you will have a graphical view of all the parsed and selected artifacts along a graphical timeline.

The timeline can be viewed by Year, Month, Daywise and Hourly.

To move backward and forward through the timeline pages use the navigation buttons or go directly to a page by using the “Go to Page” option.

In the graphical view, you can save a picture of the current graph by clicking the “Save” button.

To export the data into a CSV file click the Export button.

To review the results in a table view click the “Tableview” button.

Each color in the graph represents a different artifact.  Hovering over the color will display a popup window with additional information about the plugin.

Double-clicking on a plugin in the graph will open its results in a table view.

The results can be exported to a CSV file using the “Export” button.

Selecting the “Save” button will save this table to the Sidebar and can be found under “Artifacts Timeline”.

Clicking the “Close” button will close the graph.

28.Redefined Results

Redefined Results are a way to collate data across different devices that use different applications.  It allows a complete picture of events even when a person is using a mobile device, laptop, and a computer in a single day.

Redefined Results are available for Web History, Messaging and Location Data.

Redefined Results can be found in the Sidebar and viewed by double-clicking on the result of your choice.

28.1.Collated Location History

Any data containing location data will be collated in the Redefined Results for Location History.

28.2.Collated Messaging

Messenger Redefined Results collate different messenger applications from different sources into one.

The Event View tab provides a table view of all the data.  The results can be filtered using the Search box.

A Start Time and End Time can be applied to the results by clicking the Timeline button.

The Graph View provides a visual view of the messaging data in a timeline.

The Pie View tab provides another visual analysis of the data based on percentages.

28.3.Collated Web History

Browser History Redefined Results collate different web browsing applications from different sources into one.

The Event View tab provides a table view of all the data.  The results can be filtered using the Search box.

A Start Time and End Time can be applied to the results by clicking the Timeline button.

The Graph View provides a visual view of web browser data in a timeline.

The Top URLs tab is a graphical view that shows the most visited websites based on frequency.

29.RAM Analysis

In Progress.

30.APFS Snapshot Analysis

In Progress.

31.Acquire iOS Devices with RECON LAB

In the initial Splash screen, examiners have the ability to acquire an iOS image from an iPhone, iPod, or iPad that is connected to their forensic Mac.  The examiner will need the login credentials for the iOS device and the ability to interact with the iOS display (i.e. a functioning screen).  iTunes must be installed on the Mac and must be up to date.

The examiner will select Acquire iOS Device button (see image below).

The examiner can plug the iOS device into the Mac before selecting Acquire iOS Device.  Once it is plugged in, ensure you select Trust on the iOS device at the “Trust This Computer?” prompt.  iTunes will also prompt “Do you want to allow this computer to access information on ‘user’s iPhone’?”.  Select Continue.

You’ll then be instructed to enter the login credentials for the iOS device.  If the iOS device is not visible, click on the Refresh button to retry accessing the iOS device.

Once the iOS device’s information is displayed, you can obtain key information such as the phone number, International Mobile Equipment Identifier (IMEI) and the International Mobile Subscriber Identity (IMSI) in the lower window.

Once the examiner confirms the attached iOS device is the intended acquisition target, click on Acquire. Then select the output directory for the iOS data acquisition.  Once the extraction is complete, you can load the iOS backup into RECON LAB by navigating to the manifest.db found within the acquisition folder.

32.Reporting

In Progress.

32.1.Plugin Reports

In Progress.

32.2.Global Artifact Reports

In Progress.

32.3.Story Board Reports - WYSIWYG Reports

In Progress.

33.Shutdown RECON LAB

To quit RECON LAB select “Quit RECON_LAB” from the top menu.

34.End User License Agreement

RECON Lab – Lab Edition

Copyright 2013-2019 – SUMURI LLC

www.sumuri.com

IMPORTANT, PLEASE READ CAREFULLY. THIS IS A LICENSE AGREEMENT

This RECON Lab is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. This RECON Lab is licensed, not sold.

End User License Agreement

This End User License Agreement (‘EULA’) is a legal agreement between you (either an individual or a single entity) and SUMURI LLC with regard to the copyrighted software (herein referred to as RECON Lab or ‘software’) provided with this EULA.  The RECON Lab includes computer software, the associated media, any printed materials, and any ‘online’ or electronic documentation. Use of any software and related documentation (‘software’) provided to you by RECON Lab in whatever form or media, will constitute your acceptance of these terms, unless separate terms are provided by the software supplier, in which case certain additional or different terms may apply. If you do not agree with the terms of this EULA, do not download, install, copy or use the software. By installing, copying or otherwise using RECON Lab, you agree to be bound by the terms of this EULA.  If you do not agree to the terms of this EULA, SUMURI LLC is unwilling to license RECON Lab to you.

Eligible License – This software is available for license solely to software owners, with no right of duplication or further distribution, licensing, or sub-licensing.

License Grant – SUMURI LLC grants to you a personal, non-transferable and non-exclusive right to use the copy of the software provided with this EULA. You agree you will not copy or duplicate the software. You agree that you may not copy the written materials accompanying the software. Modifying, translating, renting, copying, transferring or assigning all or part of the software, or any rights granted hereunder, to any other persons and removing any proprietary notices, labels or marks from the software is strictly prohibited.  Furthermore, you hereby agree not to create derivative works based on the software.  You may not transfer this software.

Copyright – The software is licensed, not sold.  You acknowledge that no title to the intellectual property in the software is transferred to you. You further acknowledge that title and full ownership rights to the software will remain the exclusive property of SUMURI LLC and/or its suppliers, and you will not acquire any rights to the software, except as expressly set forth above. All copies of the software will contain the same proprietary notices as contained in or on the software. All title and copyrights in and to RECON Lab (including but not limited to any images, photographs, animations, video, audio, music, text and “applets,” incorporated into RECON Lab), the accompanying printed materials, and any copies of RECON Lab, are owned by SUMURI LLC.  RECON Lab is protected by copyright laws and international treaty provisions.  You may not copy the printed materials accompanying RECON Lab.

Reverse Engineering – You agree that you will not attempt, and if you are a corporation, you will use your best efforts to prevent your employees and contractors from attempting to reverse compile, modify, translate or disassemble the software in whole or in part. Any failure to comply with the above or any other terms and conditions contained herein will result in the automatic termination of this license and the reversion of the rights granted hereunder to SUMURI LLC.

Disclaimer of Warranty – The software is provided ‘AS IS’ without warranty of any kind. SUMURI LLC and its suppliers disclaim and make no express or implied warranties and specifically disclaim the warranties of merchantability, fitness for a particular purpose, and non-infringement of third-party rights. The entire risk as to the quality and performance of the software is with you. Neither SUMURI LLC nor its suppliers warrant that the functions contained in the software will meet your requirements or that the operation of the software will be uninterrupted or error-free. SUMURI LLC is not obligated to provide any updates to the software for any user who does not have a software maintenance subscription.

Limitation of Liability – SUMURI LLC’s entire liability and your exclusive remedy under this EULA shall not exceed the price paid for the software, if any.  In no event shall SUMURI LLC or its suppliers be liable to you for any consequential, special, incidental or indirect damages of any kind arising out of the use or inability to use the software, even if SUMURI LLC or its supplier has been advised of the possibility of such damages, or any claim by a third party.

Rental – You may not loan, rent, or lease the software.

Transfer – You may not transfer the software to a third party, without written consent from SUMURI LLC and written acceptance of the terms of this Agreement by the transferee. Your license is automatically terminated if you transfer the software without the written consent of SUMURI LLC. You are to ensure that the software is not made available in any form to anyone not subject to this Agreement. A transfer fee of $150 USD will be charged to transfer the software (not applicable to transfers associated with orders from distributors, or resellers or intra-company transfers).

Upgrades – If the software is an upgrade from an earlier release or previously released version, you now may use that upgraded product only in accordance with this EULA.  If RECON Lab is an upgrade of a software program which you licensed as a single product, then RECON Lab may be used only as part of that single product package and may not be separated for use on more than one computer.

OEM Product Support – Product support for RECON Lab is provided by SUMURI LLC.  For product support, please call SUMURI LLC.  Should you have any questions concerning this, please refer to the address provided in the documentation.

No Liability for Consequential Damages – In no event shall SUMURI LLC or its suppliers be liable for any damages whatsoever (including, without limitation, incidental, direct, indirect special and consequential damages, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use or inability to use this ‘SUMURI LLC’ product, even if SUMURI LLC has been advised of the possibility of such damages.  Because some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

Indemnification By You – If you distribute the software in violation of this Agreement, you agree to indemnify, hold harmless and defend SUMURI LLC and its suppliers from and against any claims or lawsuits, including attorney’s fees that arise or result from the use or distribution of the software in violation of this Agreement.

Jurisdiction – The parties consent to the exclusive jurisdiction and venue of the federal and state courts located in the State of Delaware, USA, in any action arising out of or relating to this Agreement. The parties waive any other venue to which either party might be entitled by domicile or otherwise.
