E3 Forensic Platform Release

The new edition of the E3 Forensic Platform adds new functionality for malware and ransomware investigations that allows for a comprehensive review of Windows systems. Other enhancements include changes for cryptocurrency searching, iOS metadata details, and more.

What’s new in E3?

Windows 11 Email Support

Support for the built-in email client for Windows 11 has now been added to E3. 

Windows 10 & 11 Artifact Improvements

Support has been added for the system folders containing Event Logs and Prefetch files.

Compliance Archive Support

Support for Compliance Archives from many popular social media platforms is now available with E3:Universal, E3:DS, and E3:P2C licenses.

Data Triage

New support for data triage categories for Office Backstage and Malware.

New Registry Keys

New keys have been added to the Parsed Registry Data category in the Data Triage, including Office 365 (Word) MRU, Office 365 (Excel) MRU, and Office 365 (PowerPoint) MRU.

Malware Detection

A new category has been added to the Registry part of the Data Triage. It includes the keys that might be useful during a malware detection investigation.

  • Auto-run: Shows what programs are started automatically on the PC.
  • RunOnce: Shows the commands to be executed in the system once and then deleted.
  • Run Virtual: Shows the locally installed apps that are set to be run in a virtual environment.
  • AppCompatFlags: Shows the compatibility options for the programs.
  • Winlogon: Shows information about user authorization and Windows activation checks.
  • Terminal Server: Shows the configuration of the Terminal Server and all its services.
  • Storage Devices: Shows the list of detected storage devices that were used on the investigated PC.
  • Users Info: Information about the existing Windows users. The following information is provided about each user: <name of the user>
      • Auto-run: Shows what programs are started automatically for the selected user.
      • RunOnce: Shows the commands to be executed in the system once and then deleted for the selected user.
      • Run Virtual: Shows the locally installed apps that are set to be run in a virtual environment for the selected user.
      • TypedURLs: Shows a list of 25 recent URLs (or file paths) that were typed in the Internet Explorer (IE) or Windows Explorer address bar.
      • TypedPaths: Shows a list of paths typed in the path bar of the File Explorer.
      • MUICache: Shows a list of programs that have been used.
      • Feature Usage: Shows the number of times the application was clicked.
      • AppCompatFlags: Shows the compatibility options for the programs for the user.
      • WordWheelQuery: Shows a list of recent searches performed via Windows Explorer.

Timeline Data

The Timeline category contains timelines for the most popular registry keys. For some keys that are not parsed in other parts of Data Triage, this category also contains parsed data.

  • Summary Timeline: The full timeline for all keys for all computer-specific categories except the user-specific categories displayed under the Users Info node.
  • Amcache Timeline: Information contained in the Amcache registry hive.
  • AppCompatCache Timeline: Information from the Application Compatibility flags database.
  • App Paths Timeline: Information from the App Paths subkeys from the Software hive.
  • Background Activity Moderator Driver Timeline: Information on the Background Activity Moderator Driver (bam.sys) controlling the activity of the background applications.
  • DirectX Most Recent Applications Timeline: Information on the most recent applications using DirectX.
  • NetworkList Timeline: Information from the NetworkList key, including the MAC address of the default gateway.
  • Print Monitor Timeline: Information on the print monitors.
  • SAM Timeline: Information about the Security Accounts Manager service.
  • Shimcache Timeline: Information about application compatibility cache.
  • TaskCache Timeline: Information about the tasks that might be used by the threat actors during the engagement.
  • Tasks Timeline: Information about scheduled tasks created on the PC.
  • Tracing Timeline: Information on the applications that can be traced.
  • Uninstall Timeline: Information on the applications that can be uninstalled.
  • Users Info: Information about the existing Windows users. The following information is provided about each user: <name of the user>
      • Summary Timeline: The full timeline for all keys for all user-specific categories for the selected user.
      • Audio Mixer Timeline: Information on the audio mixer usage for a specific user.
      • App Paths Timeline: Information from the App Paths subkeys for a specific user.
      • Microsoft Office Trusted Records Timeline: Information on the Microsoft Office documents (Word, Excel, PowerPoint, and Access), for which the user selected to accept bypassing the default security settings for the application.
      • Microsoft Office Docs Timeline: Information on the recently used Microsoft Office documents (Word, Excel, PowerPoint, and Access).
      • MMC Timeline: Information from the Microsoft Management Console recent file list.
      • Recent Docs Timeline: A list of files recently executed or opened through Windows Explorer.
      • RunMRU Timeline: A list of entries (e.g., full file path or commands like cmd, regedit, compmgmt.msc) executed using the Start>Run commands.
      • Shellbags Timeline: Information about the folder structure and view preferences. The keys may be used to find out information about the folders and remote machines or servers a user accessed through Windows Explorer.
      • SysInternals Timeline: Information on the SysInternals apps keys.
      • Terminal Service Client Timeline: Contents of the Terminal Server Client key for a specific user.
      • Text to Speech Timeline: Information related to the Windows text-to-speech functionality.
      • TypedPaths Timeline: A list of paths typed in the path bar of the File Explorer.
      • TypedURLs Timeline: A list of 25 recent URLs (or file paths) that were typed in the Internet Explorer (IE) or Windows Explorer address bar.
      • Uninstall Timeline: A list of the user-specific applications that can be uninstalled.
      • UserAssist Timeline: The contents of the UserAssist subkeys.
      • WinRAR Timeline: Subkeys associated with the WinRAR activity.
      • WordWheelQuery Timeline: Shows a list of recent searches performed via Windows Explorer.
      • Windows Subsystem for Linux Timeline: Data from the Windows\CurrentVersion\Applets Recent File List values.

App Permission Details

The Permissions Details grid has been added for data received during logical acquisition from iOS devices and during iOS backup import. The grid contains information about the permission modification date and reason.

Root Kernels

New kernel files to be used with the Root Engine have been added to the collection available for downloading on the Paraben site, allowing additional rooting options for Android devices.

Logs & Artifact Exports

A new Logs & Artifacts export has been implemented. It allows exporting data detected in Data Triage to CSV files for future analysis via Microsoft Excel. The new version of E3 allows exporting of Event Logs, Link Files, and Jump Lists.

Image Analyzer Enhancements

New support for the detection of data from Chat, Currency, Documents, ID_Credit Card, Map, QR_Barcodes, Tattoos, and Vehicles.

Decoded Date & Time

Decoding of date/time values has been added for the Registry part of the Data Triage.

Text of Binary Data

Textual representation of the binary data values in the registry part of the Data Triage has been implemented.

Advanced Analysis Grid Filtering

Advanced Analysis Grid Filtering is now available in the Data View pane for filesystem evidence with the NTFS filesystem.

Search Enhancements

New cryptocurrency-related search term list and regular expressions, plus other regular expression enhancements.

E3 Offers a New Approach to Data

If you can’t see it, you do not know what you are missing. E3 makes the collection and processing of data easy, with quick references and parsing of valuable artifacts that bring you to the answers you are looking for.

Computers

Smartphones & IoT

Cloud Data

Email Data

Standing Out in a Crowd

23 Years of DFIR Support

Paraben is about great technology with great support. You get the full package with software, service, and training at modest prices that can work into any size budget.

Our Top Titles

Paraben offers flexible licensing options to work with any organization’s needs. From the all-in-one option with E3:Universal to only processing email, you have choices when you work with the E3 Forensic Platform.

P.O. Box 277, Aldie VA 20105 USA

1.801.796.0944

sales@paraben.com

U.S. Woman-Owned Business