Figure 2. Sample screenshot of Internet Evidence Finder Interface

Source: JAD Software at http://www.jadsoftware.com/go/wp-content/themes/jadsoftv2 / images/iefv4-1.png

Moreover, IEF v4 also has some useful features for social networking site applications, including:

1. Facebook live chat search has been updated to locate additional chat (including damaged fragments); the vendor adds that messages sent and received using the Facebook live chat feature. Information found with the message can include the Facebook profile ID used to send/receive the message, the from/to names and ID's, and the date/time (in UTC) that the message was sent; however, there are a few different formats of Facebook chat and not all formats include all this data).

2. Facebook unicode text is now converted.

3. Facebook page fragments: Facebook related web pages, including but not limited to the Inbox page, emails, photo galleries, groups, and so on. Most recovered items will be fragments and not the complete page, but attempts are made to recover the entire page and filter out false positives. A header is added to the fragment to aid in viewing the page in its original format.

4. Updated MSN/Windows Live Messenger search re-written to find more chat faster.

5. New Portable Edition that can run on live systems

6. Yahoo! Messenger existing log files are now parsed without requiring usernames.

7. Yahoo! Messenger chat log validation has been improved, with support for date ranges and message text filtering (Internet Evidence Finder v4 -- Standard Edition, 2011, para. 2-3).

A mixed methodology consisting of both qualitative as well as quantitative elements will be used to conduct the analytical comparison of the EnCase and IEF v4 products. The quantitative elements will consist of how many instances of specified key word searches and other functions of each product results in the desired outcomes (i.e., the identification of desired evidentiary information) using five hard drives containing Facebook chat that will be created specifically for this purpose. Because both software applications are expected to perform within reasonably comparable timeframes (e.g., a few seconds), the time required to perform each function will not be included in the data analysis. The numeric totals of each such desired outcomes will be collected for each product, but quantitative data only will...

Therefore, a weight will be assigned to each product's data analysis results to indicate their quality, scope and reliability. This approach is congruent with Neuman's (2003) guidance concerning conducting analytical comparisons. According to Neuman, an analytic comparison "identifies many characteristics and a key outcome, then checks the agreement and difference among the characteristics to learn which ones are associated with the outcome" (p. 458). The results of this weighted comparison of the EnCase and IEF v4 products will be presented in tabular and graphic formats, and interpreted in a narrative fashion.
Finally, to improve the trustworthiness of the findings, the case management recommendations provided by EnCase will be followed for conducting the analytical comparison of both vendors' software application products as follows:

1. Separate folders for each case; use unique directory names.

2. Use large capacity, high RPM (revolutions per minute) hard drives with single partition for evidence files

3. Wipe the drive to eliminate any claims or arguments of cross-contamination.

4. Give the hard drive a unique label prior to acquisitions to differentiate your drives from the suspect's.

5. Create default Evidence, Export, and Temp folders for each case (EnCase Methodology, 2011).