Review of SiQuest’s Internet Examiner ToolKit v4

Internet Examiner ToolKit (IXTK) version 4 is the latest iteration of SiQuest’s Internet activity examination software. In 2004 SiQuest CEO John Bradley created IXTK – then called “CacheBack” – in order to address the need he had as a law enforcement officer to quickly and automatically reassemble visited web pages, which at the time was a tedious manual process. John was kind enough to give me an exclusive preview of IXTK, which, as you will soon see, is an impressive product. First and foremost, IXTK v4 was completely re-written from the ground up. Users of IXTK v3 will notice that v4 is markedly faster when it comes to tasks like ingesting files: what used to take hours now takes minutes, and in some cases seconds. Ingested files are organized into an intuitive investigation and case management system within IXTK.

Design consistency across virtually every window pane and screen was another great improvement. I particularly liked the fact that you no longer have to right-click to carry out a specific task; there is literally a “Do” button at the top of each screen which, when clicked, presents you with all the valid tasks you can accomplish with the evidence you currently have selected. This eliminates any confusion an analyst might have about what they can actually do with an item they have selected.

IXTK v4 not only parses internet activity (such as your routine browser history and cache), it also opens files like SQLite databases.  You could be looking at a reconstructed page in the “bad guy’s” browser history and at the same time pull it up live on the internet, without having to switch over to any additional tools, and the version that is live on the internet can easily be added to your evidence collection.

We all know that what might seem like a small case when you start can quickly increase in scope, and IXTK v4 is ready for just that situation. Using its case management system you can record phone calls and notes, keep a running time clock to tell you how long you have been working, and so forth. Those seemingly small features built into the tool keep a range of information associated with your case and reduce the chances you would lose it on a Post-It note left on your desk.

IXTK v4’s evidence processing engine is also much improved. Rather than simply writing a word-matching tool that would, say, identify a Google search from keywords in a URL, SiQuest built the engine on a framework that examines many aspects of the data before it declares an artifact relevant. The framework is designed to allow additional functionality to be added at a later date in order to find new types of evidence.

Additionally, within IXTK v4 you can:

  • Create child bookmarks from parent bookmarks
  • Easily view EXIF information
  • Watch movies on the evidence drive without worrying about if you have the right Codec installed
  • View the disk just like you would see it in a hex editor which helps discover and export relevant fragmented artifacts
  • View evidence from cloud based services very easily in its own dedicated section of IXTK
  • Create a word dictionary from every word found in the evidence
  • List every host (or domain) visited, displayed to you alphabetically
  • Aggregate two completely different groups of items together into one section to view them as a whole
  • Support for mobile devices
  • Support for facial recognition
  • Quickly pull up the evidence that contained the most recent activity
  • Mount evidence files as virtual disks on your forensic workstation and IXTK v4 can remember where they were mounted the next time you open your case in order to have them mounted and all ready for you to continue
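Two of the capabilities described above, parsing browser history stored in SQLite and listing every host visited alphabetically, together with the point made earlier about telling a genuine search apart from a URL that merely contains a search engine's name, can be illustrated with a small script. The following is an added example written for this review, not IXTK's engine or any SiQuest code. It assumes a Chrome-style `urls` table (a subset of Chrome's real columns and its WebKit-epoch timestamp format); the rows, the search-engine list and the file layout are constructed for the example.

```python
"""Added example (not part of IXTK): pull hosts and search terms out of a
Chrome-style History database. The schema mirrors a subset of Chrome's
`urls` table; the rows below are constructed for the example."""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Chrome records times as microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Search engines and the query parameter that carries the search terms.
# This is an assumed, deliberately short list for the example.
SEARCH_PARAMS: Dict[str, str] = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
    "duckduckgo.com": "q",
}


def webkit_to_datetime(microseconds: int) -> datetime:
    """Convert a WebKit-epoch timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory History database (Chrome `urls` columns, subset)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit_time INTEGER)"
    )
    rows = [
        ("https://www.google.com/search?q=sqlite+forensics&hl=en",
         "sqlite forensics - Google Search", 2, 13314800000000000),
        ("https://example.org/about", "About", 1, 13314800100000000),
        ("https://www.bing.com/search?q=browser%20cache%20parser",
         "browser cache parser - Bing", 1, 13314800200000000),
        ("https://duckduckgo.com/?q=evidence+triage&t=h_",
         "evidence triage at DuckDuckGo", 1, 13314800300000000),
        ("https://www.google.com/maps", "Google Maps", 3, 13314800400000000),
        ("https://forum.example.net/thread/42", "Thread 42", 5, 13314800500000000),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) "
        "VALUES (?, ?, ?, ?)",
        rows,
    )
    return conn


def visited_hosts(conn: sqlite3.Connection) -> List[str]:
    """Every distinct host in the history, sorted alphabetically."""
    hosts = set()
    for (url,) in conn.execute("SELECT url FROM urls"):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


def search_queries(conn: sqlite3.Connection) -> List[Dict[str, str]]:
    """Search terms recovered from URLs of known search engines.

    Requiring both a known host and that engine's query parameter avoids
    flagging every page on google.com (e.g. /maps) as a search; a keyword
    match on the word "google" alone would do exactly that.
    """
    results = []
    query = "SELECT url, last_visit_time FROM urls ORDER BY last_visit_time"
    for url, last_visit in conn.execute(query):
        parts = urlparse(url)
        param = SEARCH_PARAMS.get(parts.hostname or "")
        if param is None:
            continue
        terms = parse_qs(parts.query).get(param)
        if not terms:
            continue  # search-engine host, but no search terms in the URL
        results.append({
            "host": parts.hostname,
            "query": terms[0],
            "visited": webkit_to_datetime(last_visit).isoformat(),
        })
    return results


if __name__ == "__main__":
    db = build_sample_history()
    print("Hosts:", visited_hosts(db))
    for hit in search_queries(db):
        print(hit["visited"], hit["host"], repr(hit["query"]))
```

On a real case you would open a copy of the `History` file from the evidence (`sqlite3.connect("file:History?mode=ro", uri=True)` against a working copy, never the original) instead of calling `build_sample_history()`; the extraction and classification logic is unchanged.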

Arguably my favorite feature is the “Evidentiary Value Score” (EVS) categorization system. EVS allows you to add color-coded markers to files and artifacts as you are examining, filtering, and combing through your evidence. Among other things, this helps you prioritize items for later, deeper examination, and makes reporting items by relative severity or concern much easier.

This latest version of IXTK will make my job a lot easier and faster. More importantly, instead of lugging around a toolbox with ten tools, all of which do pieces of the same thing, I can accomplish everything those other tools do (and more) without having to leave IXTK.

A beta version of IXTK is expected to be available in late September 2013.

Neither the author nor Kyrus has received any compensation for this review.