NetX Triage Getting Started Guide · examiner with both the license and the software on a single...

NetX Getting Started Guide of 36

SiQuest Corporation

27 - 1300 King Street East

Suite 134

Oshawa, ON L1H 8J4

Canada

Support: (905) 686-6801

Sales: (905) 686-6801

e-mail: [email protected]

web: www.siquest.com

NetX and NetX Triage® (Revision 2012.10.14)

Copyright © 2012, SiQuest Corporation.

Internet Examiner is a registered trademark of SiQuest Corporation.

All rights reserved.

No part of this publication may be copied without the express written permission of SiQuest Corporation,

1300 King Street East, Unit 27, Suite 134, Ontario, Canada L1H 8J4

NetX

Getting Started Guide


TABLE OF CONTENTS

TABLE OF CONTENTS .......................................................................................................................................... 2

OVERVIEW .............................................................................................................................................................. 4

INSTALLING THE PROGRAM ............................................................................................................................. 7

COMMAND LINE SWITCHES .............................................................................................................................. 8

Introduction ................................................................................................................................................................... 8

Switches and Menu Options .......................................................................................................................................... 9

GREP EXPRESSIONS ...........................................................................................................................................15

Using Escape Characters .............................................................................................................................................. 16

Email Address Keyword Example ................................................................................................................................. 17

Facebook ID Example ................................................................................................................................................... 19

BUILT-IN RECOVERY OPTIONS ......................................................................................................................21

Recovering Internet History ......................................................................................................................................... 21

Recovering JPEGS ......................................................................................................................................................... 23

Recovering Only JPEGs of a Certain Size Range ......................................................................................................... 23

Recovering Photographic Quality (High Res) Images ................................................................................................. 23

Customizing the Read Buffer ..................................................................................................................................... 24

ADVANCED OPTIONS .........................................................................................................................................25

Changing the Background and Foreground Color ......................................................................................................... 25


Compiling Keyword Hits Into A Single MATCHES.TXT File............................................................................................. 26

Using NULL, Double NULL & High Ascii Trim Options ................................................................................................... 27

Extracting Email Messages ........................................................................................................................................... 28

TIPS FOR ENCASE USERS ..................................................................................................................................34

FAQ ..........................................................................................................................................................................35


OVERVIEW

NetX® is a console application that is designed to run within a Windows Command Prompt window. It

uses a series of command line switches to define the criteria used to search computer hard drives for

internet evidence (or any other evidence).

One of the major advantages of using this type of interface is that the program has few dependencies

and it runs faster than traditional graphical user interface applications. NetX requires only the .NET

Framework Version 2 to be installed on the target machine. Since almost all distributions of Microsoft

Windows have this version of the .NET Framework pre-installed, NetX is therefore considered portable.

NetX Triage is licensed by a special 1GB flash memory USB Security Key (dongle). This provides an

examiner with both the license and the software on a single USB device. Additional flash drive

capacities are available.

With NetX, you can recover just about anything you can define as a discoverable piece of information.

By default, NetX can recover internet history records from Unallocated Space for Internet Explorer with

support for other browsers in development. It can also recover JPEGs natively and provides an option

to define the size of the files to be recovered.

NetX was designed to be a swiss army knife for carving data out of hard drives both at the logical level

and the physical disk sector level. The latter feature provides the ability to search MAC formatted

drives, sector by sector. This should also make it possible to search Unix-based formatted drives.

The following is a screenshot of the main menu for NetX as viewed within the Command Prompt shell

window.


INSTALLING THE PROGRAM

NetX, by default, will attempt to install to C:\Program Files (x86) directory, under “SiQuest” in a sub-

folder called “NetX”. It is recommended that you copy the NetX folder in its entirety to the root of

your C: drive to make it easier to access. Having the folder close to the root makes it easier to use in a

lab environment since there are almost no sub-folder to recurse manually within a Command Prompt

window. This also makes it easier to deploy in the field using a simply XCOPY approach where the

entire folder is simply copied to a flash drive.

The only dependencies required for NetX to run on a Windows system is the presence of the .NET

Framework 2.0. NetX should check your system for the presence of this library and if it is found to be

missing, then NetX will download and install it from the Microsoft website.


COMMAND LINE SWITCHES

Introduction

To run NetX, you first need to understand that it is possible search a VOLUME (a partition), a DISK

(a physical disk) and a DIRECTORY (or folder, including sub-folders). It is NOT possible to combine

these search options.

The simplest use of NetX is as follows. Note that it does not matter if you type in the comman in

uppercase or lowercase or both. However, “lowercase” is recommended.

netx /v:c /t:uph /h

The above example searches the C: drive’s Unallocated Clusters, Pagefile.sys and Hiberfil.sys for

internet history. By default, NetX will only COUNT the hits but not carve them out. To carve the

results to a folder on your computer, you would use the following:

netx /v:c /t:uph /h /p:s:\results

In the above example, the /P (path) switch defines the output folder. In this case, the output

folder is “S:\Results”. If the folder does not exist, an error will be reported.

TIP: Use the F3 key to recall the last command line typed.


Switches and Menu Options

PRIMARY SEARCH OPTIONS:

/V = Search one or more logical volumes

EXAMPLE: /V:DE

- Searches volumes D: and E:

/T = (optional) Target objects to search (ALLOCATED

CLUSTERS=all files, HIBERFIL.SYS, PAGEFILE.SYS,

UNALLOCATED CLUSTERS). Can only be used with the

/V (volume) search option.

EXAMPLE: /T:AHPU

- Searches all four target locations sector by

sector

NOTE: To search files on a given volume, use the

/F switch

/D = Search one or more PHYSICAL disks sector by

sector

EXAMPLE: /D:1

- Searches the 2nd physical disk (zero-based)

- Use the DISKS menu option to identify all disks

NOTE: Use /T:A option to search the entire FILE

SYSTEM, including file slack space.

/B = (optional) BUFFER SIZE in sectors. Default is

19,532 sectors which = ~10MB. Use this option to

tweak performance. Lower = slower but provides

more statistical updates and reduces wait periods


for complex GREP expressions to be evaluated

during each read.

USAGE: /RS:9766

- if bytes-per-sector = 512, then buffer size is =

~5MB.

FILE SYSTEM:

/F = (optional) Searches FILE(s) in the specified FILE

or DIRECTORY for keywords

USAGE: /F:C:\USERS

- Searches the C:\USERS directory

/R = (optional) Instructs NETX to recurse subfolders

SPECIFIC ARTIFACTS:

/H = (optional) Searches for internet history -

Internet Explorer by default

USAGE: /IH:E

- E = Internet Explorer (other browsers coming

soon)

/J = (optional) Search for JPEGs using known file

signature. Option to specify file size range in

KB. Default usage: /J

USAGE: /J:10-500


- Searches for JPEGs 10KB to 500KB in size only

USAGE: /J:400-3000%15-40

- Searches for JPEGs that have a WIDTH between 400

and 3000 pixels AND that has a Photograph Aspect

Ratio Differential value between 15% and 40%.

This option is used to locate photographic quality

and/or high resolution images.

KEYWORD FEATURES:

/K = (optional) Keyword(s) to locate. Matches are

exported to specifed output folder using the /C

switch. Keywords can be any valid GREP

expression. The KEYWORDS.TXT file must exist in

the same folder as NETX. Use /L to specify custom

keyword filename.

NOTE: The optional “P” attribute can be used

instruct NetX to search ONLY the FILE / FOLDER

“PATH” as opposed to searching the file contents

which is the default.

USAGE: /A:U

NOTE: Can be used safely in conjunction with /C:A

/C = Copies the KEYWORD or the file in which the

keyword is found. Data is copied to the folder

specified using the /P (path) switch (see below).

USAGE: /C

- Copies the KEYWORD match to a new file


USAGE: /C:A

- Copies KEYWORD MATCH to a single MATCHES file

(the A is for Append)

USAGE: /C:F

- Copies the FILE in which the keyword is found

USAGE: /C:1024

- Copies the KEYWORD match plus an additional 1024

bytes. NOTE: Max export size is 2,000,000 bytes

(2MB)

USAGE: /C:-200:1024

- Same as above BUT ALSO copies the first 200

bytes that come immediately before the keyword

hit

/L = (optional) Specifies the file name of the LOCAL

keywords file to use in search.

USAGE: /L:keywords.txt

- NOTE: No spaces allowed in file name.

- File must reside in same folder as NETX.EXE

/A = (optional) Appends keyword hits to a single

MATCHES.TXT in the output folder.

NOTE: The optional “U” attribute can be used to

to request that only Unique keyword matches be

appended to the file.

/HI = (optional) Trims keyword match (L&R) on the first


HIGH ASCII character > 127

/N = (optional) Trims keyword match (L&R) on the first

NULL (\x00) character

/NN = (optional) Trims keyword match (L&R) on the first

DOUBLE NULL (\x00 \x00) (Unicode) character

/P = (optional) FULL or RELATIVE path to folder where

search results will be copied

EXAMPLE: /P:C:\Temp

- Results will be copied to this folder. If path

is missing, then current program folder is used.

EXAMPLE: /P:Evidence

- EVIDENCE is a folder in the same directory as

NETX.EXE

/X = (optional) Specifies file extension to use for

exported keywords.

USAGE: /X:html

- All files harvested will have a HTML file

extension

OTHER:

DISKS = Displays list of installed disks and volumes,

included mounted items

FAQ = Displays list of frequently asked questions


GREP = Displays a list of GREP symbols with examples

MENU = Prints this menu to the locally installed printer

GUIDE = Displays the NETX GETTING STARTED GUIDE (PDF)

NOTES = Displays the latest Release Notes (PDF)

/? = Displays this help menu

EXAMPLE = Displays a few examples of how to use the various

switches

ABOUT = Displays general information about this program

EXIT = Closes program


GREP EXPRESSIONS

Using Regular Expressions or GREP Expressions is what really provides the power for NetX Triage.

Although creating syntactically correct expressions may take some practice, once you have a valid

expression, it is then easy to build on it.

In order to use GREP expressions, you must first have a keyword file. By default, NetX will always

look for a file called “keywords.txt” in the same directory where the NETX.EXE resides. It is

possible to specify custom keyword files using the /L switch as follows:

netx /v:c /k /l:email_addresses.txt

Note the use of the /K switch. This switch is required anytime you want NetX to search for

keywords. If you specify a custom keyword file using the /L switch, then the default

“keywords.txt” file will be ignored.


Using Escape Characters

When creating custom GREP expressions, it is very important to distinguish between reserved

GREP “symbols” and regular ascii characters.

For instance, the symbol “.” (a single period) represents an “any character” placeholder. But, if

we want that to be “a single period” and NOT an “any character” placeholder, then we need to

“escape” the character using a backslash “\” character.

Another example where you would need to use an escape character is if you are using the

reserved range “[ ]” brackets. To hard code that character, we again would need to use the

backslash like this:

\[ and \]

Hexadecimal values also have to be escaped so that the compiler recognizes the characters that

follow as a hex character or hex value. For example, a single period “.” can be also represented

as a hex value like this:

\x2E (1-byte ASCII)

\u002E (2-byte Unicode)

NOTE: When using the Unicode version of a character, NetX will match on either the 1-byte ASCII

version, as well as the 2-byte Unicode version. For this reason, it is recommended that you use

the Unicode version of any hex characters – unless you know for sure that a 1-byte option is the

only likely format to be found.


Email Address Keyword Example

For our first example, let’s consider the challenges of searching for email addresses. Since an

email address can take on several forms, writing a single GREP expression to capture each one

can be challenging – but the good news is that it can be done.

Here are some common forms for email addresses although our examples use some fictitious

domains for illustration purposes:

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

[email protected]

Now, to write a GREP expression for the first address is pretty easy. Notice the escaped period:

[a-z]+@hotmail\.com

A more generic approach would look like this:

[a-z]+@[a-z]+\.com

In the above example, you will notice the “+” symbol which means “1 or more”. The range [a-z]

is case sensitive. To capture uppercase letters, we should use “[a-zA-Z]”.

An finally, here is a ‘catch-all’ GREP that should work in most cases:

[a-zA-Z]+[a-zA-Z0-9\_\-\.]+@[a-zA-Z0-9]+[a-zA-Z0-9\_\-\.]+\.[a-z][a-z][a-z]?

Let’s break this down…



The red portion searches for an address that starts with a letter.


Which can then be followed by any letter, number, underscore, hyphen or period.


Then we need to find the @ symbol. Escaping this type of character is optional.


Next, the domain portion of the address must start with a letter or number.


Which can then be followed by any letter, number, underscore, hyphen or period. This

will also capture nested sub-domain elements.


We are then looking for an actual period (“.”).


Followed by 2 letters.


And finally, an optional third letter.


Facebook ID Example

In some cases, it is helpful to know if someone has accessed another person’s Facebook profile.

Since it will be less likely to find actual web pages to prove this, one sure way is to locate a

reference to the file path (URL) of the person’s profile picture.

The common profile picture URL format looks like this:

http://profile.ak.fbcdn.net/hprofile-ak-

snc4/hs223.ash2/48927_100001776758716_6880799_n.jpg

The portion of this URL that is of importance is the section in RED below:

http://profile.ak.fbcdn.net/hprofile-ak-

snc4/hs223.ash2/48927_100001776758716_6880799_n.jpg

The first number portion (48927) is a random number.

The middle number (100001776758716) is the user’s unique Facebook profile ID.

The last number portion (6880799) is another random number.

To search for this type of evidence, we would use a GREP expression that looks for the number

portion of the URL only like this:

\/[0-9]+\_100001776758716\_[0-9]+\_n\.jpg

Notice that we had to escape (“ \ “) the first forward slash, the underscores, and the period (“.”).

CARVING TIP:

To carve out all references to the above, we can use a proximity search option and extract the

data in .HTML file formats. To do this, we need to do the following:


1. Create a custom keyword file using the above GREP and call the file “facebook.txt”.

2. Next, we need to search the target drive by specifying the /K switch (for keyword searches)

and the /C switch (which tells NetX to COPY the result).

3. To capture the data surrounding the keyword hit, we can pick an arbitrary number like “500”

bytes BEFORE and perhaps “1000” bytes AFTER the hit.

4. We also need to specify the keyword file to use and the output folder.

5. To “clean” the data, we can STOP our search backwards or forwards from the hit (within the

500 or 1000 bytes respectively) whenever we encounter a NULL (zero) value or a HIGH ASCII

character (greater than 127). This is done using the /N and /HI switches.

6. Lastly, any carved hits should be given the .HTML file extension since most hits will likely be

web-based and therefore viewable within a browser.

Here’s how this might look if we are search the entire physical disk identified as drive zero (using

the NetX “disks” menu option):

netx /d:0 /k /c:-500+1000 /n /hi /l:facebook.txt /p:s:\output /x:html


BUILT-IN RECOVERY OPTIONS

Recovering Internet History

NetX can quickly and easily recover lost or deleted internet history records for Internet Explorer.

This includes IE cache found in Temporary Internet Files and IE history found in daily and weekly

index.dat files.

NetX provides this functionality using the /H switch and by default, will search for Internet

Explorer history records only. The option to specify which browser type to search for can added

by using the first letter of the browser. In this case, /H:I (uppercase i) would search for history

records for Internet Explorer. Again, this browser type is the default therefore the type option is

not necessary.

Support for other browsers may be implemented in a future update.

The following is a sample use of the /H switch:

netx /v:c /t:u /h

In the above example, NetX will search the C: volume’s unallocated space. Without any other

switches, the results will only be reported in the Console window (on screen). To copy the results

out to disk, we would use the following, as another example:

netx /v:c /t:u /h /c /p:c:\temp

In the above example, NetX uses the /C (copy) switch to tell the compiler to harvest any results

to the path (/P switch) defined as C:\temp.


NOTE: NetX will carve out each URL record into a separate, custom binary file using the file

extension: IXDAT. This file format is recognized by SiQuest’s Internet Examiner Version 3.8.11

software to facilitate further analysis and reporting of the results. In addition, NetX will create a

master index file comprising all of the discovered history records. This is a tab separated values

file which can be then easily viewed by third party tools such as Microsoft Excel.


Recovering JPEGS

NetX has a built-in command line switch designed to optimize and expedite the recovery of JPEGs

from existing files, or hidden disk space (e.g., Unallocated Space).

The /J switch can be used all by itself which tells NetX to recover any size of JPEG.

Recovering Only JPEGs of a Certain Size Range

If you would like to recover JPEGs of a certain size range (in KB), then you can define this

condition using the range attribute like this:

netx /j:10-100

Remember, the range values represent sizes in KB (kilobytes).

Recovering Photographic Quality (High Res) Images

NetX has the ability to located JPEG images that have a specific “aspect ratio”. SiQuest has

developed an algorithm that measures the difference between the height and width of an image,

but as a percentage value. NetX refers to this unique value as the Photograph Aspect Ratio

Differential which is calculated as follows:

PARD = 100 percent - ( (shortestSizeInPixels x 100) / longestSizeInPixels)

SiQuest developed this approach to categorize images in 2004. Based on their studies, the

optimal P.A.R.D. range is 15% to %40.


NetX adopts this algorithm as an attribute to the /J switch and implements it as follows:

/j:400-3000%15-40

The above example filters images that have a WIDTH that is between 400 pixels and 3000 pixels --

AND -- that has a calculated PARD value that is between 15% and 40%.

NOTE: The “%” symbol is used to indicate to NetX that the range (e.g., 400-3000) is to treated as

WIDTH in PIXELS --- as opposed to a FILE SIZE range in KB.

Customizing the Read Buffer

IMPORTANT:

If the upper value of your size range is greater than 500 (e.g., 500KB), then you should consider

increasing the Read Buffer size using the /B (buffer) switch option. By increasing the size of the

buffer for each disk read, you increase the likelihood of NetX being able to located JPEGs that are

greater than 500KB.

The /B (buffer) switch takes 1 attribute which the size of the buffer in sectors. Most disk sectors

are 512 bytes in size. The default buffer size is 10MB. So if you plan on searching for large JPEGs,

you should consider a buffer size that is approx. 50MB. Here’s how you would define this option:

netx /j:500-2000 /b:97656

Here, the value 97,656 is the number of 512 byte sectors that are contained in 50MB (or

50,000,000 bytes). The JPEG range attribute is looking for JPEGs that are between 500KB and

2MB.


ADVANCED OPTIONS

Changing the Background and Foreground Color

NetX makes it possible to customize the appearance of the Console window’s background color

and font color (foreground color). By default, NetX uses a black background and white font.

This feature might be useful when compiling a batch file with multiple NetX command lines, each

command line serving a different search function. In this case, it might be visually intuitive to

have each search window configured to use a different color scheme.

To change the background color, we use the /BGD switch.

To change the foreground color, we use the /FGD switch.

The colors supported by NetX are: White, Red, Green, Yellow, Blue, Gray and Black. The use of

both switches in the same command line is strictly optional. Whichever switch is omitted, NetX

will simply use the default instead.

EXAMPLES:

netx /bgd:red /fgd:white

netx /bgd:gray

netx /bgd:blue /fgd:yellow


Compiling Keyword Hits Into A Single MATCHES.TXT File

Sometimes, our keywords are GREP expressions intended only to capture a specific sequence of

characters (e.g., credit card numbers, email addresses, Facebook IDs).

Rather than copying / carving out each result (or hit) to a separate disk file, it can sometimes be

more efficient and meaningful to have the results compiled into a single list.

For this reason, NetX provides the /A switch for “Appending” results to a single results file –

which will always be called “matches.csv”.

The following example illustrates the power and simplicity of this feature. Let’s assume we have

a “keywords.txt” file (default filename) that contains one or more GREP keywords that are meant

to match on email addresses. To search the Unallocated Space of the C: drive and get the results

into a single MATCHES.TXT file using the /A switch, we would type in the following sample

commandline:

netx /v:c /t:u /k /a /p:s:\output

NOTE: The contents of the MATCHES.TXT file comprise of tab delimited columns for each found

record. This enables the file’s contents to be easily imported into other programs such as

Microsoft Excel. Each record in the file contains (a) the physical sector number for the hit, and

(b) the actual keyword match value.


Using NULL, Double NULL & High Ascii Trim Options

One of the most powerful features of NetX is the ability to eliminate garbage or irrelevant

information when carving data.

A proximity search is a search that locates a keyword (or GREP expression) and then captures

data that is adjacent or surrounding the found artifact. The inherent problem is trying to

determine when or where to limit the capture.

Let’s discuss email messages found in Unallocated Space. Quite often, email messages may be

partially overwritten, however the main substance of the messages are intact. Finding a

particular message is rather easy. But carving it is a bit tricky. Some tools that implement a

proximity search will carve the found keyword, but will also copy out an arbitrary number of

bytes found before and/or after the keyword. Unfortunately, the arbitrary nature of this

approach is flawed because it either captures too little or too much. In cases where too much

data is capture, it usually includes garbage data which can sometimes produce dozens or more of

paged results for disclosure.

NetX solves this problem by implementing special trim character options which can be used when

searching for keywords. Before we discuss these characters, it is first important to know that the

trim options are used exclusively with the /K (keyword) and /C (copy) switches.

There are 3 trim characters:

1. NULL, which is represented as 0x00 in hex.

2. Double NULL (or NULL Unicode), which is represented as 0x00 0x00 in hex.

3. High Ascii character, which is any ASCII character higher than 127 in the ASCII Table.

The next section Extracting Email Messages specifically and effectively implements the NULL and

High Ascii trim character options.


Extracting Email Messages

At some point or another, you have undoubtedly run into the daunting task of having to (a)

search for, (b) identify, and then (c) recover e-mail messages from a computer’s hard drive.

While the common Outlook .PST file itself is commonplace and easy enough to explore, the real

difficulty lies in having to recover emails from Unallocated Space, Pagefile.sys and Hiberfil.sys

locations, to name a few.

NetX approaches this challenge by looking at the message “boundary” byte values to allow for a

much cleaner and more accurate means of identifying an collecting messages. How is this done?

Quite simply: messages are typically formatted in a plan ASCII text format which utilizes only the

bytes 10, 13 and 32 through to 127 on the internationally recognized ASCII Table.

To be more specific, bytes 10 (0x0D) is a “newline” or “linefeed” character. Byte 13 (0x0A) is a

“carriage return”. Byte 32 is a [SPACE] and the rest are numbers and other characters.

NetX takes the approach of searching for “markers” or “special keywords” that will likely

landmark on a valid email message (assuming that the keyword is related to an email message).

Next, using special “proximity” attributes of the /C (copy) switch, we can scan BEFORE and AFTER

the keyword hit by X number of characters. But the “cleaning” part comes in when NetX “trims”

the block of data by the FIRST encountered NULL and/or HIGH ASCII character, in either direction

from the found hit.

The following command line will carve email messages cleanly from the sample C: drive’s

Unallocated Space, Pagefile.sys and Hiberfil.sys locations. It assumes that the user-defined

“emails.txt” keyword file contains the keyword “Return-Path”. It specifies that any found

messages are to be copied out to the C:\Temp directory and given a .TXT file extension.

netx /v:c /t:uph /k /c:-8192+20480 /x:txt /p:c:\temp /n /hi


NOTE: This unique approach will also capture BASE 64 attachments in their entirety, if present

and if not overwritten.

The following diagrams illustrate a sample Outlook email message found in Unallocated Space.

You will notice that the first image shows the initial keyword hit. The 2nd

and 3rd

images

demonstrate the “boundary” characters used to “clean” the carved result.

Image 1.0 – Keyword match on “Return-Path”


Image 1.2 – Boundary character is the first encountered NULL (0x00) – BEFORE keyword hit


Image 1.3 – Boundary character is the first encountered NULL (0x00) – AFTER keyword hit


The following image is a screenshot of Windows Explorer listing the results in the output folder.

You will notice that each artifact is assigned an ordinal (index) number, followed by the Physical

Sector number where the hit was found. This is extremely helpful for locating the original hit in

the source evidence (e.g., hard drive image file).

Image 1.4 – The outputted results


Image 1.5 – Contents of one of the sample recovered messages

Note how clean the message appears. There is no garbage data to get in the way of examining

the results.


TIPS FOR ENCASE USERS

One of the best ways to examine data that has been collected with NetX is by creating a Logical

Evidence File using EnCase. Guidance Software’s EnCase software provides a nice way to encapsulate

specific groups of files for standalone analysis by creating a single logical image of the NetX results

folder.

A particularly useful way to disclose email recovered with NetX (see section on Outlook email) is to

create a single report of all the contents of each file recovered. This makes it easy to identify using

NetX’s descriptive filename. It also makes it easy to report the results in Word format making it easy

for evidence reviewers to search the results.

Since NetX’s email recovery sample can recover Base 64 attachments, EnCase could then easily decode

these files for even further analysis.


FAQ

Q. What’s the difference between NetX and NetX Triage?

NetX is the software. NetX Triage is the software which is accompanied by a USB 1GB Flash Memory

Security Key. NetX is offered to existing licensed users of SiQuest’s Internet Examiner software at no

additional cost. New users that purchase NetX Triage by itself will receive both the software and the

USB 1GB Flash Memory Security Key.

Q. I am an existing SiQuest customer and NetX user. Can I upgrade to the Triage edition by getting

the USB 1GB Flash Memory Security Key?

Yes. For a small fee, the flash key can be sent to existing customers. Please note that in doing so, the

new key will function only with NetX and no other SiQuest product. A plan is currently in development

to eventually allow SiQuest customers to “move” their licenses from non-flash memory keys to the new

flash memory keys.

Q. Can NetX search MAC hard drives?

Yes. NetX can search MAC file system formatted hard drives at the physical level only. This is done by

searching the entire drive’s contents sector by sector.

Q. Can NetX search Unix-like system drives?

Theoretically yes. However, like the MAC, NetX would only be able to search the drive at the physical

sector level.

Q. Is it possible to run several commands at the same time? What is the best way to do so?

Yes. The easiest way is to create a single BATCH file. Simply create a new plain text file, and create a

specific NetX command line for each type of search you want to perform concurrently. Make sure that


“each line” in the text file contains ONLY 1 valid NetX command line. This should technically spawn off

multiple instances of NetX with each search being reported in a separate Console window.

Q. I installed NetX but when I run it, the program simply does nothing. What’s wrong?

For some reason, your system is missing a dependency file of some sort. This may occur if you have

other software installed on your system that happens to make use of the same dependency files. The

NetX Setup Program may, in rare situations, may skip the installation of these files which may be

outdated. In most cases, this problem will revolve around the Visual C++ 2010 SP1 Redistribute (x86)

library which many vendor products make use of. If this happens, simply download this update from

Microsoft’s website which will ensure that your system is brought up to date.

Q. When I run a search for my custom keywords, NetX runs but then seems to get stuck or freezes?

Check your GREP expressions very carefully. Try validating your expressions by creating some sample

data using Notepad and put them in a separate folder. Run NetX on that short sample data using the /F

switch option for speed while testing. If your test fails to finish OR NetX hangs OR the search

completes but instantly -- then chances are your GREP expressions are poorly designed. This is often

caused by the use of too many wildcards and/or an ambiguous search term.

TIP: If NetX complains when using certain characters in your GREP (e.g., an underscore), try using an

ESCAPE character (e.g., \_ ) or for better accuracy, use the HEX variation instead (e.g., \x95 or \u0095

for Unicode).

NetX Triage Getting Started Guide · examiner with both the license and the software on a single...

Documents

Transcript of NetX Triage Getting Started Guide · examiner with both the license and the software on a single...