Forensics Investigations

National Cyber Security Investigations (NCSI) can find and analyzes more than 800 types of forensically important artifacts in any imaginable data sources: physical and logical drives, disk images, cloud, mobile device backups, virtual machines, memory dumps, and many others.

Mobile and Computer device examination.Supporting all major desktop and mobile operating systems. It can parse real and logical drives and drive images, virtual machines, mobile device backups, UFED and OFB images, JTAG and chip-off dumps.
Smart and Comprehensive Analysis. NCSI looks everywhere on the device completely automatically and can successfully identify over 800 types of digital artifacts. Convenient Evidence Search feature helps to narrow down the findings using filters, pre-defined search, or other options.
Powerful Carving. Data carving allows to locate evidence that was deleted, destroyed, or never stored on the hard drive at all (page file, hibernation file, RAM contents). Besides, advanced carving mode called NCSICarving is available, making it possible to reconstruct fragmented chunks into contiguous pieces of information that would otherwise not be accessible at all.
Native SQLite Parsing. Recovers corrupted and incomplete SQLite databases, restores deleted records and cleared history files. Processes freelists, write-ahead logs and journal files, and SQLite unallocated space.
Live RAM Analysis. NCSI Evidence Center can extract potentially crucial information from volatile memory, such as: in-private browsing and cleared browser histories, online chats and social networks, cloud service usage history, and much more.
Handy Built-in Tools. PList, Registry, and SQLite viewers allow you to work more thoroughly with particular types of data and find even more evidence than automatic search was able to discover.
Low-level Investigations. Our technology is equipped with File System Explorer, Hex Viewer, and Type Converter, will allow us to perform deep examination of the contents of files and folders on the device.

The following types of data sources are supported:

Computer

Operating systems: Windows (all versions, including Windows 10), macOS, Unix-based systems (Linux, FreeBSD, etc.)
Storage devices: hard drives and removable media
Disk images: EnCase, L01/Lx01, FTK, DD, SMART, X-Ways, Atola, DMG
Virtual machines: VMWare, Virtual PC, VirtualBox, XenServer
Memory: RAM dumps, Hibernation files, Page files
File systems: FAT, exFAT, NTFS, APFS, HFS, HFS+, ext2, ext3, ext4, YAFFS, YAFFS2

Mobile

Operating systems: iOS (iPhone/iPad), Android, Windows Phone 8/8.1, Blackberry
Data sources: Mobile backups, UFED and OFB images, chip-off dumps, JTAG dumps

Cloud

Google Clouds: Google Drive, Google Plus, GMail, Google Timeline
EMail: Yahoo, Hotmail, Opera, Yandex, Mac.com and 25 more webmail clouds
Instagram
WhatsApp Google

The following types of artifacts can be extracted and analyzed:

Pictures and Videos

Supported picture formats:3FR, ARW, BAY, BMP, BMQ, CAP, CINE, CR2, CRW, CS1, CUT, DC2, DCR, DDS, DIB, DNG, DRF, DSC, EMF, ERF, EXIF, EXR, FAX, FFF, G3, GIF, HDR, HEIC, IA, ICO, IFF, IIQ, J2C, J2K, JFIF, JNG, JP2, JPE, JPEG, JPG, K25, KC2, KDC, KOA, LBM, MDC, MEF, MNG, MOS, MRV, NEF, NRW, ORF, PBM, PCD, PCT, PCX, PEF, PFM, PGM, PIC, PICT, PNG, PNM, PPM, PSD, PTX, PXN, QTK, RAF, RAS, RAW, RDC, RLE, RPBM, RPGM, RPPM, RW2, RWZ, SGI, SR2, SRF, STI, TGA, TIF, TIFF, WBM, WBMP, WMF, XBM, XPM.
Picture analysis allows detection of texts, faces, and skin tone. Detection of photo manipulation (forgery) is available with Forgery Detection plugin (extra module)
The following formats can be carved: GIF, JPEG/JPG, PNG, BMP, WMF
Supported video formats: 3GP, 3G2, ASF, AVI, DIVX, DRC, F4A, F4B, F4P, F4V, FLV, IFO, M2V, M4P, M4V, MK3D, MKA, MKS, MP2, MP4, MKV, MOV, MPE, MPEG, MPG, MPV, NSV, OGG, OGV, QT, RM, RMV8, SVI, TS, VOB, WEBM, WMV
Key frame analysis available for 3GP, 3G2, AVI, MP4, MPEG, MPG, WMV, MOV videos

Email Clients

Outlook 2013, 2010, 2007 and older, Outlook Express
Apple Mail
Android Mail
Blackberry Mail
Mail 163
Gmail, Hotmail, Yahoo Mail
Windows Live Mail
Mozilla Thunderbird
The Bat
Mail.ru, Yandex Mail
MIME, EML, MBOX, MSG Emails

Browsers

Adobe Flash
Baidu Browser
Chrome
Edge
Firefox
Internet Explorer
Maxthon 5
Opera
Qihoo 360
QQ Browser
Safari
Sogou Explorer

Mobile Applications

Android:Standard Apps
- Calendar
- Calls
- Contacts
- Installed Applications
- SMS
Browsers
- Baidu
- Chrome
- Default Browser App
- Dolphin
- Downloads
- Firefox
- Maxthon
- Mercury
- Opera
Messengers
- AIM
- Badoo
- BBM
- Brosix
- ChatON
- CommFort
- eBuddy XMS
- Facebook Messenger
- FireChat
- Fring
- Google+
- Grindr
- Growlr
- Hangouts
- HeyTell
- ICQ
- Im+
- IMO
- Instagram Direct
- KakaoTalk
- KateMobile
- Kik
- Line
- Mail.ru Agent
- MeetMe
- Meow Chat
- NextPlus
- Odnoklassniki/OK
- ooVoo
- Paltalk
- Signal
- Skype
- Slack
- Snapchat
- Tango
- Telegram
- Text Plus
- Textie
- TextMe
- Touch
- Tumblr
- Twitter
- Viber
- Vipole
- Vkontakte/VK
- Voxer
- Wamba
- WeChat
- WhatsApp
- Xabber
- Yahoo Messenger
- YouMagic
Other Apps
- Any.do
- Evernote
- Foursquare
- Gettaxi
- Instagram
- LinkedIn
- Pinterest
- Pokemon GO
- Richnote
- Sina Weibo
- Swarm
- Tinder
- Uber
- Whisper
- YandexTaxi
- Zalo
- Zello
Payment Systems
- Android Bitcoin Wallet
- Bitcoin Armory Wallet
- Bitcoin Core Wallet
- Jaxx
- Qiwi Wallet
iOS:Standard Apps
- Calendar
- Calls
- Contacts
- Installed applications
- Notes
- SMS
- Voice mail
Browsers
- Chrome
- Dolphin
- Firefox
- Maxthon
- Mercury
- Opera
- Safari
Messengers
- Brosix
- ChatOn
- eBuddy XMS
- Facebook Messenger
- FireChat
- Fring
- Grindr
- Growlr
- HeyTell
- ICQ
- Im+
- IMO
- KakaoTalk
- Kik
- Line
- MeetMe
- Meow Chat
- NextPlus
- Odnoklassniki/OK
- ooVoo
- Paltalk
- Recents
- Skype
- Tango
- Text Plus
- Textie
- TextMe
- Touch
- Tumblr
- Twitter
- Viber
- Vipole
- WeChat
- WhatsApp
- Yahoo Messenger
Other Apps
- Any.do
- Evernote
- Gettaxi
- LiveMe
- Pokemon GO
- Richnote
- Snapchat
- Tinder
- Uber
- Whisper
- Zello
Blackberry:Standard Apps
- Calendar
- Calls
- Contacts
- Notes
- SMS
- Voice Mail

Instant Messengers

&RQ
Adium
AIM
AIM Express
aMSN
Badoo
Brosix
BBM
ChatOn
Chatzilla
CommFort
Contacts
Digbsy
eBuddy XMS
eM Client
Emesene
Empathy
Facebook Messenger
Fire
FireChat
Fring
Gadu-Gadu
Gajim
Gigatribe
Google+
Google Hello
Google Talk
Grindr
Growlr
GTalk
Hangouts
Hey Tell
Hotmail
iChat
ICQ
Im+
IMO
InstantBird
Ircle
Jclaim
Jitsi
Kadu
KakaoTalk
KateMobile
Kik
KMess
Kopete
Line
Mail.ru Agent
Meebo
MeetMe
MeowChat
Mercury
MessageMe
Messenger Plus!
Miranda IM
mIRC
MSN/Live Messenger
MySpace IM
Nate ON
NextPlus
Nimbuzz
Odnoklassniki/OK
ooVoo
Paltalk
Pidgin
Psi
Recents
QIP
QIP Infinum
QQ
qutIM
SIM
Skype
Slack
Snak
Snapchat
Tango
Team Viewer
Telegram
Text Plus
Textie
TextMe
Touch
Trillian
Tumblr
Twitter
Viber
Vipole
Virtus
Vkontakte/VK
Voxer
Wamba
WeChat
WhatsApp
Xabber
X-Chat Aqua
Yahoo! Messenger
Ya-Online
YouMagic

Zello

Office Documents

Microsoft Office: Excel (.xls, .xlsx), Word (.doc, .docx), PowerPoint (.ppt, .pptx)
Open Office: Documents (.odt), Spreadsheets (.ods), Presentations (.odp)
macOS: Keynote, Numbers, Pages
PDF
RTF

Peer-toPeer Software

Area Galaxy
eMule
Frostwire
Gigatribe
Shareaza
Torrent

Social Networks, Cloud Services and Online Games

Social Networks: Bebo, Facebook, Facebook Messenger, Google+, Myspace, Odnoklassniki/OK, Orkut, Twitter, VKontakte/VK
Cloud Services: Dropbox, Flickr, Google Drive, SkyDive, OneDrive, Yandex Disk
Multi-user Online Games: Karos, Lineage, World of Warcraft

Windows Registry Files

- Accounts (user name, last login time, last failed login time, last password changed time, user RID, LM-hash, NT-hash)
- Autorun (USBs, CDs, DVDs)
- Common file dialogs
- Computer name
- Event log location
- Internet Explorer
- List of USB devices ever connected to the system
- List of mounted devices
- MS Paint
- Network cards
- Operating system version and installation date
- Prefetch files
- Program startup
- Recently opened and saved documents for MS Office Word, Excel, PowerPoint
- Search Assistant
- Shellbags
- System shutdown time
- Timezone
- Trillian
- UserAssists
- User name and SID
- Windows Explorer
- Windows Media Player
- Wireless profiles

System Files and Configurations

Windows

Jumplists
Link files
Prefetch files
System event logs
Thumbnails
Windows notifications

macOS

Bluetooth
Installed applications
System configurations
Wi-Fi connections

Android, iOS

IP connections
Thumbnails
Wi-Fi connections

Encrypted Files and Volumes

Acrobat 3.0, 4.0, 5.0, 6.0, 7.0, 8.0, 9.0
eBook document
Symantec ACT! 2.0, 3.0, 4.0, 2000
ACT! by Sage 2005, 2006, 2007, Sage 2008, 2009
Apple iTunes PLIST
BestCrypt 6.0, 7.0, 8.0
FileMaker Pro 3.0, 4.0, 5.0, 6.0, 7.0, 8.x, 9.0, 10.0, 11.0
ICQ 2000 – 2003 (.dat), 99a (.dat)
ICQ Lite (.fb)
Lotus 1-2-3 1.1+
Lotus Notes 4.x, 6.x, 7.0, 8.0
Lotus Notes Client
Lotus Organizer 1.0, 2.0, 3.0, 4.0, 5.0, 6.0
Lotus WordPro
macOS Keychain
MS Access 2.0
MS Access 2.0 System Database
MS Access 95, 97, 2000, 2002, 2003, 2007, 2010, 2013
MS Access 97 System Database, 2000 System Database, 2003 System Database, 2007 System Database, 2010 System Database
MS Backup
MS Excel 4.0, 5.0, 95, 97, 2000, 2002, 2003, 2007, 2010, 2013
MS Pocket Excel
MS Mail
Money 99 or earlier, 2000 – 2007
MS OneNote 2003 Section, 2007 Section, 2010 Section
MS Outlook 2000 Personal Storage, 2003 Personal Storage, 2007 Personal Storage, 2010 Personal Storage
MS Outlook 2000 Form Template, 2003 Form Template, 2007 Form Template, 2010 Form Template
MS PowerPoint 2002, 2003, 2007, 2010, 2013
MS Project 95, 98, 2000, 2002, 2003, 2007
MS Schedule Schedule+ 1.0, 7.x
MS SQL 2000, 2005, 2008
MS Word 1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 95, 97, 2000, 2002, 2003, 2007, 2010, 2013
MYOB earlier than 2004, 2004-2009
Norton Backup
Paradox Database
Peachtree 2002 – 2006, 2007
PGP Desktop Zip
PGP Desktop Private Keyring
PGP Desktop Virtual Disk
PGP Desktop Self-Decrypting Archive
Quattro Pro 5 – 6, 7 – 8, 9 – 12, X3, X4
QuickBooks 3.x – 4.x, 5.x, 6.x – 8.x, 99, 2000-2012
Quicken 95/6.0, 98, 99, 2000, 2001, 2002, 2003, 2007-2012
RAR Archives
Remote Desktop Connection Document
Visual Basic for Applications Projects
WordPerfect 5.x, 6.0, 6.1, 7 – 12, X3, X4
Zip Archives
7-Zip Archives