Do I have to be "technical" to use BitFlare?
Who should use BitFlare?
When and how can BitFlare help?
What is an Evidence Discovery Pack (EDP)?
How much does BitFlare cost?
Does it cost money to perform a keyword search?
BitFlare says that I will need to obtain an Evidence Discovery Pack to preserve a drive. Will this cost money?
How long will it take to preserve a drive?
Is there flat rate pricing for Law Enforcement agencies?
BitFlare Capability and Operation FAQ
How do I start using BitFlare?
Do I have to install BitFlare?
What do I need to Preserve a drive or extract relevant data?
Are Evidence Discovery Packs associated with a specific drive? Can I use an EDP for multiple hard drives?
Can BitFlare help me read deleted files?
Can BitFlare help me see what websites a user has accessed?
Can BitFlare help me identify if a PC has been used to download pornography?
An employee is leaving our company and we want to preserve all of the documents on his machine. Should we preserve the entire drive or just extract the documents?
Why are the "Web Fragments" and "File Residue" tabs currently unavailable?
BitFlare Extracted Data and Preserved Drive FAQ
What do I get after running an Evidence Discovery Pack on BitFlare?
Will BitFlare overwrite files on my USB destination drive?
After files have been extracted, what is the best way to review the files?
What can you do once a preserve drive has been completed?
After preserving a hard drive, can I analyze the preserved drive?
How do I handle the data from a Preserved Drive?
How can I validate the data extracted by BitFlare?
BitFlare Technical FAQ
BitFlare Troubleshooting FAQ
What can I do if BitFlare does not work on my computer?
Why isn't BitFlare detecting the USB drive I have connected as a destination drive?
When purchasing an Evidence Discovery Pack I entered the wrong Drive Key for my computer. What do I do now?
Preserve Drive has completed and I have received an error code. The page also says that the digital signatures do not match. What does this mean?
What do I do when I receive an error saying I do not have USB 2.0?
What do I do when I receive an error saying I do not have any USB or any other I/O devices available?
What do I do if I receive a message when I start BitFlare indicating that I do not have enough memory?
What do I do if I receive an error message indicating that the CD or CD drive is defective?
No. BitFlare is designed to enable non-technical users to perform computer investigations and handle many electronic discovery matters.
Litigation attorneys, their support staff, Human Resources managers, IT professionals, private investigators, concerned spouse, and parents are just a few examples of people who can benefit from using BitFlare.
BitFlare can help evaluate computer data that is suspected to contain relevant electronic evidence. If the BitFlare evaluation indicates that potential evidence exists, BitFlare extracts the potential evidence and protects the chain of custody to prevent corruption or destruction of the evidence. BitFlare does all of this without the need for expensive computer forensics experts.
Learn more about the specific ways BitFlare can help attorneys, HR professionals, and IT support staff here.
An Evidence Discovery Pack is a highly customized software application that enables a user to extract data from a specific computer. The BitFlare CD uses EDPs to recover visible, hidden, obscure, and previously deleted data for preservation and further examination. EDPs are unique and include security precautions to help verify that the data came from the PC in question and that the data were not modified once collected. Such precautions help to increase admissibility of the data as evidence in a court of law.
EDPs can be created, purchased, and downloaded from the BitFlare Web site at www.bitflare.com/EDP.
The BitFlare software license allows for a freely distributable CD. This allows BitFlare users to analyze the data on a PC to see if responsive data exist before making an investment.
If a user wishes to preserve the data, he or she must obtain an Evidence Discovery Pack. EDP prices vary based on the amount and type of data targeted for extraction. Prices can range from free for an EDP that simply preserves a drive to approximately $900 for a fairly comprehensive EDP.
A free keyword search can be performed on BitFlare's Examine Storage Device page. This search can provide you with a count of the number of instances your keyword appears on the drive. Depending on the search options you select, the forensic portions of the hard drive may also be included in the free keyword search.
If you wish to retrieve the documents and file fragments in which keyword hits were found, you will need to purchase the appropriately configured keyword Evidence Discovery Pack Item.
BitFlare uses the USB 2.0 interface of the computer to create and transfer a forensic copy of the hard drive to the external drive. Because the process creates a full forensic quality copy of the drive, every portion of the drive is transferred, including "unused" drive space.
Generally, preserving a 60GB drive with a USB 2.0 interface will take between three to four hours. Variations in computer hardware can affect this estimate.
Yes! Depending on your group's needs, flat rate pricing may be available for use by Law Enforcement agencies. Contact SunBlock Systems at (703) 485-4515 for more information.
BitFlare Capability and Operation FAQ
To begin using BitFlare, you must obtain a copy of the CD. This may be done electronically by downloading BitFlare, or by requesting a CD. Once you have the CD, you must ensure that the suspect computer boots from the BitFlare CD. Once BitFlare has loaded, instructions will appear on a series of screens.
No. BitFlare does not require any installation. BitFlare runs by booting your computer off the BitFlare CD. The BitFlare software will automatically load and reside exclusively in the computer memory. This prevents data from the hard drive from being modified, which eliminates any trace of use or spoliation of evidence.
The following is required to save data or to Preserve a drive with BitFlare:
- BitFlare CD
- Suspect computer meeting minimum system requirements
- External USB drives with enough free space (multiple destination drives can be used)
- An accurate time source, such as a cell phone (recommended)
- Access to the make, model, and serial number of the computer if available (this information assists with the chain of custody log)
- An Internet-connected computer capable of accessing the BitFlare Web site.
Evidence Discovery Packs are highly customized to the drive for which they will be used. In addition to the physical drive, EDPs are specific to the state of the data on that drive during analysis.
Each unique EDP can be run only on the drive for which it was configured. In addition, any change in the suspect drive's data will render the EDP unusable for that drive. As long as the suspect drive's data have not been modified, however, the EDP may be run multiple times, if necessary, to re-extract data.
Depending on how recently the files were deleted and how extensively the computer has been used since then, it may be possible to retrieve deleted files or parts or those files. Most computer systems will only mark a file as deleted, rather than actually overwriting the portion of the hard drive containing the data.
As the computer is used after the deletion of files, other files may be written to the portion that was previously allocated to the deleted files. In such cases, it may be possible to retrieve a fragment of the deleted files, but success is not guaranteed.
To recover deleted data, a BitFlare user can employ a combination of the following:
- A Deleted Files Evidence Discovery Pack Item. This is most likely to recover the full contents of a file if it still exists on the hard drive.
- A Keyword Search with the File Residue option enabled. If parts of a file are deleted and the entire file is not recoverable, residue of the file may still exist on the computer. Targeted keyword search terms can be used to locate these file residue fragments.
Can BitFlare help me see what Web sites a user has accessed?
Yes. The IE Web Surfing History Evidence Discovery Pack Item will produce a document detailing sites accessed using Microsoft Internet Explorer.
Yes. The Evidence Discovery Pack Items named IE Web Surfing History, Image and Video Files, and All Deleted Files can assist a BitFlare user in identifying patterns of pornography access and downloads.
This decision will depend on many factors. If the goal is simply to extract user documents and there is no potential for litigation, purchasing the appropriately configured Evidence Discovery Pack will satisfy your needs quickly and easily. Preserving the entire drive requires more time because the data need to be transferred and the preserved drive will need to be sent to SunBlock Systems for processing.
However, if the potential for litigation exists the entire drive should be preserved. By preserving the entire drive, you will not only copy the user files but also forensic data on the hard drive, including deleted files, file residue, and other usage activity. All these data could become very significant at a later date should litigation become an issue.
Because the Preserve Drive EDP Item is free, many users choose to first preserve the entire drive and execute other EDPs to obtain data needed for operational purposes. This strategy ensures that all potential needs are addressed.
These features will be made available in an upcoming release.
BitFlare Extracted Data and Preserved Drive FAQ
The BitFlare wizard will guide you through the process of extracting data or preserving a drive to a USB destination drive.
All data will be saved in a newly created folder on the USB destination drive, named with the convention "BitFlareYYMMDD". Inside this directory you will find
- One or more Directories after by Drive Keys. Each of these directories contains data relevant to a particular hard drive analyzed. This directory contains subdirectories for Preserved Drive images, drive Table of Contents listings, visible files, deleted files, and file residue fragments extracted by EDPs. Files are stored in directories, reflecting their location on the original hard drive. In addition, this directory contains result logs in the form of spreadsheets indexing all files extracted by each EDP for quick and convenient review.
- A "Logs" Directory. This directory contains encrypted logs used by SunBlock Systems for independent validation of BitFlare's usage and data extracted.
If there is any possibility you will require independent review and validation of the data in the future, it is important that the extracted data and the log file directories are kept together and unmodified.
No. When BitFlare encounters a file or folder with the same name, it changes the filename slightly so the original file and the new one can coexist. For example, if BitFlare would like to save the file 'business.doc', and another file of the same name is in the same directory, it would save the second file as 'business_1.doc'. This type of situation tends to occur when a user runs Evidence Discovery Packs on the same source drive more than once and saves the files to the same destination device or runs an EDP that recovers a duplicate item. The EDP results log will indicate the original name of the file.
SunBlock Systems recommends that users make a copy of the BitFlareYYMMDD directory before reviewing any files. In the case of accidental file modification the user will still have a copy of the unaltered files, which will pass independent validation.
After preserving a drive, a user can store the drive image and logs for an indefinite period of time.
If there is any possibility you will require independent review and validation of the data in the future, it is essential that the extracted data and the log file directories are kept together
If you need to recover data from the preserved drive image, you can send the image and log files to SunBlock Systems for analysis. Contact SunBlock Systems support for more information.
You can only use BitFlare to analyze the original hard drive.
The preserved drive data are in an encrypted state, protecting the data's chain of custody in case of future litigation. If you wish to analyze the drive, you may continue using BitFlare on the original hard drive or send the preserved copy to SunBlock Systems for analysis. Contact SunBlock Systems support for more information.
BitFlare stores the data from a Preserved Drive in a directory on the USB destination drive. Depending on the size of the original drive and the format of the destination drive, the data may be contained in multiple files.
Preserved Drive data are encrypted and protected from tampering. As a result, a user is unable to access the data. However, a user is free to move these files and logs to a different storage drive if needed. If possible, it is best to keep all the data in the directory together to avoid losing track of the files. Multiple preserved drives may be kept on a USB destination drive. You are limited only by drive space and organization.
Users have found that proper naming of directories and labeling of the drives make it easier to determine which drive contains a user's data and/or whether it can be permanently deleted.
You may store the destination drive based on your organization's data retention policy. If you have a need to examine the data in the future, you can send the data to SunBlock Systems for analysis. Contact SunBlock Systems support for more information.
As part of the data extraction, BitFlare creates an encrypted validation log. Among the data included in this log is information about the Evidence Discovery Packs executed and digital signatures of all data extracted.
If the validity of any search or resulting data is questioned, SunBlock Systems can access the validation log to provide independent third-party confirmation of the results. Contact SunBlock Systems support for more information regarding validating your extracted data.
BitFlare Technical FAQ
The following system requirements must be met:
- A CD Drive must be connected
- 128 megabytes (MB) of RAM recommended minimum. 96 MB of RAM is the minimum supported
- VGA or higher-resolution monitor
- A mouse and keyboard to access all possible features
- A USB interface for storing any extracted data or saving logs. USB 2.0 is recommended for timely extraction
Because BitFlare is designed to be traceless, it uses its own operating system with settings for thousands of computer hardware devices. BitFlare strives to support as many computers as possible, but machines with unusual hardware devices may prevent BitFlare from operating correctly. BitFlare can be run on most desktop and laptop computers, as well as many servers that meet the minimum system requirements.
If BitFlare does encounter a machine on which it cannot run, it will not modify drive data and will inform the user of the issue. Please refer here for more information on how to handle this situation.
BitFlare can extract data or preserve drives to destinations drives formatted with NTFS, FAT, FAT32, Ext2, or Ext3 file systems.
Each source drive and the data on them are unique pieces of evidence. To identify each source drive and the state of the data on them, BitFlare assigns each drive a Drive Key.
Drive Keys are 12-character numbers, case sensitive, and broken up into three segments by dashes. For example, a Drive Key may look like "45ij-Wr#f-3q76".
BitFlare Troubleshooting FAQ
If BitFlare cannot be run on your computer, you have two options:
- Send your computer to SunBlock Systems for processing. SunBlock Systems' professional services are available to process any machines not compatible with BitFlare using traditional computer forensic and electronic discovery techniques. Please contact SunBlock Systems support for assistance.
- Move the hard drive to a BitFlare compatible computer. A user knowledgeable about computer hardware can remove the hard drive from the original machine and connect it to a different computer that can properly run the BitFlare software. You can simply run BitFlare and analyze the drive from this machine. If this option is chosen, it should be clearly indicated when the results of the analysis are provided.
Please check if the USB drive was connected to the computer during boot up. As a precaution against overwriting a USB drive with evidence, BitFlare does not allow a user to copy data to a USB drive which is connected during start up. If you wish to extract data to the USB drive, please unplug the drive and reboot the computer. You may connect the USB drive when you are prompted for a destination drive.
Hardware failure or an improperly formatted filesystem can also render the device inaccessible by BitFlare. Try using a different destination device or contact SunBlock Systems support for assistance.
When purchasing an EDP, you must provide a valid Drive Key. Drive Keys are verified during the purchase process. Simple typographical errors usually are identified by the program prior to purchase.
If you purchased an EDP based on an incorrect drive key, please contact SunBlock Systems support for assistance.
There are various reasons this could happen; the most likely reason is a hardware error associated with the original hard drive.
Generally, BitFlare will handle hard drive errors in a manner accepted by the computer forensic industry. If the error message indicates that the preserved image is unusable, please note the error code and contact SunBlock Systems support for assistance.
You can still conduct an examination using BitFlare in the absence of a USB 2.0 interface. However, any Evidence Discovery Packs that require transferring data to a USB destination drive will take significantly longer with the slower USB 1.1.
If no USB interface is available, BitFlare is unable to extract data or logs. A user can still conduct a If no USB interface is available, BitFlare is unable to extract data or logs, however a user can still conduct a preliminary investigation on a machine.
If the preliminary investigation determines that a machine has relevant data and you wish to proceed with your investigation, you can send your machine to SunBlock Systems for further processing. Please contact SunBlock Systems support for assistance.
Because BitFlare runs entirely within the memory of a computer, BitFlare's operations may be limited on hard drives containing a large amount of data. If you receive a message indicating that your machine may not have enough memory, you can still proceed with the investigation.
While progressing through the analysis steps, BitFlare may inform the user that it has entered "Low Memory Mode," in which some functions are disabled. While BitFlare will not modify the contents of the suspect drive, it may not be able to fully analyze the drive in this mode of operation. Regardless, a user can conduct keyword searches and execute certain Evidence Discovery Pack Items. EDP Items such as Preserve Drive and File Residue Keyword Search Extraction are fully functional in Low Memory Mode. If you have any concerns, please contact SunBlock Systems support for assistance.
A defective CD or CD Drive will interrupt BitFlare's loading process. In either case BitFlare cannot proceed in its analysis.
If you run into this situation, request or download a new CD. If the problem persists and you wish to proceed with your investigation, you can send your machine to SunBlock Systems for further processing. Please contact SunBlock Systems support for assistance.