Present undecoded messages of apps if UFED or XRY fails

(@yunus)
Posts: 178
Estimable Member
Topic starter
 

Hello All,

Mobile forensic tools (UFED, XRY etc.) fail to keep pace with ever-emerging new apps for messaging and sharing. And now we see that the forensic extractions of a lot of smartphones fail to decode the existing messages in the phone although the messages are there.

As part of quality assurance, we check all smartphones manually before completing the examination to avoid leaving any messages from any apps unextracted, and it is not uncommon to see that existing messages of applications are left unextracted by forensic tools.

So those messages somehow need to be sent to the investigative unit. However, messages may make up hundreds of pages of text in total; consider each app with hundreds of persons in their own separate directory. So the process requires you to tap on each of them one by one, e.g. WhatsApp can have 200 persons in its address list and another app might have 300 persons in its own. So just to show each person's messages you manually need to tap each of those 500 persons and browse the contents of each one of them.

So, we have to find a solution. The options are:
1- to type each of those thousands of messages into a Word file (which might take weeks) with timestamps etc.
2- to read all those messages and write in the report only those that might be related to the case, with timestamps etc.
3- to photograph each of the messages one by one.
4- to video record the phone while browsing each message.

So, currently video recording the phone screen - while browsing each person, each field - seems to be the way to go and we do it, but even that takes hours to record each person and each message without skipping any of them, and it is not practical, and it has been piling up with each new phone with more content to record.

And there comes out another extraction in addition to the existing ones (logical, physical, file system, phone screen record) which we already present, and this new one might take hours to watch and you can't keyword search in it. And the video record might not be of good enough quality to show the texts clearly enough.

Furthermore, if you write to the producing companies like CELLEBRITE and MSAB, they just say they put it in their "wish lists", but you can't know when they will be covered in the next updates, so you can't keep the case for months.

So, finally, is there any other way that you can recommend other than taking pictures/video of the phone screen or waiting for the manufacturing company to release an update that might possibly present a solution?

How would it feel if you wrote in the report something like "there are messages of x, y, z applications in the phone which can be seen on the phone but cannot be decoded by forensic tools, and we may not know whether or not those messages are just regular personal messages or might somehow be related to the case. In order for the case not to be kept for longer, the current extractions are sent to you without those messages. If you feel like looking at those messages too, they should be read one by one and this process does not require any special skills", which might very well be done by investigative staff. So it could be done by the investigator/prosecutor/someone else tasked by the prosecutor. However, investigative units or the prosecutor might not be happy about it.

What is your opinion on that?

 
Posted : 14/06/2016 4:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Nothing more than some "wishful thinking", mind you, and only a side thought, but what I would find of exceptional value (particularly in complex and/or multidisciplinary cases) would be the possibility of creating a Virtual Machine behaving like the phone does.
You could hand it over together with the (partial) report, and then the investigator (who may be better qualified - in the sense of being more able to see the "relevance" of even a trifling bit of data) would be able to interact with the "virtual device" the same way the suspect could, see the actual messages/whatever the exact same way they were viewed on the "real" phone, etc.

jaclaz

 
Posted : 14/06/2016 4:58 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Hello,

This application is NOT a "forensic" application, but it presents some interesting evidence capture possibilities:

http://mobilego.wondershare.com/#mirror

Wondershare's MobileGo allows one to view an Android phone's screen in real time within a window on one's computer desktop. One can also interact with the phone using the mirrored interface on the computer desktop.

It may be more convenient to perform a screen capture, or even create a video of an investigation of an Android device, from one's computer desktop using this Wondershare technology rather than taking pictures of the suspect Android device using another camera.

Has anyone tested this tool?

 
Posted : 14/06/2016 10:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Wondershare

Cannot say specifically, but personally I wouldn't touch it (actually anything coming from them); they have a years-long name as spammers, and usually deliver non-working or just crappy, sub-standard software.
Example:
http://stream-recorder.com/forum/www-wondershare-com-review-wondershare-lowest-quality-t4332.html

jaclaz

 
Posted : 15/06/2016 12:35 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Jaclaz - good to know.

What do you think of the idea of being able to see and interact with a target phone's screen in a window on one's forensic workstation?

 
Posted : 15/06/2016 12:38 am
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Hello All,

Mobile forensic tools (UFED, XRY etc.) fail to keep pace with ever-emerging new apps for messaging and sharing. And now we see that the forensic extractions of a lot of smartphones fail to decode the existing messages in the phone although the messages are there.

Have you tried Oxygen Forensic Detective for mobile app extraction? App support is one of our priorities. We support 1900+ app versions by now, and we regularly release minor updates to parse new app versions. The app databases change with almost every app version. Moreover, we help our customers parse data from a new app ASAP even if it is not supported in the current program version.

 
Posted : 17/06/2016 1:58 pm