Lee Reiber, Global Director of Mobile Forensics, AccessData
I worked in law enforcement for almost 15 years, both as a patrol officer and forensic examiner. I spent the majority of my career as a forensic examiner starting with computer forensics and ultimately moved into only mobile device forensics. I began to do a bit of R/D on mobile devices, developed some software and befriended Karl Sonnenberg. Karl owned Mobile Forensics Inc (MFI) initially and after working as an instructor I became the owner of MFI. MFI was starting to really gain steam late in 2008 especially in the federal space; training examiners from all branches of the government. The training of these types of groups caught the eye of AccessData, who had a stellar computer forensic training group, but lacked training or knowledge of the mobile device realm. So, in 2009 I was approached to merge my training company with AccessData which I initially turned down. A short time later I was again approached and agreed to terms to move the MFI training curriculum into the AccessData fold.
Tell us more about your current role. What are your main responsibilities?
I am the Global Director of Mobile Forensics for AccessData. In this role I oversee the development of AccessData’s Mobile Phone Examiner Plus (MPE+) product and the ADMobile Training group. I continue traveling to venues in a different capacity instilling in users the multi-tool approach; utilizing multiple tools to collect the maximum amount of data from mobile devices.
What makes a good mobile forensics training course?
A good training course is one that is not devoted to one side of the story or ideal. A great course is one that the student can walk away from and immediately use some of the tools, ideas and experience. A brilliant course is one that can put both of them together.
What qualities are important in an instructor and how important is it that they have "real world" investigative experience?
In the mobile device forensic field it is extremely important that the instructor has experience with not only the tools but also explaining the usage of the tool and the process. It is one thing to push a button and another thing to explain what happened when you pushed the button. Unfortunately there are many that just know to push a button.
What is MPE+?
MPE+ or Mobile Phone Examiner Plus is a mobile device forensic tool from AccessData. Prior to joining AccessData they had a product called MPE (minus the plus of course) that lacked extensively in all areas of mobile device collections. Upon joining AccessData I wanted to bring a product to the community that expressed my ideals; allowing examiners to dig into the bits and bytes making a forensic process out of digital device collections. While creating MPE+ I removed all code that once was MPE and built this tool up from the ground. Today, we support over 6800 devices ranging from the legacy GSM/CDMA and iDEN to the iOS, Android, Windows Mobile, BlackBerry and Symbian; not to mention SIM and USIM support. I have really devoted a lot of my efforts on smart devices and we support every application by Android and iOS using our SQLite browser and recover deleted data from all iOS devices including the iPhone 5 and new mini. Understanding that no tool can do all devices and the fact that using multiple tools to recover maximum data is not only important for me but the MPE+ users, they can import file systems from EnCase, XRY, Cellebrite and any other tool. By allowing this feature, the examiner is able to use the MPE+ built-in parsers for Android and iOS devices to recover digital data from these images as well, which is a great advantage. I am very proud of MPE+ and where it is heading.
What trends do you see in mobile forensics and what new challenges do you envisage in the future? How will AccessData evolve to meet these challenges?
Mobile device data is becoming more and more difficult to recover with the advent of encryption and also the size of the data area. Mobile devices are no longer simple computing platforms but a mobile device with a complex computing platform with enormous storage. AccessData has always been a pioneer with handling encryption and is a world leader in data forensics. We are meeting both of these hurdles head on and see a bright future with all the AccessData products.
Is the analysis of mobile devices a viable career in itself? What advice would you give to someone wishing to specialize in this field?
I found out while I was in law enforcement that when you start getting into mobile devices your diary fills up with ONLY mobile device examinations. With over 70% of the world owning some type of mobile device I would say this field is booming. I would just caution those getting into the field, it is an extremely expensive endeavor. Some tools are very expensive and potential examiners must be keen to their usage before getting into them. I would also plead that anyone getting into a career in mobile forensics should receive general training, not tool-specific. Examiners need a well-rounded background from cellular records to interpretation of HEX to become an expert in this field.
What would you most like to see changed or improved in the area of mobile phone forensics?
I would ask those in the mobile forensic field to become expert examiners, dive into what makes the electronically stored information, and stop “pushing buttons”. I always hear complaints about time not being on your side when doing examinations but I always ask, what makes more sense, to spend time doing things right the first time or to spend the time explaining why you didn’t in the first place? I know my answer.
What do you do to relax when you're not working?
I love to spend time with my wife and beautiful daughters, sitting back thinking about what is on their cell phones and how I can extract it...
Lee Reiber is responsible for bringing a proven mobile phone training curriculum to AccessData’s current training offerings, directing the development team for the MPE+ project and the coordination of the mobile forensic training team. Lee also offers consulting services to customers specifically focusing on the extraction, recovery, methodology and security of mobile devices.
Lee is also an active member of IACIS, HTCC and HTCIA and has retired from the Boise Police Department after 15 years of service where his duties included the examination of digital evidence on computers and cellular phones.