Mobile Phone Examiner Plus (MPE+) - Part 2
Posted Tuesday April 07, 2015 (16:34:06)
Reviewed by Si Biles, Thinking Security
One of the things that I love about being in IT is that it is an ever changing field. I find myself coming across new things daily. This even occasionally applies to my own “infrastructure”, such as it is. Once upon a time, in a land far, far away (well, Scotland) I started my IT career as a Linux SysAdmin – bouncing around corporate IT departments and getting into security. I strayed for a long time from this true path. I covered my guilt by generally trying to use a Mac, because at least it had a BSD based operating system, but I have once again seen the light, and have returned to my “root”s (hopefully at least one or two UNIX people got that joke). Actually, the truth of the matter is that my MacBook Pro – the one that the first part of this review was written on – has become horribly unreliable and has had to be replaced. It is being put out to pasture at home, being a 17” model, as a NetFlicks streamer. However, this has left a big gap for me – one that I wasn't sure how to fill...
Do I buy another Apple? Dell? Lenovo? The thought of running Windows 24x7 actually filled me with a horrible cold dread, so unless the Apple route was going to be followed, then another solution had to be found. Also, I have to say that I'm getting too old and unfit to cart around 17” machines so the actual decision came down to either a MacBook Air or something similar – the something similar turned out to be a Lenovo X1 Carbon. Windows 8 never saw it coming, it never got booted, and the machine was quickly and painlessly transitioned to Fedora Core 21.
Those of you of a more observant nature (which, given that this is an audience of forensicators(1)...) will note that MPE+ doesn't run on Linux – nor, with the notable exception of the SleuthKit - does any other popular forensic software. So, having got rid of Windows 8, back on goes Windows 7 running under Linux virtualisation (KVM for those who care) to do all of those things.
This has actually worked out rather well for the review cycle – since I wrote the first part, AccessData has (a) rewritten the installer and (b) put out a free trial version of the software – so, now, for 20 days, you can try this all out for yourself.(2)
This new version (188.8.131.52) of the installer resolves some of the issues that I encountered in the first review, and I have to commend AccessData for taking onboard the feedback of users with regard to this and making the installation process actually theoretically unattended. Sorry I can't give you a speed comparison given the vastly different nature of the machines being used but it clearly lets you know what components require installing and their status: Pending, Installing or Succeeded. There is a moving green bar, but this just seems to cycle Cylon-like without actually indicating the percentage completed – again I was left wondering if it was working or not - as apparent action doesn't necessarily equate to progress...
It also isn't entirely “unattended” as you are required to be present in the “Install Mobile Phone Examiner Drivers” stage - something that I didn't cotton onto immediately - and again for “MPESmartPhone Drivers” - I'm not 100% sure what purpose this actually serves, as I found that in MPE+ the option to “Install Drivers” under the “Driver Management” tab is still present and shows them as un-installed. I think that it did actually install them but that this part of the application hasn't actually caught up with that fact – I was able to perform an extraction before I realised that this was still the case … If it is a full install of the drivers, aside from the lack of clarity surrounding it there isn't the obvious granularity that existed before – on the other hand, with the exception of Apple devices, this means that you are good to go once the install is finished – Apple, for licensing reasons I suspect, is a further install again.
Once you are done with that you get onto the actual MPE+ installer, again requiring interaction. I think that it would be good to move any questions that need answering (e.g. path) to the start of the installation process and, given that these two items are entirely under the control of AD, to remove the requirement to click on anything. Improving certainly, but not quite there yet!
The other aspect of change over the last few weeks is that I've now closed out the case that I was testing with MPE+ in the first part of the review. However, I've got a new test case to work with. I've just upgraded my phone as well as my laptop so I've got a new Sony Xperia Z3 but sadly, although the Lollipop (Android 5.0) update is allegedly going to be pushed out soon, this is still running on 4.4.4. Nonetheless, it is at least another device above and beyond the Samsung and iPhones that I have thrown at MPE+ so far.
I won't repeat the first part of the review other than to say that the imaging worked under Android dLogical (it seems that the Sony Z3 is another device not explicity listed – a North American bias perhaps?) This second part of the review is here to cover the more advanced features of the software.
Interfacewise, it is pretty much a matter of “Plus ça change, plus c'est la même chose” - there are no differences that I could identify in the “new” version from the old one, not that I think that there is all that much room for improvement if I am honest. As I said before, this is a clear and well laid out interface – quick and easy to find all of the things that would make triage painless and with simple access to the more advanced features of the program as well.
I didn't cover off last time the file carving, nor do I think that it should qualify as an “advanced feature”, so briefly – MPE+ does file carving, the icon is under the tools menu and it does what it should.
The first of the more advanced features that I'd like to draw to the attention of the reader is the “Alerting” functionality. You can find this under the “Tools” tab. This rather natty feature allows you to set triggers for alerts that will pick up on keywords that you specify. These alerts can be exported and imported and are easily shared amongst examiners, the idea being that as you identify items of interest, be they people, files, names or numbers, you can flag these up clearly. These alerts carry across phones and instances and look at the data passing through MPE+ as a whole, so if you are processing multiple devices it is easy to determine all hits at a glance.
Creating a new alert is easy - you give it a name, pick a colour and give it some keywords to look for. I started off with my daughter's name, knowing for certain that this would generate some hits, but then thought better of the screenshots and possibly putting her telephone number out on the web by accident, so after having run the alert, I deleted it and created another for “forensic focus” - that which you can see in the screenshots. Unfortunately this appears to be a use case that AD hadn't accounted for (or, if they had, they've decided that you won't ever make a mistake or change your mind) as my initial alert tags still persist against the entries in the main view. The count feature (a red number showing the number of hits) under the main icons seems to ignore this persistance though and still reports the correct number of current alerts.
The second advanced feature is the PythonScripter – an embedded Python interpreter that is built into to MPE+ which allows you to write your own scripts and enhancements to the application, to make use of the pre-installed ones or to download those created by others and run them against the data that you have extracted from the device. No manufacturer can keep up with the plethora of applications that are constantly being added to out in the Android or iOS ecosystem, and it is this feature, powered by community contributions, that is most likely to be of long term value to the examiner, especially if we can adopt a “sharing” attitude to our code, rather than being possessive of it.(3) In any case, this is a hugely powerful addition to the program. I personally loathe Python but this really is only my personal preference, being a Perl person, so sadly this isn't a feature that I'll be making much use of but the material available to learn Python and the ease with which it can be picked up is pretty much second to none in current interpreted languages.(4) This function, like the soon to be mentioned SQL functions, is obtained from a right-click menu when looking at files.
The provided pre-loaded scripts will give you a good place to start, covering within them for example file carving, log and data parsing and GPS decoding amongst other things. These, coupled with a good Python book (I am contractually obliged to plug O'Reilly at this point – Learning Python by Mark Lutz – but there are plenty of free resources on the web) should have you well on your way to getting the data out that you want.(5)
The other advanced features focus around the database side of things. Firstly there is the SQLite Explorer, available from a right click on an SQLite file. This simply opens the database in a pleasantly browsable way allowing you to step through the structure quite comfortably and quickly to get the lay of the land.
This is useful in and of itself, but it is the SQL Builder (again, a right click option) that is actually the real joy – having ascertained the layout of your database, you can then construct your SQL query as you like and extract the data as you wish using any of the fields in the database. This is a powerful feature and not immediately intuitive – however given training, time and practice I could easily see a lot of time being spent in here digging productively. The ability, like that available pretty much everywhere else in the product, to save and recall your “programs”(6) is a really powerful tool – reinventing the wheel is no fun, especially when there are so many variations of apps out there that you may come across. Building a working library of code as an individual or a department is a real advantage and again, I would encourage you to play nice with the community as a whole and share!
Finally, reporting. MPE+ supports a number of formats and allows you to select comfortably what is and isn't included (much the same as any other forensic product really). I, personally, never actually use the reports generated by a product, rather they get cut and pasted into another document – XLSX and RTF are probably the best bet for this. DOC or, better still ODT, would be great in a later version. If you want to use the actual report then the PDF is pretty enough, and can be tailored pretty well from within MPE+. I particularly like the “Preview” button which really does show you what you are going to get.
Rounding out the review, I'm going to go back to the beginning. MPE+ is a good product – superficailly easy to use, and to get the low hanging fruit from an investigation it really is very quick. The more advanced features require work to get the most out of them – learning how to code in Python and getting to grips with the SQL Builder for example. AD recognise this and back, at the very beginning, on the “Home” page, are a whole group of video tutorials that will aid you in getting to grips with these features. They are pretty well paced and have a good production value making them quite watchable. They actually stream through MPE+ - if your machine is internet connected – which quite possibly won't be the case in a lot of forensic environments. They are available on YouTube as well though, and you can get to these now free of charge I believe. You can also, assuming that you are online, access other AD resources through the interface once you are signed in.
As far as I know, Forensic Focus doesn't have a standardised star rating system and everyone reads these things in their own way. I think a 4 star Amazon review is a good thing and a 5 star a sure thing – other people view things differently - and I personally think that MPE+ is hitting a solid 4. There are some irritations that prevent it from making it to 5 star, and these are as follows:
- Common phone models in the UK, like the Galaxy S4 and Sony Z3, could not be located in the supported list but are supported for collection, as are all Android devices using the dLogical model under Android.
- The search facility in the model selection for extraction is irritating – you have to type the phone ID exactly or it won't match – you can't type “S3” under Samsung and get all instances of the string “S3”, you have to type the full “SCH-i535 Galaxy S3”, this makes finding a phone (or the lack of it) quite often a “Scroll down the entire list” task.
- Flags set on data entries don't clear. I have mixed feelings about this, I can see that some people might actually find this useful but to me it is information leakage waiting to happen at worst and irritatingly clogging up my view at best.
- Stability (in my own use cases) hasn't been 100%. It's been better when left alone rather than asking it to multi-task but at the same time my installation has crashed while booting only to start perfectly fine the next moment.
- Installation still isn't as good as it could be – it's not unattended, and not clear (owing to the Drivers aspect) what has and hasn't been installed.
- Progress being indicated by a little blinking light, even one with a mouse-over that tells you that something is happening, isn't indicative of real progress – you can't tell the difference between a hang and a long task.
If all of these things were resolved the product would be an absolute pleasure to use, making it an absolute sure thing. As it is, it is good, very good in fact, but not perfect...yet. AD is knocking out updates pretty frequently, and if they can address these issues in the next 6 months, I'll be considering it come renewal time.
Learn more about MPE+ on the AccessData website or contact AccessData for further information.
Discuss this review here.
About the reviewer
Simon (Si) Biles is an Information Security and Digital Forensics Consultant. Starting as a UNIX and Linux SysAdmin more years ago that he cares to remember, he now specialises in "alternate" operating systems (which, it seems, is everything not made by Microsoft), both in Forensicating and in Security. As well as running the consulting company Thinking Security (www.thinking-security.co.uk), he also lectures for DeMontfort University in Leicester on both Forensics and Security to undergraduate and postgraduate students. If you enjoyed the review, and would be willing to spare a cup of coffee in exchange for the time it may have saved you in doing it yourself, Si would be grateful if you would consider making a donation to the charity WaterAid in support of his daughter who is currently training hard for a major fundraising event - http://my.wateraidfundraising.org.uk/dwkayaking
Si can be contacted by e-mail at: [email protected]
LinkedIn : uk.linkedin.com/in/simonbiles/en
1 Still aiming for that Oxford English Dictionary entry...
2 At the time of writing, there seemed to be some glitches with the download link being sent out by the register mailing system – I hope that this has now been resolved.
3 Please insert appropriate debate about the benefits of open source vs. closed source here. I'm running a Linux laptop, guess which side of the fence I fall on...
4 Except Perl of course, Perl is the best...
5 Second shameless plug, I understand that the DeMontfort University – Forensic Computing for Practicioners MSc course in Programming uses Python.
6 SQL is “Structured Query Language” - as a language one would assume that the result is a program? Stretching it a bit too far?
Article content received from: Forensic Focus,