Implementing a mobile forensic lab

(@forensix)
Posts: 7
Active Member
Topic starter
 

Hi,

I'm currently managing the implementation of a new mobile phone forensic lab and I'm trying to decide which software to use. In the past my only experience has been with XRY, however this was while I was still in education and was largely due to the costs of licences etc. (We got the XRY licences significantly cheaper than we could get the others.)

From the research I've done and also using some threads on this site it seems Cellebrite is the most popular within the industry, however there have been many people that have made the point that different software packages have different advantages/disadvantages (naturally).

I'm leaning towards using Cellebrite as long as the relevant training can be given. Would it be prudent to utilise a secondary tool/piece of software to support mobile phone investigations as well? (I'm expecting the response to be yes.) If so, are there any options which are relatively cheap? As a secondary tool to support Cellebrite, I will struggle to get the funding to purchase licences for two of the main industry tools (Cellebrite, XRY, Oxygen etc.).

In an ideal world I would implement one of the main tools and then use a selection of open-source tools to support the investigations, but I'm not holding out much hope!

Any help/advice/discussion would be greatly appreciated.

 
Posted : 06/09/2013 4:53 pm
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

It's hard to know what's best for you without more information. What types of devices do you see most often? Mostly smartphones, or do you get feature phones? How about Chinese chipset phones? Are you in private industry, or do you work for a law enforcement agency?

I can only tell you what has worked reasonably well for me. I see a lot of iPhones with a limited number of Android devices and BlackBerrys thrown in to make it interesting. This is because of my client base. Your mix may be very different.

I started with BlackLight, which is an iOS and OS X analysis tool only (with recent support for Windows). BlackLight won't get you physical images of anything, but it is good at analyzing iOS backups and acquiring logical images of iOS devices.

I bought a Cellebrite UFED Touch Ultimate to deal with a particular case that never materialized, but since then it has become my go-to tool for mobile forensics. I have not tried XRY or Oxygen, but I am impressed with Cellebrite. As you know, Cellebrite comes with a high price tag, but the support has been great. I do not have Chinex as I have yet to see a Chinese chipset phone.

I also use MPE+ and Magnet Forensics IEF for mobile device analysis, but I continue to use Cellebrite to acquire all my images.

This has worked for me. I can't justify two top-tier solutions, but I can justify one, Cellebrite, with a few of the second-tier or specialized tools to assist and provide a second opinion on what Cellebrite can analyze.

The primary reason for multiple tools is that even the top-tier tools can analyze less than 1% of apps. They try to get the big ones, but as an example, the LinkedIn app isn't decoded by Cellebrite. If you think there might be something in the LinkedIn app, you will be doing some manual decoding through SQLite Browser or something similar. Some of the other tools may decode apps that Cellebrite won't.

This is not a temporary situation. With over a million apps across all four smartphone platforms it is effectively impossible to decode them all. In your budget, include plenty of room for some robust mobile forensics training.

 
Posted : 06/09/2013 6:36 pm
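Bulldawg's point above, that an app the suite does not decode (his LinkedIn example) comes down to opening the app's own SQLite stores by hand, is the kind of task a small script handles better than a GUI browser once it has to be repeated across every extraction. The following Python script is an added example written for this page; it is not code from the thread or from any of the products named. It assumes the extraction (logical or physical) has already been unpacked to a directory and that you are working on a copy of the evidence. It finds SQLite files by header rather than extension, opens them read-only, hashes each file before and after to show the access changed nothing, and applies a heuristic decode of the timestamp encodings commonly met in mobile app databases (Unix seconds, Unix milliseconds, Apple absolute time, WebKit microseconds). The "messages.db" it builds is a constructed sample standing in for an app sandbox, not data from any real handset.

```python
"""Added example: triage SQLite app stores that a commercial suite did not decode.
Assumes an unpacked extraction directory ('root') holding a *copy* of the evidence."""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

SQLITE_MAGIC = b"SQLite format 3\x00"                      # first 16 bytes of any SQLite 3 file
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple absolute / Cocoa time
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # WebKit/Chrome microsecond time


def sha256_file(path):
    """Hash a file so the report can show the triage did not alter the copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sqlite_files(root):
    """Locate SQLite stores by header, not by extension (apps name them freely)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    if f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def _open_ro(path):
    # mode=ro stops sqlite3 from writing journals or otherwise touching the file
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(path):
    con = _open_ro(path)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def decode_timestamp(value):
    """Heuristic decode of common mobile timestamp encodings (tuned for roughly
    2004-2030). Treat the result as a lead until confirmed against a known event."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    v = float(value)
    if 1e16 <= v < 2e17:      # WebKit/Chrome: microseconds since 1601-01-01
        return WEBKIT_EPOCH + timedelta(microseconds=v)
    if 1e12 <= v < 1e13:      # Unix milliseconds (Android / Java apps)
        return datetime.fromtimestamp(v / 1000.0, tz=timezone.utc)
    if 1e9 <= v < 1e10:       # Unix seconds
        return datetime.fromtimestamp(v, tz=timezone.utc)
    if 1e8 <= v < 1e9:        # Apple absolute time: seconds since 2001-01-01
        return APPLE_EPOCH + timedelta(seconds=v)
    return None


def dump_table(path, table):
    """Return (columns, rows as dicts); timestamp-looking values get a '<col>_decoded' key."""
    con = _open_ro(path)
    try:
        cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
        cols = [d[0] for d in cur.description]
        rows = cur.fetchall()
    finally:
        con.close()
    out = []
    for row in rows:
        rec = dict(zip(cols, row))
        for col, val in list(rec.items()):
            ts = decode_timestamp(val)
            if ts is not None:
                rec[col + "_decoded"] = ts.isoformat()
        out.append(rec)
    return cols, out


def triage(root):
    """Map each SQLite file under root to its hash, an unchanged flag and decoded tables."""
    report = {}
    for path in find_sqlite_files(root):
        before = sha256_file(path)
        tables = {t: dump_table(path, t)[1] for t in list_tables(path)}
        report[path] = {"sha256": before, "unchanged": before == sha256_file(path),
                        "tables": tables}
    return report


def build_sample_extraction():
    """Constructed sample (not real evidence): a small messages store plus a non-SQLite file."""
    root = tempfile.mkdtemp(prefix="extraction_")
    app = os.path.join(root, "Library", "Caches", "example.app")
    os.makedirs(app)
    db = os.path.join(app, "messages.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT, sent_at REAL)")
    con.executemany("INSERT INTO messages(sender, body, sent_at) VALUES (?, ?, ?)",
                    [("alice", "meeting moved to 4pm", 400000000.0),
                     ("bob", "sending the file now", 400003600.0)])
    con.commit()
    con.close()
    with open(os.path.join(app, "Info.plist"), "w") as f:
        f.write('<plist version="1.0"><dict/></plist>\n')
    return root


if __name__ == "__main__":
    for path, info in triage(build_sample_extraction()).items():
        print(path, info["sha256"][:16], "unchanged" if info["unchanged"] else "MODIFIED")
        for table, rows in info["tables"].items():
            print("  table", table)
            for r in rows:
                print("   ", r)
```

Run it as-is to see the constructed sample decoded; point `triage()` at a real unpacked extraction to use it for work. The read-only URI open matters: opening an app database with a normal connection can create a journal or checkpoint a WAL file, and the before/after hash in the report is what lets you show that did not happen.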
(@forensix)
Posts: 7
Active Member
Topic starter
 

We're in private industry, these tools will be used to investigate company phones more often than not. We will primarily be dealing with Windows phones, although there will be the occasional iPhone or Blackberry making an appearance no doubt.

Your response was pretty much what I was expecting, but it's always nice to bounce ideas off someone with a lot more experience in the industry. Thanks for the help.

 
Posted : 09/09/2013 12:50 pm
(@davepawlak)
Posts: 29
Eminent Member
 

Rather than popularity, look at which phones each tool supports and compare with the phones you expect to see coming in. You could ultimately have the nicest tool set but if the phones aren't supported it will not matter. I have only seen a handful of Windows phones come through the doors and when they do most of my tools do not support them.

For phones (not in any particular order)

Cellebrite
XRY
Secure View
Final Mobile Forensics
BlackLight
IEF
Lantern
Oxygen
iTunes
BlackBerry Backup Manager
BitPim
ViaForensics
Elcomsoft

The big thing with phones is that if you can get a physical dump you can load the physical dump in to most of the major forensic suites. So Cellebrite and iLook, X-Ways, FTK, and/or EnCase may get you what you need.

 
Posted : 11/09/2013 4:49 pm
(@forensix)
Posts: 7
Active Member
Topic starter
 

Thanks Dave, I appreciate popularity isn't any guarantee of being the best solution, I just felt it was a reasonable place to start, particularly with this being the first time I've had to create a lab from scratch.

The main problem I have at the minute is that I don't know what kind of phones are going to be coming in. The current phone that our employer is supplying is an HTC 8X which again is a Windows phone, so I've deduced that they intend to keep supplying Windows phones (this is based purely on the fact that for the last 2 years each company phone has been Windows based).

In your experience are there any tools you have used which have been particularly good at investigating Windows based devices? The other issue is that we are currently looking at providing tablets to a number of local teams, although no one internally seems to have a clue what options are being considered, let alone which one we will finally end up with.

I realise this is rather ambiguous but unfortunately that's the situation I've been put in: implement a lab with no definitive info on what kind of devices I'm going to be presented with, leading me to base these decisions on rather large assumptions. I have every intention of making this point at my next Project Meeting, not that I'm expecting anything that could be considered a remotely useful response.

Thanks again for the input.

 
Posted : 11/09/2013 7:25 pm
(@psychopigeon)
Posts: 4
New Member
 

At the moment there is not much that can be done with Windows Phone 7/8 due to limitations and security in the OS (locked down).

Media files are supported by XRY and media files/contacts by UFED. We have to photograph the data.

 
Posted : 11/09/2013 7:33 pm
(@cb_forensics)
Posts: 1
New Member
 

I've run into issues using IEF to parse through iOS backups. Best bet is to use the Cellebrite software to ensure you obtain all parseable data within these backups.

 
Posted : 11/09/2013 10:10 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

I think you are still better off sitting with one of the major two (Cellebrite or XRY) as they tend to offer the greatest support for most phone vendors and the most frequent updates for phones.

You will obviously pay more for these suites, but there is a reason why they are the two that you will find in most forensic labs around the world.

For my money right now I like the UFED, very strong on iPhone and BB which accounts for 90% of what I see in the corporate world. Support is excellent and you can usually get help pretty quickly if you come across some problems.

 
Posted : 12/09/2013 6:26 am
(@sam305754)
Posts: 44
Eminent Member
 

As Adam10541 said previously, you can use the major two (Cellebrite or XRY).
In our lab we use UFED with a physical licence for most of the extractions as it covers a wide variety of phones, has several software tools (Phone Detective, PA and Link Analysis) and gets frequent updates. And we have Tarantula to reinforce our capability on Chinese chipsets, as they tend to become more frequent in our cases.
If you plan to just perform logical extraction there is also Secure View from Susteen (mentioned by davepawlak).

 
Posted : 12/09/2013 2:32 pm
(@brunomac)
Posts: 16
Active Member
 

Just my opinion (tested with good results)

-UFED Cellebrite touch physical
-XRY logical
-FTK (excellent tool for carving, searching and reporting, not so good at reporting web items like IEF or Belkasoft (web history, chat, etc.))
-IEF or Belkasoft Evidence Center Pro or Ultimate.

If you want lots of bugs and pain, buy MPE+; it is going to break your head and make you talk every day with support until you buy another tool. Ha ha. (XRY logical extracts more data than MPE+ on lots of the phones and tablets I have extracted in my lab.)

Sorry for my English.
Hope this helped.

 
Posted : 12/09/2013 4:10 pm
Page 1 / 2