Selective extraction for specific timeframe

(@john000)
Posts: 45
Eminent Member
Topic starter
 

Hi all,

Anyone know if it's possible to perform selective data acquisition between defined dates/times using UFED/XRY/Magnet?
We need the option to perform a logical extraction only for a limited timeframe, and I wonder if it's possible.

Thanks,
John

 
Posted : 04/11/2018 1:51 pm
(@dandaman_24)
Posts: 172
Estimable Member
 

Nope

 
Posted : 04/11/2018 5:26 pm
(@dega)
Posts: 261
Reputable Member
 

I am not sure, but MOBILedit Forensic Express should have this feature.

 
Posted : 04/11/2018 6:31 pm
(@agp_analyst)
Posts: 22
Eminent Member
 

I know the UFED Kiosk devices support this, as well as other filters, but I don't know if any of their other products do.

 
Posted : 05/11/2018 10:01 am
(@mcman)
Posts: 189
Estimable Member
 

The problem with selective extraction is that even if you try to do it, it won't work across the board for all files and extraction types.
1) Even if you have privileged access (root/jailbreak/etc.), the file system timestamps that you would base your extraction on only tell part of the story. If you're looking for chat or SMS messages or data within a database (most mobile data is in SQLite/plist/JSON or a similar structure), it's not possible to filter that data without first analyzing the contents of the database or structured file.
2) A logical extraction (iTunes/ADB backup) does not accommodate selective extraction very easily, for the reasons above and because each app chooses whether to be backed up and what to include in a backup. You could create a tool to pull the backup (however it was given through the API), have the tool automatically analyze and parse out the data it knows, and then only display the data within your time frame, but that's not part of the extraction. The full extraction already happened; the tool is just showing you a filtered result.
3) If you're just looking to do this for allocated pictures and video, sure, definitely doable. Make an MTP connection to the phone and pull the media based on the file system timestamps available (created/modified/etc.). This is how most in-field or kiosk tools provide this info. Anything beyond that isn't universal and is limited in availability across device models and OS versions.

Again, selective extraction has way too many holes in it to be a viable option for most forensic examiners. You'll still miss out on a lot of relevant data within your time frame that might be important to your investigation if you try to do it at the point of extraction. It always comes up due to legal constraints, but most jurisdictions have mechanisms to limit the scope after the extraction but prior to analysis, either through automated (machine) analysis or examiner/analyst review prior to providing the dataset to the investigative team.

My 2 cents.
Jamie

 
Posted : 05/11/2018 2:13 pm
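The two halves of Jamie's point, as an added example that is not part of the thread and not code from any of the tools named above: message records inside a SQLite database can only be scoped to a time window after the database has been acquired in full and parsed, whereas loose media files can be scoped by their file system timestamps alone. The schema below is a constructed stand-in loosely modelled on an Android SMS table (a `date` column in milliseconds since the epoch is assumed); the sample rows and the media listing are likewise constructed.

```python
import sqlite3
from datetime import datetime, timezone


def epoch_seconds(stamp: str) -> int:
    """Parse 'YYYY-MM-DD HH:MM' as UTC and return seconds since the epoch."""
    dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for an acquired messaging database.

    Assumption: one 'sms' table with a 'date' column holding milliseconds
    since the epoch, as Android's SMS provider does. Real databases vary
    per app, which is exactly why parsing has to happen after acquisition.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER NOT NULL, body TEXT)"
    )
    rows = [  # constructed sample messages spanning a week
        (1, "+15550001", epoch_seconds("2018-10-30 09:00") * 1000, "before window"),
        (2, "+15550002", epoch_seconds("2018-11-01 08:15") * 1000, "inside window"),
        (3, "+15550001", epoch_seconds("2018-11-02 23:59") * 1000, "inside window"),
        (4, "+15550003", epoch_seconds("2018-11-03 00:00") * 1000, "on end boundary"),
        (5, "+15550002", epoch_seconds("2018-11-05 12:00") * 1000, "after window"),
    ]
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def messages_in_window(conn: sqlite3.Connection, start: int, end: int) -> list:
    """Return message rows whose timestamp lies in [start, end) seconds UTC.

    This runs against the already-acquired database: the filter is applied
    at review time, after the full file has been pulled from the device.
    """
    cur = conn.execute(
        "SELECT id, address, date / 1000, body FROM sms "
        "WHERE date >= ? AND date < ? ORDER BY date",
        (start * 1000, end * 1000),
    )
    return cur.fetchall()


def message_time_span(conn: sqlite3.Connection) -> tuple:
    """Earliest and latest message time (seconds UTC) held in the one file.

    A single file system mtime on the database cannot reflect this span,
    so a file-level time filter would either keep or drop every message.
    """
    lo, hi = conn.execute("SELECT MIN(date), MAX(date) FROM sms").fetchone()
    return lo // 1000, hi // 1000


def media_in_window(entries: list, start: int, end: int) -> list:
    """Filter (filename, mtime_seconds) pairs by mtime in [start, end).

    This is the kind of filter an MTP-based selective pull can apply,
    because each media file carries its own timestamp. 'entries' is a
    constructed listing rather than a live MTP enumeration.
    """
    return [name for name, mtime in entries if start <= mtime < end]


# constructed directory listing of loose media files
SAMPLE_MEDIA = [
    ("IMG_0001.jpg", epoch_seconds("2018-10-31 18:00")),
    ("IMG_0002.jpg", epoch_seconds("2018-11-01 09:30")),
    ("VID_0003.mp4", epoch_seconds("2018-11-04 07:00")),
]


if __name__ == "__main__":
    start = epoch_seconds("2018-11-01 00:00")
    end = epoch_seconds("2018-11-03 00:00")
    db = build_sample_db()
    for row in messages_in_window(db, start, end):
        print("message in window:", row)
    print("time span inside the single db file:", message_time_span(db))
    print("media in window:", media_in_window(SAMPLE_MEDIA, start, end))
```

The window is half-open (`[start, end)`) so that a record stamped exactly at the end boundary falls into the next window rather than both; whichever convention an examiner uses, it should be stated in the scoping record, since the boundary rows are the ones most likely to be argued over later.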
(@john000)
Posts: 45
Eminent Member
Topic starter
 

The problem with selective extraction is that even if you try to do it, it won't work across the board for all files and extraction types.
1) Even if you have privileged access (root/jailbreak/etc.), the file system timestamps that you would base your extraction on only tell part of the story. If you're looking for chat or SMS messages or data within a database (most mobile data is in SQLite/plist/JSON or a similar structure), it's not possible to filter that data without first analyzing the contents of the database or structured file.
2) A logical extraction (iTunes/ADB backup) does not accommodate selective extraction very easily, for the reasons above and because each app chooses whether to be backed up and what to include in a backup. You could create a tool to pull the backup (however it was given through the API), have the tool automatically analyze and parse out the data it knows, and then only display the data within your time frame, but that's not part of the extraction. The full extraction already happened; the tool is just showing you a filtered result.
3) If you're just looking to do this for allocated pictures and video, sure, definitely doable. Make an MTP connection to the phone and pull the media based on the file system timestamps available (created/modified/etc.). This is how most in-field or kiosk tools provide this info. Anything beyond that isn't universal and is limited in availability across device models and OS versions.

Again, selective extraction has way too many holes in it to be a viable option for most forensic examiners. You'll still miss out on a lot of relevant data within your time frame that might be important to your investigation if you try to do it at the point of extraction. It always comes up due to legal constraints, but most jurisdictions have mechanisms to limit the scope after the extraction but prior to analysis, either through automated (machine) analysis or examiner/analyst review prior to providing the dataset to the investigative team.

My 2 cents.
Jamie

Thank you for your detailed answer. Very helpful!

 
Posted : 05/11/2018 4:04 pm