I understand that there is no ONE tool to do cell phone forensics. But what are the best 2-3 devices and software to obtain, either purchase or open source, to conduct mobile phone exams and create the best possible "umbrella" for most phones and platforms. I'm doing this for a grant funds request so I want the most appropriate tools to get the job done and price is really the second most important factor.
Also, does anyone know of a good database program to use to dump cell phone and contact list info into to use as intel in gang cases?
Thanks
Defo XRY and CelleBrite for logical extractions.
Still getting used to XACT but CelleBrite Physical Analyser is very good in my opinion.
Extras we use are SHU-Box with Pandoras Box.
For logical we use XRY, CelleBrite and Oxygen.
For physical we use XACT, CelleBrite PE and several flasher boxes including SHU box, NSPro and Rocker.
Much caution required with the flasher tools though as they are not designed with forensics in mind! Although their resultant extractions can be read and decoded with XACT, CelleBrite PE, Cell Phone Analyzer, PMExplorer, Pandora's Box and EnCase all with varying degrees of success.
I've got to agree with Triran and Alex101, XRY and Cellebrite for logical extraction, and XACT for dumps. The only other 'must' that you should consider, is a good quality digital camera on a 'bracket' with software such as ZRT Video for when the forensic software isn't compatible and a manual extraction has to be done. Plus, loads of coffee!
We also use, amongst others, EnCase for the examination/imaging of memory cards etc. EnCase is a 'must have' for examining storage media.
As Alex101 has already said, be VERY careful with devices such as flashing devices/SHU boxes. They are immensely useful and can often provide a back door to data BUT should only really be used as a last resort if all other methods fail.
With regards to your database query, programs such as XRY, XACT, Cellebrite/UFED etc have an export function. In other words, data such as contacts, calls, SMS etc can be exported to programs such as Excel, Word and Open Office.
Just a quick query about Pandora's Box. Lots of people mention this for use with a mobile phone physical image, but it doesn't seem to be available anywhere any more - anyone know different?
The scenario is examination of a mobile handset with PHY layer capture required where not supported by XRY/UFED; I can extract the data by chip removal or JTAG methods, and do direct memory searching, but was looking for other 'helpful tools' for this area. I'm aware of the UFED pro software but that's a high investment if you only need the raw image processing; Pandora seemed ideal, but the site seemed to have just been pulled… maybe someone can tell me otherwise?
Phil.
No one has yet to mention
I have no experience (yet) in mobile phone examinations but I went to a forensics conference a few months ago and a PA state trooper was demo'ing cell phone and GPS examinations and was asked what software he recommends for phones. His answer was #1) BitPim, #2) I forgot, and #3) was EnCase.
I was at the next booth and missed most of his presentation so I didn't see him doing the analysis but the guy next to him (Pittsburgh Police) was using CelleBrite. Someone asked the trooper what he thought of CelleBrite and his response was that it was overpriced and wasn't as good as the products he mentioned.
Thoughts?
… Someone asked the trooper what he thought of CelleBrite and his response was that it was overpriced and wasn't as good as the products he mentioned.
Thoughts?
CelleBrite's product is a good tool, but not the be-all/end-all of mobile forensics. Expensive? *All* of the commercial products aimed at the 'forensics market' are over-priced for us private-sector folks who don't benefit from "Stimulus Funding" here in the U.S.
As to BitPim? Well, let me quote Paraben's Amber Shroader, from a statement she made during a panel discussion at Techno Security 2009. "We use our product [Device Seizure] and when that doesn't work, we use BitPim." [emphasis added]
What I like about BitPim is that it reads and presents the file system from a handset and lets you drill through it to find the goods that the commercial products often don't show you.
And it's free. (For now)
Indeed BitPim is useful and free.
But, there are many cases where it will not get you all the files, since many devices have files and folders locked for BitPim (like the image folder and other files and folders in many phones).
UFED and UFED Physical, which also provide the file system dump functionality, will in many cases get you those hidden/protected files too.
RonS
Just a quick query about Pandora's Box. Lots of people mention this for use with a mobile phone physical image, but it doesn't seem to be available anywhere any more - anyone know different?
The scenario is examination of a mobile handset with PHY layer capture required where not supported by XRY/UFED; I can extract the data by chip removal or JTAG methods, and do direct memory searching, but was looking for other 'helpful tools' for this area. I'm aware of the UFED pro software but that's a high investment if you only need the raw image processing; Pandora seemed ideal, but the site seemed to have just been pulled… maybe someone can tell me otherwise?
Phil.
Does