Just a quick query about Pandora's Box. Lots of people mention this in for use with a mobile phone physical image, but it doesnt seem to be available anywhere any more - anyone know different?
The scenario is examination of a mobile handset with PHY layer capture required where not supported by XRY/UFED; I can extract the data by chip removal or JTAG methods, and do direct memory searching, but was looking for other 'helpful tools' for this area. I'm aware of the UFED pro software but thats a high investment if you only need the raw image processing; Pandora seemed ideal, but the site seemed to have just been pulled… maybe someone can tell me otherwise?
Phil.
Does anyone have any info regarding this
Yes. Product is not available nor supported anymore.
Further more QMat and Sanderson forensics tools are a must and acid to look up how you did it the last time or how somebody else did it..
In our company we use .XRY and XACT as one of our main tools, but also have Cellebrite, Aceso and Oxygen, along with a lot of flasher boxes.
I have found Aceso very good when dealing with media especially pictures, as it extracts meta data, where as Cellebrite doesn't display meta data from the original image when these images are exported from the tool. It is also my favoured tool when dealing with Blackberry devices.
(BTW, this is my first post, I've been silently watching the forum but thought I'd start offering some input)
Adding to this post, I've been able to do a secure forensic dump of the logical data off a Blackberry Pearl 8230 (Verizon) however all the tools I've researched do NOT support the physical dump of the "Unallocated" deleted space. I've called and researched the following;
1. BitPim - no support for this phone
2. CelleBrite - Logical but NO physical support
3. Data Pilot - Logical but NO physical support
4. Xact - NO Physical support
It seems strang that a popular phone such as the Pearl 8230 doesn't currently have physical dump support but then again in this field (cell phone forensics) each phone is different and requires lots of R&D to figure out. Thank you for any other tools that you know supports this phone.
It seems [strange] that a popular phone such as the Pearl 8230 doesn't currently have physical dump support but then again in this field (cell phone forensics) each phone is different and requires lots of R&D to figure out.
'Tis the nature of this beast, I'm afraid. Do you REALLY need a physical dump? I've gotten the "dirt" off of a Pearl with "only" a logical extraction.
My experience is that when I present the "goods" I've extracted, no one questions the veracity of my findings. It is what it is. Question my collection technique if you will, but *I* did not create the "very personal" photos or the SMS request that particular "actions" be performed in a certain, erm, "irregular" manner, the detailded description of which I retrieved from the handset.
I am using
1. EnCase Neutrino
2. Paraben
3. XRY & XACT
4. Mobile Edit
5. Oxygen
6. BitPIN
7. FTK MPE
All tools are very good. but recover deleted items from phone memory has been not possible.
Abdulcadir,
You are missing UFED & UFED Physical from your list.
You should be aware that UFED Physical now supports 503 devices with physical extraction and about 2200 device with logical dump.
The above supported devices include also the latest devices on the market.
We use the EnCase Neutrino. Has capabilities for iPhones right now that are nice and the capture image reads in EnCase very nicely. It also has the Neutrino EnScript that can do some nice quick reporting.
Side note on that - the manual will say that the USB Neutrino drivers install automatically - not always. And the driver package doesn't show in the installation compressed file. After you install the Neutrino software (we are using 2.5) and plug in the USB for the Neutrino to your examination machine it will ask to load drivers automatically. Change to specify driver location and point the driver search to where you installed the Neutrino software i.e. [root]\Program Files\EnCase Neutrino and there is a folder for "drivers". It will ask for driver installs about 4 times and if you want to use unsigned drivers. Say yes then you will be able to get the device to read properly in EnCase.
RosN
U are right ! but I am talking about deleted contents of internal phone memory…….
I am not talking about live contents of phone memory even if it hidden.
Abdulcadir,
Not sure I understand you.
UFED Physical extracts the mobile phone flash memory that is where the deleted data is stored and being restored from.
RonS
absolutely correct!…..
mobile phones have the same evidentiary possibilities as other digital media, such as hard drives….
There some possibility of extraction for deleted contents but it will loose when restart cz its a RAM.
RAM is used for all intermediary storage during communication and user
interaction
Now I am thinking Manual Extraction ?