FTK Mobile Phone Examiner

MPE has a long way to go before it matures as a forensics tool, in my opinion they shot themselves in the foot in a huge way by limiting the software by locking it in to FTK.

How is locked to FTK? It's a free-standing product, and from what I've seen of it it's absolutely fine, does what it says does.

I should clarify (and it's possible this has changed in the last few months) but the physical download functionality is only viewable via FTK, the logical download can be stand alone.

I'm not saying it doesn't work, just that right now there are many better and cheaper options and someone who already has UFED is not gaining anything by getting MPE as it doesn't do anything UFED doesn't already do and far better )

I should clarify (and it's possible this has changed in the last few months) but the physical download functionality is only viewable via FTK, the logical download can be stand alone.

I'm not saying it doesn't work, just that right now there are many better and cheaper options and someone who already has UFED is not gaining anything by getting MPE as it doesn't do anything UFED doesn't already do and far better )

Fair enough Adam, good reply!

MPE+ is a completely standalone product and the physical extracted files can be viewed from within the product. I have not needed to use FTK to complete a job, but it is handy to have as a resource!

Some of the features I enjoy in this product
Physical Extraction (my main product for physical)
Ability to import images (E01, Yaffs, DD, Cellbrite etc) for analysis or verification
Timeline Visualisation/Social Analysis
Mount image to run malware analysis
Built in parsers for Android, iOS, IPD & Itunes backup.
Built in SQLite browser & Application one click support

I am hopeful that AccessData will incorporate their Cerberus Malware tools into this program in the future for live malware analysis.

MPE+ has come a long way in the last 2 years and I am personally pleased with the updates so far. The product is not perfect and I cannot answer to the lack of language support but when I have needed the support it has always been there. With the imminent merger of the e-discovery and investigation products in the next few months, AD will make it seamless to analyse AD1 images in all the products.

The other tools I use for mobile are Blacklight and Oxygen Analyst.

Disclaimer I have not used UFED.

I stand corrected, my last use of MPE you couldn't view the physical dump unless you had a licensed version of FTK, looks like they realised that mistake and rectified it.

However I'll stand by my original comment that if you already have UFED then you gain nothing by getting MPE, far better value for money upgrading to the UFED touch then you get the Physical Analyser software plus the latest portable package they have.

If I had the money the kit that I would get to compliment the UFED would be XRY as between those two tools you will cover just about everything out there. UFED was stronger on iOS and Blackberry when I did my testing and as in the corporate world that makes up 90% of my work it was a no brainer.

Maybe MPE+ do all that manual say, but hide lots of things that everybody thinks that is included like, bluetooth, useful reporting, etc.

Another issue is that the app is very very slow (comparing with XRY), sometimes it takes more then 4 or 5 minuts to start up (in a brand new pc)
I can Make a video (ftk is faster).

Even MPE investigator that is just for my investigators choose what they whant for reporting, is very very slow.

MPE investigator in my opinion is like a "copy" of XRY or UFED reader but
1 -needs a large install (XRY reader is small, no require install, no frameworks, just need to included in the cd with the phone extractions so my investigators can navigate an see all items they need, so can print for the process what is relevant)
2- in the last version 5.2.1 needs framework 4.5 but is not included in ISO
3- Has problems connection behind a proxy like mpe+
4- has the same problems with reporting. (i can post a report in rtf has no labels)

I'm not saying that MPE+ is bad app, i just say that this app costs +- 4000€, and for that price is very weak in very much aspects.

An good example is that MOBILEDIT FORENSICS cost around 500€(app)+500€(cable kit) and may be a better tool as far as i already tested.

Another good example is that the cable kit don't even include Nokia Ca-50 (a tiny like USB) for all old nokias (this kind of phones apear every day in my department for extracting), Called accessdata support about this because i have cable kit SMS renewall and they told me that some cables are not included, and i have to buyed anywhere in separate.(wy do i have sms renew)

Timeline Visualisation/Social Analysis is a joke only makes a snapshot of the rude analisys. In this field it was preferered that the application made a good extraction to XLS format (not bad CSV as it do) so we can import the data for I2 Analyst Notebook, and make a good analysis report.

The last accessdata support after some bugs i reported, they told me that is was better to me have a second tool for cell Phone extraction (thats easy to say, dificult to pay, when already buyed a 4000€ tool, my boss is going to kill me).

In my department every day are delivered phones to extract data, MPE+ usualy only extract +-50% of the phones, the rest i go to another police department near me and they use XRY that extracts almost all of them.

Sorry for this long post (i'm a little hangry with myself for choosing MPE+)

BUT i like FTK

Best regards for all and sorry for my english.

Since this is still an active post let me go through my recent experience. First, I am an active FTK user - have been since the first 1.7 release. My go-to software, so it was natural that I would want a product linked to FTK.

Disclaimer; this is a one-sided diatribe based on my perceptions of experiences and I'm pissed so it may be "a bit" rough.

I purchased MPE+ and wish I hadn't. The cable kit is minimal but acceptable and the SMS is ridiculous. When I first installed it on a laptop (an I7 core with maxed RAM used for field work) I found that; a) the help/instructions were part of the compressed package. You have to install to find out how to install. b) When I tried to access set up, it crashed repeatedly c) when I ran it against a real phone, it stressed the processor so much that it induced a heat related shutdown. I then installed it on two forensic computers, towers; a moderate one and a monster. It wouldn't install on the monster until I tweaked the Windows support. It installed fine on the moderate tower. Both machines crashed when attempting to access setup. I ran a carve operation on a blackberry image and it crashed the computer. Did not support a 2.5 year old Android smart phone.

So, I called support. They said I should have read all of their "front facing" forum posts to learn how to install it. (Got that? Not their on-line help, not their instructions - the forum posts). They said yeah, we know about the setup crash - it's a known issue. (Why haven't they fixed it??? Why are they selling software that doesn't work, without telling the consumer?) After some other non-helpful answers, I said fine - I want my money back. They said call sales!

I called sales and said I just got the product and it sucks. I want an RMA (their license gives you 30 days). None was forthcoming. I next got the director of sales, who mouthed platitudes and said he was referring it to a VP. No RMA. Never heard from anyone else. No calls, no emails. Finally gave up.

So I'm learning to deal with my mobile phone problems. Fixed the setup crash (via forum posts) and reduced the number of threads so the laptop doesn't explode. I see nothing special in the reports nor the way in which data is presented by MPE+. It does export data to AD1 files, which can be imported into FTK for searches and integration into projects. You will get the job done with the product and get it done cheaper than with UFED <BUT> as noted, others do it cheaper and better. They also just changed the SMS from purchase price plus annual subscription to a flat annual fee of almost $3K for the product - pay or it stops.

It's not horrible. For your money you could get UFED or Oxygen, both of which are good products. There is nothing wrong with having multiple though.

Do you give up on your Cases also? Cmon, don't let AD win, stay on that, whether it's your money, or department money make it your priority to get in their *rse.

The problem, as you have seen, is that the difference in quality between the top of the line, and what a lot of people can afford is HUGEEEEEEEEEEE. The what people can afford items, don't usually work up to what we need, and the we can't afford it items are what we need, but can't have.

I truly hope you get your money back, as you don't deserve to be treated that way.

"I called sales and said I just got the product and it sucks. I want an RMA (their license gives you 30 days). None was forthcoming. I next got the director of sales, who mouthed platitudes and said he was referring it to a VP. No RMA. Never heard from anyone else. No calls, no emails. Finally gave up."

EDIT Everyone, please direct your attention to my post of 8/23/2013 (should be on the next page). Lee and I spoke at length today, and we have a plan to address these issues I was having. The problem is that most iPhone images are encrypted, and MPE+ doesn't know how to read the keys out of the .UFD file. The .UFD file does appear to contain the keys needed to decrypt the image, and Lee and his team are going to work on a way to automate extracting those keys so MPE+ will be able to read encrypted iPhone physical images extracted using Cellebrite.