I have been reading some of the posts and since I have extensive knowledge of it I would like to respond to this post. This is not to incite replies and if some additional answers are needed I would ask it is sent directly to me at my email address.
First, MPE+ can support data extracted from any tool and can help verify the findings you might have discovered using other tools as well as uncover much more data with its advanced features. Some raw files can be used as well as exported filesystems. It really depends upon the device type.
An example
User extracted an Android physical image with another tool and parsed the image. The tool was unable to recover the call logs. Not because the tool was poor just because the logic was not there to "find" and parse the image.
LE Officer brought in the image via import image in MPE+ and the image was decoded. User used the automated "Parse Android Image" and the call logs and other data types were presented to him.
So now instead of milling over the call log file manually because the first tool did not recover the data a second tool, MPE+, was used to automatically parse the missing data. So the usage of multiple tools extracted maximum data.
This is not a limitation of either tool because I will be the first to tell you MPE+ might not extract the location data, but another tool might. That said, MPE+ will extract data that other tools cannot. That is how it works and if any other vendor does not agree with that statement I would question why.
The best I can do is dump the filesystem from within Cellebrite Physical Analyzer and load that filesystem into MPE+.
This is not correct. It depends upon the device and how this was collected. For example if it was a true image of the device MPE+, FTK or FTK Imager would properly decode. If the image is not, as it appears this is not since it is really just a simple backup - I would want to know why it is in that format.
First off, file paths on an iOS device are too long, so some files can't be dumped at all.
This would be the limitation of the software. If it cannot export a long filename then I would suggest that vendor be contacted.
Second, what I wanted MPE+ for was a "second opinion" compared to Cellebrite. If Cellebrite misses a file for some reason, MPE+ won't magically pick it up after I dump it from Cellebrite.
Actually this is incorrect. A filesystem contains many files, some of which Cellebrite cannot parse and I am sure some MPE+ cannot parse. It is not that it is not there, just that code is not built into the software to parse each and every file. That is one reason I personally built in the SQLite browser into the software. There a user can open up each of the files and locate, document and analyze the data even if the software did not automatically parse the details by simply right clicking on the file and selecting "SQLite Browser".
And my final comment, I imaged an iPhone 5 with MPE+ yesterday, and it found zero deleted text messages. Cellebrite found the same number of non-deleted text messages plus 8 deleted messages.
I would be interested if you ran the autoparser for deleted data on the sms.db or any other sqlite database in the image. That would be how you recover the deleted SMS. What is great about MPE+ is the ability to recover deleted data from any SQLite database for both iOS and Android. It is quite easy, simply right click and select "parse for deleted data".
There is not one software tool that allows for every contingency, especially in mobile device forensics. There are simply too many variables.
I do appreciate any feature requests so please send any and all directly to me. No need to post them here.
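Why a separate pass for deleted data can surface rows a normal query does not: SQLite moves the pages of deleted rows to its freelist, where the old bytes stay until the pages are reused. The following is an added example, not part of the original post and not MPE+'s or any vendor's method; the database, the `message` table and the marker string are constructed stand-ins, and `secure_delete` is assumed to be off.

```python
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"

def free_pages_with_marker(db_path, marker):
    """Walk the SQLite freelist; return (freelist page count, leaf pages holding marker)."""
    with open(db_path, "rb") as fh:
        data = fh.read()
    if data[:16] != MAGIC:
        raise ValueError("not a SQLite 3 database")
    raw_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if raw_size == 1 else raw_size
    # Header offset 32: first freelist trunk page; offset 36: total free pages.
    trunk, total = struct.unpack(">II", data[32:40])
    hits, seen = [], set()
    while trunk and trunk not in seen:          # 'seen' guards against looped chains
        seen.add(trunk)
        off = (trunk - 1) * page_size
        if off + page_size > len(data):
            break                               # truncated or corrupt file
        # Trunk page layout: next trunk page, leaf count, then the leaf page numbers.
        trunk_next, n = struct.unpack(">II", data[off:off + 8])
        n = min(n, page_size // 4 - 2)
        for leaf in struct.unpack(">%dI" % n, data[off + 8:off + 8 + 4 * n]):
            start = (leaf - 1) * page_size
            if marker in data[start:start + page_size]:
                hits.append(leaf)
        trunk = trunk_next
    return total, hits

def build_sample_db(path):
    """Constructed sample (not a real sms.db schema): insert rows, then delete all."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum=NONE")      # keep freed pages in the file
    con.execute("PRAGMA secure_delete=OFF")     # assumption: freed content not zeroed
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
    rows = [("constructed sample message %04d " % i + "x" * 150,) for i in range(500)]
    con.executemany("INSERT INTO message (text) VALUES (?)", rows)
    con.commit()
    con.execute("DELETE FROM message")          # table is now empty to any SQL query
    con.commit()
    con.close()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        build_sample_db(path)
        return free_pages_with_marker(path, b"constructed sample message")
```

A non-zero freelist count in a database's header is a quick indicator that a deleted-data pass is worth running; a zero count does not rule out remnants elsewhere, such as unallocated space inside in-use pages.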
EDIT
See post below from 8/23 for possible solution. And thank you to Lee for working with me to make MPE+ do what I want it to do.
Lee,
I appreciate you jumping in here and defending your product. I know I have been unkind to MPE+, but I am very frustrated with it, and when I saw that I am not the only one frustrated, I decided to share my frustration. I am trying to work through this with your support people, but thus far I have had no luck.
What I wanted MPE+ for is exactly what you describe, a second opinion on other tools because no one tool can interpret everything. In fact, all the tools combined can't interpret everything. If I could afford XRY and Oxygen, I'd have those as well. As is, I'll get by with Cellebrite, MPE+, and BlackLight.
As to my trouble importing .img files created by Cellebrite Physical Analyzer. I have verified twice with Cellebrite that the .img file generated by Cellebrite when doing a physical extraction is an exact bit-for-bit copy of the flash memory of the device. I have tried with three different iPhone images, and none of them are interpreted by MPE+, usually with the message "MPE could not complete the import. Please verify that you selected a supported file type." If I attempt to trick MPE+ into ingesting the image by renaming it to a .dd4 or .dd8 file, it does import the file, but it cannot interpret any of the data. I can see the file system, but when I ask it to interpret it as an iOS device, I get nothing.
As an aside, why does MPE+ care about the extension? The .img file is refused, but if I rename it .dd4 or .dd8 at least it makes an attempt. If I name it a .zebra file but it contains an iOS file system, why doesn't MPE+ go ahead and try to interpret it?
I have to laugh at your comment about path lengths. Here's an error message from MPE "Some files could not be written to disk because their names and/or paths are too long. Would you like to view a list of these files?" This is the message I get when I try to interpret iOS data from a .dd8 image I've tricked MPE into importing by renaming from .img. Then, after I select all the extraction options, I get no interpreted data. I think I am getting this message because MPE+ is dumping the filesystem contents to a temporary location to be interpreted. I have tried to shorten the path to the temporary location as much as possible, but that has not helped.
My comment about the second opinion and magically picking up files is that if I dump the file system out of Cellebrite or create a PKZIP file of the file system and there are long paths that can't be exported, there is nothing MPE+ can do to make those missing files suddenly appear in MPE+. This is not a limitation of MPE+, it is a limitation of PKZIP and NTFS. I do want MPE+ to be able to interpret data that Cellebrite cannot. That was my purpose for buying it. I prefer that MPE+ interpret the original binary data rather than a dumped file system which Cellebrite has interpreted for us.
As to the deleted SMS messages, I admit I did not know I needed to ask it to parse for deleted messages. This appears to be user error on my part. I don't have access to that phone any longer, or I would try again.
EDIT I forgot to add that if I am able to get this resolved I will report back with the resolution.
I am trying to work through this with your support people, but thus far I have had no luck.
EDIT I forgot to add that if I am able to get this resolved I will report back with the resolution.
Please contact me directly via and I know I can resolve your situation.
First, MPE+ can support data extracted from any tool and can help verify the findings you might have discovered using other tools as well as uncover much more data with its advanced features.
Putting aside the obvious nepotism in your post, how can you make this statement when all the evidence of independent practitioners who have posted here is the exact opposite?
You need to stop the company line in defending a clearly underperforming product and work with the end users to try and improve your product and bring it up to spec.
Lee is going out of his way to help me figure this out, and the only reason it hasn't happened yet is my schedule and technology limitations (namely, I don't put my forensic computers on the Internet).
I'll let everyone know as soon as I know what the solution is. I'll also let you know if there is no solution, but please don't judge yet.
I may have some preconceived ideas, but they are not without merit.
Don't worry, I'm not judging them based on your problems, I judged them years ago based on numerous issues I've experienced with numerous pieces of their software.
If I may (and "from the outside", never having used the tool, nor having any kind of familiarity about the Authors of the tool) I notice something "queer".
The essence of this thread are reports that the software (according to some knowledgeable members of this forum, and customers) has some issues (or limitations) that the manufacturer/programmers (or the assistance) were not able to solve in a timely fashion or "at all".
The intervention of someone from the manufacturer in these terms sounds - to me - as an attempt to re-close Pandora's vase (or a more common can of worms).
This is not to incite replies and if some additional answers are needed I would ask it is sent directly to me at my email address.
I do appreciate any feature requests so please send any and all directly to me. No need to post them here.
Please contact me directly via and I know I can resolve your situation.
So there are ways, but they are not to be talked publicly here (nor in the tool support forum)? 😯
The posts by FlaCop and Bulldawg (and as well the ones by brunomac), as I see them, once "cleared" off the (BTW understandable) rants, are circling around documentation, support and customer care issues (particularly this latter), as I see it, it could be an occasion to publicly clear the doubts and - where applicable - try to provide an explanation to some of the described behaviours (if not downright some apologies).
jaclaz
I'd like to start by thanking Lee and his team for helping me out. He and I spoke for about 30 minutes today and I was able to show him where my concerns were, and I think we have a good chance at a positive resolution.
A brief history
I deal mostly with iPhones. Modern iPhones are encrypted. My perfect use scenario for MPE+ is as a second or third opinion on the data Cellebrite PA and BlackLight decode, but I rarely have possession of the phone long enough to image the phone twice. What I want to do is use Cellebrite to take the image and then use that image in MPE+. I asked specifically about that during the sales process and was told unequivocally yes, it can read physical images from Cellebrite. So, when I got my MPE+ license and threw an iPhone physical image at it and it failed to read anything, I was naturally a little peeved.
I was even more angry when I inquired of AccessData's support team, and the answer was "To my understanding Cellebrite uses a proprietary format for most of their images, so they will not be able to be read by MPE+." So sales tells me yes it can, and support tells me no it can't.
This is what touched off my rant from yesterday. Based on the information I had at this point, I had been lied to by sales in order to make the sale.
(we think) The solution
I explained to Lee today my desire to image a phone once and use it in both Cellebrite PA and MPE+, and once we determined that the reason I haven't been able to import any Cellebrite iPhone images into MPE+ was encryption, I think Lee has the answer.
The .UFD file is a plain text file with some basic information about the image, including the encryption keys. Lee and his team think they can use this key information, modify a copy of the .UFD file and then import the image into MPE+ as if it had been imaged by MPE+.
Lee has already been able to get the file system to decrypt, but the iOS parser isn't working yet. Seeing how committed he is to making this work, I think there is a good chance it will work.
I will report back when we get it working.
I am very happy to report that Lee was able to convert the .UFD file into a usable .iso_keys file so that MPE+ can import iOS physical images from Cellebrite. He's working on instructions to do this for any .UFD file. I will be testing that out next week.
I'm hoping that this functionality can be integrated into a future release of MPE+ so there will be no need to manually convert the .UFD file.
We didn't work on it, but I would think the same would be possible with BlackBerry and Android images. I'll investigate when I get some time.
Bumping. Trying to place a .UFD file system image from an iPhone 4S into FTK (I do have MPE+).
Any update on this process and if it can be accomplished?