
IEF mobile forensics

CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

I've been hearing a lot about IEF used in mobile forensics, so I wanted to test it out for myself.

How can I import logical or physical images taken by (Oxygen, XRY, Cellebrite) that have image extensions of (.fdb, .xry, .ufd) into IEF to conduct further analysis on unallocated space?

Or is there a way to take images from phones of extensions that are accepted in IEF?

Thanks.


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

Searches dd, bin and dmg images

According to the IEF website... you are going to need to do a physical dump, I think.

I'm always a little cautious when a tool which is very strong on one discipline, decides to branch out into another area.

I've seen lots of tools try this and usually the result is not the best, think EnCase doing mobile forensics is a classic example.

Having said that I haven't used IEF to run across mobile images but I would be surprised if it can do a better job of carving and interpreting the data than what UFED or XRY can do with their own images.

I'm in no way having a dig at IEF here because it's a fantastic tool and if anyone has run direct comparisons with IEF compared to XRY or UFED I'd be very interested to see how they compare head to head. I would expect maybe IEF to be up there on internet artifacts but mobile centric data I would expect the mobile tools to perform better.


   
(@kbertens)
Trusted Member
Joined: 13 years ago
Posts: 88
 

Just did a couple of tries with the IEF mobile phone support.

You need to have a physical dump like a Ufed bin file.
If I'm right they are looking at the xry format too.

The power of IEF compared to XRY and Ufed: the possibilities of file/information carving in unallocated space.
XRY and Ufed are good to show the results based on the allocated information like databases; for carving, maybe have a look at IEF.


   
(@mitch)
Estimable Member
Joined: 19 years ago
Posts: 135
 

I'm always a little cautious when a tool which is very strong on one discipline, decides to branch out into another area.

I've seen lots of tools try this and usually the result is not the best, think EnCase doing mobile forensics is a classic example.

Totally agree with you, personally IEF should have developed a totally separate application regarding mobile forensics, in my opinion.


   
MagnetForensics
(@magnetforensics)
Eminent Member
Joined: 16 years ago
Posts: 40
 

Hey everyone,

Just want to answer the OP's question first. CopyRight, to search physical images from Cellebrite or other tools just click the Mobile button on the main screen in IEF, then iOS or Android, and then Image. Point it at your image file (.bin, .img, etc) and then a search type (Full, Quick, etc) and you're all set. The only requirement is that the file is in a format supported by IEF (raw/dd, .E01/Ex01, and .L01/Lx01 to mention a few, and soon AD1 in our next release).

If you only have a file system dump from the phone, then click "File Dump" instead of "Image" in the above paragraph. The files need to be already extracted from an archive (if they were in a Zip archive) but we're adding Zip support in our next release.

To address the other comments/concerns, I want to first say that I totally understand the concerns and it's something we took into consideration, but here's where we're coming from and why we added support for mobile artifacts to IEF.

As we attended conferences in 2012 and spoke to many customers, the theme we kept hearing was that people loved what we did on PC images and wanted us to extend that to mobile images as well. At first we had the same concerns but after some thought and consideration, it just seemed to make sense. We recover artifacts, that's our focus and expertise. Whether we do that on a hard drive or an image from a mobile device, it doesn't matter all that much.

We also considered getting into the actual data acquisition from the device but decided that this would be diverting from our area of expertise and didn't make sense when there are good solutions out there for acquisition already.

Early on after we added our mobile support we had (and continue to receive) dozens of success stories from customers (directly to us or on mailing lists/forums/twitter) of how IEF was able to recover a great deal more data from their images, especially deleted data, which is exactly what our goal was. Because artifact recovery is what we do day-in, day-out, we can go deeper on images than other tools might.

Finally, to mitch, we considered making the mobile product a separate product but it would've been a bigger endeavor and the cost would have likely been higher as a separate product.

I'd be happy to provide a free trial to anyone who wants to try out IEF on a few physical images to see the real world results, I find that's the best way to evaluate a tool. I can say all sorts of nice things here (and I'm not blowing sunshine up anyone's you-know-what) but don't believe me, try it out for yourself. Best way to contact me is by email, at jad(at)magnetforensics(dot)com.

Thanks and best regards,
Jad
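
A pre-import check for the formats named in the post above, as an added example that is not part of the original thread and not Magnet's code: it identifies an evidence file's container from its header bytes instead of trusting the extension. The signatures are the publicly documented ones for EWF (E01/L01 and their v2 forms), AD1 and ZIP; the function names and sample data are constructed for illustration.

```python
import os
import tempfile

# (magic at offset 0, format, status as stated in the post above)
SIGNATURES = [
    (b"EVF\x09\x0d\x0a\xff\x00", "E01", "listed as supported"),
    (b"EVF2\x0d\x0a\x81\x00", "Ex01", "listed as supported"),
    (b"LVF\x09\x0d\x0a\xff\x00", "L01", "listed as supported"),
    (b"LEF2\x0d\x0a\x81\x00", "Lx01", "listed as supported"),
    (b"ADSEGMENTEDFILE", "AD1", "announced for the next release"),
    (b"PK\x03\x04", "ZIP", "extract first; support announced"),
]

def classify_image(path):
    """Return (format, note) from the header bytes, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(1024)
    for magic, fmt, status in SIGNATURES:
        if head.startswith(magic):
            return fmt, status
    # raw/dd has no header of its own, so look for a partition table instead.
    if head[512:520] == b"EFI PART":
        return "raw", "GPT header in sector 1"
    if head[510:512] == b"\x55\xaa":
        return "raw", "MBR boot signature in sector 0"
    return "unknown", "no known signature; may still be a headerless raw dump"

def demo():
    """Classify constructed header samples (not real evidence files)."""
    samples = {
        "case1.E01": b"EVF\x09\x0d\x0a\xff\x00" + b"\x00" * 64,
        "dump.bin": b"\x00" * 510 + b"\x55\xaa" + b"EFI PART" + b"\x00" * 504,
        "fs_dump.zip": b"PK\x03\x04" + b"\x00" * 64,
        "blank.bin": b"\x00" * 1024,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = classify_image(path)
    return results

if __name__ == "__main__":
    for name, (fmt, note) in demo().items():
        print(f"{name}: {fmt} ({note})")
```

A partition-level or raw NAND dump can legitimately come back as `unknown`, because raw/dd carries no header; the check is most useful for catching a proprietary or archived export that has been renamed to `.bin`.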


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

Jad I'm always happy to test things out and as luck would have it I have some iPhone physical and file system dumps where deleted artifacts will be highly relevant if I can find them.

I've emailed you.


   