
Open source or low cost tool for Mobile Acquisition

(@jsmacedo)
Active Member
Joined: 8 years ago
Posts: 5
Topic starter  

Hello, everyone,
I just went through the last year's topics in the Mobile subforum, but I could not find an exact answer.
I worked with Cellebrite 4PC and PA for acquisition and analysis, but now I do not have enough resources to buy it (not until I sell some other project).
I'm looking for an open source or low cost solution for mobile acquisition and analysis.
I made a test with Magnet Acquire, which allowed me only "Quick Acquisition" for a Xiaomi Mi6 running Android 8. In the same way, it should allow me only a "Quick Acquisition" for an iPhone 5 running iOS 10.3.3. I understand that I'll get "Full Acquisition" only for rooted/jailbroken devices (please tell me if I'm mistaken), a situation that is not so common in a daily investigation.
In the same way, I just analyzed it with Magnet AXIOM, through a trial license kindly delivered by a Magnet Forensics account manager, but I could not find app installations or WhatsApp messages, maybe due to the allowed acquisition method (Quick only).

Can any of you suggest other tools that will allow me to acquire and see WhatsApp, Messenger and other chat content (this is the biggest concern), as well as installed apps?
I remember that it worked fine in my previous experience with Cellebrite 4PC using the "Full File System" acquisition.

I tried Andriller, which did not work well because I could not find the "key" file for WhatsApp.

Thank you!


   
Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
 

You are not able to decrypt WhatsApp databases without the key file.


   
(@thomass30)
Estimable Member
Joined: 9 years ago
Posts: 110
 

You need to have a physical image of a rooted device, or at least a file system dump, in order to get access to app databases like Messenger chats.

For analysis you can try Autopsy, an open source forensics tool.


   
OxygenForensics
(@oxygenforensics)
Estimable Member
Joined: 14 years ago
Posts: 143
 

Jsmacedo, have you tried Oxygen Forensic Detective?
The software will allow you to extract WhatsApp data from Apple iOS devices via logical method and from Android devices via various physical methods.
Moreover, with the built-in Cloud Extractor, you can access WhatsApp backups in iCloud and Google Drive. We also offer an exclusive opportunity to extract certain WhatsApp data directly from the WhatsApp Server.
As for the WhatsApp backups decryption, the software can extract a special token from Android devices with which you can decrypt mobile and cloud WhatsApp backups. This is the alternative method for the widely used one with the key file.


   
(@jsmacedo)
Active Member
Joined: 8 years ago
Posts: 5
Topic starter  

Jsmacedo, have you tried Oxygen Forensic Detective?
The software will allow you to extract WhatsApp data from Apple iOS devices via logical method and from Android devices via various physical methods.
Moreover, with the built-in Cloud Extractor, you can access WhatsApp backups in iCloud and Google Drive. We also offer an exclusive opportunity to extract certain WhatsApp data directly from the WhatsApp Server.
As for the WhatsApp backups decryption, the software can extract a special token from Android devices with which you can decrypt mobile and cloud WhatsApp backups. This is the alternative method for the widely used one with the key file.

Hello,
Thank you for your response.
I just received a trial license from the local representative and I'll give it a try.
I heard a lot about Oxygen Forensics in the past from previous professional experience, but I kept using Cellebrite at that time.
Considering that I'm still planning the services and budget to acquire new resources for external offering, Oxygen can become a nice option.
One more time, thank you!


   
(@jsmacedo)
Active Member
Joined: 8 years ago
Posts: 5
Topic starter  

You are not able to decrypt WhatsApp databases without the key file.

So, considering that the key file is available only on rooted/jailbroken devices (correct me if I'm wrong), it is almost not possible without changing the evidence.
I'm asking because I remember succeeding in getting a few parts of a WhatsApp conversation while executing a "Full File System" acquisition with Cellebrite.


   
(@jsmacedo)
Active Member
Joined: 8 years ago
Posts: 5
Topic starter  

You need to have a physical image of a rooted device, or at least a file system dump, in order to get access to app databases like Messenger chats.

For analysis you can try Autopsy, an open source forensics tool.

Thank you, Thomas.
I believe that it is becoming more and more difficult to get this kind of data without changing the evidence. Considering my previous experience with Cellebrite, I can count on my fingers the number of times when I was able/allowed to acquire a physical image of a device.


   