Evaluation of Cell phone forensic software/hardware  

akaplan0qw9
(@akaplan0qw9)
Member

Colleagues,

I'm interested in receiving a frank evaluation of software/hardware packages that you have actually used. We all know that manufacturers tell us all the wonderful things their product does. They fail to mention problems and things that their product will not do.

I would like to hear about dropping one product and switching to another and the reasons for that. Please do not consider price in your comments. I would like your evaluation in terms of operational effectiveness. If deleted data is rarely or never recoverable, please say so.

Thanks for your help.
Posted : 05/04/2011 6:57 pm
AlexC
(@alexc)
Active Member

Hi Alan,

You've probably already looked at this stuff, but in case you haven't, it's always worth checking out NIST's tests of software

http://www.cftt.nist.gov/mobile_devices.htm

It's a shame that in this fast-moving field they don't keep quite as up to date as might be possible, but it does help illustrate some actual capabilities.

Posted : 05/04/2011 8:04 pm
akaplan0qw9
(@akaplan0qw9)
Member

Alex,

Thanks. I find the test parameters, but failed to find specific test results for any cellular forensic products. Did I miss something?

Posted : 05/04/2011 10:02 pm
ThePM
(@thepm)
Active Member

We have been using a lot of different cell phone forensic tools in the past 5-6 years. Here is a quick overview of our experience:

Mobiledit Forensic: this was the first software we've used. It was the only one supporting the Motorola RAZR at the time… We've used it a while but dropped it since because the software was buggy and there weren't many updates at the time. Also, the phones added when updated were often European phones, which is useless for me.

Paraben Device Seizure: We originally bought Paraben PDA Seizure, which then transformed into Device Seizure. We don't use this product much, i.e. only when other products have failed or with GPS devices. In my experience, the software has stability issues, which is why we don't use it much.

Susteen SecureView Forensics (Datapilot): When we bought this kit, it came in a cheap transport case that broke 2 months after purchase… As for the software, it is pretty basic. It supports a lot of phones, but the number of items that can be extracted per phone is often limited. I haven't personally tried the latest version, but the software was not as user-friendly as other solutions on the market.

XRY: XRY is a good product to conduct forensic examinations of cell phones. The updates are frequent enough; they include a very complete phone manual with each release describing each supported phone with the required cable, what items can be extracted and notes to facilitate the extraction process. When a new update is available, they send you a Release Notes document with the new features/supported devices. They also send you new data cables if needed. Also, I have had a very good experience with their tech support dept. I must also say that I've encountered some stability issues with the software. I haven't worked with their Physical plugin (XACT), so I can't comment on its ability to retrieve deleted items.

CelleBrite: IMHO, the rising star of cell phone forensics. Very simple to use and A LOT of phones are supported. Recently, they added the possibility of retrieving lock codes of some CDMA phones directly on the device. Unfortunately, the number of updates/year is low (3-4), but those updates bring support for A LOT of new phones. Like XRY, if new cables are released along with a software update, they will send them to you by mail. As for technical support, my experience has been so-so. When I dealt with 1st level technical support agents, my questions weren't always answered. But when I escalated the problems to higher levels, I got much better answers. As for their Physical Pro, I haven't tried it personally so I can't comment.

Jonathan Zdziarski iPhone Tools: As Law Enforcement, I have access to his forensic imaging and unlocking tools. After using them many times, I must say that I'm not a big fan… The problem is that JZ offers no support (email or other) for his tools. So, if you get it to work, good for you. But if you have any type of issue, you are on your own big time… You can send him an email, but don't expect an answer. We have paid for his training on his tools, but now we are looking at FTS iXAM as an alternative to JZ's solution.

Mobilyze: This is a great analysis/reporting tool for iOS devices. It can analyze full disk images acquired with the JZ method as well as iTunes backups of iOS devices. If you feed it with a full disk image, it will be able to find deleted items. The GUI is great, but we've had some crashes. However, keep in mind that this is a new solution and I hope that we will see its stability improve with the 2011 releases. In the next few weeks, Mobilyze should be integrated in another Blackbag Software product, Blacklight.

CDMA Workshop: This is not an analysis tool, but it allows you to retrieve the lock code on most CDMA phones. Although not very user-friendly, it does this job well once you know how to use it. However, since this is not a forensic tool, you might damage your evidence if not used carefully.

Bottom line is we are using CelleBrite in about 50% of our cases, XRY 40% and the rest of the tools 10%, aside from locked iPhone devices that we try imaging with the JZ method and analyze with Mobilyze.

Also, if I may give you a hint, isolate each software package from the others to avoid driver conflicts. Some solutions work with "home made" drivers and other packages work with the phone manufacturer's drivers. If those are all installed on the same OS, believe me, you WILL have issues. What we did here to solve this problem is that we installed each software package in its own VMware virtual machine and the VM is deployed on our analysis computers. CDMA Workshop does not work in a VM environment.

Hope this helps.

Posted : 05/04/2011 10:04 pm
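The point above about Mobilyze only finding deleted items when fed a full disk image (and the original question about whether deleted data is recoverable at all) comes down to how the app's storage engine treats freed records. The following is an added example, not code from this thread or from any of the tools discussed: it builds a constructed SQLite "sms" table (iOS apps store most user data in SQLite), deletes one row, then contrasts what a logical query returns with what a raw byte scan of the file finds. The secure_delete flag stands in for an application's own configuration: SQLite's default leaves freed cell bytes in place, whereas PRAGMA secure_delete = ON zeros them, which is the case where even a physical image yields nothing.

```python
import os
import sqlite3
import tempfile

# Constructed sample messages (not real data); the row with id 2 gets deleted.
SAMPLE_MESSAGES = [
    (1, "msg-1 meeting at noon"),
    (2, "msg-2 deleted-record-marker"),
    (3, "msg-3 call me back"),
]


def build_db(path, secure_delete):
    """Create a small 'sms' table, commit, then delete one row and commit again.

    secure_delete maps onto SQLite's PRAGMA secure_delete: when ON, the bytes
    of a freed cell are overwritten with zeros; when OFF (SQLite's default
    unless built with SQLITE_SECURE_DELETE), only the 4-byte freeblock header
    is written over the cell and the rest of the record body lingers in the page.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode = DELETE")  # rollback journal, removed on commit
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE id = 2")
    conn.commit()
    conn.close()


def logical_bodies(path):
    """What a logical / backup-style extraction sees: live rows only."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM sms ORDER BY id")]
    conn.close()
    return rows


def carve_marker(path, marker):
    """What a full-image examiner can do: scan the raw file bytes, ignoring
    the database's own bookkeeping about which cells are still allocated."""
    with open(path, "rb") as f:
        raw = f.read()
    return raw.find(marker.encode("utf-8")) != -1


def compare(secure_delete):
    """Run both views against a fresh database built with the given setting."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        build_db(path, secure_delete)
        return {
            "logical_sees_deleted": any("msg-2" in b for b in logical_bodies(path)),
            "raw_image_sees_deleted": carve_marker(path, "deleted-record-marker"),
        }


if __name__ == "__main__":
    for flag in (False, True):
        print("secure_delete=%s -> %s" % ("ON" if flag else "OFF", compare(flag)))
```

With secure_delete OFF the logical query never returns the deleted message but the raw scan still finds it, which is exactly the gap between a backup-style extraction and a physical image. With secure_delete ON neither view recovers it, so "deleted data is recoverable" is a property of the target application's storage settings as much as of the forensic tool. Real carving also has to cope with records split across pages, overwritten space and WAL files, which this small example does not model.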
AlexC
(@alexc)
Active Member

Alex,

Thanks. I find the test parameters, but failed to find specific test results for any cellular forensic products. Did I miss something?

If you scroll down to the "REPORTS" section you'll find links to reports on specific tools:

Test Results for Mobile Device Acquisition Tool Mobilyze 1.1 (January 2011)
Test Results for Mobile Device Acquisition Tool iXAM Version 1.5.6 (December 2010)
Test Results for Mobile Device Acquisition Tool Zdziarski's Method (December 2010)
Test Results for Mobile Device Acquisition Tool WinMoFo Version 2.2.38791 (November 2010)
Test Results for Mobile Device Acquisition Tool Secure View 2.1.0 (November 2010)
Test Results for Mobile Device Acquisition Tool Device Seizure 4.0 (November 2010)
Test Results for Mobile Device Acquisition Tool XRY 5.0.2 (November 2010)
Test Results for Mobile Device Acquisition Tool CelleBrite UFED 1.1.3.3 - Report Manager 1.6.5 (October 2010)

and so on.

Those reports note which parameters the particular tools pass or fail, etc.

Posted : 05/04/2011 10:19 pm
akaplan0qw9
(@akaplan0qw9)
Member

Hitman,

Wow! You did a lot of work on this. Thank you very much.

Al

Posted : 05/04/2011 10:51 pm
akaplan0qw9
(@akaplan0qw9)
Member

Alex,

Thanks again!

Posted : 05/04/2011 10:59 pm