
Software/Hardware question  

srogers
(@srogers)
New Member

Hi All. I am with a law enforcement agency and we are in the process of looking for software/hardware to help with cell phones. We currently are not using anything. I have looked at the Cellebrite UFED (expensive). I was hoping some of you could give some suggestions or recommendations of other options that are out there. Our budget is somewhat tight…and will only have maybe a couple thousand to spend. Thanks in advance!

Posted : 17/10/2011 8:22 pm
LilPopps21
(@lilpopps21)
New Member

Hi srogers,

If you can afford a Cellebrite UFED I highly recommend it. We utilize the UFED Physical Pro in our shop and in terms of acquisition ease and dependability no other tool I have used compares. The UFED comes with Physical Analyzer which is the software used to analyze the .ufd files that Cellebrite generates. Physical Analyzer is a solid analysis tool, but like most forensic tools there is some room for improvement. Cellebrite also supports numerous phone models for physical dumps (need UFED Physical), file system dumps, and logical content dumps. I know multiple examiners who utilize Cellebrite and are satisfied with the product.

We also have Paraben Device Seizure which we will use to correlate our Cellebrite findings. Device Seizure is much cheaper than Cellebrite but like most things in life you get what you pay for. That is not a knock at Paraben by any means but I prefer to use the UFED as do many others.

There are other tools out there such as AccessData Mobile Phone Examiner, Micro Systemation XRY, Oxygen Forensics, etc. I have only briefly utilized these forensic tools, so I cannot offer any opinion on them but maybe others on this forum can offer some insight.

I know most of these companies offer product "Demos" so I would consider contacting the different vendors and trying the software/hardware for yourself. Another consideration should be your "typical" examinations (i.e. OS Type, Active v. Deleted Content, etc.) Some tools have greater support for specific OS Types such as Symbian. As a law enforcement agency I would suspect that you would be highly interested in deleted content and therefore would need a forensic tool which has the capability of performing physical acquisitions.

I hope this helps.

KP

Posted : 17/10/2011 8:55 pm
armresl
(@armresl)
Community Legend

Too many people to name can't afford UFED and prefer Paraben. And don't just think of heading to Paraben for price; it's a great piece of software.

Stick with companies who do certain things well. AccessData = indexing, email, Digital Detective, Internet Browsing, etc.

I personally would keep your choices on UFED and Paraben, but call sales of Paraben first as it's more within your budget and you don't need a kit for their product. Of course UFED does a few things Paraben doesn't do so you will have to weigh how many fake phones you get in, how many jailbroken phones you get in, how many locked phones you get in, etc.

Cya.

Posted : 18/10/2011 5:12 am
srogers
(@srogers)
New Member

Thank you for the responses! I have tried to take a closer look at both the UFED and Paraben. Looks like most of the phones we are getting in are your most "popular" smartphones, i.e. iPhone, Droids, BlackBerry, etc.

My understanding is the UFED will extract deleted items, such as texts, pictures… Is this something the Paraben software can do as well?

Posted : 19/10/2011 11:00 pm
ThePM
(@thepm)
Active Member

UFED does not have carving capability on iOS devices yet, which means that you can forget about recovering data from unallocated space on those devices. However, it can recover deleted stuff that was stored in SQLite databases (deleted contacts, SMS, call logs). For the rest, don't get your hopes too high.

Posted : 20/10/2011 2:10 am
RonS
(@rons)
Active Member

Hitman,

iOS4 and above physical dumps are encrypted, so unallocated space is encrypted and there is no solution to decrypt it.

A very limited amount of data can be extracted if the "Journal" is used, and it will mainly be relevant for items that were deleted very close to the extraction itself.

UFED PA will very soon have generic SQLite deleted data extraction capabilities that will allow the extraction of deleted data from most database files (iPhone and Android)

RonS

Posted : 20/10/2011 11:27 am
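
Why deleted SMS rows can still be pulled out of an SQLite file, as discussed in the two posts above, shown as an added example (not part of the thread and not any vendor's implementation): freed pages stay on the database's freelist with their old bytes until reused. The table name, phone number and message text are constructed sample data, and the demo assumes `secure_delete` and `auto_vacuum` are off.

```python
import os, pathlib, re, sqlite3, struct, tempfile

def build_sample_db(path):
    """Constructed sample: an SMS-like table with rows 11-300 deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum = NONE")   # freed pages stay in the file
    con.execute("PRAGMA secure_delete = OFF")  # deleted bytes are not zeroed
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    rows = [(i, "+15550100", f"constructed message {i:03d} meet at pier nine") for i in range(1, 301)]
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)", rows)
    con.commit()                               # rows reach the disk before deletion
    con.execute("DELETE FROM sms WHERE id > 10")
    con.commit()
    live = [row[0] for row in con.execute("SELECT id FROM sms")]
    con.close()
    return live

def freelist_pages(raw):
    """Follow the freelist trunk chain recorded in the 100-byte file header."""
    if raw[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    size_field = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if size_field == 1 else size_field
    trunk = struct.unpack(">I", raw[32:36])[0]   # first freelist trunk page
    pages, seen = [], set()
    while trunk and trunk not in seen:           # guard against pointer loops
        off = (trunk - 1) * page_size
        if off + page_size > len(raw):
            break                                # truncated or corrupt file
        seen.add(trunk)
        nxt, n = struct.unpack(">II", raw[off:off + 8])
        n = min(n, (page_size - 8) // 4)         # leaf pointers listed in this trunk
        pages += [trunk, *struct.unpack(f">{n}I", raw[off + 8:off + 8 + 4 * n])]
        trunk = nxt
    return page_size, pages

def carve_free_pages(path, min_len=12):
    """Return printable ASCII runs found in pages that SQLite marks as free."""
    raw = pathlib.Path(path).read_bytes()
    page_size, pages = freelist_pages(raw)
    runs = []
    for p in pages:
        page = raw[(p - 1) * page_size:p * page_size]
        runs += [r.decode("ascii") for r in re.findall(rb"[ -~]{%d,}" % min_len, page)]
    return runs

if __name__ == "__main__":
    db = os.path.join(tempfile.mkdtemp(), "sms.db")
    print("live ids:", build_sample_db(db), "carved runs:", len(carve_free_pages(db)))
```

Carved runs can also contain rows that are still live, so results need to be compared against a normal query of the table before anything is reported as deleted.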
ThePM
(@thepm)
Active Member

Hitman,

iOS4 and above physical dumps are encrypted, so unallocated space is encrypted and there is no solution to decrypt it.

True, however the poster did not specify if he was talking about iOS4. We are still seeing a fair amount of iPhone 3GS running iOS3+ which are not encrypted. According to the Cellebrite support, they do not support HFS+ low level carving (encrypted or not).

Also, in the case of an iPhone 3GS, even if it was upgraded to iOS4, it should not be encrypted. It would have to be restored to iOS4 for the encryption to be enabled.

Posted : 20/10/2011 6:37 pm
Boicpue
(@boicpue)
New Member

Cellebrite UFED extends the capabilities of Android mobile forensic
Cellebrite, the leading provider of mobile forensic device announced today that its Universal Forensic Extraction (UFED) is now able to extract data from Android phones in physical form. The UFED, which already offers the removal of physical and logical data decoding over 6,800 device profiles and GPS devices, which now includes the revolutionary physical removal Android devices, including LG, ZTE, Kyocera and Acer. Cellebrite UFED is the first forensic extraction device to perform a physical removal of NAND chips. The physical removal passes blocked devices and does not require grounding.
Physical removal Android allows the decoding of a variety of data types, including call logs, contacts, SMS, MMS, chat, sites, web history, pictures, videos, audio, text files and deleted data. Extraction and decoding is also possible for Wi-Fi and Bluetooth connections photo geolocation data. Extracted and decoded data can be presented in a report that can be used as evidence in a court of law.
mobile user testing

Posted : 01/11/2011 4:04 pm