Susteen’s Data Pilot 10 aims to make it easier for digital forensic examiners to acquire evidence from mobile devices in the field and analyse it back in the lab. In this review we will take a look at some of the Data Pilot’s key features and how it functions in a field environment.
The first thing that strikes you about this device upon removing it from the box is how rugged it is. It has a rubberised exterior that looks like it could deal with some fairly rough handling, and it has covers on all ports for protection. Dust and water resistance are also built in; the device is IP66 certified for water resistance and is milspec.
The large battery might seem a bit unwieldy, but it helps investigators not to run out of charge, and also allows users to charge any phones that are being used in the case as well.
On the back of the case is a camera, and on the front is an easy-to-read display which looks very similar to the kind of screen you’d see on most smartphones. There are docking ports along the bottom of the device – these plug into the docking station, which is part of the power kit.
Other dock features include USB ports on the front, to allow you to offload content, and ports where you can plug in various types of phone. There is also an Ethernet port should it be required, and the dock is Wi-Fi enabled, although this can be switched off if preferred. Charging a spare battery from the dock is another option, should you be in a rural setting or a situation where you might need a lot of battery power.
The device ships with a ‘pigtail’, a cord with a port on one end for the device itself and three cords on the other end: one with a micro-USB connector, one with a USB Type-C connector and one with an Apple device cable. This comes as standard in the box with the charger, and you can add on extra power kit options if required.
To get started, simply plug your device into the Data Pilot. Susteen have created this tool with the specific intent of simplicity, so there should only be a bare minimum of training required even if you’re working with investigators who are not especially tech-savvy. A free 15-20 minute webinar is included with ownership, and this is all most people will need in order to use the Data Pilot.
Android devices will need to be put into debugging mode in order to be acquired. Apple devices will show a pop-up asking whether you want to ‘Trust this computer’; simply click ‘Yes’ and you will then be on your way.
There are two potential paths to follow: Acquire and Report, along with some extra settings. The settings are quite basic, again because the goal is ease of use; they include restarting or shutting down the device, and modifying the date and time.
Once you’ve got your device set up, click ‘Acquire’ and select the device you’re using. You will then be given three choices.
Optical Screen Capture uses the camera on the back of the Data Pilot to take photos of the screen of the phone. It also has OCR capabilities, so it can translate the text into a searchable format. This is especially useful if the port on the device has been damaged.
Linked Screen Capture is the same idea, but if the port is working this is a much more effective way of getting the information you need. It takes screenshots from the phone throughout analysis so you have everything stored in an easily viewable way. Increasingly, phones have encrypted apps which won’t deal well with phone dumps or downloads; the Linked Screen Capture option is a great way to get around this by giving you a duplicate of the phone’s screen. The built-in OCR capabilities apply here as well.
Acquire Data is the third option; clicking on this will show you a few simple filters, such as ‘How Long Ago?’ which lets you choose a timeframe between 30 minutes and 48 hours, or you can just select ‘All’ which will give you all the data from the device.
You will then be prompted to select your acquisition type. Fast Acquisition will just give you the contacts, call history and messages; Complete Acquisition will give you a full logical dump of the handset. The complete acquisition will of course take much longer, so if your goal is simply to extract enough evidence on the scene to be able to proceed, you will probably want to select Fast Acquisition for the moment. And this option does what it says on the tin; it can extract data from most phones within about five minutes.
When it has completed the acquisition, the Data Pilot will create a PDF report as well as another output file that most systems can read. The output file is compatible with a lot of other forensic products, so you could upload it into Cellebrite’s UFED, for example, and complete your analysis there.
The ‘Summary’ button allows you to search the data you’ve acquired in the field for keywords, phone numbers and other points of interest. It is also possible to do deeper dives on some of the data, although this is limited as the primary purpose of Data Pilot is as a field acquisition tool. The XML file which is automatically created is where you will probably be doing most of your deep diving later on, once you are away from the scene and back in the office.
Overall I liked the look of the device; it certainly seems sturdy enough to deal with conditions in the field. Its options are straightforward and I can see how it would be a useful tool for investigators who don’t have a strong background in technology or digital forensics; most people will be able to follow the on-screen instructions without too much trouble. If you spend a lot of time outside of the office, and particularly if you often work on cases where you need to extract data in the field very quickly, this is a great device to add to your repertoire.
Susteen specialise in mobile forensic solutions, and the Data Pilot 10 is specifically designed for use in the field. Find out more on Susteen's website.