Reviewed by John J. Carney, Carney Forensics
I am a digital forensics examiner who early in my career studied computer science and wrote code as a software developer and later in my career studied law and became a licensed attorney. I have acquired certifications in both mobile device forensics and computer forensics and own a private digital forensics firm in Minnesota. We love mobile! Half our case load is recovering dozens of flavors of deleted messages from every variety of phone known to humanity. But we also devise evidence strategy for complex civil litigation and draft preservation letters and requests for production and advise on e-discovery issues, which now increasingly turn on mobile evidence.
I obtained Magnet Forensics’ Internet Evidence Finder (IEF) in early January 2013 upon strong recommendations from friends in the industry. As a mobile examiner I procured it for examining microSD cards removed from the phone and placed behind a write blocker for live and deleted multimedia evidence including photo, video, audio, and anything else that might be there.
IEF worked so well on microSD cards that I started experimenting with it on phone handsets for six months beginning in January 2013. Knowing no bounds I performed my unsupported experiments on both smart phones and old feature phones. I ran IEF on images and file systems and found truly remarkable photo and video evidence upon which I used Magnet’s novel Skin Tone filter to search photos far more effectively. I also got app data from smart phones two years ago that surprised me including Kik Messenger, WhatsApp, and Gmail messages.
Mobile device forensics, if not in infancy anymore, has progressed to early childhood in relation to its mature sibling, computer forensics. This child has a lot to learn from its elders. IEF’s Mobile Module is an exceptionally good example of taking the best computer forensics has to offer and putting it to work on mobile evidence.
IEF’s Mobile Module is a new mobile device forensics tool produced by computer forensic software development pros that can scan a mobile device just like a hard drive and highlight hundreds of different types of artifacts. It draws upon Magnet Forensics’ hard drive data carving roots and expertise. And it reflects a world view and approach to digital forensics that has major strengths and also a few challenges for mobile device examinations. I will attempt to describe them both in this review and another yet to follow in Forensic Focus later this winter or spring.
Fundamentally, IEF is highly complementary with traditional mobile device forensics tools that predate it. These tools rely on bootloaders and other acquisition techniques for data extraction. IEF also complements advanced JTAG and chip-off methods used today for difficult device examinations including burner phones and devices that are damaged, locked, and otherwise impervious to data extraction. IEF analyzes device images and file systems with its strengths in multiple mobile browsers including carving for history, bookmarks, cache, cookies, autofill, visits, downloads, toolbars, etc. It performs sophisticated parsing of search engine queries and Google Analytics; also specialty URL parsing for dating, pornography, malware, cloud services, shipping, tax, web chat, social media, and classifieds sites.
IEF’s Mobile Module also supports a broad base of popular and forensically relevant mobile apps. And, as my curiosity drove me to discover two years ago, IEF has powerful data carving, filtering, and presentation capabilities for multimedia evidence.
But as is common to innovative upstarts in a relatively new industry, IEF needs a bit of work to complete some purely mobile device forensics functionality, which is not surprising given the developers’ deep roots in computer forensics.
IEF’s Mobile Module platform support is impressive out of the gate. All iOS variants for iPhone, iPad, and iPod are supported as are, not unexpectedly, Android versions old and new. And IEF leverages its Android support to provide analysis of Amazon’s Kindle Fire, an important platform often not supported by mobile device forensics tools. It probes Amazon’s Silk browser for evidence and may find remnants from the AWS Cloud on the device. IEF also leverages its computer forensics support of Windows 8 to provide analysis for Windows Phone which goes to native artifacts like SMS, MMS, e-mail, call logs, contacts, documents, photo, video, and browsers. But it also includes third party apps for messaging, social media and web mail. We look forward to using IEF’s Mobile Module on Windows Phone devices acquired with JTAG and Cellebrite’s brand new UFED bootloaders released this week.
And of course, IEF’s Mobile Module supports microSD cards, the reason for which I brought IEF into my forensics lab two years ago. I remove the card from the device and process it independently. Today I use IEF to examine it first as a hard drive image behind a write blocker for Windows/Mac artifacts. Then I use IEF’s Mobile Module to examine the card as a mobile device image behind a write blocker for artifacts from the mobile device from which it was removed. Quite often I get different results from the two examinations. I would love to see a microSD Card choice in IEF’s Mobile Module workflow navigation that would process the card with all of the computer hard drive artifacts and all of the appropriate mobile operating system artifacts together so I don’t have to do it twice and look at two reports.
IEF’s Mobile Module does not support aging platforms like Symbian abandoned by Nokia, now Microsoft. Nor does it support the old Windows Mobile, but I’ll bet it works great on an extracted file system given similarities between Windows and Windows Mobile. IEF’s Mobile Module also doesn’t support the standalone GPS platforms from Garmin, Magellan, and TomTom as most users have migrated to using navigation apps on modern smart phones. Old proprietary feature phones are not supported either, but as I discovered, if you force an IEF examination on an image extracted from one of them, you’ll get the best data carving and presentation of photo and video I’ve seen today. And not surprisingly, SIM cards are not supported. Back in the feature phone era a GSM phone’s SIM card was usually loaded with contact, call log, and SMS evidence. But I have yet to see a GSM smart phone brimming with SIM card evidence. I have a couple of great tools in my arsenal that I routinely use to check, but I don’t miss SIM card support in IEF’s Mobile Module.
BlackBerry support by IEF’s Mobile Module, however, would be desirable. Granted, the original smart phone’s popularity is dropping like a rock in today’s competitive marketplace, but the world is full of them. They remain a legacy challenge for mobile device examiners today. But I’m sure the development cost to support the platform is high given it’s a proprietary mobile operating system available in two varieties, BlackBerry OS and BlackBerry 10. And its apps are native. But is there another vendor, except Magnet Forensics, located in BlackBerry’s backyard, Waterloo, Ontario, who is better situated to capitalize on the local talent pool and unique hiring opportunities to master the world of BlackBerry forensics?
Mobile Device Specification
The difference in world view and approach to digital forensics between the mobile and computer communities comes into sharp focus when specifying the device image or file system as input to IEF’s Mobile Module. Examiners must get this right in order to get the best evidence for investigations and cases to be tried in court. Magnet Forensics is making this important task easier with a series of blog posts on specific mobile device forensics tools, but it is not a slam dunk that examiners can ignore or take for granted. Let’s take a brief look at a couple of these tools which acquire device images and file systems and consider emerging best practices for specification.
Cellebrite’s UFED features industry-leading bootloaders which acquire images from smart phones and tablets, feature phones, GPS units, etc. It is my flagship acquisition tool and anchors my workflow as diagrammed below. I also use it for examination and analysis, but cross validate with IEF’s Mobile Module.
Examiners can specify the first UFED binary for the device image in the folder and any additional binaries in that series will automatically be input by IEF’s Mobile Module. This convention is standard in computer forensics with tools like FTK and EnCase.
Examiners can also specify UFED zipped file systems similarly, whether they derive from forced iTunes backups or AFC (Apple File Connector) or both. They are typically partitioned into .z01, .z02, etc. files and identifying the first in the series to IEF’s Mobile Module will do the trick.
IEF’s Mobile Module unzips these zip files as it inputs the file system. The examiner does not have to manually unzip them. But know on specification that Magnet calls zipped file systems “images” and not files or folders. Be sure and navigate the tool’s workflow on input accordingly. As a shortcut examiners can alternatively specify Cellebrite’s UFED Dump file (.ufd) to IEF and it will work fine for images and file systems. Magnet does not officially support or document it yet, but I’ve tested it and it works.
Katana Forensics’ Lantern Lite does a nice job of imaging older iDevices (iPhone, iPad, iPod) that can be acquired in DFU mode. Examiners can specify the resulting .DMG file to IEF as an image. It carves them up well and delivers a cornucopia of rich iDevice evidence. Examiners can also specify Lantern’s .lantern files to IEF as a folder. IEF’s Mobile Module is great for cross validating Lantern.
Mobile Messaging Artifacts
At Carney Forensics we rely on IEF’s Mobile Module for its mobile messaging apps support. We examine a lot of iPhones and iPads, as most examiners do, and appreciate the great job it does with iMessages. I am pleased that SMS and iMessages are identified by type even as they are grouped together for presentation. But especially am I impressed with the quality of carved outbound iMessages. All three date and time stamps available are presented: Sent, Delivered, and Read. I expect to see a date and time the iMessage was sent. Some tools will tell me if there was a delivery failure, but IEF gives me the date and time of delivery. Lastly, I really appreciate read receipt metadata because so few tools report it. IEF puts it right out there in the report and I don’t have to go looking for it. I have the whole history of the outbound iMessage all in one place.
IEF’s Mobile Module does a really nice job carving Kik Messenger artifacts. I discovered its power earlier this year in a case in which the tool excelled on Kik evidence. Emoticons are rendered in message content, but what I really like is the unique distinction in timing a sent message between a device-based date and time stamp and a server-based date and time stamp. It can make a material difference in examinations with split second timing requirements, e.g. texting-while-driving cases. It turns out Kik Interactive is based in Waterloo, Ontario in Magnet Forensics’ backyard. The forensics development team has clearly made a concerted effort to support this app at a best-in-class level.
From time to time IEF’s Mobile Module produces mobile messaging app false positives. I have seen them for QQ Chat, LINE, and a few other apps. Infrequently the tool reports only unusable false positives for an app. In general IEF seems to err on the side of transparency in aggressively presenting this evidence to the examiner. Personally, I would rather my tools err on the side of an occasional false positive than to err by failing to alert me to evidence crucial to my case. With each release I am seeing fewer false positives. And IEF examiners can suppress all instances of the messaging artifact when reporting to clients, or when creating a portable case file. I believe there is a role for false positive filtering and suppression, if implemented wisely and professionally.
Web Mail Artifacts
We also rely on IEF’s Mobile Module to find web mail evidence for our clients’ investigations and legal cases. Right from the start it has delivered needed Gmail content and metadata. The latest release supports content in the form of an e-mail snippet, but also a visual depiction of the e-mail body. During one of our cases last year IEF was the only tool that found and reported Gmail messages.
Digital photograph carving for picture artifacts is absolutely superb. This feature has always been an IEF strength for examining hard drives, and that strength carries over to mobile devices. Even incomplete photos from unallocated storage or slack space are partially and cleanly rendered for examiners. IEF’s Skin Tone filter or slide bar dramatically speeds up searches for pornography, selfies, or domestic abuse.
EXIF block support for the device’s onboard camera metadata including identification, properties, GPS and date and time stamps is improving with each release. This is absolutely critical metadata to show whether the device’s camera was the source of the photo, or if it came from MMS, or some app. EXIF metadata is also critical to show the device’s whereabouts at a specific time. It can be the basis for a conviction or it can provide a convincing alibi in criminal justice cases. It can significantly impact the damages award in a personal injury suit or insurance fraud case.
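The fields this paragraph relies on (camera make and model, capture time, GPS position) can be read directly from a photo's EXIF block, including one recovered from a carved fragment. The Python below is an added example, not code from IEF or Magnet Forensics; the function names are this example's own, and the sample image bytes and every value in them are constructed.

```python
import struct

MAKE, MODEL, EXIF_IFD, GPS_IFD, DT_ORIGINAL = 0x010F, 0x0110, 0x8769, 0x8825, 0x9003  # tag ids
SIZES = {2: 1, 4: 4, 5: 8}  # bytes per ASCII, LONG, RATIONAL; other types are ignored

def read_ifd(tiff, off, bo):  # one IFD -> {tag: value}; cut-off entries are skipped
    out = {}
    count = struct.unpack_from(bo + "H", tiff, off)[0] if off + 2 <= len(tiff) else 0
    for pos in range(off + 2, min(off + 2 + 12 * count, len(tiff) - 11), 12):
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, pos)
        size = SIZES.get(typ, 0) * n
        # Values of up to 4 bytes sit in the entry itself, larger ones behind an offset.
        start = pos + 8 if size <= 4 else struct.unpack_from(bo + "I", tiff, pos + 8)[0]
        raw = tiff[start:start + size]
        if size == 0 or len(raw) < size:
            continue
        if typ == 2:
            out[tag] = raw.split(b"\0")[0].decode("ascii", "replace")
        elif typ == 4:
            out[tag] = struct.unpack_from(bo + "I", raw)[0]
        else:  # RATIONAL: numerator/denominator pairs
            out[tag] = [a / b if b else 0.0 for a, b in struct.iter_unpack(bo + "II", raw)]
    return out

def exif_summary(data):
    # Signature search rather than a JPEG segment walk, so carved fragments work too.
    tiff = data.partition(b"Exif\0\0")[2]
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if tiff[:2] == b"II" else ">"
    ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    sub = lambda t: read_ifd(tiff, ifd0[t], bo) if isinstance(ifd0.get(t), int) else {}
    exif, gps = sub(EXIF_IFD), sub(GPS_IFD)
    def deg(ref, dms):  # GPS tags 1/2 = latitude ref/value, 3/4 = longitude ref/value
        v = gps.get(dms)
        if gps.get(ref) not in ("N", "S", "E", "W") or not isinstance(v, list) or len(v) != 3:
            return None
        return round((-1 if gps[ref] in "SW" else 1) * (v[0] + v[1] / 60 + v[2] / 3600), 6)
    return {"make": ifd0.get(MAKE), "model": ifd0.get(MODEL),
            "taken": exif.get(DT_ORIGINAL), "lat": deg(1, 2), "lon": deg(3, 4)}

def pack_ifd(entries, base):  # sample builder: (tag, type, count, bytes) -> little-endian IFD
    head, data = struct.pack("<H", len(entries)), b""
    for tag, typ, n, val in entries:
        ptr = struct.pack("<I", base + 6 + 12 * len(entries) + len(data))
        head += struct.pack("<HHI", tag, typ, n) + (val.ljust(4, b"\0") if len(val) <= 4 else ptr)
        data += val if len(val) > 4 else b""
    return head + b"\0\0\0\0" + data

def sample_jpeg():  # constructed sample with made-up values: SOI, APP1/Exif, EOI
    exif = pack_ifd([(DT_ORIGINAL, 2, 20, b"2014:01:15 08:30:00\0")], 8)
    gps = pack_ifd([(1, 2, 2, b"N\0"), (2, 5, 3, struct.pack("<6I", 44, 1, 58, 1, 48, 1)),
                    (3, 2, 2, b"W\0"), (4, 5, 3, struct.pack("<6I", 93, 1, 15, 1, 36, 1))],
                   8 + len(exif))
    i_off = 8 + len(exif) + len(gps)
    ifd0 = pack_ifd([(MAKE, 2, 6, b"Apple\0"), (MODEL, 2, 9, b"iPhone 5\0"),
                     (EXIF_IFD, 4, 1, struct.pack("<I", 8)),
                     (GPS_IFD, 4, 1, struct.pack("<I", 8 + len(exif)))], i_off)
    app1 = b"Exif\0\0II*\0" + struct.pack("<I", i_off) + exif + gps + ifd0
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Fields the file does not carry come back as None, which is what an examiner would see for a picture whose EXIF block was stripped or cut off by carving.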
Most digital forensics tools find one kind of video artifact, but IEF’s Mobile Module finds three of them (Video, Carved Video, and Snapchat video) and has built-in media players and integration with third party media players for all of them. And IEF supports 3GP formatted video, which is quite popular on mobile devices because it decreases storage and bandwidth requirements to better accommodate mobile phones.
IEF’s Mobile Module identified traditional video but, until the latest release, did not support playback and file export. The cost is, of course, a bloated evidence or portable case file since video is a binary large object, or BLOB in database parlance, and consumes enormous amounts of storage. So Magnet gives the examiner the option of enabling it and setting a quota on video file size for both storage and carving. The dialog box to enable and set it is not easy to find. Look for the little plus sign immediately to the right of the “Videos” icon on the Artifacts screen. Clicking it causes a dialog box called “Video Options” to pop up for you.
The little plus sign is a convenient visual short-cut to the dialog box, but I would like to see options or settings for artifacts like this also placed somewhere more predictable in the Windows menu tree where they will be noticed and discovered by examiners. How about “Artifacts” under “Settings” in the Tools menu?
IEF data carves video for examiners and Magnet calls the results Carved Video. This artifact can be opened and exported. I found Windows Media Player useful for AVI file playback and QuickTime useful for MPEG and 3GP file playback.
IEF’s Mobile Module also supports voice messages or voice mail, but not unexpectedly, as the computer forensics pioneers they are, Magnet calls the artifact “AMR Files”. Audio playback is built into the IEF Report Viewer now and renders AMR files reliably. Every single one I’ve tested, whether taken from an Android or iOS device, has played first time and every time. But improvement in carving and presenting voice message metadata is needed. Examiners need access to the calling phone number that left the voice message and the name from the address book that matches that phone number. Examiners need to know the date and time stamp when the voice message was created and whether or not it has since been deleted from the device. If deleted from an iDevice, they need to know the date and time stamp when the voice message was deleted.
Purely Mobile Artifacts
In a similar vein other improvements for purely mobile functions and artifacts can be applied to bring IEF’s Mobile Module to maturity:
Sometimes the number of contacts in the address book reported is substantially less than other mobile device forensics tools on cross validation. Perhaps deleted contacts are not carved.
Sometimes the number of calls in call logs reported is substantially less than other mobile device forensics tools on cross validation. Perhaps deleted calls are not carved.
Examiners need to know whether or not an instance of an artifact, any artifact, has been deleted from the device. It is needed globally for all mobile artifacts.
IEF’s Mobile Module does not yet take full advantage of the contact information obtained from the device’s address book to supplement a person’s name (the party name) that matches the phone number in reporting artifacts like calls, SMS, MMS, etc. Doing so will improve examiner comprehension of evidence and increase investigator usability of IEF’s reports and portable case files on evidence review.
A small, but vital piece of standard mobile metadata called “direction” or “to/from” is very helpful for examiners to correctly interpret calls, SMS, MMS and messaging apps like iMessage, WhatsApp, or Skype. For some artifacts IEF presents a “Message Type” column for that purpose, but for others it is missing and the “Status” column must perform double duty awkwardly.
As of this writing IEF’s Mobile Module does not yet recover the iDevice dictionary, its virtual keylogger. The dictionary records words entered into the iDevice in the order the user typed them. Forensically it can show sentence fragments typed into messages and e-mails or search queries entered into browsers. Data that was deleted and unavailable from any other source can be recovered from this keylogger. I would love to see a Dictionary artifact in IEF’s Mobile Module for iDevice examinations. I have heard it is “in the works” and may be available as you read this review.
IEF’s Mobile Module is the newest mobile device forensic tool in my lab. It is one of the most powerful and probative for mobile evidence, particularly multimedia, browser artifacts, and app data. It’s our “go to” cross validation tool for smart phone and tablet exams, especially Android images and iOS file systems. We look forward to using it on Windows Phone devices acquired with JTAG and Cellebrite’s new bootloaders. We usually extract the device image or file system with UFED, and after running it through Cellebrite’s Physical Analyzer, IEF is our next stop in our mobile device exam plan. We use it to get a second opinion on our mobile evidence and to generate a portable case file for client review. We may pick and choose other tools based on device platform, but we always use IEF’s Mobile Module on our clients’ devices.
Watch for a second review of advanced features and evidence at ForensicFocus.com later this winter or spring.
Learn more about IEF and other software tools from Magnet Forensics at www.magnetforensics.com.
About the reviewer
John Carney is a digital forensics examiner who, early in his career, studied computer science and wrote code as a software developer. Later, he studied law and became a licensed attorney. John has acquired certifications in both mobile device forensics and computer forensics, and owns a private digital forensics firm, CARNEY FORENSICS (www.carneyforensics.com) in Minnesota. CARNEY FORENSICS helps attorneys, investigators and corporations obtain insight into their investigations and cases at law by retrieving admissible digital forensic evidence from cell phones, smart phones, tablets, PCs and Macs, GPS and personal navigation devices, electronic documents, social media, and e-mail including web mail. John can be contacted at email@example.com.