Digital forensic practitioners have focused heavily on mobile devices since the advent of the smartphone. Through the virtually countless generations of Apple, Android, BlackBerry, Windows and legacy phones, the forensic analysis community has learned that the data held on these devices can often make or break an investigation. Mobile forensic tools have evolved accordingly, trying to keep pace with the changes in technology, hardware, software and security surrounding the storage of data on mobile devices.
One of the main players in mobile forensic data acquisition and analysis, MSAB, has recently updated its main suite of tools, XRY and XAMN. We took a look at XRY v9.3 and tested some of its functionality to help inform both government and private-sector practitioners who may be considering adding it to their capabilities and offerings.
Virtually all digital forensic tools have minimum hardware and software requirements, and XRY is no different in this respect. In addition to a Microsoft Windows operating system platform, the XRY FAQ page lists the following system requirements:
- Intel 6th Generation (Core i3 or above) or equivalent, 8 GB RAM minimum
- 4 GB of hard-disk space required for XRY program installation
- 256 GB HDD minimum for data storage; 500 GB or more recommended
- 2 USB ports minimum; 3 or more recommended
- Windows 8 or 10 (64 bit)
- Microsoft .NET Framework 4.7.2
- Screen monitor 1600 x 900 resolution minimum
These requirements will let XRY run at a basic level, but a faster processor and more RAM are recommended to make analysis more efficient. Note also that data acquisition in XRY may need a different specification to run well than the analysis and reporting tool, XAMN.
XRY Extraction Workflow
For our primary testing, we conducted a logical extraction and analysis of a Samsung Galaxy S10 (SM-G973u). Anyone who has dealt with this model in any forensic suite knows that it is currently challenging to get a large amount of user data from it. Fortunately, XRY does an adequate job here, and our case centered on WhatsApp messages as the primary piece of evidence, which XRY supports to an advanced degree.
The pre-extraction of our S10 was simple and intuitive, offering a number of options. Upon inputting the device make and model into XRY, the user is presented with the supported devices and a listing of what the tool can be expected to extract, which is great for documentation and reference.
Once the appropriate device is chosen, we are given the available extraction types (physical, logical and file system), and XRY tells us what to expect from each type on this specific device. This part of the workflow also provides a step-by-step guide to enabling developer mode, USB debugging and the other device settings the extraction requires.
One of the extraction features we noted as being of particular interest to not only law enforcement, but also to ediscovery and corporate professionals, is the ability to narrow the extraction data to a specific time frame and/or specific data areas, such as pictures, videos, and so on. This would be extremely helpful if your legal authority only grants data for a specific period of time, or your case only involves data from a particular time frame. This is a feature that is not offered by every tool on the market.
As mentioned above, our test case on this device involved WhatsApp messages. XRY's route to the WhatsApp data on this device is an app-downgrade extraction, which proved extremely helpful. Other apps offered for downgrade acquisition included Chrome, Facebook and Google Maps, which can yield valuable location and social media data when the acquisition succeeds.
Along with the downgrade option itself, XRY lets us select all or only some of the available apps for downgrade extraction, which again helps if your legal authority is limited to a particular set of data from one supported app, or to data that could be stored in some of the apps but not others.
During the extraction process, XRY provides a workflow to let us know how the extraction is proceeding and what steps are being taken during the overall extraction. This log is also kept as part of the extraction file.
Of particular note in this case was the clear and concise indication that our WhatsApp downgrade acquisition was successful, preceded by the steps XRY took to attempt it. A downgrade acquisition installs a different version of the app on the device, so if the WhatsApp data is to be used as evidence, it is vital to document these steps and to understand exactly what was done to the handset to acquire the messages.
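As an added example (not MSAB's code, and not a description of how XRY implements its downgrade, which the page does not give): the app-downgrade technique used by open tooling installs an older build of the app that still permits ADB backup, then pulls the app's data with `adb backup`. What lands on the examiner's disk is an Android backup archive (`.ab`), and the script below parses that format so the examiner can check what was actually acquired, pull the database out for hashing, and tie the result back to the extraction log. The `adb` call uses the real `backup -f ... -noapk` flags; the downgrade install step itself is left out because it varies by Android version. The sample archive and the `com.example.chat` package are constructed for this example, and the `apps/<package>/db/` layout is the one `adb backup` writes.

```python
"""Parse an Android `adb backup` archive (.ab) and list the app data it holds.

Added example, not MSAB's code. Assumes the package data was obtained with
`adb backup` after an app downgrade (the generic technique; how XRY does it
is not stated on the page). The sample archive below is constructed in memory.
"""
import io
import subprocess
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def adb_backup_package(serial, package, out_path):
    """Run `adb backup` for one package (real adb flags). Not called at import.

    -noapk: app data only. The backup must be confirmed on the handset screen.
    """
    subprocess.run(
        ["adb", "-s", serial, "backup", "-f", out_path, "-noapk", package],
        check=True,
    )


def parse_ab(data):
    """Return (header dict, raw tar bytes) for an unencrypted .ab archive.

    Layout: four text lines ("ANDROID BACKUP", format version, compressed flag,
    encryption algorithm) followed by the tar stream, zlib-compressed when the
    flag is "1". Encrypted ("AES-256") archives carry extra header lines and a
    password-derived key; they are rejected here rather than mis-parsed.
    """
    parts = data.split(b"\n", 4)
    if len(parts) != 5 or parts[0] != AB_MAGIC:
        raise ValueError("not an Android backup archive")
    header = {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii", "replace"),
    }
    payload = parts[4]
    if header["encryption"] != "none":
        raise ValueError("encrypted backup (%s); password needed" % header["encryption"])
    if header["compressed"]:
        d = zlib.decompressobj()
        payload = d.decompress(payload) + d.flush()
    return header, payload


def list_entries(data):
    """Names of every regular file in the archive (e.g. apps/<pkg>/db/<name>)."""
    _, tar_bytes = parse_ab(data)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if m.isfile()]


def extract_entry(data, name):
    """Bytes of one member, e.g. the app's SQLite database, for hashing/analysis."""
    _, tar_bytes = parse_ab(data)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        f = tf.extractfile(name)
        if f is None:
            raise KeyError(name)
        return f.read()


def build_sample_backup(compressed=True, encryption="none"):
    """Construct a tiny .ab in memory (test data, not a real app backup)."""
    files = {
        "apps/com.example.chat/_manifest": b"com.example.chat\n1\n",
        "apps/com.example.chat/db/msgstore.db": b"SQLite format 3\x00" + b"\x00" * 16,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    body = buf.getvalue()
    if compressed:
        body = zlib.compress(body)
    header = b"%s\n5\n%d\n%s\n" % (AB_MAGIC, 1 if compressed else 0, encryption.encode())
    return header + body


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_backup()
    hdr, _ = parse_ab(src)
    print(hdr)
    for entry in list_entries(src):
        print(entry)
```

Run it with a real `.ab` path as the argument to list what the backup contains, or with no argument to exercise the constructed sample. The version line distinguishes archive formats across Android releases, and the encryption line is the check that matters most in practice: a backup made with a device password cannot be opened this way, and the script says so instead of producing garbage.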
In all, the extraction flow and procedure for this device was simple and effective. The extraction options offer us a multitude of choices to narrow or expand the scope of the extraction, based upon our case-specific parameters.
XRY Data Analysis
The advent of mobile forensics as a practice combined with the ubiquitous nature of devices and their involvement in virtually every type of investigation has caused mobile forensic software tool companies like Sweden-based MSAB to create the proverbial ‘easy-button’ to find the most often used and relevant data more quickly. Whatever term the specific forensic tool uses for this area of data analysis, it generally allows browsing data and gives the 10,000-foot view of the common areas of evidence such as calls, contacts and text messages.
XRY color codes these areas in an easy-to-navigate menu which also displays the overall number of these items (so you know how much time you might spend viewing them). Of note are the over 3,600 WhatsApp messages that were acquired as part of the downgrade option.
Also available in XRY are “Quick Views,” where users can filter by file or data type, date, deleted items and more. This is a handy feature to help streamline your investigations and save time.
The tagging feature allows the analyst to select particular messages and add them to one or more of several default tags, or to add custom tags to the particular data area. The example below illustrates the tagging feature in our WhatsApp investigation. We are also able to add notes to the particular piece or set of tagged/selected data. This feature is extremely helpful when we are providing a large amount of data in a report to other stakeholders in the case, such as investigators, counsel or clients.
The developers of XRY undoubtedly appreciate that location-based data is often relevant in cases, so they have made it simple for users to parse and analyze this data. The internal mapping tool in XRY plots the different data areas where location is included and allows for simple analysis of this data in an easy-to-navigate way, complete with hyperlinked files which are associated with the particular location data.
One advanced area that XRY also handles well is locating, browsing and analyzing SQLite databases. In the “Databases” area we can browse which databases are part of our extraction and search for the ones we want to view. Once a database is opened, its tables are listed and easy to navigate, which lets us not only analyze the raw data but also validate what the parsed, easy-to-read output is showing us. This is extremely valuable: no mobile forensic tool supports every application, and for unsupported apps the database view is where the evidence is found, so XRY's streamlined database analysis makes this less cumbersome and more efficient for our casework.
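The same validation can be done outside the tool with the stock `sqlite3` module, and doing so also covers the scoping point raised under extraction: applying a time window in the query so that only rows inside the authorized period are ever pulled. This is an added example, not XRY or XAMN code; the `messages` table and its rows are constructed and do not describe WhatsApp's real schema. Two habits worth copying when checking a parser's output: hash the database and open it read-only so SQLite never writes a journal next to the evidence, and check whether timestamps are in seconds or milliseconds before trusting any converted date.

```python
"""Browse and validate an app SQLite database outside the forensic tool.

Added example, not part of XRY or XAMN. The `messages` table below is
constructed for illustration and makes no claim about any real app's schema.
"""
import datetime as dt
import hashlib
import os
import sqlite3
import tempfile

UTC = dt.timezone.utc


def sha256_file(path):
    """Hash the evidence file before opening it, for the notes and the report."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def open_readonly(path):
    """URI open in read-only mode so SQLite cannot modify the evidence file."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def list_tables(conn):
    """Table names from the schema catalogue, the same list the tool browses."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def describe_table(conn, table):
    """(column, declared type) pairs; the identifier is quoted, not pasted raw."""
    ident = '"%s"' % table.replace('"', '""')
    return [(r[1], r[2]) for r in conn.execute("PRAGMA table_info(%s)" % ident)]


def timestamp_unit(values):
    """Guess seconds vs milliseconds: an epoch value above 1e11 would be past
    year 5000 if it were seconds, so such magnitudes are milliseconds."""
    sample = [v for v in values if v]
    if not sample:
        return "unknown"
    return "ms" if max(sample) > 10 ** 11 else "s"


def to_utc(ts, unit):
    secs = ts / 1000.0 if unit == "ms" else ts
    return dt.datetime.fromtimestamp(secs, UTC)


def _as_utc(iso):
    d = dt.datetime.fromisoformat(iso)
    return d if d.tzinfo else d.replace(tzinfo=UTC)


def messages_in_window(conn, start_iso, end_iso):
    """Rows whose timestamp lies in [start, end]; bounds are ISO 8601, UTC if naive.

    The window is applied in the query itself, so rows outside the authorized
    period are never pulled into the working set.
    """
    unit = timestamp_unit(r[0] for r in conn.execute("SELECT timestamp FROM messages"))
    scale = 1000 if unit == "ms" else 1
    lo = int(_as_utc(start_iso).timestamp() * scale)
    hi = int(_as_utc(end_iso).timestamp() * scale)
    rows = conn.execute(
        "SELECT id, timestamp, sender, body FROM messages "
        "WHERE timestamp BETWEEN ? AND ? ORDER BY timestamp", (lo, hi))
    return [(i, to_utc(t, unit).isoformat(), s, b) for i, t, s, b in rows]


def build_sample_db(path=None):
    """Construct a small database with epoch-millisecond timestamps (test data)."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".db")
        os.close(fd)
        os.unlink(path)  # let sqlite create the file itself
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE chat_list (jid TEXT PRIMARY KEY, subject TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, "
                 "timestamp INTEGER, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (1, 1546300800000, "alice", "happy new year"),  # 2019-01-01T00:00:00Z
        (2, 1554076800000, "bob", "meet in april"),     # 2019-04-01T00:00:00Z
        (3, 1561939200000, "alice", "july update"),     # 2019-07-01T00:00:00Z
    ])
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    db = build_sample_db()
    print("sha256", sha256_file(db))
    with open_readonly(db) as c:
        print(list_tables(c), describe_table(c, "messages"))
        for row in messages_in_window(c, "2019-03-01", "2019-08-01"):
            print(row)
```

Point `open_readonly` at a database pulled from an extraction and compare `messages_in_window` against the tool's message count for the same period; a mismatch usually comes down to the timestamp unit, the time zone applied to the bounds, or rows the parser skipped.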
As a whole, navigation through the GUI while conducting analysis is simple and self-explanatory. Even more advanced analysis of the database tables on the device is concise and is fashioned in such a way as to be time-saving.
In nearly every forensic case, the report is where the rubber meets the road: it is the point at which we take the technical analysis and translate the findings into a format that will be reviewed by non-technical people. Getting this part right is therefore vital in any forensic tool, and XRY does a good job of providing not only options but uncomplicated production and review of reports. The options are many and varied, depending on the audience for the report, and multiple formats may be chosen at the analyst’s discretion, including open-source document formats and integration with Nuix.
Standard customizable options also exist, such as adding the analyst’s/investigator’s name and contact information, departmental/company logos and other options to add individuality and ownership to the report.
When producing the report, we can also choose not only different file types, but layouts and formats, depending on the file type selected. This is also something that is not included with several other mobile forensic tools and is a nice addition to XRY.
Additional options for the output location, and the native ability to zip the report and its accompanying files, are also available during report generation, as in this example for PDF report generation:
The reporting options in XRY are robust, varied and impressive. It cannot be overstated that the reporting phase and the options with regard to reporting are of vital importance to translating the hard work that goes into the analysis to those who may ultimately be deciding the outcome of your hard work.
Mobile forensic data acquisition and analysis has become a very competitive market. As practitioners, we know and appreciate that our initial cost and yearly licensing fees largely go toward back-end development, reverse engineering and improving the interfaces of the tools we use. In our testing, MSAB demonstrated that it has the resources in place to support us as examiners and is working hard to turn its research and development into tool functionality. If you are in the market, XRY does a great job of providing options to optimize case analysis outcomes at a lower price point than some of its competitors, and it incorporates several features that are not only useful, depending on the case, but unique to the platform.