
The Future of Mobile Forensic Hardware

Nowadays more than 80 % of devices in digital forensics labs are tablets, smartphones and phones. This is why the price of mobile forensic hardware is a very pressing problem. The average price of top mobile forensic hardware (for example, Cellebrite UFED or Micro Systemation XRY) is around 9 000 $ (some kits can cost up to 20 000 $). License renewal for such hardware costs around 3 000 $. And what do users get for this huge amount of money? Let's try to find out.

Figure 1. Cellebrite UFED Touch

All mobile devices coming to digital forensics labs can be divided into three groups: the first two groups are iOS and Android devices, and the third is older phones.

Mobile phones

Usually, these are old phones. The main problem is that mobile forensic hardware developers no longer treat these devices as relevant. For example, Cellebrite can extract data from some devices at the physical level, but the resulting dump can't be parsed, and, what is more, because these devices are old, we are unlikely to get software updates that can parse them.

In such a situation MOBILedit! Forensic (Compelson Labs) can be very useful. It supports lots of old mobile phones which are not supported by other vendors. What is more, the price for this piece of software is quite affordable.

Figure 2. MOBILedit! Forensic

We should also mention Chinese phones here. These are phones based on MediaTek, Spreadtrum and Infineon chips. Top mobile forensic hardware developers usually offer support for Chinese phones as an additional option. But for the price of such an option you can buy a standalone solution, for example, Tarantula (EDEC). Some cheaper solutions for Chinese phones can also be found, for example, on eBay.

Figure 3. Tarantula

Android devices

Top mobile forensic hardware supports devices running 3rd and 4th versions of Android OS very well. But data extraction from such devices is not a problem for a mobile forensic examiner, even if he or she doesn’t have this expensive equipment. You can perform physical extraction from such devices even with dd [1].

Due to security issues, it's very difficult to extract data from devices running the 5th and 6th versions of Android OS, and especially to perform a physical extraction.

There was a case in our lab in which we needed to recover deleted data from an HTC One smartphone. The device had a locked bootloader, so it couldn't be rooted. If we had tried to unlock the bootloader, the user data would have been destroyed. Top mobile forensic hardware was not able to solve the problem. To perform physical imaging we used a flasher which cost us just 99 $.

For parsing of the dump you can use both free (FTK Imager [2], SQLite Viewer, NowSecure Forensics CE [3]) and commercial tools (Belkasoft [4], Oxygen Forensic [5]), which cost less.

Figure 4. Oxygen Forensic

Locked Android devices

Top mobile forensic tools usually offer solutions for locked devices, but for limited models only. Flashers support a wider range of mobile devices and allow a mobile forensic examiner to overcome all types of locks.

iOS devices

Of course, developers try to hide this fact, but data from iOS devices is extracted via the iTunes backup procedure. There are no other methods of data extraction from modern iOS devices. And, of course, top mobile forensic software and hardware vendors can offer you some «advanced logical» method, but only if the examined device is jailbroken, and you will rarely receive such a device for examination. For example, our lab has received no such devices in the last 5 years. That's why the best tool for iOS forensics should be judged not on its extraction capabilities, but on its ability to parse iTunes backups. And there are some very good pieces of software (Belkasoft [4], Oxygen Forensic [5]) which cost less. The point is that an iTunes backup can be made with iTunes itself or with open source tools, for example, libimobiledevice.
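To show what "parsing an iTunes backup" starts with, here is an added example (not from the original article or from any of the tools it names) that indexes an unencrypted backup. It assumes the Manifest.db layout used by backups of iOS 10 and later, where each file is stored under the SHA-1 of `<domain>-<relativePath>`; the sample backup it builds is constructed so the script runs offline.

```python
import hashlib
import os
import sqlite3
import tempfile

FLAG_FILE = 1  # Manifest.db flags: 1 = file, 2 = directory, 4 = symlink

def file_id(domain, relative_path):
    """Name of a file inside the backup: SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def index_backup(backup_dir):
    """List every regular file in Manifest.db and check it against the disk."""
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    rows = con.execute(
        "SELECT fileID, domain, relativePath FROM Files WHERE flags = ?",
        (FLAG_FILE,)).fetchall()
    con.close()
    report = []
    for fid, domain, rel in rows:
        report.append({
            "domain": domain, "path": rel,
            "id_ok": fid == file_id(domain, rel),  # entry follows the naming rule
            "present": os.path.isfile(os.path.join(backup_dir, fid[:2], fid)),
        })
    return sorted(report, key=lambda r: (r["domain"], r["path"]))

def build_sample_backup(root):
    """Constructed two-entry backup; the second payload is deliberately missing."""
    con = sqlite3.connect(os.path.join(root, "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    entries = [("HomeDomain", "Library/SMS/sms.db", True),
               ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata", False)]
    for domain, rel, write_blob in entries:
        fid = file_id(domain, rel)
        con.execute("INSERT INTO Files VALUES (?,?,?,?,NULL)",
                    (fid, domain, rel, FLAG_FILE))
        if write_blob:
            os.makedirs(os.path.join(root, fid[:2]), exist_ok=True)
            open(os.path.join(root, fid[:2], fid), "wb").close()
    con.commit()
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        for row in index_backup(tmp):
            print(row)
```

An entry with `present` set to False means the manifest lists a file whose payload is not in the backup folder, which is worth recording in the examination notes before any parsing tool is run.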

Locked iOS devices

Top mobile forensic tools can help to unlock some devices running iOS 7 or 8 (there are also advanced solutions available in the Cellebrite lab), but you can use an IP Box for this, for example, and it costs just 100 $ on eBay.

Discussion

Ten years ago, when we had to use an individual approach to examine almost every phone model, having an expensive all-in-one forensic tool was reasonable, but not now. Today you can pay 300-400 $ for hardware (a flasher and a few JTAG adapters) and 1000-2000 $ for software, and your forensic lab gets more powerful equipment than top mobile forensic hardware. Data from most mobile devices running Android or Windows Mobile can be extracted via the JTAG technique; for others you can use chip-off. Of course, adapters for chips are expensive, but their range isn't very wide: there are around 6 main chip carrier types.

References:

1. Physical acquisition of a locked Android device

2. AccessData Current Releases

3. NowSecure Forensics community edition

4. Belkasoft evidence center

5. Oxygen Forensic

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
