The Future of Mobile Forensic Hardware
Nowadays more than 80 % of devices in digital forensics labs are tablets, smartphones and phones. This is why the price of mobile forensic hardware is such a pressing problem. The average price of top mobile forensic hardware (for example, Cellebrite UFED or Micro Systemation XRY) is around 9 000 $ (some kits can cost up to 20 000 $). License renewal for such hardware costs around 3 000 $. And what do users get for this huge amount of money? Let’s try to find out.
Figure 1. Cellebrite UFED Touch
All mobile devices coming to digital forensics labs can be divided into three groups: the first two groups are iOS and Android devices, and the third is older phones.
Usually, these are old phones. The main problem is that these devices are no longer a priority for mobile forensic hardware developers. For example, Cellebrite can extract data from some devices on the physical level, but the resulting dump can’t be parsed, and, what is more, because these devices are old, we are unlikely to get software updates that would make parsing possible.
In such a situation MOBILedit! Forensic (Compelson Labs) can be very useful. It supports lots of old mobile phones which are not supported by other vendors. What is more, the price of this piece of software is quite affordable.
Figure 2. MOBILedit! Forensic
Also, we should mention Chinese phones here. These are phones based on MediaTek, Spreadtrum and Infineon chips. Usually top mobile forensic hardware developers offer support for Chinese phones as an additional option. But for the price of such an option you can buy a standalone solution, for example, Tarantula (EDEC). Some cheaper solutions for Chinese phones can also be found, for example, on eBay.
Figure 3. Tarantula
Top mobile forensic hardware supports devices running the 3rd and 4th versions of Android OS very well. But data extraction from such devices is not a problem for a mobile forensic examiner, even if he or she doesn’t have this expensive equipment. You can perform physical extraction from such devices even with dd.
Due to security issues, it’s very difficult to extract data from devices running the 5th and 6th versions of Android OS, and especially to perform a physical extraction.
There was a case in our lab, during which we needed to recover deleted data from an HTC One smartphone. The device had a locked bootloader, so it couldn’t be rooted. If we tried to unlock the bootloader, the user data would have been destroyed. Top mobile forensic hardware was not able to solve the problem. To perform physical imaging we used a flasher which cost us just 99 $.
For parsing of the dump you can use both free (FTK Imager, SQLite Viewer, NowSecure Forensics CE) and commercial tools (Belkasoft, Oxygen Forensic), which cost less.
Figure 4. Oxygen Forensic
Locked Android devices
Top mobile forensic tools usually offer solutions for locked devices, but for a limited set of models only. Flashers support a wider range of mobile devices and allow a mobile forensic examiner to overcome all types of locks.
Of course, developers try to hide this fact, but data from iOS devices is extracted via the iTunes backup procedure. There are no other methods of data extraction from modern iOS devices. And, of course, top mobile forensic software and hardware vendors can offer you some «advanced logical» method, but only if the examined device is jailbroken, and you rarely get such a device for examination. For example, our lab has received no such devices in the last 5 years. That’s why the best tool for iOS forensics should be judged not on its extraction capabilities, but on its ability to parse iTunes backups. And there are some very good pieces of software (Belkasoft, Oxygen Forensic) which cost less. The thing is, an iTunes backup can be made by iTunes itself or by open source tools, for example, libimobiledevice.
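To show what "parsing an iTunes backup" starts with, here is an added example (not code from the article or from any of the tools it names) that cross-checks a backup's Manifest.db against the files actually present in the backup folder. It assumes the unencrypted backup layout used since iOS 10 (a Files table in Manifest.db, files stored under the first two hex characters of their ID); the sample backup it builds is constructed.

```python
import hashlib
import os
import sqlite3
import tempfile

def file_id(domain, relative_path):
    # On-disk name of a backed-up file: SHA-1 of "<domain>-<relativePath>".
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()

def audit_backup(backup_dir):
    """Cross-check Manifest.db against the backup directory.

    Returns (present, missing, mismatched) lists of (domain, relativePath).
    """
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    try:
        rows = con.execute(
            "SELECT fileID, domain, relativePath FROM Files WHERE flags = 1"
        ).fetchall()  # flags = 1 marks regular files
    finally:
        con.close()
    present, missing, mismatched = [], [], []
    for fid, domain, rel in rows:
        if fid != file_id(domain, rel):
            mismatched.append((domain, rel))  # ID does not match domain/path
        elif os.path.isfile(os.path.join(backup_dir, fid[:2], fid)):
            present.append((domain, rel))
        else:
            missing.append((domain, rel))     # listed but not on disk
    return present, missing, mismatched

def build_sample_backup(root):
    # Constructed miniature backup: one intact file, one missing, one bad ID.
    con = sqlite3.connect(os.path.join(root, "Manifest.db"))
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT,"
                " relativePath TEXT, flags INTEGER, file BLOB)")
    samples = [("HomeDomain", "Library/SMS/sms.db", None, True),
               ("HomeDomain", "Library/Notes/notes.sqlite", None, False),
               ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG", "0" * 40, True)]
    for domain, rel, forced_id, on_disk in samples:
        fid = forced_id or file_id(domain, rel)
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (fid, domain, rel))
        if on_disk:
            os.makedirs(os.path.join(root, fid[:2]), exist_ok=True)
            with open(os.path.join(root, fid[:2], fid), "wb") as fh:
                fh.write(b"constructed sample data")
    con.commit()
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        for label, items in zip(("present", "missing", "mismatched"), audit_backup(tmp)):
            print(label, items)
```

Entries reported as missing or mismatched are worth noting in the examination report before any parsing tool is run over the backup.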
Locked iOS devices
Top mobile forensic tools can help to unlock some devices (there are also advanced solutions available in the Cellebrite lab) running iOS 7 or 8, but you can use IP Box for it, for example, and it costs just 100 $ on eBay.
Ten years ago, when we had to use an individual approach for the examination of almost every phone model, having an expensive all-in-one forensic tool was reasonable, but not now. Today you can pay 300-400 $ for hardware (a flasher and a few JTAG adapters) and 1000-2000 $ for software, and your forensic lab gets more powerful equipment than top mobile forensic hardware. Data from most mobile devices running Android or Windows Mobile can be extracted via the JTAG technique; for others you can use chip-off. Of course, adapters for chips are expensive, but their range isn’t very wide: there are around 6 main chip carrier types.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics