MPE+ Investigator 4.7

The MPE+ Investigator from AccessData Group can be downloaded from the AccessData website, and I wanted to talk about its functionality and explain what this product is really about. First, let me explain what MPE+ Investigator is touted as.

MPE+ Investigator was originally born to allow users to download a FREE version of the MPE+ software from AccessData to evaluate it and “decide before you buy” on its usefulness in the lab. What it can also be used for are, in my opinion, the better uses of the tool: a review platform and an MPE+ Tablet companion.

I am going to take a look at the software in this blog and how I think “Investigator” can substantiate these claims.

MPE+ Investigator-

Investigator only allows users to open files that are created with the full MPE+ tool, or AccessData’s AD1 format. If you are familiar with MPE+ then you will see that the interface is really the same, with a few differences of course, one being a different icon. Items omitted from Investigator include:

  • No way to perform mobile device collections
  • No importing of TAR files or ipd files (or soon to be DD files)

For this blog I brought in an iPhone 4 that had been collected with MPE+ using its physical extraction capability.

Investigator Startup-

When starting MPE+ Investigator you are greeted by the startup dialog letting you know you are running MPE+ Investigator. Pressing OK then takes you to the mobile device dialog. Here you can preview the supported devices list by selecting the makes and the models. The only limitation is that the device images are not loaded, nor are you able to perform a collection. Pressing the connect button gives you a dialog reminding you that you need the full MPE+ to perform this action.

As I said, I was going to further analyze or preview the data collected by MPE+ from an iOS device. To do this you simply select Import AD1 Image on the toolbar and are asked to locate the image.

As the AD1 imports into Investigator the Dataviews are immediately populated and you notice a progress bar rolling along. What is nice is that you can begin working in the data while the filesystem is parsing. This is really nice if the filesystem contains thousands of additional files. Investigator 4.7.0.44 does not mount the images the way AccessData’s FTK or FTK Imager do, so the importing of the AD1 is slower.

NOTE: Version 4.8.0, which is due for release in three weeks (second week of May 2012), will mount an AD1 created by MPE+ effortlessly, as Imager and FTK currently do. From testing I was told 3 Gb images mount in about 2 seconds when importing!


The DataView in MPE+ Investigator will display differently for each type of device you import. There are no cookie-cutter views for each and every mobile device; the data shown depends on the data types supported. I really like this dynamic approach, since a lot of tools are pretty static, showing contacts, SMS and call logs for each and every model even if they are not supported.

To help with threading conversations, organizing the workspace and more, I can click on columns for each data type to sort and also click-and-hold to move the columns around. All areas can be moved, floated and organized as well, just like in the full MPE+ version.

MPE+ collects many file systems from multiple device types across many platforms. What does this mean? Well, it means there will be a ton of other items in the file system that may not have been parsed. Using MPE+ Investigator you can data carve these items with the simple-to-use data carver.

Reporting of the data is also a part of Investigator. Not only reporting, but you can easily create your own investigator information and it is saved across restarts of Investigator. In this pane you can include additional information or items about the image that will be included in the generated report.

Creating a report is easy; simply select the items you would like to report on and click either PDF or RTF. You can also export the data to CSV format to include in third-party analytical software. In the current 4.7.0.44 release of MPE+ Investigator you cannot individually select items to be reported, but I know the next release, 4.8.0, will allow it. This means you can individually select and then report on only the selected items. I think this feature will be great for those reports where only 5 SMS or emails need to be included in the legal brief instead of having to include all 23,000 others. The reports are generated and ready for review.

MPE+ Investigator is much more than just a demo of AccessData’s MPE+. Investigator is a tool that allows:

  • Investigators, attorneys and reviewers now have the ability to look into the data without compromising it. The AD1 format is a forensic storage container and NO data can be added, deleted or compromised.
  • Those with “ownership” in the case can mull the data and report on findings, freeing the examiner from the task.
  • As a review platform, the litigation team can see the data as it “lived” in the digital device, gaining a completely different and new insight into the evidence.
  • MPE+ Tablet users can now review, carve and report on a more powerful device like their lab PC or laptop. Now the MPE+ Tablet can be utilized more efficiently as a collection tool, not an analysis machine.

AccessData has brought another FREE tool to the forensic community that will revolutionize how we view mobile data. All you really need is an AD1 file created by MPE+.

You can go to accessdata[dot]com and the download page to grab a copy of MPE+ Investigator. Also, sample images should be posted in the same area so you can test drive Investigator for yourself!

R/D

Of the many things that I have been working on in between the AccessData Roadshow stops, I thought I would throw out some tidbits that might be of interest to the mobile phone people. FTK4 as well as a version of FTK Imager (soon to be released) allow mounting of YAFFS (Yet Another Flash File System) and YAFFS2! It is a pretty cool addition because it allows the DD image created with a physical extraction of an Android device by AccessData’s MPE+ (Mobile Phone Examiner PLUS) to be mounted. That includes partitions like cache, system, sd, userdata and many others. With these images mounted you now have applications, email, browsers and more at your fingertips.

How about analyzing these images for malware? FTK Imager allows you to mount ANY AD1 as a drive where you can run any scanners against it to your heart’s content. Also, with the release of FTK there is an add-on called Cerberus. The tool works on the code, not on a computed hash or signature of the malware. It got me thinking that this could finally be an automated solution to the onslaught of malware Android is seeing. With Cerberus you get ratings on the likelihood of malicious code inside of the package, so no more hunting for signatures or building signatures for some of this malware that is out in the wild. With mobile devices it is hard enough to keep up with the release of the device, let alone malicious code. I think it is a huge step in the right direction and I hope to see Android malware added soon.

Fuel (A company perspective)

As I listened to a message on sustainability this weekend I contemplated the sustainability of mobile forensics. From the start of Mobile Forensics Inc., to the purchase of MFI, to the growth of MFI, there has always been a drive for sustainability. This does not come from training examiners to be black and white and to utilize a single-tool solution like some would prefer; no, this comes from being the fuel. Like I always say, if a company says that they are the only tool needed for mobile phone forensics, don’t buy anything from them. There is not a one-tool solution…period.

By fuel I am referring to MFI’s focus on raising free thinkers. MFI attempts to accomplish this by fueling an examiner’s desire to look outside the box, to look at tools as just that, tools, and to put the “examiner” into mobile examiner. Move away from the companies alleging their tool is the only tool on the market and allow students to make an informed decision by giving them the fuel to move forward independently. MFI has always used the term “vendor neutral” but now other companies have taken that mantra, so I want to again break away and call MFI a Training Fuel Company.

Fuel is used to power our vehicles, run our computers, power our lights and now our training brains. By imparting knowledge on cellular forensics (not tool forensics) we fuel examiners to think for themselves, to choose a tool or tools that fit their needs, and we arm them with the knowledge to be self-sustaining.

There is nothing better than receiving feedback from students after attending our course describing how they utilized the knowledge they departed with to solve a case that no tool on this earth could have solved independently. Quite simply, the information the examiner received fueled their focus as well as their examination practices. Now the examiner becomes self-sustaining, not spoon-fed. This is and will always be the goal of Mobile Forensics Inc. If you have taken a Mobile Forensics Inc course, I thank you and hope that the information you departed with was immediately useful to you as an examiner. If you have not been to an MFI course yet, I hope to see you at one soon.


Merry Christmas

I thought in this day and age, what better than receiving another form letter! Ok, I will spare you the details, but without you guys Mobile Forensics Inc and AccessData could not be the number one training company for digital forensics.
There are a ton of new courses, locations and software updates coming your way in 2012. Keep checking the mobileforensicsinc.com and accessdata.com sites.
We hope to see you in a mobile training course soon.
So please have a wonderful holiday season and again thank you all for your support!

Android AGPS Track Observation

An interesting tidbit on the Android AGPS capability was discovered while just driving around testing the Faraday Pouch from forensicfonefabric.com. First, the Faraday Pouch is an easy way to isolate a device: drop your device into the bag and snap the metal closure, like the old-school plastic clams you put your change in; pinch the edges and it opens up. Also, the bag has a see-through mesh front which allows you to watch the device to check the phone status and press the keys to quickly put the device into standby mode. Once in standby mode you can remove it and do your processing, isolated from the massive cell signals. Enough about the pouch, let’s talk about the testing.

So, the device I used was a Samsung Fascinate running Android FroYo. The device was fully charged and operational. The test was targeted at not only the cellular signal but the GPS signal; the aim was to see if AGPS signals are blocked as well.

I started a running application called Runtastic and was immediately shown the blue dot on the screen at my exact location, my office. Runtastic allows you to not only track the route, but also the time and miles. I jumped on the road and at approximately 1 mile from the start I checked the device. On the map the blue dot was now hovering at my NEW location, showing a blue track from the start to my current location. All seemed to be working correctly with the device and the Runtastic software. At this new location I placed the device into the Faraday Pouch from forensicfonefabric.com. I observed the signal bars dive to none and I then continued my journey. Immediately I noticed that the blue dot still remained at the location where I had placed the device into the pouch. This was what I believed would occur, but I continued to monitor the blue dot. The time on the device continued to advance but the mile indicator remained the same. Again, this was not a new revelation and of course was expected. I completed the journey and arrived back at the location I had started, my office. It was when I removed the device from the pouch that I had the “huh?” moment.

When the device was removed it regained its signal from the carrier and I watched the Runtastic application show my current position via the blue dot; of course this was expected. It was when I noticed a new path emerge from the location where I had placed the device into the pouch back to my office that I dropped the brick. The device, or application, actually filled in the track, even showing the path in blue! Let me break this down a little farther. I looked at the overview map, which showed the initial path FROM the office to the point where I placed the device into the pouch and then BACK to the office along the same route. What was missing was the track from the place I placed the device into the pouch and the additional 1.5 miles when it was isolated. When I removed the bag it FILLED IN the path by estimating my route from the location I placed the device in the bag BACK to the OFFICE, still missing the other 1.5 miles. So the device appeared to assume I had just stopped and turned around, going along the same route back to the OFFICE where the signal was again picked up. What are the implications for an examiner?

The implications of this find for when we might be conducting an examination of the device began to pile up. For example, what if the owner of the device you are examining for a criminal trial suddenly lost service and then it was picked up again? The device, believing it is smart, fills in the missing data and completes the trip, connecting the dots. We extract this data from the application’s cache and put it together for trial, weighing our testimony on this particular find, when the data might just be a guess by the device. As I found on my own track, this data quite possibly might not be the actual street or path taken. A huge deal for court purposes. How can we overcome this find?

Knowing that service might have been inhibited, either by manual manipulation or network issues, it is very important to determine whether the device had a network connection at the time of the incident. This can be done by looking at data usage at that particular time: calls made/received, packets transmitted, SMS/MMS and others. If this research shows that the device did utilize these services at that particular time we can assume the AGPS signal is valid. If we cannot ascertain this information you should use ANY location services very cautiously when examining devices capable of storing this kind of data.
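As an added example (not part of the original post), the corroboration check described above in code: each segment of a recorded track is marked as corroborated only if some logged network event (call, SMS/MMS, data session) falls inside its time span, and the implied speed is computed so a back-filled stretch can be judged for plausibility. The coordinates, timestamps and event log are constructed sample data.

```python
"""Cross-check a location track against evidence that the device was on the network.

Added example: the track, the event log and the coordinates below are constructed
sample data, not data from the post. A segment counts as corroborated only when
at least one logged network event (call, SMS/MMS, data session) falls inside it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class TrackPoint:
    ts: datetime
    lat: float
    lon: float


def haversine_km(a: TrackPoint, b: TrackPoint) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def corroborate_track(points, network_events):
    """Annotate each consecutive pair of track points.

    network_events: timestamps of activity that proves the device had service
    (from the carrier record or the handset's call/SMS/data logs).
    Returns one dict per segment; 'corroborated' is False where no event falls
    inside the segment's time span, so that stretch of track cannot be trusted
    to be more than the device's own interpolation.
    """
    segments = []
    for p0, p1 in zip(points, points[1:]):
        minutes = (p1.ts - p0.ts).total_seconds() / 60
        km = haversine_km(p0, p1)
        events = [e for e in network_events if p0.ts <= e <= p1.ts]
        segments.append({
            "start": p0.ts,
            "end": p1.ts,
            "km": round(km, 3),
            "minutes": round(minutes, 1),
            "kmh": round(km / (minutes / 60), 1) if minutes > 0 else None,
            "events": len(events),
            "corroborated": bool(events),
        })
    return segments


# Constructed sample: office -> about 1 mile out -> back at the office (made-up figures).
T0 = datetime(2011, 11, 1, 9, 0, tzinfo=timezone.utc)
OFFICE = (43.6150, -116.2023)
TRACK = [
    TrackPoint(T0, *OFFICE),
    TrackPoint(T0 + timedelta(minutes=10), 43.6295, -116.2023),  # ~1 mile north
    TrackPoint(T0 + timedelta(minutes=40), *OFFICE),             # back at the office
]
# One data session logged shortly after departure; nothing while the device was shielded.
NETWORK_EVENTS = [T0 + timedelta(minutes=3)]


def uncorroborated_segments(points=TRACK, events=NETWORK_EVENTS):
    """Return the segments an examiner should not rely on without other evidence."""
    return [s for s in corroborate_track(points, events) if not s["corroborated"]]


if __name__ == "__main__":
    for seg in corroborate_track(TRACK, NETWORK_EVENTS):
        status = "ok" if seg["corroborated"] else "UNCORROBORATED"
        print(f"{seg['start']:%H:%M}-{seg['end']:%H:%M} {seg['km']:.3f} km "
              f"{seg['minutes']} min {seg['kmh']} km/h  {status}")
```

On the constructed track the first segment is backed by a logged data session and the return leg is not, which is exactly the stretch the device would have had to fill in on its own.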

This phenomenon is also evident with iOS devices when using the consolidated.db file. I will be testing the Runtastic application on that OS as well, using the same methods as outlined for the Android device. I will also be looking at other location-based applications on both of these operating systems, because this information, if not explained, can come back and haunt us should we use it without corroborating it with additional evidence.

Elcomsoft – iOS 4 Bricks

I received this email today and thought I would get it out to those that are looking into the decryption software for iOS4 devices. You might want to wait until a fix or another product comes out. Read on…..

————————————–

Dear Lee Reiber

iOS 4.3.4 (4.2.9) Will Not Start After iOS Acquisition Toolkit Has Been Used on the Device
Issued: July 20, 2011

Summary

On July 16, 2011 Apple released iOS 4.3.4 for iPhone 3GS, iPhone 4 GSM, iPad, iPod Touch 3rd and 4th generations, and iOS 4.2.9 for iPhone 4 CDMA.

These new iOS versions have additional checks to detect if other iOS versions have been used to start the device. If iOS detects such a situation, it enters Recovery Mode and asks the user to restore the device firmware using iTunes.

iOS Acquisition Toolkit is based on iOS 4.3.3 (4.2.8) and thus loading the Toolkit on a device running iOS 4.3.4 (4.2.9) will prevent the device from booting normally after you have finished working with the Toolkit.

Please note that the Toolkit is capable of doing acquisition of devices running iOS 4.3.4 (4.2.9). The problem arises when the device is rebooted after using the Toolkit: it enters Recovery Mode. The Toolkit can still be loaded on the device by following the usual steps.

Resolution

If you require the device to remain bootable after acquisition please avoid using the Toolkit until the problem is resolved.

If you already have an iOS 4.3.4 (4.2.9) device in Recovery Mode as a result of loading the Toolkit or other third-party tools, please exercise extreme caution when trying to resolve the issue, as doing this incorrectly will lead to the NAND being reformatted.

Affected Products

+ iOS Acquisition Toolkit version up to and including 1.04

+ iPhone 3GS with iOS 4.3.4
+ iPhone 4 (GSM) with iOS 4.3.4
+ iPhone 4 (CDMA) with iOS 4.2.9
+ iPad with iOS 4.3.4
+ iPod Touch (3rd and 4th generations) with iOS 4.3.4


Sincerely yours,
ElcomSoft Co.Ltd. team

Trouble on the plains

I figured it would be fun to start putting out some assistance blogs to help examiners coming into the field, and maybe some that have been in the field for a while. I miss the training courses, so I figured I would throw some help out onto the all-knowing Internet.

Ever have a phone not respond to the mobile phone software that you paid a mint for? If you have not, trust me, you will. Here is the scene:

You hit the connect button, nothing; you unplug the cable, nothing; you hit the connect button again, nothing. First you look at the supported phone matrix and it says it’s supported. Now you are fired up because you just used a free program that extracted it just fine. You now decide to call support; they say it’s supported, walk you through what you have already done and still no joy. You are now to the point of blacking out from rage. You laugh, but I know you have been there because I have been there. Before you go 300 on anyone, let’s look at the issues with possible solutions.

Do you have other cellphone software running?

Because of COM envy (we all have it) only one piece of software can have the port open to communicate with the device. Shut down other software and only allow one software title to take hold of the COM port.

Can you query the phone modem via Device Manager?

  • If yes, the cable is good and the response from the phone is good.
  • If no, check the cable and the phone port.

Did you just extract with another piece of cellphone software?

Other software has placed the phone in diagnostic mode, shutting the COM port off from the new application trying to do the same thing.
  • Power cycle the device.
  • A simple on/off will not suffice: remove the battery, count 10 Mississippi (optional) and restart.

Does the phone support mass storage mode?

  • If in mass storage mode, cellphone software will not communicate.
  • Use the manual to find out whether the phone supports modem/PC mode.

These little tidbits could help you not to belittle your work mates, throw things at your boss, throw the phone out the window or just give up on cellphone forensics.

If you want even more help on these problems and more, run to a Mobile Forensics Inc training course (shameless plug).

Talk to you soon.

Lee Reiber

Divulging company secrets and IP unknowingly?

How many employees in your company are assigned cellular phones? The number across the United States alone is alarming, I am sure. Of course we tell ourselves that knowing where our employees are during working hours and allowing our employees to be more productive is a small price for the monthly bill. Let’s now think about what kinds of risk we expose ourselves to as owners of these companies.

Some that immediately come to mind are:

  • Company espionage
  • Intellectual Property theft
  • Personal “spillage”
  • Human resource complaints

The list goes on, but let’s just talk about the simple ones that jumped to the forefront.

How easy would it be for an employee issued a smartphone to photograph or video events, or forward a company email, sure to undermine the company, while covertly sending the data to a competitor? This could happen in the presence of any unsuspecting employee; the spy never uncovered.

How about an employee who hears of a revolutionary advance in their company’s software design and, knowing the company email is “monitored”, decides to photograph the electronic document on the screen. Of course not with a standard camera, but with the one issued by the company; a 5-megapixel smartphone even capable of scanning documents. Most certainly untraceable, the employee believes, because all data will be deleted once the photograph is sent via their gorilla-mail account, the personal mail account they set up on their company-issued phone. The photograph then goes to the highest bidder.

Personal “spillage” easily occurs when an employee uses the company-issued cellphone to text message, photograph, search the internet, surf the web, blog, etc., to conduct personal business. The “spillage” occurs when their personal business becomes public business and the company is then put in the spotlight. Can you say Brett Favre? Granted, Favre’s phone was not issued by the company for all I know, but the picture is easily painted (or imagined).

There are always the human resource issues with regard to allegations of mistreatment, sexual harassment and the like that have occurred via messages, pictures or calls in the workplace using company-issued cellphones. One employee alleges that something was sent to them from another employee’s cellphone, but the accused employee adamantly denies they sent it. The only evidence sits on the company electronic device that was issued to them.

Now comes the challenge; extracting the data from these devices in a forensically sound manner.

These are only a few examples of what the electronic business age has brought us. Does this mean we deny our employees digital devices to use in our employment? Get rid of a device that keeps our employees more in touch, easily accessible and more productive? I would hope not. What these examples should spark is thought about how we distribute our electronic devices, how we cultivate the data contained on the device and, moreover, how we analyze the data should we have to.

Lee Reiber

###

TIME and Distributing Work

As I start the journey to Sydney for meetings I thought there would be no better time to work on another blog. I thought I might touch on attacking the TIME issue again. I had a live webinar with Officer.com this week wherein I spoke about this very issue. First, a huge THANK YOU to Officer.com for giving me a chance at the online platform and secondly THANK YOU for supporting the LE officers around the globe with your services.

So TIME; yes, it’s a four-letter word in forensics, similar in sting to any other expletive one might hear. It’s really due to the demand we as examiners see from the inundation of digital evidence on our desks or in our labs. Glorified on TV and in movies as the smoking gun, along with the proliferation of devices in our world, we are slaves to the requests of these falsely educated requestors of “on CSI they did it”. So now piled up in our evidence rooms, desks and trunks (I hope not) are digital devices set to be examined, which range from cell phones to refrigerators. If it contains a chip it must contain evidence, right? Well, my concentration and focus in this blog will of course be cell phones, but I hope some of this can be used for the next ’fridge you run into.

Distribution of labor is a concept used by many companies to “share the work” and become more effective and efficient. This is an easy concept really when we think about it; what better way for someone to focus than to give them smaller portions? Using this model the workers can concentrate and focus on their small assigned task, but under the hood they are completing the piece used later to complete the entire project or solution. This is why the distributed processing model is used so well with AccessData’s forensic software. The examiner can use multiple computers to process the data, with each core taking an assigned thread while the others are churning out other threads. All are concentrating or focusing on their task, the data thread, which amplifies the efficiency plus reduces the TIME element. The same would be evident in the usage of AccessData’s LAB product, where we are now talking about users. Like TRON, throwing Users into the mix usually messes up the Programs (current movie on the plane, sorry). Well, using LAB takes the Users’ unfocused, non-procedural, overwhelmed-with-evidence, huge TIME commitment away because the task is no longer individualized. Distribution allows tasks to be assigned to each User and allows individuals to now focus on what they have been assigned, not wandering down the road of a User’s fascination with all the rest of the data in the case. Efficiency and accuracy of the examination when distributed to Users increase exponentially by lowering the burden of TIME and data overload on the User (examiner). So does the distribution of labor mean we do not conduct a proper extraction? That we only extract the email, or internet history, when we “image” a computer hard drive? Of course not, we obtain all data that we can; typically a bit-by-bit copy of the device storage medium. It is the examination that shapes the evidence by extracting the data that pertains to the case.

Why am I focusing on distribution of labor when I am talking about cellphones? We all know that one person usually extracts and analyzes the data from a cellphone, right? It could be a first responder on scene or an examiner back at the office. Technically, that might be true, but ultimately that should not be the case. Let’s put a twist on the distribution of labor with regard to a small handheld device being processed in today’s world, using today’s tools.

A typical scene for cellphone forensics is this: a first responder shows up to a scene with multiple devices and begins to extract the data from the devices. The same would go for phones brought to the examiner in the lab. Reports are completed which typically contain only data I call “user data”, i.e. contacts, call logs, SMS, calendar and media. Simply obtained and jammed into a CSV or HTML report after the extraction.

What is the first responder’s, or front line warrior’s, primary mission? To protect, settle the scene and move on to the next call. TIME is never a luxury for them, and the quickest, easiest extraction method for a digital device is all that matters. I am a big proponent of a first responder’s job not being a forensic examiner, but if we distribute the labor and do not neglect the collection, we all win.

Here is an example through today’s quick-and-dirty analysis eyes. A first responder or street officer arrives on scene and his or her job is to quickly collect the data from a cellphone sitting next to the body. The phone’s contents are “dumped” quickly on scene, extracting contacts, SMS, media and call logs. This data is saved as a CSV file, an HTML file or both. That output is then sent to the prosecutor for review and the phone is booked into evidence. Because of the work overload and TIME commitment to extract the phone’s filesystem along with the user files, this step was not completed by the first responder. Later, while dealing with the case, the prosecutor quickly looks at the case and the first responder’s report on the cellphone. Because the prosecutor is looking for a specific MMS message and does not see it contained in the first responder’s report, the case is settled without using any of the first responder’s cellphone work. Granted, there were some phonebook entries and SMS that helped the case to settle, but later another trained forensic examiner was asked to look into the evidence from the device because now they had TIME. Remember, the filesystem was not extracted the first time due to the admitted lack of TIME of the first responder, so the device had to be reacquired. Once the phone was reacquired the user information was AGAIN extracted, but also the available filesystem. Needless to say, the second examiner was duplicating the original work of the first examination in obtaining the user data, but this time had the embedded filesystem as well. The second examiner had to use another tool (FTK) to carve and parse the phone’s filesystem, which was only extracted in the second examination. To the surprise of the prosecutor (after the second examiner contacted them) the MMS was there, with the criminal image and text content easily visible in FTK from the phone’s embedded filesystem. Too late came the information, as I mentioned earlier; the prosecutor had already sealed a deal. That is an everyday occurrence in today’s cellphone world. Should it be?

What can be taken from this real-life example? One immediately evident fact has to do with the topic, TIME. Could this have been solved on the initial extraction? Maybe distribute the processing tasks? Have the first responder conduct a FULL extraction, but only obtain the artifacts requested, say phonebook and SMS. Then have a more trained examiner just analyze the filesystem? That could be a solution. The first responder or examiner extracting the device can obtain and report on what they need, but another examiner can import the forensic container and examine the data at any time. How about a cellphone tool with a built-in carving solution, so extraction and file carving all wrapped up in one? That would have solved the embedded image in the MMS.

Having another examiner examine the device and extract AGAIN is another issue in both TIME and data integrity. Why not just give them the data files from the first extraction? Well, most cellphone tools output in a format not typically seen as a forensic container. Some examples are CSV, HTML, ZIP and BIN files. None are good alternatives for a forensic container. What is needed is a tool where an initial extraction is all that is required, sealed in a container that is recognized all over the world as a forensic container. Having this ability protects the chain of custody and allows an extraction to only have to take place once. Any amount of change, however small, will change the digital fingerprint of that forensic container.

Now let’s analyze this in the sense of distribution of labor. Back to the TIME commitment this is all about. As you can see, there are tools available that can be the best of both worlds: one for easy acquisition and also deep artifact data mining for that needle that everyone complains they don’t have time to look for. Divide the work by task design, not double the work by duplication of labor. Focus on what is needed for the “push button” extraction but also understand there are tools available that can allow a quick preview and reporting of the data, but not at the cost of an examination’s TIME commitment and data integrity.

Thanks for reading.

DoD and Date\Times

Heading to the DoD conference with not only a level of excitement about presenting on Thursday but also about seeing the “regulars”. From Cellebrite, Micro Systemation, Susteen and others who regularly attend the conference, it is always interesting to hear about the things that have happened since we last got together. Some of course are more guarded than others, primarily due to my relationship with AccessData and what I do, or what they believe I do. It is a time I usually end up having to explain myself and justify my work for the community as a whole to some, but if it makes a relationship better then all is good. Although, I find it terribly tiring to do it every time we all get together. The mobile phone community is extremely volatile, to the point of paranoia, primarily due to the currency involved, the bottom line, the mighty dollar. Ok, let’s get some education into this blog.

Dates and times are always important to any type of examination or investigation. In our mobile phone training courses, both online and in the classroom, we talk about the value of seeking the truth. The truth I will touch on here is the truth in dates and times in cellphone examinations. Mobile Forensics Inc, I would say, pioneered the addition of carving for these artifacts in our training offerings, starting with our 202 course (I am sure I will be corrected if I am wrong).

Why are dates and times important when software already parses out that data for me? Well, let's answer that with a few bullets.

  • Most software reports the date/time of arrival at the handset, which could be drastically different from the sent time (we are talking about SMS for this example)
  • A lot of dates/times cannot be parsed by software. This is usually due to the developer not knowing the format or location(s).
  • Software reports an incorrect date/time due to the many different types of formats.
  • Deleted data might have a truncated date/time which is not picked up by software.

A lot of mainstream software will take the file date and display that as the SMS date/time. Now this could be extremely close for outbound SMS, but for incoming messages this could be very far off. And if I want to know the date/time the bad guy sent the message to my victim's phone, then I better start my hunt. A rule of thumb I always use before diving into the HEX in the handset's filesystem is to determine if the date/time shows up on the device along with the message. If this is the case, it HAS to be in the phone's data, right? Well, yes it does, but the format it might be in is the difficult part, along with where in the file the artifact might reside.

Another issue you will face is becoming overjoyed with the location of a date/time format on an LG-VX5300 only to be back at square one when you look at a Motorola V3m. It is tedious, but the payoff is well worth it.

What tools can I use when trying to locate these artifacts? In our training courses we use several.

All are listed in alphabetical order and should not be construed as order of preference.

AccessData FTK 3.2
Added to the HEX Interpreter window the user can sweep bytes and convert the associated HEX bytes to a date/time. The converted data can then be bookmarked and saved via copy.

Cellebrite Physical Analyzer
Used in our 303 course where the student can sweep bytes and convert the associated HEX bytes to date/time. User can search for date formats on files not automatically parsed.

MFI HEX Assistant
Free App (can I use App?) I put together that allows the user to sweep bytes in evidence, paste in assistant, and convert to proper date/time. Similar to Decode that is used for computer forensic date/time conversion.

RevEnge
Used in our 202 course and from Sanderson Forensics. The student can import any file into the interface and sweep bytes and convert the associated HEX bytes to date/time. User can search for date formats within the files being examined. Data can be bookmarked for each hit.

All are fantastic tools and can be used collectively or independently depending upon your situation.

All support the following dates/times: HEX/DEC 6 Byte, BREW/Qualcomm/GPS, LG/Samsung, OSX/DOS, UNIX

Of course the utilization of each tool is different, but the outcome is always consistent over all the listed applications. The tool is not the difficult part; the location and parsing of the data is, but the payoff is immense! Uncovering data manually from a phone's filesystem can make a case that was solid, now ROCK SOLID.
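To show what the "sweep bytes and convert" step in the tools above actually does, here is a small decoder for the epoch formats listed (UNIX, BREW/Qualcomm/GPS, OSX/DOS, and the 6-byte HEX/DEC layout). This is an added example written for this post; it is not code from any of the tools named, and the byte layouts it assumes are labelled in the comments. The LG/Samsung vendor layouts are not modelled because their encodings are not described here. The sample bytes are constructed: every one of them encodes the same moment, 2012-01-31 08:53:20, which is the point of the rule of thumb above: the same date looks completely different in each format, and a 4-byte value that decodes plausibly in several formats can only be settled by comparing against the date the handset shows for the message.

```python
"""Sweep-and-convert helper for common cellphone date/time encodings.

Assumed encodings (verify each against a known date shown on the handset):
  UNIX                32-bit seconds since 1970-01-01
  BREW/Qualcomm/GPS   32-bit seconds since 1980-01-06 (GPS epoch)
  OSX                 32-bit seconds since 2001-01-01 (Mac absolute time)
  DOS                 FAT packed 16-bit time word followed by 16-bit date word
  HEX 6 byte          YY MM DD hh mm ss as plain binary values (0x0C -> 12)
  DEC 6 byte          YY MM DD hh mm ss as BCD (the byte 0x12 reads as 12)
"""
import struct
from datetime import datetime, timedelta

UNIX_EPOCH = datetime(1970, 1, 1)
GPS_EPOCH = datetime(1980, 1, 6)
OSX_EPOCH = datetime(2001, 1, 1)


def _u32(raw: bytes, little_endian: bool) -> int:
    if len(raw) != 4:
        raise ValueError("32-bit timestamp needs exactly 4 bytes")
    return struct.unpack("<I" if little_endian else ">I", raw)[0]


def decode_unix(raw: bytes, little_endian: bool = True) -> datetime:
    return UNIX_EPOCH + timedelta(seconds=_u32(raw, little_endian))


def decode_gps(raw: bytes, little_endian: bool = True) -> datetime:
    return GPS_EPOCH + timedelta(seconds=_u32(raw, little_endian))


def decode_osx(raw: bytes, little_endian: bool = True) -> datetime:
    return OSX_EPOCH + timedelta(seconds=_u32(raw, little_endian))


def decode_dos(raw: bytes) -> datetime:
    if len(raw) != 4:
        raise ValueError("DOS date/time needs exactly 4 bytes")
    t, d = struct.unpack("<HH", raw)  # FAT order: time word, then date word
    return datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)


def _bcd(b: int) -> int:
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"byte {b:#04x} is not BCD")
    return hi * 10 + lo


def decode_6byte(raw: bytes, bcd: bool = False) -> datetime:
    if len(raw) != 6:
        raise ValueError("6-byte date/time needs exactly 6 bytes")
    yy, mo, dd, hh, mi, ss = (_bcd(b) for b in raw) if bcd else raw
    return datetime(2000 + yy, mo, dd, hh, mi, ss)


DECODERS = {
    "UNIX (LE)": lambda r: decode_unix(r, True),
    "UNIX (BE)": lambda r: decode_unix(r, False),
    "BREW/Qualcomm/GPS (LE)": lambda r: decode_gps(r, True),
    "BREW/Qualcomm/GPS (BE)": lambda r: decode_gps(r, False),
    "OSX (LE)": lambda r: decode_osx(r, True),
    "OSX (BE)": lambda r: decode_osx(r, False),
    "DOS": decode_dos,
    "HEX 6 byte": lambda r: decode_6byte(r, False),
    "DEC 6 byte": lambda r: decode_6byte(r, True),
}


def candidates(raw: bytes, lo_year: int = 1990, hi_year: int = 2038) -> dict:
    """Try every decoder that accepts the swept bytes; keep only plausible years.
    More than one hit is normal, which is why the result must be checked against
    the date/time the handset itself displays for the message."""
    out = {}
    for name, fn in DECODERS.items():
        try:
            dt = fn(raw)
        except (ValueError, OverflowError):
            continue
        if lo_year <= dt.year <= hi_year:
            out[name] = dt
    return out


if __name__ == "__main__":
    # Constructed sweeps; each one is 2012-01-31 08:53:20 in its own format.
    samples = {
        "UNIX (LE)": bytes.fromhex("00ac274f"),
        "BREW/Qualcomm/GPS (LE)": bytes.fromhex("806e523c"),
        "OSX (LE)": bytes.fromhex("80e3d714"),
        "DOS": bytes.fromhex("aa463f40"),
        "HEX 6 byte": bytes.fromhex("0c011f083514"),
        "DEC 6 byte": bytes.fromhex("120131085320"),
    }
    for fmt, raw in samples.items():
        print(f"{raw.hex():14} as {fmt:24} -> {DECODERS[fmt](raw)}")
    print("All plausible readings of 00ac274f:", candidates(samples["UNIX (LE)"]))
```

Run it and note that the four-byte value `00 ac 27 4f` is accepted by more than one decoder with a believable year; only the handset's own display, or a message whose true time is already known, tells you which reading is correct.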

So if you are at DoD Cybercrime this week, look me up at the AccessData booth and let me know what you think.

Lee Reiber

Posted in Training