Week 6 - Examination Tools Flashcards
List some typical equipment found in a typical examination room
Combination of hardware & software to extract data from devices in a forensically sound manner.
HARDWARE examples:
Computers, network isolation devices, digital cameras, batteries, cables, anti-static equipment.
SOFTWARE examples: forensic tools, applications (commercial and open source) for acquiring and de-coding data to an evidential standard and or intelligence purposes.
What are non-forensic tools?
Two distinct categories:
– Data Back-up Suites e.g. iTunes, Kies, Windows Phone App
* Provided by handset manufacturer
* Specific to own handsets & maybe specific models
Store data locally on a computer or on an online repository.
– Mobile Device Managers – e.g. MobileMaster
Designed to copy data from one device to another (e.g when you buy a new phone)
* Produced by 3rd party software companies
* Tend to support multiple makes & models
Non-Forensic Tools DO NOT maintain the integrity of the original data.
What are forensic tools?
- Can retrieve information from the mobile device using
Forensic hardware and software. - Usually support different reporting formats.
- May be specific to one mobile device operating system or multiple operating systems and devices.
- Work at different levels, some may support Logical/File system Data Only
*Some may support Physical Data only
- Some may be Combined Logical/Filesystem + Physical
- Offline/Online Storage can be acquired and decoded
Some may not be able to de-code the data acquired. Others may not be able to download the memory content but may decode data content acquired from another tool
In general forensic tools are read only - do not allow data to be written to the device or if required only add minimum data to the device for the tool to work.
Remember no one tool is likely to fit all criteria, so often a combination of tools are required in order to acquire and decode the maximum amount of data.
Forensic vendors face challenges to ensure their tools remain current
Some examples of manual capture tools available
- ZRT
https://fernico.us/zrt3/ - Eclipse
https://teeltechcanada.com/mobile
forensics/hardware/eclipse-3-pro-kit/
Manual examination & capture tools are often used to capture on screen information which cannot be extracted by other examinatioon tools.
Often used in the forensic examination process in order to capture relevant info such as packaging and physical condition of device.
Additional functionality added to some devices such as Encryption or vendor restrictions preventing access to device memory area, can sometimes restrict the use of other forensic tools to extract and decode data. Manual tools may assist. Manual tools can also be used to capture info prior to switching the device off before later examination with other tools.
Or can be used where physical damage has occurred to a connector or port.
Integrated Manual Capture Tools
* XRY Camera
https://www.msab.com/product/xry-extract/xry-camera/
* UFED Camera
Good quality camera with macro lens may be enough to manually capture, but these tools have some additional functionality - or good quality screen capturing tools.
The tools may allow the manual capture to be tagged and added for reference in an evidential report.
SIM/UICC Only Examination Tools
SIM/UICC Only Examination Tools - to extract and decode data from the SIM & UICC.
Some tools designed to read the data only. Some also have ability to create a clone SIM.
- SIMTools - (3G Forensics) Products (3gforensics.co.uk)
- USIMdetective (Quantaq) CPA SIM Analyser (BK
Forensics) - SIMCON (Paraben) - integrated into Paraben product suit.
The use of SIM / UICC only tools has declined because most examination tools also have SIM / UICC read functionality built into the other tools.
SIM / UICC only examination tools may still be required if the SIm / UICC data is all that is requitred.
List some SIM Clone Tools
SIM Clone Tools:
Some devices require a SIM / UICC to be present in order to power up. A number of tools provide the capability to clone an existing SIM in order to allow a device to power up WITHOUT connecting to a network. Important to prevent data from being lost or wiped from the device.
SIM cloning also enables an examination of a mobile device:
* without the original SIM card
* with a PIN locked SIM card
* without connecting to a network
Can be done by getting the last inserted UICC ID or IMSI from either the service provider or by a physical acquisition.
Some forensic tools use rewriteable cards (e.g. XRY)
Other forensic tools use write once cards
Logical Examination Forensic Tools
- XRY Logical (MSAB)
https://www.msab.com/product/xry-extract/xry-logical/ - UFED (Cellebrite)– https://cellebrite.com/en/ufed/
- Magnet Axiom
https://www.magnetforensics.com/products/magnet-axiom/ - Belkasoft X– https://belkasoft.com/x
- Oxygen Forensic Suite (Oxygen) -–
https://oxygenforensics.com/en/products/oxygen-forensic-detective/ - MOBILedit Forensic – (Compelson)
https://www.mobiledit.com/mobiledit-forensic - Secure View Kit (Susteen)
https://www.secureview.us/product.html - E3:Mobile (Paraben)
https://paraben.com/e3-mobile-smartphone-forensics/ - FINALMobile Forensics–(Finaldata) – 파이널데이터
(finaldata.com) - ACESO(Radio Tactics) -–
http://www.radio-tactics.com/ - Encase (OpenText) –
https://www.opentext.com/products/encase-forensic - MD-NEXT (HancomGMD)
https://www.gmdsoft.com/ir/press/md-next-mobile-forensic-software
for-data-extraction/ - Forensic Tool Kit (FTK)
https://www.exterro.com/digital-forensics-software/forensic-toolkit - Autopsy/Sleuthkit – http://www.sleuthkit.org/autopsy/
- UFADE – https://github.com/prosch88/UFADE
Some points to remember re forensic tools
- Open source tools may struggle to remain updated due to lack of esources compared to commercial tools. Unless there is strong community power behind them. But open source tools may develop very powerful tools for a very specific purpose that may out perform a generic commercial tool.
- No one tool is necessarily superior over other tools, depends on so many factors (device, OS, needs, type of investigation etc)
- research tools before preparing a tool kit - establish which ones perform well with commonly encountered devices and investigations.
- keep up to date with developements and updates - soem tools may not be as pprogrssive / up to date as others.
Example Tools - Features of XRY
XRY
* Available in a modular format incl. Logical, Physical and Cloud versions available
* Allows the examination of three different items such as
mobile device, SIM and memory card simultaneously
* XRY provides a device manual which identifies the potential data which it can and cannot retrieve from mobile devices it supports
* USB or Bluetooth connection, InfraRed no longer supported
* Pinpoint add on to extract data from Media Tech (MTK) and Spreadtrum chip /UNISOC devices
* Supports iOS backup import and decoding
* Available in office, kiosk, tablet and field versions
- XRY is part of a suite of tools from MSAB. XRY can extract and decode data from devices. MSAB offers the ‘examine’ tool for data analysis and the ‘exec’ tool for tool management. An on scene triage tool ‘raven’ is also available.
Example Tools - Features of Axion
Axiom (Magnet)
* Axiom is Smartphone based
* Axiom is an evolution of Internet Evidence Finder (IEF) product
* Modular tool with options of different data sources incl. Smartphone, Computer and Cloud
* Logical and Physical acquisition
* Supports Import of acquisitions from other tools and binary images or jtag, chipoff etc for decoding
* has a dynamic app finder to find chat databases and other app data
* Magnet company now also own DME Forensics, Griffeye
* GrayShift product range also now owned by Magnet (GrayKey, Reveal, VeraKey, Fastrak)
Example Tools - Features of Universal Forensic Extraction Device (UFED)
Universal Forensic Extraction Device (UFED) - Cellbrite
- Logical, Physical and Cloud Analyser versions available
- Chinex add on for MTK, Infineon, Spreadtrum unisoc chip devices.
- Advanced capability is integrated called physical analyser - advanced decoding of binary tools.
- Standalone with no computer required for extraction using touch version (a mini windows computer that can be used away from the desk)
- Integrated Malware Scanner / Screen capture
- Supports USB, Bluetooth and IR Interface
- Available in 4PC, Touch, Kiosk and Ruggedized versions
Part of a range of functions from Cellbrite
Example Tools - Features of Oxygen Forensics Detective
Oxygen Forensics Detective Suite.
Oxygen Software Company (Russian)
- Integrates functionality from earlier versions.
- Can be supplied as software only or a complete forensic kit
- Software can be supplied as standard edition or analyser addition or analysis with password edition.
- Extracts data from devices and offline and online backups
- Extracts data from online storage areas
- Built in Plist, SQLite viewer
- Integrated Timeline Function
- Dynamic social link connections
- Integrated communications statistics reporting
- Supports a range of devices
Example Tools - Features of E3:DS
E3:DS (Paraben Corporation - USA)
- Supports a wide range of mobile devices
- USB, Bluetooth or IR Connection
- Available in different versions
- has SIMCON built in (see previous SIM / UICC extraction only tool)
- Logical and Physical Support
Example Tools - Features of MOBILedit Forensic
MOBILedit Forensic (Compelson Laboratories)
- Retrieves handset data and SIM data
– Cable, IR, Bluetooth
– Retrieve data from SIM Card using SIM Card Reader - Software only version available with an optional cable kit
- Or available as Forensic Standard, PRO and ULTRA editions
- Concurrent Extractions
- Camera Ballistic option
- Smartwatch Kit
Single & Multi Operating System Tools
Single and Multi OS Tools.
- Elcomsoft Premium Forensic Bundle
https://www.elcomsoft.com/police_and_law_enforcement_so
lutions.html - Passware Kit Mobile
https://www.passware.com/kit-mobile/ - Belkasoft X Forensic https://belkasoft.com/x
- Autopsy http://www.sleuthkit.org/autopsy/download.php
- xLeapp abrignoni (Brigs) · GitHub
- UFADE https://github.com/prosch88/UFADE
- Evanole/iOS Syslog Monitor https://www.hexordia.com/tools
- ArtEx https://www.doubleblak.com/ArtEx/?key=ArtEx
