The MPE+ Investigator from AccessData Group can be downloaded from the AccessData website and I wanted to talk about the functionality and to explain what this product is really about. First, let me explain what MPE+ Investigator is touted as.
MPE+ Investigator was originally birthed to allow users to download a FREE version of the MPE+ Software from AccessData to evaluate and “decide before you buy” on its usefulness in the lab. What is also can be utilized for are, in my opinion, the better uses of the tool; a review platform and a MPE+ Tablet companion.
I am going to take a look at the software in this blog and how I think “Investigator” can substantiate these claims.
Investigator only allows users to open files that are created with the full MPE+ tool, or AccessData’s AD1 format. If you are familiar with MPE+ then you will see that the interface is really the same, with a few differences of course one being a different icon. Items omitted for Investigator include:
- No way to perform mobile device collections
- No importing of TAR files or ipd files (or soon to be DD files)
For this blog I did bring in an iPhone 4 that had been collected with MPE+ with its physical extraction capability.
When starting MPE+ Investigator you are greeted by the startup dialog letting you know you are running MPE+ Investigator. Pressing OK then takes you to the mobile device dialog. Here you can preview the supported devices list by selecting the makes and the models. Only limitation is the images displayed are not loaded or are you able to perform a collection. Pressing the connect button gives you a dialog reminding you need the full MPE+ to perform this action.
As I said I was going to further analyze or preview the data collected by MPE+, an iOS device. Doing this you simply select the import AD1 image on the toolbar and are asked to locate the image.
As the AD1 imports into Investigator the Dataviews are immediately populated and you notice a progress bar rolling along. What is nice is you can begin working into the data while the filesystem is parsing. This is really nice if the filesystem contains thousand’s of additional files. Investigator 220.127.116.11 does not mount the images as AccessData’s FTK or FTK Imager so the importing of the AD1 is slower.
NOTE: Version 4.8.0 that is due for release in three weeks (second week of May 2012) will mount an AD1 created by MPE+ effortlessly as Imager and FTK currently do. So from testing I was told 3 Gb images mount in about 2 seconds when importing!
The DataView in MPE+ Investigator will display differently for each type of device you import. No cookie cutter views for each and every mobile device; the data depends on the data types supported. I really like this data dynamic idea, since a lot of tools are pretty static with showing contacts, sms, and call logs for each and every model even if they are not supported.
To help out with threading conversations, organizing workspace and more I can click on columns for each data type to sort and also click-and-hold to move the columns around. All areas can be moved, floated and organized as well. Just like the full MPE+ version.
MPE+ collects many file systems from multiple device types across many platforms. What does this mean? Well, it means there will be a ton of other items that are in the file system that maybe were not parsed. Using MPE+ Investigator you can data carve these items in the simple to use data carver.
The reporting of the data is also a part of Investigator. Not only reporting, but you can create your own investigator information easily and it will save over starts of Investigator. In this pane you can include additional information or items about the image that will be included in the generated report.
Creating a report is easy; simply select the items you would like to report on and click either PDF or RTF. You can also export the data to CSV format to include in third party analytical software. In the current 18.104.22.168 release of MPE+ Investigator you cannot individually select items to be reported but I know the next release, 4.8.0, will. This will mean you can individually select and then report on only the selected items. I think this feature will be great for those reports where only 5 SMS or emails need to be included in the legal brief instead of having to include all 23,000 others. The reports are generated and ready for review.
MPE+ Investigator is much more than just an AccessData demo product MPE+. Investigator is a tool that allows:
- The investigators/attorney/reviewers now have a the ability to look into the data without compromising the data. AD1 formats are a forensic storage container and NO data can be added, deleted or compromised.
- Those with “ownership” in the case can mull the data and report on findings, freeing the examiner from the task.
- As a review platform, the litigation team, can see the data as it “lived” in the digital device; gaining a completely different and new insight into the evidence.
- MPE+ Tablet users can now review, carve and report on a more powerful device like their lab PC or laptop. Now the MPE+ Tablet can be utilized more efficiently as a collection tool, not an analysis machine.
Accessdata has brought another FREE tool to the forensic community that will revolutionize how we view mobile data. All you really need is an AD1 file that is created by MPE+.
You can go to accessdata[dot]com and the download page to grab a copy of MPE+ Investigator. Also, sample images should be posted in the same area so you can test drive Investigator for yourself!