In @AccessData MPE+ you now have the ability to import many different image types. Not only can you import any AccessData AD1 files, you can also import compressed folders, TAR, DD, YAFFS, YAFFS2, EXT (all flavors), FAT, IPD and, what I am going to focus on in this blog, E01 files.
What does this capability mean to you the examiner? Honestly, it means you now have a tool that can process formats from many, if not all, current mobile phone tools. If the tool exports to a folder, zip it up and bring it in; if the tool exports the iOS to a TAR or DD or DMG, bring it in. If you have used AccessData’s Forensic Toolkit you are familiar with the many files and filesystems it can process; MPE+ is capable as well.
Why import a file or image from another tool? Simple question with a simple answer; it is because doing so allows you the flexibility to look at the data differently. By looking at the data differently you can not only validate the tool that collected the data, but quite possibly recover additional data not recovered or supported by the original tool.
A perfect example of this is with an image of an Android device. The E01 image contained a YAFFS2 partition of the user area. In this software example, the image was mounted, as you can see in Figure 1, but the userdata areas were not parsed out. If the user data is not parsed out, the examiner would need to jump into the SQL databases and grab/script/convert/bookmark the data. This of course is extremely time consuming, and honestly not the easiest task to accomplish.
This same E01 image was imported into MPE+ via Import Image. The E01 file immediately mounted into the filesystem view but looks like the image mounted by the other software. So what is the difference?
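To show what that manual scripting step involves, here is an added example (not from the original post and not AccessData code) that reads an SMS database exported from a user-data partition and converts its timestamps. It assumes a simplified table modeled on Android's `sms` table (`address`, `date` in milliseconds since the Unix epoch, `type`, `body`); the sample rows and file name are constructed.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample rows: (address, date in ms since epoch, type, body).
SAMPLE_ROWS = [
    ("+15550100", 1357041600000, 1, "Running late"),
    ("+15550100", 1357041660000, 2, "OK, see you at 6"),
    ("+15550199", 1357045200000, 1, None),  # body can be NULL
]
DIRECTION = {1: "received", 2: "sent"}  # Android sms.type values

def build_sample_db(path):
    """Create a constructed stand-in for an exported SMS database."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, type INTEGER, body TEXT)")
    con.executemany(
        "INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS)
    con.commit()
    con.close()

def extract_sms(path):
    """Return messages in time order with UTC ISO-8601 timestamps."""
    # mode=ro opens the exported copy read-only so the script cannot alter it.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT address, date, type, body FROM sms ORDER BY date").fetchall()
    finally:
        con.close()
    messages = []
    for address, ms, msg_type, body in rows:
        when = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
        messages.append({
            "address": address,
            "utc": when.isoformat(),
            "direction": DIRECTION.get(msg_type, f"type {msg_type}"),
            "body": body or "",
        })
    return messages

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "sample_sms.db"  # constructed file name
        build_sample_db(db)
        for msg in extract_sms(db):
            print(msg["utc"], msg["direction"], msg["address"], msg["body"])
```

Every artifact type (contacts, call logs, browser history) needs its own query and conversions like this, which is why the manual route is slow, but the same output is also a useful cross-check against what an automated parser reports.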
With the built in parsers in MPE+ you simply select iOS or Android and MPE+ will traverse the filesystem – finding the selected capabilities – and when completed present them to the examiner in the MPE+ interface.
The data can now be viewed, selected, exported and reported.
Not only can MPE+ perform the physical collections on both iOS and Android devices but, as you can see, MPE+ also complements other mobile phone tools that might lack the robust parsing capabilities that MPE+ possesses.
As I always say, one cannot have just one tool when it comes to mobile device forensics, but without a doubt AccessData’s Mobile Phone Examiner Plus should be in your toolbox.