At every speaking event I make sure to let the attendees know that there is no one-tool solution when it comes to MDF (mobile device forensics). I always add, “if a company says they are the only solution, do not buy from them”. This is true for two reasons: one, they do not know what they are selling, and two, they do not understand the complexities of mobile device collection and analysis. The focus tends to be just on stamping “Industry First” on the feature and pushing it into the market.
Sometimes rushing to the head of the line means overlooking the steps it takes to get there; the result is often a sub-par feature pushed out to customers. What can we do with multiple tools in our toolbox?
Support more devices
This is the most obvious. Mobile device tools do not support all devices that come to market, period! This is easily recognized by the 20 emails I receive every day from phonescoop.com telling me of a new device that has been approved in the United States and Canada. Yes, only in North America. Now, when we talk about the phones that come to market worldwide, I always use the statistic of 2 phones per hour, every day, across the world. So actually supporting all phones, no matter whether a company touts an “in” with the cellular carriers, is preposterous. Armed with multiple tools you can cover a much wider spectrum. Even then, supporting every device you might see is nearly impossible. So, look to the statistics in your area. Do you see CDMA, GSM, iOS, Android or others? Select tools that cover the wide array of devices you will be encountering in your area and that complement your other forensic tools.
Validation of data
Having a number of tools allows you to validate the data collected. Is the data in UTC or local time? Is the device information properly formatted? Was UTF-8 text properly decoded and displayed? Was the correct number of SMS messages displayed? Contacts?
It is extremely important to run these types of tests upon every upgrade, update and installation. Ultimately it is the examiner who will have to explain that the tool or tools do not add data to the device. This matters because a couple of the tools on the market as a mobile forensic solution really come from the data transfer market. In that market the tools actually add data, such as contacts, SMS, pictures and call logs, to another phone via a cable transfer. You will see this when you go to your local cellular company upon upgrading to a new device.
Validating that the data is consistent across collections from the tools in your toolbox is necessary, but determining whether data has been altered, deleted or manipulated is paramount.
Support additional fields (better analysis)
Would you be surprised to learn that even when multiple tools support the same device, and even the same category of data, say contacts, each tool might not support every field within that category? Take for example Tool A vs. Tool B.
Tool A and Tool B both support the iPhone 4S running iOS 6.0.1. A collection is performed with Tool A and an analysis of the iMessages is completed. Looking at the fields, there are 4 fields representing each iMessage. Think you have it all, right?
The same collection from Tool A is imported as an image into Tool B (AccessData’s MPE+). The image is parsed for the iMessages and now an additional 4 fields are shown. What does this mean to you as an investigator? Simply put, more data = more evidence. If you were using only Tool A you would be without an additional four fields of user data for that iMessage. So in this instance using multiple tools benefited the overall case because one tool performed better analysis of the data.
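As an added illustration (not code from the original post or from any vendor) of both the cross-tool validation described under “Validation of data” and the field-coverage gap in the Tool A / Tool B example above, the script below normalises two tools’ exports of the same iMessages to UTC, reports which fields only one tool exposes, and flags value mismatches. The two exports, the field names, the UTC-5 local offset and the mis-decoded emoji are all constructed assumptions, not output from any real tool.

```python
from datetime import datetime, timezone

# Constructed sample exports of the same three iMessages as two tools might report them.
# "Tool A" exposes four fields and reports local time (UTC-5 here, an assumption);
# "Tool B" exposes the same four plus four more and reports UTC epoch seconds.
TOOL_A = [
    {"id": 101, "address": "+15550100", "text": "on my way",    "date": "2012-11-02T09:15:00-05:00"},
    {"id": 102, "address": "+15550100", "text": "running late", "date": "2012-11-02T09:20:30-05:00"},
    {"id": 103, "address": "+15550123", "text": "ok ?",         "date": "2012-11-02T10:01:00-05:00"},  # emoji mis-decoded (constructed)
]
TOOL_B = [
    {"id": 101, "address": "+15550100", "text": "on my way",    "date": 1351865700,
     "is_from_me": 1, "is_delivered": 1, "is_read": 1, "service": "iMessage"},
    {"id": 102, "address": "+15550100", "text": "running late", "date": 1351866030,
     "is_from_me": 0, "is_delivered": 1, "is_read": 1, "service": "iMessage"},
    {"id": 103, "address": "+15550123", "text": "ok \U0001F44D", "date": 1351868460,
     "is_from_me": 1, "is_delivered": 0, "is_read": 0, "service": "iMessage"},
]

def to_utc(value):
    """Normalise an ISO 8601 string with offset, or epoch seconds, to an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value).astimezone(timezone.utc)

def compare_exports(a, b, key="id"):
    """Cross-validate two tools' parses of the same collection.

    Returns record counts, fields each tool reports that the other does not,
    record ids present in only one export, and per-record value mismatches on
    the shared fields (timestamps are compared after normalising to UTC).
    """
    by_a = {r[key]: r for r in a}
    by_b = {r[key]: r for r in b}
    fields_a = set().union(*(r.keys() for r in a))
    fields_b = set().union(*(r.keys() for r in b))
    shared = (fields_a & fields_b) - {key}
    mismatches = []
    for k in sorted(by_a.keys() & by_b.keys()):
        for f in sorted(shared):
            va, vb = by_a[k][f], by_b[k][f]
            if f == "date":
                va, vb = to_utc(va), to_utc(vb)
            if va != vb:
                mismatches.append((k, f, by_a[k][f], by_b[k][f]))
    return {
        "count_a": len(a), "count_b": len(b),
        "only_in_a": sorted(fields_a - fields_b), "only_in_b": sorted(fields_b - fields_a),
        "unmatched_ids": sorted(by_a.keys() ^ by_b.keys()),
        "mismatches": mismatches,
    }

if __name__ == "__main__":
    for name, value in compare_exports(TOOL_A, TOOL_B).items():
        print(f"{name}: {value}")
```

A real run would replace the two constructed lists with records loaded from each tool’s export, keyed on whatever identifier both tools preserve.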
Having more than one mobile device forensic solution available to you will benefit you in many ways. As you have read, having multiple tools will allow you to validate the collection and extraction, allow for better analysis and recovery of data not supported by the initial tool, and allow you to support more of the devices that come into your lab.