Yesterday @Celldet was also busy with another class, this time on smart devices. The focus was first on what a smart device is in the mobile sense, and on the fact that it is really just a mobile computer. The black-and-white line that once separated a mobile device from a computer in storage capacity, computing ability and applications no longer exists. The only difference left is in how today's examiners forensically examine the two. The point, it appeared, was that the data held on a computer is no different from the data held on a mobile phone, so we as examiners should be able to harvest far more pieces of data than we currently do. So the quest was on.
@Celldet busted out @AccessData FTK 4 and MPE+ to walk the students through the many artifacts in both the Android and iOS filesystems. Like a cooking show, physical images of both an iPhone 4 running iOS 5.1 and the userpartition.yaffs2 of an HTC Hero had been obtained previously with MPE+ and then processed in FTK 4. The attendees were then taken through the filesystem, looking at the beautiful display of SQLite databases rendered into FTK's HTML view: from Spotlight, to SMS, and into the application area. Each SQLite database is a treasure trove of user data, from settings to stored content. Then the new MPE+ iOS and Android parsers were unleashed.
At first, the attendees (at least I did) thought this was some sort of sadistic trick. We had previously and methodically negotiated the filesystem in FTK for this great data, and @Celldet is now going to show us that MPE+ automates the process! The payback was that the image he wanted to use was not on his computer, so he had to use his own iPhone 4 image. Paybacks! The image was imported and mounted immediately, which is a new feature of MPE+ 4.8. MPE+ now mounts file types like AD1, E01, yaffs, yaffs2, ext, ext3, ext4, fat, dd and compressed folders, just like FTK Imager or FTK.
So once the iOS image was mounted, @Celldet simply went to the Tools menu, selected Parser and then iOS, selected the folder to parse and let it run. A few seconds later, capabilities like email, MMS, contacts, SMS, calendar, notes, WebKit, browser and more appeared for selection. @Celldet selected all, and the collected data filled the data grid. The same thing was done with the Android device: simply point to the mounted image and select the capabilities you want! Amazing.
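The parser step above boils down to walking a mounted filesystem image, identifying the SQLite databases in it, and pulling out their tables. The script below is an added illustration of that idea and is not MPE+ or AccessData code. It assumes the mounted image is visible as an ordinary directory tree, identifies databases by the SQLite file header rather than by extension (a file called `.db` is not proof of anything), opens each one read-only so the evidence is not modified, and reports the tables and row counts per database. The iOS-style paths and the `message` and `setting` tables are a constructed sample built in a temporary directory; real device layouts differ.

```python
import os
import sqlite3
import tempfile

# First 16 bytes of every SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path):
    """Identify a SQLite database by its header, not its file extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def describe_db(path):
    """Return {table_name: row_count} for one database, opened read-only."""
    # mode=ro keeps the evidence file untouched (no journal or WAL writes).
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        names = [
            row[0]
            for row in conn.execute(
                "SELECT name FROM sqlite_master "
                "WHERE type='table' AND name NOT LIKE 'sqlite_%'"
            )
        ]
        # Table names come from the database itself, so quote them.
        return {
            name: conn.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
            for name in names
        }
    finally:
        conn.close()


def inventory_sqlite(root):
    """Walk a mounted image directory and describe every SQLite database in it."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_sqlite_file(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = describe_db(full)
    return found


def build_sample_image(base):
    """Constructed stand-in for a mounted iOS image (hypothetical paths and data)."""
    sms_dir = os.path.join(base, "private", "var", "mobile", "Library", "SMS")
    pref_dir = os.path.join(base, "Library", "Preferences")
    cache_dir = os.path.join(base, "Library", "Caches")
    for d in (sms_dir, pref_dir, cache_dir):
        os.makedirs(d, exist_ok=True)

    conn = sqlite3.connect(os.path.join(sms_dir, "sms.db"))
    conn.execute("CREATE TABLE message (rowid INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany("INSERT INTO message (text) VALUES (?)",
                     [("hi",), ("running late",), ("ok",)])
    conn.commit()
    conn.close()

    conn = sqlite3.connect(os.path.join(pref_dir, "settings.db"))
    conn.execute("CREATE TABLE setting (key TEXT, value TEXT)")
    conn.executemany("INSERT INTO setting VALUES (?, ?)",
                     [("timezone", "UTC"), ("locale", "en_US")])
    conn.commit()
    conn.close()

    # A decoy: .db extension but not a SQLite file; must be skipped.
    with open(os.path.join(cache_dir, "decoy.db"), "w") as fh:
        fh.write("plain text, not a database\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, tables in sorted(inventory_sqlite(build_sample_image(tmp)).items()):
            print(path, tables)
```

Running it prints one line per database found, such as `private/var/mobile/Library/SMS/sms.db {'message': 3}`, and silently skips the decoy file. A commercial parser goes one step further by knowing which columns in each known database hold the interesting user data; this script stops at the inventory, which is the part that generalises to images created by other tools.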
What had to be flashing through many of the attendees' swirling domes was the realization that they could now bring in images created by other programs, run the powerful parsers against them, and uncover even more pieces of data.
@Celldet ended by showing a "not released" parser that readers will have to wait for the official release, or the next blog post, to see. Simply put, a game changer. Until then.