Paraben Mobile Forensics


Leysan Torri

Aug 5, 2024, 5:40:35 AM
to lebunate
Paraben Corporation offers E3:MOBILE, an all-inclusive solution for smartphone processing. Since 2001, Paraben has been at the forefront of mobile forensics, dedicated to comprehending and providing tools to capture and analyze data from these devices. Our wide range of acquisition techniques, including rooting, jailbreaking, ADB Backup, downgrading, and chip dumps, ensures the ability to extract data from all versions of Apple iOS and Android. E3:MOBILE also supports various other mobile devices, such as feature phones, GPS devices, and IoT devices. Experience the power of E3:MOBILE by scheduling a live demonstration with our esteemed Paraben Team members, available Monday to Friday.



The Paraben E3:Universal software license allows you to perform a comprehensive examination of data with capture capabilities for remote imaging, smartphone logical and physical capture, and even bootable triage imaging. The variety of options makes E3:Universal ideal for any lab that needs to have diverse capabilities to deal with digital investigations.


The E3 interface follows the standard processes from Adding Evidence items to focusing on the analysis capabilities. The large variety of supported evidence allows E3:Universal to be the flagship tool for a lab, with over 40 processing engines just for computer file systems and related data; adding the additional 20+ engines for mobile and IoT, you truly experience what comprehensive capabilities are in a lab.


Many organizations worry about what changing tools will do to their turnaround time. We have taken that concern to heart with the inclusion of a free online course that teaches you the basics to get you started. You will even receive an operator level certification upon completion. The course for E3:Universal users covers both the computer aspects as well as the mobile aspects of examinations.


Beginning to use Paraben in your organization has never been easier with an intuitive interface and out-of-this-world documentation; plus, 24/7 forensic support means Paraben has you covered with your mobile forensics needs.


Even if the connection is lost, you are able to save the unfinished images and resume the imaging process later. In a world where images can be needed at any time from any location, from networks to cloud providers, having the tool you need to get that work done is critical.


Upon completion you will be able to operate the E3 Forensic Platform through the three primary areas of mobile evidence capture. The first stage of acquisition will focus on both the logical and physical imaging of devices. The DSMO course will focus on a variety of devices from feature phones, Androids and iOS Apple devices. Physical acquisition will also be reviewed with feature phones and Androids. The analysis portion will focus on the searching, reviewing and app analysis that is commonly used in mobile forensics. Finally, the review of data through the use of bookmarking and reporting will round out the cornerstones required for doing proper digital forensic investigations of mobile devices.


Amber Schroader is the CEO and Founder of Paraben Corporation. She has spent the last two decades as a driving force for innovation in digital forensics. Amber has developed over two-dozen software programs designed for the purposes of recovering digital data from mobile phones, computer hard drives, email and live monitoring services. In addition to designing technology for digital forensics, she also spearheaded the procedures for mobile and smartphone devices as well as the emerging field of Internet-of-Things (IoT) devices.


Amber is the patent holder on the EMI shielding container, otherwise known as a Faraday bag, as well as an inventor of many other shielding products. Amber has written and taught numerous classes for this specialized field as well as founded multiple certifications in the field.




Paraben's E3:DS is a full-featured mobile device forensic analysis tool kit. Everything, including a nice collection of cables, a battery backup and many other important accessories, comes with it. When you receive your license dongle all you need to do is download the product from Paraben's web site and install. You also need to install drivers for the various mobile devices the tool supports - and there are a lot of them - and the dongle manager software. Once all of that is downloaded and installed you're ready to go. Even with some dongle problems caused by the latest upgrade of Windows 10 it only took us less than a half hour to do everything. The dongle did not work, courtesy of Microsoft, but Paraben has a software dongle that will work for a limited time until your dongle arrives or you are able to repair the drivers.


Once we had the dongle updated and installed, and the drivers were repaired we were ready to acquire a mobile device. Our target was a Motorola Droid. All of the cables we needed were in the kit and we were ready for business in little time. Androids need a bit of setup before you can acquire them. We used a Droid XT1565 and we were not interested in rooting it (since it is a personal phone). That left us to do a logical acquisition and that went very smoothly. In the logical mode, E3:DS can recover deleted contacts, SMS history, MMS history, call history as well as the usual non-deleted files. It can remove password protection as well for Android versions lower than 4.1.


Once the data were all in the case we created it was very simple to walk through it and analyze the phone. Acquisition is enhanced by device drivers for over 27,000 mobile devices including phones, tablets, GPS and IoT devices. It also has the ability to image data from cloud accounts such as Facebook, Twitter and lots of others.


The Paraben web site is excellent. We were able to register our software and activate it even though we had dongle issues right from the support area on the site ("Customer Zone"). Here, too, you can download the latest driver packs. When it became evident that we were going to need some support beyond what the web site could offer in its FAQ and knowledge base, we contacted the company by email figuring that, as it was a holiday, we would hear nothing until Tuesday. However, Paraben maintains 24X7 support and we were up and running in no time with the support engineer contacting us by email along the way (after spending time on the phone at 5:30PM on Labor Day) to make sure we were out of the woods.


Pricing for E3:DS is very reasonable for what you get and for an easy-to-use, quick tool it can't be beat. This is the best mobile device forensics tool Paraben has produced and for on-the-run mobile device forensics it's just the thing.


We have observed that many tools of this type have more features and are applicable largely to lab use. E3:DS is applicable to just about any mobile device forensics task that requires solid court-ready forensics (you can even create a special forensically sound container if you wish), management of your cases and everything you need to acquire devices in a hurry. When we were conducting analyses of mobile devices at our university this would have been the perfect tool to have when time is short and evidence is critical. Even if you are using other tools, give this one a very close look. It really does belong in your tool kit.


As part of my work, I recently put together a fairly comprehensive cell phone forensic course. As part of the development phase of this project, I had a chance to use most of all the common cell phone forensic tools and put them through the paces with over 50 different phones, most of which were international models.



In my opinion, the forensic industry is nowhere near where we are today with cell phone forensics compared to computer forensics. Mostly because it is a fairly new sub-field of digital forensics and the tools just have not been around long and have not yet evolved to the state where the current computer forensic tools are at.



I also think it is due to the complete lack of standardization by phone manufacturers. With computer forensics, you have different makes and models of computers and it generally has little effect on the analysis phase because how they each operate is standardized and follows a set of design specifications. Whereas in cell phone forensics, each cell phone manufacturer could be using their own proprietary operating system and each phone may operate completely differently from other models by the same manufacturer. This makes developing an all-inclusive tool that can support all the manufacturers and models of phones very difficult and is something like hitting a moving target traveling at 200 mph. By the time you develop a tool to deal with a specific phone, 5 more new ones have been released that don't follow the same standard(s).



**** I have no association with any of these vendors****

The following is just my experience and impressions of the current state of these tools, future version releases could improve or worsen their performance.



The tools I used and evaluated are as follows:



Cellebrite

Neutrino (Guidance Software)

Mobile Phone Examiner (AccessData)

Secure View (DataPilot)

XRY

XACT

Paraben

Fernico ZRT

Project-a-phone




To first summarize my experience and findings, I would rate my top three tools as:

Cellebrite

DataPilot

XRY



The reason for rating these tools as my top three tools is based on these criteria:

Functionality

Supported phones

Ease of use



Cellebrite

Currently, the only tool evaluated that can handle iPhones. This was not a deal-maker/breaker for me, but it is worth noting. This is a very simple to use hand held device that can be brought out into the field. I would love to see it have an internal battery to facilitate true in-the-field information gathering. This device handles many different phone models. It supports cable connections to phones as well as Bluetooth. It cannot be any simpler to use; clear & easy menu-driven screens guide the operator through the acquisition phase. Information can be sent immediately to an attached computer or saved to a USB flash drive, so it can be handed to an investigator for review.



DataPilot (Secure View)

Nice compact kit. Comes with an excellent cable kit that supports many different phones. This is a software solution that really only involves cables and a security key to enable the software. The software is simple to use. Generates nice clean reports.



XRY

XRY is a kit that comes in a fairly large box (suitcase). It comes with several cables, but not as many as Cellebrite or DataPilot. The XRY device itself is fairly small and self-explanatory with clearly labeled ports and connections. The device can be powered by a wall plug or by USB port, making field acquisitions very easy. The software interface is very simple to use and it supports a large number of phones.



For the rest of the devices I used and evaluated, the following are some of the findings and experiences that were relevant to my rating of these devices:



Neutrino

This device is an add-on to EnCase. It comes in a very large case. The biggest downside to this product is the lack of support for phones. The number of phones this device supports and can extract data from is very low. The ability to read non-US models is also very very low.



AccessData MPE

Notwithstanding all the known and previously discussed issues with FTK 2.0, I found this product to be very "clunky" and not too intuitive. I had common problems with the licensing of the MPE module and it not recognizing phones that were connected. Phone support is also very low. Ease of use is very low.



XACT

XACT is the only tool that is focused on getting a physical image of a phone. I was very excited to see this product and try it out. The hardware and software are almost identical to XRY. The biggest disappointment I had with this product is that it just didn't work or support many phones. Even the phones it said it supported, I had trouble with and later found out that it only supports phones with certain firmware. So if the documentation says it supports a Motorola SLVR L7, it may not work if that phone is using a certain firmware version. XACT can parse the "physical" image of some phones and break out the data into categories and show logical data, such as SMS, photos, etc., but this does not work on all models of phones. I didn't mind this because I could still look at the physical image, but unfortunately many of the phones I tried simply would not work because the firmware version was not supported. I was very happy that an old Motorola SLVR L7 that I examined, XACT was able to pull a physical image, but not parse the data. A manual search of the data resulted in several SMS messages that were deleted and were from 8-9 months in the past. The bummer was that when I tried three more Motorola SLVR L7 phones, a physical image could not be obtained because of an unsupported firmware version on these phones.



Paraben

This device suffers from many of the same drawbacks as Neutrino. It does not support many common phone types. Like Neutrino, it needs drivers installed for many of the phones.



Fernico ZRT

This really isn't a forensic tool, but rather a solution to process phones manually. It includes an awesome desk clamp, camera, microphone and software so that if you need to process a phone that isn't supported by one of the above tools, you can manually go through the phone and record everything as you do it. This is hands down my tool of choice when having to process or deal with phones that a forensic tool cannot process or when I want to manually capture something on a phone.



Project-a-phone

This tool is similar to Fernico, as it is used to manually process a phone and record right off the phone's screen as the investigator cycles through the phone screens. I found this product to be very low-quality and cheap looking. The camera image is very poor and not very usable. I would not recommend using this product at all.
