Device Seizure By Paraben


Christain Cobb

Aug 5, 2024, 2:56:35 AM8/5/24
to telnedalit
As part of my work, I recently put together a fairly comprehensive cell phone forensic course. As part of the development phase of this project, I had a chance to use most of the common cell phone forensic tools and put them through their paces with over 50 different phones, most of which were international models.

In my opinion, the forensic industry is nowhere near where we are today with cell phone forensics compared to computer forensics. Mostly this is because it is a fairly new sub-field of digital forensics, and the tools just have not been around long and have not yet evolved to the state where the current computer forensic tools are at.

I also think it is due to the complete lack of standardization by phone manufacturers. With computer forensics, you have different makes and models of computers, and it generally has little effect on the analysis phase because how they each operate is standardized and follows a set of design specifications. Whereas in cell phone forensics, each cell phone manufacturer could be using their own proprietary operating system, and each phone may operate completely differently from other models by the same manufacturer. This makes developing an all-inclusive tool that can support all the manufacturers and models of phones very difficult and is something like hitting a moving target traveling at 200mph. By the time you develop a tool to deal with a specific phone, 5 more new ones have been released that don't follow the same standard(s).

**** I have no association with any of these vendors****

The following is just my experience and impressions of the current state of these tools; future version releases could improve or worsen their performance.

The tools I used and evaluated are as follows:

Cellebrite

Neutrino (Guidance Software)

Mobile Phone Examiner (AccessData)

Secure View (DataPilot)

XRY

XACT

Paraben

Fernico ZRT

Project-a-phone

To first summarize my experience and findings, I would rate my top three tools as:

Cellebrite

DataPilot

XRY

The reason for rating these tools as my top three tools is based on these criteria:

Functionality

Supported phones

Ease of use

Cellebrite

Currently, the only tool evaluated that can handle iPhones. This was not a deal-maker/breaker for me, but it is worth noting. This is a very simple to use handheld device that can be brought out into the field. I would love to see it have an internal battery to facilitate true in-the-field information gathering. This device handles many different phone models. It supports cable connections to phones as well as Bluetooth. It cannot be any simpler to use; clear & easy menu-driven screens guide the operator through the acquisition phase. Information can be sent immediately to an attached computer or saved to a USB flash drive, so it can be handed to an investigator for review.

DataPilot (Secure View)

Nice compact kit. Comes with an excellent cable kit that supports many different phones. This is a software solution that really only involves cables and a security key to enable the software. The software is simple to use. Generates nice clean reports.

XRY

XRY is a kit that comes in a fairly large box (suitcase). It comes with several cables, but not as many as Cellebrite or DataPilot. The XRY device itself is fairly small and self-explanatory with clearly labeled ports and connections. The device can be powered by a wall plug or by USB port, making field acquisitions very easy. The software interface is very simple to use and it supports a large number of phones.

For the rest of the devices I used and evaluated, the following are some of the findings and experiences that were relevant to my rating of these devices:

Neutrino

This device is an add-on to EnCase. It comes in a very large case. The biggest downside to this product is the lack of support for phones. The number of phones this device supports and can extract data from is very low. The ability to read non-US models is also very very low.

AccessData MPE

Notwithstanding all the known and previously discussed issues with FTK 2.0, I found this product to be very "clunky" and not too intuitive. I had common problems with the licensing of the MPE module and it not recognizing phones that were connected. Phone support is also very low. Ease of use is very low.

XACT

XACT is the only tool that is focused on getting a physical image of a phone. I was very excited to see this product and try it out. The hardware and software are almost identical to XRY. The biggest disappointment I had with this product is that it just didn't work or support many phones. Even with the phones it said it supported, I had trouble, and I later found out that it only supports phones with certain firmware. So if the documentation says it supports a Motorola SLVR L7, it may not work if that phone is using a certain firmware version. XACT can parse the "physical" image of some phones and break out the data into categories and show logical data, such as SMS, photos, etc., but this does not work on all models of phones. I didn't mind this because I could still look at the physical image, but unfortunately many of the phones I tried simply would not work because the firmware version was not supported. I was very happy that, on an old Motorola SLVR L7 I examined, XACT was able to pull a physical image, but not parse the data. A manual search of the data resulted in several SMS messages that were deleted and were from 8-9 months in the past. The bummer was that when I tried three more Motorola SLVR L7 phones, a physical image could not be obtained because of an unsupported firmware version on these phones.

Paraben

This device suffers from many of the same drawbacks as Neutrino. It does not support many common phone types. Like Neutrino, it needs drivers installed for many of the phones.

Fernico ZRT

This really isn't a forensic tool, but rather a solution to process phones manually. It includes an awesome desk clamp, camera, microphone and software so that if you need to process a phone that isn't supported by one of the above tools, you can manually go through the phone and record everything as you do it. This is hands down my tool of choice when having to process or deal with phones that a forensic tool cannot process or when I want to manually capture something on a phone.

Project-a-phone

This tool is similar to Fernico, as it is used to manually process a phone and record right off the phone's screen as the investigator cycles through the phone screens. I found this product to be very low-quality and cheap looking. The camera image is very poor and not very usable. I would not recommend using this product at all.


Whilst the Cellebrite may support more phones than many of the other tools, what you have neglected to state is that in many instances it extracts the least data of all the stated tools. With many of the phones it claims to support, it does no more than extract contact lists, leaving the relevant info (messages, call logs, photos, etc.) behind.


I am an LEO detective in Florida who is doing some research into what the best products on the market are to start doing forensic examinations on cellphones and other handheld devices. If you could only buy one product (hardware kit and software), what would you buy? I spoke with some examiners who say Paraben products, but based on my research it doesn't seem to be the best product on the market. Has anyone had any experience with the Logicube Cell TEK kit? Right now they are running a special of $5,500 until the new year, but it is regularly $12,000. Is it worth the money? Does anyone have any good or bad comments about this product? It looks like a good product, but looks don't get you far. Does anyone have any experience with this kit and software product, and if so would you recommend it? Is it good, bad or just OK? Any info is welcome. Thanks


guillette173...



If I had one choice, I would select the Cellebrite. I am also LE in FL, and we have had great success with the unit. To that end, the Cellebrite supports a ton of phones, but on certain phones, it only supports phonebook and pictures. It doesn't get SMS, recent call list, etc. Regardless, you can't go wrong with this kit. We use it in concert with other products as it relates to the cable kit. Many of the cables plug in via USB to the PC as well, and we've had good success in pulling data through Cellebrite cables on a PC using other software suites.


And the funny thing is the most used product for cell phone "Forensics" here in the States is BitPim. We have CellDek, Paraben Device Seizure, XRY and Cellebrite, and it seems while those tools get about 50% of the phone or so, we resort to BitPim to do a lot of the clean-up work and as the last-ditch effort. Only for CDMA phones though.


BTW..guillette173

CellDek is decent. When we bought it almost 2 years ago it was almost $20K, and it gets your standard 50-60% of phones. It's simple to use if that's what you are looking for. And like most cell phone products it has a large yearly maintenance fee for updates/cables etc. (I think 1K+ or more). I know we got 2 new cables for the Cellebrite last year at what, a $1000 fee? Hmm.


The Project-a-phone works. Period. It's not built like a tank like the Fernico, but it's not priced like a tank either. It gets the images you need of the phones that your software won't touch, and it's good enough for a jury to see what the phone looks like. It's not priced or built like a commercial-grade product, but it does what it's supposed to.
