Mobile devices like smartphones and tablets have become a goldmine of potential evidence for law enforcement, corporate investigators, and digital forensics examiners. However, extracting and analyzing data from encrypted mobiles in a forensically sound manner requires specialized tools and training.
In this comprehensive guide, we’ll provide an overview of the leading mobile forensics software suites on the market and discuss their core capabilities, strengths, and limitations.
An Introduction to Mobile Forensics:
Mobile forensics is the practice of preserving, recovering, and examining evidence from mobile devices like cell phones, tablets, and GPS devices. The goals are to extract digital evidence while maintaining its integrity and chain of custody requirements for legal admissibility.
Investigators use mobile forensics during:
- Criminal investigations – To reconstruct timelines, establish motives, identify accomplices, and place suspects at crime scenes.
- Internal investigations – To uncover corporate espionage, IP theft, HR violations, and insider threats.
- Civil litigation – As part of eDiscovery efforts and to obtain communications, files, and location history relevant to the case.
- Malware analysis – To analyze mobile malware, spyware campaigns, and vulnerability exploitation.
- Information security – To analyze compromise of mobile assets and insiders.
Main evidence extracted from smartphones and tablets includes call logs, text messages, browsing history, photos, location data, app data, and more.
However, actually accessing this data poses challenges like encryption, limited ports, proprietary connectors, advanced security controls, and anti-forensics measures. Specialized tools help address these obstacles.
Cellebrite UFED:
Cellebrite’s Universal Forensic Extraction Device (UFED) is one of the leading commercial mobile forensics tools used by law enforcement and government agencies globally. It supports logical, file system, and physical extractions for thousands of device profiles from feature phones to smartphones and tablets running Android, iOS, and other modern mobile OSes.
Key capabilities:
- Automated unlocking of locked iOS and Android devices through advanced brute force, exploitation, and chip-off techniques.
- Fast, optimized forensic-grade extraction speeds. UFED boasts industry-leading performance, with physical iOS extractions in as little as 20 minutes.
- Broad coverage of apps, platforms, and data types. Thousands of app parsers recover artifacts like chats, locations, user activity.
- Built-in analytics features like timeline generation, categorized event decoding, and embedded viewers.
- Extensive phone-to-cloud extraction capabilities, recovering data from services like iCloud and Google Drive.
- Custom package creation to streamline exports for outside analysis and review.
Limitations:
- High annual licensing fees that increase with usage levels and additional capabilities.
- Physical extractions remain very time consuming for newer high-capacity devices with 64GB+ storage.
- Heavily relies on Cellebrite’s research labs for device and app support updates.
- Poorly structured or encoded data can cause crashes during automated parsing routines.
Oxygen Forensics:
Oxygen Forensic® Detective (OFD) is a flagship product from Oxygen Forensics for data extraction and analysis. OFD provides extensive support for physical, logical, and cloud extractions across thousands of iOS and Android device profiles.
Key capabilities:
- Advanced data carving recovers deleted files and artifacts beyond what typical extraction captures.
- Extensive app decoding categorizes data from social, communication, and tracking apps into organized formats.
- Built-in timeline, link charting, and geo-location mapping visualizations.
- Wide coverage for IoT forensics including drones, wearables, and vehicle infotainment systems.
- Cloud data support for accounts and synced content across providers like Google and iCloud.
- Multi-user collaboration capabilities for remote investigations.
Limitations:
- Requires significant hands-on analysis time from examiners, with high levels of manual case/device setup steps.
- Limited capabilities for newer Android OS versions 10+ and compression formats.
- No automated device unlocking features. Instead relies on manual chip removal or existing device access.
- Steep learning curve to utilize advanced capabilities.
Magnet Axiom:
Magnet Axiom by Magnet Forensics focuses on in-depth analysis and categorization of evidence from mobile devices, cloud services, computers, and IoT devices. It’s built around decoding app artifacts rather than extraction speeds.
Key capabilities:
- Granular decoding and categorization of data from thousands of apps, including chat, social media, web, and tracking apps.
- Wide coverage for IoT devices like smartwatches, fitness trackers, drones, and e-readers.
- Visual analysis tools provide built-in case management, reporting, timelines, and powerful visualization.
- Integrated virtual machine support provides isolated testing and malware analysis environments.
- Expansive cloud extraction and analytics covering major platforms like Google and Apple.
Limitations:
- Very limited physical extraction capabilities compared to rivals. Focuses on logical and cloud acquisition.
- High resource usage during mobile acquisitions due to decryption routines. Can be very slow on underpowered machines.
- Extremely steep learning curve to utilize many features. Expect a time investment mastering the tool.
Key Considerations for Selection:
With any mobile forensics tool, there are alternatives across performance, usability, support, and licensing considerations:
- Supported devices and OS versions – Ensure the tool covers all the mobile platforms you regularly encounter.
- Extraction capabilities – If physical acquisitions are a priority, lean towards solutions like Cellebrite and Oxygen.
- Analysis abilities – Weigh custom reporting needs versus out-of-the-box categorization features.
- Cloud support – Factor in the cloud platforms most relevant to your investigations.
- Examiner experience levels – Some solutions have steeper learning curves than others.
- Budget – Look at total cost of ownership, not just upfront costs. Ongoing licensing, training, and support all add up.
The Road Ahead for Mobile Forensics:
As mobile technologies continue rapidly advancing, mobile forensics tools face constant pressure to evolve as well. Some key trends shaping their development path:
- Expanding support for wearables, tablets, IoT devices, and peripherals.
- New smartphone unlocking capabilities as hardware and OS security improves.
- More focus on cloud and app data as local device storage shrinks.
- Expanded use of AI and machine learning for evidence triage and analysis at scale.
- Increased automation to speed up repetitive tasks and keep pace with growing data volumes.
Post comments (0)