My current impression of cell phone forensic tools
As part of my work, I recently put together a fairly comprehensive cell phone forensic course. As part of the development phase of this project, I had a chance to use most of all the common cell phone forensic tools and put them through the paces with over 50 different phones, most of which were international models.
In opinion, the forensic industry is nowhere near where we are today with cell phone forensics compared to computer forensics. Mostly because it is a fairly new sub-field of digital forensics and the tools just have not been around long and have not yet evolved to the state where the current computer forensic tools are at.
I also think it is due to the complete lack of standardization by phone manufacturers. With computer forensics, you have different makes and models of computers and it generally has little effect on the analysis phase because how they each operate is standardized and follow a set of design specifications. Whereas in cell phone forensics, each cell phone manufacturer could be using their own proprietary operating system and each phone may operate completely different from other models by the same manufacturer. This makes developing an all-inclusive tool that can support all the manufacturers and models of phones very difficult and is something like hitting a moving target traveling at 200mph. By the time you develop a tool to deal with a specific phone, 5 more new ones have been released that don't follow the same standard(s).
**** I have no association with any of these vendors****
The following is just my experience and impressions of the current state of these tools, future version releases could improve or worsen their performance.
The tools I used and evaluated are as follows:
Cellebrite
http://www.cellebrite.com/
Neutrino (Guidance Software)
http://www.guidancesoftware.com/
Mobile Phone Examiner (AccessData)
http://www.accessdata.com/
Secure View (DataPilot)
http://www.datapilot.com/productdetail/253/producthl/Notempty
XRY
http://www.msab.com/
XACT
http://www.msab.com/
Paraben
http://www.paraben-forensics.com/catalog/product_info.php?cPath=26&products_id=343
Fernico ZRT
http://www.fernico.com/zrt.html
Project-a-phone
http://www.projectaphone.com/
To first summarize my experience and findings, I would rate my top three tools as:
Cellebrite
DataPilot
XRY
The reason for rating these tools as my top three tools is based on this criteria:
Functionality
Supported phones
Ease of use
Cellebrite
Currently, the only tool evaluated that can handle iPhones. This was not a deal-maker/breaker for me, but it is worth noting. This is a very simple to use hand held device that can be brought out into the field. I would love to see it have an internal battery to facilitate true in-the-field information gathering. This device handles many different phone models. It supports cable connections to phones as well as bluetooth. It cannot be any simpler to use, clear & easy menu driven screens guide the operator through the acquisition phase. Information can be sent immediately to an attached computer or saved to a USB flash drive, so it can be handed to an investigator for review.
DataPilot (Secure View)
Nice compact kit. Comes with an excellent cable kit that supports many different phones. This is a software solution that really only involves cables and a security key to enable to software. The software is simple to use. Generates nice clean reports.
XRY
XRY is a kit that comes in a fairly large box (suitcase). It comes with several cables, but not as many as Cellebrite or DataPilot. The XRY device itself is fairly small and self-explanatory with clearly labeled ports and connections. The device can be powered by a wall plug or by USB port, making field acquisitions very easy. The software interface is very simple to use and it supports a large number of phones.
For the rest of the devices I used and evaluated, the following are some of the findings and experiences that were relevant to my rating of these devices:
Neutrino
This device is an add-on to EnCase. It comes in a very large case. The biggest downside to this product is the lack of support for phones. The number of phones this device supports and can extract data from is very low. The ability to read non-US models is also very very low.
AccessData MPE
Notwithstanding all the known and previously discussed issues with FTK 2.0, I found this product to be very "clunky" and not too intuitive. I had common problems with the licensing of the MPE module and it not recognizing phones that were connected. Phone support it also very low. Ease of use is very low.
XACT
XACT is the only tool that is focused on getting a physical image of a phone. I was very excited to see this product and try it out. The hardware and software is almost identical to XRY. The biggest disappointment I had with this product is that it just didn't work or support many phones. Even the phones it said it supported, I had trouble with and later found out that it only supports phones with certain firmware. So if the documentation says it supports a Motorola SLVR L7, it may not work if that phone is using a certain firmware version. XACT can parse the "physical" image of some phones and break out the data into categories and show logical data, such as SMS, photos, etc, but this does not work on all models of phones. I didn't mind this because I could still look at the physical image, but unfortunately many of the phones I tried simply would not work because the firmware version was not supported. I was very happy that an old Motorola SLVR L7 that I examined, XACT was able to pull a physical image, but not parse the data. A manual search of the data resulted in several SMS messages that were deleted and were from 8-9 months in the past. The bummer was that when I tried three more Motorola SLVR L7 phones, a physical image could not be obtained because of an unsupported firmware version on these phones.
Paraben
This device suffers from many of the drawbacks as Neutrino. It does not support many common phone types. As Neutrino, it needs drivers installed for many of the phones.
Fernico ZRT
This really isn't a forensic tool, but rather a solution to process phones manually. It includes an awesome desk clamp, camera, microphone and software so that if you need to process a phone that isn't supported by one of the above tools, you can manually go through the phone and record everything as you do it. This is hands down my tool of choice when having to process or deal with phones that a forensic tool cannot process or when I want to manually capture something on a phone.
Project-a-phone
This tool is similar to Fernico, as it is used to manually process a phone and record right off the phone's screen as the investigator cycles through the phone screens. I found this product to be very low-quality and cheap looking. The camera image is very poor and not very usable. I would not recommend using this product at all.
ShareThis
Posts
49 comments:
Lance, thanks for the consolidated info. Have you looked into MobilEdit Forensic? I have used it a couple times and seems to pull good info and supports a good number of phones..
This is awesome Lance, thanks for the write up...
You should enroll for a XACT training and get a better understanding of the tool. There are some quite outstanding possibilities!!
Whilst the Cellebrite may support more phones then many of the other tools, what you have negated to state is that in many instances it extracts the least data of all the stated tools. With many of the phones it claims to support, it does no more then extract contact lists, leaving the relevant info (Messages, call logs, photos, etc) behind.
I am an leo detective in florida that is doing some research into what is the best products on the market to start doing forensic examinations on cellphone and other handheld devices. If you could only buy one product (hardware kit and software) what would you buy. I spoke with some examiner who say Paraben products but based on my research it doesn't seem to be the best product on the market. Has anyone had any experience with Logicube Cell TEK KIT. Right now they are running a special $5,500 until the new year, but it is regularly $12,000. Is it worth the money? Does anyone have anything good or bad comments about this product. Looks like a good product but looks don't get you far. Does anyone have any experience with this kit and software product and if so would you recommend it "is it good, bad or just ok?? Any info is welcome. Thanks
guillette173...
If I had one choice, I would select the Cellebrite. I am also LE in FL, and we have had great success with the unit. To that end, the Cellebrite supports a ton of phones, but on certain phones, it only supports phonebook and pictures. It doesn't get SMS, recent call list, etc. Regardless, you can't go wrong with this kit. We use it in concert with other products as it relates to the cable kit. Many of the cables plug in via USB to the PC as well, and we've had good success in pulling data through Cellebrite cables on a PC using other software suites.
And the funny thing is the most used product for cell phone "Forensics" here in the states is BitPim.. We have CellDek, Paraben Device Seizure, XRY and Cellbrite.. and it seems while those tools get about 50% of the phone or so.. We resort to BitPim to do alot of the Clean up work and as the last ditch effort.. Only for CDMA Phones though..
BTW..guillette173
CellDek is Decent...when we bought it almost 2 years ago it was almost $20K..and it gets your standard 50-60% of phones.. It's simple to use if that's what you are looking for.. And like most cell phone products it has a large yearly maintenance fee for updates/cables etc.. etc (I think 1K+ or more). I know We got 2 new cables for the Cellbrite last year..at what..$1000 fee? Hmm..
The project-a-phone works. Period. It's not built like a tank like the fernico... but it's not priced like a Tank either. It get's the images you need of the phones that your software won't touch.. and it's good enough for a Jury's to see what the phone looks like. It's not priced or built like a commercial grade product..but it does what it's supposed to...
I have used the Cellebrite UFED product for close to a year now with great success..In the past year the content support..IE pics, vids, SMS and call histories have increased dramatically and they just added Sim ID cloning and iPhone support at the touch of a button !!
PLEASE stay FAR away from Paraben as you will encounter major connection (Driver and com port) issues..Low Phone support and cust service
Celldeck ehh..unit and cables way overpriced..
Cellebrite ..best bang for buck in my book
To the Cell DEK TEK guy: BEWARE!!!! The support for CellDEK is AWFUL!!! It had promise in November of 2006, but due to horrific support, and the units being made with cheaper parts, we arent going with them. Very pretty lights, and VERY simple to use. Also, updating a CellDEK is also a nightmare as well! We have had to return the entire device several times because an update made the box non-functional. I think they made their research money back, and are now just dumping product. Some people paid 20K for their stuff, and now it’s “on sale” for $7,000?!??!?!?!.
Paraben is another bad option. Their support is awful, and they continue to store their data in a proprietary format container. If the container gets corrupt, you cannot retrieve ANY of your data, and are required to PAY THEM to try to recover your data should the file become corrupt!?!?!?! Also, they continue to encrypt their log files not allowing you to see all the commands that their tool is throwing to your phone.
I agree with the author here: CelleBrite, DataPilot and XRY are all good choices! Get a copy of BitPIM, and do not dismiss it just because it is free!
ONE Cell Phone Forensics tool will NOT meet all your needs! If ANYONE tells you that they are LYING! Get a few, CelleBrite and BitPIM are a good start, but be prepared to buy cables and other tools as new phones come in.
Also, going to the Mobile Forensics World is a wise choice as well if you only want to talk about phone stuff! Some of the best in the world are there to answer YOUR questions personally!
2 comments.
I second the recommendation for MobilEdit Forensic
Re Paraben. I don't know how recent the bad experience with Paraben was, but they've improved a lot in the last few months. I find there phone tools pretty good and use it all the time for RIM Blackberry's
Great feedback Lance, appreciate it. I have found that the more tools you have, the more phones you will recover data from. Between Secure View, XRY, Device Seizure, Mobile Edit, Cellebrite, Bit Pim, various flasher boxes, Windows Hyper Terminal and patience, we recover data from about 95% of all the phones we examine. Don't waste your money on CellDek, you can spend the funds on multiple tools that will work with a number of other phones. If we can't get the data with the above tools, then it is Fernico to the rescue, it is outstanding and well worth the money. Another factor is training, by far the best is MFI training by Lee Reiber and for us Canadians, the CPC CSAW (Cellphone Seizure and Analysis Workshop). Without proper training, you will miss out on proceedures and techniques that will allow you to find data. One other thing that helps is websites/blogs like this that allow experts like Lance to share thier knowledge with other examiners in this field. If we all share our experiences with the tools and various cell phones we encounter, the further we all will be.
Anyone using any of the BK Forensics software/hardware? They have some deals for LEOs on training and equipment (and free is ALWAYS the right price) but i am wondering if any has tried it?
I agree with anonymous, who said "Get a copy of BitPIM, and do not dismiss it just because it is free!"
My two primary tools for phones are Paraben DS and Bitpim. I have recently discovered more limitations to DS, but for the most part it does a fine job. Bitpim is exceptional, once you know how to exploit it's strengths and should be in your tool box! I did notice that the title of the blog was "Cell Phone Forensic Tools", and surmised that was the reason Bitpim was not present.
Running Bitpim on a Linux of Mac OS eliminates the need for drivers for most of their supported phones, eases the daily grind when you have fewer drivers to load and create conflicts.
Don L.
Cell Deck? Yikes! Please stay awy from that OVERPRICED OLD suitcase! In the past, I have had date and time issues, incossistant reports as well as having to replace the entire unit as an update made the OLD suitcase freeze up.
However,I do give Logicube credit for the pretty lights and sexy packaging
Paraben, too many driver and connection issues and inaccurate supported phone list. 1,900 claimed handsets supported?? LOL..NO WAY PARTNER..Not even close to that #
XRY/Xact good GSM suppoort but Lacks CDMA SUPPORT!! Last time I checked we are based in the USA..Right? The deck is way overpriced for unit(10-11K) and SW support 5K ! In addition, if you do not pay your for your annual SW the device is inoperable.
Cellebrite (best phn and cable support by far) Fernico and BIT PIM are tools I mainly use and get results with ..All work as advertised ..
Just chiming in with my 2cents;
We use the following products in our lab;
Cellebrite – We have 3 of these and it is generally the first tool that we try.
DataPilot – Also a good tool that is generally our second choice.
Bitpim – Outstanding for the price (free) and we use it frequentl.y
Oxygen Phone Manager – Great for Nokia phones, generally extracts all data from supported Nokia phones.
CellDEK – Over priced for what you get. Works on some of the phones that we see however I am not impressed with the number of phones that it supports for the price.
Paraben – Sometimes works, we usually try it if nothing else is working. Appears to not get along well with other cell phone tools. We have had to install it on its own system to avoid conflicts.
Items we do not use;
XRY – I have heard some good things about this product however we have chosen not to use it for the following reasons;
-Cost of device and updates (we can only afford so many)
-About a year ago (when we were considering buying XRY) the company refused to supply me with a list of phones that their device would support stating that their competitors would use the list against them
-Unless they have changed, if a users yearly license lapses, the device becomes locked and unusable
Does anyone know the price for XRY/XACT kit?
Thank you!
Thanks to Cellebrite, CellDeck and XRY have now dropped the price in more than 50%.
What all those that bought it in the previous prices feel now? and still there is almost a 100% price difference.
lance, very good work. i have been using the mobiledit,cellseizure, celldek,nutrino, ufed of cellbright,.xry etc., out of these i find cellbright, celldek and .xry are the good tools which are simple to use and supports many models.
krishna, cyber forensic expert, hyderabad.
Mobil edit Forensic
http:\\forensoc.mobiledit.com
sorrz http:\\forensic.mobiledit.com
Regarding:
Items we do not use;
XRY – I have heard some good things about this product however we have chosen not to use it for the following reasons;
-Cost of device and updates (we can only afford so many)
-About a year ago (when we were considering buying XRY) the company refused to supply me with a list of phones that their device would support stating that their competitors would use the list against them
You can see all the updates on there website, http://www.msab.com/en/About-Micro-Systemation/News2/XRY-SW-39-released/
-Unless they have changed, if a users yearly license lapses, the device becomes locked and unusable
From versions .XRY 3.8 and XACT 1.2 we change the license model; the license is still for a 12 month period and includes software maintenance and updates, new cables and support. However - from now on the software will not stop function after the license period has expired. N.B. You will, without valid license, neither have access to software maintenance, new cables nor support, i.e. new phone models are not supported.
hi just following the posts and i have a question if anyone knows the answer please explain it to me have you ever heard of the technology known as the roving bug supposedly software can be downloaded unto the phone activating it as a bug to pick up sound in the phones vicinity all this is done without even touching the phone.
Lance, great review and commendable piece of work - well needed . FYI - there is a version of Cellebrite that comes with an internal battery so it is completely usable in the field
thanks again
Great review and includes all my favourites.
You could also add PMExplorer from Paul Sanderson. It only supports Nokia PM files but it gives a great low level look at the raw bits qnd bytes allowing you to validate your report and it is a great learning/teaching tool.
Hi,
You should also include a review on IntaForensics ART for manual phone analysis. Automates the process of manual reporting on mobile phones and best of all it's free I think?.
Great article. I think Paraben was too easily dismissed. I had a lot of the same perceptions until I went to their training. I now use Paraben as my primary tool simply because it often gets full memory dumps. They also now allow data exports so I can back up my cases in a non-proprietary format.
I never experienced the "bad" support others have talked about but they must have improved a lot because I've received great support over the last year. I do have some of the other tools mentioned but only use them as a backup and am usually disappointed at only getting logical data.
The best tool for extracting and analysing physical images from handsets is M-Filter from FTS.
As for logical exams, we still opt for XRY and have cellebrite as backup for handsets XRY cant do.
I think someone said it further up, but there is no one tool to do it all at the moment..
A poster above said:
"From versions .XRY 3.8 and XACT 1.2 we change the license model; the license is still for a 12 month period and includes software maintenance and updates, new cables and support. However - from now on the software will not stop function after the license period has expired. N.B. You will, without valid license, neither have access to software maintenance, new cables nor support, i.e. new phone models are not supported."
The quote states that the license expired. Does this mean that, although the item is not locked, the license is no good -- so using it is a violation of the license agreement? If not, then the above should be reworded to state that the support period has expired rather than the license has expired.
"The quote states that the license expired. Does this mean that, although the item is not locked, the license is no good -- so using it is a violation of the license agreement? If not, then the above should be reworded to state that the support period has expired rather than the license has expired."
You are correct it does mean that the 'Support Period' has expired rather than the licence. You are free to continue using the equipment after this point. The manufacturers of XRY & XACT are Swedish and sometimes the fine subtleties of english can be confusing as a second language.
By the way XRY & XACT are now at version 4.0 with considerable more handset support and features.
XRY now does CDMA handsets by the way. Version 4.1 is available
Micro Systemations XRY and XACT units are more or less standard in Europe and have just opened their office in the States. Go to www.msab.com and contact them for a run through of the products. They now have a CDMA system at the R&D in Sweden so more US phones will be added. Highly recommended!
Hello.
My name is Tudor, and I'm running a small Internet based business (selling a hybrid software - web service product, for automatic backup of mobile phones data). I'm located in Romania (www.f-spy.ro).
My costumers are interested in data recovery from sim-cards, like deleted sms. I was trying a solution provided by Data Doctor Recovery (software). Its not working at all. I can not read any deleted sms.
Now, because you are a real specialist in data recovery, I want to ask you about another products:
-BrickHouse Security ( http://www.brickhousesecurity.com/cellphone-spy-simcardreader.html )- Cell Phone Spy.
-Paraben's SIM card Seizure (software product).
I remind you that I am interested especially in recovery of deleted sms.
So, can you let me know please, if this solutions and products are working? I really trust your expertise and experience in the field of data recovery.
Thanks a lot for helping me.
Regards,
Tudor.
PS: excuse my grammar, unfortunately english is not my first language.
After doing cell/mobile forensics for over 10 years I think it is important that everyone realize there is no single tool for any job. That is training is key. Many people will use a tool and because it requires some time to get it to talk to the phone dismiss it as a faulty tool. I know I had that perception with a couple of these tools when I started. Most of my errors I had were mine because I did something wrong, not because of the tool. I know that no one likes to admit it, but we as users are a lot of the problem. I am doing my Paraben PCME right now and after attending all their training as well as some of the other training classes out there I have to give them credit they are the company committed to doing cell forensics. Their tool was designed for investigators, and although the drivers are a pain to load they follow the best forensic principles and I have not had any problems with their support, actually the opposite, they bent over backwards to help me. I have my favorite secondary tools such as BitPim and Mobiledit!, but I think it is time someone at least say what the real problem is, and that is we are all overwhelmed with our workload and if it doesn’t work perfect on click one we give up.
Thanks for sharing this info post.
I really would like to thank you.
Well, I have been reading your blog posts daily and the reason I come on your blog frequently is its compelling content… Regards… http://www.pctechoutlet.com
I really would like to thank you.
great post, extremely useful! thanks.
a+ post!
good post. Very valuable!
Cellebrite is a Japan owned company headquartered in Tel Aviv.
I found BK Forensics with HQ in PA has great "deleted data recovery" and has even trained LEOs around the globe.
Gr8 prices for LEO too with lifetime support!
Oxygen Forensic Suite 2010 is the best option to extract more data from the phone.
http://www.cybersecurityspecialist.com/software.html
With regards to cell phone forensics, when you say lack of standardization, I am assuming you also are talking about the different types of chips and security protocols used by the different providers? Or at least I am assuming that would also make a difference.
However, in terms of computer as well as cell phone forensics you still have to deal with particular information providers. I initially assumed the computer would be easier since you can analyze the transfer of data via the Internet; however, those logs are stored on your ISP's machines (I am assuming).
Lance,
You said you would like the CelleBrite better if it was truly portable for field work. The "ruggedized" version I have is powered by an AC cord, a 12-volt cigarette lighter cord or its internal LI-PO Rechargeable Battery. Truly Portable. I can put it in the case (with the cables) and take it anywhere, whether that is in my office, my car, or out in a field miles from anything else.
Support@SCCTF.ORG
thanks everybody for leaving your comments behind. I have been looking for somebody to finally analyze the different cell phone recovery tools available and somebody has finally done it for me.I am using cellebrite ultimate and i can trully say that it has some advantages as far as i can see:
1. for starters it has an awesome support team who are always around to help you out.
2.it has a very large set of supported phones that could be extracted using the device.
some of the noticeable shortcomings of the device include:
1.it has a poor record in dealing with nokia phones
2.it does not support physical extraction for iphone 4s and ipads(although i don't know the success rates of other tools when it comes to this kind of gadgets.)
but all in all, thanks for the comprehensive summary you've done in comparing the different tools.
Post a Comment