For this report I am testing three mobile forensics tools to evaluate them on various criteria. I am looking at ease of use, documentation/guidance, graphical interface, analysis quality and reporting. For this report I am using an iPhone 5 (Model: A1429) with 32 GB storage. I will mainly focus on commercial products that I have been given trial access to.
The first software I am trying is MOBILedit. Initial instructions seem fine and there appeared to be a good amount of documentation and explanations regarding the software. Downloading and installation went fine, and the program started up successfully. The program prompts me to install some driver packs, and I try to do that. And here is where the first issue arises. In Windows 7, which is the preferred platform for any forensics software, the driver pack prompts the user every time it wants to install a driver. For thousands of drivers. I therefore have to manually “hack” the iPhone driver to be able to make MOBILedit discover it (this report is too short to cover the process). Afterwards I am able to get the phone detected, but it seems there is no way to override the passcode. The documentation only gives one option – which is to “accept” the connection on the phone. The user interface is good and modern, and there is guidance along the way. After this, I am prompted to purchase a license, and since I don't have a trial license for this one – I move on to the next.
My second software is from AccessData, which is widely known for its FTK and FTK Imager. They have a mobile forensics software named MPE+ which is not as well known – but has great industry reviews. As always with AccessData, the documentation and guidance are well established, taking into consideration a professional user. Downloading and receiving a trial key was fast and reliable; they even called me to check that I had managed to install it correctly. Once I start using the software, it has great guidance for acquisition and handles my iPhone perfectly. It has a step-by-step process that also includes breaking passcodes and such. Although the program lets you do a live forensics analysis and capture live data – it works best when creating an image of your phone and indexing it. I indexed the whole phone and could find a lot of great data. Chat logs in various apps, text messages, contacts and much more. It also found a great deal of deleted images, and there was also a great way to read logs. As far as user interface goes, it was good and modern, but for the price they charge – it should be better. There were also some issues with functionality, where you could not parse the data properly. Like text messages and finding relevant data connected to certain contacts. However, one really great feature of MPE+ that I could not find in any other forensics software was the ability to write your own Python code inside the program, in order to script your very own forensics process. This allows for a hugely different approach, and actually gives the examiner the possibility to do endless functionality with the data. So far the MPE+ software delivers on all criteria, and I was ready to write a forensics report using the program's own functionality for this. On this level I was very disappointed. The report system did not allow you to add as much evidence as you had collected, and the output was random and very disorganised. It really did not make any sense, and was as close to useless as you could get. On this level the program fails completely.
My third software is Paraben's E3: Universal. This was the one that took the longest to acquire the trial key for, so I did not have too much time to try it out. Downloading was fine, and installation went great – including drivers. The program has a user-friendly interface and an initial greeting with a tour and easy-to-read guidance. However, due to time issues and the late arrival of the trial key I could not test the system enough. I also had huge issues in getting E3: Universal to detect my phone in DFU mode. It has sufficient guides IF you looked for them, but there was some guidance lacking in case of urgent issues in the acquiring stage.
Overall there seem to be quite a few issues in getting mobile forensics software to work. This was expected since mobile devices are very different in hardware, software and usage from regular computers – but my initial expectation was that expensive commercial software would do away with a lot of those issues. During my test I have found that documentation, guidance and graphical user interface are good in these products, but as far as actual usage goes they do not deliver anything vastly different from an open source software which I have tested on a previous occasion. All except the great feature in MPE+ that allows for Python scripts. As far as reporting goes, both my experience and industry reviews point out that it is a common problem, and the recommendation is to create your reports outside your software.