Smartphones and tablets are widely used in everyday life and in various technological processes. For this reason, they often become a part of forensics investigations in informational security cases. This article analyzes the efficiency of the forensic suits used to study such devices.
There are three main problems in the mobile forensics:
The first one – mobile devices data extraction. The mobile devices manufacturers, taking care of data security, try to complicate the process of sensitive data extraction for the forensic specialists. This leads to the situations when the device’s owner changes the password and forgets it and consequently loses the access to the data (for example, it can accidently happen, when you give your device to a child to watch a video on YouTube or to play a game). The other sad example is when wife can not extract family pictures from the device of her perished husband. The cost of the data extraction from blocked mobile devices can be several times higher than the cost of the device itself. Experts put great efforts into data extraction and spend a lot of time in order to overcome the protective mechanisms of mobile devices that prevent the data extraction. Unfortunately, such attempts often fail.
The second one – the various mobile forensics utilities extract data from mobile devices differently. The types and amount of data extracted are different. Even the “traditional” types of data (such as: phone book entries, SMS, calls, multimedia files) are extracted in different amount from the same device, this is due to the specifics of the software development and support of the certain artefacts, which are stored in the mobile devices memory, by the forensics software developers. For that reason, there is no unifying concept of the data extraction and analysis procedures. Each investigated mobile device is now unique. This increases the cost of the investigation process and it is more time-consuming.
The third one – data volume stored in the mobile devices is becoming equal or in some cases is even higher than the volume of data stored in the laptops and desktop computers. For example, we can compare the Macbook Air laptop that has 128GB of internal storage and iPhone that has 256GB or 512GB internal storage. That is why it is not enough to extract data from a mobile device, you need to analyze them in a quick and qualitative way.
This article will compare the most popular utilities for mobile forensics. The time spent on data analysis by various utilities is estimated. In addition, it is considered what types of artifacts and in what quantity are extracted.
For testing, we used two forensic images containing typical data for the most common mobile devices – mobile devices running Android and iOS operating systems.
The first object of test is a physical dump of a mobile device running Android 8 operating system. This image is an uncompressed binary copy of the device’s flash memory data. The image size is 32GB. This is a public copy of a mobile device. You can use it both to verify the results and for your own tests.
The second object of test is a public copy of iPhone file system running iOS 13.3.1. The file size is 8,3GB. This copy of the mobile device is also publicly available.
We used the typical suits for testing: AXIOM version 188.8.131.5217 ”(Magnet Forensics), UFED Physical Analyzer version 184.108.40.206 (Cellebrite), Belkasoft Evidence Center version 9.9800.4963 (Belkasoft LLC), XRY version 8.2.0 (Micro Systemation AB ).
For testing, we used a test workstation containing the following main components:
Table № 1. The main components of the test workstation.
|CPU||Intel Core i7-8700K (3.7 GHz)|
|MB||Asus Prime Z370-A|
|RAM||Kingston HyperX KHX2400C15 (4 x 16 GB)|
|GPU||Asus AMD Radeon RX 550 (2 GB)|
|System hard drive||Samsung 860 Pro (256 GB)|
|SSD drive used for work with databases||Samsung 970 Pro (1 TB)|
|RAID controller||Intel RS3DC080|
|RAID hard drives||Western Digital WD40EFRX-68N32N0 (4 x 4 TB)|
|Operating system||Windows 10 x64|
Stage 1. Timing estimations
At the first stage, we estimated the time spend on two image processing, which were described above, by one or another testing program. We used the default settings as some of the testing programs have options to choose what type of data to process, meaning that we used the option that would use the ordinary user who does not want to waste time setting additional parameters for the analyzed data. The test results are shown in Table № 2.
Table № 2. Forensic Image Processing Speed.
|Program||Android (binary file)||iPhone (TAR file)|
|AXIOM||35 min 47 sec||51 min 53 sec|
|UFED Physical Analyzer||5 min 13 sec||3 min 46 sec|
|Belkasoft Evidence Center||106 min 23 sec||23 min 33 sec|
|XRY||13 min 20 sec||5 min 41 sec|
As it can be seen from the Table №2, in this test the UFED Physical Analyzer was the best one. The XRY took the second place. The surprisingly long time was taken for the Android image processing by the Belkasoft Evidence Center. The previous version of this program 9.7.4265 spent for the analysis of this image 3 min 41 sec. We hope that the developers will rapidly fix this bug.
Is it possible that some of the programs processed the data faster than others because they did not extract the data in full? This will be discussed in the next part.
Stage 2. The analysis results measurement
The following artifacts are the most important for an expert: the web-browser history, messengers, e-mail, images and documents. For the reason of ethical issues, we will not show the results of the “outsider” programs and consider only the results of the best ones.
The Android image analysis results.
Fig. 1. Artefacts extracted by Belkasoft Evidence Center.
Fig. 2. Artefacts extracted by AXIOM.
The undisputed leaders in extracting artifacts from this image are Belkasoft Evidence Center and AXIOM. Other programs have extracted significantly less artifacts.
IPhone SE image analysis results.
The most efficient suit in this part of comparison became AXIOM. It extracted not only more important artifacts, but also a huge amount of system artifacts that can help an expert understand how the examined device worked.
Fig. 3. Artefacts extracted by AXIOM.
Fig. 4. Artefacts extracted by UFED Physical Analyzer.
The second leader of TAR-file analysis is the UFED Physical Analyzer. It extracted such categories of artifacts as “Activities” and “Device Locations” At the same time, Belkasoft Evidence Center got more chats compared to the UFED Physical Analyzer.
As the testing showed, the results obtained during examination have to be checked as they may differ when you analyze the same source data by various mobile forensics suits. The tests showed that the best suit for data analysis extracted from mobile devices (in the ratio of the number of extracted artifacts to the time spent on analysis) is AXIOM. This suit extracts not only important artefacts (such as web-browser history, messengers, e-mail, images and documents), but also a great amount of other technical information that is useful for an expert to understand how the examined device worked.
About the Author
Igor Mikhaylov is a digital forensic analyst at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. He holds a number of certifications, including EnCE, ACE and MCFE. Igor is authored Mobile Forensics Cookbook: Data Acquisition, Extraction, Recovery Techniques, and Investigations Using Modern Forensic Tools, as well as many blog posts and articles on digital forensics and incident response you can find online.