Forensic software not correct on pre-and-post export process

(@yunus)
Posts: 178
Estimable Member
Topic starter
 

Hello everyone,

This seems to be a common problem with many forensic software packages. I have seen it with famous forensic software, including UFED and XRY.

It is about the number of files exported from phones or drives: many times, files are missing.

You search for pictures (or videos) in a mobile phone or on a hard drive, and let's say 1000 pictures are found and shown on the program interface. However, when exported, the number of exported files is less, with many of them missing, e.g. 921 exported instead of 1000. And the program will not give any warning; on the contrary, it gives the message "export completed successfully", which is not true at all. So the examiner thinks everything is OK and goes ahead with his examination by looking at the exported pictures, whereas he/she is unaware that some files are missing. Apparently, forensic software does not seem to make a pre-and-post export comparison.

When I examine further why some files are not exported at all (though shown), it seems that they are mostly files shown with file size 0 or with a small size like 1 KB. However, they are viewable on the program interface and they have content.

So, before and after doing an export, even if you are doing it with forensic software, the number of objects must always be compared, which is something many examiners do not check at all.

Regards

 
Posted : 02/01/2016 5:36 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

When I examine further why some files are not exported at all (though shown), it seems that they are mostly files shown with file size 0 or with a small size like 1 KB. However, they are viewable on the program interface and they have content.

Well, with all due respect, a picture file 1 KB in size has very little content, and a file 0 bytes in size (picture or not) has NO content whatsoever.
Maybe some of them are softlinks or similar?

jaclaz

 
Posted : 02/01/2016 7:04 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

This seems to be a common problem with many forensic software packages. I have seen it with famous forensic software, including UFED and XRY.

I can't say that I've used either tool, but I am curious…when you've reported this to the manufacturer, what has been their response?

 
Posted : 03/01/2016 5:56 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

I would like to know too. I will share my experience later.

 
Posted : 04/01/2016 2:29 am
XRY_Mike
(@xry_mike)
Posts: 28
Eminent Member
 

Yunus,

I would be grateful if you could send your data set to MSAB please, so we can independently verify your findings with XRY.

Forensic software should recover the data correctly and it is surprising that nobody else has noticed or reported to us what you have described.

If we can improve, we want the opportunity to do so, however we do need some form of communication directly to pursue this, rather than a post on the forum here.

Mike Dickinson
MSAB

 
Posted : 04/01/2016 1:50 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

This thread reiterates to me an issue within the "community" at large…specifically, those using tools (commercial, free, open source, etc.) who run into an issue and take no action whatsoever.

An analyst I work with recently sent a question regarding a free tool to the entire team. When I followed up with them regarding using other tools or techniques to validate their finding, they said that they'd also run RegRipper and got different output. When I asked which version of the plugin they'd used, they didn't know…the version of each plugin is displayed as part of the output. When I asked from where they'd downloaded RegRipper, they mentioned a CERT location…not something I'm familiar with, and not the GitHub repository I use as the official download location for RR.

I honestly do not know why so many analysts are unwilling to mention an issue that they're having to a tool author, or why they seem unable to collect and provide even basic troubleshooting information.

 
Posted : 05/01/2016 1:44 am
(@yunus)
Posts: 178
Estimable Member
Topic starter
 

Xry_mike,

Most examiners just use the menus on the forensic program and take their software's functions for granted. And they do not check each function step with the sensitivity of a quality auditor. For instance, if the extraction on the forensic software GUI says 1000 pictures were found and 57 of them are deleted ones, it is OK for most examiners, and they move on to looking at the pictures through the interface of the forensic program in gallery view mode, and it is done.

We noticed this is a general problem with other forensic tools, including DVRexaminer, another forensic program for extracting videos from DVR hard drives. When one of our examiners preferred to look at pictures/videos not inside the program GUI but after exporting them into a regular Windows folder, he saw that some of the pictures/videos shown on the program interface were not exported at all.

I know most examiners do not prefer to export all the pictures for viewing (because they can do it through the gallery view in the forensic software), and even if they do, they will not re-compare the number of each content type once exporting from the GUI is completed (such as comparing the exact number of pictures, videos, messages, chats, call logs, SMS, locations, Facebook messages, web artifacts, etc.). There are many categories of extraction.

—-
And dear keydet,

Regarding your question why most examiners do not report issues to the forensic companies:

We often do and end up without a solution, usually with the same type of answer: "This is expected to be solved in the next updates" or "this is specific to the phone".

I have always reported such kinds of problems to the forensic software manufacturers (and still do), but usually we end up with "this is specific to that phone", and there is no quick solution. And it takes so long to get a fix. And you may even end up with no solution after waiting for weeks or months. So, we are fed up with asking for solutions unless it is a big one.

By the way, just to give an idea of how slow it is to report (and get a solution) with forensic companies:

- You e-mail the company support team about the problem and start waiting.
- They send you an e-mail with some questions, sometimes with some recommendations (treating you as newbies).
- And you e-mail again and say to them you have done all that and it is still the same.
- They e-mail and ask for the log file of the extraction.
- Then you do the extraction again, which might take hours (e.g. a mobile phone with 64 GB memory), with the hope you will get the solution. And you e-mail and send the log file and start waiting again.
- After a few days they e-mail you and say there is not enough detail in the log file, so they ask you to send the actual phone to them.
- You e-mail and say to them you can't send the phone to another country.
- Then they e-mail and say they do not have that specific phone in their company and they have to buy the phone to develop a solution, and ask you where they can buy it from.
- And you e-mail and say to them they can buy it on the internet.
- Then, after a long time again, they e-mail and ask you to wait for the next updates, as it will take some months to cover that problem.
- You wait for the next update and see no solution was developed.

So that is basically how it works.

And after waiting for a few months with all this e-mail traffic back and forth, including the phone conversations with the prosecutor about why it is taking so long, how much longer can you keep telling the prosecutor, who insistently asks for the results to be sent, to wait for the next updates, which may hopefully cover that specific phone!!!

Regards

 
Posted : 09/01/2016 2:03 pm
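The pre-and-post export count check that the first post calls for, and the per-category comparison (pictures, videos, messages, etc.) mentioned in the reply above, as an added example that is not part of this thread and is not code from UFED, XRY, DVRexaminer or any other vendor's tool. The inventory record layout, the sample file names and sizes, and the 1 KB "tiny file" threshold are constructed assumptions; in practice the inventory would be built from the tool's own item list or report.

```python
"""Reconcile a forensic tool's pre-export item list with the export folder.
Added example for this thread, not code from UFED, XRY or any other tool;
the inventory format, sample data and 1 KB threshold are assumptions."""
from collections import Counter
from dataclasses import dataclass
import os

@dataclass(frozen=True)
class Item:
    name: str       # file name as listed in the tool's GUI
    category: str   # e.g. "pictures", "videos", "sms"
    size: int       # size the tool reports, in bytes

def scan_export(root):
    """Map relative path -> size for every file under the export folder."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            found[os.path.relpath(p, root)] = os.path.getsize(p)
    return found

def reconcile(inventory, exported, small_limit=1024):
    """Compare what the tool showed with what landed on disk: per-category
    (expected, exported) counts, items that never arrived, and exported
    files that are empty or tiny (the 0-byte / 1 KB cases in the thread)."""
    expected = Counter(i.category for i in inventory)
    got = Counter(i.category for i in inventory if i.name in exported)
    per_category = {c: (expected[c], got[c]) for c in expected}
    missing = [i for i in inventory if i.name not in exported]
    small = {n: s for n, s in exported.items() if s <= small_limit}
    return per_category, missing, small

def export_complete(per_category, missing):
    """True only when every category count matches and nothing is missing."""
    return not missing and all(e == g for e, g in per_category.values())

# Constructed sample: the GUI listed six items, the export folder holds four.
INVENTORY = [
    Item("IMG_0001.jpg", "pictures", 204800), Item("IMG_0002.jpg", "pictures", 0),
    Item("IMG_0003.jpg", "pictures", 1024), Item("IMG_0004.jpg", "pictures", 98304),
    Item("VID_0001.mp4", "videos", 5242880), Item("VID_0002.mp4", "videos", 0),
]
EXPORT = {"IMG_0001.jpg": 204800, "IMG_0003.jpg": 1024,
          "IMG_0004.jpg": 98304, "VID_0001.mp4": 5242880}

if __name__ == "__main__":   # swap EXPORT for scan_export("/path/to/export")
    cats, lost, tiny = reconcile(INVENTORY, EXPORT)
    print(cats, [i.name for i in lost], tiny, export_complete(cats, lost))
```

On the constructed sample the two zero-byte items never reach the folder and the export is reported as incomplete, which is exactly the "921 instead of 1000" situation a "completed successfully" message hides.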
(@randomaccess)
Posts: 385
Reputable Member
 

Yep, that sounds about exactly like my experiences, Yunus.
Phones are a particular type of PITA when it comes to what is and isn't supported and whether you can or can't get access to specific data.

 
Posted : 10/01/2016 6:01 am