Selectively extraction for specific timeframe

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
 
  

John000
Member
 

Selectively extraction for specific timeframe

Post Posted: Nov 04, 18 13:51

Hi all,

Does anyone know if it's possible to selectively acquire data between defined dates/times using UFED/XRY/Magnet?
We need the option to perform a logical extraction only for a limited timeframe, and I wonder if it's possible.

Thanks,
John  
 
  

dandaman_24
Senior Member
 

Re: Selectively extraction for specific timeframe

Post Posted: Nov 04, 18 17:26

Nope  
 
  

giandega
Senior Member
 

Re: Selectively extraction for specific timeframe

Post Posted: Nov 04, 18 18:31

I am not sure, but MOBILedit Forensic Express should have this feature.
 
  

AGP_Analyst
Member
 

Re: Selectively extraction for specific timeframe

Post Posted: Nov 05, 18 10:01

I know the UFED Kiosk devices support this, as well as other filters but I don't know if any of their other products do.  
 
  

mcman
Senior Member
 

Re: Selectively extraction for specific timeframe

Post Posted: Nov 05, 18 14:13

The problem with selective extraction is that even if you try to do it, it won't work across the board for all files and extraction types.
1) Even if you have privileged access (root/jailbreak/etc.), the file system timestamps that you would base your extraction on only tell part of the story. If you're looking for chat or SMS messages or data within a database (which most mobile data is in SQLite/Plist/JSON or similar structure), it's not possible to filter that data without first analyzing the contents of the database or structured file.
2) A logical extraction (iTunes/ADB backup) does not accommodate selective extraction very easily, for similar reasons as above, as well as because each app chooses whether to be backed up or not and what to include in a backup. You could create a tool to pull the backup (however it was given through the API). Have the tool automatically analyze and parse out the data it knows and then only display the data within your time frame, but that's not part of the extraction. The full extraction already happened; the tool is just showing you a filtered result.
3) If you're just looking to do this for allocated pictures and video, sure, definitely doable. Make an MTP connection to the phone and pull the media based on the file system timestamps available (created/modified/etc.). This is how most in-field or kiosk tools provide this info. Anything beyond that isn't universal and is limited in availability across device models and OS versions.

Again, selective extraction has way too many holes in it to be a viable option for most forensic examiners. You'll still miss out on a lot of relevant data within your time frame that might be important to your investigation if you try to do it at the point of extraction. It always comes up due to legal constraints but most jurisdictions have mechanisms to limit the scope after the extraction but prior to analysis either through automated analysis (machine) or examiner/analyst review prior to providing the dataset to the investigative team.

My 2 cents.
Jamie  
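
Points 1 and 2 of the post above, as an added example that is not part of the original post and not any vendor's code: a file-level timestamp filter skips a whole message database, while parsing the database after extraction finds the in-scope records. The `sms.db` name, the table schema and the messages are constructed assumptions.

```python
import os, sqlite3, tempfile
from datetime import datetime, timezone
from pathlib import Path

def ts(y, m, d):
    """UTC midnight as Unix epoch seconds."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed sample messages: (epoch seconds, body)
SAMPLE = [
    (ts(2018, 1, 15), "out of scope (old)"),
    (ts(2018, 6, 10), "in scope A"),
    (ts(2018, 6, 20), "in scope B"),
    (ts(2018, 10, 30), "out of scope (recent)"),
]

def build_db(path):
    """Create a hypothetical sms.db; the schema is an assumption."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, date INTEGER, body TEXT)")
    con.executemany("INSERT INTO message (date, body) VALUES (?, ?)", SAMPLE)
    con.commit()
    con.close()
    # A database file's mtime tracks its last write: here, the newest message.
    os.utime(path, (SAMPLE[-1][0], SAMPLE[-1][0]))

def file_selected(path, start, end):
    """Acquisition-time filter: one file system timestamp for the whole file."""
    return start <= os.stat(path).st_mtime < end

def records_in_window(path, start, end):
    """Post-extraction filter: parse the database and select per record."""
    con = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)  # read-only
    try:
        rows = con.execute(
            "SELECT body FROM message WHERE date >= ? AND date < ? ORDER BY date",
            (start, end)).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]

def demo():
    start, end = ts(2018, 6, 1), ts(2018, 7, 1)  # scope: June 2018
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        build_db(path)
        return file_selected(path, start, end), records_in_window(path, start, end)

if __name__ == "__main__":
    print(demo())
```

The file-level check rejects the database because its modification time falls outside the window, yet two of its four records are inside it; widening the window to catch the file would pull in all four.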
 
  

John000
Member
 

Re: Selectively extraction for specific timeframe

Post Posted: Nov 05, 18 16:04

Thank you for your detailed answer. Very helpful!
 
