MOBILedit Forensic Express From Compelson
Posted Wednesday February 14, 2018 (12:08:52)
MOBILedit Forensic Express is a mobile forensic solution from Compelson, who have been in the digital forensics market since 1996. In 2013 Forensic Express was created, and it’s now their most popular application due to its ability to quickly check what data can be extracted from a phone and perform forensic extractions in an easy-to-use way.
The software supports thousands of handsets, including popular operating systems and platforms such as iOS, Android, BlackBerry, Windows Phone, Windows Mobile, Bada, Symbian, MeeGo, MediaTek, Chinese phones, and CDMA phones. The software can also handle many feature phones without an OS, including older models from as far back as 1996.
MOBILedit Forensic Express is mainly used by larger forensic companies, private detective agencies, or law enforcement as a triage tool and a way to enable even the less technical members of their teams to uncover and utilise forensic data from mobile devices.
Getting Set Up
When you purchase MOBILedit products you will be sent a licence key which will enable you to download the latest version of the software from the MOBILedit website.
The site is easy to navigate and has a wealth of information for its users, including a comprehensive guide which helps with setup, how-tos and troubleshooting.
The idea behind the user guide is to cut out the need for expensive and time-consuming training; Compelson are confident that anyone will be able to understand how to use their products simply by setting them up and referring to the user guide. They do also have a dedicated support team in case you come across any bugs or challenges, and they encourage their customers to submit suggestions for new features on a regular basis; this then directly feeds into their development plans.
Once you’ve located the user guide and downloaded the latest version of MOBILedit Forensic Express, follow the installation instructions and then open the program. You will need to enter your licence key to activate it. You will then be taken to the main screen where you will see a number of options.
The ‘Check for updates’ button shows if there’s an update available; if there is, you can then choose to install it. If you’re connected to the internet, this button will automatically say ‘Update’ if there are updates available. The update process is very straightforward; simply click ‘Update’ and then follow the on-screen instructions. If your forensic machine is always offline, you can also choose ‘Import packages’, which allows you to add updates without connecting to the internet.
Besides the standard update of the software package, the update screen has further sections; the most important one is probably ‘Scripts update’.
MOBILedit have released a new system which allows live updates of application analyzers. Time is crucial, so this feature is designed to allow you to get the data you need in real-time – without the need to wait for the whole software to be updated. This is similar in principle to anti-virus software, but quite a new feature in phone forensics.
‘File manager’ is the next button down. It is much like Windows Explorer, but for phones. Laid out in an easy-to-read way, the file manager lets you quickly see the data you have available and drill down further should that be required.
‘Settings’ allows you to set default options for your investigations; for example fields like ‘Investigator name’ or ‘Case number’ can be added, and once added they will then be included by default in all future reports.
The final button allows you to view the build details and technical data for the product.
Using MOBILedit Forensic Express
Most of your investigative tasks will begin with the Main Connection Screen, which allows you to set up the phone you want to analyse.
It will automatically search for any physically connected devices, but you can also import logical backups; connect to an iCloud account if you know the credentials for it; or use the Hack Phone option which helps you to get physical data from a phone without breaking any PINs or passcodes.
The ‘Hack Phone’ option allows you to extract physical dumps from MTK chipsets (Chinese devices) and LG phones, and backups from Huawei devices.
To use the Hack Phone option, first of all turn off the phone, then click ‘Hack Phone’ in MOBILedit Forensic Express and you will then be prompted through a number of screens before being asked to select a destination folder. Once you’ve done this you will be able to extract data from the phone as normal.
It is possible to connect phones in recovery mode as well. In this case, you’ll need to choose the recovery options on the phone itself, and the phone will need to fulfil certain requirements, such as having an open bootloader. Recovery mode provides you with more possibilities for data extraction; you can also create a physical image of the phone from recovery mode. It also allows you to access the data without knowing the PIN or pattern unlock sequence.
If you’re performing a normal physical extraction without using the Hack Phone option, first of all select the connected phone or select an import data source.
If you need to root the phone, there is an option to do this; clicking on it will also provide you with a link to a handy guide showing you how to root the phone.
It is important to ensure that you have the right driver available for the phone you’re analysing; drivers can be downloaded from Compelson’s website.
One of my favourite things about this product is how it walks you through everything step by step; at no point does the user feel they’re out at sea without any instructions. Not only is the user guide available on the website, there are also links throughout Forensic Express which show you exactly where to find the information you need. This is particularly handy for non-technical investigators, trainees or junior team members who may be a little less confident when using forensic software.
If you’ve forgotten a step or there’s something you need to do, you’ll see a handy little pink warning triangle which will tell you what needs to happen; for example, ‘Authentication required’.
Once the phone has been connected you will be able to see the IMEI. Clicking the ‘i’ icon will bring up some more details, such as which cable you need to use and which data can be extracted from the phone. Again Forensic Express will warn you if there’s something you should be aware of, for example ‘You’re using an old connector, would you like to update it?’
The ‘Browse Phone’ option brings up a file manager style window which shows you everything within the phone. This means you can quickly check to see what kinds of files are on there and available for extraction; for example, you might be particularly interested in photos, videos or data from a specific app.
Rooting the phone will allow you to create a physical image of it, which is helpful as you can then analyse the physical image without worrying about whether you have inadvertently modified the original; this is also useful when it comes to replicating results.
When you’ve seen what is available to be extracted from the phone, you must then choose what kind of export you want to perform.
‘Full content’ will bring back absolutely everything from the phone and is best if you need a complete image of everything that’s in there.
‘Specific selection’ only brings back whichever items you specifically ask for; this may be certain names or numbers, for example. You can filter these results using contact, time or a text string.
‘Application analysis’ is good if you only want the data from applications. For example, if you know your suspect has information in Facebook Messenger, you can just select that app, or Chrome if you need browsing history.
Once you’ve selected your export type, click Next. MOBILedit Forensic Express will then ask you to fill in details for the eventual report. Here you can label your case, make notes, add your evidence number, and so on. You can also include the label of the device, for example if someone found it at the crime scene and labelled it ‘Evidence-1’.
A nifty new feature in the latest version is ‘take picture’. If you have a webcam, this allows you to take a photo of the phone, so that if there are dents, scratches or other physical attributes you want to include in your report, you can document these here. You can also import a picture you’ve already taken.
If required, you can also export data as a MOBILedit Export or MOBILedit Backup file, which are the native formats of the tool. Cellebrite’s UFDR file is another export option, and the files can be encrypted so that no one else can open them.
Camera Ballistics licence users can add data from this into the application to check whether a picture was taken on a specific phone.
From version 5.0 onwards, a new feature called Photo Recognizer is included. This allows you to automatically categorise photos and tag them as containing certain things, such as weapons, drugs or currency.
‘Application Downgrade’ is a handy option that allows you to push an older version of an application directly onto the phone. The advantage of this is that newer versions tend to have updates that make their data less accessible than in prior versions, so downgrading an application before pulling the data can make it easier to find what you’re looking for.
‘Parental check’ is an option for parents who want to check on their children’s phones. There are predefined options built in for this scenario.
Images are shown as thumbnails; clicking on a picture makes it show up in a bigger screen so you can see it at full size. GPS data can be seen next to the thumbnails.
Any location data can be opened in Google Maps with a single click, as long as your machine is connected to the internet.
Deleted data is available too; this is not always 100% readable as bits of it may have been overwritten, but anything that hasn’t yet been overwritten will be visible. This includes deleted conversations; conversations will also have tags attributed to them based on who is talking, where they know each other from (e.g. ‘Gmail’), and when the contact was created and modified.
The timeline view shows all activities on the phone by time. You can also choose more granular options such as only including messages or call logs.
Once you’ve selected all the options above, click ‘Export’. This is quite a quick process, although of course it depends on how much data you have selected: pulling data from a single app will obviously take much less time than extracting an entire device.
Along the left-hand side of the page there is a box which shows exactly what is happening while the data is being extracted, which is very helpful if anything goes wrong, as you can see exactly when and where the error occurred.
When the extraction is done, click on ‘Results folder’ and all the data will open in a File Explorer window.
It is possible to connect and export multiple devices at the same time, and when testing this product it didn’t seem to slow things down much, although there is probably an upper limit!
Reports come in either HTML, PDF or Excel format; during the extraction process you will be prompted to choose a type of report. Every report contains the same information, but HTML tends to be the most popular. If you are reporting to a number of people, all of whom prefer different formats, you can simply tick all the options and get the report in every available format. The report menu at the side allows you to easily navigate through it.
When you’re done extracting, click on the ‘Results folder’ button in the window that comes up and it’ll open the folder with a full report and extractions.
MOBILedit extracts and stores to a PC all files exactly as they are in the phone. This allows you to use other tools, including open source tools, to further analyze data and get even more evidence.
The Summary section shows an overview of everything, for example how many images of nudity or weapons have been found if you used Photo Recognizer. You can see the Applications Filesystem in the report as well, which is useful for further analysis.
In summary, I would say that MOBILedit Forensic Express is certainly a recommended tool for the digital forensics community. It is easy to use and has a lot of support options available for those who may not be so confident using forensic software. I can see it being a fantastic tool for large teams who need to triage a lot of mobile devices, and for non-technical investigators who nonetheless need to know what kind of data is available for analysis.
MOBILedit Forensic Express is a phone and cloud extractor, data analyzer and report generator all in one solution. Find out more and purchase your copy on the MOBILedit website.
Article content received from: Forensic Focus,