Eventually we will be getting AccessData’s Mobile Phone Examiner Plus (MPE+) as part of our forensic toolset in the lab. I’m not a heavy AccessData product user (even though I just got re-certified as an AccessData Certified Examiner today), so I know next to nothing about the product. I sat in on a Webex that AD presented on the tool, and I surprised myself when I realized I’m actually excited to use it.
The main difference between EnCase’s Smartphone Module and AD’s MPE+ is that EnCase supports phones by operating system, whereas MPE+ supports devices by manufacturer and model. My first impression was that EnCase would be the better approach, because there are zillions of smartphones, with new ones released every week. How can MPE+ keep up with all of them? In theory EnCase should be able to cover a wider range of devices, since it parses data based on a handful of operating systems (which change less often) rather than trying to support thousands of individual phone models. Still, there were plenty of things in the Webex that caught my eye and made me giddy inside:
- It supports 3,500+ phones. On reflection, our company only uses a handful of phone models, so whether every one of those 3,500 is supported isn’t really my concern.
- It supports phones running Android, Windows Mobile, iOS, Symbian, and BlackBerry (as well as SIM cards and BlackBerry/iOS backup files).
- There is a TABLET version, which has the software installed so you can do mobile phone analysis in the field — COOL!
- There is an auto-update prompt at startup whenever a new release is available. This could be a problem in our lab, because our forensic machines are not connected to any network, so updates will have to be checked for and installed manually on a regular basis.
- When you add a phone, it shows a picture of the manufacturer and model you selected. I like this as a sanity check that I picked the right model for the phone I’m about to analyze.
- Once a phone is added, the acquisition can be exported as an AD1 image if I decide to analyze the contents in FTK.
- If a phone is jailbroken (iOS) or rooted (Android), MPE+ can take a PHYSICAL image of the device (something EnCase is not able to do; it only supports logical acquisition).
- MPE+ supports a whole slew of image formats (E01, DD, AD1, etc.). This is great: if, say, I image a phone using EnCase or the Oxygen Suite, I can load that image into MPE+ and examine the contents with its built-in parsing tools.
- It can play videos within its own interface, rather than launching an external application like Windows Media Player.
- It lets you data carve within folders and individual files.
- For each OS it knows which folders hold the valuable artifacts, including protected data files, and it pulls that information out and displays it in a spreadsheet-style report for easy viewing.
- It will (unofficially) work on hard drive images, a Mac image for example: you add the image to the MPE+ case as if it were an iOS device, then use the same tools to extract data.
- Password-protected device? MEH! It has brute-force password-cracking options built in.
- For Android there is something called “Forensic Files”, which lets you see protected user data that normally isn’t visible on the phone (Google contacts, for example).
- It supports multiple partitions on Android, i.e. you can see every partition on the device, including the ones that are normally hidden.
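Since the list above only mentions carving as a feature, here is a small signature-based carver to illustrate what “data carving” over a raw (DD) image actually does: scan for file headers, pair each with its footer, and recover the bytes in between regardless of the file system. This is an added example and not AccessData’s code; the signature table, size cap and the sample image are my own constructions and say nothing about how MPE+ implements carving.

```python
"""Minimal signature-based file carver (added illustration, not MPE+ code)."""
import hashlib
import pathlib
from dataclasses import dataclass

# Header/footer magic bytes for a few common formats (assumed subset; real
# carvers ship hundreds of signatures and handle headerless/footerless types).
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # cap on how far past a header we look for a footer


@dataclass
class Carved:
    kind: str
    offset: int
    size: int
    sha256: str


def carve(image, max_size=MAX_CARVE):
    """Return every header/footer pair found in `image`, sorted by offset."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            next_hdr = image.find(header, start + len(header), limit)
            if end == -1 or (next_hdr != -1 and next_hdr < end):
                # No footer before the cap, or another header of the same type
                # appears first: treat this header as truncated or a false
                # positive and keep scanning from just past it.
                pos = start + len(header)
                continue
            end += len(footer)
            data = image[start:end]
            hits.append(Carved(kind, start, len(data),
                               hashlib.sha256(data).hexdigest()))
            pos = end
    return sorted(hits, key=lambda c: c.offset)


def carve_image_file(path):
    """Carve a raw/DD image on disk (reads the whole file; fine for phone-sized images)."""
    return carve(pathlib.Path(path).read_bytes())


def build_sample_image():
    """Constructed sample of 'unallocated space': two intact files plus one
    truncated JPEG header. Not a real phone image."""
    filler = b"\x00" * 64
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
           + b"..." + SIGNATURES["png"][1])
    truncated_jpg = SIGNATURES["jpg"][0] + b"\xE0\x00\x10"  # header, no footer
    jpg = SIGNATURES["jpg"][0] + b"\xE0JFIF" + b"\x00" * 32 + SIGNATURES["jpg"][1]
    return filler + png + filler + truncated_jpg + filler + jpg + filler


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(f"{hit.kind} @ {hit.offset} ({hit.size} bytes) sha256={hit.sha256[:16]}...")
```

The truncated header in the sample is the classic carving pitfall: without the “another header appears before the footer” check, the carver would pair the orphaned JPEG header with the footer of the next real JPEG and emit one bogus, oversized file instead of the intact one.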