
AccessData’s MPE+ Potential

Eventually we will be getting AccessData’s Mobile Phone Examiner Plus as part of our forensic toolset in the lab. I’m not a huge AccessData product user (even though I just got re-certified as an AccessData Certified Examiner today) so I know basically next to nothing about the product. I participated in a Webex that AD presented on the tool, and I surprised myself when I realized I’m excited to use it.

The difference between EnCase’s Smartphone Module and AD’s MPE+ is that EnCase supports phones based on operating system, whereas AD supports media by manufacturer and model of the phone. My first impression was that EnCase would be a better solution because there are zillions of smartphones, with new ones being released every week. How can MPE+ keep up with all the new technologies? Theoretically, EnCase would be able to support a wider range of mobile devices since it parses information based on a handful of operating systems (which usually update less frequently) as opposed to trying to support thousands of phones being released. However, there were plenty of things I learned in the Webex that caught my eye and made me all giddy inside:

  1. It supports 3,500+ phones. With some afterthought, our company only uses a certain few types of phones, so worrying about support with over 3 thousand options is behind me.
  2. It supports phones running Android, Windows Mobile, iOS, Symbian, and BlackBerry (as well as SIM cards and BlackBerry/iOS backup files).
  3. There is a TABLET version, which has the software installed so you can do mobile phone analysis in the field — COOL!
  4. There is an auto-update prompt at startup if there are any new releases. This might run into a problem at our lab because our forensic machines are not connected to any network, so updates will have to be checked and installed frequently.
  5. When you add a phone, it shows a picture of the manufacturer and model you selected. I like this as a verification that I selected the correct phone I’m trying to analyze.
  6. Once a phone is added, the acquisition can be exported as an AD1 image if I decide to analyze the contents in FTK.
  7. If a phone is jailbroken (iOS) or rooted (Android) MPE+ is able to take a PHYSICAL image of the device (something EnCase is not able to do…they only support logical acquisition)
  8. MPE+ supports a whole slew of image formats — E01, DD, AD1, etc. This is awesome: if, let’s say, I image a phone using EnCase or the Oxygen Suite, I can throw it into MPE+ and examine the contents using the parsing tools that are built in.
  9. It has the ability to play videos within the interface — as opposed to opening an external application like Windows Media Player
  10. It allows you to data carve within the folders and files
  11. It parses by OS for folders that hold valuable information, even protected data files, and will pull all of the information out and display it into a spreadsheet-esque report for easy viewing
  12. It will (unofficially) support hard drive images, like Mac for example. You add the image to the MPE+ case as if it was iOS, then use the tools to extract data
  13. Password protected device? MEH! It has brute-force password cracking options built-in.
  14. Android has what is called “Forensic Files”, which allows you to see the protected user data that wouldn’t normally be seen on the phone (like Google contacts, for example).
  15. It has Android support for multiple partitions. Aka, you can see every partition that’s created on the device (which is normally hidden)

All in all, I’m super excited to get this tool in the lab. I was a bit wary at first, but this thing seems PRETTY nifty! =D

One thought on “AccessData’s MPE+ Potential”

  1. Hi Coorie,

    Very useful information shared. Appreciate it. Can you share your email id to shoot some query on forensic lab if you allow?

