We recently upgraded to EnCase 7, and now with smart devices becoming a hot commodity in the business, there’s a need for smartphone analysis. Now, I haven’t done much with smartphones when it comes to acquiring them (anything I have done has been infrequently on a Cellebrite), so playing around with version 7’s new smartphone functionality has been a bit challenging.
My first fight was with iOS. Understandably, I needed to install iTunes on the forensic machine so that the device would be able to talk with the Windows machine. I got that. That was fine. I first tried an iPad. Everything worked great — it acquired, I was able to pull information, and EnCase was able to put it in a report format for me. Awesome. I next played with an iPhone (which had the same iOS version, settings, apps, etc., mind you) and ran into all sorts of difficulties. I entered the passcode for the iPhone to unlock it (just as I had done with the iPad) but the contents seemed to be encrypted. I was able to read the names of the files, but the contents were all jibber-jabble. As I said before, the settings were all the same on the iPhone as they were on the iPad, and the backups weren’t encrypted, so what’s the problem? Why would the iPad read perfectly fine, but the iPhone not? Mysteries Mysteries…
Today I tried acquiring a BlackBerry. Once again, I got nowhere significant. EnCase was able to detect it, but wouldn’t acquire it. After research, I found that I also needed to install a program and/or driver for BlackBerry, since Device Manager recognized it, but I wasn’t able to access it. The driver I needed was included in a Windows Update (which I cannot perform because our forensic machines are not connected to any network), so further research continued. A few forums mentioned installing BlackBerry Desktop to help the computer talk with the BlackBerry, but I ran into issues installing that, with error after error during the install (“The installation files cannot be validated. Please verify the installer package and try again.”). Websense blocked a few websites that Google displayed as having an answer for these errors, so at the time I dropped the project. Now, I might have a solution to the digital signature problem with the BlackBerry, which I will try tomorrow.
My experience with the EnCase smartphone suite was not an easy task. Maybe it’s because I’m inexperienced (I just got my first smartphone a couple weeks ago) or because EnCase’s tool isn’t all that great. I’m going to look into and play around with Oxygen Forensic Suite to look at their mobile forensic solution, in anticipation of AccessData’s Mobile Phone Examiner Plus software being installed and tested.