Mobile Forensics tools: MOBILedit Forensic Express

Koay Yong Cett
8 min read · Jun 4, 2020


Some quick information about MOBILedit Forensic Express:

MOBILedit Forensic Express is a tool that has multiple functions and features. It is a phone and cloud extractor, data analyzer and report generator all in one solution. It is a powerful 64-bit application that uses both the physical and the logical data acquisition methods of mobile forensics. In addition, it stands out for its sophisticated application analyzer, deleted data retrieval or recovery, live updates, wide variety of compatible phones (which includes most feature phones and smartphones), fine-tuned reports, concurrent phone processing and user-friendly GUI. We can access locked ADB or iTunes backups with GPU acceleration and multi-threaded operations for maximum speed, using the built-in password and PIN breaker.

Mobile Forensic tool leveling system:

When identifying the appropriate tools for the forensic acquisition and analysis of mobile phones, the mobile device forensic tool classification system developed by Sam Brothers (shown in the following diagram) comes in handy for examiners.

Cellular phone tool leveling pyramid (Sam Brothers, 2009)

Main features:

More details can be found on the official site: https://www.mobiledit.com/forensic-express

MOBILedit includes detailed steps on how to connect to a phone. The software supports an extremely wide range of phones manufactured in the last two decades. In addition, it supports thousands of mobile phones with different operating systems, for instance iOS, Android, BlackBerry, Windows Phone, CDMA phones, etc.

Integrate with multiple tools:

Since it is good practice to use multiple tools in a lab and on a forensic workstation, the software is designed to integrate with other forensic tools. It is able to import and analyze data files exported from Cellebrite UFED and Oxygen reports to get even more data.

Cellebrite UFED

Besides that, this software can export all data to UFED. Thus, we are able to utilize the UFED Viewer or Analytics for further processing in order to continue with our investigation.

Now let’s try out MOBILedit Forensic Express:

Note: MOBILedit is not a free tool and the trial version is no longer available.

This is the main menu of the software, where you can obtain live updates that add support for newly updated applications, as well as updates to new full versions of the software.

As for the file manager, it lets us quickly access and manage files on our machine.

Now let’s click on the start button to proceed:

From here, we can connect the phone by cable, Bluetooth or Wi-Fi connection. However, the cable connection is recommended.

In addition, we can also import backups and other data files for analysis.

Data can also be extracted from iCloud if you do not have the phone at hand.

For locked and inaccessible devices, we can try the Hack Phone features to gain access to the phone.

Before connecting a phone, make sure that you have installed the necessary device drivers on your machine:

If needed, we can download the drivers for our mobile devices from the official site: https://www.mobiledit.com/downloads

I will download the Universal Android Driver, as I am going to use an Android phone as the example in this demonstration.

For Android phones, we first have to enable USB debugging mode in order to proceed:

Note: iOS phones do not need this step.

The USB debugging mode can be found in the Developer options.

Developer options is hidden by default; use the following steps:

  1. On the device, go to Settings > About <device>.
  2. Tap the Build number seven times to make Settings > Developer options available.
  3. Then enable the USB Debugging option.

Tip: You might also want to enable the Stay awake option, to prevent your Android device from sleeping while plugged into the USB port.

Now connect your phone to your computer and wait for MOBILedit Forensic Express to discover it.
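If the phone is not discovered, the state of USB debugging can be checked from the workstation. The script below is an added example, not part of the original article or of MOBILedit; it assumes the Android platform-tools `adb` binary is installed, and the serial numbers in the sample output are constructed. It classifies each line of `adb devices -l` so that an unaccepted "Allow USB debugging?" prompt on the phone is told apart from a cable or connection problem.

```shell
#!/usr/bin/env bash
# Added example: interpret `adb devices -l` before starting an acquisition.
# The parser reads from stdin, so it also works on saved command output.

classify_adb_devices() {
  # Prints one line per attached device: "<serial> <verdict>"
  awk '
    /^List of devices attached/ { next }   # header line
    /^\*/                       { next }   # adb daemon start-up messages
    NF < 2                      { next }   # blank or incomplete lines
    {
      serial = $1; state = $2
      if (state == "device")            verdict = "ready"
      else if (state == "unauthorized") verdict = "accept-usb-debugging-prompt"
      else if (state == "offline")      verdict = "reconnect-cable"
      else                              verdict = "check-state:" state
      print serial, verdict
    }'
}

# Constructed sample output (made-up serials), used when adb is not installed.
sample_adb_output() {
  printf '%s\n' \
    'List of devices attached' \
    'EXAMPLE0001   device usb:1-2 product:p model:Phone_A device:a transport_id:1' \
    'EXAMPLE0002   unauthorized usb:1-3 transport_id:2' \
    'EXAMPLE0003   offline usb:1-4 transport_id:3' \
    ''
}

if command -v adb >/dev/null 2>&1; then
  adb devices -l | classify_adb_devices
else
  sample_adb_output | classify_adb_devices
fi
```

A device reported as `ready` has USB debugging enabled and the workstation's key accepted; any other verdict should be resolved on the phone or the cable before retrying the connection.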

Now the mobile phone is connected to the software.

A Forensic Connector will be installed if no connector exists on the mobile phone. Please make sure that you allow file transfer, such as the media device (MTP) mode.

More options will appear under the connected mobile phone.

In the Browse Phone option, we are able to access the phone memory before the extraction process starts. Then, exit this option and hit Next to initiate the extraction process.

However, if your phone is not rooted, a warning will pop up to tell you so.

In addition, if you decide to root your device, you can use the built-in Root feature that this software offers under the “Hack Phone” option that you saw in the previous figure.

After the phone is connected, click the Next button to continue. Now, the type of export can be chosen according to your own preferences.

In the specific selection option, we are able to fine-tune the search and select the specific information we want.

For instance, we are also able to narrow the time and date for the video file selection. The custom control of the filters and configuration enables us to create concise, comprehensive and professional reports.

If we want the full content of the phone, then we can simply select the full content and continue with the extraction process.

On this page, we input the case details such as the investigator, case evidence number, case notes, etc. This information will appear in the final report.

On this page, we are able to choose the output formats that we prefer. In this case, we will be using the most common report types, which are the PDF format and the Excel format.

Here, we are advised to install Camera Ballistics. This tool uses artificial intelligence and can rapidly locate and identify key evidence and photos.

It has two options: the Photo Recognizer and the Face Matcher. Both of these are very useful in mobile forensics. For instance, the Photo Recognizer allows us to choose the category of image to export, while the Face Matcher enables us to upload an image and search for images of that same person.

This is the final page of the extraction setup; click Export to begin the extraction, analysis and report generation.

The extraction process starts now.

Meanwhile, on the phone, we are able to see that the information is being read in the Forensic Connector.

If any phone encryption is found and you do not know the password or PIN, we will run the password and PIN attack on the phone.

Note: We can also extract information from multiple phones concurrently in order to speed up the extraction process and reduce the case load.

The extraction process is completed.

Click on the results folder and we will see the PDF format and Excel format reports in it.

There is a lot of information recorded in the PDF report, and it is classified according to the categories in the table of contents, which were selected before the extraction process started.


Koay Yong Cett

A Bachelor's CS student majoring in Network Security (UniSZa). Every story I share is based on my personal opinion. Thank you. Doing my internship now.