Quantcast
Channel: Forensic Focus Forums - Recent Topics
Viewing all articles
Browse latest Browse all 20110

Mobile Phone Forensics: FTK Mobile Phone Examiner

$
0
0
I'd like to start by thanking Lee and his team for helping me out. He and I spoke for about 30 minutes today and I was able to show him where my concerns were, and I think we have a good chance at a positive resolution. A brief history I deal mostly with iPhones. Modern iPhones are encrypted. My perfect use scenario for MPE+ is as a second or third opinion on the data Cellebrite PA and BlackLight decode, but I rarely have posession of the phone long enough to image the phone twice. What I want to do is use Cellebrite to take the image and then use that image in MPE+. I asked specifically about that during the sales process and was told unequivocally yes, it can read physical images from Cellebrite. So, when I got my MPE+ license and threw an iPhone physical image at it and it failed to read anything, I was naturally a little peeved. I was even more angry when I inquired of AccessData's support team, and the answer was "To my understanding Cellebrite uses a proprietary format for most of their images, so they will not be able to be read by MPE+." So sales tells me yes it can, and support tells me no it can't. This is what touched off my rant from yesterday. Based on the information I had at this point, I had been lied to by sales in order to make the sale. (we think) The solution I explained to Lee today my desire to image a phone once and use it in both Cellebrite PA and MPE+, and once we determined that the reason I haven't been able to import any Cellebrite iPhone images into MPE+ was encryption, I think Lee has the answer. The .UFD file is a plain text file with some basic information about the image, including the encryption keys. Lee and his team think they can use this key information, modify a copy of the .UFD file and then import the image into MPE+ as if it had been imaged by MPE+. Lee has already been able to get the file system to decrypt, but the iOS parser isn't working yet. Seeing how committed he is to making this work, I think there is a good chance it will work. I will report back when we get it working.

Viewing all articles
Browse latest Browse all 20110

Trending Articles