It's hard to know what's best for you without more information. What types of devices do you see most often? Mostly smartphones, or do you get feature phones? How about Chinese chipset phones? Are you in private industry, or do you work for a law enforcement agency?
I can only tell you what has worked reasonably well for me. I see a lot of iPhones with a limited number of Android devices and BlackBerrys thrown in to make it interesting. This is because of my client base. Your mix may be very different.
I started with BlackLight, which is an iOS and OS X analysis tool only (with recent support for Windows). BlackLight won't get you physical images of anything, but it is good at analyzing iOS backups and acquiring logical images of iOS devices.
I bought a Cellebrite UFED Touch Ultimate to deal with a particular case that never materialized, but since then it has become my go-to tool for mobile forensics. I have not tried XRY or Oxygen, but I am impressed with Cellebrite. As you know, Cellebrite comes with a high price tag, but the support has been great. I do not have Chinex as I have yet to see a Chinese chipset phone.
I also use MPE+ and Magnet Forensics IEF for mobile device analysis, but I continue to use Cellebrite to acquire all my images.
This has worked for me. I can't justify two top-tier solutions, but I can justify one, Cellebrite, with a few of the second-tier or specialized tools to assist and provide a second opinion on what Cellebrite can analyze.
The primary reason for multiple tools is that even the top-tier tools can analyze less than 1% of apps. They try to get the big ones, but as an example, the LinkedIn app isn't decoded by Cellebrite. If you think there might be something in the LinkedIn app, you will be doing some manual decoding through SQLite Browser or something similar. Some of the other tools may decode apps that Cellebrite won't.
This is not a temporary situation. With over a million apps across all four smartphone platforms it is effectively impossible to decode them all. In your budget, include plenty of room for some robust mobile forensics training.
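The post mentions falling back to manual decoding of an app's SQLite database when a commercial tool does not parse it. The script below is an added example, not part of the post and not a feature of Cellebrite, BlackLight, MPE+ or IEF; it shows the two steps that manual decoding usually starts with: enumerating the tables and columns from `sqlite_master`, and turning the raw numeric timestamps into readable dates. The table names, columns and values are constructed for the example and do not describe any real app; the epoch guessing is a magnitude heuristic (Cocoa seconds since 2001, Unix seconds, Unix milliseconds, WebKit microseconds since 1601) and should be confirmed against a known event on the device.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Epochs commonly seen in mobile app databases.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # iOS / Core Data
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # WebKit / Chrome


def build_sample_db():
    """Constructed in-memory database standing in for an undecoded app's
    SQLite file. The schema and rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    # Core Data style table: timestamp is REAL seconds since 2001-01-01.
    cur.execute("CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, "
                "ZSENDER TEXT, ZBODY TEXT, ZTIMESTAMP REAL)")
    cur.execute("INSERT INTO ZMESSAGE VALUES (?, ?, ?, ?)",
                (1, "alice", "see you at noon", 423316800.0))
    # Android style table: timestamp is Unix milliseconds.
    cur.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, "
                "name TEXT, last_seen INTEGER)")
    cur.execute("INSERT INTO contacts VALUES (?, ?, ?)",
                (1, "alice", 1401624000000))
    conn.commit()
    return conn


def list_schema(conn):
    """Return {table: [column, ...]} for every user table in the database."""
    schema = {}
    query = ("SELECT name FROM sqlite_master WHERE type = 'table' "
             "AND name NOT LIKE 'sqlite_%' ORDER BY name")
    for (name,) in conn.execute(query):
        quoted = '"' + name.replace('"', '""') + '"'
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        schema[name] = [row[1] for row in conn.execute(f"PRAGMA table_info({quoted})")]
    return schema


def guess_timestamp(value):
    """Heuristically decode a numeric value as a timestamp by its magnitude.
    Returns (epoch_label, datetime) or None if it does not look like one.
    Ambiguity is inherent: Unix seconds before 2001 overlap with Cocoa seconds,
    so always confirm one decoded value against a known event."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    v = value
    if 1e8 <= v < 1e9:          # Cocoa seconds: roughly 2004 to 2032
        return "cocoa_seconds", COCOA_EPOCH + timedelta(seconds=v)
    if 1e9 <= v < 1e10:         # Unix seconds: 2001 onward
        return "unix_seconds", UNIX_EPOCH + timedelta(seconds=v)
    if 1e12 <= v < 1e13:        # Unix milliseconds
        return "unix_millis", UNIX_EPOCH + timedelta(milliseconds=v)
    if 1e16 <= v < 1e17:        # WebKit microseconds since 1601-01-01
        return "webkit_micros", WEBKIT_EPOCH + timedelta(microseconds=v)
    return None


def decode_table(conn, table):
    """Dump a table as a list of dicts, adding a '<column>_decoded' entry
    beside every numeric column that looks like a timestamp."""
    quoted = '"' + table.replace('"', '""') + '"'
    cur = conn.execute(f"SELECT * FROM {quoted}")
    columns = [d[0] for d in cur.description]
    rows = []
    for raw in cur.fetchall():
        record = dict(zip(columns, raw))
        for col, val in list(record.items()):
            guess = guess_timestamp(val)
            if guess is not None:
                label, when = guess
                record[col + "_decoded"] = f"{when.isoformat()} ({label})"
        rows.append(record)
    return rows


if __name__ == "__main__":
    db = build_sample_db()
    for table, cols in list_schema(db).items():
        print(f"{table}: {cols}")
        for row in decode_table(db, table):
            print("  ", row)
```

On a real extraction you would point `sqlite3.connect` at the app's database file (ideally a copy, and with the matching `-wal` and `-shm` files present so recent rows are not missed), then use `list_schema` to pick the tables worth dumping.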