Of course, dual-tooling seems a nice and handy thing, but... to be honest... knowing the limitations of these tools (and I mean all of them), you cannot "seriously validate" your data just by using multiple tools. Especially when working with smart devices (Android, iOS etc.).
By all means these tools, despite being really good, are not "fire and forget".
Let's say you've got an Android device "decoded" with XRY - it tells you that there are 4 emails on the device.
Now you want to check which databases the tool looked at and which are missing? Did it look at .journal or .wal files? Did it carve in unallocated space? Good luck analyzing that.
Or you want to browse through the file system and look for additional Android email apps/backups etc. Looking at files in hex? Good luck with that again - you'll end up using an external hex viewer, which is a cumbersome workflow.
Sometimes you find out that emails/chats etc. are missing because the file paths changed after the last app update. There is no way to guide it to that new folder... and so on.
IMHO, when comparing these tools it is also very important to look at what you can do AFTER the software has finished decoding. There are some that just "present" you the data and others that make further investigation a lot easier.