Digital Forensics Global Trends

The role of personal devices & digital forensics continues to grow

The current number of global mobile device connections in use around the world exceeded 7 billion in April 2014 — this number is expected to continue to increase exponentially as the Internet of things continues to grow.  As use of these devices, and accompanying applications, continue to expand rapidly around the globe so too will the use of digital forensics as an invaluable tool for a variety of law enforcement agencies and stakeholders. The global digital forensics market had revenues of around $1.4bn in 2013 and is expected to grow at a compound annual growth rate of 10.5% between now and 2018.

There are two critical global trends that are shaping the evolution of these marketplaces and the uses of digital forensics- and they are interconnected.  The first is that law enforcement agencies and a growing array of stakeholders are using digital forensics for a rapidly expanding set of uses to keep up with the pace of innovation and commercialization.  The second is that of privacy concerns whereby policy makers are taking a more active role in attempting to shape the use of digital forensics and that law enforcement will have to make adjustments to these new realities.

Recently there have been a number of high profile cases where cutting-edge digital forensics tools have played a key role.  In the Oscar Pistorius trial, Reeva Steenkamp admitted to being scared of the South African track star in a text message three weeks before he shot her dead, according to police experts during his murder trial.  In a Whatsapp conversation in January of 2103, Ms. Steenkamp wrote: “I’m scared of you sometimes and how you snap at me.”  Thanks to digital forensics tools for mobile devices used by the South African Police that can recover messages, including deleted messages and data from encrypted versions, over 35,000 pages worth messages between the couple were recovered and will likely prove pivotal in the disposition of the case. 

For more on this story please read the full article in GRC-Daily here >>

Smartphone App Versions

It’s not just apps anymore, now it is app version numbers.

Did you notice that we just changed the way that we count the number of Smartphone Apps supported in XRY v6.10? It’s not just apps anymore, now it is app version numbers.

Maybe that doesn’t seem so significant, but for us it is an important step and it’s not just to make the numbers look good. It has a solid reason to help us explain the value built into XRY and differentiate us from tools which claim equal support, when in reality it’s anything but equal.


Some years ago, we modified the method in which we counted our mobile device support. In the beginning for XRY, we counted the number of phones we supported based on the number of handsets we could logically extract from; simple and effective.

Things got more complex in 2008 when we launched Physical Dumping & Decoding support for mobiles. For a while we tried to carry on with the existing count method, but it soon became apparent that we weren’t doing justice to the work of our development teams. We did all the research, but the numbers didn’t change.

In reality we had introduced support for a device with a logical extraction and then introduced support for physical dumping and then later on again after even more work, we introduced physical decoding on the same device. It didn’t reflect the value of XRY or indicate to users the full potential to say we still just ‘support’ one phone.

So after some consideration we introduced device support profiles. That way when we find a way to recover more data from a device through either logical, dumping, or decoding etc. you can now see it reflected in the numbers, to give recognition that the product has improved.

We still haven’t found an adequate way to explain how we make XRY better when we improve the existing extraction method on a phone we already support, by finding a way to recover even more data, like we just did in v6.10 for over 400 devices - but that’s a topic for another day.


How many people do you know with a smartphone that’s never updated its Apps? It seems like every other day your smartphone is updating one application or another in the background.

As the software engineers behind these apps identify improvements, they roll them out at a speed never seen before. The result is that it’s highly unlikely you will ever come across a smartphone with version 1.0 of the Facebook app installed. The handset may stick around for a few years, but the software sure won’t.

Examiners need a forensic tool that intends to keep up with that pace of change and that is our intention with XRY. How many tools specifically designed for mobile forensics exist that fully document detailed levels of support for smartphone apps and the versions – the answer is not many.

It’s pretty easy to claim support for one app if you reverse engineer just one version. It is a whole other thing to maintain that support moving forward and do all the ongoing research for the numerous updated versions of the same app that follow.

We see a lot of customers express frustration that an app is meant to be supported, but they still can’t get the data. The answer soon becomes apparent when it is discovered that the app version they have on their device is a newer one to the one which support is claimed.


With our hex tool XACT we have tried to solve this dilemma by allowing you access to tools that provide the capability to recover even more app data. If you have the skills and want to create your own scripts using Python, you can incorporate your own decoders. So for new apps with unknown data structures that even our Development team has not yet worked out, users can build their own scripts to extract and analyse the data. Yet another built in feature to help examiners recover what they need.


Meanwhile for users who prefer as much automatic decoding as possible, we want to reassure you that XRY supports more app versions than any other mobile forensic tool on the market today. Simultaneously we wanted to help users understand that if they can’t recover the data from a particular app there could be an obvious reason why – the version number is not supported.

That’s why we changed a few things in v6.10 XRY – in this new release all the Smartphone Apps we support are now listed in the Device Manual. In there you will see a list of each smartphone OS and which apps are supported on each of those smartphone platforms. Critically there is a complete list of which app versions have been tested and are now supported in XRY. The Device Manual is easy to use and fully searchable to make things as easy as possible.

XRY Device Manual Entry in v6.10

Naturally we wanted to show these improvements and not have the same dilemma that we experienced with the introduction of physical support for XRY. So we have chosen to now count APP VERSIONS rather than just individual apps, for exactly the same reasons – to illustrate the depth and breadth of coverage in XRY to demonstrate the forensic research that has gone into our product.

Beware the forensic tool vendor who says “Yes we have support for the Facebook app” – if that support only extends as far as Facebook App version 1.1 on the iPhone platform only, then you probably won’t get much data.

As an example of what’s out there in terms of data; currently Facebook claims 874 million users and estimates that 10 billion messages are exchanged on a daily basis on Facebook. That is a whole lot of data not being recovered, if the app version installed is not supported in your forensic tool. As an example in v6.10 XRY supports 9 different versions of Facebook just for Android alone.

In future when trying to decide which mobile forensic tool is right for you, make sure you ask which operating systems and specifically what versions of that app are supported on each platform if you want a true gauge of the support levels available to you in a mobile forensic tool.

MSAB Training Department

XRY used in Oscar Pistorius Trial

Oscar Pistorius trial: Whatsapp messages reveal Reeva Steenkamp was 'scared' of Paralympian boyfriend

Oscar Pistorius' girlfriend, Reeva Steenkamp, admitted to being scared of the South African track star in a text message sent less than three weeks before he shot her dead, a police expert told his murder trial.

In a Whatsapp conversation sent on 27 January 2013, Ms Steenkamp wrote: "I'm scared of you sometimes and how you snap at me."

Captain Francois Moller from the South African Police, said he was able to access some 35,000 pages worth of messages between the couple, and 90 per cent of them were loving. 

The evidence was extracted and shown to the court using XRY software.

Credit: This Video link is published on YouTube by IBTIMES TV (  

Increased sales of paint tins anticipated in US

A view of the US Supreme Courts recent ruling:

On Wednesday this week The US Supreme Court unanimously ruled that law enforcement agencies may not search the cell phones of criminal suspects upon arrest without a warrant.

Chief Justice John Roberts wrote in the judgement:

Cellphones are unlike anything else police may find on someone they arrest. They are not just another technological convenience, but ubiquitous, increasingly powerful computers that contain vast quantities of personal, sensitive information. The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.

A cell phone search would typically expose to the government far more than the most exhaustive search of a house. A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form—unless the phone is.

Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple — get a warrant.

The right to privacy comes at a price and that is now what law enforcement officers throughout the US will need to consider as part of their procedures for mobile device examinations.

Ellen Canale, a Justice Department spokeswoman, said the agency would work with law enforcement to ensure "full compliance" with the decision.

"We will make use of whatever technology is available to preserve evidence on cell phones while seeking a warrant, and we will assist our agents in determining when exigent circumstances or another applicable exception to the warrant requirement will permit them to search the phone immediately without a warrant," Canale said.

For our customers within the US we offer the simple (albeit tongue in cheek) suggestion they buy a few paint tins. In the absence of a budget for the investment in proper Faraday cages or bags to retain mobile devices, a number of practioners have found that the humble paint tin can act as quite a good signal blocker.

Albeit there are no guarantees - some of our customers have discovered that putting a mobile device inside a small paint tin, and that inside another larger tin and then perhaps placing them in the basement of a building where mobile signals struggle to reach, might just help prevent a signal wiping all the evidence off the device before a judge has authorized the search warrant.

On a more serious point, law enforcement agencies still need to recover evidence from suspect mobile devices. The courts, prosecutors and even the defence (if they think it will help their case) will expect officers to do all they can to secure best evidence for a criminal trial. So the demand for mobile forensic tools remains and the training and policies around their use become more important than ever. 

The ruling will change the procedures of US law enforcement, but the demand to capture and secure evidence for court will always remain.

US Supreme Court Ruling

MSAB Releases Latest Evolution of Internationally Recognized XRY Digital Forensics Technology

Version 6.10 Will Enable Access to 12,415 support profiles including the latest versions of a wide array of apps

Stockholm - June 5, 2014

MSAB, the mobile leader in forensic technology for mobile examination and pioneer of XRY announced the release of the latest version of its internationally recognized XRY platform. XRY allows users to perform forensically sound digital extractions of data from mobile devices.

Version 6.10 offers a number of new features and capabilities including expanded access to smartphone apps and broader interoperability. To read more about the smartphone app support that version 6.10 you can access go to: MSAB Smartphone App Versions Blog

“The latest version of our groundbreaking XRY technology will enable access to 12,415 device profiles, offering unparalleled capability to users, allowing them to keep pace with latest versions of applications and new technologies in the personal device marketplace,” said Joel Bollö, CEO of MSAB.  “This latest version was driven by the evolving needs of law enforcement and direct feedback from the field, we feel the latest XRY platform provides our customers with a unique and powerful tool, that will be a real game changer.”   

MSAB’s XRY platform is playing a key role in  law enforcement’s efforts to address a wide array of criminal threats including narcotics trafficking, gang violence and exploitation of children. The XRY tool helps law enforcement collect evidence from today’s most advanced smartphones and mobile devices, including cell phones, tablets, portable GPS units, SIM cards, and memory cards. The evidence collected by XRY includes contacts, phone numbers, call logs, text messages, social network app data, location data, pictures, videos, and voice messages including files that have been deleted.  It is heavily used by federal task forces addressing crimes against children and drug enforcement, Computer Crime Labs / Digital Forensics Labs, Regional Computer Forensic Labs (RCFL’s), and Fusion Centers.  It is also widely used by a government, federal, state and local law enforcement agencies and military. 

“While many tools claim to cover applications such as Facebook, they are not created equally,” added Bollö.  “Unless they support the latest versions of those applications they will likely offer limited utility to users.”

XRY has also been successfully proven in courts of in over 60 countries around the world and was recently used to extract WhatsApp messaging data used in Oscar Pistorius case.  It was also used to collect data used against City Councilman in Central Valley California, USA who was sentenced in case involving sex crimes against minors. 

 1 2 3 >  Last ›