Do you know how to do mobile forensics?

Our tests are so thorough, we even discover errors in the manufacturer’s operating system!

The answer to how best to do mobile forensics, it turns out, is quite simple:

1. Acquire an original of every single different device you wish to support

2. Dedicate developer resources to reverse engineer each one no matter how long it takes

3. Once complete, have their peers double-check their results for accuracy

4. Then get a support engineer to triple check all of the above just to be sure

5. Then offer the mobile device as supported in your forensic tool

We tried other ways of doing it and discovered that there really are no shortcuts. Every single device is different in some way or another, be it hardware or software based. Thus, for true cell phone forensic support, there is no alternative to reverse engineering each device.

Our tests are so thorough that we even discover errors in the original manufacturer’s operating system software!

Any other attempt at projecting “hypothetical” support based on original manufacturing specifications or chipsets is doomed to failure without actual testing, despite the best efforts of our competitors to claim otherwise.

What that means in reality is that we can only offer support for one phone at a time, for every new device that comes on the market. That takes lots of time and a lot of resources; which is one of the reasons why good mobile forensic tools don’t come cheap.

Cell phone forensics is not the same as computer forensics. It’s not like waiting for a new version of Windows to come out every few years and then resting on your laurels. Our engineers are at work every day dealing with new devices with new operating systems. And there are lots of new devices coming out onto the market each week.

True mobile forensics takes a lot of time and a lot of resources to do well. Only then can you be assured that if we say we support a device forensically, it means we really do.

XRY Product Recommendations

Don't take our word for it, listen to our customers

Sometimes, amid the overwhelming volume of marketing messages, it becomes hard to make sense of which products will best suit your needs.

We understand the problem and we know that when you are looking to choose a mobile forensics solution, good independent advice is always valued.

That's why we would like to bring your attention to our LinkedIn pages for Micro Systemation.

At the time of writing this blog entry we just spotted that over 20 professionals in the digital forensics industry have very kindly volunteered to recommend XRY.

If you want independent input from colleagues in the same industry, then this is a great starting point when considering if XRY is suitable for your needs.

I would like to stress that these recommendations are entirely voluntary and nobody has been offered or received any inducement from MSAB to provide them. In fact, the individuals' professional reputations on LinkedIn are there for all to see if you want to discover more about them.

I should also point out that none of them are resellers or trainers connected to Micro Systemation; all of them are genuine paying customers who liked our product so much that they left us a recommendation. 

If you are doing a comparison with others in the industry ask yourself how many people on their recommendation lists are actually independent of the manufacturer?

MSAB XRY Product Recommendations >>


Customer Survey

Excellent Feedback from our Customer Survey

We have reviewed the results of our customer survey this year. We got answers from over 180 customers as a representative group of our customers.

We asked a whole host of questions but amongst the highlights we discovered the following:

  • 98% of our customers rate XRY’s forensic capabilities as either "Good" or "Excellent"
  • 94% of our customers have either "a lot" or "complete" confidence in our ability to deliver improvements in XRY they require
  • 96% of our customers are "very likely" or "certain" to renew their XRY license next year

It's not always that a company can get things right. Like everyone else we are not perfect and we all make the occasional mistake. Nevertheless, these are some outstanding results in terms of a customer survey, of which we feel justifiably proud.

If you want to see the results in more detail you can see them here:

Customer Survey >>

Mobile Forensic Controversies

There exists no standard for what constitutes a supported device...


I read with interest the following on Wikipedia:

Mobile Forensic Controversies

"In general there exists no standard for what constitutes a supported device in a specific product. This has led to the situation where different vendors define a supported device differently. A situation such as this makes it much harder to compare products based on vendor provided lists of supported devices. For instance a device where logical extraction using one product only produces a list of calls made by the device may be listed as supported by that vendor while another vendor can produce much more information. Furthermore different products extract different amounts of information from different devices. This leads to a very complex landscape when trying to overview the products. In general this leads to a situation where testing a product extensively before purchase is strongly recommended. It is quite common to use at least two products which complement each other."

Given this difficulty in undertaking a true comparison of tools we thought it may be useful to give some input.

It seems like every day another vendor in the mobile phone forensics industry claims to have a higher level of cell phone forensic support. We understand how confusing this must be, so we wanted to highlight some of the less transparent methodologies being practiced.

Examples of which are:

  • Claiming a Logical file system dump is some form of Physical support for a mobile device. It isn't - it's an extension of the logical support available and shouldn’t be classed differently.
  • Stating a mass of confusing numbers. E.g. “Database of over 4000 GSM, GPS and CDMA devices including 2350 supported and 880 fully validated devices.” This makes it very difficult to assess which devices have actually ever been tested and validated thoroughly.
  • Making assumption-based support claims. E.g. “Supports more than 3500 phones, because product X enables viewing and acquisition of file systems on 80% of all CDMA handsets.” Again, which ones have actually been tested by the manufacturer for true forensic verification, or is it all just theoretical?
  • Counting support for the same phone more than once; e.g.

    - Using slightly different methods to recover data off the same phone through a logical extraction process: Nokia E71 (No Client) and Nokia E71 (Using Client) is somehow 2 phones supported?

    - Counting support for the same device twice because it is both GSM & CDMA enabled, e.g. HTC Ozone XV 6175 GSM/CDMA magically gets counted twice.

    - Counting the same device 3 times because the same model has a different name when supplied by different network operators: Samsung SCH-i500 Galaxy S (Android) / Samsung SCH-i500 Fascinate (Android) / Samsung SCH-i500 Mesmerize (Android)
  • Publishing a comparison table of rival products, ensuring that your own software details are regularly updated to reflect your product in the best possible light. Then neglecting to update any competitor information, so their performance looks significantly worse. This is a significant issue in mobile forensics because the market is moving so fast, all vendors need to update their software regularly.

Some Guidance on Mobile Forensic Tool Comparisons

Given these less than transparent approaches to marketing taken by others, we thought the following tips may help you:

1) The actual number of phones claimed as supported is no longer any indicator of the quality of the solution you are buying.

It has started to become a bit meaningless as a way of explaining support in mobile forensics.  One phone is supported whether you can only pull off the contacts list or if you can extract the entire contents, security codes and perform a full physical dump and decode. It is still just one phone.

We faced the same problem in trying to demonstrate the difference and so we switched terminology away from using the term “Phones Supported” to use the term “Device Profiles” to try and help explain more clearly where the product improvements are occurring for customers. Why did we do this? Well consider this example:

If in January we offer logical extraction support for 3,000 different mobile phones, and then on our next release in March we do a lot of work enabling physical dumping of these same handsets and include 500 of the same phones with support for physical dumping extraction, then on the next release we still only support 3,000 mobile phones?

If for the next release we then focus on physical decoding of those same 500 phones that we just released dumping support for, then after the second release in June, we still only support 3,000 phones?

Six months research and development work and 3 releases later and the phone support count remains the same? That’s not helpful for us, or for our customers, so we decided to change the terminology to more accurately reflect the work involved and the improvements we are delivering. So that’s why we use the term “Device Profile” and not “Phones Supported” in our documentation.

2) Be very careful about what is meant by the term ‘support’ – it does not always mean tested.

Check how a solution provider is counting. They should have actual possession of the device claimed and be able to run it through an examination process obtaining repeatable results, before claiming it as supported if this is a true forensic tool. That way if there is ever a technical challenge at a later date, the company can go back to the handset in their possession and run further tests to establish what if any problems there may be.

If, however, the support claim is based on theory - a projection of what should be possible based on the technical specifications of a device, a device that was never actually tested or in the possession of the manufacturer - well, that’s not forensic science; that is theory.

It may work a lot of the time, but eventually there will be a problem and no doubt it will happen on a critical case. How then does the vendor validate disputed support claims without access to the original handset?

The truth is that doing mobile forensics properly is both very difficult and very expensive: you have to acquire an original of every device you claim support for and then thoroughly test it before claiming it as supported. Even then things can go wrong, and we have plenty of experience of making mistakes and learning along the way. It is not unusual for us to even find bugs in the manufacturer's own proprietary code.

We are not claiming to be perfect, I am sure MSAB could improve on some things (no doubt our competitors will be pleased to highlight them). However we do want to operate with integrity in this market for the sake of our customers.


Multiple Extractions

How to perform multiple extractions on mobile devices using XRY

We just made a new video to show you just how easy it is to perform simultaneous multiple extractions from up to three different mobile devices using XRY.

A unique feature of XRY is that it offers 3 times the power of other mobile forensic tools.

With XRY users have the ability to extract data from 3 devices and be 3 times quicker. Next time your mobile workload is backing up, you can simply plug in 3 devices, start the wizard and then go home. When you come back into the office in the morning you will have 3 reports done instead of just 1.

Click on the link below to see a guide to using just one of the unique features built into this leading mobile forensics tool.
