Parsing the Package
Parsing the package refers to the automated process of analyzing the raw data structures of a mobile application (its databases, preference files and caches) to identify, extract, and decode human-readable information. Without effective parsing, extracted data remains an undifferentiated stream of bytes. Solutions like XRY and XAMN are built to parse a wide range of app packages to recover critical evidence.
Understanding Parsing in Digital Forensics
Data parsing is a fundamental concept in modern mobile forensics. When a forensic tool extracts data from a device, it often retrieves raw files—databases, configuration files, and cached data—that are structured in formats chosen by the application developer.
Parsing is the translation layer. It takes this raw material and reconstructs it into a form an investigator can understand, such as text messages, call logs, location pins, and images.
The Challenge of App Updates
The primary challenge in parsing is the sheer volume and velocity of application updates. A single app, like WhatsApp or Facebook, may release weekly updates, often changing the underlying file structure (table schemas, column meanings, serialization format) or encryption methods. If the forensic software cannot recognize the new “package” structure, it may fail to display the data or, worse, display it incorrectly without any warning.
Why Integrity Matters:
Incorrect parsing can lead to misinterpreted evidence. For example, reading a timestamp stored in milliseconds as if it were seconds, or decoding it against the wrong epoch, could place a suspect at a crime scene at the wrong time. Therefore, the parsers used by the forensic software must be rigorously tested against known app versions and updated whenever those versions change.
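The timestamp pitfall above, as an added example (this is not code from the original page or from MSAB): the same raw integer is decoded under four conventions that mobile app databases commonly use, and a plausibility window flags which reading a parser should trust. The epochs and units are real; the sample values and the 2000-2040 window are constructed for the illustration.

```python
"""Added example (not code from the original page or from MSAB): the same
raw integer decoded under the timestamp conventions commonly met in mobile
app databases, with a plausibility window that flags which reading a parser
should trust. Epochs and units are real; the sample values are constructed."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# (epoch, ticks per second) for each convention
CONVENTIONS = {
    "unix_s":    (datetime(1970, 1, 1, tzinfo=UTC), 1),
    "unix_ms":   (datetime(1970, 1, 1, tzinfo=UTC), 1_000),
    "cocoa_s":   (datetime(2001, 1, 1, tzinfo=UTC), 1),          # Apple / Core Data
    "webkit_us": (datetime(1601, 1, 1, tzinfo=UTC), 1_000_000),  # Chrome, WebKit
}


def decode(raw, convention):
    """Interpret raw under one convention; None when the result is not a
    representable date (a strong hint that the convention is wrong)."""
    epoch, ticks = CONVENTIONS[convention]
    try:
        # integer arithmetic so large values stay exact
        return epoch + timedelta(microseconds=raw * 1_000_000 // ticks)
    except OverflowError:
        return None


def decode_all(raw):
    """Every reading of the same raw value, keyed by convention."""
    return {name: decode(raw, name) for name in CONVENTIONS}


def plausible(raw, lo=datetime(2000, 1, 1, tzinfo=UTC),
              hi=datetime(2040, 1, 1, tzinfo=UTC)):
    """Conventions under which raw lands inside the case's expected window
    (the window is an assumption of this example; set it per case)."""
    return [name for name, dt in decode_all(raw).items()
            if dt is not None and lo <= dt < hi]


if __name__ == "__main__":
    for raw in (1700000060, 1700000060000, 722000000):   # constructed samples
        print(raw, "plausible as:", plausible(raw))
        for name, dt in decode_all(raw).items():
            print("   ", name.ljust(10), dt.isoformat() if dt else "out of range")
```

A reading that overflows or lands in 1601 or 1970 is a sign of a unit or epoch mismatch, not of evidence; a real parser should record which convention it applied so the choice can be reviewed.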
Automated vs. Manual Parsing
- Automated Parsing: Tools like XRY automatically detect the app version and apply the matching decoder. This is essential for speed and efficiency in handling large backlogs.
- Manual Parsing: In complex cases where automated parsing isn’t possible (e.g., a brand-new or obscure app), investigators may use tools like XAMN to examine the raw bytes in a hex view or to query the app’s SQLite databases directly and reconstruct the data by hand.
FAQs
What happens if a forensic tool cannot parse a package?
If a tool cannot parse a specific app package, the data usually appears as raw, unreadable files (often shown as hex). Investigators may need to wait for a software update from their vendor or attempt manual decoding using appropriate tools.
Does parsing recover deleted data?
Yes, advanced parsing can often recover deleted data. By analyzing the free space within an app’s storage (in a SQLite database, the freelist pages, the freeblocks inside a page and its unallocated area), forensic tools can reconstruct entries that the user attempted to remove. This is not guaranteed: once the space has been reused, the database has been vacuumed, or the app configures its database to overwrite deleted records, the content is gone.
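Both the manual parsing described under “Automated vs. Manual Parsing” and the deleted-data recovery answered above, as one added example (this is not code from the original page or from MSAB). A constructed SQLite message store stands in for an app package: it is first parsed with SQL, which is what an automated parser does, and then by walking the raw b-tree page to rebuild a deleted row from the page’s freeblock chain, which is what a manual examiner does when no parser exists. The table layout, file name, sample messages and the assumption that the first column is the rowid alias are all assumptions of this example.

```python
"""Added example; not code from the original page or from MSAB. A constructed
SQLite message store stands in for an app package: it is parsed first with
SQL (what an automated parser does) and then by walking the raw b-tree page
to rebuild a deleted row from the page's freeblock chain (what a manual
examiner does when no parser exists). Column layout, file name and data
are assumptions of this example."""
import os
import sqlite3
import struct
import tempfile

# Constructed sample rows, not from any real device.
SAMPLE_ROWS = [
    (1, "alice", "meet at the pier at nine", 1700000000000),
    (2, "bob", "delete this before anyone sees it", 1700000060000),
    (3, "alice", "ok", 1700000120000),
]
INT_SIZES = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8}  # SQLite integer serial types


def build_sample_db(path):
    """Create the store, then delete the middle message as a user would."""
    con = sqlite3.connect(path)
    # Off is the upstream SQLite default, but apps and distro builds differ;
    # when it is on, released cells are zeroed and nothing below is recoverable.
    con.execute("PRAGMA secure_delete=0")
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, "
                "sender TEXT, body TEXT, ts_ms INTEGER)")
    con.executemany("INSERT INTO messages VALUES (?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    con.close()


def parse_live_rows(path):
    """Automated-style parsing: the SQLite engine decodes the live records."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT * FROM messages ORDER BY id").fetchall()
    con.close()
    return rows


def read_root_page(path):
    """Return (page_bytes, header_offset) for the table's root b-tree page."""
    con = sqlite3.connect(path)
    page_size = con.execute("PRAGMA page_size").fetchone()[0]
    root = con.execute(
        "SELECT rootpage FROM sqlite_master WHERE name='messages'").fetchone()[0]
    con.close()
    with open(path, "rb") as f:
        f.seek((root - 1) * page_size)
        page = f.read(page_size)
    return page, (100 if root == 1 else 0)  # page 1 starts with the file header


def freeblocks(page, hdr):
    """Yield (offset, size) for each block on the page's freeblock chain."""
    if page[hdr] != 0x0D:
        raise ValueError("not a table b-tree leaf page")
    off = struct.unpack(">H", page[hdr + 1:hdr + 3])[0]   # first freeblock
    while off:
        nxt, size = struct.unpack(">HH", page[off:off + 4])
        yield off, size
        off = nxt


def decode_body(buf, serial_types):
    """Decode a record body given its serial types (subset used here)."""
    values, pos = [], 0
    for t in serial_types:
        if t == 0:
            values.append(None)
        elif t in INT_SIZES:
            n = INT_SIZES[t]
            values.append(int.from_bytes(buf[pos:pos + n], "big", signed=True))
            pos += n
        elif t >= 12:
            n = (t - 12) // 2
            values.append(buf[pos:pos + n].decode() if t % 2 else buf[pos:pos + n])
            pos += n
        else:
            raise ValueError("serial type %d not handled" % t)
    return values


def recover_deleted(path, ncols=4):
    """Rebuild deleted rows from freeblocks. Releasing a cell overwrites its
    first four bytes (payload size, rowid, header size, first serial type),
    so the rowid is lost and the first column is assumed from the schema to
    be the rowid alias (serial type 0); the remaining serial types survive."""
    page, hdr = read_root_page(path)
    rows = []
    for off, size in freeblocks(page, hdr):
        cell = page[off:off + size]
        hdr_len = 1 + ncols            # assumption: one-byte header and types
        types = [0] + list(cell[4:2 + hdr_len])
        rows.append(decode_body(cell[2 + hdr_len:], types))
    return rows


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_sample_db(path)
        return parse_live_rows(path), recover_deleted(path)


if __name__ == "__main__":
    live, deleted = demo()
    print("live rows:   ", live)
    print("deleted rows:", deleted)
```

The recovered row carries no id, because the bytes that held it were overwritten when the cell was released; a report should say so rather than guess one. The same walk over a real app database must also cover the unallocated area of each page, whole pages on the database freelist, and any WAL or journal file beside the database.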
How does MSAB handle new app versions?
MSAB continuously updates its XRY and XAMN platforms with new parsers for the latest app versions, so that investigators can “turn data into justice” without being stalled by an app release the software does not yet recognize.