It’s not just apps anymore, now it is app version numbers.
Did you notice that we just changed the way that we count the number of Smartphone Apps supported in XRY v6.10? It’s not just apps anymore, now it is app version numbers.
Maybe that doesn’t seem so significant, but for us it is an important step, and it’s not just to make the numbers look good. There is a solid reason behind it: it helps us explain the value built into XRY and differentiate us from tools which claim equal support when in reality it’s anything but equal.
Some years ago, we changed the way we counted our mobile device support. In the beginning for XRY, we counted the number of phones we supported based on the number of handsets we could logically extract from; simple and effective.
Things got more complex in 2008 when we launched Physical Dumping & Decoding support for mobiles. For a while we tried to carry on with the existing count method, but it soon became apparent that we weren’t doing justice to the work of our development teams. We did all the research, but the numbers didn’t change.
In reality we had introduced support for a device with a logical extraction, then introduced support for physical dumping, and later still, after even more work, introduced physical decoding on the same device. Saying we still just ‘supported’ one phone didn’t reflect the value of XRY or indicate its full potential to users.
So after some consideration we introduced device support profiles. That way, when we find a way to recover more data from a device, whether through logical extraction, dumping, decoding, etc., you can see it reflected in the numbers, giving recognition that the product has improved.
We still haven’t found an adequate way to explain how we make XRY better when we improve the existing extraction method on a phone we already support, by finding a way to recover even more data, like we just did in v6.10 for over 400 devices - but that’s a topic for another day.
How many people do you know with a smartphone that’s never updated its Apps? It seems like every other day your smartphone is updating one application or another in the background.
As the software engineers behind these apps identify improvements, they roll them out at a speed never seen before. The result is that it’s highly unlikely you will ever come across a smartphone with version 1.0 of the Facebook app installed. The handset may stick around for a few years, but the software sure won’t.
Examiners need a forensic tool that intends to keep up with that pace of change, and that is our intention with XRY. How many tools specifically designed for mobile forensics fully document their detailed levels of support for smartphone apps and their versions? The answer is: not many.
It’s pretty easy to claim support for one app if you reverse engineer just one version. It is a whole other thing to maintain that support moving forward and do all the ongoing research for the numerous updated versions of the same app that follow.
We see a lot of customers express frustration that an app is meant to be supported, but they still can’t get the data. The answer soon becomes apparent when it is discovered that the app version on their device is newer than the one for which support is claimed.
XACT & PYTHON
With our hex tool XACT we have tried to solve this dilemma by giving you access to tools that provide the capability to recover even more app data. If you have the skills and want to create your own scripts using Python, you can incorporate your own decoders. So for new apps with unknown data structures that even our Development team has not yet worked out, users can build their own scripts to extract and analyse the data. Yet another built-in feature to help examiners recover what they need.
XRY SUPPORT PROFILES
Meanwhile for users who prefer as much automatic decoding as possible, we want to reassure you that XRY supports more app versions than any other mobile forensic tool on the market today. Simultaneously we wanted to help users understand that if they can’t recover the data from a particular app there could be an obvious reason why – the version number is not supported.
That’s why we changed a few things in v6.10 XRY – in this new release all the Smartphone Apps we support are now listed in the Device Manual. In there you will see a list of each smartphone OS and which apps are supported on each of those smartphone platforms. Critically there is a complete list of which app versions have been tested and are now supported in XRY. The Device Manual is easy to use and fully searchable to make things as easy as possible.
Naturally we wanted to show these improvements and not have the same dilemma that we experienced with the introduction of physical support for XRY. So we have chosen to now count APP VERSIONS rather than just individual apps, for exactly the same reasons: to illustrate the depth and breadth of coverage in XRY and to demonstrate the forensic research that has gone into our product.
Beware the forensic tool vendor who says “Yes we have support for the Facebook app” – if that support only extends as far as Facebook App version 1.1 on the iPhone platform only, then you probably won’t get much data.
As an example of what’s out there in terms of data: currently Facebook claims 874 million users and estimates that 10 billion messages are exchanged on a daily basis on Facebook. That is a whole lot of data not being recovered if the app version installed is not supported in your forensic tool. For example, in v6.10 XRY supports 9 different versions of Facebook for Android alone.
In future, when trying to decide which mobile forensic tool is right for you, make sure you ask which operating systems, and specifically which versions of each app, are supported on each platform if you want a true gauge of the support levels available to you in a mobile forensic tool.
MSAB Training Department