MASTER THESIS - COMPARATIVE ANALYSIS & STUDY OF ANDROID/IOS MOBILE FORENSICS TOOLS - DIVA PORTAL

Master Thesis
Network Forensics, 60 credits

Comparative Analysis & Study of
Android/iOS Mobile Forensics Tools

Digital Forensics, 15 credits

Halmstad 2021-06-08
Amer Shakir, Muhammad Hammad, Muhammad Kamran
Halmstad University

Abstract

This report aims to draw a comparison between two commercial mobile forensics and recovery
tools, Magnet AXIOM and MOBILedit. A thorough look at previous studies was helpful in
establishing which aspects of the data extractions must be compared and which areas are the most
important ones to focus on. This work focuses on how the data extracted with one tool
compares with the other and provides comprehensive extraction results based on different scenarios,
circumstances, and aspects. The performance of both tools is compared based on various
benchmarks and criteria. This study has helped establish that MOBILedit outperforms
Magnet AXIOM on more data extraction and recovery aspects and is comparatively the
better tool to get your hands on.

Halmstad University                                                                Page 1

Contents
1. Introduction ................................................................................................................................. 4
2. Literature Review........................................................................................................................ 6
3. Research Objectives .................................................................................................................... 8
4. Methodology and Testing Environment ................................................................................... 10
   4.1 Method ................................................................................................................................ 10
   4.2 Equipment and Testing........................................................................................................ 11
   4.3 File System Extraction and Analysis .................................................................................. 11
5. Results ....................................................................................................................................... 15
   5.1 Comparison Tables .............................................................................................................. 16
   5.2 Social Media ........................................................................................................................ 19
6. Summary ................................................................................................................................... 24
7. Future Work .............................................................................................................................. 25
8. Conclusion ................................................................................................................................ 26
9. References ................................................................................................................................. 27


List of Figures
Figure 1: An iPhone in Airplane mode ......................................................................................... 12
Figure 2: Magnet AXIOM data extraction options ....................................................................... 12
Figure 3: Magnet AXIOM data extraction process....................................................................... 13
Figure 4: MOBILedit generates device information ..................................................................... 13
Figure 5: MOBILedit data extraction options ............................................................................... 14
Figure 6: MOBILedit data extraction process .............................................................................. 14
Figure 7: Magnet AXIOM data extraction results ........................................................................ 15
Figure 8: MOBILedit data extraction results ................................................................................ 15
Figure 9: MOBILedit social media extraction report ................................................................... 19
Figure 10: MOBILedit Facebook artifacts extraction report ........................................................ 19
Figure 11: MOBILedit messenger account information extraction report ................................... 20
Figure 12: MOBILedit messenger voice calls extraction report ................................................... 20
Figure 13: MOBILedit Instagram artifacts extraction report ........................................................ 21
Figure 14: MOBILedit Snapchat artifacts extraction report ......................................................... 21
Figure 15: MOBILedit Snapchat contact list extraction report .................................................... 22
Figure 16: Magnet AXIOM options for acquiring data from different social media platforms ... 22
Figure 17: Magnet AXIOM asks for Facebook login credentials................................................. 23
Figure 18: MOBILedit provides unencrypted login credentials for social media ........................ 23

List of Tables
Table 1: List of testing equipment and their versions ................................................................... 11
Table 2: Comparison of Samsung Galaxy Xcover3 Artifacts ...................................................... 16
Table 3: Comparison of Samsung Galaxy S7 (Non Rooted) Artifacts ......................................... 17
Table 4: Comparison of Samsung Galaxy S7 (Rooted) Artifacts ................................................. 17
Table 5: Comparison of Apple iPhone 6s Artifacts ...................................................................... 18
Table 6: Comparison of Apple iPhone 12 Pro Max Artifacts ....................................................... 18
Table 7: Summary of Results........................................................................................................ 24


1. Introduction

With almost 3.80 billion smartphone users globally as of April 2021, these handheld devices are
the most common means of communication (Turner, 2021). Smartphones are not just handy when
it comes to communication; they are also known to hold a wide range of user data. Because of
their small size, these devices are convenient, and they can preserve massive data artifacts that
include message history, call logs, social media and web history, GPS location and place visit
history, etc. (Panhalkar, 2021). Since these convenient yet reliable devices can hold such a
massive amount of personal data, cybercrimes involving smartphones are rising, and these devices
have also become a target for hackers: 60% of online fraud occurs through mobile phones
(CHACHAK and Thomas, 2021). Consequently, acquiring and investigating the evidence of a
mobile cybercrime has become a necessity because of the vast information such devices may contain.
The process of extracting and examining digital evidence from mobile phone systems is called
mobile forensics.

"Mobile forensics is a branch of digital forensics that deals with acquiring or extracting digital
data or evidence from mobile devices in a forensically sound manner. The term mobile device is
relatable not just to mobile phones but also to any handheld device that has internal memory and
the ability to communicate. Such devices may include PDA, GPS and tablets (e-spincorp.com,
2018)."

"Acquired data can be considered forensically sound if it is extracted, investigated, analyzed,
moved around and stored without tampering with its originality. In order to be forensically sound, the
process of data acquisition must be defensible, reliable, repeatable, well documented and
genuine (zapproved.com, 2017)."

"The core aim of a forensically sound data investigation is that the original evidence must not be
tampered with (Shaikh, 2017)."

Forensically sound data obtained from these devices can be used and investigated by law
enforcement agencies to trace criminals or prevent a crime from happening. Military and
intelligence agencies can track terrorists or take counter-terror measures to prevent threats
against national security. Considering the importance of obtaining forensically sound data from
mobile devices, there are different sorts of forensic recovery tools that help investigators fulfill
this task. Rather than manually acquiring data, forensic investigators can save time and effort by
using these advanced tools, as they can perform tasks much faster and in a more reliable way.
Forensic tools have the ability to recover deleted data, track call logs and messages with
timestamps and trace GPS locations while at the same time maintaining data integrity and
supporting forensically sound acquisition by matching the hash values of extracted copies with
those of the originals. Maintaining data integrity is crucial if the acquired data is to be presented
as evidence in a court of law.
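The hash matching just described, as an added example that is not part of this thesis or of either tool: an acquisition record with hash values and a UTC timestamp (the chain-of-custody entry of section 3 and the "timestamps and hash values" of section 4.1) is written once, and a working copy is re-hashed against it later so that any modification, even a single flipped byte or a truncated file, is detected. The image bytes, device label and examiner name are constructed placeholders.

```python
"""
Added example (not from the thesis, Magnet AXIOM or MOBILedit): integrity
verification of an acquired image by hash values and timestamps.
All input data below is constructed; nothing here comes from a real device.
"""
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images need not fit in RAM


def chunks(data, size=CHUNK):
    """Yield successive byte slices of a bytes object (stand-in for reading a file)."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def hash_image(data_iter):
    """Return SHA-256 and MD5 hex digests over an iterable of byte chunks.
    Both are recorded because acquisition reports commonly list both algorithms."""
    sha = hashlib.sha256()
    md5 = hashlib.md5()
    for block in data_iter:
        sha.update(block)
        md5.update(block)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def acquire(image_bytes, device_label, examiner):
    """NIST step (1): hash the freshly acquired copy and write the acquisition
    record (the chain-of-custody entry) with a UTC timestamp. Returns (copy, record)."""
    record = {
        "device": device_label,          # placeholder label, not a real device
        "examiner": examiner,            # placeholder name
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size_bytes": len(image_bytes),
        **hash_image(chunks(image_bytes)),
    }
    return image_bytes, record


def verify(image_bytes, record):
    """Re-hash a stored copy and compare it with the acquisition record.
    Returns (ok, mismatched_fields); an empty list means the copy is unchanged."""
    problems = []
    if len(image_bytes) != record["size_bytes"]:
        problems.append("size_bytes")
    current = hash_image(chunks(image_bytes))
    for alg in ("sha256", "md5"):
        if current[alg] != record[alg]:
            problems.append(alg)
    return (not problems), problems


def demo():
    """Run acquisition once, then verify an untouched, a modified and a truncated copy."""
    # Constructed stand-in for a file-system extraction: 1 MiB of deterministic bytes.
    fake_image = bytes(range(256)) * 4096
    copy, record = acquire(fake_image, "constructed-test-device", "examiner-placeholder")

    untouched_ok, _ = verify(copy, record)

    # One flipped bit in the working copy must be detected by both digests.
    tampered = bytearray(copy)
    tampered[123456] ^= 0x01
    tampered_ok, tampered_mismatches = verify(bytes(tampered), record)

    # A truncated copy fails the size check as well as both digests.
    truncated_ok, truncated_mismatches = verify(copy[:-1], record)

    return {
        "untouched_ok": untouched_ok,
        "tampered_ok": tampered_ok,
        "tampered_mismatches": tampered_mismatches,
        "truncated_ok": truncated_ok,
        "truncated_mismatches": truncated_mismatches,
        "record": record,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```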


These tools also allow the investigators to categorize the data they want to acquire, so rather than
extracting the whole physical copy which is time and resource consuming, investigators can
focus on acquiring interesting data only.

With a massive number of smartphone variants and forensic tools on the market,
there isn't any tool that can be considered perfect for every situation. Every forensic tool uses a
unique algorithm and strategy to perform the extraction of forensic data. Some tools work well
with the Android platform while others are good at extracting data from iOS devices. As there are
plenty of tools available, it is very time-consuming for investigators to dive deep into the details
of every forensic tool to select the best one among them for their investigations. Therefore,
forensic investigators tend to rely on research papers that draw comparisons between different
forensic tools to choose the best tool for their requirements. Such comparative studies are
performed by individuals and academic institutions, which in turn help forensic teams select
their tools. For our research, we have decided to compare two widely used mobile forensic tools,
Magnet AXIOM and MOBILedit. This report is concerned with comparing the results of forensic
extractions performed with these two tools on the iOS and Android platforms. Different types of
data artifacts have been recovered using both tools to determine which tool has done a better
job of recovering each sort of data artifact. In the end, the overall performance and
features offered by both tools are compared as well.

Forensic recovery has been performed on different types of data artifacts from both the iOS and
Android platforms, and at the end the performance of both tools is evaluated and compared. In the
first section, the state of the art in the literature on comparisons among different forensic tools
is discussed and the research objectives are defined. In the second section of this paper, the
methods that have been used to conduct this forensic extraction and research are addressed. In the
third section, direct comparisons between both tools are performed, and
finally, in the last section a summary, recommendations for future work and the conclusion of this
paper are presented.


2. Literature Review

The main focal point of this research is to compare and examine the forensic data obtained from
Android and iOS-based smartphones using two different tools. This section presents the
past research studies that are relevant to this project, either in the methods used or in the
testing environment in which the research was performed.

Raji, Wimmer and Haddad (2018) compared the forensic results acquired using two different
mobile forensic tools, Autopsy and Paraben E3:DS. Paraben is a commercial tool, while Autopsy
is openly available for anyone to use. A four-step method recommended by the National Institute of
Standards and Technology (NIST) was used to conduct all the tests and experiments. This process
helped the researchers preserve the integrity of the data, which makes it presentable in a
court of law if required. The researchers performed all the testing and experiments on
rooted Android devices only and found that Paraben E3:DS was able to retrieve almost all the
data artifacts while Autopsy wasn't able to perform many retrievals. They also noted that,
unlike Autopsy, Paraben retrieved all activities with an accurate timestamp. They
concluded that data can be retrieved from Android smartphones using the right tools and the right
methods as per the requirements.

Although their research was influential in determining that Paraben is better than
Autopsy, it was limited to Android devices. The research could have been much
more comprehensive if data acquisition and retrieval from iOS devices had been incorporated, as the
iOS user base is the second largest in the world after Android. Also, instead of comparing a freely
available open source tool such as Autopsy with a commercially available professional tool that
is pricey yet reliable like Paraben, a comparison between two tools with equal capabilities and
competitiveness would have been much fairer.

Osho and Ohida (2016, p. 74-83) compared the performance of four different mobile
forensic tools in acquiring data from Android-based smartphones, with an emphasis on
deleted data. No specific set of recommended methodologies was used to conduct this
study; instead the researchers used a self-defined evaluation procedure in which they
described how the different sorts of data artifacts present in different types of phones
can be extracted in different ways. They used AccessData FTK Imager, EnCase,
MOBILedit and Oxygen Forensic Suite to conduct their study. They concluded that
MOBILedit and Oxygen Forensic Suite could not extract deleted data from the smartphone; in
contrast, AccessData FTK Imager and EnCase demonstrated somewhat good capability in
this regard. FTK Imager and EnCase were found to be effective in extracting deleted pictures,
videos and audio. None of the four tools was able to extract deleted call logs, SMS and
contacts. One of the limitations they faced in their research is that they weren't able to
acquire a fully working version of the Oxygen Forensic Suite and had to rely on a trial version to
perform testing. They concluded that there isn't any single forensic tool that can virtually
perform every task on all available mobile platforms. They also highlighted the importance of
acquiring deleted data, as a criminal might be able to evade justice if the deleted data is not
recovered accurately. In this regard, the capability of forensic tools to extract deleted data
cannot be overemphasized.

This study produced resounding outcomes, and it could be further complemented by
incorporating a sound methodology that ensures data integrity. A solid methodology is required
to extract data in a forensically sound condition, which is the most important part of any digital
forensic investigation.

Alhassan et al. (2018) performed a comparative analysis of the results obtained using four
different mobile forensic tools, AccessData FTK Imager, Paraben Device Seizure, EnCase, and
MOBILedit, on five mobile devices with different versions of the Android operating system. The
researchers did not use any specific methodology that might be helpful in acquiring data. The
research paper does include a methodology section in which they describe the testing
environment. Emphasis is given to the procedure used for acquiring data from the devices on
which testing was performed, but no recommended or already established guidelines or methods
were followed. The results of this research show that FTK Imager and Paraben Device
Seizure produced better results than EnCase and MOBILedit. They argue that while
FTK Imager and Paraben were able to retrieve deleted data such as images, videos, documents
and voice recordings from memory, they could not retrieve anything from the SIM card.
EnCase only showed that the device was connected and wasn't able to recover any deleted data at
all. On the other hand, MOBILedit only retrieved some basic information on the phone and SIM,
such as the IMEI, ICCID, and IMSI.

Though the results of their study may be convincing, the study could have been much more
thorough if the researchers had utilized a practically proven set of methods and guidelines that
ensures the integrity of the data, so that it can be presented in a court of law without any hurdles if required.

Johns (2017) made a comparison between Oxygen Suite, Cellebrite Touch, and Autopsy. In order
to conduct this study, the researcher relied on generic research methods that are related to various
philosophies of science. The researcher mentions in the paper that there are two main research
methods, inference and deduction, that can be used with various philosophies of science, and he
decided to proceed with the deduction method to conduct this study. The researcher argues that
this method deals with developing research strategies and theories that can be tested against some
hypothesis presumably obtained from existing literature. Furthermore, to conduct the actual
testing and experiments, a total of five mobile devices were used to acquire data. Four of them
were Android-based smartphones while one mobile device was based on Apple's iOS operating
system. The researcher argues that Oxygen Suite was able to retrieve more WhatsApp
messages from the iPhone, which makes it the best tool among all three in this regard, but when it
comes to the acquisition of images, contacts, SMS and call logs, Cellebrite performed
reasonably well compared to the others. Autopsy wasn't able to retrieve as many artifacts as
the other two tools.

Even though this research provides convincing results, as it includes testing on both Android
and iOS devices using a variety of mobile forensic tools, it could have been further
enhanced by incorporating some tests on a rooted Android device. Also, the inclusion of a
simple yet reliable and easy to understand methodology could have made this research even
more competitive.

Riadi, Yudhana and Putra (2018) performed a forensic recovery of the activities of the Instagram
social media app installed on an Android device using two forensic tools, Oxygen Forensics and
Magnet AXIOM. They conducted their study using the National Institute of Standards
and Technology (NIST) method, which consists of four steps: Collection, Examination, Analysis
and Reporting. They concluded that Magnet AXIOM could retrieve all activities from the
Instagram app with 100% accuracy, while the retrieval accuracy of Oxygen Forensics was
limited to 84%. They also concluded that Magnet AXIOM was able to retrieve data
comprehensively, including detailed information concerning the artifacts. In this
regard, Oxygen Forensics performed well too, but it failed to recover some necessary information
such as the timestamps of the retrieved data.

Though they used the simple yet reliable NIST method to acquire data, which ensures data
integrity, their research was limited to acquiring data from the Instagram Messenger app on a
single Android phone. The study produced good results, but its scope could have been
expanded to include one more device, preferably an iOS device, which could have given further
insight into the performance of both tools with regard to the iOS platform.

3. Research Objectives

The acquired data can be used as evidence in court proceedings and must meet a certain standard
that ensures it has not been tampered with during the extraction process. An appropriate chain of
custody should be proven in court that covers the whole procedure of maintaining and
documenting the management of the acquired evidence. These steps help ensure that the integrity
and authenticity of the acquired data remain protected throughout the extraction process. Failure
to demonstrate the integrity of the data can result in the court not accepting the acquired data as
legitimate evidence (atlanticdf.com, 2019).

Therefore, to fulfill the legal requirement and ensure the integrity and authenticity of the acquired
data, it is very important to use a practically proven and reliable methodology. The literature review
section brought some insights into previously conducted studies. Some of the studies were able to
produce good results but did not use a systematic approach and proper methodologies
to conduct their research. At least three out of the five previous studies haven't used any
proper methodology at all. Among these three studies, only one
incorporated both iOS and Android platforms, while the other two tested on Android
devices only. None included any rooted version of Android in their research.

Though the two remaining studies used the NIST method, which is practically proven and
reliable, these studies are not comprehensive either. One of the studies that used a
proper methodology made a comparison between a free tool, Autopsy, and a commercially
available expensive tool, Paraben, which doesn't sound fair. Comparisons should be drawn
between tools with roughly equal capabilities that are used in
professional and practical environments. Also, the researchers performed their research and
testing on rooted versions of Android devices only and didn't conduct any tests on original
non-rooted platforms. The second study focuses on acquiring data from the Android version of
the Instagram Messenger app. In both of these studies, only Android platforms were used to
conduct testing. By incorporating another platform such as iOS, these studies could have
provided much more thorough and comprehensive results on the comparisons of forensic tools.

From the above analysis it can be seen that each study has one or more of the following
shortcomings:

- Proper methodologies are not used
- Testing performed on one platform only, mostly Android
- Testing performed on non-rooted devices only
- Testing performed on rooted devices only
- Testing performed using two tools of different capabilities
- Very few details about the extraction of social media artifacts

We aim to address the above-mentioned shortcomings in this research. Using a
proper methodology, testing has been performed on both Android and iOS devices using the tools
that we aim to compare. Both older and newer versions of Android and iOS are included in
this research. Along with non-rooted original Android, testing has also been performed on rooted
Android to achieve comprehensive comparison results. Specific focus is
given to acquiring data artifacts from the social media applications that reside on the mobile devices.


4. Methodology and Testing Environment

4.1 Method

This research aims to retrieve forensic data from four mobile devices; two of them are based on
Android while the other two are iOS devices. Magnet AXIOM and MOBILedit are the two forensic
tools used to perform forensic recovery of data from the mobile devices. A comparison of the data
collected using these tools on all four devices has been conducted to find out which of the
two tools performed better under similar testing conditions. This comparison allowed us to
find out which tool works better with iOS devices and which tool is good at retrieving data from
Android devices. Data from all four devices is recovered through file system extraction, and
afterward forensic analysis is conducted. Extracting data from a digital device is highly
sensitive, and it is the investigators' job to make sure that the data is recovered in a forensically
sound manner. In this regard, generating timestamps and hash values ensures that the
acquired information has not been tampered with and can be presented in a court of law. We have
decided to follow the four-step process for digital forensics recommended by the National Institute of
Standards and Technology (NIST), which ensures forensically sound recovery of digital data. The
recommended four steps are as follows:

"(1) identify, acquire and protect data related to a specific event; (2) process the collected data
and extract relevant pieces of information from it; (3) examine the extracted data to derive any
further valuable information; and (4) report the results of the analysis. Lessons learned during
the forensic process should be incorporated in future forensic efforts (nist.gov, 2006)."

The steps mentioned above ensure the integrity of the data retrieved from the devices so that it can be
presented as an acceptable form of evidence in a court of law if required. The data is extracted
and analyzed using the Magnet AXIOM and MOBILedit forensic tools. Magnet AXIOM can acquire
and analyze data from multiple sources such as computers, cloud services, social media accounts,
mobile phones and other IoT devices. Once the data is acquired, AXIOM processes, visualizes
and examines it. After completing all these steps, AXIOM reports the data into one
comprehensive case file for the purpose of examination, thus providing investigators a
well-rounded view of the acquired evidence (cybersecurity-excellence-awards.com, 2021).

MOBILedit Forensic Express can extract, analyze and report data. It is a 64-bit application that
has the ability to acquire data using both logical and physical methods. It can recover deleted
data from the smartphone and supports a huge range of phone variants. In some cases, it can
even break mobile PINs and passwords, which allows investigators to access locked
backups on smartphones. It also has the ability to acquire information such as the IMEI, IMSI, ICCID
and location area information (MOBILedit.com, 2021).


4.2 Equipment and Testing

The testing environment includes several pieces of equipment and a desktop system loaded with
Windows 10. The table below shows the details of all equipment utilized for the
purpose of testing.

Equipment                                       Version
iPhone 6s                                       iOS 13.5.1
iPhone 12 Pro Max                               iOS 14.4.2
Samsung Galaxy S7                               Android 8.0.0
Samsung Galaxy xcover 3                         Android 5.1.1
Magnet AXIOM                                    Version 2.1.9.9727
MOBILedit                                       Forensic Express PRO 7.4.0.20408 64bit
Desktop Computer                                Loaded with Windows 10 64 bit
                   Table 1: List of testing equipment and their versions
There are four mobile devices upon which testing has been performed, two Android and two iOS.
We decided to root the Android device with the newer version and to keep the
older Android device in its original form, as we wanted to monitor the performance of the forensic
tools on both rooted and non-rooted Android systems. Both iOS devices are in their original state, as
we were not able to successfully jailbreak either of them. Since we were trying to make our testing
as accurate as possible, we decided to perform all procedures on phones that are used on a daily
basis and already hold a good amount of data objects. The data objects already
on the phones included images, web history, Google search history, a number of various
applications, the list of connected Wi-Fi hotspots, emails, call log history and message history.

4.3 File System Extraction and Analysis

We then proceeded by connecting the mobile devices to the PC to perform the
extractions. Extraction was conducted on each of the four mobile devices one by one. The
extractions were done by connecting the device directly to the workstation with a USB cable. It is
vital to turn on airplane mode before starting the data acquisition process. A significant
difference between MOBILedit and AXIOM is that MOBILedit can perform bit-by-bit physical
data acquisition of the device. In contrast, AXIOM can only perform logical acquisition. A physical
acquisition is an exact duplicate of the device memory that includes everything precisely as it is
on the device, while a logical acquisition only acquires selected contents of interest.


                            Figure 1: An iPhone in Airplane mode
We have already put our phone into airplane mode, as this disconnects the phone from the
communication network, which prevents any changes and data tampering.

                       Figure 2: Magnet AXIOM data extraction options
The figure above shows that the extraction process is about to start in Magnet AXIOM.
After clicking on the "acquire evidence" option, AXIOM begins extracting data from the device
that has been connected to the workstation; in the above example it is the iPhone 6s.


                       Figure 3: Magnet AXIOM data extraction process

The figure above shows that AXIOM has started to collect and acquire data from the iPhone 6s. It offers the option to analyse the data objects collected so far while it continues to collect more. AXIOM extracts data as a whole; it is not possible to restrict the extraction to specific content. Unlike AXIOM, MOBILedit can extract data either as a whole or selectively by category.

                       Figure 4: MOBILedit generates device information

As seen in the figure above, the moment the device is connected, MOBILedit identifies it and offers the option to proceed with data extraction.


                         Figure 5: MOBILedit data extraction options
It then lets us select what type of content to extract: either specific content categories, or everything via the full content option.

                         Figure 6: MOBILedit data extraction process
In the picture above, MOBILedit begins the data acquisition process; here an Apple iPhone 12 Pro Max is used as the example.


5. Results

                       Figure 7: Magnet AXIOM data extraction results
The picture above shows the results of acquiring data in Magnet AXIOM. As visible in the picture, it obtains the data as a single package. It allows users to view data by category but does not offer the option to generate a report or to extract specific data objects separately.

                          Figure 8: MOBILedit data extraction results


As soon as the acquisition is completed, MOBILedit offers the option to select an application individually and extract its report, as seen in the picture above.

5.1 Comparison Tables

These comparison tables show the actual number of artifacts acquired from each device we tested. The numbers were obtained by repeating the test several times on each device to ensure the integrity of the acquired data.

                     Samsung Galaxy Xcover 3 (Android 5.1.1)
Data Objects            Number of Artifacts              Number of Artifacts
                        Acquired By AXIOM                Acquired By MOBILedit

Contacts                1415                             711
Emails                  9                                0
Application List        173                              199
Image Files             2095 (including Google Photos)   119
Bluetooth Pairing       None                             2
Call Logs               4                                4
SMS                     5                                5
Wi-Fi Network           2                                2
Web History             27                               0
Google Search           1                                1
                  Table 2: Comparison of Samsung Galaxy Xcover 3 Artifacts
The table above shows the data acquired from the Samsung Galaxy Xcover 3, which runs an old Android version. As seen in this comparison, AXIOM performed better than MOBILedit in obtaining data from this old Android phone: it acquired more contacts and, notably, far more image files. The reason is that AXIOM was able to acquire contacts and images found in Google cloud storage, whereas MOBILedit only acquired the data actually present in the phone memory.


                     Samsung Galaxy S7 NON-Rooted (Android 8.0.0)
         Data Objects              Number of Artifacts           Number of Artifacts
                                   Acquired By AXIOM           Acquired By MOBILedit
Contacts                       59                            57
Emails                         0                             0
Application List               214                           336
Image Files                    2                             9
Google Search                  0                             0
Call logs                      4                             1
SMS                            0                             1
Wi-Fi Network                  3                             3
Web History                    0                             0
              Table 3: Comparison of Samsung Galaxy S7 (Non Rooted) Artifacts
We performed data extraction with both tools on both the rooted and the non-rooted version of the Samsung Galaxy S7. The table above shows the results for the non-rooted version. The two tools are almost on par, with MOBILedit taking the lead in the application list and image files, while AXIOM acquired more call history artifacts.

                       Samsung Galaxy S7 Rooted (Android 8.0.0)
Data Objects            Number of Artifacts              Number of Artifacts
                        Acquired By AXIOM                Acquired By MOBILedit
Contacts                57                               57
Emails                  211                              0
Application List        214                              336
Image Files             39503 (including Google images)  11
Google Search           11                               0
Call logs               2                                1
SMS                     1                                1
Wi-Fi Network           3                                3
Web History             0                                0
                 Table 4: Comparison of Samsung Galaxy S7 (Rooted) Artifacts
On the rooted Android device, however, AXIOM performed better. While MOBILedit acquired almost the same number of artifacts as it did from the non-rooted version, AXIOM extracted far more image files and emails. This shows that AXIOM performs better than MOBILedit on rooted Android devices.


                                  iPhone 6s (iOS 13.5.1)
        Data Objects               Number of Artifacts              Number of Artifacts
                                  Acquired By AXIOM              Acquired By MOBILedit
Contacts                        0                              1750
Emails                          0                              0
Application List                0                              229
Image Files                     3266                           11031
Google Search                   0                              0
Call logs                       0                              641
SMS                             1                              5206
Wi-Fi Network                   0                              0
Web History                     0                              982
Bluetooth Pairing               0                              14
                       Table 5: Comparison of Apple iPhone 6s Artifacts
We also performed extractions on the iOS devices. The table above shows the data acquired from the iPhone 6s. MOBILedit performed better on iOS: it acquired more artifacts than AXIOM in every category. Apart from a few image files, AXIOM did not acquire anything at all.

                              iPhone 12 Pro Max (iOS 14.4.2)
        Data Objects               Number of Artifacts            Number of Artifacts
                                   Acquired By AXIOM            Acquired By MOBILedit
Contacts                       0                              1772
Emails                         0                              0
Application List               0                              227
Image Files                    5104                           14253
Bluetooth Pairing              0                              21
Call Logs                      0                              255
SMS                            0                              5149
Wi-Fi Network                  0                              0
Web History                    36                             1249
GPS Location                   0                              148
Account Passwords              36                             1249
                  Table 6: Comparison of Apple iPhone 12 Pro Max Artifacts
As seen in the table above, MOBILedit also performed better on the iPhone 12 Pro Max. It acquired artifacts in all categories, whereas AXIOM only acquired a few image files, some web history and account passwords.


5.2 Social Media

Our testing revealed that MOBILedit can acquire data related to social media applications such as Facebook, Instagram and Snapchat found on a smartphone, while AXIOM could not.

                      Figure 9: MOBILedit social media extraction report
The picture above shows a PDF report on social media generated by MOBILedit. The report includes the details of every artifact acquired from social media apps such as Facebook, Messenger, Instagram and Snapchat. MOBILedit generated this comprehensive report after performing the data extraction.

                 Figure 10: MOBILedit Facebook artifacts extraction report


In the example above, MOBILedit has successfully retrieved ongoing Facebook conversations. It has also retrieved account details, contacts and friend lists, messages, calls and news feeds.

            Figure 11: MOBILedit messenger account information extraction report
This picture shows that MOBILedit has retrieved information about the account used to log in to Messenger.

                 Figure 12: MOBILedit messenger voice calls extraction report
MOBILedit has also retrieved the list of voice calls from Messenger, as shown in the picture above.


                  Figure 13: MOBILedit Instagram artifacts extraction report

                  Figure 14: MOBILedit Snapchat artifacts extraction report
The two pictures above show the successful retrieval of the accounts logged into the Instagram and Snapchat apps. The information includes the username, a link to the user profile, the email address and phone number used to log in to the account, and the installation timestamp of the app.


                 Figure 15: MOBILedit Snapchat contact list extraction report
MOBILedit has retrieved the contact list of the user's Snapchat account, as displayed in the picture above.

MOBILedit did an impressive job of acquiring social media details from within the apps installed on the smartphone. That is not the case with Magnet AXIOM: our testing revealed that AXIOM did not retrieve any information about the user accounts logged into social media apps such as Facebook, Instagram and Snapchat. To acquire data from a specific social media platform, one has to log into the user account manually by selecting the cloud option and entering credentials such as the username and password. This makes AXIOM ineffective for extracting data from social media platforms.

  Figure 16: Magnet AXIOM options for acquiring data from different social media platforms


AXIOM offers the option to acquire data from social media and cloud services by clicking one of the options shown in the picture above. To retrieve data from any of these platforms, investigators must know the credentials of the account they are trying to recover.

                Figure 17: Magnet AXIOM asks for Facebook login credentials
As shown in the picture above, clicking the Facebook option prompts for a username and password. AXIOM cannot retrieve data without these credentials, which makes it ineffective.

        Figure 18: MOBILedit provides unencrypted login credentials for social media


According to the figure above, MOBILedit can extract the credentials of all synchronized accounts. The passwords are unencrypted. Each credential entry contains the account, the application used, the URL and the password.

6. Summary

                                  Table 7: Summary of Results

While both tools worked well with Android, AXIOM did the better job of acquiring data from the rooted Android device, retrieving almost all artifacts. MOBILedit also did well but failed to retrieve most of the images and pictures from the rooted device. On the other hand, AXIOM was not able to recover artifacts of any use from the iOS platform, and it did particularly poorly with the newer iOS version. MOBILedit seems very effective at acquiring data from both old and new iOS versions and recovered almost all artifacts.

MOBILedit offers the option to retrieve data from third-party forensic tools such as Magnet AXIOM and Oxygen Forensics. Our study shows that MOBILedit can extract detailed artifacts and produce a report containing credentials, which are unencrypted.


On the other hand, AXIOM does not appear to be an effective tool for acquiring data from social media platforms, as it recovered nothing at all from the social media apps residing on the device, and it asks for login credentials when a user tries to acquire data from a specific platform. MOBILedit, in contrast, showed great competence here and acquired crucial social media history: it extracted data artifacts from Snapchat, Facebook Messenger and Instagram, and generated a separate PDF report with the details of all acquired social media artifacts, which makes it even more convenient for investigators to read.

7. Future Work

Future work could address acquiring data from jailbroken iPhones. We have already witnessed the large difference between the artifacts acquired from the rooted and non-rooted versions of the Samsung S7, so we believe that if the same extraction and analysis procedure were performed on a jailbroken iPhone, the acquired artifacts could be much more comprehensive. Furthermore, newer versions of AXIOM and MOBILedit could be obtained and compared against open source tools such as Autopsy and well-known commercial tools such as Oxygen Forensics' Detective software, in order to expand this research. Future work could also be directed towards bypassing smartphone passcodes; here the latest version of MOBILedit could come in handy, since its vendor claims it has a built-in ability to bypass the passcodes of many different kinds of smartphones.


8. Conclusion

The outcome of our study highlights the importance of using more than one independent forensic tool in an investigation in order to achieve forensically sound results. No tool can be considered perfect for all tasks, as one tool may be superior at a specific task while another is more suitable for a different one. Our research shows that the performance of the two tools is almost even when acquiring data from Android phones. However, compared with MOBILedit, Magnet AXIOM performed much better and acquired a huge number of data artifacts from the rooted Android device. It is therefore safe to say that AXIOM is the better tool to get your hands on if data is to be extracted from a rooted Android device. On the other hand, MOBILedit did a much better job and acquired a great number of data objects from both old and new versions of iOS devices. When acquiring data from social media apps, MOBILedit has a clear advantage over Magnet AXIOM: MOBILedit acquired all useful data objects from social media applications, while AXIOM acquired nothing at all. AXIOM requires the username and password of the account holder to acquire data from social media platforms, which makes it ineffective.

Amer Shakir is a student of the master's programme in network forensics. He finished studying B.Sc. Electronic Engineering (1983) and Computer Network Technology (2009). Since 2013 he has managed a company that specializes in fixing mobiles (http://mediafixer.se).

Muhammad Hammad is a student of the master's programme in network forensics at Halmstad University. He received his bachelor's degree in computer networking from Malaysia. He worked as an IT specialist for 3 years in Saudi Arabia before coming to Sweden to pursue a master's degree.

Muhammad Kamran is a student of the master's programme in network forensics at Halmstad University. He received his bachelor's degree in computer science from Pakistan. He has been working as an IT consultant in the private sector since 2011.

PO Box 823, SE-301 18 Halmstad
Phone: +35 46 16 71 00
E-mail: registrator@hh.se
www.hh.se