We previously hosted a webinar on investigating smartphones using Magnet ACQUIRE and Magnet IEF. Our Director of Product Management, Geoff MacGillivray, and Forensics Consultant, Jamie McQuaid, discussed some recent challenges impacting mobile forensics. If you would like to watch the webinar, you can do so here.
Attendees got a preview of our new smartphone acquisition tool, which is currently available to existing customers who have requested to join our beta program. We had a number of great questions from our attendees about our new product, and wanted to recap them for others interested in learning more about ACQUIRE:
- Is Magnet ACQUIRE a standalone product or does it require a user to have IEF?
Magnet ACQUIRE is a standalone smartphone acquisition tool and does not require Magnet IEF in order to acquire smartphone images from iOS or Android devices. You can load an image extracted with ACQUIRE in whatever analysis tool you prefer, or you can manually analyze the data provided. The output is in either a RAW/DD or ZIP format and contains no proprietary formatting that may pose a challenge to your analysis. ACQUIRE is still in beta and is currently open to approved IEF customers, but we will be opening up the beta program to the forensic community later this summer.
- Does ACQUIRE work on a Mac?
Currently Magnet ACQUIRE only runs on Windows PCs.
- On average, how long does a Full Extraction take with ACQUIRE?
The speed of a Full Extraction varies by device and depends on the size of its storage. A Full Extraction performs a RAW/DD dump of the smartphone's physical storage. In testing, a 16GB Samsung Galaxy SIII took on average around an hour to get the Full image.
A Quick Extraction can also vary depending on how much data is on the device and what is set to be backed up, but it can take significantly less time. Performing a Quick Extraction with the same Samsung Galaxy SIII took only 4-5 minutes.
- How does ACQUIRE handle locked or password protected smartphones?
Magnet ACQUIRE does not currently attempt to crack or bypass any locked or password protected devices, and requires access to the device to enable USB debugging.
- Will ACQUIRE automatically include the SD card when imaging a smartphone?
Yes, Magnet ACQUIRE will automatically image the SD card (when present) for both a Quick and a Full Extraction.
- By installing an agent or rooting a device to extract data, how do I combat a legal defense that I am "polluting" or modifying the device?
Traditional forensics methodology holds that a disk should be write-blocked and that the examiner should not modify the evidence in any way. As technology changes, this has become more difficult, and with live system or smartphone acquisitions it is nearly impossible. Most smartphones require two-way communication with the host computer in order to back up or extract data from the device.
While the laws of every country are different (I am not a lawyer), it is perfectly acceptable to admit evidence in court that has been modified during the acquisition (there are several cases at all levels that can act as precedent for this argument). This type of argument applies to both physical and digital forensics. The key is to show that it was necessary to modify the evidence in order to collect it and, most importantly, to document your steps and account for any changes made to the system or device.
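The documentation point above is the part an examiner can automate. The script below is an added example, not Magnet's code: it writes an acquisition log that records the extraction type, every change made to the device (such as enabling USB debugging), and a SHA-256 for each output file (RAW/DD or ZIP), and it re-verifies those hashes later. File names, the device description and the log layout are assumptions; the demo uses constructed stand-in files, not real extractions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream a file (a RAW/DD or ZIP image can be many GB) and return its SHA-256 hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def write_acquisition_log(image_paths, extraction_type, device, changes_made, log_path):
    """Record what was acquired, how, every change made to the device, and output hashes."""
    if extraction_type not in ("Quick", "Full"):
        raise ValueError("extraction_type must be 'Quick' or 'Full'")
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "device": device,                                    # assumed free-text description
        "extraction_type": extraction_type,
        "changes_made_to_device": list(changes_made),        # e.g. "Enabled USB debugging"
        "outputs": [{"file": os.path.basename(p), "sha256": sha256_file(p),
                     "size_bytes": os.path.getsize(p)} for p in image_paths],
    }
    with open(log_path, "w") as f:
        json.dump(record, f, indent=2)
    return record

def verify_outputs(log_path, image_dir):
    """Re-hash each output named in the log; return (file, ok) pairs so any drift is visible."""
    with open(log_path) as f:
        record = json.load(f)
    results = []
    for out in record["outputs"]:
        path = os.path.join(image_dir, out["file"])
        results.append((out["file"], os.path.exists(path) and sha256_file(path) == out["sha256"]))
    return results

def demo():
    """Constructed sample: fake image files stand in for ACQUIRE output (not real extractions)."""
    d = tempfile.mkdtemp()
    img, sd = os.path.join(d, "phone.dd"), os.path.join(d, "sdcard.zip")
    with open(img, "wb") as f: f.write(b"\x00" * 4096)
    with open(sd, "wb") as f: f.write(b"PK\x03\x04constructed")
    log = os.path.join(d, "acquisition.json")
    write_acquisition_log([img, sd], "Full", "constructed test device", ["Enabled USB debugging"], log)
    before = verify_outputs(log, d)
    with open(sd, "ab") as f: f.write(b"x")   # simulate post-acquisition modification of the SD image
    after = verify_outputs(log, d)
    return before, after
```

Running `demo()` shows both outputs verifying cleanly, then the SD card image failing once it has been altered after the log was written.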
- Does ACQUIRE recover SMS messages or other native application data, or just third-party data?
Depending on the method of extraction and the device type and operating system, ACQUIRE will include data from both native and third-party applications, including SMS. A Full Extraction will include everything on the device, while a Quick Extraction may include SMS, depending on the device and OS being examined. ACQUIRE contains details on what is included in each extraction based on the OS being examined.
- Will ACQUIRE extract all database files regardless of whether or not IEF can analyze them?
Yes, ACQUIRE will extract as much data as it can based on the device and the options selected, regardless of whether IEF is able to analyze all the databases collected or not. This allows examiners to manually examine databases that IEF may not support, or to use other tools that can assist in their investigation.
- How does ACQUIRE handle chat databases, such as WhatsApp, that are encrypted by default?
For a Quick Extraction, ACQUIRE will collect any databases that are included in the backup, whether they are encrypted or not. It will be up to IEF (or other analysis tools) to decrypt the data and correctly analyze it. Specifically for WhatsApp, IEF will decrypt an encrypted WhatsApp database using the key found on the smartphone; and if you were able to get a Full physical or file system extraction with ACQUIRE, WhatsApp also stores an unencrypted copy of the chat database in the user files, which requires no decryption.
Watch the recorded version of this webinar on Investigating Smartphones with Magnet ACQUIRE and IEF.