Mobile phone: identifying configuration signatures of local devices absent from XRY
Technology is rapidly expanding into every part of daily life, as evidenced by the increase in the number of new mobile phone devices appearing on the market while older models remain in use and are reused. The rapid emergence of different and new mobile devices presents challenges for mobile phone forensic investigation. Some models cannot be supported by mobile forensic tools and others have ways of preventing access. XRY is one of the best known mobile forensic tools and it is constantly updating signatures and producing new connectors to keep up with the market. However, the speed of new mobile devices’ release and the emergence of new designs will always result in some being overlooked.
The purpose of this research project is to conduct an investigation to identify some models on the New Zealand market that are not currently supported by XRY and to perform forensic extraction on one or two as well as a supported model. The research is to identify configuration signatures or characteristics of local mobile phone devices that are absent from the XRY database. The result was that four local mobile phone devices (test phones) that are sold and operate in New Zealand were located. Some of these models were manufactured specifically for local Network Service Providers. They were tested following a methodology derived from previous research literature, including the use of practice standards and procedures for digital forensics.
The research findings determine the capability of XRY 6.5 to extract data from these local mobile phone devices. As a result, two of these test devices (Phones 2 and 4) were not officially recognised by XRY and were absent from its database. Phones 1 and 3 were in the database. XRY was able to extract data from each test phone device (logical extraction); however, not all the data was extracted. Thus, some of the test devices already recognised by the tool were not fully supported. XRY was able to extract most of the data from some test devices while others had incomplete data. Most of the deleted test data could not be recovered.
A discussion of the findings indicates that local mobile phone devices can be supported by forensic tools such as XRY; however, there are limitations due to each tool’s performance criteria. These local mobile phone devices can be included in XRY’s list of supported device profiles, and this research provides implications for digital forensic analysts about how these test phones can be recognised and supported. There are also further possible aspects for future work within this research area that can focus on improving the capability of forensic tools to conduct physical analyses for these local test phones.