MASTER THESIS - COMPARATIVE ANALYSIS & STUDY OF ANDROID/IOS MOBILE FORENSICS TOOLS - DIVA PORTAL
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Master Thesis
Network Forensics, 60 credits
Comparative Analysis & Study of
Android/iOS Mobile Forensics Tools
Digital Forensics, 15 credits
Halmstad 2021-06-08
Amer Shakir, Muhammad Hammad, Muhammad
Kamran HALMSTAD
UNIVERSITY
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools Abstract This report aims to draw a comparison between two commercial mobile forensics and recovery tools, Magnet AXIOM and MOBILedit. A thorough look at previously done studies was helpful to know what aspects of the data extractions must be compared and which areas are the most important ones to focus upon. This work focuses on how the data extracted from one tool compares with another and provides comprehensive extraction based on different scenarios, circumstances, and aspects. Performances of both tools are compared based on various benchmarks and criteria. This study has helped establish that MOBILedit has been able to outperform Magnet AXIOM on more data extraction and recovery aspects. It is comparatively a better tool to get your hands on. Halmstad University Page 1
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools Contents 1. Introduction ................................................................................................................................. 4 2. Literature Review........................................................................................................................ 6 3. Research Objectives .................................................................................................................... 8 4. Methodology and Testing Environment ................................................................................... 10 4.1 Method ................................................................................................................................ 10 4.2 Equipment and Testing........................................................................................................ 11 4.3 File System Extraction and Analysis .................................................................................. 11 5. Results ....................................................................................................................................... 15 5.1 Comparison Tables .............................................................................................................. 16 5.2 Social Media ........................................................................................................................ 19 6. Summary ................................................................................................................................... 24 7. Future Work .............................................................................................................................. 25 8. Conclusion ................................................................................................................................ 26 9. References ................................................................................................................................. 27 Halmstad University Page 2
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools List of Figures Figure 1: An iPhone in Airplane mode ......................................................................................... 12 Figure 2: Magnet AXIOM data extraction options ....................................................................... 12 Figure 3: Magnet AXIOM data extraction process....................................................................... 13 Figure 4: MOBILedit generates device information ..................................................................... 13 Figure 5: MOBILedit data extraction options ............................................................................... 14 Figure 6: MOBILedit data extraction process .............................................................................. 14 Figure 7: Magnet AXIOM data extraction results ........................................................................ 15 Figure 8: MOBILedit data extraction results ................................................................................ 15 Figure 9: MOBILedit social media extraction report ................................................................... 19 Figure 10: MOBILedit Facebook artifacts extraction report ........................................................ 19 Figure 11: MOBILedit messenger account information extraction report ................................... 20 Figure 12: MOBILedit messenger voice calls extraction report ................................................... 20 Figure 13: MOBILedit Instagram artifacts extraction report ........................................................ 21 Figure 14: MOBILedit Snapchat artifacts extraction report ......................................................... 21 Figure 15: MOBILedit Snapchat contact list extraction report .................................................... 22 Figure 16: Magnet AXIOM options for acquiring data from different social media platforms ... 22 Figure 17: Magnet AXIOM asks for Facebook login credentials................................................. 23 Figure 18: MOBILedit provides unencrypted login credentials for social media ........................ 23 List of Tables Table 1: List of testing equipment and their versions ................................................................... 11 Table 2: Comparison of Samsung Galaxy Xcover3 Artifacts ...................................................... 16 Table 3: Comparison of Samsung Galaxy S7 (Non Rooted) Artifacts ......................................... 17 Table 4: Comparison of Samsung Galaxy S7 (Rooted) Artifacts ................................................. 17 Table 5: Comparison of Apple iPhone 6s Artifacts ...................................................................... 18 Table 6: Comparison of Apple iPhone 12 Pro Max Artifacts ....................................................... 18 Table 7: Summary of Results........................................................................................................ 24 Halmstad University Page 3
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools 1. Introduction With almost 3.80 billion smartphone users globally as of April 2021, these handheld devices are the most common way of communication (Turner, 2021). Smartphones are not just handy when it comes to communication, but they are known to hold a wide range of user data. Because of their small size, these devices are convenient. They can preserve massive data artifacts that include message history, call logs, social media and web history, GPS location and place visits history, etc. (Panhalkar, 2021). Since these convenient yet reliable devices can hold such a massive amount of personal data, cybercrimes involving smartphones are rising. These devices have also become a target for hackers. 60 % of online fraud occurs through mobile phones (CHACHAK and Thomas, 2021). Consequently, acquiring and investigating the evidence of a mobile cybercrime has become a necessity because of the vast information they may contain. The process of extracting and examining digital evidence from mobile phone systems is called mobile forensics. "Mobile forensics is a branch of digital forensics that deals with acquiring or extracting digital data or evidence from mobile devices in a forensically sound manner. The term mobile device is relatable not just to mobile phones but also to any handheld device that has internal memory and ability to communicate. Such devices may include PDA, GPS and Tablets (e-spincorp.com, 2018)." “Acquired data can be considered as forensically sound if it is extracted, investigated, analyzed, moved around and stored without tempering its originality. In order to be forensically sound, the process of data acquisition must be defensible, reliable, repeatable and well documented and genuine (zapproved.com, 2017)." "The core aim for a forensically sound data investigation is that original evidence must not be tempered (Shaikh, 2017)." Forensically sound data obtained from these devices can be used and investigated by law enforcement agencies to trace the criminals or prevent a crime from happening. Military and intelligence agencies can track terrorists or take counter-terror measures to prevent threats against national security. Considering the importance of obtaining forensically sound data from mobile devices, there are different sorts of forensic recovery tools that help investigators to fulfill this task. Rather than manually acquiring data, forensic investigators can save time and efforts by using these advanced tools as they can perform tasks much faster and in a more reliable way. Forensic tools have the ability to recover deleted data, track call logs and messages with timestamp and trace GPS location while at the same time maintaining data integrity and supporting forensically sound acquisition by matching the hash value of extracted copies with the original ones. Maintaining data integrity is very crucial if the acquired data is to be presented as evidence in court of law. Halmstad University Page 4
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools These tools also allow the investigators to categorize the data they want to acquire, so rather than extracting the whole physical copy which is time and resource consuming, investigators can focus on acquiring interesting data only. With a massive number of variants of smartphones and forensic tools out there in the market, there isn't any tool that can be considered perfect for every situation. Every forensic tool uses a unique algorithm and strategy to perform the extraction of forensic data. Some tools work well with the android platform while others are good at extracting data from iOS devices. As there are plenty of tools available, it is very time-consuming for investigators to dive deep into the details of every forensic tool to select the best one among them to perform investigations. Therefore, forensic investigators tend to rely on research papers that draw comparisons between different forensic tools to choose the best tool as per their requirements. Such studies of comparisons are performed by individuals and academic intuitions, which in turn help the forensic teams to select the tools. For our research, we have decided to compare two widely used mobile forensic tools, Magnet AXIOM and MOBILedit. This report concerns with comparing the results of forensics outcomes performed by using these two tools on iOS and android platforms. Different types of data artifacts have been recovered by using both tools to determine which tool has done a better job concerning recovering what sort of data artifact. In the end, the overall performance and features offered by both tools are compared as well. Forensic recovery has been performed on different types of data artifacts from both iOS and android platforms and at the end performance of both tools is evaluated and compared. In the first section, a literature state of the art of the current comparisons among different forensic tools has been discussed and research objectives are defined. In the second section of this paper, the methods that have been used to conduct this forensic extraction and research are addressed as well. In the third section, literal comparisons between both tools have been performed and finally, in the last section a summary, recommendation of future works and conclusion of this paper is presented. Halmstad University Page 5
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools 2. Literature Review The main focal point of this research is to compare and examine the forensic data obtained from the android and iOS-based smartphones using two different tools. This section will present the past studies research conducted that are relevant to this project, either in the methods used or the testing environment in which the research has been performed. Raji, Wimmer and Haddad (2018) compared the forensic results acquired using two different mobile forensic tools, Autopsy and Paraben E3:DS. Paraben is a commercial tool, while Autopsy is openly available for anyone to use. A four step method recommended by National Institute of Standard and Technology (NIST) was used to conduct all the tests and experiments. This process has helped the researchers to preserve the integrity of the data which makes it presentable in court of law if required. The researchers have performed all the testing and experiments on rooted android devices only and found out that Paraben E3:DS was able to retrieve almost all the data artifacts while Autopsy wasn't able to perform many retrievals. They have also noted that, unlike Autopsy, Paraben retrieved all activities with an accurate timestamp. They have concluded that data can be retrieved from Android smartphones using the right tools and right methods as per the requirements. Although their research was influential in determining the fact that Paraben is better than Autopsy, their research was limited to android devices. This research could have been much more comprehensive if data acquisition and retrieval from iOS devices were incorporated as the iOS user base is the second largest in world after android. Also, instead of comparing a freely available open source tool such as Autopsy, with a commercially available professional tool that is pricey yet reliable like Paraben, a comparison between two tools with equal capabilities and competitiveness would have been much fairer. Osho and Ohida (2016, p. 74-83) were able to compare the performance of four different mobile forensic tools in order to acquire data from android based smartphones with an emphasis on deleted data. No specific sets of recommended methodologies are used in order to conduct this study, instead a self-defined evaluation procedure has been used by researchers in which they have mentioned how different sorts of data artifacts that are present in different types of phones can be extracted in different ways. They have used AccessData FTK imager. EnCase, MOBILedit and Oxygen Forensic Suite to conduct their study. They have concluded that MOBILedit and Oxygen Forensic Suite could not extract deleted data from the smartphone; In contrast, AccessData FTK Imager and Encase have demonstrated somewhat good capability in this regard. FTK imager and Encase are found to be effective in extracting deleted pictures, videos and audios. None of the four tools were able to extract deleted call logs, SMS and contacts. One of the limitations that they have faced in their research is that they weren't able to acquire a fully working version of the Oxygen Forensics suite and had to rely on a trial version to perform testing. They have concluded that there isn't any single forensic tool that can virtually Halmstad University Page 6
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools perform every task on all available mobile platforms. They also highlighted the importance of acquiring deleted data as a criminal might be able to evade justice if the deleted data is not recovered accurately. In this regard, forensic tools and their capability of extracting deleted data shouldn't be overemphasized. This study is able to produce resounding outcomes and it can be further complimented by incorporating a sound methodology that ensures data integrity. A solid methodology is required to extract data in a forensically sound condition, which is the most important part of any digital forensic investigation. Alhassan et al. (2018) have performed a comparative analysis on the results obtained using four different mobile forensic tools, AccessData FTK Imager, Paraben device seizure, Encase, and MOBILedit on five mobile devices with different versions of android operating systems. The researchers have not used any specific methodology that might be helpful in acquiring data. The research paper does include a section for methodology in which they have mentioned the testing environment. Emphasis given to the procedure that is used for acquiring data from the devices on which testing is performed, but no recommended or already established guidelines or methods have been followed. The results of this research shows that FTK Imager and Paraben device Seizure were able to present better results than Encase and MOBILedit. They argue that while FTK imager and Paraben were able to retrieve deleted data such as images, videos, documents and voice recordings from memory, they could not retrieve anything from the SIM card. While Encase only showed that the device was connected, it wasn't able to recover any deleted data at all. On the other hand, MOBILedit only retrieved some basic information on phone and SIM such as IMEI, ICCID, and IMSI. Though the results of their study might be convincing, this study could have been much more thorough if the researchers utilized a practically proven set of methods and guidelines that ensures the integrity of data so it can be presented in court of law without any hurdles if required. Johns (2017) made a comparison between Oxygen Suite, Cellebrite touch, and Autopsy. In order to conduct this study, the researcher relied on generic research methods that are related to various philosophies of science. Researchers mentioned in the paper that there are two main research methods: inference and deduction, that can be used with various philosophies of science and he decided to proceed with the deduction method to conduct this study. The researcher argues that this method deals with developing research strategies and theories that can be tested upon some hypothesis presumably obtained from existing literature. Furthermore, to conduct the actual testing and experiments a total of five mobile devices were used to acquire data. Four of them were android based smartphones while one mobile device was based on Apple iOS operating system. The researcher argues that while Oxygen suit has been able to retrieve more WhatsApp messages from iPhone which makes it the best tool among all three in this regard, but when it Halmstad University Page 7
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools comes to the acquisition of Images, contacts, SMS and call logs, Cellebrite has performed reasonably well as compared to others. Autopsy hasn’t been able to retrieve as many artifacts as compared to the other two tools. Even though this research provides convincing results as it includes testing on both the android and iOS devices using a variety of mobile forensic tools, this research could have been further enhanced by incorporating some tests on a rooted version of android device. Also, inclusion of simple yet reliable and easy to understand methodology could have made this research even more competitive. Riadi, Yudhana and Putra (2018) made a forensic recovery of the activities from the Instagram social media app installed in an android device using two forensic tools, Oxygen forensics and Magnet AXIOM. They have conducted their study by using the National Institute of Standards and Technology (NIST) method, which consists of four steps: Collection, Examination, Analysis and Reporting. They have concluded that Magnet AXIOM could retrieve all activities from the Instagram app with 100% accuracy while Oxygen Forensic retrieval performance accuracy was limited to 84%. They have also concluded that Magnet AXIOM has been able to retrieve data comprehensively, including retrieving detailed information concerning the artifacts. In this regard, Oxygen forensic performed well too but it missed to recover a few necessary information like the timestamp of retrieved data. Though they have used a simple yet reliable NIST method to acquire data which ensures data integrity, their research was limited to acquiring data from Instagram Messenger app from a single android phone. The study produced good results but the scope of study could have been expanded to include one more device, preferably an iOS device, which could give further insights on performance of both tools with regards to iOS platform. 3. Research Objectives The acquired data can be used as evidence in court proceedings and must meet a certain standard that ensures it has not been tempered during the extraction process. An appropriate chain of custody should be proven in court that includes the whole procedure of maintaining and documenting the management of acquired evidence. These steps help ensure that the integrity and authenticity of the acquired data remains protected throughout the extraction process. Failure to demonstrate the integrity of the data can result in the court not accepting the acquired data as legitimate evidence (atlanticdf.com, 2019). Therefore, to fulfill the legal requirement and ensure the integrity and authenticity of acquired data, it is very important to use a practically proven and reliable methodology. Literature review section brought some insights on previously done studies. Some of the studies have been able to produce good results but haven’t been able to use systematic approach and proper methodologies Halmstad University Page 8
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools to conduct their research. At least three out of five previously done studies haven’t used any proper methodologies at all. Among these three previously done studies, only one has incorporated both iOS and android platforms, while other two have done testing on android devices only. None have included any rooted version of android in their research. Though the two remaining studies have used the NIST method, which is practically proven and reliable, but these researches are not comprehensive as well. One of the studies that have used a proper methodology made a comparison between a free tool Autopsy and a commercially available expensive tool Paraben, which doesn’t sound fair. Comparisons should be drawn between the tools that have somewhat equally matching capabilities which are used in professional and practical environments. Also, the researchers have performed their research and testing on rooted versions of android devices only and haven’t conducted any tests on original non-rooted platforms. The second study focuses on acquiring data from the android version of the Instagram Messenger app. In both of these studies, only android platforms have been used to conduct testing. By incorporating another platform such as iOS, these researches could have provided much more thorough and comprehensive results on the comparisons of forensic tools. From above analysis it can be seen that each study has at least one or more of the following shortcomings: Proper methodologies are not used Testing performed on one platform only, mostly android. Testing performed on non-rooted devices only Testing performed on rooted devices only Testing performed using two tools of different capabilities Very few details about the extraction of Social Media artifacts We are aiming to address the above mentioned shortcomings in this research. After using a proper methodology, testing has been performed on both android and iOS devices using the tools that we are aiming to compare. Both old and newer versions of android and iOS are included in this research. Along with non-rooted original android, testing has also been performed on rooted android as well to achieve comprehensive results with regards to comparison. Specific focus is given on acquiring data artifacts from social media applications that reside inside mobile devices. Halmstad University Page 9
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools 4. Methodology and Testing Environment 4.1 Method This research aims to retrieve forensic data from four mobile devices; two of them are based on android while other two are iOS devices. Magnet AXIOM and MOBILedit are the two forensic tools used to perform forensic recovery of data from mobile devices. A comparison of the data collected by using these tools on all four devices has been conducted to know which amongst both tools have performed better under similar testing conditions. This comparison allowed us to find out which tool works better with iOS devices and which tool is good at retrieving data from Android devices. Data from all four devices is recovered through file system extraction, and afterward, forensic analysis has been conducted. Extracting data from a digital device is highly sensitive, and it is the investigators' job to make sure that the data is recovered in a forensically sound manner. In this regard, generating timestamps and hash values would ensure that the acquired information is not tempered and can be in the court of law. We have decided to follow a four-step process for digital forensics recommended by the National Institute of Standards and Technology (NIST), which ensures forensically sound recovery of digital data. The recommended four steps are as follows "(1) identify, acquire and protect data related to a specific event; (2) process the collected data and extract relevant pieces of information from it; (3) examine the extracted data to derive any further valuable information; and (4) report the results of the analysis, Lessons learned during the forensic process should be incorporated in future forensic efforts (nist.gov, 2006)" The steps mentioned above ensure the integrity of the retrieved data from both devices to be presented as an acceptable form of evidence in the court of law if required. The data is extracted and analyzed using Magnet AXIOM and MOBILedit forensic tools. Magnet AXIOM can acquire and analyze data from multiple sources such as computers, online clouds, social media accounts, mobile phones and other IoT devices. When the data is acquired, AXIOM will process, visualize and examine it. After completing all these steps, AXIOM will even report the data into one comprehensive case file for the purpose of examination, thus providing investigators a full rounded view of the acquired evidence (cybersecurity-excellence-awards.com, 2021). MOBILedit Forensic Express can extract, analyze and report data. It is a 64-bit application that has the ability to acquire data using both logical and physical methods. It can recover deleted data from the smartphone and supports a huge range of phone variants. In some cases, it can even break mobile PINs and passwords which allow the investigators to access the locked backup in smartphones. It also has the ability to acquire information such as IMEI, IMSI, ICCID and location area information (MOBILedit.com, 2021). Halmstad University Page 10
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
4.2 Equipment and Testing
The testing environment includes a number of equipment and a desktop system loaded with
Windows 10. The table below shows in-depth details of all equipment that are utilized for the
purpose of testing.
Equipment Version
iPhone 6s iOS 13.5.1
iPhone 12 Pro Max iOS 14.4.2
Samsung Galaxy S7 Android 8.0.0
Samsung Galaxy xcover 3 Android 5.1.1
Magnet AXIOM Version 2.1.9.9727
MOBILedit Forensic Express PRO 7.4.0.20408 64bit
Desktop Computer Loaded with Windows 10 64 bit
Table 1: List of testing equipment and their versions
There are four mobile devices upon which testing has been performed, two android and two iOS.
We have decided to root one of the android devices with the latest version. We decided to keep
the old android device in its original form as we wanted to monitor the performance of forensic
tools on both rooted and non-rooted android systems. Both iOS devices are in original format as
we are not able to successfully jailbreak any of them. Since we were trying to make our testing
as accurate as possible, we have decided to perform all procedures on the phones used on daily
basis and have a good amount of data objects already inside them. Data objects that were already
in the phone including images, web history, Google search history, number of various
applications, list of wifi hotspots connected, emails, call logs history and message history.
4.3 File System Extraction and Analysis
Afterward, we proceed ahead by connecting the mobile devices with the PC to perform an
extraction. One by one extraction was conducted on each of the four mobile devices. These
extractions are done directly by a connecting device with a USB cable to the workstation. It is
vital to turn on airplane mode before starting with the data acquisition process. A significant
difference between MOBILedit and AXIOM is that MOBILedit can perform bit by bit physical
data acquisition of the device. In contrast, AXIOM can only perform logical acquisition. Physical
acquisition is an exact duplicate of the device memory that includes everything precisely as it is
in the device while logical acquisition only acquires selective and interesting contents.
Halmstad University Page 11Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
Figure 1: An iPhone in Airplane mode
We have already put our phone into airplane mode as it will disconnect the phone from the
communication network which prevents any changes and data tampering.
Figure 2: Magnet AXIOM data extraction options
The figure above shows the process of extraction is about to get started on Magnet AXIOM.
After clicking on the acquire evidence option, AXIOM will begin extracting data from the device
that has been connected to the workstation. In the above example it is the iPhone 6s.
Halmstad University Page 12Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
Figure 3: Magnet AXIOM data extraction process
The figure above shows that AXIOM has started to collect and acquire data from iPhone 6s
mobile phone. It gives the option to analyze the data objects that are collected while it continues
to collect more. AXIOM extracts data as a whole; it is not possible to extract data precisely.
Unlike AXIOM, MOBILedit is capable of extracting data either as a whole or specifically by
category.
Figure 4: MOBILedit generates device information
As seen in the figure above, the moment device is connected; MOBILedit immediately identifies
it and gives us the option to proceed with data extraction.
Halmstad University Page 13Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
Figure 5: MOBILedit data extraction options
Then it further gives us the option to select what type of content we would like to extract. It
allows us to extract specific contents category-wise or extract everything with a full content
option.
Figure 6: MOBILedit data extraction process
MOBILedit begins the data acquisition process in the above picture. In this case, an Apple
iPhone 12 Pro Max is used as an example.
Halmstad University Page 14Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
5. Results
Figure 7: Magnet AXIOM data extraction results
The above picture shows the results of acquiring data in Magnet AXIOM. As visible in the
picture above, it obtains data as a whole package. It allows the users to view data in categories
but doesn't give the option to generate a report or extract specific data objects separately.
Figure 8: MOBILedit data extraction results
Halmstad University Page 15Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
As soon as the acquisition is completed, MOBILedit gives us the option to individually select the
application and extract its report, as seen in the picture above.
5.1 Comparison Tables
These comparison tables show the actual number of acquired artifacts for each device that we
have performed testing on. We got these numbers by performing testing multiple times on each
device to ensure the integrity of acquired data.
Samsung Galaxy Xcover 3 (Android 5.1.1)
Data Objects Number of Artifacts Number of Artifacts
Acquired By AXIOM Acquired By MOBILedit
Contacts 1415 711
Emails 9 0
Application List 173 199
Image Files 2095 (including Google 119
photos)
Bluetooth Pairing None 2
Call Logs 4 4
SMS 5 5
Wi-Fi Network 2 2
Web History 27 0
Google Search 1 1
Table 2: Comparison of Samsung Galaxy Xcover3 Artifacts
The table above shows the data acquired from the Samsung Galaxy Xcover 3 phone which uses
an old Android version. As seen in this comparison, AXIOM has performed better in obtaining
data from this old android phone in contrast with MOBILedit. More contacts are acquired by
AXIOM than MOBILedit. Another critical thing to note is that AXIOM has been able to acquire
a lot more Image files. The reason for this is because AXIOM has successfully been able to
acquire contacts and images found in Google cloud. In contrast, MOBILedit has only been able
to acquire the data that is actually present in the phone memory.
Halmstad University Page 16Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
Samsung Galaxy S7 NON-Rooted (Android 8.0.0)
Data Objects Number of Artifacts Number of Artifacts
Acquired By AXIOM Acquired By MOBILedit
Contacts 59 57
Emails 0 0
Application List 214 336
Image Files 2 9
Google Search 0 0
Call logs 4 1
SMS 0 1
Wi-Fi Network 3 3
Web History 0 0
Table 3: Comparison of Samsung Galaxy S7 (Non Rooted) Artifacts
We have performed data extraction using both tools on both rooted and non-rooted versions of
Samsung Galaxy S7. The above table shows the results from the non-rooted version. The
performance of both tools is almost at par with each other, with MOBILedit taking the lead in
acquiring more application lists and image files. AXIOM has been able to acquire more artifacts
related to call history.
Samsung Galaxy S7 Rooted (Android 8.0.0)
Data Objects Number of Artifacts Number of Artifacts
Acquired By AXIOM Acquired By MOBILedit
Contacts 57 57
Emails 211 0
Application List 214 336
Image Files 39503 (including Google 11
image)
Google Search 11 0
Call logs 2 1
SMS 1 1
Wi-Fi Network 3 3
Web History 0 0
Table 4: Comparison of Samsung Galaxy S7 (Rooted) Artifacts
However, when it comes to rooted android devices, AXIOM has performed better. While
MOBILedit has been able to acquire almost the identical number of artifacts as it did with the
non-rooted version, AXIOM extracted a lot more image files and emails in comparison. It has
now been revealed that AXIOM can perform better on rooted android devices as compared to
MOBILedit.
Halmstad University Page 17Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
IPhone 6s (iOS 13.5.1)
Data Objects Number of Artifacts Number of Artifacts
Acquired By AXIOM Acquired By MOBILedit
Contacts 0 1750
Emails 0 0
Application List 0 229
Image Files 3266 11031
Google Search 0 0
Call logs 0 641
SMS 1 5206
Wi-Fi Network 0 0
Web History 0 982
Bluetooth Pairing 0 14
Table 5: Comparison of Apple iPhone 6s Artifacts
We have also performed an extraction on iOS devices. The above table shows the data that has
been acquired from an iPhone 6 smartphone. MOBILedit performed better on iOS devices. It has
been able to acquire more data artifacts in every aspect as compared to AXIOM. Apart from a
few image files, AXIOM hasn't been able to acquire anything at all.
iPhone 12 Pro Max (iOS 14.4.2)
Data Objects Number of Artifacts Number of Artifacts
Acquired By AXIOM Acquired By MOBILedit
Contacts 0 1772
Emails 0 0
Application List 0 227
Image Files 5104 14253
Bluetooth Pairing 0 21
Call Logs 0 255
SMS 0 5149
Wi-Fi Network 0 0
Web History 36 1249
GPS Location 0 148
Account Passwords 36 1249
Table 6: Comparison of Apple iPhone 12 Pro Max Artifacts
As seen in the table above, MOBILedit performed better on iPhone 12 Pro Max as well. It has
been able to acquire artifacts of all categories while, on the other hand, AXIOM has only
acquired a few image files, web history and account passwords.
Halmstad University Page 18Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
5.2 Social Media
Our testing has revealed that MOBILedit can acquire data related to social media applications
like Facebook, Instagram and Snapchat found within a smartphone while AXIOM hasn't been
able to do so.
Figure 9: MOBILedit social media extraction report
The above picture shows a PDF report related to social media generated by MOBILedit. This
report includes the details of every artifact acquired from social media apps like Facebook,
Messenger, Instagram and Snapchat. MOBILedit generated this comprehensive report after
performing data extraction.
Figure 10: MOBILedit Facebook artifacts extraction report
Halmstad University Page 19Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
In the above example, we can see MOBILedit has successfully retrieved Facebook conversations
that are taking place. It has also retrieved account details, contacts and friend lists, messages,
calls and news feeds.
Figure 11: MOBILedit messenger account information extraction report
In this picture it can be seen MOBILedit has retrieved that information about the account that is
used for logging in to the messenger.
Figure 12: MOBILedit messenger voice calls extraction report
MOBILedit has also retrieved the list of voice calls from the messengers, as shown in the picture
above.
Halmstad University Page 20Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
Figure 13: MOBILedit Instagram artifacts extraction report
Figure 14: MOBILedit Snapchat artifacts extraction report
The above two pictures show successful retrieval of accounts that are logged into Instagram and
Snapchat apps. Information includes username, link to the user profile, email, and phone number
used to log into the account, along with a timestamp of the installed app.
Halmstad University Page 21Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
Figure 15: MOBILedit Snapchat contact list extraction report
MOBILedit has retrieved the contacts list from the Snapchat account of the user, as displayed in
the above picture.
MOBILedit has done an impressive job acquiring social media details from within the apps
installed by the user on a smartphone. However, that is not the case with Magnet AXIOM. Our
testing has revealed that AXIOM hasn't retrieved any information about the user accounts that
are logged into the social media apps like Facebook, Instagram and Snapchat. To acquire data
from a specific social media platform, we have to manually log into a user account by selecting
the cloud option and entering credentials like username and password. This makes AXIOM
ineffective when it comes to extracting data from social media platforms.
Figure 16: Magnet AXIOM options for acquiring data from different social media platforms
Halmstad University Page 22Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
AXIOM gives us the option to acquire data from social media and clouds by clicking one of the
options shown in the above picture. To successfully retrieve data from any of these platforms,
investigators must know the credentials of the account they are trying to recover.
Figure 17: Magnet AXIOM asks for Facebook login credentials
As shown in the picture above, when you click on the Facebook option, it asks for a username
and password. AXIOM can't retrieve data without a username and password, which makes it
ineffective.
Figure 18: MOBILedit provides unencrypted login credentials for social media
Halmstad University Page 23Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
According to the above figure, MOBILedit can extract all synchronized accounts credentials.
These passwords are unencrypted. Credentials contain account, application used, URL and
password.
6. Summary
Table 7: Summary of Results
While both tools have worked well with android, AXIOM has done a better job when it comes to
acquiring data from rooted version of an android device, as it has been able to retrieve almost all
artifacts. MOBILedit has done well as well but failed to retrieve most of the images and pictures
from the rooted device. On other hand, AXIOM hasn’t been able to recover artifacts of any use
from iOS platform. AXIOM hasn’t done well with newer version of iOS platform specifically.
MOBILedit seems to be very effective in acquiring data from both old and newer iOS platforms
and has been able to recover almost all artifacts.
MOBILedit provides the option to retrieve data from third party forensic tools like Magnet
AXIOM and Oxygen Forensics. Our study shows that MOBILedit can extract detailed artifacts
and give a report with credentials which are unencrypted.
Halmstad University Page 24Comparative Analysis & Study of Android/iOS Mobile Forensics Tools On other hand, AXIOM doesn’t seem to be an effective tool for acquiring data from social media platforms as it hasn’t been able to recover anything at all from social media apps that reside inside mobile. It also asks for login credentials when a user tries to acquire data from a specific social media platform. In this regard MOBILedit has shown a great competency, as it has been able to acquire crucial social media history. It has successfully extracted data artifacts from Snapchat, Facebook Messenger and Instagram. It has generated a separate PDF format report that includes the details of all acquired social media artifacts, which makes it even more convenient for investigators to read. 7. Future Work The future work can be done with regards to acquiring data from jailbroken version of iPhones. We have already witnessed the huge difference between the results of acquired artifacts from rooted and non-rooted version of Samsung S7, that’s why we believe that if same extraction and analysis procedure can be performed upon jailbroken version of iPhone, the acquired artifacts result could have been much more comprehensive. Furthermore, newer version of AXIOM and MOBILedit can be acquired and their comparison can be drawn against open source tools like Autopsy and well known commercial tools like Oxygen Forensics’ detective software in order to further expend this research in future. Future work can also be directed towards bypassing the passcodes of smartphones. In this regard, MOBILedit’s latest version could come in handy, since it might contain an inbuilt ability to bypass passcodes of many different sorts of smartphones as they claim. Halmstad University Page 25
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools 8. Conclusion Our study outcome has highlighted the importance of using more than one independent forensic tool in an investigation process in order to achieve forensically sound results. There is no tool that can be considered perfect for all the tasks, as one tool might be superior in doing a specific task over another that might be suitable for another task. Our research shows that the performance of both tools is almost even when it comes to acquiring data from android phones. However, in comparison with MOBILedit, Magnet AXIOM has performed much better and acquired a huge number of data artifacts from rooted android devices. Therefore, it is safe to say that AXIOM is a better tool to get your hands on if data is to be extracted from a rooted android device. On the other hand, MOBILedit has done a much better job and acquired a great number of data objects from both old and new versions of iOS devices. When it comes to acquiring data from social media apps, MOBILedit has a clear advantage over Magnet AXIOM. MOBILedit acquired all useful data objects from social media applications, while AXIOM hasn't been able to acquire anything at all. AXIOM requires the username and password of the account holder to acquire data from social media platforms, which makes it ineffective. Halmstad University Page 26
Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
9. References
1. Turner, A., 2021. Number Of Smartphone & Mobile Phone Users Worldwide (Billions).
[online] https://www.bankmycell.com. Available at:
[Accessed 3 May
2021].
2. Panhalkar, T., 2021. Information that resides on mobile devices (a non-exhaustive list):.
[online] https://info-savvy.com/. Available at: [Accessed 4 May 2021].
3. CHACHAK, E. and Thomas, C., 2021. Cybercrime is moving towards smartphones – this is
what you could do to protect your company. [online] https://www.cyberdb.co/. Available at:
[Accessed 4 May 2021].
4. e-spincorp.com, 2018. Definition of mobile device forensics. [online] https://www.e-
spincorp.com/. Available at: [Accessed 4 May 2021].
5. zapproved.com, 2017. Defending collection processes in court. [online]
https://zapproved.com/. Available at: [Accessed 5 May 2021].
6. Shaikh, H., 2017. Mobile forensic process: Steps and types. [online]
https://resources.infosecinstitute.com/. Available at:
[Accessed 11 May 2021].
7. Raji, M., Wimmer, H. and Haddad, R., 2018. Analyzing Data from an Android Smartphone
while Comparing between Two Forensic Tools. SoutheastCon 2018, [online] Available at:
[Accessed 6 May 2021].
8. Osho, O. and Ohida, S., 2016. Comparative Evaluation of Mobile Forensic
Tools. International Journal of Information Technology and Computer Science, [online]
8(1), pp.74-83. Available at: [Accessed 7 May 2021].
Halmstad University Page 27Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
9. Alhassan, J., Oguntoye, R., Misra, S., Adewumi, A., Maskeliūnas, R. and Damaševičius, R.,
2018. Comparative Evaluation of Mobile Forensic Tools. Proceedings of the International
Conference on Information Technology & Systems (ICITS 2018), [online] Available at:
[Accessed 7 May 2021].
10. Johns,O.,
2017.http://erepository.uonbi.ac.ke/bitstream/handle/11295/109875/Onditi_Comparative%2
0Evaluation%20Of%20The%20Effectiveness%20Of%20Smartphone%20Forensics%20Tools
..pdf?sequence=1. [ebook] Nairobi: University of Nairobi. Available at:
[Accessed 7 May 2021].
11. Riadi, I., Yudhana, A. and Putra, M., 2018. Forensic Tool Comparison on Instagram Digital
Evidence Based on Android with The NIST Method. Scientific Journal of Informatics,
[online] 5(2), pp.235-247. Available at: [Accessed 8 May 2021].
12. atlanticdf.com. 2019. atlanticdf.com. [online] Available at:
[Accessed 4 June 2021].
13. nist.gov, 2006. NIST Guide Details Forensic Practices for Data Analysis. [online]
https://www.nist.gov/. Available at: [Accessed 8 May 2021].
14. cybersecurity-excellence-awards.com/, 2021. Magnet AXIOM. [online] https://cybersecurity-
excellence-awards.com/. Available at: [Accessed 9 May 2021].
Halmstad University Page 28Comparative Analysis & Study of Android/iOS Mobile Forensics Tools
15. MOBILedit.com, 2021. MOBILedit Forensic Express All-in-one phone forensic tool from
pioneers in the field. [online] https://www.MOBILedit.com. Available at:
[Accessed 8 May 2021].
Halmstad University Page 29Amer Shakir is a student of master’s programme in network forensics. He finished studying B.SC. ELECTRONIC ENGINEERING (1983) and COMPUTER NETWORK TECHNOLOGY (2009). Since 2013, He manages a company that specializes in fixing mobiles (http://mediafixer.se). Muhammad Hammad is a student of master's programme in network forensics at Halmstad University. He received his bachelor’s degree in computer networking from Malaysia. He worked as IT specialist for 3 years in Saudi Arabia before coming to Sweden and pursuing master's degree Muhammad Kamran is a student of the master's programme in network Forensics at Halmstad University. He received his bachelor's degree in computer science from Pakistan. He has been working as an IT consultant in the private sector since 2011. PO Box 823, SE-301 18 Halmstad Phone: +35 46 16 71 00 E-mail: registrator@hh.se www.hh.se
You can also read
