Chapter 6: Micro Systemation XRY
Summary (from Company Information)
XRY is a dedicated mobile device forensic tool developed by Micro Systemation (MSAB) based in Stockholm.
XRY has been available since 2002 and ‘XRY Complete’ is a package containing both software and hardware to allow both Logical and Physical analysis of mobile devices. The product comes shipped in a handy portable case with bespoke interior and all the necessary hardware included:
- XRY Forensic Pack Software License Key
- Communication Hub for USB, Bluetooth & Infrared connectivity
- SIM Id Cloner Device
- Pack of SIM Clone Cards
- Write-Protected Universal Memory Card Reader
- Complete set of Cables for Logical & Physical acquisition
- XACT Hex Viewer Software Application
- XRY Reader Tool for distribution to third parties
XRY was designed and refined with the input of forensic investigators, and a wizard guides you through the entire process to assist the examination. The new unified Logical / Physical extraction Wizard and the resulting reports help to show the examiner the full contents of the device in a neat, clean and professional manner.
One of the unique features of XRY is the Device Manual, with a complete and detailed list of the available support for each device, identifying what data can be retrieved and also what cannot be recovered, which is sometimes just as relevant to investigators.
All extractions, Logical or Physical, are saved in an XRY file which remains unaltered – for forensic security purposes. From that file you can create reports as required in Word, Excel, Open Office or PDF. You can include case data and references, choose what data is or is not included in the report, and then distribute it to other parties involved in the investigation: lawyers, prosecutors or other investigators. MSAB offer a free XRY reader and you can provide this to third parties to allow them to make notes on the report – whilst still maintaining the original forensic integrity of the data.
Within the package is the XACT Hex Viewer application to undertake more detailed examination of the raw data recovered and assist with searching and manual decoding to supplement the automatic decoding available in XRY Physical.
Version 5.1 of the XRY Forensic Pack was released on 28th June 2010 with additional support for the Apple iPad.
.XRY was installed via the setup.exe file. The installation wizard walked me through everything step by step, and the entire process took approximately 15 minutes. I also received a software update which I downloaded, ran as an executable, and it applied the updated patch within seconds. An activation/registration key was not needed, but a dongle is needed to run the software.
Once .XRY was running, I selected the option to start an acquisition. From the following screen, I selected the “Logical” examination, as a Physical Dump requires the device to be jailbroken. For our testing purposes, I chose not to jailbreak the device; however, the .XRY user manual provides instructions on how to do so.
Figure 1.1. Select Type of Examination
The following screen shot displays the data that would be acquired from a logical examination:
Figure 1.2. Device Overview
Clicking “Next” began the acquisition process which took approximately 30 minutes. A “.xry” file was created in the specified destination folder and could then be opened within the application at a later time for analysis.
Figure 1.3. Acquisition Process
Results and Reporting
Upon opening the .xry file, the main screen displayed a summary of the report, with the data explorer on the left-hand side including the following categories: Summary, Case Data, General Information, Contacts, Calls, Calendar, Notes, SMS, MMS, Pictures, Videos, Audio, Documents, Files, and Log.
In the SMS, Calls, Voicemail and Notes categories, there is a “Deleted” column at the end of the row which is set if the data is found to be deleted.
I first selected the “General Information” icon to see what type of data it was able to acquire about the device.
Figure 1.4. General Information
I then selected Contacts. Once a contact is selected, detailed information on that individual is shown on the right-hand side. I noted that there was also a checkbox next to each contact, allowing the user to export selected items into a report.
Figure 1.5. Contacts
The “Calls” section displays outgoing, incoming, and missed calls. I wanted to note that voicemails are also included here at the very bottom of the list (voicemails are also included in the Audio section, where each file can be listened to within the application; this will be discussed in more detail below).
Figure 1.6. Calls
The calendar events are displayed as follows:
Figure 1.7. Calendar
XRY is the only software program which actually extracted the deleted Note and incorporated it into its reporting tool. While many of the remaining tools found the “notes.idx” file containing the scrambled deleted data, the user would have to know what the note content was to recognize it as being deleted. The following displays both the undeleted and deleted Notes recovered from the device:
Figure 1.8. Notes
The SMS and MMS messages were split into two sections, both containing the phone number, contact name (if available), and message. Selecting a specific message provides more details including date, time, and whether or not the message had been read.
Figure 1.9. SMS
Figure 1.10. MMS
For the MMS messages, XRY offers the capability to save or launch the file directly from the software; however, after attempting to open it in Windows Media Player, I was unable to successfully view the picture in either message. This is because XRY allows the user to use external players instead of the built-in player. To do this, I went into the options menu (in the top-right corner), selected the “File Types” tab, and added a new line telling the app to open all .mms files using QuickTime. From there, I was able to click launch and view the image.
Figure 1.11. Options – File Type
Pictures and Videos were also stored in separate sections and contain each of the photos/videos taken or saved on the iPhone, including those sent via an MMS message (even though they could not be viewed in the MMS section above). Upon clicking on a particular file, you can view the name, type, size, metadata, and path.
Figure 1.12. Pictures
The remaining sections, Documents, Files, and Log, contain plist files, database files, and log activity. Within the .plist and .db files, additional data that was not extracted into its own category can be found, such as wireless networks that were connected to, browser history, bookmarks, and more. The “Log” section is also significant. Not only does it provide the status of the extraction process, but here you can also find information on Networks, Bookmarks, History, Searches, and Accounts. More specifically, I was able to locate the YouTube application’s browsing history within the log file as well as the 2 applications that were deleted from the device:
Figure 1.13. Log File – Deleted Applications
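The .plist and .db files that XRY leaves under Documents and Files still have to be decoded by hand to recover items such as known wireless networks and browser history. The following Python is an added example of that manual decoding (not code from the white paper or from MSAB); the plist keys, the SQLite schema and all values are constructed samples, not the real iOS layouts. The one fact relied on is that Apple stores many timestamps as seconds since 2001-01-01 UTC (the Cocoa epoch), which an examiner must convert before placing a visit on a timeline.

```python
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample plist standing in for a known-networks file recovered
# under Documents/Files. Key names and values are illustrative, not the
# actual iOS schema.
SAMPLE_WIFI_PLIST = plistlib.dumps({
    "KnownNetworks": [
        {"SSID": "HomeNet", "BSSID": "aa:bb:cc:dd:ee:01", "Security": "WPA2"},
        {"SSID": "CoffeeShop", "BSSID": "aa:bb:cc:dd:ee:02", "Security": "Open"},
    ]
}, fmt=plistlib.FMT_BINARY)

def known_networks(plist_bytes):
    """Decode a (binary or XML) plist and return (ssid, bssid, security) tuples."""
    data = plistlib.loads(plist_bytes)
    return [(n["SSID"], n["BSSID"], n["Security"])
            for n in data.get("KnownNetworks", [])]

# Apple's absolute time reference: seconds since 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_utc(seconds):
    """Convert a Cocoa-epoch float to a timezone-aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)

def build_sample_history_db():
    """Constructed in-memory SQLite database standing in for a browser-history .db."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (item_id INTEGER, visit_time REAL, title TEXT);
        INSERT INTO history_items VALUES (1, 'https://example.org/'),
                                         (2, 'https://example.net/page');
        INSERT INTO history_visits VALUES (1, 300000000.0, 'Example'),
                                          (2, 300003600.5, 'Page');
    """)
    return con

def browsing_history(con):
    """Join visits to URLs and return (url, title, iso_utc_timestamp), oldest first."""
    rows = con.execute("""
        SELECT i.url, v.title, v.visit_time
        FROM history_visits v JOIN history_items i ON i.id = v.item_id
        ORDER BY v.visit_time
    """).fetchall()
    return [(url, title, cocoa_to_utc(t).isoformat()) for url, title, t in rows]
```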
Matrix of Results
The following are the results from .XRY:
Figure 1.14. XRY Matrix of Results
XRY is a user-friendly tool, beginning with the installation all the way through analysis. Any type of file can be opened directly from the tool, as opposed to having to export it. In addition, XRY was the only iPhone analysis product that displayed the deleted notes within the reporting tool, rather than hidden within one of the acquired files.
The following ranking establishes XRY’s overall rating of 3.7 on the four criteria established at the beginning of this white paper.
Table 1.1. XRY Rankings