Mobilyze from BlackBag Technologies


Summary
BlackBag Technologies has released Mobilyze, a new application for iPhone, iPad and iPod Touch analysis. Since the iPhone was released, many companies have brought out solutions for gathering data for law enforcement and corporate eDiscovery, with varying levels of evidentiary return. The most rudimentary way to gather iPhone data is to use the iPhone itself to display its contents and document what is displayed. At the highest end of data gathering is “chip-off” forensics: physically tearing down the iPhone and analyzing the contents of its electronic components. Mobilyze from BlackBag Technologies (www.BlackBagTech.com) offers a level of data analysis that is considered sound, easily repeatable, and court presentable.

In summary, you can expect to retrieve:
  • Device Information
  • Applications
  • Messages
  • Photos
  • Phone Information
  • Contact Information
(each category has several levels of detail and/or metadata with it)

Note: In this article, we are going to demonstrate a select few features of the application. We highly encourage you to contact BlackBag Technologies for a Demo copy of Mobilyze and experience all of the features for yourself.

Execution
When Mobilyze is installed and launched, you are presented with a button to “Acquire Devices”. Once it is clicked, the following options for obtaining iPhone data appear.


Mobilyze “Acquire Devices” options

These options amount to either acquiring a live iPhone or analyzing the contents of iPhone backup data. For this article, we will be looking at an iPhone connected to the Macintosh via USB cable. When the OK button is clicked, the following screen will appear as data is being gathered and analyzed by Mobilyze.


Acquire device connected to Macintosh via USB cable in Progress

The acquisition of data happens rapidly, but will be dependent on the size of the iPhone you are analyzing. Once all of the data has been brought into Mobilyze, you will be presented with a screen similar to the one seen in the following screen capture.


Mobilyze Device Info Screen

This screen gives an excellent summary of the data that has been collected. The information in the “Ryan’s iPhone” window pane will automatically be included in the Report, as you will see at the end of this article. The “Options” window pane is an editable section where the analyst can enter case relevant data to make the reporting more understandable. The “Overview” window pane is where you can begin to look at the findings of the data extraction. Each of the Arrows indicates that data was found in a category and is a clickable link to the data findings. A single-click, for instance, on the Arrow next to “Messages” will pop open a window showing 204 SMS messages from Ryan’s iPhone along with Spotlight search capability. A single-click on the Arrow next to “Images” will pop open a window with 48 images from Ryan’s iPhone along with Spotlight search capability. Any item in each of these windows can be “Tagged” for inclusion in your report as we will demonstrate later. Let’s look closer at the “Applications” window and the data it will reveal.


Applications Window in Mobilyze

The Applications Window contains a list of all apps that have been installed on Ryan’s iPhone. Further, we can gather extensive information from the installed apps themselves. Let’s look specifically at the navigation app NAVIGON on this iPhone and some of the data that can be easily viewed within Mobilyze. First, a single-click on the NAVIGON app reveals simple information such as release date and purchase price. You will also notice that the lower left window pane shows the data for the app. One file to note is “lastroute.bin”. Clicking on the magnifying glass next to this file will reveal the actual file as stored on the local Macintosh (see screen capture below).


NAVIGON “lastroute.bin” file Revealed in Finder through Mobilyze

This file, lastroute.bin, can now be opened within another application, such as a hex editor like 0xED, to view the data and see where this person has traveled (no, I’m not showing you where I took my last vacation). The same technique can be applied to each application, giving you access to each data file kept on the iPhone.

Now that we have decided that NAVIGON is important to our case, in the Reports menu, we can tag the app for inclusion in our final report.


Report Menu in Mobilyze

After the iPhone contents have been analyzed and all pieces of data have been tagged for inclusion in the report as needed, a Report can be generated. Below is a sample report generated from this iPhone with the NAVIGON app tagged along with 2 images, 1 Contact, and 1 call from the Call History. You can make your report as extensive or minimal as desired. The original report was exported to HTML natively from Mobilyze. For this review, I made a PNG of the report for inclusion on this page.


Mobilyze Report


Conclusion
Mobilyze from BlackBag Technologies is an application that simplifies your analytical life when it comes to all models of iPhones, iPod Touch, and the new iPad. The interface is intuitive enough that you can begin to use it quickly and understand the usage with outside support. As with all of their products, BlackBag offers training on this product to assist you in understanding the results of iPhone analysis.