Forensic Phone Images for Geeks

Last month, I had the opportunity to present a talk titled “Stories Your Cell Phone Can Tell About You” to the Madison DC608 Monthly Meetup. DC608 is the Madison chapter of DEF CON Groups and is a collection of cyber security enthusiasts with a wide range of skills and experience levels. I had lots of fun talking to the group about mobile device forensics over an adult beverage. There were two questions that struck me as great material for a post. The first was “are there any good open-source mobile device forensics tools?” and the other question was “where can I get sample images of mobile phones to analyze?”

The bad news is that mobile device forensic software is rather expensive. Phones are updated constantly and that requires the software publishers to constantly research the changes and update their software. That being said, there is a very neat pair of open-source projects created by Alexis Abrighnoni called the iOS Logs, Events, And Plist Parser (iLEAP) and Android Logs Events And Protobuf Parser (ALEAPP). To learn more about these tools, check out https://cellebrite.com/en/getting-started-with-ileap-and-aleap-a-fundamental-approach/

The commercial mobile device forensic tools are typically able to save an image in a read-only format that is compatible with a viewer or reader that may be freely distributed along with the image. An example of this is Cellebrite Reader, which can read files with the “UFDR” extension. Of course, it requires the full Cellebrite software to generate the UFED file.

Regarding the second question about getting sample forensic images of phones—Josh Hickman has contributed several images to the community. Check out his blog at https://thebinaryhick.blog/public_images/. Josh has both iOS and Android images for several versions in different formats, including the UFDR format—so it can be analyzed with the free Cellebrite Reader.

Check these resources out if you are interested in learning more about mobile forensics.

Scroll to Top