AccessData Enterprise User Guide
AccessData Mobile Phone Examiner

LEGAL INFORMATION

AccessData Corp. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Corp. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, AccessData Corp.
ACCESSDATA TRADEMARKS

AccessData® is a registered trademark of AccessData Corp. Distributed Network Attack® is a registered trademark of AccessData Corp. DNA® is a registered trademark of AccessData Corp. Forensic Toolkit® is a registered trademark of AccessData Corp. FTK® is a registered trademark of AccessData Corp. Password Recovery Toolkit® is a registered trademark of AccessData Corp. PRTK® is a registered trademark of AccessData Corp. Registry Viewer® is a registered trademark of AccessData Corp.
Contents

  AccessData Mobile Phone Examiner
  Legal Information
  AccessData Trademarks
  Documentation Conventions
  Contents
  Chapter 3 Using Mobile Phone Examiner
  Startup Modes
  Stand-Alone Mode
  FTK Host Mode
  User Interface Overview
  Technical Support
  Documentation
AccessData Mobile Phone Examiner User Guide
Chapter 1 Introduction

The AccessData® Mobile Phone Examiner (MPE) 2.0 is a tool that allows a criminal or corporate security investigator to inspect and analyze the contents of a suspect’s phone. When MPE is installed on the same machine as FTK 2.2, an image of the phone’s contents is added directly to a case. On a machine without FTK 2.2 installed, you can connect, acquire the data, and create an image of the data for use in an FTK 2.2 case.
HARDWARE AND SOFTWARE REQUIREMENTS

In order to image and use phone images as part of an investigation, certain hardware and software requirements must be met.

REQUIRED HARDWARE

In addition to the required WIBU CodeMeter CmStick (with current licenses installed), MPE requires the following additional hardware:

• An evidence phone with intact contents.
• A data synchronization cable specific to the mobile device. Several are shipped with MPE. MPE also works with the Susteen set of cables.
Chapter 2 Installation

PRELIMINARIES

Mobile Phone Examiner™ (MPE) version 2.0 may be installed as a standalone program, or in conjunction with FTK 2.2 or later. If it is intended to be used with FTK, do the following before installing MPE:

1. Install FTK 2.2.
2. Open FTK and create an Application Administrator.
3. Ensure the Case Management window can open.
4. Exit FTK.

INSTALLING MPE

To install MPE, perform the following steps.

1. Insert the MPE installation media into the CD/DVD drive. The autorun runs Setup.exe.
2. Select Next to begin the installation.
3. After reading the End-User License Agreement, select the “I Accept...” radio button and then select Next to continue.
4. Select Install to begin the installation process.
5. Click Finish to close the Wizard when installation is complete.
INSTALLING ON AN OFFLINE COMPUTER

The computer where MPE is installed may not be connected to the Internet, for security or other reasons. In this situation MPE cannot be used until an activator file from an online FTK-licensed computer has been transferred to the offline computer.

1. Install MPE on the offline computer as with an online computer (see above).
2. Open C:\Program Files\AccessData\Mobile Phone Examiner\ComComponents.
3. Run Activator.exe to open the Offline Activator.
4.
6. Click Gather to collect the information about the offline computer. The following message window is displayed.
7. Click OK. The following information is displayed in the Activation section of the window.
8. Leave the Offline Activator open.
9. From Windows File Explorer, select the Activator.exe and the newly generated .actsource file.
10. Copy the files to the online computer into the same location.
11. Run Activator.exe.
12.
DEVICE DRIVER INSTALLATION

For any device to be detected by MPE, the manufacturer’s device driver must first be properly installed. To install a manufacturer device driver, perform the following steps:

1. Verify the phone manufacturer and model is listed in the Supported Phones list.
2. Locate the correct USB cable and connect the phone to the machine through the USB cable.
3. When the Add Hardware wizard runs, select the path to the correct manufacturer sub-folder in the Phone Drivers folder on the MPE CD.
Chapter 3 Using Mobile Phone Examiner

This chapter covers the use of AccessData Mobile Phone Examiner (MPE) to capture mobile phone contents as an image. Mobile phone images can only be captured using FTK 2.2 or later, not with FTK Imager.

STARTUP MODES

This version of MPE can be run either as a standalone application, or as an add-on for FTK 2.2.

STAND-ALONE MODE

If the MPE is installed without FTK installed on the same machine, MPE will operate as a stand-alone application.
Figure 3-1 Select Evidence Type

When Mobile Phone is selected, MPE is started. The behavior of MPE when run from FTK is identical to MPE when run stand-alone, with the exception of what happens at the end of image creation.
Figure 3-3 Mobile Phone Examiner User Interface Panes

DEVICE LIST

The Device List pane shows all of the devices that have been detected.

DEVICE METADATA

The Device MetaData pane displays metadata for the device currently selected in the Device List.

LOG MESSAGES

The Log Messages pane displays a log, or history, of the activity of the MPE.

STATUS BAR

The Status Bar indicates the state of the MPE as well as other information related to a given process.
SHUTDOWN RESTRICTIONS

When attempting to close the MPE, if it is not in the Idle state (indicated in the Status Bar), the following message will be displayed:

Figure 3-4 Cannot Close While Initializing...Please Wait

INITIALIZATION

Every time the MPE is run, it must initialize. The first step of initialization is reading the AccessData security device to verify the MPE license.
Figure 3-5 Accessing Detect Devices

While devices are being detected, the Status Bar indicates that the MPE is Detecting, and the percentage of the total detection that has been completed.

Figure 3-6 Status Bar - Detecting

The Log pane indicates the ports that have been detected, followed by the devices that have been detected.
Figure 3-8 Create an Image of a Supported Device When the .
Figure 3-12 Accessing the Supported Phones List

LICENSE INFORMATION

The information used to activate the MPE license is shown in the License Information dialog. To access the license information, click Phone > License Information.
Figure 3-13 Accessing Mobile Phone Examiner License Information

The license information is read-only when the MPE license is activated. When the MPE license is deactivated, the license information will appear as follows:

Figure 3-14 Deactivated Mobile Phone Examiner License Information

ACTIVATE LICENSE

When deactivated, the Activation Key and the User Name can be edited as required. When the license information is correct and OK is selected, the MPE will attempt to activate the license.
Figure 3-16 Log Entries for Failed License Activation

DEACTIVATE LICENSE

The deactivate function allows the license to be removed from one machine and placed on another. To deactivate the Mobile Phone Examiner license, click Phone > Deactivate. The following warning will be displayed:

Figure 3-17 Deactivate Mobile Phone Examiner License

To continue with deactivation, click Yes. This will remove the license from the local machine and allow the license to be used on another machine.
SETTINGS

There are several MPE user settings that can be changed as necessary. To access the user settings, click Phone > Settings.

Figure 3-19 Accessing Mobile Phone Examiner Settings

DETECTION TIMEOUT

This is the amount of time in seconds that MPE will wait on each port to detect a phone.

EVIDENCE PATH

This is the path used to save the AD1 (AccessData image) file.

LOG FILE PATH

This path specifies the location for saving the log files.
Appendix A Mobile Phone Types and Cables

The following table contains a list of all currently supported mobile phone manufacturers, models, and the required DATUSB cable to connect the phone to a computer. The second table lists newly supported phones added with the MPE 1.0.4 release. See “Newly Supported Phone Types” on page 33 for the information.

Note: The USB Cable column is empty in that list for the time being, and the information will be added as it becomes available. Watch our website, www.
PREVIOUSLY SUPPORTED PHONE TYPES

TABLE A-1 Phones Supported Previous to the MPE 1.0.
TABLE A-2 Phones Supported Beginning with the MPE 1.0.4 Release

Manufacturer     Model
Samsung          SGH-U900V
Samsung          SGH-X520
Sony Ericsson    C702
Sony Ericsson    C902
Sony Ericsson    C905
Sony Ericsson    G502
Sony Ericsson    K660i
Sony Ericsson    V640i
Sony Ericsson    W350i
Sony Ericsson    W380i
Sony Ericsson    W760i
Sony Ericsson    W890i
Sony Ericsson    W980i
Sony Ericsson    Z555i
Sony Ericsson    Z770i
Ubiquam          U400
Apple            iPhone (Requires iTunes to be installed.
Appendix B AccessData Corporation Contact Information

This appendix contains information regarding AccessData Corporation’s product registration and license subscriptions, as well as contact information.

REGISTRATION

The AccessData product registration is tracked by the USB dongle device included with your purchase, and is managed by AccessData. To view your current registration, use the AccessData LicenseManager interface. For more information, see Managing Licenses.
ACCESSDATA CONTACT INFORMATION

You can contact AccessData in the following ways:

TABLE A-1

AccessData Corporate Headquarters
  384 South 400 West Suite 200
  Lindon, UT 84042 USA
  Voice: 801.377.5410
  Fax: 801-377-5426

General Corporate Hours
  Monday through Friday, 8:00 AM – 5:00 PM (MST)
  AccessData is closed on US Federal Holidays

State and Local Law Enforcement Sales
  Voice: 800.574.5199, option 1
  Fax: 801.765.4370
  Email: sales@accessdata.com

Federal Sales
  Voice: 800.574.5199, option 2
  Fax: 801.765.
DOCUMENTATION

Please e-mail any typos, inaccuracies, or other problems you find with the documentation to: documentation@accessdata.