Tools for Mobile Forensics

Enos Jeba
Sep 29, 2020


These are some of the tools available for mobile forensics. Some are free while the rest are paid.

Generic Free Tools

AFLogical OSE

AFLogical OSE is an open-source Android forensic app. It is distributed as an APK and must be installed on the Android device beforehand.

Information (call log, contact list, list of installed applications, text messages and multimedia) is extracted to the SD card, and must subsequently be recovered either by connecting the card to an external device or by pulling it through ADB.

Andriller

Andriller is a software utility for the Windows operating system with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. It has other features, such as lockscreen cracking for pattern, PIN code or password, and custom decoders for app data from Android (and some Apple iOS) databases for decoding communications.

LiME

LiME (Linux Memory Extractor) is a Loadable Kernel Module (LKM) which allows volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique, as it was the first tool to allow full memory captures on Android devices. It also minimizes interaction between user-space and kernel-space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

It supports full Android memory acquisition as well as acquisition over a network interface.

Specific Free Tools

Android Data Extractor Lite (ADEL)

Android Data Extractor Lite (ADEL) is a tool developed in Python. It allows a forensic flowchart to be obtained from the databases of the mobile device. The phone must be rooted or have a custom recovery installed.

WhatsApp Xtract

WhatsApp Xtract allows WhatsApp conversations to be viewed on the computer in a simple and user-friendly way.

Note: The different databases that store the message information should be obtained beforehand.

Skype Xtractor

Skype Xtractor for Linux and Windows is a Python tool developed for the forensics distro DEFT Linux 8. It extracts data from Skype's main.db, including contacts, chats, calls, file transfers, and deleted/modified messages from the chatsync databases.

Paid Tools

Cellebrite Touch

Cellebrite Touch is one of the best-known and most complete evidence extraction devices. It can work with 6300 different terminals running the main operating systems. It is also very simple and intuitive to use.

Encase Forensics

EnCase is the shared technology within a suite of digital investigation products by Guidance Software (now acquired by OpenText). The software comes in several products designed for forensic, cyber security, security analytics and e-discovery use. EnCase is traditionally used in forensics to recover evidence from seized hard drives. It allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.

Oxygen Forensics

Oxygen Forensic is a powerful mobile forensic tool with built-in analytics and a cloud extractor. It is very easy to use, with a user-friendly interface to search, browse, filter and analyze the extracted data. It has built-in cloud data recovery using the Oxygen Forensic® Cloud Extractor. It is capable of obtaining information from more than 10,000 different mobile device models.

MOBILedit

MOBILedit is a platform that works with a variety of phones and smartphones (a complete list of supported handsets is available on the manufacturer's website) and explores the contents of the phone through an MS Outlook-like folder structure. This allows the information stored on the phone to be backed up to a PC, or copied to another phone via the Phone Copier feature.

MOBILedit connects to cell phone devices via an Infrared (IR) port, a Bluetooth link, Wi-Fi, or a cable interface. After connectivity has been established, the phone model is identified by its manufacturer, model number, and serial number (IMEI) and with a corresponding picture of the phone.

Data acquired from cell phone devices is stored in the .med file format. After a successful logical acquisition, the following fields are populated with data: subscriber information, device specifics, Phonebook, SIM Phonebook, Missed Calls, Last Numbers Dialed, Received Calls, Inbox, Sent Items, Drafts and the Files folder. The items present in the Files folder, ranging from graphics files to camera photos and tones, depend on the phone's capabilities. Additional features include the myPhoneSafe.com service, which provides access to the IMEI database to register and check for stolen phones.

Elcomsoft

Elcomsoft iOS Forensic Toolkit allows physical acquisition of iOS devices such as the iPhone, iPad or iPod. It also includes other utility features, such as deciphering the keychain that stores user passwords on the terminal being analyzed, and logging each action performed during the whole process so that a record of them is kept.

Note: To carry out the evidence-gathering process on an Android mobile device, many of the tools require the "USB debugging" option to be enabled, preferably the "Stay awake" option as well, and any screen-lock time-out option to be disabled. If the terminal has a screen lock configured, it is necessary to circumvent it.
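The two ADB-related steps above (checking the debugging preconditions from this note, and pulling the AFLogical OSE output from the SD card as described in the AFLogical section) as an added shell example; this is not code from the post or from the AFLogical project. It assumes AFLogical writes under /sdcard/forensics (assumed default), a single attached device, the standard Android `settings` keys shown, an examiner-chosen time-out threshold, and `sha256sum` on the examiner host.

```shell
#!/bin/sh
# Added example: verify ADB preconditions, then pull AFLogical OSE output
# read-only and record SHA-256 hashes so the copy can be verified later.
set -eu

AFLOGICAL_DIR="/sdcard/forensics"            # assumed AFLogical output location
EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"   # examiner host destination
MIN_TIMEOUT_MS=600000                        # assumed examiner threshold (10 min)

# Evaluate raw Android settings values: adb_enabled (1 = on),
# stay_on_while_plugged_in (0 = off, non-zero = on) and screen_off_timeout
# in milliseconds. Returns 0 only when all three satisfy the note above.
eval_prereqs() {
    adb_on="$1"; stay_on="$2"; timeout_ms="$3"; ok=0
    [ "$adb_on" = "1" ] || { echo "USB debugging is disabled"; ok=1; }
    [ "$stay_on" != "0" ] || { echo "Stay awake is disabled"; ok=1; }
    [ "$timeout_ms" -ge "$MIN_TIMEOUT_MS" ] 2>/dev/null \
        || { echo "screen time-out too short: '$timeout_ms' ms"; ok=1; }
    return "$ok"
}

# Query the attached device over ADB and feed the values to eval_prereqs.
check_device() {
    eval_prereqs \
        "$(adb shell settings get global adb_enabled | tr -d '\r')" \
        "$(adb shell settings get global stay_on_while_plugged_in | tr -d '\r')" \
        "$(adb shell settings get system screen_off_timeout | tr -d '\r')"
}

# Hash every regular file under directory $1 into manifest $2 (sha256sum
# format, sorted by path). Uses -exec so names with spaces are safe.
write_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# Pull the AFLogical output (adb pull only reads from the device) and hash it.
acquire() {
    mkdir -p "$EVIDENCE_DIR"
    adb pull "$AFLOGICAL_DIR" "$EVIDENCE_DIR/aflogical"
    write_manifest "$EVIDENCE_DIR/aflogical" "$EVIDENCE_DIR/aflogical.sha256"
    echo "manifest written to $EVIDENCE_DIR/aflogical.sha256"
}

# Only talk to a device when an ADB host binary is actually present.
if command -v adb >/dev/null 2>&1; then
    check_device && acquire
fi
```

Verify a later copy with `sha256sum -c evidence/aflogical.sha256` run from inside the pulled directory.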
