Forensic competency solutions

**All of the below is subject to the legislative and regulatory provisions of your country and, in the case of organisational matters, to your legal department's evaluation of contracts, policies and procedures. Hill and Associates, and their vendors, do not advocate any technique or tool for use in any circumstance that does not comply with the laws of the jurisdictions in which these platforms and techniques might be used. These tools or techniques must never be used without the owner's express written legal consent, or under appropriate legal provision, or designated authoritative legal powers.**

We only use, and partner with, the premier vendors in the world. The information below is from our forensic tool partner, which specialises in mobile phone, IoT and drone device data extraction and analysis.

Hill and Associates provides full-scope solutions, including device examination, data analysis and reporting. We also review your exposure and evaluate whether a more appropriate security solution would be internal adoption of the equipment, with provision of expertise and training. If you wish to learn more, please contact our specialist.

What can be discovered using our partner's specialist forensic tool

Accounts and passwords

The Accounts and Passwords section displays logins, passwords and tokens recovered from extracted mobile devices, as well as passwords and tokens from web applications on both mobile devices and PCs examined with this tool.

The program decrypts credentials from the iOS keychain and Android KeyStore, finds them in application databases and web forms, and also recovers them from Windows, Mac and Linux PCs.

Advanced physical method

The platform provides advanced physical extraction for Android devices based on Exynos, MTK, Kirin, Spreadtrum and Qualcomm chipsets.

These methods enable lock screen bypass and require no root rights.

Moreover, the software can gain root rights and conduct a full physical extraction of Android devices running Android 7, 8, 9 and 10.

Applications

The applications section displays user data that has been extracted and parsed from popular Social Networks, Messengers, Web Browsers, Navigation, Productivity, Travel, Finance, Fitness, Drone and Multimedia apps.

Investigators can view app account details, contacts, messages, calls, logs, cache, and other relevant data.

Even encrypted apps are decrypted and displayed in this area.

Backup and image import

The platform imports and parses dozens of various device backups and images created in official device software, third-party programs or other forensic tools.

Investigators can import iTunes, Android ADB backups, JTAG/ISP, CHIP-Off images, .dar archives, XRY and UFED extractions, Warrant Returns and many other files.

Calls

The Calls section provides access to phone and App calls.

Investigators can apply various filters as well as export all or selected data to supported file formats.

Call Data Records (CDR) Analysis

The built-in CDR Expert allows importing and analysing CDR files received from mobile service providers, regardless of differences in their column formats and file layouts.

The program guides the investigator through importing a call data records file and through any field mapping required to convert the file into a unified format.

CDR Expert then visualises direct and indirect links between callers on a graph.
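The unified import and link analysis described above, as an added example that is not part of the original page or the vendor's product: two constructed provider layouts with different delimiters, column names and date formats are mapped onto one record format, and the resulting call graph is queried for direct links and for two-hop (indirect) links through a shared contact. The provider layouts, numbers and the mapping dictionary are all invented for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed exports from two fictional providers (numbers and times invented).
PROVIDER_A = "caller,called,start,secs\n" \
             "1001,2002,2021-03-01 10:00:00,120\n" \
             "2002,3003,2021-03-01 11:00:00,30\n"
PROVIDER_B = "A-Number;B-Number;Call Start;Duration;Cell\n" \
             "3003;4004;01/03/2021 12:00;45;LAC1\n" \
             "1001;2002;01/03/2021 13:00;10;LAC2\n"

# Field mappings as an investigator would confirm them: unified field -> source column.
MAPPINGS = {
    "provider_a": {"delimiter": ",", "date_format": "%Y-%m-%d %H:%M:%S",
                   "fields": {"caller": "caller", "callee": "called", "start": "start", "duration": "secs"}},
    "provider_b": {"delimiter": ";", "date_format": "%d/%m/%Y %H:%M",
                   "fields": {"caller": "A-Number", "callee": "B-Number", "start": "Call Start", "duration": "Duration"}},
}

def import_cdr(text, mapping):
    """Convert one provider's file into the unified record layout."""
    src, records = mapping["fields"], []
    for row in csv.DictReader(io.StringIO(text), delimiter=mapping["delimiter"]):
        records.append({
            "caller": row[src["caller"]].strip(),
            "callee": row[src["callee"]].strip(),
            "start": datetime.strptime(row[src["start"]].strip(), mapping["date_format"]),
            "duration": int(row[src["duration"]]),
        })
    return records

def direct_links(records):
    """Number of calls per unordered pair of numbers (the graph's edges)."""
    links = defaultdict(int)
    for r in records:
        links[tuple(sorted((r["caller"], r["callee"])))] += 1
    return dict(links)

def indirect_links(links):
    """Pairs that never called each other but share a contact (two hops on the graph)."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b); adj[b].add(a)
    found = {}
    for mid, peers in adj.items():
        for a, b in combinations(sorted(peers), 2):
            if (a, b) not in links:
                found.setdefault((a, b), set()).add(mid)
    return found
```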

Cloud Data

The built-in Cloud Extractor acquires data from the most popular cloud services, including WhatsApp, iCloud, Google, Microsoft, Mi Cloud, Huawei, Samsung, E-Mail (IMAP) servers and more.

Various social media services are also supported, including but not limited to Facebook, Twitter and Instagram.

Investigators can use username and password combinations or tokens extracted from the mobile device or PC to gain access to cloud storage, even when two-factor authentication is enabled on selected services.

Contacts

The Contacts section displays contacts obtained from various sources: the standard phonebook, call logs, messages and application databases.

Contacts with the same fields are merged into one meta-contact.

Contacts data can be used at both the case level and the device level of the examination.

Data Reports

The platform enables the export of data from any section to many popular file formats, including PDF, XLSX, XML, HTML, JSON and Project VIC. A report can be created to include a single device, several devices, several sections or even selected records.

Reports are highly customizable to display only the data required, for any type of case.

Our XML reports can be integrated into many popular analytic software platforms using our built-in XML export specification documentation.

Export to Relativity software is also available.

Data Search

The platform has a powerful built-in interface for data search. Searching can be conducted on all devices, at the case level and at the device level.

Investigators can search data according to the information entered in the input field, by keyword lists, hashes, using regular expressions or choosing any other available method.

Search is launched as a separate process so investigators are free to work with the software during the search process.

The search process can also search within files to uncover data that has not been parsed, often finding valuable data within SQLite databases, log files and property lists.

Device Information

The device information section gives you the general information about the acquired device.

It shows various attributes, like the device specifics (e.g., make, model), SIM and network information, phone numbers and case details.

Investigators can also find summary information of all the device owner’s accounts.

Moreover, the Statistics tab shows the detailed statistics about extraction: Top 10 applications with the greatest number of communications, Top 10 groups, Top 10 contacts, Last contacted, Key Evidence with tags and notes.

Drone Data

The platform can perform physical extraction of drones and parse GPS locations showing valuable route data in our built-in Timeline section and the built-in Maps.

The software also allows the investigator to import drone log .dat files directly into Maps to visualize locations and track a drone route, as well as physically extract the internal memory on select DJI drones.

Data parsing from many drone applications, such as DJI Go and Flight It Pro for iOS and Android, is also available. Finally, the software can extract data from drone cloud services such as DJI cloud, SkyPixel and Parrot.

Encrypted Backups and Images Import

The platform enables decryption of iOS and Android backups and images.

The built-in Passware mobile kit module helps find passwords using the latest algorithms and technologies, including distributed processing and GPU acceleration on ATI and NVIDIA boards.

The available attacks include brute-force, dictionary, Xieve and others, and are highly optimized to deliver results in the shortest possible time.

Facial Recognition

The platform offers the ability for investigators to categorise human faces.

The facial recognition is available in the Faces section at no additional charge.

The unique features include detailed face analytics (gender, race, age), immediate categorization and matching and support for massive volumes of data.

Using the built-in facial recognition investigators will spend less time looking through thousands of photos or videos in mobile, cloud or drone extractions.

Files

The Files section grants access to user’s photos, videos, documents and device databases.

Built-in Text, Hex, Multimedia, SQLite and Plist viewers allow investigators to examine files and their metadata. Rich filtering and powerful search help to focus only on the required evidence.

The section can be built for several devices in the same case.

Geo Data

The platform collects geo data from various sources: photo and video EXIF headers, web connections information and applications databases.

Geo coordinates can be extracted both from mobile devices and cloud services.

The full list of geo points can be found on the Geo Timeline tab in the Timeline section.

Maps can also be opened from this section to view the coordinates overlaid on a rich map view.

Image Categorisation

Identify, analyse and categorize images into twelve categories: pornography, extremism, graphic violence, drugs, alcohol, weapons, gambling, child abuse, documents, currency, risqué, and identification documents.

IoT Device Support

The platform supports the two most popular digital assistants - Amazon Alexa and Google Home.

You can access the Amazon Alexa cloud using a username and password or a token. A token can be found on the device's associated computer with KeyScout and used in the Cloud Extractor.

The software acquires a complete evidence set from Amazon Alexa, including account and device details, contacts, messages, calendars, notifications, lists, activities, skills, etc. Google Home data can be extracted via Google username/password or a master token found in mobile devices.

Extracted Google Home data includes account and device details, voice commands, and information about users.

Key Evidence

The Key Evidence section displays records bookmarked in other sections by the investigator as important.

The function of the section is to put the entries identified as evidence relevant to a case in the same place, making data analysis easier.

Investigators can bookmark important evidence in one or several devices and export it later to one data report.

Keyword Search

The software allows creating and using keyword lists to quickly find relevant case facts in a single search function.

Investigators can enter keywords or import them from a .txt file before data extraction to receive the results once the extraction process has completed.

Live Data Extraction

The platform offers both logical and physical methods of device acquisition via a regular USB cable.

The program supports thousands of devices running Apple iOS and Android. Support for MTK, Qualcomm, Kirin and Spreadtrum chipsets is also available.

Additionally, you can extract and recover data from media and SIM cards via specialized readers.

Locations Visualisation

The built-in Maps module is available both in online and offline modes.

Maps allows investigators to quickly identify a user’s frequently visited places, visualize routes within a specified period and pinpoint common locations of several device users.

Messages

The Messages section gives investigators access to SMS, MMS, iMessage and e-mail messages (with their attachments) as well as application chats on the device.

The export button allows sending all or selected messages with attachments to data reports directly from this section.

Optical Character Recognition (OCR)

This is an often omitted feature which is vital to any forensic platform. The platform's OCR ensures that your key evidence is not missed.

Organiser

The Organiser section displays the detailed information about calendar events, notes and tasks.

The program can decrypt notes created and encrypted in Apple devices running iOS 9-12.

Data reports can also be customized and generated in any of the supported file formats directly from this section.

Plist Viewer

The built-in Plist Viewer offers advanced analysis of plist files: investigators can open both XML and binary plist files, view entries according to their type (string, data, number, etc.), convert values, open external files for analysis, and export .plist file data in XML format for further analysis by external tools.
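To show what such a viewer does underneath, here is an added example using Python's standard plistlib; it is not code from the page or from the product. It parses a constructed binary plist (keys and values invented for the example), lists every entry with its key path, type and a converted display value (hex for data, ISO 8601 for dates), and re-exports the whole file as XML for external tools.

```python
import plistlib
from datetime import datetime

# Constructed sample: a binary plist like an app preference file; the keys and
# values are invented for this example and are not from any real device.
SAMPLE_BPLIST = plistlib.dumps({
    "AppVersion": "4.2.1",
    "LastLogin": datetime(2021, 3, 1, 9, 30, 0),
    "PushEnabled": True,
    "LaunchCount": 17,
    "DeviceToken": b"\xde\xad\xbe\xef",
    "RecentHosts": ["example.test", "mail.example.test"],
}, fmt=plistlib.FMT_BINARY)

def load_plist(blob: bytes):
    """Parse plist bytes; plistlib detects XML vs binary from the header."""
    return plistlib.loads(blob)

def convert(value):
    """Render raw values the way a viewer would: hex for data, ISO 8601 for dates."""
    if isinstance(value, bytes):
        return value.hex()
    if isinstance(value, datetime):
        return value.isoformat() + "Z"   # plist dates are stored in UTC
    return value

def viewer_rows(blob: bytes):
    """Flatten a plist into (key path, type name, converted value) rows."""
    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                yield from walk(child, f"{path}.{key}")
        elif isinstance(node, list):
            for i, child in enumerate(node):
                yield from walk(child, f"{path}[{i}]")
        else:
            yield path, type(node).__name__, convert(node)
    return list(walk(load_plist(blob), "$"))

def to_xml(blob: bytes) -> str:
    """Re-serialise any plist (binary or XML) as XML for analysis in external tools."""
    return plistlib.dumps(load_plist(blob), fmt=plistlib.FMT_XML).decode()
```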

Social Graph

The software provides several tools to explore social connections between the device owner and contacts or between several devices by analysing calls, messages and app communication activities.

Investigators can use either a Graph or Diagram to view and identify social links, find common contacts and analyse communication statistics.

Statistics

The Statistics section consists of several widgets, divided into two categories: data on the device and investigator interaction.

Data on the device is displayed in the first group of widgets and shows the data present within the extraction in charts or tables (Activity Chart, Activity Matrix, Last Contacted, Data Types, Top 10 Applications, Contacts, or Groups).

The second group of widgets, the investigator interaction widgets, displays the investigator's interactions with the evidence: assigning tags, marking data as Key Evidence, adding and editing notes, and running hash set searches.

SQLite Viewer

The built-in SQLite Viewer is a powerful tool for examining SQLite files and their contents.

With this tool, investigators can open any SQLite database, recover deleted records, convert values to a readable format, build visual SQL queries and save them for later use, run searches and, finally, export selected entries to customizable data reports.

Timeline

The Timeline section summarises all events in chronological order: calendar events, messages, calls, web cache, web connections, voicemails, photos and videos history, etc.

The section offers investigators a number of powerful filters and convenient data presentation modes that allow them to concentrate on the analysis of the pertinent data only.

User Data Collection on Computer

KeyScout offers the ability to seek and locate system files, tokens and passwords saved on a computer as well as extract user data from various desktop Web browsers, E-mail clients and Messengers.

The utility is available from the main menu in the platform, installs to removable media and collects credentials from PCs.

The collected credentials can then be imported into the Cloud Extractor for immediate use, and the extracted user data should be imported into the platform as a Desktop Backup.

KeyScout is compatible with Windows, macOS and Linux.

Webkit Data

The WebKit Data section shows a user's emails from webmail interfaces and the content of visited web pages.

You can gain access to email messages, web search history, locations and other data stored in WebKit databases throughout a device.

This section is an additional source of app user data for investigators and is often overlooked by commercial tools.

Wireless Connections

The Wireless Connections section presents the history of wireless connections in one list and shows where the Internet was used.

Information about every Wi-Fi hotspot is found in this section and includes the SSID, MAC address and the times of the first and last connections.

The program also displays the history of Bluetooth connections and the list of frequent locations extracted from iOS devices.

*The above material has been kindly provided by our product partner for this article.
