Test Results for Mobile Device Acquisition Tool: XRY/XACT


XRY/XACT v6.10.1
Test Results for Mobile Device Acquisition Tool
September 26, 2014

This report was prepared for the Department of Homeland Security Science and Technology Directorate Cyber Security Division by the Office of Law Enforcement Standards of the National Institute of Standards and Technology. For additional information about the Cyber Security Division and ongoing projects, please visit www.cyber.st.dhs.gov.


Contents

Introduction
How to Read This Report
1 Results Summary
2 Mobile Devices
3 Testing Environment
3.1 Execution Environment
3.2 Internal Memory Data Objects
3.3 UICC Data Objects
4 Test Results
4.1 Android Mobile Devices
4.2 iOS Mobile Devices
4.3 Feature Phones
4.4 Universal Integrated Circuit Cards (UICCs)

Introduction

The Computer Forensics Tool Testing (CFTT) program is a joint project of the Department of Homeland Security (DHS), the National Institute of Justice (NIJ), and the National Institute of Standards and Technology Law Enforcement Standards Office (OLES) and Information Technology Laboratory (ITL). CFTT is supported by other organizations, including the Federal Bureau of Investigation, the U.S. Department of Defense Cyber Crime Center, U.S. Internal Revenue Service Criminal Investigation Division Electronic Crimes Program, and the U.S. Department of Homeland Security’s Bureau of Immigration and Customs Enforcement, U.S. Customs and Border Protection and U.S. Secret Service. The objective of the CFTT program is to provide measurable assurance to practitioners, researchers, and other applicable users that the tools used in computer forensics investigations provide accurate results. Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications.

Test results provide the information necessary for developers to improve tools, users to make informed choices, and the legal community and others to understand the tools’ capabilities. The CFTT approach to testing computer forensics tools is based on well-recognized methodologies for conformance and quality testing. Interested parties in the computer forensics community can review and comment on the specifications and test methods posted on the CFTT Web site (http://www.cftt.nist.gov/).

This document reports the results from testing XRY/XACT v6.10.1 across supported Android and iOS devices and a feature phone. The images captured from the test runs are available at the CFREDS Web site (http://www.cfreds.nist.gov).

Test results from other tools can be found on the DHS S&T-sponsored digital forensics web page, http://www.cyberfetch.org/.

How to Read This Report

This report is divided into four sections. Section 1 identifies and provides a summary of any significant anomalies observed in the test runs. This section is sufficient for most readers to assess the suitability of the tool for the intended use. Section 2 identifies the mobile devices used for testing. Section 3 lists testing environment, the internal memory and Universal Integrated Circuit Cards (UICC) data objects used to populate the mobile devices and associated media. Section 4 provides an overview of the test case results reported by the tool. The full test data is available at http://www.cftt.nist.gov/mobile devices.htm.

Test Results for Mobile Device Acquisition Tool

Tool Tested: XRY/XACT
Software Version: v6.10.1
Supplier: Micro Systemation Inc
Address: 5300 Shawnee Road Suite 100, Alexandria VA 22312
Tel: (703) 750-0068
Fax: (888) 395-9027
WWW: http://www.msab.com

1 Results Summary

XRY/XACT is designed to perform a secure forensic extraction of data from a wide variety of mobile devices, such as smartphones, GPS navigation units, 3G modems, portable music players and the latest tablet processors.

The tool was tested for its ability to acquire active and deleted data from the internal memory of supported mobile devices and UICCs. Except for the following anomalies, the tool acquired all supported data objects completely and accurately for all mobile devices tested.

Presentation:
- Readability and completeness of Personal Information Management (PIM) data (i.e., graphic files associated with address book entries, non-Latin address book entries) were not reported. (Devices: Galaxy S3, Galaxy S4, Galaxy S5, Galaxy Note3, HTC One, Nexus4, Samsung Rugby 3)

Equipment / Subscriber related data:
- Subscriber related data (i.e., MSISDN) were not reported. (Devices: Galaxy S3, Galaxy S4, Galaxy S5, Galaxy Note3, HTC One, Nexus4)
- The MEID was not reported. (Device: iPad Air, iPad Mini)

Personal Information Management (PIM) data:
- Memo entries were not reported. (Devices: Galaxy S3, Galaxy S4, Galaxy S5, Galaxy Note3, HTC One, Nexus4)

EMS messages:
- Text messages containing more than 160 characters were not reported. (Device: Samsung Rugby 3)

MMS messages:
- Incoming and outgoing audio and picture messages were not reported. (Device: Samsung Galaxy Note3)

Non-Latin Character Presentation:
- Address book entries containing non-Latin characters were not reported in the generated report. (Devices: Galaxy S3, Galaxy S4, Galaxy S5, Galaxy Note3, HTC One, Nexus4, Samsung Rugby 3)

Physical Acquisition:
- Acquisitions of recoverable deleted data remnants (i.e., graphic, audio, video files) were not recovered. (Device: Galaxy S3, Galaxy S4)

For more test result details see section 4.

2 Mobile Devices

The following table lists the mobile devices used for testing

Table 1: Mobile Devices (column contents as far as they survive in this copy)

Devices: ...Pad; Apple iPad Mini; Apple iPad Mini; Samsung Galaxy S3; Samsung Galaxy S4; Samsung Galaxy S5; HTC One; HTC One; Samsung Galaxy Note 3; Nexus 4; Samsung Rugby 3
Model: 5; 5s; iPad 2 MD065LL/A; iPad Air ME999LL/A; iPad Mini ME030LL/A; iPad Mini MF075LL/A; SGH-1747; SGH-M919; SM-G900V; HTCC6525LVW; HTC One; SM-N900V; Nexus 4; SGH-A997
OS: iOS 6.1.4 (10B350); iOS 7.1 (11D167); iOS 6.1.3 (10B329); iOS 7.1 (11D167); iOS 6.1.3 (10B329); iOS; Android 4.2.2; Android 4.1.2; Android 4.3; Android .3250.20

3 Testing Environment

The tests were run in the NIST CFTT lab. This section describes the selected test execution environment, and the data objects populated onto the internal memory of mobile devices and UICCs.

3.1 Execution Environment

Micro Systemation XRY/XACT version 6.10.1 was installed on Windows 7 v6.1.7601.

3.2 Internal Memory Data Objects

Micro Systemation’s XRY/XACT was measured by analyzing acquired data from the internal memory of pre-populated mobile devices. Table 2 defines the data objects and elements used for populating mobile devices provided the mobile device supports the data element.

Data Objects: Data Elements

Address Book Entries: Regular Length; Maximum Length; Special Character; Blank Name; Regular Length, email; Regular Length, graphic; Regular Length, Address; Deleted Entry; Non-ASCII Entry
PIM Data (Datebook/Calendar, Memos): Regular Length; Maximum Length; Deleted Entry; Special Character; Blank Entry
Call Logs: Incoming; Outgoing; Missed; Incoming - Deleted; Outgoing - Deleted; Missed - Deleted
Text Messages: Incoming SMS - Read; Incoming SMS - Unread; Outgoing SMS; Incoming EMS - Read; Incoming EMS - Unread; Outgoing EMS; Incoming SMS - Deleted; Outgoing SMS - Deleted; Incoming EMS - Deleted; Outgoing EMS - Deleted; Non-ASCII SMS/EMS
MMS Messages: Incoming Audio; Incoming Graphic; Incoming Video; Outgoing Audio; Outgoing Graphic; Outgoing Video
Application Data: Device Specific App Data
Stand-alone data files: Audio; Graphic; Video; Audio - Deleted; Graphic - Deleted; Video - Deleted
Internet Data: Visited Sites; Bookmarks
Location Data: GPS Coordinates
Social Media Data: Facebook; Twitter; LinkedIn

Table 2: Internal Memory Data Objects

3.3 UICC Data Objects

The table below (Table 3) provides an overview of the data elements populated on Universal Integrated Circuit Cards (UICCs).

Data Objects: Data Elements

Abbreviated Dialing Numbers (ADN): Maximum Length; Special Character; Blank Name; Non-ASCII Entry; Regular Length - Deleted Number
Call Logs: Last Numbers Dialed (LND)
Text Messages: Incoming SMS - Read; Incoming SMS - Unread; Non-ASCII SMS; Incoming SMS - Deleted; Non-ASCII EMS; Incoming EMS - Deleted

Table 3: UICC Data Objects

4 Test Results

This section provides the test case results reported by the tool. Sections 4.1 – 4.3 identify the mobile device operating system type (e.g., Android, iOS) and the make and model of mobile devices used for testing Micro Systemation’s XRY/XACT v6.10.1. Section 4.4 covers Universal Integrated Circuit Cards (UICCs).

The Test Cases column (internal memory acquisition/UICC) in sections 4.1 - 4.4 is comprised of two sub-columns that define a particular test category and individual sub-categories that are verified when acquiring the internal memory for supported mobile devices and UICCs within each test case. Each individual sub-category row gives the results for each mobile device/UICC tested. The results are as follows:

As Expected: the mobile forensic application returned expected test results – the tool acquired and reported data from the mobile device/UICC successfully.

Partial: the mobile forensic application returned some of the data from the mobile device/UICC.

Not As Expected: the mobile forensic application failed to return expected test results – the tool did not acquire or report supported data from the mobile device/UICC successfully.

NA: Not Applicable – the mobile forensic application is unable to perform the test or the tool does not provide support for the acquisition for a particular data element.

4.1 Android Mobile Devices

The internal memory contents for Android devices were acquired and analyzed with Micro Systemation’s XRY/XACT v6.10.1.

All test cases pertaining to the acquisition of supported Android devices were successful with the exception of the following.

- Readability and completeness of PIM Data i.e. graphic files associated with contact entries are not reported in the html report for all Android devices.
- Readability and completeness of PIM Data i.e. non-Latin contact entries (i.e., Chinese) were not reported in their native format in the pdf report for all Android devices.
- Subscriber related data (i.e., MSISDN) were not reported for all Android devices.
- Memo entries were not reported for all Android devices.
- Bookmarks for visited Internet URLs were not reported for the Samsung Galaxy Note 3.
- Incoming and outgoing audio and picture (MMS) messages were not reported for the Samsung Galaxy Note 3.
- Deleted data remnants for graphic, audio and video files were not recovered when performing a physical acquisition for the Samsung Galaxy S3, Galaxy S4.

See Table 4 below for more details.

Table 4: Android Mobile Devices (Test Cases – Internal Memory Acquisition; Mobile Device Platform: Android; devices: Galaxy S3 GSM, Galaxy S4 GSM, Galaxy S5 CDMA, Galaxy Note 3 CDMA, HTC One GSM, HTC One CDMA, Nexus 4 GSM)

4.2 iOS Mobile Devices

The internal memory contents for iOS devices were acquired and analyzed with Micro Systemation’s XRY/XACT v6.10.1.

All test cases pertaining to the acquisition of supported iOS devices were successful with the exception of the following.

- MEID was not reported for the iPad Air (CDMA) and the iPad Mini (CDMA).

See Table 5 below for more details.

Table 5: iOS Mobile Devices (Test Cases – Internal Memory Acquisition; devices: iPhone5 GSM, iPhone5S CDMA, iPad GSM, iPad Air CDMA, iPad Mini GSM, iPad Mini CDMA)

4.3 Feature Phones

The internal memory contents for the feature phone were acquired and analyzed with Micro Systemation’s XRY/XACT v6.10.1.

All test cases pertaining to the acquisition of the Samsung Rugby III were successful with the exception of the following.

- Non-Latin contact entries (i.e., Chinese) were not reported.
- EMS messages (messages over 160 characters) were not reported.

See Table 6 below for more details.

Table 6: Feature Phones (Test Cases – Internal Memory Acquisition; Mobile Device Platforms: Feature Devices; device: Samsung Rugby 3 GSM)

4.4 Universal Integrated Circuit Cards (UICCs)

The internal memory contents for Universal Integrated Circuit Cards (UICCs) were acquired and analyzed with Micro Systemation’s XRY/XACT v6.10.1.

All test cases pertaining to the acquisition of UICCs were successful.

See Table 7 below for more details.

Test Cases – UICC Acquisition (Universal Integrated Circuit Card)

Connectivity
- Non Disrupted: As Expected
- Disrupted: As Expected

Equipment/User Data
- Service Provider Name (SPN): As Expected
- ICCID: As Expected
- IMSI: As Expected
- MSISDN: As Expected

PIM Data
- Abbreviated Dialing Numbers (ADNs): As Expected
- Last Numbers Dialed (LNDs): As Expected
- SMS Messages: As Expected
- EMS Messages: As Expected

Location Related Data
- LOCI: As Expected
- GPRSLOCI: As Expected

Acquisition
- Acquire All: As Expected
- Selected All: As Expected
- Select Individual: As Expected

Case File Data Protection
- Modify Case Data: As Expected

Password Protected SIM Acquire
- Acquisition of Protected SIM: As Expected

PIN/PUK Attempts
- PIN attempts reported: As Expected
- PUK attempts reported: As Expected

Non-ASCII Character
- Non-ASCII characters: As Expected

Hashing
- Hashes reported for acquired data objects: As Expected

Table 7: Universal Integrated Circuit Cards

Samsung Galaxy S3, SGH-1747, Android 4.1.2, 1747UCDMG2, GSM
Samsung Galaxy S4, SGH-M919, Android 4.2.2, M919UVUAMDL, GSM
Samsung Galaxy S5, SM-G900V, Android 4.2.2, G900V.05, CDMA
HTC One, HTCC6525LV W, Android 4.2.2, 0.89.20.0222, GSM
HTC One, HTC One, Android 4.1.2, 4A.17.3250.20_10.40.1150.0 4L, CDMA
Samsung Galaxy Note 3
