API ForensicsTM is proud to announce the release of Exponent MobileMessagingTM, the next product in a series of offerings belonging to the ExponentTM library of DFIR add-on X-Tensions for X-Ways Forensics (XWF).
Exponent MobileMessagingTM is designed to import SMS, MMS and iMessages, including available Instagram Direct Messages (for iOS devices) directly into X-Ways Forensics from Android and iOS devices that have been acquired by select 3rd party mobile forensic software tools. In addition, standalone iTunes Backups are also supported for message extraction. See the product FAQ page for details about supported products.
Select mobile device forensic tools are widely popular with forensic practitioners who need to investigate smartphone devices. Exponent MobileMessagingTM leverages the pre-processing they perform by reading, decoding and importing data made available through or by the tools. Plans are in development to support other vendor tools in the near future.
When it comes to text messages, a single text message is really not all that different from an email in that it comprises of (a) a message, and (b) one or more potential attachments. As a result, MobileMessagingTM takes a unique and clever approach by importing messages into X-Ways Forensics as common .EML format. This makes it possible to embed any attachments such as sent pictures or videos.
During the message importation process, messages and their metadata are store in .EML format so that X-Ways Forensics can process them further using Refine Volume Snapshot.
By taking this approach, it makes it possible to combine conventional email and text messages for a much simpler, consolidated and faster analysis of communication based evidence. Messages are also arranged within XWF’s Case Data pane in an intuitive, hiearachical format making it easy for examiners to appreciate where each text message originated, as demonstrated below.
Exponent MobileMessagingTM provides updated support for emoji graphics encoded within text messages. Applications that don’t stay current on Unicode updates will fall short of acurately displaying emojis in text messages. Some emoji encoding solutions omit to consider Unicode codepoint modifiers for enhanced emojis (e.g., varying skin tone emojies) when decoding UTF-8 data.
With Exponent MobileMessagingTM, you will typically see this 👨🏼🔧 instead of this 👱🔧.
To ensure proper interpretation and rendering of emoji graphics in text messages, Exponent MobileMessagingTM goes beyond this limitation by providing full support for the most current extended Unicode Technical Standard Version 15.1, which was made available on 2023-09-05. Exponent MobileMessagingTM implements an exclusive encrypted decoding feature that provides support for full colour emojis. This capability makes it possible accurately render emojis in text messages when using the Preview feature in X-Ways Forensics (see below).
Messages that are imported into XWF by Exponent MobileMessagingTM are formatted as email messages. This again, allows X-Ways Forensics to process messages and extract metadata and embedded attachments, using Refine Volumen Snapshot. The cool thing about this approach is that photos or videos, sent or received in a text message, will automatically be extracted and added to the case file as a child object, just like any other email message.
Notably, the Subject (or Name column in XWF) will populate with the actual text message (or a shortened version of it), making it very easy for examiners to review conversations within XWF. Using Exponent MobileMessagingTM, X-Ways Forensics can now provide support for emoji graphics that are unicode encoded within text messages. With every message that is collected that contains emojis, a Rich_View.html file attachment is created to provide best accounts of what the original message looked like. Here is an example of a Rich_View.html file as displayed within XWF:
IMPORTANT: Exponent MobileMessagingTM identifies and preserves vital metadata during the importation process ensuring that continuity of evidence is adhered to throughout the investigative process. This not only includes the message original location on the source device, but includes available embedded or decoded timestamps for each message (e.g., LastModified).
Get started today and realize the full potential of Exponent MobileMessagingTM in your X-Ways Forensics investigations. Simply fill out the download request form and we’ll send you an ExponentTM 30-day trial license by email.
If you do not currently have a valid license for X-Ways Forensics, click here to get more information.