TEST RESULTS: UFED, XRY and SIMcon

Test material: SIM card
Tested software: UFED 3.6, XRY 6.5, SIMcon v1.2
Expected result: proper extraction of SMS messages
Date of the test: 02.04.2013

Note: The phone numbers on the left side of the extractions below are either omitted, edited in the form of dots (e.g. +90...), or covered, where applicable. The details discussed in the text were highlighted in red in the original report.

XRY EXTRACTION (TOTAL 26 MESSAGES):

No | Numara ve İsim | Tarih | Mesaj | Durumu
(No | Number and Name | Date | Message | Status)

1 | AVEA | 15.08.2012 16:19:04 UTC+04:30 | Avea'da Cepten Internet Sadece 5TL!Internette heryone doyasiya gezin diye 250MBlik internet paketi aylik sadece 5TL!Kayit icin EVET yazin 1333'e gonderin
2 | +90 | 15.08.2012 18:29:29 UTC+04:30 | Nasılsın yiyenim
3 | 90. | 15.08.2012 18:38:20 UTC+04:30 | sa napion.d
4 | 90.. | 15.08.2012 18:38:20 UTC+04:30 | sa napion.d
5 | +90 Mete | 15.08.2012 19:10:25 UTC+04:30 | kanka dün aksam gidiyom yolda bi yaşlı kadın gordum kanka elınde iki poset vardı yardım edeyim mi tayze dedim sonra o hırsız sandı olmaz dedi ondan sonra gidiyoduk gel dedi et dedi tasıyorum kanka cok agır hızlı hızlı gidiyom araya bi dondum bi baktım baş kanka bi korktum
6 | AVEA | 15.08.2012 19:24:34 UTC+04:30 | Tebrikler! Kampanyamizdan faydalanmaktasiniz. Gostermis oldugunuz ilgi icin tesekkur ederiz.
7 | 09333 | 15.08.2012 19:24:35 UTC+04:30 | Indirimli 250MB internet paketini kullanmaya baslayabilirsiniz. Paketiniz her ay otomatik yenilenecektir. Paket asim ucreti 0,05kr olarak ucretlendirilmektedir
8 | 09333 | 15.08.2012 19:28:16 UTC+04:30 | Degerli musterimiz,liralariniz kisa surede bitecektir.avea Bayileri,ATMler,kredi kartiyla Avea Musteri Hizmetleri veya online islemlerden yukleme yapabilirsiniz
9 | 905. | 15.08.2012 20:52:01 UTC+04:30 | napion.d
10 | 90. | 15.08.2012 21:33:05 UTC+04:30 | kum tasiym derkn is mi degistirtrdin
11 | 90. | 15.08.2012 21:34:27 UTC+04:30 | hmm nie.d Dencerem var davam var gas mpa aliyim avam varr :) deyip
12 | 90 | 15.08.2012 22:54:27 UTC+04:30 | geziyor amcam evin i inde xd
13 | 90.. | 15.08.2012 23:42:04 UTC+04:30 | kac kamyon?
14 | 90 | 15.08.2012 23:42:47 UTC+04:30 | oha
15 | 90.. | 16.08.2012 00:35:50 UTC+04:30 | oha
16 | 90 | 16.08.2012 00:38:49 UTC+04:30 | tek basina misin?
17 | 90 | 16.08.2012 01:16:23 UTC+04:30 | kolay gelsin ne diym.s
18 | 90 | 16.08.2012 07:18:04 UTC+04:30 | Selin ben mal.
19 | 90. | 16.08.2012 11:22:17 UTC+04:30 | Nrdsn la
20 | 90. | 16.08.2012 12:41:19 UTC+04:30 | Nerdesin len
21 | 90.. | 16.08.2012 12:43:02 UTC+04:30 | Tamam kalk kutuphaneye gidelim hadi
22 | 90 | 16.08.2012 12:44:27 UTC+04:30 | Msj attigm da szin ewin asasina gel
23 | 90 | 16.08.2012 12:58:35 UTC+04:30 | Ewin asasina in geldm
24 | 90.. | 16.08.2012 13:23:07 UTC+04:30 | napion.d
25 | 90 | 16.08.2012 13:29:56 UTC+04:30 | oturuyom.d isten cikmamismiydin sen?
26 | 90 | 16.08.2012 13:41:52 UTC+04:30 | gasteye girdim derken.s

See the 5th message, which is detected differently by UFED and SIMcon: as 4 separate messages and as 5 separate messages, respectively.
THE UFED EXTRACTION (TOTAL 29 MESSAGES):

The 5th, 6th, 7th and 8th messages in this extraction are actually pieces of the single message shown above (the 5th message of the XRY extraction), but they are reported as separate messages in the UFED extraction, which is moreover still missing one piece.
THE SIMcon EXTRACTION (TOTAL 30 MESSAGES):

The 5th message of the XRY extraction is reported here as separate messages in the 5th, 6th, 7th, 8th and 12th places. The message is broken into pieces just as UFED did; however, at least all pieces of the message are present here, whereas UFED missed one of the pieces.
The details about one of the pieces of that SMS in the SIMcon extraction: SIMcon provides the information that this text is the 3rd part of the 5-piece SMS, so the other pieces can be tracked down and put together.

THE EVALUATION

As a result, the number of messages extracted from the same card was found to be completely different:

SOFTWARE             XRY           UFED          SIMCON
NUMBER OF MESSAGES   26 messages   29 messages   30 messages

Not only the contents of the messages but also their time stamps and status were compared:

a) The 5th, 6th, 7th and 8th messages in the UFED extraction are actually pieces of one single message. The whole message text is shown in the 5th place of the XRY extraction. SIMcon also shows the same message as separate messages, in the 5th, 6th, 7th, 8th and 12th places of its extraction.

b) The contents of the XRY and SIMcon reports match each other, not in terms of the number of messages but in terms of message texts: when the 5 pieces of the message in the SIMcon extraction are combined into one single message, the total number of extracted SMS matches. However, UFED is still missing 1 piece, the one that begins "ki poset vardı...". That missing part is correctly shown in the 5th place of the SIMcon report.

c) To make sense of these separate messages, one has to bring all the pieces together and read them in the correct order; otherwise the pieces of text will not make sense. This will be a big problem where there are hundreds of messages.
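As an added illustration (not part of this report, and not code from any of the tested tools), the Python below shows how an examiner can stitch concatenated SMS parts back together from per-part metadata of the kind SIMcon exposes (which part of how many), report which parts are missing instead of silently joining whatever was found, and normalise every part's time stamp to UTC so that parts of one message stamped in different time zones stand out. The record layout, the reference number, the row numbers, the sample time stamps and the split points of the five-piece message are all constructed assumptions.

```python
"""Reassemble concatenated (multi-part) SMS records and normalise their
timestamps to UTC so that extractions from different tools can be compared.
Added example: the record layout and every sample row are constructed; the
part boundaries in the sample message are assumed, not taken from any tool."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re
from typing import Optional


@dataclass
class SmsRecord:
    """One row of a tool's SMS report, in a hypothetical normalised layout."""
    index: int                   # row number in the tool's report
    sender: str
    timestamp: str               # as printed, e.g. "15.08.2012 19:10:25 UTC+04:30"
    text: str
    status: str                  # "READ" or "UNREAD"
    ref: Optional[int] = None    # concatenation reference shared by all parts
    part: Optional[int] = None   # 1-based sequence number of this part
    total: Optional[int] = None  # number of parts in the whole message


@dataclass
class Reassembled:
    """A multi-part message stitched back together, with bookkeeping for gaps."""
    sender: str
    text: str
    parts_found: list
    parts_missing: list
    source_rows: list            # report row numbers the parts came from
    timestamps_utc: list

    @property
    def complete(self) -> bool:
        return not self.parts_missing

    def timestamp_spread(self) -> timedelta:
        """Parts of one message should be stamped within seconds of each other;
        a large spread usually means the tool applied different time zones."""
        return max(self.timestamps_utc) - min(self.timestamps_utc)


STAMP_RE = re.compile(
    r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\s*(?:UTC|GMT)\s*([+-])(\d{2}):(\d{2})$")


def to_utc(stamp: str) -> datetime:
    """Parse 'DD.MM.YYYY HH:MM:SS UTC+HH:MM' or '... GMT +HH:MM' into a UTC datetime."""
    m = STAMP_RE.match(stamp.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {stamp!r}")
    local = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
    sign = 1 if m.group(2) == "+" else -1
    offset = sign * timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def reassemble(records):
    """Group multi-part rows by (sender, ref), order them by part number and join
    the text. Returns (messages, singles); missing parts are reported, never guessed."""
    groups, singles = {}, []
    for r in records:
        if r.ref is None:
            singles.append(r)
        else:
            groups.setdefault((r.sender, r.ref), []).append(r)
    messages = []
    for (sender, _ref), parts in groups.items():
        parts.sort(key=lambda p: p.part)
        total = max(p.total for p in parts)
        found = [p.part for p in parts]
        messages.append(Reassembled(
            sender=sender,
            text="".join(p.text for p in parts),
            parts_found=found,
            parts_missing=[n for n in range(1, total + 1) if n not in found],
            source_rows=[p.index for p in parts],
            timestamps_utc=[to_utc(p.timestamp) for p in parts]))
    return messages, singles


# Constructed sample: the five-part message from the test, split at assumed points.
FULL_TEXT = ("kanka dün aksam gidiyom yolda bi yaşlı kadın gordum kanka elınde iki poset "
             "vardı yardım edeyim mi tayze dedim sonra o hırsız sandı olmaz dedi ondan sonra "
             "gidiyoduk gel dedi et dedi tasıyorum kanka cok agır hızlı hızlı gidiyom araya bi "
             "dondum bi baktım baş kanka bi korktum")
PIECES = [
    "kanka dün aksam gidiyom yolda bi yaşlı kadın gordum kanka elınde i",
    "ki poset vardı yardım edeyim mi tayze dedim sonra o hırsız sandı olmaz dedi ",
    "ondan sonra gidiyoduk gel dedi et dedi tasıyorum kanka cok agır ",
    "hızlı hızlı gidiyom araya bi dondum bi baktım baş kanka ",
    "bi korktum",
]


def sample_rows(missing_part=None, odd_zone_part=None):
    """Build constructed report rows for the five parts (assumed ref 7, sender 'Mete').
    missing_part drops one part, as one tool did; odd_zone_part stamps one part in a
    different zone, as two tools did, so both defects can be exercised."""
    rows = []
    for n, piece in enumerate(PIECES, start=1):
        if n == missing_part:
            continue
        zone = "UTC+04:30" if n == odd_zone_part else "GMT +03:00"
        rows.append(SmsRecord(index=4 + n, sender="Mete", status="UNREAD",
                              timestamp=f"15.08.2012 19:10:25 {zone}",
                              text=piece, ref=7, part=n, total=5))
    return rows


if __name__ == "__main__":
    for label, rows in (("all parts", sample_rows()),
                        ("one part lost", sample_rows(missing_part=2, odd_zone_part=4))):
        (msg,), _ = reassemble(rows)
        print(f"{label}: complete={msg.complete} missing={msg.parts_missing} "
              f"spread={msg.timestamp_spread()} rows={msg.source_rows}")
```

The point of reporting `parts_missing` rather than just the joined text is the failure mode described above: a reader of the joined string alone cannot tell that a piece was never extracted, while a listed gap tells the examiner exactly which sequence number to look for in the other tool's report. The spread check converts each part to UTC first, so a tool that labels one part with a different zone is caught even when the printed wall-clock times look identical.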
d) The time stamps of the extracted messages were also compared, and the results were found to be contradictory. UFED and SIMcon gave the same time stamps for the messages in the 5th, 6th and 7th places (GMT +03:00), while XRY extracted the time stamp of the same message as UTC+04:30. For the message in line 8, UFED extracted the same time stamp as XRY. Since the pieces of one single message are expected to carry time stamps in the same time zone, the XRY results were found to be more consistent.

e) UFED reports its 5th, 6th and 7th messages, and SIMcon its 5th, 6th, 7th, 8th and 12th messages, as UNREAD, whereas XRY shows them as READ, which is the complete opposite.

RESULT

The fact that UFED breaks SMS messages into pieces is a big problem in mobile phone forensic examination. When the messages are broken into pieces, one may not be able to work out which pieces belong together and how many pieces make up one single message. And unless all the pieces have been found and read in the correct order, the text cannot be understood, which can obviously cause an examiner to miss important evidence.

The status of the messages in the UFED extraction, such as READ and UNREAD, should not be regarded as 100% correct. An SMS which was actually sent on date XX.XXX.XXX may incorrectly be reported as having been sent on another date in the UFED extraction.

No single product, even one built for forensic purposes, should ever be regarded as 100% correct.

Yunus BALI
IT Forensics Examiner