New Extraction Feature – Samsung Galaxy S22 Qualcomm Series.

We are excited to release the latest extraction feature of MD-NEXT.

This is the market’s first extraction support for the Samsung Galaxy S22 Qualcomm series.
The feature is supported in MD-NEXT v1.91.4.

 

Newly supported models:

– Galaxy S22 5G (SM-S901N, SM-S901U, SM-S901U1, SM-S901W, SM-S9010, SM-S901E, SM-S901E_DS)
– Galaxy S22+ 5G (SM-S906N, SM-S906U, SM-S906U1, SM-S906W, SM-S9060, SM-S906E, SM-S906E_DS)
– Galaxy S22 Ultra 5G (SM-S908N, SM-S908U, SM-S908U1, SM-S908W, SM-S9080, SM-S908E, SM-S908E_DS)

 

 

 

If you want to have a datasheet of MD-NEXT, please send us your inquiry!

Empower Your On-Site Investigation with MD-LIVE

When you access an evidence phone at a crime scene, you often face limited time and the complicated steps of using a mobile forensic tool.
MD-LIVE has armed itself with various useful features to save investigation time and meet these needs for smartphone forensics.
Go check the features and find out how you can empower your investigation with MD-LIVE.

Check our YouTube channel and catch up with our latest product videos!

 

Analyze and Review the Data of ‘MeWe’ and ‘Threema’

We’ve been keeping up with research on globally rising social media apps, and today we’ll introduce MeWe and Threema. MD-RED supports data analysis of MeWe Android from MD-RED v3.7.29 and Threema Android from MD-RED v3.7.31. Follow the article below to find out the major features and how MD-RED displays the analysis results.

 

1. MeWe 

 

  • What’s MeWe?

MeWe is an uplifting social network service app with awesome social features people love, along with no ads, no targeting, and no newsfeed manipulation. It has a timeline, groups, pages you can join, friends you can make, a built-in messaging tool, and a profile page for users to customize.

 

  • Major features of MeWe and Analysis results of MD-RED

 

 

2. Threema

 

  • What’s Threema?

 

Threema is a paid open-source end-to-end encrypted instant messaging application for iOS and Android. The software is based on privacy-by-design principles, as it does not require a phone number or any other personally identifiable information. Data is stored in an encrypted DB, and additional security options can be enabled in the settings. Users can send text messages, make voice and video calls, and send multimedia, locations, voice messages, and files.

 

  • Major features of Threema and Analysis results of MD-RED

 

If you want to read the full article, please download the PDF file.

Analyze and Review the Data of ‘Zepeto’ and ‘Clubhouse’ using MD-RED

Today, Zepeto and Clubhouse are rising apps whose user bases are growing fast, and they are recognized as a new generation of social media. MD-RED supports data analysis of Zepeto (Android) from v3.7.26, Zepeto (iOS) from v3.7.31, and Clubhouse (iOS) from v3.7.20. Through this article, you can learn the basic features of Zepeto and Clubhouse and how MD-RED analyzes and displays the data.

 

  • What’s Zepeto

The Zepeto app is a metaverse (virtual platform) of a creative studio developed by Naver Z Corporation. The friends in Zepeto can share a common room and have fun activities by creating 3D avatars with displayed items available in this environment. The pictures and videos taken in the various maps in Zepeto world can be shared through the feed.

– Account information

Account information is displayed in ‘Account’ and you can find out the user’s name, Inner ID, and creation date and time.

– Chat data: Message

Click the speech bubble on the screen to display the chat list. Both 1:1 and group chats are supported and are analyzed as follows. Chat data such as chat room name, chat room ID, group chat status, chat room creation date, participants, and chat room creator are analyzed.

In chat rooms, users can send text, images, and video files. MD-RED analyzes and displays those contents as message type, creation date, content, attachment, sender, message ID, chat room.

 

  • What’s Clubhouse

Clubhouse is a social audio (voice networking) app developed by Alpha Exploration. It’s designed for real-time audio/voice communication in chat rooms. MD-RED supports Clubhouse (iOS) analysis from v3.7.20; the supported targets are the account, contacts, and notification messages. The text-based chat room feature ‘Backchannel’ will be supported by MD-RED soon.

– Account Information

MD-RED analyzes the account name, ID, Inner ID, and profile image.

– Contacts

The information of the chat room participants in the list is displayed in the contact analysis result.

– Alarm message

An alarm message is analyzed and displayed in the message analysis result. This allows us to infer the user’s activity.

 

If you want to read the whole article, download the PDF.

The Smart feature to find Numbers from Car Plate using MD-VIDEO AI

Numberplate Enhancement Forensics

Number Plate Analysis is a feature backed by a model trained on low-quality images of digits (0 to 9); it predicts the digit when a low-quality image is supplied. The existing enhancement features in MD-VIDEO can also help you identify numbers in low-quality images by applying enhancement options such as Super Resolution and Motion Deblurring.

However, this smart feature lets you get the data without any complicated steps. It’s much easier and time-saving, and you’ll get the most reliable results!

 

 

How to Analyze Blurred License Plates

 

On the frame, drag over the area you want to crop on the canvas, then right-click in the [Number Plate] area. Click [Add new bounding box] to specify the area for each number, then click Analyze.

You can also check why MD-VIDEO produced the result via [Show Detail], which shows the probabilities of each number as analyzed by the number plate analysis model.

 

Review the Image Enhancement results

 

You can check the analyzed result in ‘Image Enhancement Results’, which shows Image, Probability, and Attribute.

  1. Image is the number plate file you select to analyze.
  2. Probability shows each number’s numerical probability determined by the number plate analysis model.
  3. Attribute shows the name, source file path, location, resolution of the improved image, and history; the user can also add a comment.

 

To read the full article, please download the PDF.

Approach to the Hidden Data in ‘Samsung Secure Folder’ with MD-NEXT  

Why must forensic investigators keep an eye on the Samsung Secure Folder? As the name ‘Secure Folder’ suggests, Samsung Secure Folder is separated from the normal storage space and encrypted based on Samsung’s security technology ‘Knox’. A PIN, pattern, password or biometric verification is required to access the secure folder. The data in the secure folder is not accessible from outside and is not visible even when the device is connected to a PC. This means personal or confidential data can be stored in Samsung Secure Folder, and it can be the core data for your forensic investigation. Today we introduce how MD-NEXT can help you approach Samsung Secure Folder with different methods depending on the model. MD-NEXT will support Android version 11 soon, and you’ll get more meaningful data!

* The ‘Knox’ space manages its entire space dynamically, much as many apps manage data in their DB. When data is deleted from Knox, it is returned to the unallocated area of the basic storage space; therefore, ‘Logical Extraction’ is carried out in file units.

 

MD-NEXT Extraction methods by Models

  • Galaxy A5/S7/S8/S9/Note8/Note9 Series (Exynos & Qualcomm)

If the Android security patch level is before August 2019, you can obtain the secure folder using the ADB Pro T4 method. The USERDATA partition is acquired as a physical image, and additionally, the files stored in the secure folder are decrypted and acquired as a separate logical image.

 

  • Galaxy A6/A7/S9/J6/Note9 Series (Exynos)

If the Android OS version is 10, you can obtain the secure folder using the Bootloader Pro method. Like the ADB Pro T4 method, the USERDATA partition is acquired as a physical image, and additionally, the files stored in the secure folder are decrypted and acquired as a separate logical image.

 

  • Galaxy A30/A40/A50/S10/Note10 Series + Galaxy Tab A 10.1 Series (Exynos)

For Samsung Galaxy S10 and Note 10 series devices and some A series devices, you can obtain the secure folder by using the Full Filesystem (Bootloader Pro2) method (supports Android 9, 10 and 11). When acquiring the active files of the USERDATA partition, the files stored in the secure folder are decrypted and acquired as a single logical image.

 

How to Review Data?

The data in the secure folder is acquired as a separate logical image from the physical image of the USERDATA partition. The file naming scheme for logical images was changed in MD-NEXT version 1.89.5 (released Jul. 15, 2020), so the file name may differ depending on the version. The file name and extension of the acquired images can be checked in the acquisition report.

Download PDF_MD-NEXT – Samsung Secure Folder

‘MD-LIVE’ New features to Save your Onsite Investigation Time


When you access an evidence phone at a crime scene, you often face limited time and the complicated steps of using a mobile forensic tool. Searching for the apps to watch and pinpointing keywords in piles of text messages are becoming crucial for first responders. MD-LIVE has armed itself with two useful features to save investigation time and meet these needs for smartphone forensics.

 

  1. ‘Keyword’

Keywords that are frequently searched in cases such as drug, sexual assault, and murder cases can be grouped and registered by category. Users can select a category that matches the case, which saves much time on repetitive keyword searching and prevents important search terms from being missed. Moreover, users can continuously update the keyword list and share it with their colleagues using the Import/Export feature.

– How to register keywords?

Click the ‘Keyword’ icon in the upper right corner of MD-LIVE. Enter the keyword group name in ‘Name’ and list the search terms to be included in the ‘keyword’, separated by ‘;’, and click the ‘Add keyword’ button.

– How to search with keywords?

Select the target you want to search from the list of registered keywords and click the ‘Search by selected keyword’. Then MD-LIVE performs a multi-search on the targets registered in the keyword group.

 

  2. ‘Watch List’

If there are apps that must be scanned every time, or you need to quickly scan a specific list of apps according to your institution’s needs, ‘Watch List’ is a feature to consider first. It lets you easily determine in advance whether a specific app is installed on the device. By selecting the forensic targets all at once, it saves you a lot of time otherwise spent searching for multiple apps each time and selecting them as targets. Once app scanning is completed, you can quickly determine whether an in-depth forensic investigation is needed on a specific target.

– How to use the Watch List feature?

Connect the device and operate Watch List feature on the [Select Data] step. Target apps can be added by right-clicking on the desired app and the list of apps can be managed by ‘Manage Watch List’ at the top right of MD-LIVE. Select ‘Manage Watch List’ and add the package name of the app you want to specify.

An eye-shaped badge will be displayed next to the app, and you can easily review all the listed apps through the ‘Watch List’ filter and select them as an extraction target at once.

 

 

New Product Introduction – Portable MD-RED’s Viewer program ‘MD-Explorer’

We are excited to introduce MD-RED’s Viewer program ‘MD-Explorer’.
It’s a separately executable, portable viewer solution that helps your team share analyzed results with colleagues.
Go check out the video and if you have any inquiry, feel free to contact us!
sales@gmdsoft.com
https://youtu.be/fIH_0-Kkx3c?si=aOhulaa07OG5YCbi

How to acquire cloud data with MD-CLOUD


‘175 Zettabytes’: this is the amount of data IDC estimates will be generated annually by 2025, and within that, cloud traffic is expected to grow and reach ‘18.9 Zettabytes’ by 2021.

This tremendous amount of cloud data is generated and fueled in the course of building driver assistance and autonomous vehicle technologies, IoT devices including sensors in our bodies, homes, factories, and cities, creating high-resolution content for 360 video and augmented reality and 5G communications globally.

As many digital forensic investigators face the so-called ‘digital transformation’, finding evidence data in various cloud services is a highly demanding and important mission. Cloud forensics is no longer optional but essential, since many law enforcement professionals work on cases involving devices with deleted data, which requires further investigation of the backup data. In addition, a rapidly growing number of smartphones, IoT devices, automobiles and other smart devices store their data only in cloud services.

 

This article introduces GMDSOFT’s cloud forensic solution with a step-by-step guide to data extraction and data viewing using MD-CLOUD. Various cloud and email services are supported, and data stored in social networking services such as Twitter, Facebook, and Tumblr can be extracted by MD-CLOUD.

MD-CLOUD Overview

 

Product Highlights

– Supports extraction from global cloud services such as Google and iCloud
– Supports extraction of Cloud-based IoT device data
– Supports extraction from cloud services based in East Asia, such as Baidu and Naver Cloud
– Authenticates via ID and password, two-factor authentication, Captcha, and token credential information found locally on smartphone images, such as iOS Keychain
– Includes automated web scraping tool for recursively capturing public webpages
– Provides automatic evidence-tagging feature for intuitive searching
– Natively integrates with MD-RED

 

Key Features

Supports a wide variety of cloud services

Google, iCloud, Samsung Cloud, Naver Cloud, Evernote, One Drive, Baidu

Supports email extraction

POP3 and IMAP, as well as specific support for Gmail and Naver Mail

Supports extraction from social media services

Current support for Twitter and Tumblr, with Facebook support under active development

Specializes in East Asian cloud services

Baidu Cloud in China

Naver Cloud in South Korea

Acquisition of cloud-based IoT device data

IoT data extraction from AI Speakers and Smart Home equipment

Supports authentication via both public and unofficial APIs

Supports various authentication methods

ID and Password

Captcha image tests

Two-Factor Authentication messages

Credential data pulled from smartphone dump images (such as iOS Keychain)

Provides automated web capture feature

Automated web-crawler capable of recursively extracting from a target web page

Real-time extraction progress monitoring

Displays the progress of ongoing extraction jobs in real time, from zero to one hundred percent

User-friendly interface

Features a simple, intuitive, and effective user experience that warrants little training

Native MD-RED integration

Imports credential information found in suspect smartphone images that have been analyzed in MD-RED

Intuitive ‘Evidence Tagging’ based search feature

Automatically tags and categorizes data as it’s extracted from the cloud so that it can be quickly searched, grouped, and organized.

Built-In data preview

Supports previewing any selected image, video, document, web page, email, and many more

Supports filtering by date range and file type

Allows users to limit the results of their analysis only to the time period and file types relevant to their case

Hash based data integrity assurance

Guarantees the integrity of the evidence data through powerful hash algorithms such as MD5 and SHA256

Report generation

Provides simple-yet-powerful report generation tool that supports both PDF and Excel formats

Here is a simple but useful guide to MD-CLOUD for investigators who would like to maximize their digital forensic skills and be prepared for the cloud data tsunami.

1. Data extraction using ‘Credential information’

1-1 Create New Case

MD-CLOUD can access cloud services in several ways; specific services may ask the user to complete an additional verification process such as a Captcha entry or two-factor authentication. To start a new cloud data acquisition, select ‘New Case’ and set the case name and its path. This time we’ll try accessing using credential information.

 

1-2 Select service and proceed with the data extraction

Various services such as Cloud, Email, SNS, and IoT devices are supported by MD-CLOUD, and they are displayed and categorized by type.

In this sample case we will try extracting data from Google. Select the Google icon on the left side of the screen; with the checkboxes, the user can perform selective data extraction. The date range and extraction type can be set before starting the extraction process, and the result data will then be collected according to the extraction filter conditions. Furthermore, even after the extraction is completed, additional data sources can be added to the existing case without having to create a new case.

2. Data View: Contact/Event/Note/Email/SNS/Web Capture/Timeline Feed/Search View

2-1 Extraction Summary Dashboard

Once you start the extraction, a Summary View will appear and display the progress of ongoing extractions and some other miscellaneous information.

  1. Timeline Chart: Displays the amount of data that has been extracted so far relative to the dates associated with the extracted files (created/modified/uploaded time).
  2. Tag Statistics: MD-CLOUD automatically categorizes extracted files using tags that are generated through file metadata. The statistics of the tags are displayed here.
  3. List of Site: Summarizes the progress of extraction from data sources. It can be completely stopped by clicking on the stop icon.

 

2-2 Contact View

Displays contact information such as Contact Name, Nick Name, Contact Numbers, Email Address, Address, Profile, Birthdays, etc.

 

 

2-3 Event View

Event data such as Birthdays, Shopping, Meeting, Driving, Celebrations, Conference, Seminar, and other events.

 

 

2-4 Note View

Displays notes collected from Cloud services such as iCloud Notes, Evernotes, etc.

 

 

2-5 Email View

Email View allows users to group and sort based on Date, Subject, From, Credential, etc. Email items can be searched by using the inline search box.

 

 

2-6 SNS View

Posts, multimedia, files and other information extracted from Social Network Services such as Twitter, Facebook, etc. are displayed here.

 

 

2-7 Web Capture View

Contents that have been extracted through data crawling on the provided links and their sublinks will be displayed in the Web (Web Capture) View. Multimedia, Posts and other public contents can be extracted from some sites like Facebook, Instagram, LinkedIn or any other webpages. It displays the below information.

  • Link information: A list of extracted main links and their sub-links are displayed here.
  • Content View: Displays the content of the selected link.
  • Preview: Displays the overall look of the webpage.

 

2-8 Timeline Feed View

Displays the data from every category and arranges them by the Date(Default), Subject, Content, Type or Credential.

 

 

2-9 Search View

When you search for keys from anywhere in the application, those search keys are kept in the Search View. Double-click a search key to see a list of its search results.

 

3. Generate Report: Case Info/Options/Layout

After the data extraction, the user can generate a PDF report of that particular case, which will display all the information on the extracted files and thumbnails of multimedia data. Below we have attached a screenshot of the extraction report for Google Home.

The call for MD-CLOUD will gradually increase, as it has great practical value and importance as a complementary data acquisition tool that can investigate mobile data backups and new data stored only in cloud storage. Our effort to add various data extraction sources and advance the MD-CLOUD product will continue.

If you are interested in cloud forensics and want to learn more about MD-CLOUD, please check the product specification from the link below and reach our team via sales@gmdsoft.com

GMDSOFT Product Brochure – MD-CLOUD

GMDSOFT Video Recovery Solution ‘MD-VIDEO’


With the rapidly growing need to secure a safe environment, ‘digital surveillance systems’ are everywhere. A significant number of new surveillance systems are installed each year, and the importance of acquiring data from these digital devices is being emphasized worldwide.

A recent article states that the number of surveillance videos recovered jumped 66% between 2017 and 2018. This shows that video data is becoming more and more critical. Therefore, a solution that acquires this data in compliance with digital forensic regulations is of great benefit to law enforcement.

To investigate digital video data at this scale, supporting various media formats is one of the top-priority features for a video forensic solution. MD-VIDEO supports video taken from global manufacturers’ IP-CCTV, car dashboard cameras, smartphones, desktops, cameras, camcorders, drones and wearable devices. Moreover, the filesystems of various DVR manufacturers such as HikVision, Dahua, Zhiling, Samsung, Bosch, Honeywell, Sony, and Panasonic are supported.

We are excited to introduce our video recovery solution ‘MD-VIDEO’. Check the acquisition and recovery sequences below for a car dashboard camera. If you are looking for an easy-to-use tool to dramatically improve digital video investigation, MD-VIDEO is a proven choice!

1. Data Acquisition Sequence Method – Disk Image Recovery

Step 1 Recovery Method Selection

You can select the recovery target from three options: Storage, Image and Damaged file. We will select the ‘Image’ option to recover video data from an acquired disk image.

 
Step 2 Importing Image file

You’ll get to the Directory exploring screen. If you click ‘Open’ button, the target image file will be shown based on the extension type such as mdf, bin and E01.

Once the image file is selected, a name, size and file system for the image file will be identified in the attribute tab.

 

 

Step 3 Recovery Option Selection

MD-VIDEO will show you the file signatures and codecs identified from the filesystem. If a file or codec is not recognized, it will be labelled ‘Unknown’. In this sequence we will select the ‘Skip Recovery’ option.

 

 

Step 4 Filesystem / Media Exploring

 

You can access the directory of disk images through ‘Filesystem’ and check the file status via ‘File viewer’.

The Audio and Video speed can be controlled and Viewer size can be adjusted.

In ‘Analysis Results’ section, you can see recognized video files by format. You can select all of the sorted video files or individually.

In the media viewer section, there are several tabs that help the user review file specifications: “Attribute”, “Data”, “Leave Comments” and “Custom”. The “Attribute” tab shows file information, and the file’s hex values appear on the “Data” tab. The user can also leave a comment to log a description for the file. On top of that, a custom codec can be imported on the “Custom” tab.

 

 
Step 5 Export File and Report

There is also an export function, which offers two ways of exporting. One is ‘Export File’, which exports the file from the filesystem to a location set by the user. It also provides a converting function, as you can see in the figure. The other is ‘Export Report’, which creates a report in PDF or XLSX format to guarantee integrity as evidence. You can also decide how to design the report. We chose the default way to export the report.

The result is shown in the figure. First, MD-VIDEO creates the cover page of the report. Second, there is the table of contents of the report. Last, it shows the videos analyzed in MD-VIDEO. Each video has hash values to guarantee its integrity.

 

 

2. Data Acquisition Sequence Method – Damaged Video File

Step 1 Recovery Method Selection

To recover video data from a damaged file, select the third option, ‘Damaged File’.

 

 
Step 2 Importing damaged file

With those buttons, you can add the files or folders to recover video from. We added a damaged file named ‘2017_09_04_07h_27m_42s_F_event_Broken.avi’.

 

 
Step 3 Recovery Option Selection

Once you add a file, MD-VIDEO automatically scans it and shows the results: the file signature and codec in the file. Because the file is damaged, no file signature or codec was identified from this file. To demonstrate the ‘frame recovery function’, we will skip recovery in this step.

 

 

 
Step 4 Recovery with frames

The damaged video will be recovered by MD-VIDEO’s frame recovery function. To recover by frame, select the files that need recovery and click the “Recovery” button on the left side. After the option screen pops up, you can select the ‘Frame Recovery’ menu. To get a precise recovery result, you have to know the specific codec of the video file. In this case, the codec was identified as ‘H.264’ based on the codec of other active video files.

After you select the codec, MD-VIDEO starts the frame recovery process.

 

 

Step 5  Recovered Frames

After ‘frame recovery’, the list of recovered frames will appear in ‘Analysis Results’. Based on the extracted frames shown above, MD-VIDEO can recreate the video.

 

 

Step 6 Export File and Report

MD-NEXT has an export function for both source/result files and reports. With the export function, you can convert recovered frames to video formats. You can also export each recovered frame as a photo file, and export to sound formats as well.

For report generation, the generated reports contain the case and evidence information. For strong integrity, MD-NEXT calculates a hash value for each of the extracted frames, and the hash values are also included in the report.
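
A general sketch of signature-based frame carving for the H.264 case in Step 4, added here as an example; it is not MD-VIDEO's implementation. It assumes the damaged file stores H.264 as an Annex B byte stream (NAL units separated by `00 00 01` start codes); the sample buffer and all function names are constructed for illustration.

```python
"""Carve H.264 frames from a damaged file that has no usable container header."""
import re
from dataclasses import dataclass

START_CODE = re.compile(rb"\x00\x00\x01")   # Annex B start code (a 4-byte form adds a leading 00)
SPS, PPS, IDR, NON_IDR = 7, 8, 5, 1
KNOWN_TYPES = {NON_IDR, IDR, 6, SPS, PPS, 9}  # slices, SEI, parameter sets, AUD

@dataclass
class Nal:
    offset: int    # position of the NAL header byte
    size: int      # header + payload, trailing zero padding removed
    nal_type: int

@dataclass
class Frame:
    offset: int
    kind: str        # "IDR" (key frame) or "P" (any non-IDR picture)
    slices: int
    decodable: bool  # True once SPS + PPS + an IDR picture have been seen

def scan_nals(buf: bytes) -> list[Nal]:
    """Find plausible NAL units without relying on any container index."""
    hits = list(START_CODE.finditer(buf))
    nals = []
    for i, hit in enumerate(hits):
        start = hit.end()
        if start >= len(buf):
            break
        header = buf[start]
        nal_type = header & 0x1F
        # forbidden_zero_bit must be 0; unknown types are treated as noise.
        if header & 0x80 or nal_type not in KNOWN_TYPES:
            continue
        end = hits[i + 1].start() if i + 1 < len(hits) else len(buf)
        while end > start + 1 and buf[end - 1] == 0:  # padding / next start code's 00
            end -= 1
        nals.append(Nal(start, end - start, nal_type))
    return nals

def recover_frames(buf: bytes) -> list[Frame]:
    """Group slice NAL units into pictures and flag which ones can be decoded."""
    have_sps = have_pps = synced = False
    frames: list[Frame] = []
    for nal in scan_nals(buf):
        if nal.nal_type == SPS:
            have_sps = True
        elif nal.nal_type == PPS:
            have_pps = True
        elif nal.nal_type in (IDR, NON_IDR):
            if nal.nal_type == IDR and have_sps and have_pps:
                synced = True
            # first_mb_in_slice is ue(v); a leading 1 bit encodes 0 = new picture.
            new_picture = nal.size > 1 and bool(buf[nal.offset + 1] & 0x80)
            if new_picture or not frames:
                kind = "IDR" if nal.nal_type == IDR else "P"
                frames.append(Frame(nal.offset, kind, 1, synced))
            else:
                frames[-1].slices += 1
    return frames

def make_nal(nal_type: int, payload: bytes, ref_idc: int = 3) -> bytes:
    """Build one constructed NAL unit with a 4-byte start code."""
    return b"\x00\x00\x00\x01" + bytes([(ref_idc << 5) | nal_type]) + payload

# Constructed sample: wiped header, an orphan P slice, then SPS/PPS/IDR and a P slice.
SAMPLE = (
    b"\xde\xad\xbe\xef" * 4
    + make_nal(NON_IDR, b"\x9a\x11\x22\x80")
    + make_nal(SPS, b"\x42\x00\x1e\xab\x40")
    + make_nal(PPS, b"\xce\x3c\x80")
    + make_nal(IDR, b"\x88\x84\x21\xa0")
    + make_nal(IDR, b"\x05\x10\x33\x80")      # second slice of the same picture
    + make_nal(NON_IDR, b"\x9a\x24\x6c\x40")
)

if __name__ == "__main__":
    for frame in recover_frames(SAMPLE):
        print(frame)
```

The orphan slice at the start of the sample is found but flagged as not decodable, which is why knowing the codec and locating parameter sets matters before frames can be turned back into pictures.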