MSAB XRY Office
Strengths: Passcode bypass and extraction, and app support.
Weaknesses: Number of devices supported and installation difficulties.
Verdict: A viable additional mobile device forensic tool, especially good for difficult extractions.
XRY Office is a mobile device analysis tool, unusual in that it is very strong at recovering forensic data from locked devices without having to know the unlock code. While this is not 100 percent true for all devices, it is true for many of the most troublesome ones. The tool comes nicely packaged in a mobile case with everything you need to extract and analyse over 5,000 different devices.
However, we had a lot of trouble deploying this software. The software is intended to reside on a PC, and the one we used was our standard forensics PC with dual i7 processors, 64GB RAM and terabytes of storage. We had to run the installer three times before it stopped hitting some sort of problem, reversing the installation and removing itself from the computer. There were no useful error messages and we were left with simply trying again.
Once the product is installed, you attach a device that looks like a hockey puck with ports. The tool can image up to three phones simultaneously on a single license, making it a pretty efficient extraction tool.
XRY Office comes complete with a set of pigtails for attaching just about any mobile device you can imagine. We extracted and analysed a Samsung S5 that had given us trouble in the past, so it made a good test case. The tool is very good at decoding apps and, in fact, claims to have the most complete app decoding in the industry. NIST agreed when it tested the product as part of its forensic tool-testing programme.
This is not an inexpensive solution. It is in the ballpark, however, with other world-class tools. That said, it only supports 5,000-plus devices while we are used to seeing supported device numbers exceed 7,000. Even so, it does support the typical knockoff Chinese chip sets, a critical issue in cell phone forensics today. It may be argued that it does support the most common devices and its unique ability to unlock many of them without device user cooperation is a big plus. The price includes the first-year license fee, but after that the annual renewal is £2,010.
The website is complete with a forum for users, a place to register the license, a FAQ and downloads. We would like to have seen the user manuals available on the website, however. Support is included and consists of eight-hours-a-day/five-days-a-week phone and email. There are no different assistance levels since full support comes with the license and subsequent renewals.
Overall, this is a strong tool. However, we were disappointed with the installation difficulties and the number of supported devices seems a bit low to us. When we asked the company what is supported we received a spreadsheet that listed 5,621 models. Additionally, the vendor provided us with a listing that was a bit ambiguous showing different types of extraction (a single model could support multiple extraction types, so showing them separately is a bit confusing) and including apps, passcode and bypass, and untested devices all as separate items totaling over 15,000. Realistically, we will stick with the 5,621.
This is one of those tools that has definite benefits, largely in the passcode bypass and extensive app support. It fits very nicely as an additional tool in one's mobile device arsenal. That arsenal should include multiple tools because the state of mobile devices changes constantly and not all tools support all devices - or even the same devices - at any given time. XRY, for example, updates four times a year.