August 5, 2024
Blog

RabbitHole: A user’s perspective

RabbitHole is increasingly a fixture in the DF analyst’s toolkit - but what do they actually think of it and just how do they use it? We’ve asked Richard Walker, our Mobile Device Laboratory’s Operations Manager and highly experienced DF practitioner, to give us his thoughts.

Richard writes:

RabbitHole is a file investigation and exploration tool used for digging into source files on smart devices of any format. RabbitHole is used on pretty much every single case involving a mobile device to enable better forensic process and more efficient analysis activities. This applies in particular to our manual verification and to cases requiring investigation, but ultimately to all cases where commercial forensic tools have reached the edge of their capability.

Verification: RabbitHole is primarily used as the go-to for manual verification of smart devices, Android and iOS. Currently, even with a physical or full file system extraction of a device, commercial forensic tools do not (nor do they claim to) support decoding of all application data. It’s therefore important that practitioners check how the tool has performed in recovering and presenting data on any given exhibit. It is also important to minimize manual interaction with any exhibit, in order to reduce the potential of accidental changes to evidence occurring.

Analysts at CCL would export a full file system extraction to its files and folders, opening up our ability to access the source files that store user data (e.g. databases, plists, JSON, XML). Once isolated, the source file can be opened in RabbitHole, no matter what the format, and we can interrogate the evidence stored within. This is used to verify the quantity of live records and the accuracy of decoded data against the forensic tool. If issues are found and are relevant to the case, we would seek alternative means of reporting the unrecovered evidence in human-readable format.

Investigation: RabbitHole further picks up where commercial forensic tool limitations are reached, in terms of decoding/parsing data extracted from mobile devices. This might be investigating facets of information from an application or identifying evidence within obscure applications used in criminality. With RabbitHole, our Analysts will dig down and recover unprocessed or hidden data that is present but, due to a lack of processing support, not displayed to Analysts. You can drill down into embedded data within data to again identify evidence which would otherwise go undetected.

With RabbitHole being that all-in-one investigation and exploration tool, it saves Analysts' time.

Furthermore, RabbitHole has helpful built-in functions such as timestamp detection and decoding, encryption detection and image visualisation. Without the use of tools such as RabbitHole, data and potentially case- (life-) changing evidence could be missed because of:

  • having to identify the file type in a hex viewer
  • finding what software supports displaying/opening the file
  • trying to download the software but realising that's not permitted by your IT restrictions!
  • eventually downloading the software and opening the file
  • learning how to use the new software

RabbitHole is the all-in-one solution. Just drop the file in and go from there. This saved significant effort and cost in validation of the tool and when it came to adding to CCL’s ISO17025 Schedule of Accreditation. With only one tool used for these multiple purposes, our testing and extension to scope required just the one application.
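The verification step Richard describes (count the live records in the source file, then check the tool's decoded values against them), as an added Python example that is not CCL's or RabbitHole's code: it opens a constructed SQLite chat table, reads each stored integer as Unix seconds, Unix milliseconds, Apple Cocoa seconds or WebKit microseconds, and flags rows that a constructed tool report omitted or decoded with the wrong epoch. The table layout, the set of encodings and the plausible date window are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Plausible window for decoded timestamps (assumption: evidence dated 2001..2038).
_LO = datetime(2001, 1, 1, tzinfo=timezone.utc)
_HI = datetime(2038, 1, 19, tzinfo=timezone.utc)
_UNIX = datetime(1970, 1, 1, tzinfo=timezone.utc)
_COCOA = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple "Mac absolute time" epoch
_WEBKIT = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/WebKit epoch
# (name, epoch, units per second) for encodings commonly met in app databases.
_ENCODINGS = [("unix_seconds", _UNIX, 1), ("unix_millis", _UNIX, 1_000),
              ("cocoa_seconds", _COCOA, 1), ("webkit_micros", _WEBKIT, 1_000_000)]

def decode_timestamp(raw):
    """Every (encoding, UTC datetime) reading of raw that lands in the plausible window."""
    readings = []
    for name, epoch, per_sec in _ENCODINGS:
        try:
            dt = epoch + timedelta(seconds=raw / per_sec)
        except OverflowError:  # value far too large for this encoding
            continue
        if _LO <= dt <= _HI:
            readings.append((name, dt))
    return readings

def build_sample_db():
    """Constructed sample: one chat table whose rows mix timestamp encodings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT, ts INTEGER)")
    conn.executemany("INSERT INTO messages (body, ts) VALUES (?, ?)", [
        ("hello", 1_700_000_000),             # Unix seconds   2023-11-14 22:13:20Z
        ("reply", 1_700_000_000_000),         # Unix millis    same instant
        ("later", 740_000_000),               # Cocoa seconds  2024-06-13 19:33:20Z
        ("chrome", 13_349_000_000_000_000)])  # WebKit micros  2024-01-06 07:33:20Z
    return conn

def verify_against_tool(conn, table, tool_rows):
    """Compare a tool report {id: 'YYYY-MM-DDTHH:MM:SSZ'} with the live rows in the source."""
    if not table.isidentifier():  # table name is interpolated, so restrict it to a bare identifier
        raise ValueError("unexpected table name")
    source = dict(conn.execute(f"SELECT id, ts FROM {table}"))
    result = {"live": len(source), "reported": len(tool_rows), "missing": [], "mismatch": []}
    for rid, raw in source.items():
        if rid not in tool_rows:  # live record the tool never presented
            result["missing"].append(rid)
        elif tool_rows[rid] not in {dt.strftime("%Y-%m-%dT%H:%M:%SZ") for _, dt in decode_timestamp(raw)}:
            result["mismatch"].append(rid)  # tool's value matches no plausible reading of the stored integer
    return result

# Constructed tool output: row 4 never decoded, row 3 decoded as if it were a Unix value.
TOOL_REPORT = {1: "2023-11-14T22:13:20Z", 2: "2023-11-14T22:13:20Z", 3: "1993-06-13T19:33:20Z"}
```

Running `verify_against_tool(build_sample_db(), "messages", TOOL_REPORT)` reports four live rows against three decoded, with row 4 missing and row 3 mismatched, which is exactly the kind of discrepancy that then needs reporting by other means.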

To start your free trial of RabbitHole, click here.
