Cellebrite - USALearning


Transcript of Cellebrite - USALearning

Cellebrite

Table of Contents

Mobile Forensics – Tools – .............................................................................................................. 2

Mobile Forensics Programs and Toolkits -1 .................................................................................... 3

Mobile Forensics Programs and Toolkits -2 .................................................................................... 4

Mobile Forensics – Cellebrite UFED -1 ............................................................................................ 7

Mobile Forensics – Cellebrite UFED -2 ............................................................................................ 9

Mobile Forensics – Cellebrite UFED -3 .......................................................................................... 13

Mobile Forensics – Cellebrite UFED -4 .......................................................................................... 14

Mobile Forensics – Cellebrite UFED -5 .......................................................................................... 15

Notices .......................................................................................................................................... 17

Page 1 of 17

Mobile Forensics – Tools –

89


**089 Shawn Fleury: So, in this section, we're going to take a look at some of the forensic tools that are available on the marketplace. This is not every forensic tool; this is just a good subsection of the tools. I'll also mention one tool that I don't have a slide for, but I'll throw that in a little bit.


Mobile Forensics Programs and Toolkits -1

90


Mobile forensics tools tend to consist of both a hardware and software component.

The hardware-based tools may support a number of different cables and perform the same role as a write blocker in typical computer forensic devices.

**090 So, forensic-- mobile forensic programs and tools. These tools tend to consist of both a hardware and a software component. So it's a mix of hardware solution with a software solution also. The hardware based tools may support a number of different cables and perform the same role as a write blocker in typical computer forensics. This is a picture of the Cellebrite UFED. And this is a subset of the cables that come with the UFED. That is not all the cables that come with the UFED. There are quite a few cables. Most of the cables are used on older phones. Most modern cell phones are either mini USB or micro USB, other than the iPhone, which uses its own proprietary cable. Cellebrite has the most cables of any unit I've seen. Some units only come with 10 cables. I've seen units that don't come with any cables. And if that's the case, then the investigator has to purchase their own cables, or use cables from another kit, if they'll work.

Mobile Forensics Programs and Toolkits -2

91


No single forensic tool or program will detect, acquire, process and analyze all mobile devices

Multiple tools may be required to completely extract and analyze a mobile device

Some of the commonly used mobile device forensic tools are:

• Cellebrite UFED Ultimate
• Logicube CellDEK
• Micro Systemation XRY/XACT
• Paraben Device Seizure
• Oxygen Forensic Suite
• MOBILedit! Forensic
• Logicube CellXtract
• Radio Tactics Aceso
• Fernico ZRT2
• Envisage Systems PhoneBase2

**091 No single forensic tool or program will detect, acquire, process and analyze all mobile devices. Cellebrite might get these six thousand models. XRY might get these five thousand models. With some of the phones, between the two of them overlapping-- they both get iPhone; they both get most of the Androids-- but maybe Cellebrite gets 500 phones-- or, in this case, 1000 phones, 1500 phones, that XRY doesn't get. And XRY gets 500 phones that Cellebrite doesn't get. There's a toolbox concept with mobile forensics. You might have to use a different tool to get the information you need from the mobile device. Might not just work. Yes, sir?

Student: As far as legacy mobile phones are concerned, how far back do these tools support?

Shawn Fleury: It really depends. Most of them will be from the 2000s. Like the iPhone 1, the original iPhone, isn't supported by Cellebrite. That doesn't mean it's not supported by another forensic tool. The cell phone forensic capability is still fairly young. They really didn't start coming out until the 2000s, and a lot of the tools didn't come out until the later half of the 2000s. So those are the-- more than likely most of the phones are going to be 2005 on, 2006 on.

Student: All right.

Shawn Fleury: So here's just some common forensic tools: Cellebrite UFED, Micro Systemation XRY, Oxygen, Logicube. Now, Fernico is an interesting one. We do not have a slide of the Fernico ZRT; however, I mentioned that sometimes manual processing is required. So, Cellebrite doesn't support it; XRY doesn't support it. Or you get a phone and the data jack is busted, so you can't hook up the USB cable to it, so you can't use one of the other tools. So you have to do manual processing where you take pictures of the screen, go through each message individually taking pictures of each. Well, Fernico ZRT is a tool that assists with the manual recording process. It comes with a camera and a mountable arm that you could mount to a table so you can position the camera exactly over the phone, and all the pictures you take are imported into its software and hashed. So it turns the manual process and it at least gives it some forensically sound practices. Because at least I can say, "This is the picture I took, and I can tell it's the same picture because the picture was hashed, and the hash value hasn't changed." So if you have to do some sort of manual recording, the Fernico ZRT is a very nice tool to use for the manual recording. And guess what? It's the only tool that works on all phones. I can take a picture of any phone screen that I want to, so it's the fallback device. If Cellebrite doesn't work for some reason, if none of the other forensic tools I have-- the automated tools I have-- will work, the Fernico ZRT is a nice tool to have to assist with the manual recording process.
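The hashing step that makes the manual-recording workflow defensible, as an added example (not code from the course, from Fernico, or from any tool the lecture names): each captured image is hashed at acquisition time into a manifest, and a later verification pass reports any file that was modified, removed, or added. File names, the manifest layout, and the "photo" bytes are constructed assumptions; a real workflow would point `build_manifest` at the camera's output directory.

```python
"""Hash manifest for manually recorded evidence (screen photographs).

Added example, not code from the course or from any forensic vendor. It
demonstrates the practice the lecture describes: hash every captured image
at acquisition time and record the hashes, so a later change to any file
is detectable. File names and the manifest layout are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large photo sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(capture_dir: str, examiner: str, device_label: str) -> dict:
    """Hash every regular file in capture_dir (sorted, so the manifest is reproducible)."""
    entries = []
    for name in sorted(os.listdir(capture_dir)):
        path = os.path.join(capture_dir, name)
        if os.path.isfile(path):
            entries.append({"file": name, "size": os.path.getsize(path),
                            "sha256": sha256_file(path)})
    manifest = {
        "examiner": examiner,                       # assumed field names
        "device": device_label,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "files": entries,
    }
    # One hash over the entry list, so the whole set can be quoted as a single value
    # in the report or written into the case notes.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(entries, sort_keys=True).encode()).hexdigest()
    return manifest


def verify_manifest(capture_dir: str, manifest: dict) -> dict:
    """Re-hash the directory and classify each file as ok / modified / missing / unlisted."""
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    listed = set()
    for entry in manifest["files"]:
        listed.add(entry["file"])
        path = os.path.join(capture_dir, entry["file"])
        if not os.path.isfile(path):
            result["missing"].append(entry["file"])
        elif sha256_file(path) != entry["sha256"]:
            result["modified"].append(entry["file"])
        else:
            result["ok"].append(entry["file"])
    # Files that appeared after the manifest was made are also a finding.
    for name in os.listdir(capture_dir):
        if name not in listed and os.path.isfile(os.path.join(capture_dir, name)):
            result["unlisted"].append(name)
    return result


def demo() -> dict:
    """Constructed sample: three fake 'photos' in a temp dir; one is altered after hashing."""
    with tempfile.TemporaryDirectory() as d:
        for i in range(3):
            with open(os.path.join(d, f"IMG_{i:04d}.jpg"), "wb") as f:
                # constructed bytes, not a real JPEG
                f.write(b"\xff\xd8\xff\xe0" + bytes([i]) * 64)
        manifest = build_manifest(d, examiner="J. Doe",
                                  device_label="feature phone, data jack damaged")
        assert verify_manifest(d, manifest)["modified"] == []
        with open(os.path.join(d, "IMG_0001.jpg"), "ab") as f:
            f.write(b"x")                             # simulate a post-capture edit
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as good as its own integrity: store it (or at least `manifest_sha256`) somewhere the capture directory cannot be edited without notice, such as the case notes, so the chain from "this is the picture I took" to "the hash value hasn't changed" does not rest on a file sitting next to the photos.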


Mobile Forensics – Cellebrite UFED -1

92


Cellebrite UFED Ultimate features:
• Performs physical, logical, user password, file system extractions
• Data extraction of existing, hidden, and deleted data
• iOS physical extraction, decoding, and real-time decryption
• Android extraction and decoding
• BlackBerry decoding

www.cellebrite.com

**092 So, the Cellebrite UFED. Cellebrite's UFED Ultimate features physical extraction, logical extraction, user passwords for some devices, file system extraction. Data extraction can get existing, hidden and deleted; deleted of course is only with a physical extraction. So don't expect to get any deleted information if you're not using physical. iOS physical extraction, as long as it's not an iPad 2 or 3-- it's on iPad 3-- iPad 2 or the "new" iPad, or just the iPad, as they call it, or the iPhone 4S-- those three devices are not currently supported. Android extraction and decoding, BlackBerry decoding: They're the first company to have physical decoding of a BlackBerry device. Now, if the BlackBerry is encrypted, the investigator does require the encryption password before they can do a BlackBerry physical analysis. So if the suspect won't give up their password, there's nothing I can do on the BlackBerry. Now, if the BlackBerry was attached to a BES, the BES administrator can force a password change on the device, provide me with a new password, and using that password I may be able to decode it. The problem with that is fundamentally I am making a change to the phone. Even if it's just changing the password, the password's stored on the phone, I'm making a change to the phone, and it has to be connected to a network in order to get the password change. So I have to attach it to the network or via USB cable to a system that can talk with the BES. So I am making changes. Does that mean the evidence will be thrown out of court? No. But you better make sure, or the investigator better make sure, they're documenting all the steps they take.


Mobile Forensics – Cellebrite UFED -2

93


Cellebrite UFED Ultimate features:
• GPS device extraction and decoding
• Forensically sound environment
• Phone user lock code — depends on phone make / model / firmware
• Access to internal application data
• Phone internal data including: IMSI history, past SIM cards used, past user lock code history

www.cellebrite.com

**093 Other features: GPS device extraction and decoding on certain devices. So a phone like the iPhone, I can see recent GPS data from the device. Now, there's gotchas when we talk about GPS data. So one of the things Apple does is collect nearby cell tower data from all the phones. So if there's 500 iPhones in the area, Apple is maintaining a database of all the cell towers they're talking to. And when a phone first connects to a cell tower in the area, it's downloading a portion of that database to the phone so you can see, or you know, what towers are nearby you. It's supposed to assist with the handoff procedure between towers, because your phone knows where towers are located. Well, if I'm looking at that data within Cellebrite, the phone might have only ever been connected to one cell tower, but I could have 500 or 600 cell towers in that list of data, and I as the investigator need to know, "Oh, Apple was assisting the phone by dumping all these other cell towers to the phone." So the first time I ever looked at an iPhone's cell tower data, I was seeing cell towers that were up to 20 or 30 miles away, and I was going, "I know the phone was never even near that cell tower." And then doing some research, I talked with some other people in the class, and they had some articles on exactly what was going on. But a lot of times you get things like that. The same thing happens with Wi-Fi networks-- Wi-Fi networks in the area. I might see 300 Wi-Fi networks even though I've only ever been attached to one. It's just, again, Apple's way of assisting the device in knowing what is around them before the device actually needs it. Forensically sound environment: So, this device only allows the one-way transfer of data. Data goes from the phone to either with USB dongle, an SD card, or to a computer. It cannot go in reverse. So nothing is written to the device during-- no other files are written to the device, with one exception. Certain phones require a client to communicate with the UFED. A lot of Android devices require a client. In order to use the client on most phones, Cellebrite does have to install client software on the phone, and that should be part of the report. So, yes, a change was made to the phone. However, an investigation would not have been possible without the client being uploaded to the phone, and that was the only change made. Now, the way the iPhone gets-- yes, sir?

Student: Is there any technical way to prove that that was the only change made? You have a hash of the phone before you made any changes--

Shawn Fleury: But you can't make the hash until after you upload the client.

Student: Oh, I see.

Shawn Fleury: Yeah. To do any sort of communication with the phone requires that file.

Student: So there's never a way-- I mean, you make the claim and it's good faith, but you can't actually prove that that's the only thing.

Shawn Fleury: Right. If the defense attorney wanted to argue that point, at that point I as the investigator would call Cellebrite or whichever forensic tool I was using and have them come testify on that subject. Because they're the experts on it. They know exactly what the client's doing. I know, based on my research, that-- and their documentation-- that the only change that was made was the client being uploaded. But that's the extent of my knowledge.

Student: Do you as the user install the client, or does the system install the client? Is it an automated process?

Shawn Fleury: It's not an automated process.

Student: Okay.

Shawn Fleury: So the investigator has to give permission. And a lot of times, you have to do something on the device itself to allow for the installation process. So it uploads it, and the device says, "Do you really want to run this?" And you have to tell the device to run it. Yes. So, did that answer your question?

Student: Yes.

Shawn Fleury: Phone user lock code-- depends on the make, model and firmware of the version. So a good example of this is the iPhone. With the iPhone, as long as they're using a four-digit simple code, and it's an iPhone 4, 3GS or 3-- no, let's not even talk about the 3-- 3GS or the 4-- it will break that passcode. The 3, it doesn't even care about the password because it's not encrypted. So it can read everything straight from the physical memory anyway. So it just-- it depends on the phone. Some phones, yes. Some Android phones can, and some Android phones can't. Access to internal application data-- so apps that are actually loaded on the device itself. A good example of this is the keychain file on the iPhone. It can analyze the keychain, find out usernames and passwords that were stored in the keychain. And then phone internal data, stuff like IMSI history, past SIM cards used, past user lock codes, potentially. Again, totally dependent on the phone.

Mobile Forensics – Cellebrite UFED -3

94


Cellebrite UFED Ultimate: (screenshot of Physical Analyzer; image source http://viaforensics.com)

**094 Here's an image of Physical Analyzer. Physical Analyzer is the computer software used to analyze physical images. There's a different component called Report Manager that's used to analyze logical extractions. So they have two different software frontends depending on which type of software is being used.

Mobile Forensics – Cellebrite UFED -4

95


Cellebrite UFED Ultimate: (screenshot of a viaForensics validation report; image source http://viaforensics.com)

**095 This is an example-- oh, this is a report by viaForensics that shows where they did some tests. They loaded a certain number of files on the device. So they did validation-- right? I talked about validation a little bit earlier-- of quite a few forensic tools. And then they ranked each category. So in this case, Call Logs was ranked five, which was above average. They met the requirements for certain items. They missed the requirements for certain items. So there are-- the point of this slide is there are some companies out there that do some validation. So, the validation they've done is a good starting point for an internal validation program. And I think they have it for XRY also, and I think they have it for a couple of other-- they have it at least for five other tools also-- for three other tools also.
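What an internal validation run of the kind described above boils down to, as an added example (not the viaForensics test harness and not Cellebrite's code): seed a test device with known call logs, messages and contacts, extract with the tool under test, then score each category by how many seeded records came back, which ones came back with altered content, and how many records the tool produced that were never seeded (often previously deleted data, which is a finding to investigate rather than an error). The seeded set and the "tool output" below are constructed, and the record field names are assumptions; a real run would load the extracted records from the tool's report export.

```python
"""Scoring a mobile forensic tool's extraction against a seeded test device.

Added example, not the viaForensics test or any vendor's code. The seeded
records and the simulated tool output are constructed; field names are
assumptions. The point is the comparison logic: normalize identities so
formatting differences do not count as misses, then report coverage,
content mismatches, misses and unexpected extras per category.
"""
import re
from dataclasses import dataclass, field


def norm_number(s: str) -> str:
    """Keep digits only, then the last 10, so '(412) 555-0101' and '+1 412 555 0101' match."""
    digits = re.sub(r"\D", "", s)
    return digits[-10:] if len(digits) >= 10 else digits


def record_key(category: str, rec: dict) -> tuple:
    """Identity of a record for matching; the fields that must agree per category."""
    if category == "call_logs":
        return (norm_number(rec["number"]), rec["direction"], rec["time"])
    if category == "sms":
        return (norm_number(rec["number"]), rec["time"])
    if category == "contacts":
        return (rec["name"].strip().lower(), norm_number(rec["number"]))
    raise ValueError(f"unknown category {category}")


@dataclass
class CategoryScore:
    category: str
    seeded: int
    recovered: int
    content_mismatch: list = field(default_factory=list)   # (seeded_body, extracted_body)
    missed: list = field(default_factory=list)             # seeded records not found
    extra: int = 0                                         # extracted records never seeded

    @property
    def coverage(self) -> float:
        return self.recovered / self.seeded if self.seeded else 1.0


def score_category(category: str, seeded: list, extracted: list) -> CategoryScore:
    seeded_by_key = {record_key(category, r): r for r in seeded}
    extracted_by_key = {record_key(category, r): r for r in extracted}
    score = CategoryScore(category, len(seeded_by_key), 0)
    for key, s in seeded_by_key.items():
        e = extracted_by_key.get(key)
        if e is None:
            score.missed.append(s)
            continue
        score.recovered += 1
        # A record can be "found" yet wrong: compare payload fields where they exist.
        if category == "sms" and e.get("body") != s.get("body"):
            score.content_mismatch.append((s.get("body"), e.get("body")))
    score.extra = len(set(extracted_by_key) - set(seeded_by_key))
    return score


def validate(seeded: dict, extracted: dict) -> dict:
    """Score every seeded category; a category absent from the tool output scores zero."""
    return {c: score_category(c, seeded[c], extracted.get(c, [])) for c in seeded}


# Constructed seed set: what was loaded onto the test handset before extraction.
SEEDED = {
    "call_logs": [
        {"number": "(412) 555-0101", "direction": "out", "time": "2013-03-01T10:00:00"},
        {"number": "412-555-0102", "direction": "in", "time": "2013-03-01T10:05:00"},
        {"number": "412-555-0103", "direction": "missed", "time": "2013-03-01T10:10:00"},
    ],
    "sms": [
        {"number": "412-555-0101", "time": "2013-03-01T11:00:00", "body": "meet at noon"},
        {"number": "412-555-0104", "time": "2013-03-01T11:30:00", "body": "on my way, traffic on 376"},
    ],
    "contacts": [
        {"name": "Alice Example", "number": "412-555-0101"},
        {"name": "Bob Example", "number": "412-555-0104"},
    ],
}

# Constructed tool output: numbers reformatted, one missed call absent, one SMS body
# truncated, and one contact that was never seeded (e.g. recovered deleted data).
EXTRACTED = {
    "call_logs": [
        {"number": "+14125550101", "direction": "out", "time": "2013-03-01T10:00:00"},
        {"number": "+14125550102", "direction": "in", "time": "2013-03-01T10:05:00"},
    ],
    "sms": [
        {"number": "+14125550101", "time": "2013-03-01T11:00:00", "body": "meet at noon"},
        {"number": "+14125550104", "time": "2013-03-01T11:30:00", "body": "on my way, traffic on"},
    ],
    "contacts": [
        {"name": "alice example", "number": "+14125550101"},
        {"name": "Bob Example", "number": "+14125550104"},
        {"name": "Old Entry", "number": "412-555-0199"},
    ],
}

if __name__ == "__main__":
    for cat, s in validate(SEEDED, EXTRACTED).items():
        print(f"{cat:10s} coverage={s.coverage:.2f} recovered={s.recovered}/{s.seeded} "
              f"mismatch={len(s.content_mismatch)} extra={s.extra}")
```

The normalization step matters more than it looks: tools render the same number, timestamp or name in different forms, and a naive string comparison turns those into false misses, which then get blamed on the tool. Conversely, a truncated message body counts as recovered by identity but is flagged as a content mismatch, which is the kind of item the report on the slide marks as "requirement missed".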

Mobile Forensics – Cellebrite UFED -5

96


Cellebrite UFED Ultimate: (screenshot of Report Manager; image source http://viaforensics.com)

**096 This is an example of Report Manager. With Report Manager, we can see stuff like the examiner's name, if they manually enter the information. We can see stuff about the phone itself. What was the manufacturer of the phone? What type of phone was it? What software version was the phone running? What was the IMEI of the phone? When did the extraction start? When did the extraction end? What version of the UFED software was used? One key point here is for the Cellebrite unit, the extraction start time and the extraction end time is based on the time set on the UFED itself. So one of the first steps an investigator needs to do before doing an analysis is making sure that the time and date information is correct in the unit. There is an internal battery-- sort of like CMOS battery-- that's supposed to maintain that information, but I have seen that information be incorrect. Normally I'll base it off of my cell phone. The cell phone time and date is usually pretty accurate. But I want to make sure that it's as close to the correct time as possible, because this information may change how other dates are viewed in the report. So these dates are very important in an investigation.


Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark of Carnegie Mellon University.
