Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: An In-Depth Demo

Presenters:
Sonny Farinas – Sales
Lee Papathanasiou – Sales Engineer
UFED Series
Delivering mobile forensic solutions

Confidential: Not for distribution - © Cellebrite 2012
Introduction - Cellebrite
•2
 Established in 1999, Cellebrite is a world leader in mobile
forensics, backup and synchronization solutions
 A fully-owned subsidiary of Sun Corporation, a publicly traded
company on JASDAQ based in Nagoya, Japan
 Based in Israel with offices in the USA, Germany, Brazil,
Singapore
 More than 60 distributors Worldwide
 Over 250 employees (150+ dedicated to R&D)
 Forensic customers include highly respected national and local
divisions of governmental, military and intelligence agencies.
 Over 100,000 units deployed worldwide (UME and UFED)

Market Sectors
UFED solutions are being used world wide in the following
market sectors:‎
Police forces Military
Tax authorities
Customs Stock authorities
Anti-terror agencies
Police academies ‎
Forensic specialists
Border controls Special forces
Intelligence services
Enterprises

Why Cellebrite?
•4
 Technical Foundation
 Sales and Tech Support
 Strategic Partnership with key Market Leaders
 Customer Base
 Manufacturer and Carrier Relationship
 Creator of Market Trends
*Cellebrite is built to keep up with the future!

User Questionaire
•5
 Understand Market Needs
 Help with our road map and business strategy
 Contact users or anonymous
 Comment, questions or suggestion box
 How can we provide a better product
*Turn in the forms after the meeting

 Identify Best Practices for mobile forensics
 Become familiar with the type of data that can
be stored on mobile devices and what can be
extracted
 Understand the background of mobile forensics
along with the challenges in the process of
extracting and decoding the data.
 Discover Cellebrite Forensic Solutions
Goals

Best Practices
Mobile Forensics

Scenario
It is midnight on a Friday night, it is just beginning to
sprinkle with rain.
You are the first officer at the scene of a homicide
where the victim has been shot several times by one
shooter. Witnesses have pointed out a cell phone
that they saw the suspect using and threw away as
he left the scene.
It is clear that the device is still on.

Considerations
 Airplane mode?
 Shielding?
 Signal Jammer?
 Dangers of leaving it on and transporting the device
 Remove SIM card?

UFED Touch: Hardware Description
Exclusively designed for mobile forensics

UFED Products
 UFED Logical
 Data stored in the memory is acquired by using the file system or
the phone proprietary protocol (known communication
protocols: AT commands, Obex, etc.)
 Logical approach represents live system on the phone
 UFED Ultimate
 Bit-by-bit‎copy‎of‎the‎phone’s‎physical‎memory‎and‎file‎system
 Unallocated areas
 The main effort in physical extraction is to obtain
the extra data (such as deleted files)
 The data that actually exists on the phone.
11‎

UFED Comparison
 Portable – easy to carry
 10x Faster Extraction Speeds
 Device Features:
• 7”touch‎screen w/ Stylus
• Windows XP (Locked Down)
• Built in WiFi/Bluetooth & Ethernet port
• SIM card reader/writer slot
• SD card reader slot
• USB 2.0 Ports
• RJ-45 Ports
• 64 GB Internal SSD
- For Software Upgrades & Expansion
• 5 Hour Lithium-ion Battery
w/ Battery Status Indicator
• Compatible with External Hard Drives

UFED Touch: Vast Extraction Speed Enhancements

UFED Touch: Hardware
Speakers
Touch Screen
Navigation Keys
Right Mouse Click Key
Left Mouse Click Key

UFED Touch: Hardware

Tips & Connectors
 Removed a total of 70 feet of cable from the old kit
 Extract & Chargers Simultaneously
 Tip connectors in a magnetic holder replaces long
phone connector cables
 Color coordinated for simple & quick identification
UFED Classic Cable Kit
UFED Touch Cable Kit

Software Upgrades
 Software Upgrade Schedule
- Upgrades are released every 4 to 6 weeks
- Includes software upgrades to the UFED Touch as well as the
Physical Analyzer PC Software
 Automatic Upgrade Process
- Connect the UFED Touch to a Wi-Fi network or Ethernet cable
- The UFED Touch will automatically prompt you to download the
latest upgrade when it is released
 Manual Upgrade Process
- An Email will be automatically sent including download links to
the upgrade files as well as Full Release Notes
- Login to the MyCellebrite portal and manage your license as
well as download the latest upgrade files
- Save the upgrade file to a USB Flash Drive and connect it to the
UFED Touch to perform the upgrade.

Need Assistance?
 Technical Support
- Based out of the New Jersey
Office (No Outsourcing)
- Phone Support: Mon – Fri
9am – 7pm EST
- Email Support: 7 Days a week
9am – 9pm EST
 Warranty & Repair
- Based out of the New Jersey
Office (No Outsourcing)
- Call into Tech Support for an
RMA #
- Unit will be Repair or Replaced
- No Repair/Replacement Cost
License Includes Full Warranty

User Interface
Straightforward user experience

UFED Touch: GUI

UFED Touch: Logical Extraction

Extraction Destinations:‎
Logical Extraction Output

Mobile Device Usage
 Mobile device market keeps growing
 Data, acquired from mobile devices, continues to be used
as evidence in criminal, civil and even high-profile cases.
 People use mobile devices to store and transmit personal
and corporate information
 Mobile devices are used for online transactions, web
browsing, navigation, instant messaging and more

Platforms

Device Support
UFED Touch supports the widest range of
mobile devices & major mobile platforms

Test Devices

Connectivity

UFED Touch Ultimate: Extraction Capabilities
All-Inclusive Logical & Physical Extraction
The NEW Industry Standard in Mobile Forensics

Logical vs. File System vs. Physical extraction
Logical
SMS
Contacts
Call logs
Media
File System
SMS
Contacts
Call logs
Media
Files
Hidden Files
Physical
SMS
Contacts
Call logs
Media
Files
Hidden Files
Deleted data
Extracted Data
Extraction Speed‎

Can I have your SMS?
UFED Logical Extraction

Can I have your pictures as well?
UFED Logical Extraction (2)

How about the emails, please?
NO
UFED Logical Extraction (3)

Can I copy your File System?
Sure Thing.
Good luck with Decoding!
UFED File System Dump

Good morning, sir.
Please run this program for me.
Here’s‎my‎memory.‎
Have a blast figuring it out!
UFED Physical Dump

Mobile Forensic Challenges

Hardware Based Data Extraction
Methods
Hardware-based methods involve a combination of software and
hardware to break or bypass authentication mechanisms and gain
access to the device.
■ Hardware-based methods include the following:
■ Gain access through a
hardware interface (JTAG)
■ Examine memory independently
of the device using memory chip reader.
■ Find and exploit vulnerabilities
•3

When All Else Fails
 ZRT2 from www.fernico.com

CHINEX – Cellebrite’s Solution for
Chinese Knock-Off Devices
•4
‎
‎

Fake Apple & Android Stores

Computers Mobile Phones

FAT NTFS
HFSEXT

FAT NTFS
HFS
Motorola
Proprietary
XSR MCU
INOD
I855 P2K
YaffsJFFS2 Symbian
FS EFS2
QCP
DCT4
OSEEXT
EXTx
FAT

Decoding Challenge
The most powerful decoding, analysis & reporting tool in the industry

All rights reserved © 2011, Cellebrite
File system
SMS
Email
CallsFile system reconstruction
Decoding

Physical Analyzer: Decoding

Decoding – iOS Physical Extraction

Advanced Applications Decoding

Image Carving
 Powerful tool for recovering deleted image files and
fragments of files (and only part of them is available)
 Only applicable for physical extraction

Standalone GPS Units & Smartphones
Decoded Data: Locations

Extraction & Analysis: GPS Devices
Supporting
75% of the
GPS market

Smart Phone Location Data
Cell Tower Locations‎
Wi-Fi Locations‎
GeoTagged Media
Locations‎
Harvested Locations‎
GPS Fixes‎

View in Google Earth

UFED Phone Detective
Identifies mobile phone vendor & model

 Identifies phone quickly
Answer up to 8
questions related
to visual attributes‎
/ by TAC
Phone is identified
& displayed
according to
filtered results
Shows phone &
data supported for
extraction
 Database of more than 4,000 phones

www.PhoneScoop.com
 Enter model of phone
 Scroll down to the FCC line to obtain copy of the manual
 Save copy of the manual to file
60
Click here for manual

iPhone Hardware Versions
iPhone‎
2007‎
iPhone 3G
2008‎
iPhone 3GS
2009‎
iPhone 4
2010‎
iPhone 4S
2011‎
iPhone 5
2012‎

Cellebrite’s Unique Approach
to the iOS Challenge
 State of the art physical extraction wizard
 Support for iPhone, iPod Touch and iPad
iPhone, iPhone 3G, iPhone 3GS, iPhone 4 GSM, iPhone 4 CDMA,
iPhone 4S, iPad 1, iPod Touch 1G, iPod Touch 2G,
iPod touch 3G, iPod Touch 4G
 Support for the widest variation of iOS versions
 Locked, unlocked, "jailbroken" and "non-jailbroken“,‎
encrypted/non-encrypted devices
 Passcode recovery
 Revolutionary decoding

Physical Extraction Wizard

Cellebrite’s Unique Approach
to the iOS Challenge (cont.)
 Keychain decryption (application passwords)
 Integrated SQLite Browser
 iPhone configuration files (Plist and BPlist)
 iMessages

Keychain Decryption

Integrated SQLite Browser

Facebook Decryption

Most Popular iPhone Passwords
http://amitay.us/blog/files/most_common_iphone_passcodes.php
71

Android Challenges
Vendors Using various chipsets

Android Challenges
Multiple OS VersionsMemory Types
Multiple File systems
• YAFFS2
• FAT32
• Ext2
• Ext3
• Ext4
FTL Types
• Qualcomm FTL
• FSR
• More

Please raise your hand if you
bumped into this scenario…

Pattern Lock Extraction
•7
1 2 3
4 5 6
7 8 9

“Smudge Attack” Pattern Lock
Analysis
 For those of you that are lucky enough:

BlackBerry Physical Extraction
 Covering dozens on models
 Any BlackBerry OS version – 4,5,6,7.x
 Using Cellebrite proprietary boot loaders ensuring a
forensically sound process
 Applicable for non locked devices or devices
with known password
 Non-encrypted/encrypted devices
7100
7130e
7250
7520
7750
8130 Pearl
8230 Pearl Flip
8330 Curve
8350i Curve
8530 Curve II
8703e
8830
9330 Curve 3
9350 Curve
9350 Curve Sedona
9370 Curve
9530 Storm
9550 Storm 2
9630 Tour
9650 Bold
9670 Style
9850 Torch
9930 Bold
8300 Curve
9380 Curve
9380 Orlando
7100
7130v
7290
8100 Pearl
8110 Pearl
8120 Pearl
8220 Pearl Flip
8300 Curve
8310 Curve
8320 Curve
First to release physical extraction for dozens of BlackBerry devices‎

Decoding

BlackBerry Decoding
 UFED Physical Extraction or Chip-off
 BlackBerry OS 4, 5, 6, 7.x
 Deleted data recovery
 Real-time decryption of protected content from
selected BlackBerry devices
running OS 4-6 using a given password

Analyzed Data –
Special to Blackberry
 Contacts – phones, emails, photos, addresses, PIN
 Recent email address (OS 6 and above)
 BlackBerry Messenger contact list
 BlackBerry Messenger (BBM):
 User details (display name, PIN)
 Contact list (display name, PIN, email if exists)
 Chats: Sender, Body, Timestamp
Cellebrite exclusive – Decoding of BlackBerry Messenger
History‎even‎configured‎as‎‘never’‎

Thank You
www.cellebrite.com
Ronen@CellebriteUSA.com
Mobile: 201-500-8182

Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: An In-Depth Demo

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: An In-Depth Demo

Ähnlich wie Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: An In-Depth Demo (20)

Mehr von Cellebrite

Mehr von Cellebrite (10)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: An In-Depth Demo