July 11th, 2009 by ahoog

iPhone Forensics White Paper – Logicube CellDEK

iPhone Forensics – CellDEK (June 2009)

Andrew Hoog and Kyle Gaffaney

viaFORENSICS

June 2009


Chapter 1. CellDEK® (2.6/5.0)

by Logicube

Summary (from company information)

CellDEK® has been developed in cooperation with the UK’s Forensic Science Service (FSS®). The portable CellDEK is compatible with over 1600 cell phones, PDAs, and satellite navigation devices. This cell phone data extraction device is a self-contained system with a touch-screen display and allows the user to identify devices by brand, model number, dimensions and/or photographs. When the device type is selected, a “smart adapter” feature illuminates the correct USB adapter. Connectivity by infra-red and Bluetooth is also built in. Up to 40 adapters may be stored in the system’s built-in rack.

The CellDEK captures all stored data within approximately five minutes. The CellDEK software automatically performs forensic extraction of the following data: Handset Time and Date, Serial Numbers (IMEI, IMSI), Dialed Calls, Received Calls, Phonebook (both handset and SIM), SMS (both handset and SIM), MMS messages (not available from all handsets), Deleted SMS from SIM, Calendar, Memos, To Do Lists, Pictures, Video, and Audio. The CellDEK displays the data on screen and prompts for downloading to a portable USB device. The CellDEK also includes a Secure Erase feature that allows you to completely remove sensitive data from the laptop hard drive.

Installation

CellDEK is a completely self-enclosed extraction device, so installation is minimal. The small suitcase-sized unit contains all of the necessary connectors and an internal computer with a 4.5 x 7.5 inch touch screen. The software is preloaded on the internal computer and starts immediately after signing in and agreeing to the user agreement. The touch screen includes a pop-up on-screen keyboard.

Figure 1.1. CellDEK

CellDEK


However, updates may be necessary, as one was in this test. Like most extraction devices, CellDEK needs updates from time to time to support new mobile devices. The update needed for this test was iTunes: to extract information from an iPhone with CellDEK, iTunes must first be installed on the unit. Because the CellDEK is self-contained, this is done by downloading iTunes from the Apple website on a separate computer and saving the installer to a USB flash drive.

After downloading iTunes to the USB flash drive we inserted the flash drive into the USB port on the CellDEK. Simple on-screen prompts guided us through the iTunes installation process.

This entire process was eased by the detailed manual that was included with the CellDEK. Many of the images in this review are from the manual because we were unable to take screenshots on the self contained computer of the CellDEK.

Forensic Acquisition

After installing iTunes the acquisition process took less than 5 minutes.

After the user agreement CellDEK loads to its main applications screen. From this screen the user can choose to manage files, view previous extractions, update software, and read a new device.

Figure 1.2. Main Application Screen

Main Application Screen


After selecting to read a new device, the user is asked which kind of device is going to be read; in our test it was an iPhone.

Figure 1.3. Device Type Selection

Device Type Selection


Next, an on-screen prompt tells the user which cable to use by lighting up the cable connector, and instructs the user to insert this cable into the device bed near the screen. Once the cable is seated, the next on-screen prompt instructs the user to connect the iPhone. Once connected, an information screen is displayed listing the files that will be extracted and the information they contain.

The next screen asks the user to enter the name of the device, the user, and other details used for labeling and referencing the extraction report. The extraction starts immediately after this information is entered.

Figure 1.4. Case Details Input Form

Case Details Input Form


Once the extraction is complete CellDEK creates and displays the report of the extraction process.

Results and Reporting

The report from the extraction process is immediately displayed on the built-in screen. The report viewer allows the user to select which area of the report to view, e.g. Contacts or Messages.

Figure 1.5. Standard Data View Screen

Standard Data View Screen


The built-in screen and report viewer are very convenient. However, the small size of the screen makes looking through large amounts of data tedious. To overcome this, CellDEK allows the user to copy the report files off the unit. The files may be copied to a USB flash drive, or written to a CD if a CD writer is attached to the CellDEK via USB.

For our test we copied the files to a USB flash drive. After choosing Manage Files from the main application page, the user is prompted to choose between copying files and deleting files. The next prompt offers the option of copying all reports or a single one. If copying a single report is chosen, a list of all reports stored on the CellDEK is displayed, organized by date.

Figure 1.6. Previous Extraction List

Previous Extraction List


Once the report is saved on a USB flash drive it can be transferred to other computers. Unlike other extraction devices, CellDEK does not require proprietary software to view the extraction report: the report can be opened as an .html document. The folder containing the transferred files also includes .csv and .xml versions of the extraction report, the extracted images, and a folder of user files.

Figure 1.7. Transferred Files

Transferred Files


The transferred files also include an Audit Trail text file that shows the exact time that extraction occurred.

Figure 1.8. Audit Trail

Audit Trail


The .html version of the report is similar to the on-screen version.

Figure 1.9. .html version

.html version


The .html report does include a table of contents, but clicking on a section title did not jump to that section. When looking for something specific in the report, the user must therefore either use the browser’s find function or scroll down through the large report.

Figure 1.10. .html Table of Contents

.html Table of Contents


Images are available for viewing in both the .html version of the report as well as in a separate Report Images folder.

Figure 1.11. Report Image

Report Image


Figure 1.12. Report Images Folder

Report Images Folder


The .html report lists various .plist and .db files but does not display their contents. To examine them the user must open each file separately in a viewer that can read property lists and SQLite databases. These files can be found in the User Files folder that was transferred from the CellDEK.

Figure 1.13. User Files

User Files
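Because the .html report only names the .plist and .db files, a practitioner who has copied the User Files folder to a workstation needs a way to triage those files and to confirm that the copies match the hashes the report recorded. The script below is an added example written for this review; it is not part of the original white paper and not Logicube’s software. It walks a User Files folder, identifies SQLite databases and property lists by their magic bytes rather than by extension, dumps their contents, computes SHA-256 digests, and compares them against a {filename: digest} list assumed to have been transcribed from the report’s File Hashes section (the report’s actual hash algorithm and layout are not shown on this page, so that format is an assumption). The sample export it builds in a temporary directory is constructed for the demo; its key names and table schema are invented and are not real iPhone settings.

```python
import hashlib
import plistlib
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file


def sha256_file(path: Path) -> str:
    """Hash in 64 KiB chunks so large media files never load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path) -> str:
    """Classify by magic bytes, not extension: exported files keep handset names."""
    with path.open("rb") as f:
        head = f.read(16)
    if head == SQLITE_MAGIC:
        return "sqlite"
    if head.startswith(b"bplist00") or head.lstrip().startswith(b"<?xml"):
        return "plist"
    return "other"


def read_plist(path: Path):
    """plistlib.load detects binary (bplist00) and XML property lists itself."""
    with path.open("rb") as f:
        return plistlib.load(f)


def read_sqlite(path: Path) -> dict:
    """Open read-only through a file: URI so examining the copy cannot modify it."""
    con = sqlite3.connect(path.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        dump = {}
        for name in names:
            # Table names come from the evidence file: quote them, never trust them.
            cur = con.execute(f'SELECT * FROM "{name}"')
            dump[name] = {"columns": [d[0] for d in cur.description],
                          "rows": cur.fetchall()}
        return dump
    finally:
        con.close()


def inventory(user_files: Path) -> dict:
    """Map each file under User Files to its kind, SHA-256 and parsed content."""
    result = {}
    for path in sorted(p for p in user_files.rglob("*") if p.is_file()):
        kind = classify(path)
        content = (read_plist(path) if kind == "plist"
                   else read_sqlite(path) if kind == "sqlite" else None)
        result[path.relative_to(user_files).as_posix()] = {
            "kind": kind, "sha256": sha256_file(path), "content": content}
    return result


def verify_hashes(inv: dict, reported: dict) -> list:
    """Compare computed digests with {relative path: hex digest} pairs transcribed
    from the report (assumed format). Returns files that are missing or differ."""
    problems = []
    for rel, digest in reported.items():
        entry = inv.get(rel)
        if entry is None:
            problems.append((rel, "missing"))
        elif entry["sha256"].lower() != digest.lower():
            problems.append((rel, "mismatch"))
    return problems


def build_sample_export(root: Path) -> Path:
    """Constructed stand-in for a copied User Files folder. Keys and schema are
    invented for this demo and are not real iPhone settings or tables."""
    user_files = root / "User Files"
    user_files.mkdir(parents=True, exist_ok=True)
    with (user_files / "Settings.plist").open("wb") as f:
        plistlib.dump({"Bluetooth": True, "SpeedDial": ["+15555550100"]},
                      f, fmt=plistlib.FMT_BINARY)
    con = sqlite3.connect(user_files / "notes.db")
    con.execute("CREATE TABLE note (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO note (body) VALUES ('constructed sample note')")
    con.commit()
    con.close()
    (user_files / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 12)
    return user_files


def run_demo() -> tuple:
    """Build the sample export, inventory it, and check one correct and one
    deliberately wrong digest list. Returns (inventory, good, bad)."""
    inv = inventory(build_sample_export(Path(tempfile.mkdtemp())))
    good = verify_hashes(inv, {"notes.db": inv["notes.db"]["sha256"]})
    bad = verify_hashes(inv, {"notes.db": "00" * 32, "gone.plist": "ff" * 32})
    return inv, good, bad
```

Point `inventory()` at the real User Files folder copied from the CellDEK and feed `verify_hashes()` the digests from the report; any "mismatch" or "missing" entry means the working copy differs from what the unit recorded at extraction time and should not be relied upon until the copy is redone. Opening the SQLite files with `mode=ro` matters because a normal connection can create journal files or alter page contents, which would change the very hashes you are trying to verify.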


Matrix of Results

The following are the results from the CellDEK extraction.

Table 1.1. CellDEK Matrix of Results

| Scenario    | CellDEK Results                                              | Rank | Result |
|-------------|--------------------------------------------------------------|------|--------|
| Call Logs   | 100 (broken down into Dialed and Missed calls)               | 3    | Meet   |
| SMS         | 120 (deleted not recovered)                                  | 3    | Meet   |
| Contacts    | 1511                                                         | 3    | Meet   |
| Email       | 0                                                            | 0    | Below  |
| Calendar    | 3188                                                         | 3    | Meet   |
| Notes       | 1 (deleted note not recovered)                               | 3    | Meet   |
| Pictures    | 27 (deleted and synced photos not retrieved)                 | 3    | Meet   |
| Songs       | Audio and video files not recovered                          | 0    | Below  |
| Web History | Recent pages and recent search history listed                | 3    | Meet   |
| Bookmarks   | Not all were found                                           | 2    | Below  |
| Cookies     | Only BOA cookies found                                       | 2    | Below  |
| App Info    | App names listed, only info found                            | 2    | Below  |
| Google Maps | Yes, history of recent routes                                | 3    | Meet   |
| Voicemail   | 0                                                            | 0    | Below  |
| Password    | None found                                                   | 0    | Below  |
| Plists/XML  | Many retrieved                                               | 3    | Meet   |
| Phone Info  | Yes                                                          | 3    | Meet   |
| Video       | 0                                                            | 0    | Below  |
| Podcasts    | 0                                                            | 0    | Below  |
| Speed Dials | Found programmed speed dial in plist                         | 3    | Meet   |
| VPN         | List of routers and wifi networks found                      | 2    | Below  |
| Bluetooth   | Listed as enabled                                            | 2    | Below  |
| GPS         | Additional coordinates found in .plists                      | 2    | Below  |
| File Hashes | Yes                                                          | 3    | Meet   |
| YouTube     | Contains info about recently viewed videos                   | 3    | Meet   |
| HTML        | Recent weather page info found plus additional Facebook info | 3    | Meet   |


Conclusions

The self-contained nature of the CellDEK gives it portability, which is probably the biggest advantage of this extraction device. Since the software came preloaded, installation was a breeze, but the device did require us to download an update (iTunes) on a separate computer and transfer it to the CellDEK.

The extraction process was quick and the report was immediately viewable on the built-in screen. Additionally, no proprietary software was needed to view the report on a separate computer once it had been transferred.

The following ranking establishes CellDEK’s overall rating of 2.6 on the four criteria established at the beginning of this white paper.

Table 1.2. CellDEK Rankings

| Area         | Weight | Rank |
|--------------|--------|------|
| Installation | 0.1    | 4.0  |
| Acquisition  | 0.2    | 3.0  |
| Reporting    | 0.3    | 3.0  |
| Accuracy     | 0.4    | 2.1  |
| TOTAL        |        | 2.6  |


Chapter 2. About this white paper

About the Authors

Andrew Hoog, Chief Investigative Officer of viaForensics, is a recognized computer scientist and forensic analyst and former chief information officer of a $750 million multinational corporation. He has led investigations, contributed to policy development and lectured at corporations, attorneys’ associations and law enforcement agencies about the computer forensic discipline. He maintains a computer forensics and E-discovery glossary, authors computer/mobile forensic how-to guides and is now writing a book about Android forensics. He is the original author of this ground breaking white paper on iPhone Forensics that has gained recognition throughout the industry.

Kyle Gaffaney is a third year law student at Loyola University of Chicago School of Law. Kyle also has degrees in Accounting and Management Information Systems from the University of Minnesota Carlson School of Management. Prior to law school Kyle served as a staff accountant at a financial management firm.

About viaForensics

viaForensics is an innovative computer/mobile forensic and e-discovery company providing expert consulting services to corporations, law firms, law enforcement and government agencies.

Beyond servicing our clients’ immediate needs, the company focuses on groundbreaking research in areas such as mobile forensics, SQLite forensics, data visualization and general education on forensics by regularly posting HOWTOs, glossary terms and the results of our research, accessible at viaforensics.com.

Why Outsource?

One key strategy for minimizing this risk is to implement computer forensic techniques. But the question is, why outsource? Often the initial response is that internal IT resources can perform these services in addition to their normal day-to-day tasks. But the reality is that there are significant burdens, including:

  • Impartiality: Your case must be credible, unbiased and withstand legal scrutiny; internal investigations present major obstacles in each of these areas.
  • Expertise: viaForensics is a qualified expert in the Federal Courts. Expert status is a product of extensive training and a wide range of experience, often a challenge in a single corporate environment.
  • Cost: Forensic hardware, software and training are singular in purpose and require major capital investments and recurring expenses.
