|<< go to main contents||< prev chapter||next chapter >|
Chapter 3. Cellebrite UFED
Summary (from Company Information)
The CelleBrite UFED is a standalone self contained Fast reliable system that provides data extraction of content stored in mobile phones. It can quickly extract critical evidence from over 2,500* verified up-to date supported Mobile Devices i.e. Phonebook, Images, Videos, SMS, and Call History and much more… With little to No set up time and No PC or frustrating drivers to install for extraction a first responder can easily and reliably preserve and acquire evidence on-scene in real time, Fast!
*CelleBrite works exclusively with over 140 carriers worldwide including Verizon Wireless, AT&T, Sprint/Nextel, T-Mobile , Alltel, US Cellular, Cricket, Rogers, Bell Mobility, Orange France, Telstra Australia, Orange, Vodafone, SFR, and O2… To ensure that future mobile devices are supported.
The CelleBrite UFED also has a built-in in SIM card reader and cloner. The ability to clone a SIM card is a powerful feature as you can create and insert a clone of the original SIM and the phone will function normally. However it will not register on the mobile carrier’s network, eliminating the need for Faraday bags and the possibility that the data on the phone will be updated (or erased). The UFED package ships with about 72 cables for connecting to most mobile devices available today. Connection protocols include serial, USB, infrared and Bluetooth although I only utilized the USB approach.
Data is extracted onto a USB flash drive or SD card which is organized into clear and concise reports. CelleBrite also distributes the UFED Report Manager which provides an intuitive reporting interface and allows the user to export data/reports into Excel, MS Outlook, Outlook Express, and CSV or to simply print the report. The UFED device fully supports Unicode and thus can process phones with any language enabled. Also, the following data types are extracted:
The CelleBrite UFED solution leads the industry in Speed, Phone Support, portability, and Ease of Use.
- Phonebook Extraction (~95% of all cellular handsets on the market today)
- Multimedia Extraction* (~75% of all CDMA and 95% of all GSM handsets)
- *Pictures, Video, Text messages, and Audio
- Additional extractions
- Deleted SMS messages (SIM/USIM only)
- Deleted Call History (SIM/USIM only)
- Deleted Contacts
- Additional Features
- PC reporting tool (MD5 Hash & SHA256 Signature)
- SIM ID Cloning- Now available
- Extract Phone data while preventing the cellular device from connecting to the network
- Extract Phone data when the original SIM is not available
- Extract Phone data when the SIM card is PIN locked *
- * Varies on Phone device model- User PIN lock can only be bypassed on devices which require only an ICCID from the SIM card to allow access to the phone
- System Files Dump/ Hierarchical “tree” (Beta- ~800 devises supported)
- New Apple iPhone Support (2G, 3G/ 3GS, and iPhone 4 versions jailbroken and non-jailbroken)
- Multi-Language User Interface
Figure 1.1. CelleBrite UFED Kit
The UFED package arrived in a soft case containing the UFED device, manuals/CD, USB Bluetooth radio (Cambridge Silicon Radio Ltd.), 250MB USB drive and roughly 72 cables for connecting to supported devices. The manual was sparse but sufficient and very straightforward.
To start things off, I decided to make sure the UFED software was update to date. There are options to update via a PC, USB, SD card or via the Internet.
I decided to test the convenient online upgrade feature. I powered the UFED on and had to first set the date/time which was simple. Next I connected it via Ethernet to a switch running DHCP and went under Services ->Upgrade -> Upgrade Application Now and selected HTTP Server as the source. On my first attempt, the download froze prior to completion and I eventually rebooted the device. The second time I connected it to a different switch and the upgrade went flawlessly. A few minutes later I was on the latest Application software which supplies the UFED application and support for the various phones. Cellebrite seems to add new phone support often and a forensic examiner should check for updates often. The version used for this test was 188.8.131.52.
The UFED contains two other pieces of software termed Images. One dubbed Tiny contains the core system software. The other image named Full contains additional core system software. Both were up to date (184.108.40.206 and 220.127.116.11 respectively) and I am unclear if this was due to the Application update I initially performed or was shipped as such. The update process for the Image software is under a separate menu in Services and I suspect the updates are performed independently. One minor note, when I checked the manual online , the PDF with update direction for UFED instead opened a UME-36Pro PDF. The platforms are likely very close and this is also probably easily remedied by searching their site or contacting technical support.
The acquisition of the 3G iPhone was simple and fast on UFED (with the exception of acquiring audio files). After powering the device on, I selected Extract Phone Data, Apple, iPhone 2G/3G, USB disk drive (destination), Content types (I pressed F2 to select all including Call Logs, Phonebook, SMS, Pictures, Videos and Audio/Music) and was then instructed to connect the iPhone to the source port with Connect cable 110 and the USB Disk Drive into the target port. After entering the pass code, the extraction began. Total estimated time was approximately 4 hours. Since most of this time was allotted to the “Audio/Music” files, I decided to extract all of the others first. After removing the “Audio/Music” files, the extraction took 5 minutes and the files were copied into an automatically created folder on the attached USB drive.
I then went back and extracted the audio/music files, which was estimated to take just under 4 hours. Throughout this process, I was asked to enter the pass code and click “continue” every so often. I had to be sitting next to the device the whole time for the acquisition to continue. If audio/music files are not necessary for your investigation, you may want to skip over them. However, the extraction took 1 hour 30 min, which was much less than the estimated time.
I also performed a File System dump of the iPhone using UFED’s Physical Analyzer. This software provides physical extraction support, and in this case, provided file system dump capabilities. The Physical Analyzer installation CD was used to quickly and easily install this software on the PC used for testing. The File System Dump option extracts all accessible files using a logical process. To do this, I selected File System dump, Apple, iPhone 2G/3G/, and PC (destination). I was then prompted to click “Read Data from UFED” within Physical Analyzer, then start to begin the process. The File System dump took a couple of hours, and a .zip file was automatically created in the specified destination folder. Also in this folder is a “UFED Dump” file which can be opened and viewed as a report in the UFED Physical Analyzer software.
Results and Reporting
Since UFED has both a “standard” acquisition process and a file system dump option, please note there are two sections detailing the results.
Standard Acquisition Results
The standard acquisition resulted in a roughly 160MB folder containing the extracted audio and images, proprietary files with extensions such as .SMS and .PBB and reports in both HTML and XML containing the following sections: Contacts, SMS, Call Logs, Images, Ringtones (Not Supported), Audio and Video. I was able to easily view the files by opening the UFED Content Manager file into the UFED Report Manager for a user friendly interface. Another option is to also view the “Report.htm” file which is created on the USB by default.
When you run UFED Report Manager, you can import the data from the USB drive by clicking on File -> Open Extraction (from folder). You can then add Optional Information including case, examiner and other investigation information.
Along the left hand side, you can see the major areas of focus including Optional Information, Report, Contacts, SMS, Call Log, Images, Videos, Audio and Ringtones. The following shows some basic information included in the Report section.
Figure 1.2. UFED Report
The Images section previews all images found. You can also open the image files from the Report Manager. EXIF data an image can be viewed by looking at the properties of the file in Windows
Figure 1.3. UFED Images
And the Calls Log shows the type of call (Outgoing, Incoming or Missed) as well as the Name (if found in Contacts), phone number, date/time and duration.
Figure 1.4. UFED Call Log
The SMS section shows the full set of messages and a detailed message window. The details include Number, Name, Message, date/time, SMSC, Status (Send, Read, Unsent, etc.), Folder, where it was stored and the type (Incoming or Outgoing).
Figure 1.5. UFED SMS
The Audio section contains all of the audio (iTunes) .mp3 files. Voicemails were not included in this section.
Figure 1.6. UFED Audio
The final screenshot I took was of the Contacts information, including Name, various numbers, and text fields including Company Name, email address, notes, etc.
Figure 1.7. UFED Contacts
The data can be extracted into Excel (or CSV) as well as importing directly into Outlook or Outlook Express. While this is an interesting feature, I can’t think of a situation in which I would import the information into Outlook.
Physical Analyzer (File System Dump) Results
The file system dump acquisition was 3.76 GB. The top level folder included the following 3 subfolders: AFC Service, Backup Service and Lockdown Service. The majority of the data were songs under the AFC Service -> iTunes_Control -> Music directory. The Backup directory contains important database, Plist and other files allowing a more complete recovery of data from the iPhone.
When imported into Physical Analyzer, the software provided a summary of the data acquired:
Figure 1.8. Physical Analyzer – File System Dump Summary
The file system dump got several more items than the standard extraction, including additional call logs, MMS, notes, web history, bookmarks, cookies, applications, voicemails and more. The following displays 2 deleted call logs which were retrieved:
Figure 1.9. Physical Analyzer – Deleted Call Logs
Also retrieved was an additional deleted SMS Message (shown below). This was most likely a draft, as the Status reads “Unsent.” This message also did not contain a phone number or any text content.
Figure 1.10. Physical Analyzer – Deleted SMS
The keychain-2.db SQLite database contained information about the networks the user attached to including Wi-Fi, VPN, Bluetooth and the Apple iTunes Store ID. In addition, other SQLite databases under the Documents folder contained information from some App store programs such as Pinch Media (used to take video on the device) and Facebook and could provide valuable information to the investigator. All of this was done without jailbreaking the phone, a major plus for any forensic investigation. By analyzing the SQLite databases and Plist files, an investigator can recover deleted information and important configuration and usage information.
I decided to generate a report with all of the acquired data. The report is first generated within the Physical Analyzer application, then you have the option to export it to html, pdf, xml, or just open in a browser. I decided to create the html report. Below is the Summary shown at the top of the report.
Figure 1.11. Generated HTML Report
The report includes the following sections: Summary, Device Information, Geotags, Contacts, SMS – Text Messages, Call Logs, Images, Videos, Audiot, and Text. All of the information is displayed in an easy to read format. For the sections which contain actual files (such as videos, music files, pictures, or voicemails), there is a link allowing you to access the file itself. This is helpful because videos can be viewed and voicemails listened to.
One of the sections within the report is “Geotags” on Google Earth.
Figure 1.12. Geotags Section of Report
Once you click the “Open Externally” link, information on the Google Maps locations is displayed within XML format. The data includes the camera make and model (in this case Apple iPhone 3G), the Google Maps link, and latitude and longitude information:
Figure 1.13. XML Geotags Information
Matrix of Results
The following are the results from the UFED tests.
Figure 1.14. Cellebrite UFED Matrix of Results
Cellebrite’s UFED is an excellent product for forensic analysis of the iPhone. By providing two acquisition methods, the investigator can recover a significant portion of the data on the iPhone. The device is also very simple to use, easy to update, performs acquisitions quickly and is portable. The firmware is updated often to support new phones and functionality and the support department was efficient and professional.
The following ranking establishes UFED’s overall rating of 3.4 on the four criteria established at the beginning of this white paper.
Table 1.1. UFED Rankings
|<< go to main contents||< prev chapter||next chapter >|