Embedded Files
End-Point Forensics
End-Point Forensics
Devices Used:
- Nexus S
- Samsung Galaxy S5 Plus
- iPhone 4
- iPhone 4s
- iPad 4
- Nokia Lumia 920
- Cellebrite Blank SIM Card
- Starhub SIM Card
- Sandisk Ultra Flair USB Thumbdrive
- Samsung Evo Plus 128 GB
Problem Statement
Problem Statement
With the proliferation of the usage of smartphones and the increased capability of smartphones, it has become an inseparable part of most if not everyone’s life. The latest smartphones almost have the processing capability of a conventional computer, and in some cases, users are also able to dock these devices to be used on their computer (e.g. Continuum and DeX). This means that a smartphone user can do almost anything on these devices. In addition to convenience, application developers and phone manufacturers also have some form of security in place. With all these considerations, how would it affect what data we are able to retrieve from a phone if a user commits a crime using it?
Aims
Aims
- Through this project, we aim to find out what might be some of the factors that affect the capabilities of Cellebrite UFED TOUCH 2 Device and UFED Physical Analyzer:
-Does the device specifications, ability to handle stress (using benchmarking software to do a stress test), configurations (password vs no password), etc
-How does UFED Physical Analyzer compare to it's other competitor such as Encase and FTK 6.0, etc
-UFED Physical Analyzer Extraction VS Cellebrite UFED TOUCH 2 Extraction (Can only compare using IOS Devices & USB Thumbdrive)
-What information does each type of extraction get?
>Cellebrite UFED TOUCH 2
+Logical Extraction
+File System Extraction
+Physical Extraction
>UFED Physical Analyzer
+Advanced Logical Extraction
-What can the built in tools like translation, Malware Scanner, SQLite database viewer, Hex Viewer, etc
- Through this project, we would also aim to document step by step how to use the Cellebrite UFED TOUCH 2 Device, UFED Physical Analyzer, UFED Cloud Analyzer, UFED User lock Code Recovery, UFED Phone Detective (to determine what we can retrieve from each device using the above mentioned softwares)
- To find out more about other tools that come with the licence and see if it can be applied to the project in some way
- We also aim to prove if the applications that we frequently used, that claims they are the "most secured" with end-to-end encryption, confidential modes (Gmail) are really as secured as they claim to be
Objectives
Objectives
Using the capabilities of the Cellebrite UFED TOUCH 2, UFED Physical Analyzer, UFED Cloud Analyzer, UFED User lock Code Recovery, and UFED Phone Detective (to determine what we can retrieve from each device) would we be able to retrieve every data that we crafted and be able to complete a user story of Alice Chan, Bobby Tan and Charlie Ong, including but not limited to the following:
- Where they stay
- Where they go
- Who do they usually contact
- What do they usually search for
- What do they usually post
- Who are their friends/associates
- What are some bookmarks made by them
- Email used by the user
- Phone Number of the user
- Possibly their passwords (may require additional cryptography skills)
- Wifi used by the user
- Types of websites visited by the user
- What applications are usually used by these users
In addition, to find out if Cellebrite or Physical Analyzer is able to decode or decrypt the information from applications that claim to be the safe and to what extent can information be retrieved from these applications.
User Profiles:
User Profiles:
Applications To Test:
Applications To Test:
- Messaging
- Telegram
- Discord
- Facebook Messenger
- Skype
- Gmail
- Cloud Storage
- Google Drive (File Systems has all the information) OR (maybe android > data > com.google.drive.docs, only for files that are marked as offline)
- Dropbox (File Systems has all the information) OR (maybe android > data > com.dropbox.android > temp)
- Social Networking
- Browsers:
- Google Chrome
- Firefox
- Internet Explorer
- Safari
- Google Maps
Cellebrite UFED Hardware/Software:
Cellebrite UFED Hardware/Software:
1. Cellebrite UFED TOUCH 2
1. Cellebrite UFED TOUCH 2
Android Physical Extraction
Android Physical Extraction
- Exploration Status: 100%
- Bit-by-bit copy of the file system of the android device used for extraction
- Extracts More Than the Logical Extraction, includes contents like call logs, chats, device locations, device users, notes, passwords, powering events, web bookmarks, wireless networks, applications
- Advanced ADB (Generic) [*NEW: Only just made available in V7]
- Currently not possible as we need either a OTG cable, USB or SD Memory Card to do this
- ADB (Rooted) [Available in V5]
- Extracts
- Account Information, SMSes, Calls, Application Data (Whatsapp, etc including decoded application contents, if there is any encryption involved in the app), notes, any browser history (Search and Browsing History, Bookmarks, Cookies), Network Connection History, Configs, All database files, etc. See more details in the Extraction tab.
- Extracts
- Boot Loader (Legacy) [Available in V5]
- Forensic Recovery Partition [*NEW: Only just made available in V7]
- Puts device in recovery mode and replaces the original recovery partition with Cellebrite’s custom forensic recovery partition
- Bypasses the user lock options
- Gathers as much information on the locked device, as if the device was not even locked
- *WARNING: If you use this extraction you would no longer be able to boot into recovery mode as the original partition is replaced by the cellebrite's custom partition, so booting into recovery mode would automatically activate the cellebrite partition instead.
Android Logical Extraction
Android Logical Extraction
- Exploration Status: 100%
- Does not extract as much contents as compared to Physical Extraction
- Extracts
- Account Information, Contacts, SMSes, Browser History (Including search and browsing history, Cookies), Application Data (Whatsapp, etc including decoded application contents, Configs, All Databases, etc. See more details in the Extraction tab.
Android File System Extraction
Android File System Extraction
- Exploration Status: 100%
- Similar in concept to a logical extraction
- Extracts
- Account Information, Calendar, Contacts, Cookies, Emails, Applications Installed and any browser history (Search and Browsing History)
iPhone Logical Extraction
iPhone Logical Extraction
- Exploration Status: 100%
- Extracts
- Calendar, Account Information, SMSes, Calls, Application Data (Whatsapp, etc including decoded application contents), any browser history (Search and Browsing History, Bookmarks, Cookies), location history, notes, media, Configs, All Databases, etc. See more details in the Extraction tab.
iPhone Physical Extraction
iPhone Physical Extraction
- Exploration Status: 100%
- Only for devices running iOS 3.0 or higher and limited to devices like iPhone 2G/3G/3GS/4, iPad 1, iPod Touch 1G/2G/3G/4G
- **NOTE: Even if you have the supported device, after connecting to the Cellebrite UFED TOUCH 2, it would prompt you to use the UFED Physical Analyzer instead
iPhone File System Extraction
iPhone File System Extraction
- Exploration Status: 100%
- Similar in concept to a logical extraction
- Extracts
- location history, Connected Bluetooth Devices, Calendar, Calls, SMSes, any browser history (Search and Browsing History, Bookmarks, Cookies), Device Notifications, Notes, Recordings, etc
2. UFED Physical Analyzer
2. UFED Physical Analyzer
iPhone Advanced Logical extraction
iPhone Advanced Logical extraction
- Exploration Status: 100%
- Extracts
- Bluetooth connection history, calendar, calls, chats, contacts, notes, locations (including user journey), notifications, any browser history (Search and Browsing History, Bookmarks, Cookies), Account Information, Wireless Network history, etc. See more details in the Extraction tab.
iPhone Physical Extraction
iPhone Physical Extraction
- Exploration Status: 100%
- iPhone 4 and below ONLY**
- Extracts
- Chats, Contacts, Calls, notification, Account Information, any browser history (Search and Browsing History, Bookmarks, Cookies), Application Information & Usage, Network connection history, media, configs, all databases.
3. UFED Cloud Analyzer
3. UFED Cloud Analyzer
- Exploration Status: 100%
- Able to get the user accounts informations like, facebook, twitter and instagram
- Not able to get information from other accounts than facebook, twitter and instagram on the free version
- Requires you to have an account in that platform before you can use the tool to view that person’s information (e.g. if you want to get a person’s facebook profile, you need to enter your own account information)
- Only able to get information from accounts that are public (if you set to private it is not able to get anything)
4. UFED Reader
4. UFED Reader
- Exploration Status: 100%
- Able to open the XML or UFDR files
- Shows an exact copy of what you would see in the UFED Physical Analyzer
- Allows you to generate a report based on the information
5. UFED User Lock Code Recovery Tool
5. UFED User Lock Code Recovery Tool
- Exploration Status: 10%
- Literally unable to do it.
- Have Cable 500, 501 for Android & 503 for iOS
- Even if you have the cables, needs the UFED Camera to work
Web App On Cellebrite Portal
Downloadable Software Phone Detective (EXE)
6. UFED Phone Detective
6. UFED Phone Detective
- Exploration Status: 100%
- This allows you to check which devices are supported and for each device what are the supported extraction types
- There are two types of Phone Detectives a software based one and a Web App, but both gives you information about what data you can extract from each device
7. (No Licence For This) UFED Analytics
7. (No Licence For This) UFED Analytics
This tool primarily does an automated analysis of the extracted data and eliminates the need to correlate data manually. In addition, you are able to see connections between the suspect and other potential accomplice relating to the suspect and case.
Cellebrite’s Analytics Enterprise makes it simple to:
- Immediately detect and match objects within images and videos such as weapons, money, nudity, child exploitation or documents
- Focus on persons of interest with automatic facial detection
- Find leads faster with optical character recognition
- Analyze links within case-related networks to reveal hidden connections, group hierarchies and communication patterns
- Perform cross-case analysis by subject, crime type or time period
- Create compelling, easy to understand case reports
Cables Numbers and Usage:
Cables Numbers and Usage:
T-100 -> Micro-USB
T-110 -> Apple 30-pin dock connector for iPhone 4s, etc
T-133 -> Micro-USB, able to put devices into download mode
*All T cables prefixed with T are meant to be used together with the A Adapter-USB wire.
Cable No. 110 -> Apple 30-pin dock connector for iPhone 4s, etc
Cable No. 500 -> to bypass lock to the computer
Cable No. 501 -> For Android devices to recover the user lock
Cable No. 503 -> For iOS devices to recover the user lock
Flow Of An Extraction Using Cellebrite:
Flow Of An Extraction Using Cellebrite:
Pre-Extraction
Pre-Extraction
1. Password Cracking/Unlocking The Device
- Android
- UFED User Lock Code Recovery Tool
- Physical (Boot-loader) Extraction
- Send to Cellebrite Lab for Advanced Unlocking & Extraction Service
- iOS
- UFED User Lock Code Recovery Tool
- Send to Cellebrite Lab for Advanced Unlocking & Extraction Service
2. Enable Developer Mode
- Turn on stay awake mode
- Enable USB Debugging
Extraction
Extraction
Choose Type Of Extraction:
- Physical Extraction
- Android
- Advanced ADB (Generic) [NEW]
- ADB (Rooted)
- Boot Loader (Legacy)
- Forensic Recovery Partition
- iOS (Limited Devices)
- User Data Partition
- System Partition
- User and System Data Partitions
- Android
- Logical Extraction
- Android
- Logical Extraction
- iOS
- Logical Extraction
- Advanced Logical Extraction
- Android
- File System Extraction
- Android
- iOS
Post-Extraction
Post-Extraction
- Opening extracted files in UFED Physical Analyzer
- UFED Physical Analyzer Built-in Tools
- Searching for evidence
- Generate Report
- Correlation of Location Information
Google Sites
Report abuse