Using Cellebrite to Deal with a Mobile Data Dump

As a private investigator, the ability to use mobile forensic analysis is an important one. Cell phones are the most often-used mobile devices, and they can provide a wealth of important information for those in the investigation field. The Cellebrite UFED unit provides plenty of options for finding this information, making it a standalone unit that you need to add to your readily available tools. The unit is designed to allow for extraction of data on the spot using a system that is easy to handle, which is a necessity when you have very little time available to work with the system.

The Cellebrite system offers a wide range of features to help you gather information quickly, including a SIM cloner that can allow you to remove the original SIM for further investigation, without the switch being detected. The unit comes with numerous cables to ensure that you can connect to the mobile device you need, without needing to order additional cables or accessories. Once you have received the UFED unit, you are ready to begin your mobile device investigation.

Cellebrite offers a few different options for extracting mobile device information, including the popular Extract Phone Data option. While you can certainly opt for the traditional Extract Phone Data option alone, if you want something that can dig even deeper, the Cellebrite File System Dump is something you need to consider.

What is the Cellebrite File System Dump?

Traditional phone data extraction from Cellebrite allows you to collect information including contacts, call logs, video and music downloads, photos, and text messages. The File System Dump, however, allows you to gather information about internet usage, application data, and the file structure of the device to determine exactly what has been done on the phone. Additionally, this system also allows you to run other forensic tools against the information to gather even more data.

The Cellebrite system is available for use on Apple iOS devices, including iPhone 5 and later models. The system can also be used on iPods and iPad minis, BlackBerry, Android, and GPS devices. When using the UFED Physical Analyzer from Cellebrite, you will notice that there are several different options available. For a complete analysis of the phone’s memory, you will choose the File System Dump option.

Running the Dump

Once you have chosen the File System Dump, you will need to select the appropriate mobile device, which for the purposes of this explanation will be Apple. From there, you will need to choose the supported device under the Apple subheading that you are working with. After choosing the device, you will need to decide the correct target location for the dump, which can be an SD card, USB flash drive, or a connected PC.

The device that I ran the system dump on had over 13GB of data, which required around 14 hours to complete the extraction. All of this information is written to your chosen target location. After the extraction is complete, simply load the USB drive or SD card into your forensics computer to open the Dump file.

Results

Once you open the file for analysis, you will see a variety of concise reports of the information that the system gathered during the extraction. While your results may look quite similar to the Extract Phone Data reports that you are used to, the File System Dump file allows you to delve deeper into the information on the device. You can select Hex data options that will allow you to go through the application folders to reveal even more information, including Skype conversations, deleted call logs, cookies, web history, bookmarks, geotags, and other data that cannot be found with the normal extraction option.
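Because the dump exposes the device's file structure, other tools can be run against it before any single application folder is opened by hand. The Python script below is an added example, not part of the original post and not Cellebrite code: it inventories a dump that has been unpacked to a directory, classifying each file by its signature and recording a SHA-256 hash. The directory layout, file names and sample data are constructed assumptions.

```python
import hashlib
import os
import tempfile

# File signatures checked at offset 0 (file names in a dump can mislead).
SIGNATURES = {b"SQLite format 3\x00": "sqlite", b"bplist00": "binary-plist"}

def classify(header):
    return next((k for m, k in SIGNATURES.items() if header.startswith(m)), "other")

def inventory_dump(root):
    """Walk an unpacked dump read-only and return one record per file."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the evidence tree
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                header = fh.read(16)
                digest.update(header)
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            records.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                            "kind": classify(header),
                            "size": os.path.getsize(path),
                            "sha256": digest.hexdigest()})
    return sorted(records, key=lambda r: r["path"])

def build_sample_tree(root):
    """Write constructed sample files standing in for an unpacked dump."""
    samples = {"app/cookies.db": b"SQLite format 3\x00" + b"\x00" * 84,
               "app/prefs.plist": b"bplist00" + b"\x00" * 8,
               "media/notes.txt": b"constructed sample\n"}
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rec in inventory_dump(tmp):
            print(rec["kind"], rec["size"], rec["sha256"][:16], rec["path"])
```

Files reported as `sqlite` are the ones to open next in a database viewer, and the recorded hashes let you show later that a file was not altered during analysis.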

The typical Extract Phone Data system can provide plenty of information for forensic analysis, but the File System Dump can provide considerably more information that can be analyzed using the Physical Analyzer. This option collects information from all accessible files, which can recover information that has been deleted or otherwise removed from the device. You will have the option of choosing whether to include music and video files in the extraction process, but understand that choosing to extract this information can be quite time-consuming. If these files are not important, skipping them will save you valuable time.

The Cellebrite system provides all the tools needed for complete forensic analysis of a mobile device. While you can always stick with the more familiar Extract Phone Data, if you truly want to reveal as much information as possible, you need to use the File System Dump.

If you would like to improve your investigation with Mobile Forensics in Virginia, Maryland or Washington, D.C. contact Prudential Associates to get started.
