Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: An In-Depth Demo

As mobile device manufacturers improve device and operating system security measures in a bid to protect user data, the forensic process becomes more complex. In this hands-on demo, learn how UFED rises to the challenge with advanced technology, including advanced bootloaders enabling physical extractions and enhanced logical extraction enabling app file system extractions even within logical examinations.

Published in: Technology, Business


  1. Presenters: Sonny Farinas – Sales; Lee Papathanasiou – Sales Engineer.
     UFED Series: Delivering mobile forensic solutions
  2. Introduction - Cellebrite (Confidential: Not for distribution - © Cellebrite 2012)
     - Established in 1999, Cellebrite is a world leader in mobile forensics, backup and synchronization solutions
     - A fully-owned subsidiary of Sun Corporation, a publicly traded company on JASDAQ based in Nagoya, Japan
     - Based in Israel with offices in the USA, Germany, Brazil, Singapore
     - More than 60 distributors worldwide
     - Over 250 employees (150+ dedicated to R&D)
     - Forensic customers include highly respected national and local divisions of governmental, military and intelligence agencies
     - Over 100,000 units deployed worldwide (UME and UFED)
  3. Market Sectors
     UFED solutions are being used worldwide in the following market sectors: police forces, military, tax authorities, customs, stock authorities, anti-terror agencies, police academies, forensic specialists, border controls, special forces, intelligence services, enterprises.
  4. Why Cellebrite?
     - Technical foundation
     - Sales and tech support
     - Strategic partnership with key market leaders
     - Customer base
     - Manufacturer and carrier relationships
     - Creator of market trends
     Cellebrite is built to keep up with the future!
  5. User Questionnaire
     - Understand market needs
     - Help with our road map and business strategy
     - Contact users or anonymous
     - Comment, questions or suggestion box
     - How can we provide a better product
     Turn in the forms after the meeting.
  6. Goals
     - Identify best practices for mobile forensics
     - Become familiar with the type of data that can be stored on mobile devices and what can be extracted
     - Understand the background of mobile forensics along with the challenges in the process of extracting and decoding the data
     - Discover Cellebrite forensic solutions
  7. Best Practices: Mobile Forensics
  8. Scenario
     It is midnight on a Friday night, and it is just beginning to sprinkle with rain. You are the first officer at the scene of a homicide where the victim has been shot several times by one shooter. Witnesses have pointed out a cell phone that they saw the suspect using and throwing away as he left the scene. It is clear that the device is still on.
  9. Considerations
     - Airplane mode?
     - Shielding?
     - Signal jammer?
     - Dangers of leaving it on and transporting the device
     - Remove SIM card?
  10. UFED Touch: Hardware Description
     Exclusively designed for mobile forensics
  11. UFED Products
     UFED Logical
     - Data stored in the memory is acquired by using the file system or the phone's proprietary protocol (known communication protocols: AT commands, OBEX, etc.)
     - The logical approach represents the live system on the phone
     UFED Ultimate
     - Bit-by-bit copy of the phone's physical memory and file system
     - Unallocated areas
     - The main effort in physical extraction is to obtain the extra data (such as deleted files)
     - The data that actually exists on the phone
  12. UFED Comparison
     - Portable – easy to carry
     - 10x faster extraction speeds
     - Device features:
       - 7" touch screen w/ stylus
       - Windows XP (locked down)
       - Built-in WiFi/Bluetooth & Ethernet port
       - SIM card reader/writer slot
       - SD card reader slot
       - USB 2.0 ports
       - RJ-45 ports
       - 64 GB internal SSD - for software upgrades & expansion
       - 5 hour lithium-ion battery w/ battery status indicator
       - Compatible with external hard drives
  13. UFED Touch: Vast Extraction Speed Enhancements
  14. UFED Touch: Hardware (labelled photo: speakers, touch screen, navigation keys, right mouse click key, left mouse click key)
  15. UFED Touch: Hardware (photo)
  16. UFED Touch: Hardware (photo)
  17. UFED Touch: Hardware (photo)
  18. Tips & Connectors
     - Removed a total of 70 feet of cable from the old kit
     - Extract & charge simultaneously
     - Tip connectors in a magnetic holder replace long phone connector cables
     - Color coordinated for simple & quick identification
     (photos: UFED Classic cable kit vs. UFED Touch cable kit)
  19. Software Upgrades
     Software upgrade schedule
     - Upgrades are released every 4 to 6 weeks
     - Includes software upgrades to the UFED Touch as well as the Physical Analyzer PC software
     Automatic upgrade process
     - Connect the UFED Touch to a Wi-Fi network or Ethernet cable
     - The UFED Touch will automatically prompt you to download the latest upgrade when it is released
     Manual upgrade process
     - An email will be automatically sent including download links to the upgrade files as well as full release notes
     - Log in to the MyCellebrite portal to manage your license and download the latest upgrade files
     - Save the upgrade file to a USB flash drive and connect it to the UFED Touch to perform the upgrade
  20. Need Assistance?
     Technical support
     - Based out of the New Jersey office (no outsourcing)
     - Phone support: Mon – Fri, 9am – 7pm EST
     - Email support: 7 days a week, 9am – 9pm EST
     Warranty & repair
     - Based out of the New Jersey office (no outsourcing)
     - Call into tech support for an RMA #
     - Unit will be repaired or replaced
     - No repair/replacement cost: the license includes a full warranty
  21. User Interface: Straightforward user experience
  22. UFED Touch: GUI
  23. UFED Touch: Logical Extraction
  24. Logical Extraction Output: Extraction Destinations
  25. Mobile Forensics
  26. Mobile Device Usage
     - Mobile device market keeps growing
     - Data acquired from mobile devices continues to be used as evidence in criminal, civil and even high-profile cases
     - People use mobile devices to store and transmit personal and corporate information
     - Mobile devices are used for online transactions, web browsing, navigation, instant messaging and more
  27. Platforms
  28. Device Support: UFED Touch supports the widest range of mobile devices & major mobile platforms
  29. Test Devices
  30. Connectivity
  31. UFED Touch Ultimate: Extraction Capabilities
     All-inclusive logical & physical extraction. The NEW industry standard in mobile forensics.
  32. Logical vs. File System vs. Physical extraction

     Extracted data | Logical | File System | Physical
     ---------------+---------+-------------+---------
     SMS            |   yes   |     yes     |   yes
     Contacts       |   yes   |     yes     |   yes
     Call logs      |   yes   |     yes     |   yes
     Media          |   yes   |     yes     |   yes
     Files          |         |     yes     |   yes
     Hidden files   |         |     yes     |   yes
     Deleted data   |         |             |   yes

     The slide's two axes are Extracted Data and Extraction Speed: more data is recovered moving from logical to physical, at the cost of extraction time.
  33. UFED Logical Extraction: "Can I have your SMS?"
  34. UFED Logical Extraction (2): "Can I have your pictures as well?"
  35. UFED Logical Extraction (3): "How about the emails, please?" – "NO"
  36. UFED File System Dump: "Can I copy your File System?" – "Sure thing. Good luck with decoding!"
  37. UFED Physical Dump: "Good morning, sir. Please run this program for me." – "Here's my memory. Have a blast figuring it out!"
  38. Mobile Forensic Challenges
  39. Hardware Based Data Extraction Methods
     Hardware-based methods involve a combination of software and hardware to break or bypass authentication mechanisms and gain access to the device. Hardware-based methods include the following:
     - Gain access through a hardware interface (JTAG)
     - Examine memory independently of the device using a memory chip reader
     - Find and exploit vulnerabilities
  40. When All Else Fails: ZRT2 from www.fernico.com
  41. CHINEX – Cellebrite's Solution for Chinese Knock-Off Devices
  42. Fake Apple & Android Stores
  43. File Systems Challenge
  44. Computers vs. Mobile Phones
  45. Computers vs. Mobile Phones
     Computers: FAT, NTFS, HFS, EXT
  46. Computers vs. Mobile Phones
     Computers: FAT, NTFS, HFS, EXT
     Mobile phones: Motorola proprietary, XSR, MCU, INODI855, P2K, YAFFS, JFFS2, Symbian FS, EFS2, QCP, DCT4, OSE, EXT, EXTx, FAT
  47. Decoding Challenge: The most powerful decoding, analysis & reporting tool in the industry
  48. Decoding (All rights reserved © 2011, Cellebrite)
     (figure: file system, SMS, email, calls, file system reconstruction)
  49. Physical Analyzer: Decoding
  50. Decoding – iOS Physical Extraction
  51. Advanced Applications Decoding
  52. Image Carving
     - Powerful tool for recovering deleted image files and fragments of files (where only part of the file is still available)
     - Only applicable for physical extraction
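The image carving slide says carving needs a physical extraction: that is because a carver ignores the file system and scans the raw bytes, including unallocated space, for file signatures. As an added example (not Cellebrite code, and not tied to any product), this Python function carves JPEGs out of a constructed dump and flags a fragment whose tail was overwritten:

```python
"""JPEG carving over a raw physical dump (added example; the dump is constructed)."""

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker, followed by an APPn marker byte
EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_jpegs(dump: bytes, max_size: int = 1 << 20):
    """Return a list of (offset, data, complete) for each JPEG-looking region.

    complete is False when no EOI marker follows within max_size bytes, which
    is how a fragment (file tail overwritten) shows up in a physical dump.
    """
    found = []
    pos = 0
    while True:
        start = dump.find(SOI, pos)
        if start == -1:
            break
        end = dump.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            # Fragment: keep what is there so the examiner can still inspect it
            found.append((start, dump[start:start + max_size], False))
            pos = start + len(SOI)
        else:
            found.append((start, dump[start:end + len(EOI)], True))
            pos = end + len(EOI)
    return found


def build_sample_dump() -> bytes:
    """Constructed dump: two whole JPEGs (one sitting in 'unallocated' space
    after a 0xFF filler run) plus a truncated fragment, with zero padding."""
    jpeg_a = SOI + b"\xe0" + b"JFIF-A" * 4 + EOI          # 30 bytes at offset 64
    jpeg_b = SOI + b"\xe1" + b"Exif-B" * 8 + EOI          # at offset 145
    fragment = SOI + b"\xe0" + b"partial" * 3             # no EOI: tail overwritten
    return (b"\x00" * 64 + jpeg_a + b"\xff" * 32
            + b"allocated text data" + jpeg_b + b"\x00" * 16 + fragment)


if __name__ == "__main__":
    for offset, data, complete in carve_jpegs(build_sample_dump()):
        state = "complete" if complete else "FRAGMENT"
        print(f"offset {offset:6d}  {len(data):5d} bytes  {state}")
```

A real carver would also validate the JPEG segment structure between the markers, since 0xFFD9 can occur inside compressed data and the simple marker scan above can terminate a file early.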
  53. Decoded Data: Locations – Standalone GPS Units & Smartphones
  54. Extraction & Analysis: GPS Devices
     Supporting 75% of the GPS market
  55. Smart Phone Location Data
     - Cell tower locations
     - Wi-Fi locations
     - Geotagged media locations
     - Harvested locations
     - GPS fixes
  56. View in Google Earth
  57. UFED Phone Detective: Identifies mobile phone vendor & model
  58. UFED Phone Detective
  59. UFED Phone Detective
     - Identifies phone quickly
     - Answer up to 8 questions related to visual attributes, or identify by TAC
     - Phone is identified & displayed according to filtered results
     - Shows phone & data supported for extraction
     - Database of more than 4,000 phones
  60. www.PhoneScoop.com
     - Enter model of phone
     - Scroll down to the FCC line to obtain a copy of the manual
     - Save a copy of the manual to file
  61. iPhone Hardware Versions
     iPhone (2007), iPhone 3G (2008), iPhone 3GS (2009), iPhone 4 (2010), iPhone 4S (2011), iPhone 5 (2012)
  62. Cellebrite's Unique Approach to the iOS Challenge
     - State of the art physical extraction wizard
     - Support for iPhone, iPod Touch and iPad: iPhone, iPhone 3G, iPhone 3GS, iPhone 4 GSM, iPhone 4 CDMA, iPhone 4S, iPad 1, iPod Touch 1G, iPod Touch 2G, iPod Touch 3G, iPod Touch 4G
     - Support for the widest variation of iOS versions
     - Locked, unlocked, "jailbroken" and "non-jailbroken", encrypted/non-encrypted devices
     - Passcode recovery
     - Revolutionary decoding
  63. Physical Extraction Wizard
  64. Cellebrite's Unique Approach to the iOS Challenge (cont.)
     - Keychain decryption (application passwords)
     - Integrated SQLite browser
     - iPhone configuration files (Plist and BPlist)
     - iMessages
  65. Keychain Decryption
  66. Integrated SQLite Browser
  67. Facebook Decryption
  68. Most Popular iPhone Passwords
     http://amitay.us/blog/files/most_common_iphone_passcodes.php
  69. Android Challenges: Vendors using various chipsets
  70. Android Challenges
     - Multiple OS versions
     - Memory types
     - Multiple file systems: YAFFS2, FAT32, Ext2, Ext3, Ext4
     - FTL types: Qualcomm FTL, FSR, more
  71. Please raise your hand if you bumped into this scenario…
  72. Pattern Lock Extraction (figure: 3x3 pattern grid numbered 1–9)
  73. "Smudge Attack" Pattern Lock Analysis
     For those of you that are lucky enough:
  74. BlackBerry Physical Extraction
     - Covering dozens of models
     - Any BlackBerry OS version – 4, 5, 6, 7.x
     - Using Cellebrite proprietary boot loaders ensuring a forensically sound process
     - Applicable for non-locked devices or devices with known password
     - Non-encrypted/encrypted devices
     Supported models: 7100, 7130e, 7250, 7520, 7750, 8130 Pearl, 8230 Pearl Flip, 8330 Curve, 8350i Curve, 8530 Curve II, 8703e, 8830, 9330 Curve 3, 9350 Curve, 9350 Curve Sedona, 9370 Curve, 9530 Storm, 9550 Storm 2, 9630 Tour, 9650 Bold, 9670 Style, 9850 Torch, 9930 Bold, 8300 Curve, 9380 Curve, 9380 Orlando, 7100, 7130v, 7290, 8100 Pearl, 8110 Pearl, 8120 Pearl, 8220 Pearl Flip, 8300 Curve, 8310 Curve, 8320 Curve
     First to release physical extraction for dozens of BlackBerry devices
  75. Decoding
  76. BlackBerry Decoding
     - UFED physical extraction or chip-off
     - BlackBerry OS 4, 5, 6, 7.x
     - Deleted data recovery
     - Real-time decryption of protected content from selected BlackBerry devices running OS 4-6, using a given password
  77. Analyzed Data – Special to BlackBerry
     - Contacts – phones, emails, photos, addresses, PIN
     - Recent email address (OS 6 and above)
     - BlackBerry Messenger contact list
     - BlackBerry Messenger (BBM): user details (display name, PIN); contact list (display name, PIN, email if exists); chats: sender, body, timestamp
     Cellebrite exclusive – decoding of BlackBerry Messenger history even when configured as 'never'
  78. Questions? Answers!
  79. Thank You
     www.cellebrite.com
     Ronen@CellebriteUSA.com
     Mobile: 201-500-8182
