OPERATIONS OF CELLEBRITE.pptx
1. QUESTION 3
DISCUSS THE OPERATIONS OF CELLEBRITE
BY GROUP D
8/29/2022 MSC CSDF557 GROUP D 1
2. CELLEBRITE
• Cellebrite is an Israeli company that, “makes software to
automate physically extracting and indexing data from mobile
devices.”
• Cellebrite’s products are part of the industry of “mobile device
forensics” tools.
• “The mobile forensics process aims to recover digital evidence or
relevant data from a mobile device in a way that will preserve
the evidence in a forensically sound condition,” using accepted
methods, so that it can later be presented in court.
13/08/2022 MSC CSDF560 GROUP D 2
3. What do Cellebrite’s products do?
Cellebrite has a few different products, but as relevant here,
there’s a two-part system in play:
• the first part, called UFED (which stands for Universal
Forensic Extraction Device), extracts the data from a mobile
device and backs it up to a Windows PC,
• and the second part, called Physical Analyzer, parses and
indexes the data so it’s searchable. So, take the raw data out,
then turn it into something useful for the user, all in a
forensically sound manner.
4. Operations of Cellebrite
• Physical Extraction
To allow the most comprehensive and detailed analysis of the device,
Cellebrite's physical extraction capability reads the additional data layers,
in both allocated and unallocated space, that make up the phone's physical
storage, rather than only what the operating system chooses to expose. These
layers include three groups of content pertinent to investigators:
1. "Logical" content that is not reachable through the vendor API (e.g. call logs on
smartphones and feature phones)
2. Deleted content, which survives in unallocated space until it is overwritten
3. Content that the phone collects without any user action (and sometimes
without user knowledge). For example: wi-fi networks, GPS locations, web
history, email headers and EXIF data on images, and system data.
Note that on devices with full-disk or file-based encryption, a physical image
only yields usable data where the extraction also obtains the decryption keys.
5. Operations of Cellebrite
• Logical Extraction
• Logical extraction of data is performed, for the most part, through a
designated API (Application Programming Interface) provided by the device
vendor. Just as that API allows commercial third-party apps to communicate
with the device OS (operating system), it also enables forensically sound
data extraction.
• Upon connection, the UFED selects the vendor interface that matches the
device (for instance the Android Debug Bridge on Android or the backup
service on iOS) and issues read-only API calls to request data from the
phone. The phone answers valid API requests with the designated content
items, such as text messages (SMS), phonebook entries, pictures, etc.
Because only the OS's own interface is used, a logical extraction returns
just what the OS is willing to expose: deleted items and data outside the
API's scope are not recovered by this method.
6. Operations of Cellebrite
• File System Extraction
• Another logical method extends the examiner's reach to the phone's live
partition. Available with the UFED Ultimate license, a file system extraction
uses device-specific methods to copy the file system. While these are
comparable to the API used in logical methods, they rely on different sets of
built-in protocols, depending on the OS, and the mix of protocols often
differs from device family to device family.
• In some cases, with iOS devices, Android and BlackBerry® models, it may be
necessary to rely on device backup files to obtain hidden files and other
data that is not accessible through the phone's API.
7. Other Operations of Cellebrite
• Understanding File Header Patterns:
Cellebrite uses tables of file signatures ("magic numbers") to determine the
type of each file from its leading bytes rather than from its name or
extension. For example, a JPEG begins with the bytes FF D8 FF (the fourth
byte is the first marker after the start-of-image and varies: E0 for JFIF, E1
for Exif, FE for a comment segment). After identifying the type, the tool
assigns the file to a category; following the example, the JPEG would be
placed in the images folder, etc.
• Decoding Hex Values:
Similar to tools that let you encode and decode hex, the analyzer maps each
byte value to its ASCII character to render raw data as text, e.g. the hex
value 41 = 'A', etc. Bytes that have no printable ASCII character are shown as
a placeholder (usually a dot). Refer to the below table for the full ASCII
table.
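The physical extraction and file header slides above describe two steps that are easy to show in code: scanning a raw dump (allocated and unallocated space alike) for file signatures to recover files, deleted ones included, and decoding bytes as ASCII the way a hex viewer does. The script below is an added example written for this page, not Cellebrite's code; the "dump", the signature table and the carved file contents are constructed in-line so it runs offline. It also handles the edge case a simple carver must not get wrong: a header with no matching footer (a file that was overwritten) is reported as truncated instead of being merged into the next file.

```python
"""Signature-based file carving and hex-to-ASCII decoding.

Added illustration for this page (not Cellebrite's implementation).
SAMPLE_DUMP is a constructed stand-in for a physical memory image.
"""
import hashlib
import string
from typing import List, NamedTuple, Optional

# Header/footer pairs for a few common artefact types. JPEG is matched on
# FF D8 FF only: the fourth byte is the first marker after SOI and varies
# (E0 for JFIF, E1 for Exif, FE for a comment), so FF D8 FF FE is just one
# of several valid openings.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),          # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # PNG magic ... IEND chunk
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Category a recovered file is filed under once its type is known.
CATEGORY = {"jpeg": "images", "png": "images", "pdf": "documents"}


class Carved(NamedTuple):
    kind: str
    category: str
    offset: int
    data: bytes
    sha256: str  # hash taken at carve time so the evidence can be verified later


def identify(blob: bytes) -> Optional[str]:
    """Classify a file by its leading bytes, ignoring name and extension."""
    for kind, (header, _footer) in SIGNATURES.items():
        if blob.startswith(header):
            return kind
    return None


def carve(dump: bytes) -> List[Carved]:
    """Recover files from a raw dump by scanning for each header and cutting
    to the next matching footer. A header followed by another header before
    any footer, or by no footer at all, is a truncated/overwritten file: it
    is skipped rather than glued onto the next intact file."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = dump.find(header)
        while pos != -1:
            end = dump.find(footer, pos + len(header))
            nxt = dump.find(header, pos + len(header))
            if end == -1 or (nxt != -1 and nxt < end):
                if nxt == -1:
                    break          # nothing left to try for this type
                pos = nxt          # skip the truncated file, try the next header
                continue
            end += len(footer)
            data = dump[pos:end]
            found.append(Carved(kind, CATEGORY[kind], pos, data,
                                hashlib.sha256(data).hexdigest()))
            pos = dump.find(header, end)
    return sorted(found, key=lambda c: c.offset)


def hex_to_text(hexdump: str) -> str:
    """Decode a hex string like a hex viewer's ASCII column: printable ASCII
    bytes become their character (41 -> 'A'), everything else becomes '.'."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    return "".join(chr(b) if chr(b) in printable else "." for b in raw)


# Constructed sample: filler bytes standing in for allocated/unallocated
# space, with a complete JPEG, a complete PNG and a truncated JPEG (header
# but no EOI marker, as left behind by an overwritten deleted file).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-photo-bytes" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR...IDAT..." + b"IEND\xaeB`\x82"
SAMPLE_DUMP = (b"\x00" * 16 + FAKE_JPEG + b"deleted?" * 2
               + FAKE_PNG + b"\x00" * 8 + b"\xff\xd8\xff\xe1TRUNC")

if __name__ == "__main__":
    for item in carve(SAMPLE_DUMP):
        print(f"{item.kind:5} @ {item.offset:4d} -> {item.category}/ "
              f"{len(item.data)} bytes sha256={item.sha256[:16]}...")
    print(hex_to_text("48 65 6c 6c 6f 00 ff 41"))
```

Running the script lists the JPEG at offset 16 and the PNG at offset 54, each with its SHA-256, and leaves the truncated JPEG at offset 92 unreported; the hex line decodes to `Hello..A`. Real carvers also bound the search by a maximum file size and validate internal structure (PNG chunk lengths, JPEG segment markers) because footer bytes can occur by chance inside other data; that validation is omitted here to keep the signature logic visible.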