Extracting and Decoding Smartphone and Tablet Evidence with the UFED Series: An In-Depth Demo

Posted on 07-May-2015


DESCRIPTION

As mobile device manufacturers improve device and operating system security measures in a bid to protect user data, the forensic process becomes more complex. In this hands-on demo, learn how UFED rises to the challenge with advanced technology, including advanced bootloaders enabling physical extractions and enhanced logical extraction enabling app file system extractions even within logical examinations.

TRANSCRIPT

Presenters:

Sonny Farinas – Sales

Lee Papathanasiou – Sales Engineer

UFED Series

Delivering mobile forensic solutions

Confidential: Not for distribution - © Cellebrite 2012

Introduction - Cellebrite


Established in 1999, Cellebrite is a world leader in mobile forensics, backup and synchronization solutions

A fully-owned subsidiary of Sun Corporation, a publicly traded company on JASDAQ based in Nagoya, Japan

Based in Israel with offices in the USA, Germany, Brazil, Singapore

More than 60 distributors Worldwide

Over 250 employees (150+ dedicated to R&D)

Forensic customers include highly respected national and local divisions of governmental, military and intelligence agencies.

Over 100,000 units deployed worldwide (UME and UFED)


Market Sectors

UFED solutions are being used worldwide in the following market sectors:

Police forces

Military

Tax authorities

Customs

Stock authorities

Anti-terror agencies

Police academies

Forensic specialists

Border controls

Special forces

Intelligence services

Enterprises

Why Cellebrite?


Technical Foundation

Sales and Tech Support

Strategic Partnership with key Market Leaders

Customer Base

Manufacturer and Carrier Relationship

Creator of Market Trends

*Cellebrite is built to keep up with the future!


User Questionnaire

Understand Market Needs

Help with our road map and business strategy

Contact users or anonymous

Comments, questions or suggestion box

How can we provide a better product?

*Turn in the forms after the meeting

Goals

Identify best practices for mobile forensics

Become familiar with the type of data that can be stored on mobile devices and what can be extracted

Understand the background of mobile forensics along with the challenges in the process of extracting and decoding the data

Discover Cellebrite Forensic Solutions

Best Practices

Mobile Forensics

Scenario

It is midnight on a Friday, and it is just beginning to sprinkle with rain. You are the first officer at the scene of a homicide in which the victim has been shot several times by a single shooter. Witnesses point out a cell phone that they saw the suspect using and throw away as he left the scene. It is clear that the device is still on.

Considerations

Airplane mode?

Shielding?

Signal Jammer?

Dangers of leaving it on and transporting the device

Remove SIM card?

UFED Touch: Hardware Description

Exclusively designed for mobile forensics


UFED Products

UFED Logical: Data stored in the memory is acquired by using the file system or the phone's proprietary protocol (known communication protocols: AT commands, OBEX, etc.). The logical approach represents the live system on the phone, that is, the data that actually exists on the phone.

UFED Ultimate: Bit-by-bit copy of the phone's physical memory and file system, including unallocated areas. The main effort in physical extraction is to obtain the extra data (such as deleted files).

UFED Comparison

Portable – easy to carry

10x Faster Extraction Speeds

Device Features:

• 7” touch screen w/ Stylus

• Windows XP (Locked Down)

• Built-in WiFi/Bluetooth & Ethernet port

• SIM card reader/writer slot

• SD card reader slot

• USB 2.0 Ports

• RJ-45 Ports

• 64 GB Internal SSD – for Software Upgrades & Expansion

• 5 Hour Lithium-ion Battery w/ Battery Status Indicator

• Compatible with External Hard Drives

UFED Touch: Vast Extraction Speed Enhancements


UFED Touch: Hardware

Speakers

Touch Screen

Navigation Keys

Right Mouse Click Key

Left Mouse Click Key


Tips & Connectors

Removed a total of 70 feet of cable from the old kit

Extract & charge simultaneously

Tip connectors in a magnetic holder replace long phone connector cables

Color coordinated for simple & quick identification

UFED Classic Cable Kit

UFED Touch Cable Kit

Software Upgrades

Software Upgrade Schedule

- Upgrades are released every 4 to 6 weeks

- Includes software upgrades to the UFED Touch as well as the Physical Analyzer PC software

Automatic Upgrade Process

- Connect the UFED Touch to a Wi-Fi network or Ethernet cable

- The UFED Touch will automatically prompt you to download the latest upgrade when it is released

Manual Upgrade Process

- An email is sent automatically, including download links to the upgrade files as well as full release notes

- Log in to the MyCellebrite portal to manage your license and download the latest upgrade files

- Save the upgrade file to a USB flash drive and connect it to the UFED Touch to perform the upgrade

Need Assistance?

Technical Support – based out of the New Jersey office (no outsourcing)

- Phone support: Mon – Fri, 9am – 7pm EST

- Email support: 7 days a week, 9am – 9pm EST

Warranty & Repair – based out of the New Jersey office (no outsourcing)

- Call in to Tech Support for an RMA #

- Unit will be repaired or replaced

- No repair/replacement cost

License includes full warranty

User Interface

Straightforward user experience


UFED Touch: GUI


UFED Touch: Logical Extraction

Extraction Destinations:

Logical Extraction Output

Mobile Forensics


Mobile Device Usage

Mobile device market keeps growing

Data acquired from mobile devices continues to be used as evidence in criminal, civil and even high-profile cases.

People use mobile devices to store and transmit personal and corporate information

Mobile devices are used for online transactions, web browsing, navigation, instant messaging and more

Platforms


Device Support

UFED Touch supports the widest range of mobile devices & major mobile platforms


Test Devices


Connectivity

UFED Touch Ultimate: Extraction Capabilities

All-Inclusive Logical & Physical Extraction

The NEW Industry Standard in Mobile Forensics


Logical vs. File System vs. Physical extraction

Logical: SMS, Contacts, Call logs, Media

File System: SMS, Contacts, Call logs, Media, Files, Hidden Files

Physical: SMS, Contacts, Call logs, Media, Files, Hidden Files, Deleted data

Chart axes: Extracted Data vs. Extraction Speed

Can I have your SMS?

UFED Logical Extraction


Can I have your pictures as well?

UFED Logical Extraction (2)


How about the emails, please?

NO

UFED Logical Extraction (3)


Can I copy your File System?

Sure Thing. Good luck with Decoding!

UFED File System Dump


Good morning, sir.

Please run this program for me.

Here’s my memory. Have a blast figuring it out!

UFED Physical Dump


Mobile Forensic Challenges


Hardware Based Data Extraction Methods

Hardware-based methods involve a combination of software and hardware to break or bypass authentication mechanisms and gain access to the device.

■ Hardware-based methods include the following:

■ Gain access through a hardware interface (JTAG)

■ Examine memory independently of the device using a memory chip reader

■ Find and exploit vulnerabilities

When All Else Fails

ZRT2 from www.fernico.com


CHINEX – Cellebrite’s Solution for Chinese Knock-Off Devices


UFED Physical Analyzer (deleted data)


Fake Apple & Android Stores

File Systems Challenge

Computers: FAT, NTFS, HFS, EXT

Mobile Phones: Motorola Proprietary, XSR, MCU, INOD, I855, P2K, Yaffs, JFFS2, Symbian FS, EFS2, QCP, DCT4, OSE, EXT, EXTx, FAT

Decoding Challenge

The most powerful decoding, analysis & reporting tool in the industry

All rights reserved © 2011, Cellebrite

File system

SMS

Email

Calls

File system reconstruction

Decoding

Physical Analyzer: Decoding


Decoding – iOS Physical Extraction


Advanced Applications Decoding


Image Carving

Powerful tool for recovering deleted image files and file fragments (where only part of the file is still available)

Only applicable for physical extraction
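The distinction drawn earlier between the logical view (what the live file system reports) and the physical view (every byte, including unallocated space), and the carving of image files and fragments that only a physical extraction allows, can be illustrated with a small script. This is an added example, not Cellebrite's code or UFED's image format: the flat "flash image" layout, its allocation table, and the JPEG-shaped blobs are all constructed here for illustration; only the JPEG start/end markers (FF D8 FF / FF D9) are real.

```python
"""Toy illustration of logical vs. physical acquisition and image carving.

A constructed flat 'flash image' holds a small allocation table followed by a
data area. The logical view trusts the table (what the live system reports);
the physical view scans every byte, which is the only way to find files whose
table entry has been marked deleted, and fragments with no table entry at all.
"""
import struct

# Real JPEG markers: Start Of Image (FF D8, followed by an FF marker) and End Of Image.
SOI = b"\xff\xd8\xff"
EOI = b"\xff\xd9"

# Constructed table layout: name, offset, length, flags (1 = live, 0 = deleted).
ENTRY = struct.Struct("<8sIIB")
TABLE_ENTRIES = 4                 # fixed-size table; unused slots are zero-filled
DATA_START = ENTRY.size * TABLE_ENTRIES


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed JPEG-shaped blob: SOI, an APP0/JFIF header, payload, EOI."""
    return SOI + b"\xe0" + b"\x00\x10JFIF\x00" + payload + EOI


def build_image() -> bytes:
    """Constructed sample dump: one live file, one deleted file, one orphan fragment."""
    live = fake_jpeg(b"cat-photo" * 3)
    deleted = fake_jpeg(b"deleted-selfie" * 2)
    fragment = SOI + b"\xe0" + b"partial-" * 4      # header but no EOI: truncated file
    data = live + b"\x00" * 16 + deleted + b"\x00" * 16 + fragment + b"\x00" * 32
    # live.jpg is allocated; old.jpg is marked deleted (flag 0) but its bytes remain.
    entries = [
        ENTRY.pack(b"live.jpg", DATA_START, len(live), 1),
        ENTRY.pack(b"old.jpg", DATA_START + len(live) + 16, len(deleted), 0),
    ]
    table = b"".join(entries) + b"\x00" * (ENTRY.size * (TABLE_ENTRIES - len(entries)))
    return table + data


def logical_view(image: bytes) -> dict:
    """What a logical acquisition sees: only entries the file system still reports as live."""
    files = {}
    for i in range(TABLE_ENTRIES):
        name, off, length, flags = ENTRY.unpack_from(image, i * ENTRY.size)
        if flags == 1 and length:
            files[name.rstrip(b"\x00").decode()] = image[off:off + length]
    return files


def carve_jpegs(image: bytes, max_fragment: int = 64) -> list:
    """Physical-side carving: find every SOI and pair it with the next EOI.

    Returns (offset, data, complete) tuples; a header with no following EOI is
    reported as an incomplete fragment, capped at max_fragment bytes.
    """
    found = []
    pos = image.find(SOI)
    while pos != -1:
        end = image.find(EOI, pos + len(SOI))
        if end != -1:
            found.append((pos, image[pos:end + len(EOI)], True))
            pos = image.find(SOI, end + len(EOI))
        else:
            found.append((pos, image[pos:pos + max_fragment].rstrip(b"\x00"), False))
            break
    return found


if __name__ == "__main__":
    img = build_image()
    print("logical view sees:", sorted(logical_view(img)))
    for off, blob, complete in carve_jpegs(img):
        print(f"carved @ {off:#06x} {len(blob):3d} bytes complete={complete}")
```

Run stand-alone, the logical view lists only `live.jpg`, while carving the same bytes recovers the deleted file intact and flags the trailing fragment as incomplete; that gap is exactly the "extra data" the slides attribute to physical extraction.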

Standalone GPS Units & Smartphones

Decoded Data: Locations

Extraction & Analysis: GPS Devices

Supporting 75% of the GPS market

Smart Phone Location Data

Cell Tower Locations

Wi-Fi Locations

GeoTagged Media Locations

Harvested Locations

GPS Fixes

View in Google Earth
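To show how the location sources listed above end up on a map, the following added example (not Cellebrite's code) merges constructed records from several source types into a KML document that Google Earth can open. The records, SSID, cell identifiers and coordinates are made up; the degrees/minutes/seconds conversion reflects how EXIF geotags store coordinates as rationals with an N/S/E/W reference.

```python
"""Merge location records from several sources into a KML file for Google Earth.

Records are constructed examples of the source types a smartphone yields (cell
towers, Wi-Fi, geotagged media, GPS fixes). EXIF stores coordinates as
degrees/minutes/seconds rationals with N/S/E/W reference letters, so geotagged
media need a conversion to signed decimal degrees before they can be plotted.
"""
import xml.etree.ElementTree as ET
from fractions import Fraction

KML_NS = "http://www.opengis.net/kml/2.2"


def dms_to_decimal(dms, ref: str) -> float:
    """Convert EXIF-style ((deg, min, sec) rationals, 'N'|'S'|'E'|'W') to decimal degrees."""
    deg, mins, secs = (Fraction(n, d) for n, d in dms)
    value = float(deg + mins / 60 + secs / 3600)
    return -value if ref in ("S", "W") else value


def sample_records() -> list:
    """Constructed records: (source, label, lat, lon, timestamp)."""
    photo_lat = dms_to_decimal(((40, 1), (41, 1), (2142, 100)), "N")
    photo_lon = dms_to_decimal(((73, 1), (59, 1), (1578, 100)), "W")
    return [
        ("Cell Tower", "LAC 1234 / CID 5678", 40.7100, -74.0000, "2013-03-01T09:00:00Z"),
        ("Wi-Fi", "SSID CoffeeShop", 40.7120, -74.0050, "2013-03-01T09:05:00Z"),
        ("GeoTagged Media", "IMG_0001.JPG", photo_lat, photo_lon, "2013-03-01T09:10:00Z"),
        ("GPS Fix", "Navigation app", 40.7150, -74.0100, "2013-03-01T09:15:00Z"),
    ]


def records_to_kml(records) -> str:
    """Build a KML document with one Folder per source type and one Placemark per record."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = ET.SubElement(kml, f"{{{KML_NS}}}Document")
    folders = {}
    for source, label, lat, lon, ts in records:
        if source not in folders:
            folder = ET.SubElement(doc, f"{{{KML_NS}}}Folder")
            ET.SubElement(folder, f"{{{KML_NS}}}name").text = source
            folders[source] = folder
        pm = ET.SubElement(folders[source], f"{{{KML_NS}}}Placemark")
        ET.SubElement(pm, f"{{{KML_NS}}}name").text = label
        stamp = ET.SubElement(pm, f"{{{KML_NS}}}TimeStamp")
        ET.SubElement(stamp, f"{{{KML_NS}}}when").text = ts
        point = ET.SubElement(pm, f"{{{KML_NS}}}Point")
        # KML coordinate order is longitude,latitude[,altitude], the reverse of "lat, lon".
        ET.SubElement(point, f"{{{KML_NS}}}coordinates").text = f"{lon:.6f},{lat:.6f},0"
    return ET.tostring(kml, encoding="unicode")


def count_placemarks(kml_text: str) -> dict:
    """Parse KML back and count placemarks per folder (a sanity check on the output)."""
    root = ET.fromstring(kml_text)
    ns = {"k": KML_NS}
    return {
        f.find("k:name", ns).text: len(f.findall("k:Placemark", ns))
        for f in root.findall(".//k:Folder", ns)
    }


if __name__ == "__main__":
    text = records_to_kml(sample_records())
    print(count_placemarks(text))
    print(text)
```

Keeping one folder per source lets an examiner toggle cell-tower estimates (coarse) separately from GPS fixes (precise) in Google Earth, and the `TimeStamp` elements make the time slider work.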

UFED Phone Detective

Identifies mobile phone vendor & model


UFED Phone Detective

Identifies phone quickly

Answer up to 8 questions related to visual attributes, or search by TAC

Phone is identified & displayed according to filtered results

Shows phone & data supported for extraction

Database of more than 4,000 phones
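Identification by TAC works because the first eight digits of a 15-digit IMEI are the Type Allocation Code assigned to a make and model; the next six are the serial number and the last is a Luhn check digit. The following added example (not Phone Detective's code or database) parses an IMEI, validates the check digit, and resolves the TAC against a small table; the TAC values and model names in the table are constructed placeholders, not real allocations.

```python
"""TAC lookup in the style of a phone-identification database.

The IMEI is 15 digits: an 8-digit Type Allocation Code (TAC) that identifies the
make and model, a 6-digit serial number, and a Luhn check digit. The TAC table
below is constructed for illustration; real allocations come from the GSMA.
"""

# Constructed sample table: TAC -> (vendor, model). Values are placeholders.
TAC_TABLE = {
    "35123456": ("ExampleVendor", "Model A"),
    "01234567": ("ExampleVendor", "Model B"),
}


def luhn_check_digit(digits: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk right to left; double every other digit starting with the rightmost.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split an IMEI into TAC, serial and check digit, and validate the check digit."""
    cleaned = "".join(c for c in imei if c.isdigit())   # tolerate "35-123456-000001-0"
    if len(cleaned) != 15:
        raise ValueError(f"IMEI must be 15 digits, got {len(cleaned)}")
    tac, serial, check = cleaned[:8], cleaned[8:14], int(cleaned[14])
    return {
        "tac": tac,
        "serial": serial,
        "check_digit": check,
        "luhn_valid": luhn_check_digit(cleaned[:14]) == check,
    }


def identify(imei: str) -> dict:
    """Resolve the handset model from the TAC, reporting unknown TACs explicitly."""
    info = parse_imei(imei)
    vendor, model = TAC_TABLE.get(info["tac"], ("unknown", "unknown"))
    return {**info, "vendor": vendor, "model": model}


def make_imei(tac: str, serial: str) -> str:
    """Build a syntactically valid IMEI for a constructed test case."""
    body = tac + serial
    return body + str(luhn_check_digit(body))


if __name__ == "__main__":
    sample = make_imei("35123456", "000001")      # constructed value
    print(sample, identify(sample))
```

A failed Luhn check does not mean the TAC lookup is wrong, but it is a useful flag that the digits were mistyped or read from a damaged label, so the result keeps both facts separate.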

www.PhoneScoop.com

Enter model of phone

Scroll down to the FCC line to obtain copy of the manual

Save copy of the manual to file


iPhone Hardware Versions

iPhone (2007)

iPhone 3G (2008)

iPhone 3GS (2009)

iPhone 4 (2010)

iPhone 4S (2011)

iPhone 5 (2012)

Cellebrite’s Unique Approach to the iOS Challenge

State of the art physical extraction wizard

Support for iPhone, iPod Touch and iPad: iPhone, iPhone 3G, iPhone 3GS, iPhone 4 GSM, iPhone 4 CDMA, iPhone 4S, iPad 1, iPod Touch 1G, iPod Touch 2G, iPod Touch 3G, iPod Touch 4G

Support for the widest variation of iOS versions

Locked, unlocked, "jailbroken" and "non-jailbroken", encrypted/non-encrypted devices

Passcode recovery

Revolutionary decoding

Physical Extraction Wizard


Cellebrite’s Unique Approach to the iOS Challenge (cont.)

Keychain decryption (application passwords)

Integrated SQLite Browser

iPhone configuration files (Plist and BPlist)

iMessages
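For the plist and SQLite items above, the following added example (not Cellebrite's code) shows that Python's plistlib reads XML and binary (bplist) property lists through the same call, and how an app database is queried once its timestamps are converted from the seconds-since-2001-01-01 epoch ("Mac absolute time") that many iOS databases use. The settings dictionary, the message table and its rows are constructed; the column names are not taken from any real app.

```python
"""Parse iOS-style configuration files and query an app database.

plistlib handles both XML and binary (bplist) property lists, so the same loader
serves both formats. The SQLite table and its rows are constructed here as a
stand-in for an app database; the column names are not taken from any real app.
Many iOS databases store times as seconds since 2001-01-01 UTC ("Mac absolute
time"), which is converted to ISO-8601 below.
"""
import datetime as dt
import io
import plistlib
import sqlite3

MAC_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)


def load_plist(data: bytes) -> dict:
    """Load a plist regardless of encoding; plistlib sniffs XML vs. binary itself."""
    return plistlib.load(io.BytesIO(data))


def plist_format(data: bytes) -> str:
    """Report which container format a plist blob uses (bplist00 magic vs. XML)."""
    return "binary" if data.startswith(b"bplist00") else "xml"


def mac_absolute_to_iso(seconds: float) -> str:
    """Convert Mac absolute time to an ISO-8601 UTC string."""
    return (MAC_EPOCH + dt.timedelta(seconds=seconds)).isoformat()


def sample_plists() -> dict:
    """Constructed settings, serialised once as XML and once as binary plist."""
    settings = {"AccountName": "demo@example.invalid", "SyncEnabled": True, "Retries": 3}
    return {
        "xml": plistlib.dumps(settings, fmt=plistlib.FMT_XML),
        "binary": plistlib.dumps(settings, fmt=plistlib.FMT_BINARY),
    }


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database shaped like a simple message store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle TEXT, text TEXT, date REAL)"
    )
    rows = [
        ("+15550100", "meet at 9", 347068800.0),     # constructed: 2012-01-01 00:00:00 UTC
        ("+15550101", "running late", 347072400.0),  # constructed: one hour later
    ]
    conn.executemany("INSERT INTO message (handle, text, date) VALUES (?, ?, ?)", rows)
    return conn


def messages_after(conn: sqlite3.Connection, since_iso: str) -> list:
    """Query messages newer than a UTC time, binding the converted date as a parameter."""
    since = dt.datetime.fromisoformat(since_iso)
    mac_time = (since - MAC_EPOCH).total_seconds()
    cur = conn.execute(
        "SELECT handle, text, date FROM message WHERE date > ? ORDER BY date", (mac_time,)
    )
    return [(handle, text, mac_absolute_to_iso(date)) for handle, text, date in cur]


if __name__ == "__main__":
    blobs = sample_plists()
    for kind, blob in blobs.items():
        print(kind, plist_format(blob), load_plist(blob))
    print(messages_after(build_sample_db(), "2012-01-01T00:30:00+00:00"))
```

Converting the epoch in Python rather than in SQL keeps the query a plain parameterised `SELECT`, so the same code works whether the examiner opens the database in a browser or scripts the export.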


Keychain Decryption


Integrated SQLite Browser


Facebook Decryption


Most Popular iPhone Passwords

http://amitay.us/blog/files/most_common_iphone_passcodes.php


Android Challenges

Vendors using various chipsets

Android Challenges

Multiple OS Versions

Memory Types

Multiple File systems

• YAFFS2

• FAT32

• Ext2

• Ext3

• Ext4

FTL Types

• Qualcomm FTL

• FSR

• More


Please raise your hand if you bumped into this scenario…


Pattern Lock Extraction


1 2 3

4 5 6

7 8 9


“Smudge Attack” Pattern Lock Analysis

For those of you that are lucky enough:


BlackBerry Physical Extraction

Covering dozens of models

Any BlackBerry OS version – 4, 5, 6, 7.x

Using Cellebrite proprietary boot loaders, ensuring a forensically sound process

Applicable for non-locked devices or devices with known password

Non-encrypted/encrypted devices

7100

7130e

7250

7520

7750

8130 Pearl

8230 Pearl Flip

8330 Curve

8350i Curve

8530 Curve II

8703e

8830

9330 Curve 3

9350 Curve

9350 Curve Sedona

9370 Curve

9530 Storm

9550 Storm 2

9630 Tour

9650 Bold

9670 Style

9850 Torch

9930 Bold

8300 Curve

9380 Curve

9380 Orlando

7100

7130v

7290

8100 Pearl

8110 Pearl

8120 Pearl

8220 Pearl Flip

8300 Curve

8310 Curve

8320 Curve

8520 Curve

8700f

8700v

8707

8800

8820

8900 Curve

8910

9000 Bold

9100 Pearl

9105 Pearl 3G

9300 Curve

9300 Curve 3G

9350 Curve

9360 Curve

9500 Storm

9520 Storm2

9530 Storm

9550 Storm 2

9630 Tour

9700 Bold

9700 Onyx

9780 Bold

9780 Onyx II

9800 Torch

9810 Torch

9860 Monza

9860 Torch

9900 Bold

First to release physical extraction for dozens of BlackBerry devices

Decoding


BlackBerry Decoding

UFED Physical Extraction or Chip-off

BlackBerry OS 4, 5, 6, 7.x

Deleted data recovery

Real-time decryption of protected content from selected BlackBerry devices running OS 4-6 using a given password

Analyzed Data – Special to BlackBerry

Contacts – phones, emails, photos, addresses, PIN

Recent email address (OS 6 and above)

BlackBerry Messenger contact list

BlackBerry Messenger (BBM):

User details (display name, PIN)

Contact list (display name, PIN, email if exists)

Chats: Sender, Body, Timestamp

Cellebrite exclusive – Decoding of BlackBerry Messenger history even when configured as ‘never’

Questions?

Answers!

Thank You

www.cellebrite.com

Ronen@CellebriteUSA.com

Mobile: 201-500-8182
