In the last quarter of 2011, a Raleigh, N.C.-area doctor sensed something was off with his wife. She was acting too perfect, as if she was covering something up, but he had no evidence. He even checked out her iPhone, but found nothing suspicious.
Until a few years ago, the doctor wouldn't have been able to glean any evidence from his wife's phone without spending a lot of money and taking possession of the iPhone long enough to arouse his wife's suspicions. Finding deleted files and nonstandard information on a smartphone was almost impossible back then because you could only extract data on a given smartphone's terms, explains Derek Ellington, president of Ellington IT & Forensics. "Everything you got was filtered through the phone's own software, and usually didn't include much in the way of deleted files," he says.
In 2009, smartphone use was exploding and some of Ellington's clients, family law firms in the Raleigh area, were looking for ways to access hidden data from phones. To find and extract hidden data from mobile devices, he initially looked to third parties for assistance, with no luck.
Ellington began researching options that his firm could use in-house. He had several criteria for his ideal technology. It needed to work across a wide range of phones and carriers; provide credible, forensically sound data that could hold up in court; and not be prohibitively expensive.
Options in Ellington's price range of $10,000 were limited. For iPhones, he evaluated the Zdziarski Technique, but it did not meet his standards. "You had to make changes to an iPhone in order to install the tools necessary to copy the physical image from the phone," Ellington says.
Frustrated, he checked out what law enforcement, government agencies, and large forensics firms used to extract cell phone data. Two vendors seemed to be dominant: Glen Rock, N.J.-based Cellebrite, and Lindon, Utah-based AccessData.
Cellebrite specializes in hardware and software that backs up and restores data to mobile phones, transfers content between phones, and performs forensic data capture on mobile devices. The company launched its forensic product, the Universal Forensic Extraction Device, better known as UFED, in 2007. The UFED product line, which includes software and related appliances, extracts, decodes, and analyzes data from thousands of mobile phones, tablets, and other devices, including devices manufactured with Chinese chipsets.
AccessData Mobile Phone Examiner Plus, or MPE+, is a standalone mobile forensics software product that is also available on a preconfigured touch-screen tablet for conducting mobile forensics in the field. MPE+ creates data images from mobile devices and works with Forensic Toolkit (FTK) computer forensics software to surface evidence from multiple mobile devices. In August 2010, Ellington purchased a license for AccessData's MPE+ for $3,500 when the product was in its infancy, but said he was disappointed that it was not more "plug and play": MPE+ runs on Windows and requires drivers. He turned to Cellebrite's UFED, which uses its own operating system, and found it more user friendly, "even if you don't know anything about computers," he explained.
In April 2010, Ellington paid about $9,000 for the UFED Ultimate package, along with additional seats of UFED's Physical Analyzer software. The UFED Ultimate package includes the UFED, a small handheld unit with a built-in SIM card reader and Bluetooth connectivity. It comes with more than 70 cable adapters to connect the UFED to mobile devices of major carriers. The package also includes a 15-volt AC power supply, a 12-volt car adapter, and a carrying case that includes a cable organizer.
In addition to UFED's Physical Analyzer software, the Ultimate package includes UFED Phone Detective software, which reads a phone's vendor and model without having to open up the phone. It also includes a standalone UFED Reader, to view investigative results from Cellebrite software.