Every couple of months, I hope to bring you information about digital forensics or e-discovery tools and companies. This month, I had the opportunity to interview Christa M. Miller, Director of Mobile Forensics Marketing at Cellebrite. Cellebrite is the leading provider of mobile device forensics tools and is quickly becoming known for its training and certification program.
Christa M. Miller has worked for more than ten years as a journalist, specializing in digital forensics and other high-tech topics for public safety trade magazines. Miller has a B.A. in Economics from Whittemore School of Business and Economics at the University of New Hampshire, and is based in South Carolina.
Q: My readers are legal professionals. Their clients don’t have a lot of money for experts. When it comes to information contained on cellphones or tablets, it’s right there—the client comes in, brings up the data on the screen and VIOLA! There are the numbers dialed, details regarding incoming calls, text messages, chat logs, Internet history, etc.
First question, why pay an expert to use Cellebrite to download the data rather than just have the client testify to it and show the court? Isn’t it just a matter of the client’s veracity?
It is a matter of the client’s veracity, and that is the issue; plenty of clients would like to make false accusations against other people, and apps exist that would allow them to spoof threatening text messages, GPS data, etc. in order to “prove” that they had said something or done something that the court would frown upon.
Using Cellebrite hardware and software on both plaintiff’s and defendant’s devices can show who said or didn’t say what, who went or didn’t go to a particular place, and even whether spoofing or monitoring apps are or were installed on either device. Being able to drill into the phone’s memory does take expertise, so it is well worth the money to pay. Also, if you are not paying the expert, you are risking that the other side will, and that discovery could work against your client.
Q: When it comes to admitting mobile device data, what have you seen as major challenges with this evidence as compared to, say, electronically stored information that comes from a run-of-the-mill personal computer, data from a network or business records from an Internet Service Provider? Is it the nature of the witness or is it the nature of the data?
We really have not seen significant challenges to admissibility of this data. Keep in mind that mobile forensics is still a fairly young discipline, and a number of cases first tried in its early years – 2009, 2010 – are only now making their way to appeals courts, where admissibility questions are often raised.
In general, though, because our UFED (Universal Forensic Extraction Device) Physical Analyzer software provides the same deep look at the hexadecimal code in the phone’s memory as computer forensic software provides on a hard drive, experts can fulfill the requirement to validate what the software says is on the device. That validation could come from manually looking into the code, or it could come from other sources, such as a wireless carrier’s call detail records or an ISP’s user records.
One thing that readers should keep in mind is that the UFED’s process is consistent; it’s mobile device technology that is inconsistent. What we can extract from one device will not be true across all devices simply because of the variety of operating systems, memory chips, etc. In other words, failure to bypass a password or get deleted data isn’t a UFED failure; it’s more likely just that our engineers haven’t yet found a way to perform those functions.
Q: Can you tell us a little bit about what Cellebrite does and how?
Our UFED tools perform three different types of extractions: logical, file system, and physical. A logical extraction is the “what you see is what you get” process, the easiest and fastest of all the extractions. It relies upon the device’s API (Application Programming Interface) to retrieve data, basically extracting whatever data the manufacturer makes available via API.
A file system extraction, done on smartphones, goes a bit deeper. It also uses the manufacturer’s protocols, though these are different from the API, and are device/family-specific. For example, some file system extractions rely on the device backup method to extract data, and as a result it can obtain some deleted data still stored within the device’s file system structure.
A physical extraction is the most complete (and takes the longest) of all three extractions because it is a bit-for-bit copy of all the data on the device, including data in both allocated and unallocated space on the device’s memory. This includes deleted data and metadata.
All three methods, but especially file system and physical extractions, require extensive research and development around the way devices store data, how device passwords or passcodes work, how apps and devices encrypt data, etc. Cellebrite has more than 200 engineers dedicated to the R&D process, developing technology that enables password bypass, data decryption, and data decoding. (It should be noted that we encourage our users to obtain the legal authority they need before they perform these types of extractions.) We can authoritatively say that we have the most extensive support for Android-based devices in the industry, including Samsung, HTC, Motorola, LG, and other popular device models.
UFED Physical Analyzer also decodes the data extracted from file system and physical extractions. Data extracted via APIs and backups require no decoding because it is intrinsic to these methods, which present media files such as pictures and videos as they are seen on the device. However, data within other database files, such as those that contain text messages, must be separately decoded to parse out the messages. UFED Physical Analyzer automatically performs this decoding process, presenting decoded data both in human-readable format, and as raw data as stored in the device’s memory.
Decoding goes beyond extractions performed only with UFED hardware and software. UFED Physical Analyzer can also decode extractions obtained through other means, including methods known as “JTAG” and “chipoff.” These are used when UFED extraction tools don’t support devices, either because the device is damaged, or its data port is locked (as in the case with prepaid devices.) JTAG extractions use a device’s test access ports (used in manufacturers’ quality assurance processes), while chipoff extractions take advantage of the “wear leveling” process (also explained in the attached white paper). They allow investigators to obtain data directly from the device’s memory. Because criminals use prepaid devices, and damage their phones, in their efforts to conceal evidence, having this capability is very important to both public sector and private sector investigators.
Once the data has been decoded, it can be analyzed in a number of different ways. Both UFED Physical Analyzer and another of our software products, UFED Link Analysis, parse the data into visual analytics. The UFED Link Analysis software is designed to show links between people and places from multiple mobile devices. Investigators can visualize how people are connected, and how significant those connections are, across various communication methods (phone calls, text messaging, chat apps, et al.) and even locations (places in common). It also puts location visits and communications in a Timeline view so that investigators can contextualize the information.
UFED Physical Analyzer also has Timeline view and visual analytics, but with the added benefit (as mentioned above) of allowing forensic examiners to drill into the data and validate that certain evidence exists within the hexadecimal code on the device’s memory.
Q: A threshold issue when a client seeks to have a device examined is managing client expectations about the extraction. Can you explain why it is that we can’t always retrieve all the information from a mobile device?
As stated earlier, the information that any mobile forensic tool can retrieve from a device depends on the device. Because of how a smartphone interface looks and interacts – a touch screen with icons – it’s easy for a lot of people to think that all smartphones work exactly the same way. However, manufacturers and also app developers build in many subtle differences in an effort to stay competitive. It requires constant research on a mobile forensic vendor’s part to understand what those differences are, and how to program extraction and decoding software to account for the differences.
Q: Clients sometimes claim that their call data and emails were spoofed or anonymously re-routed. Can Cellebrite assist in investigating and ultimately determining the actual source of such emails and calls?
Yes, again, if there is suspicion that some kind of malware or spoofing app was used either on the client’s device or on the other party’s device, assuming extractions for that device are supported, it should be possible to uncover whether the mobile device and its owner were complicit in spoofing calls.
Q: Clients also sometimes claim that someone is monitoring their mobile device, a virus or program is being used to “spy” on them. Can Cellebrite assist a forensic examiner in investigating whether or not that is the case?
Our UFED Physical Analyzer software has a BitDefender malware detection tool built in. Assuming it is regularly updated, this is able to identify many different malware signatures on a mobile device.
The forensic examiner still needs to be able to research the malware to find out what it does. It may be, especially on Android devices, that the user inadvertently installed malware that exfiltrates personal data, but it’s phoning home to a server in Eastern Europe rather than being a monitoring tool. So that can be important towards exonerating a client.
Q: Not every mobile device forensic tool is the same. Each has its limitations. For example, not every tool can analyze every phone and some tools have better customer support than others. What would you say have been Cellebrite’s weaknesses in the past? What are you working on and what can we look forward to?
We are continuously striving to improve all aspects of our support, whether it’s new or enhanced extraction and decoding support for devices and smartphone apps, or better customer support. The best way to stay up to date on our latest is to subscribe to our email – we release new software versions every couple of months – and follow our blog, which updates customers on product and other company news.
Q: There’s quite a lot going on with respect to e-discovery with mobile devices. This is true for large litigation, which I am certain you are involved and moderate and small litigation. How is Cellebrite dealing with the range of e-discovery challenges and the sizing of your customer base—from large to small? For example, how do you gauge your products and services to address the needs of different sized and different budgeted companies?
We are seeing growing demand in the private sector to leverage mobile device data for e-discovery processes, as organizations and attorneys recognize the importance of mobile evidence in a wide variety of civil cases. We have significant market penetration here, including large and small consulting firms and a growing number of Fortune 500 customers. The introduction of more UFED platform options last year, in addition to our partnerships with a number of industry leading e-discovery platform providers, increased the flexibility of our delivery model to correspond to the needs of organizations of different sizes and geographic distributions.
Q: There has been a debate within the digital forensic community for many years regarding the value and integrity of software/tool-based credentialing or certification, versus broader based certifications issued by recognized professional credentialing organizations that test practitioners’ knowledge base, confirm their educational qualifications and perform a background investigation.
In the beginning of the field, some years ago, there was a dearth of indices to evaluate whether or not when selecting a digital forensics expert, one was making a correct choice. Today, the field is flooded with certifications of dubious distinction that can be obtained with little effort, some cash and attendance at a few classes.
Cellebrite recently revealed a three-stage program in which it certifies mobile examiners. How does this program ensure that the individuals it credentials are suitable, and what does it mean once said certification is achieved?”
Cellebrite’s certification process is quite rigorous in that it demands practical as well as written knowledge to be successful. First of all, attendees to both our Cellebrite Certified Logical Operator and Cellebrite Certified Physical Analyst courses must demonstrate how well they absorbed class information, by performing practical
applications during the exam process. Exam questions are randomized both from student to student, and from class to class. Also, while it is possible to obtain our capstone Cellebrite Certified Mobile Examiner certification immediately upon receiving the CCLO and CCPA certs, we encourage examiners to bolster their expertise through real-world examinations. Finally, we require students to refresh their training every two years, staying abreast of the latest mobile technology trends, to maintain their certifications.