In the last quarter of 2011, a Raleigh, N.C.-area doctor sensed something was off with his wife. She was acting too perfect, as if she was covering something up, but he had no evidence. He even checked out her iPhone, but found nothing suspicious.
Until a few years ago, the doctor wouldn’t have been able to glean any evidence from his wife’s phone without spending a lot of money and taking possession of the iPhone long enough to arouse his wife’s suspicions. Finding deleted files and nonstandard information on a smartphone was almost impossible back then because you could only extract data on a given smartphone’s terms, explains Derek Ellington, president of Ellington IT & Forensics. “Everything you got was filtered through the phone’s own software, and usually didn’t include much in the way of deleted files,” he says.
In 2009, smartphone use was exploding and some of Ellington’s clients — family law firms in the Raleigh area — were looking for ways to access hidden data from phones. To find and extract hidden data from mobile devices, he initially looked to third parties for assistance, with no luck.
Ellington began researching options that his firm could use in-house. He had several criteria for his ideal technology. It needed to work across a wide range of phones and carriers; provide credible, forensically sound data that could hold up in court; and not be prohibitively expensive.
Options in Ellington’s price range of $10,000 were limited. For iPhones, he evaluated the Zdiarski Technique, but it did not meet his standards. “You had to make changes to an iPhone in order to install the tools necessary to copy the physical image from the phone,” Ellington says.
Frustrated, he checked out what law enforcement, government agencies and large forensics firms used to extract cell phone data. Two vendors seemed to be dominant: Glen Rock, N.J.-based Cellebrite, and Lindon, Utah-based AccessData.
Cellebrite specializes in hardware and software that backs up and restores data to mobile phones, transfers content between phones and performs forensic data capture on mobile devices. The company launched its forensic product, the Universal Forensic Extraction Device, better known as UFED, in 2007. The UFED product line, which includes software and related appliances, extracts, decodes and analyzes data from thousands of mobile phones, tablets and other devices, including devices manufactured with Chinese chipsets.
AccessData Mobile Phone Examiner Plus, or MPE+, is a standalone mobile forensics software product that is also available on a preconfigured touch-screen tablet for performing mobile forensics in the field. MPE+ creates data images from mobile devices and works with Forensic Toolkit (FTK) computer forensics software to surface evidence from multiple mobile devices. In August 2010, Ellington purchased a license for AccessData’s MPE+, for $3,500, when the product was in its infancy, but said he was disappointed that it was not more “plug and play” — MPE+ runs on Windows and requires drivers. He turned to Cellebrite’s UFED, which uses its own operating system, and found it more user friendly, “even if you don’t know anything about computers,” he explained.
In April 2010, Ellington paid about $9,000 for the UFED Ultimate package, along with additional seats of UFED’s Physical Analyzer software. The UFED Ultimate package includes the UFED, a small handheld unit with a built-in SIM card reader and Bluetooth connectivity. It comes with more than 70 cable adapters to connect the UFED to mobile devices of major carriers. The package also includes a 15-volt AC power supply, a 12-volt car adapter, and a carrying case that includes a cable organizer.
In addition to UFED’s Physical Analyzer software, the Ultimate package includes UFED Phone Detective software, which reads a phone’s vendor and model without having to open up the phone. It also includes a standalone UFED Reader, to view investigative results from Cellebrite software.
Ellington didn’t have time to test the UFED Ultimate before putting it to work. “We had a backlog of phones when it first arrived,” so he judged its effectiveness on the fly. The UFED device was able to bypass a phone’s own software, so that Ellington could circumvent security protocols and obtain a physical “raw dump” of the phone’s data.
The UFED supported industry-standard hashing, a step Ellington already relied on when analyzing PCs. “This mathematical fingerprint verifies that the data you get matches the data from the source,” he says. “You could now go into court with it, show the hash value, and show that on this day, it matched the suspect’s phone 100 percent.”
The UFED produced the same results each time, unlike the methods Ellington previously had used. “Up until this point, you couldn’t get any real validation.”
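The hash check described above, as an added illustration that is not part of the original article or of Cellebrite’s software: an acquisition record stores the image’s size and hashes at extraction time, and a later verification recomputes them over the working copy so that any altered or truncated byte shows up as a mismatch. The image bytes, device label and examiner name are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for a physical "raw dump" pulled from a handset.
SAMPLE_IMAGE = b"\x00" * 512 + b"SMS:hello\x00" + b"\xff" * 256


def hash_image(data, algorithm="sha256", chunk_size=4096):
    """Hash an image in fixed-size chunks; real images are gigabytes, not bytes."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        h.update(view[offset:offset + chunk_size])
    return h.hexdigest()


def record_acquisition(data, device_label, examiner):
    """Build the record kept alongside the image: who acquired what, when,
    its size, and hashes under two algorithms (MD5 alone is collision-prone)."""
    return {
        "device": device_label,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(data),
        "md5": hash_image(data, "md5"),
        "sha256": hash_image(data, "sha256"),
    }


def verify_image(data, record):
    """Recompute every recorded value over a working copy; return (ok, problems)."""
    problems = []
    if len(data) != record["size_bytes"]:
        problems.append(f"size {len(data)} != recorded {record['size_bytes']}")
    for algorithm in ("md5", "sha256"):
        actual = hash_image(data, algorithm)
        if actual != record[algorithm]:
            problems.append(f"{algorithm} mismatch: {actual} != {record[algorithm]}")
    return (not problems, problems)


if __name__ == "__main__":
    record = record_acquisition(SAMPLE_IMAGE, "handset-01 (constructed)", "examiner (constructed)")
    print(json.dumps(record, indent=2))
    print("working copy verified:", verify_image(SAMPLE_IMAGE, record)[0])
    # A single flipped bit in a copy is enough to fail verification.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0x01
    print("tampered copy verified:", verify_image(bytes(tampered), record)[0])
```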
UFED Ultimate helped Ellington check a phone for deleted text messages, email, or voice mails. UFED extracts relevant information from Skype, Google Voice and even Words With Friends, which has a built-in chat client. “We’ve had so many cases where people were using [Words With Friends] to communicate, thinking it doesn’t leave a trace, but UFED does a really good job of parsing out and making viewable the different data types that these apps store,” he says.
UFED Physical Analyzer software generates comprehensive reports. “An attorney comes in and just wants the communications between Party A and Party B. The Physical Analyzer software lets us specifically target those parties and report all [the communications] between them,” explains Ellington.
Via a recent update, UFED Physical Analyzer now can compile information from multiple parties and phones to create a timeline. Ellington recently finished up a case where five different parties were involved: a woman, her husband, the husband’s girlfriend whom he had met online, the girlfriend’s boyfriend, and the girlfriend’s ex-husband who was suing for custody of their kids. “Under subpoena we copied the phones for all five people, including chats, photos, voice-mail messages, [and so forth], and compiled them all into one timeline using an Excel spreadsheet, which created a minute-by-minute chronology of how this mess unfolded,” he says.
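The two reporting steps above, filtering to the communications between named parties and merging several phones’ records into one chronology, as an added example that is not part of the article or of Cellebrite’s Physical Analyzer. The extractions, party names, devices and timezone offsets are constructed; the point it shows is that each phone’s timestamps must be normalized to one clock before sorting, otherwise a message logged at 18:06 on one handset will not fall where it belongs between 21:05 and 21:07 on another.

```python
import csv
import io
from dataclasses import astuple, dataclass
from datetime import datetime, timedelta, timezone


@dataclass(order=True)
class Event:
    when: datetime      # aware UTC, so records from differently-zoned phones sort correctly
    device: str
    kind: str
    sender: str
    recipient: str
    summary: str


def parse_local_time(raw, utc_offset_hours):
    """Turn a device-local 'YYYY-MM-DD HH:MM:SS' string into an aware UTC datetime."""
    local = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    return (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)


# Constructed sample: two phones, each reporting times in its own local zone.
EXTRACTIONS = [
    {"device": "phone-A", "utc_offset_hours": -4, "records": [
        {"type": "sms", "time": "2011-10-03 21:05:10", "from": "A", "to": "B", "text": "call me"},
        {"type": "call", "time": "2011-10-03 21:07:00", "from": "B", "to": "A", "text": "3m12s"},
    ]},
    {"device": "phone-B", "utc_offset_hours": -7, "records": [
        {"type": "chat", "time": "2011-10-03 18:06:30", "from": "B", "to": "A", "text": "on my way"},
        {"type": "voicemail", "time": "2011-10-03 17:59:00", "from": "C", "to": "B", "text": "recovered"},
    ]},
]


def build_timeline(extractions, parties=None):
    """Merge every device's records into one UTC-ordered list; with `parties`,
    keep only records where both ends are among the named parties."""
    events = []
    for ext in extractions:
        for rec in ext["records"]:
            if parties and not {rec["from"], rec["to"]} <= set(parties):
                continue
            events.append(Event(parse_local_time(rec["time"], ext["utc_offset_hours"]),
                                ext["device"], rec["type"], rec["from"], rec["to"], rec["text"]))
    return sorted(events)


def timeline_csv(events):
    """Render the timeline as CSV text ready to open in a spreadsheet."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["utc_time", "device", "type", "from", "to", "summary"])
    for e in events:
        writer.writerow([e.when.isoformat(), *astuple(e)[1:]])
    return out.getvalue()


if __name__ == "__main__":
    print(timeline_csv(build_timeline(EXTRACTIONS, parties=["A", "B"])))
```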
So what did Ellington find out about the doctor’s wife? Ellington says the UFED Ultimate recovered deleted voicemails from her iPhone that delineated her scheme to withdraw all the money from the couple’s joint bank accounts and her search for a new job and apartment in a different city.