Wednesday, July 14, 2021

Three Myths About Digital Forensics as a Practice

July 14, 2021




Following up on last month’s article about “Three FAQs About Digital Forensics as a Service”, we thought it useful to spend some time debunking some myths about digital forensics from both a general practitioner and service provider perspective.  


Every industry comes with “urban legends” or popularized myths that surround the practice.  Many of these rarely represent reality and some are outright false.  The more intriguing or interesting the field, the more pervasive these falsehoods can be.  Digital Forensics is no different than any other industry in this respect.  The reality is that TV and movies have sensationalized what we do to the point where there are several misconceptions about the practice of digital forensics, which run the gamut of the various sub-sets of the practice and affect those in law enforcement, private sector litigation support, incident response and government contractors.  While Hollywood has tried to make the profession “sexy”, there are some realities to this field, including the long hours spent staring at a computer monitor, developing a script or researching an application.  While not overly exciting, those are activities in which any practitioner worth their salt needs to engage on a regular basis… But it doesn’t make for good TV.


In order to dispel some common myths about our field, three of these misconceptions are discussed in this article.  This selection of industry myths has been garnered through discussing and working cases with people outside the industry over the author's combined 12 years in law enforcement and private sector digital forensics practice.


Myth #1:  Nothing Is Ever Truly Deleted


I wish this were true.  However, the reality is that it is not.  Not only are there anti-forensics methods readily available to users on the market (i.e., Hillary Clinton and “BleachBit”), but increasingly there are measures being put in place at the manufacturing level for both mobile devices and higher-end computer systems that make deletion of data a permanent state.  To be more accurate, the security over the stored data is such that when an item is deleted, it is often not recoverable.


For example, on an iPhone, data is stored in the same basic way for most applications.  However, if an item is deleted from the phone, depending on the type of item (i.e., picture or video vs. text message), the item is sent to free space on the phone memory, which is encrypted and not accessible through the forensic process.  The image may not be gone, per se, but it is not accessible or viewable.  On newer Mac computers and other devices equipped with solid-state memory (i.e., not a spinning hard drive), there is a process in place called “Trim” which also helps clean up the free space of the memory and makes recovery of deleted items extremely difficult, if not impossible.  In the era of heightened data security, these measures are becoming more commonplace.  Deleted text messages that were once partially recoverable are now increasingly unavailable, even with the most state-of-the-art forensic tools.  




There are almost always alternative storage methods, however.  Hard backups (computer-based), copies, or cloud-based data can all be potential areas where valuable evidence can exist, but the reality of the digital consumer marketplace is that if all we have is the device and nothing else, we may not get your deleted data.



Myth #2:  If It’s Deleted, It’s Gone


I know this sounds totally contradictory to the previous comments and Myth #1, but just because it’s deleted, doesn’t mean the evidence you need is gone.  Indeed, this is and always has been at the heart of the forensic process.  We utilize industry-standard methods to acquire, analyze, recover and report about the data.  The emphasis with this myth is the recovery part.  I tell potential clients and attorneys all the time, the data is *usually* stored in more than one place.  The aforementioned cloud-based data storage is the most ubiquitous, but there can also be additional data stored in some surprising places.  The more data we can get our hands on that is related to the matter at hand, the more success we will have in getting you some evidence that will help confirm or refute your assertions in the case.  There are also methods of analysis that a trained, competent examiner will attempt to incorporate in many cases, including partial recovery of valuable data from places like file slack (leftover space where a file may have previously existed) or volume shadow copies that are automatically created in Windows.
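To make the file slack idea concrete, and to tie it back to the TRIM point under Myth #1, here is an added example; it is not code from the article or from Pro Digital Forensic Consulting.  The toy volume, its 512-byte cluster size, the simplistic allocator and the sample file contents are all constructed assumptions for illustration.  The script writes a memo, "deletes" it the way most file systems do (the directory entry goes, the clusters are not wiped), reuses the memo's first cluster for a shorter file, and then shows what a simple string search still recovers from the new file's slack and from the unallocated clusters.

```python
# Added illustration (not part of the original article): how file slack and
# unallocated space retain fragments of a deleted file. The toy volume, cluster
# size, allocator and sample contents are all constructed for this example;
# real file systems (NTFS, APFS, ext4) differ in detail but the principle holds.

CLUSTER = 512  # assumed cluster size of the toy volume, in bytes


def make_volume(n_clusters: int) -> bytearray:
    """A freshly formatted toy volume: every byte zero."""
    return bytearray(n_clusters * CLUSTER)


def clusters_used(size: int) -> int:
    """Number of whole clusters a file of `size` bytes occupies."""
    return (size + CLUSTER - 1) // CLUSTER


def write_file(volume: bytearray, directory: dict, name: str,
               start_cluster: int, data: bytes) -> None:
    """Store `data` from a cluster boundary and record it in the directory.
    Only len(data) bytes are written: the rest of the last cluster keeps
    whatever it held before (that remainder is the file's slack)."""
    off = start_cluster * CLUSTER
    volume[off:off + len(data)] = data
    directory[name] = (start_cluster, len(data))


def delete_file(directory: dict, name: str) -> None:
    """Typical deletion: the directory entry goes, the clusters are not wiped."""
    del directory[name]


def file_slack(volume: bytearray, directory: dict, name: str) -> bytes:
    """Bytes between the file's logical end and the end of its last cluster."""
    start, size = directory[name]
    begin = start * CLUSTER + size
    end = (start + clusters_used(size)) * CLUSTER
    return bytes(volume[begin:end])


def unallocated(volume: bytearray, directory: dict) -> bytes:
    """Concatenation of every cluster no directory entry references."""
    allocated = set()
    for start, size in directory.values():
        allocated.update(range(start, start + clusters_used(size)))
    n_clusters = len(volume) // CLUSTER
    return b"".join(bytes(volume[c * CLUSTER:(c + 1) * CLUSTER])
                    for c in range(n_clusters) if c not in allocated)


def printable_strings(buf: bytes, min_len: int = 8) -> list:
    """Minimal equivalent of the `strings` utility: runs of printable ASCII."""
    found, run = [], bytearray()
    for b in buf:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed sample contents (hypothetical, for the demonstration only).
OLD_MEMO = (b"memo: design files copied to personal USB on 2021-03-02 | " * 30)[:1400]
NEW_LIST = (b"shopping: milk, eggs, bread\n" * 30)[:600]


def demo() -> dict:
    """Write a 1400-byte memo (3 clusters), delete it, then reuse the same
    starting cluster for a 600-byte file (2 clusters). Return what an examiner
    can still recover from slack and from unallocated space."""
    vol = make_volume(8)
    directory = {}
    write_file(vol, directory, "memo.txt", 0, OLD_MEMO)
    delete_file(directory, "memo.txt")
    write_file(vol, directory, "list.txt", 0, NEW_LIST)

    slack = file_slack(vol, directory, "list.txt")  # bytes 600..1023 of cluster 1
    free = unallocated(vol, directory)              # clusters 2..7
    return {
        "slack_len": len(slack),
        "slack_strings": printable_strings(slack),
        "unallocated_strings": printable_strings(free),
    }


if __name__ == "__main__":
    result = demo()
    print(f"slack: {result['slack_len']} bytes past logical end of file")
    for s in result["slack_strings"]:
        print("  slack   ->", s[:70])
    for s in result["unallocated_strings"]:
        print("  unalloc ->", s[:70])
```

Running it prints memo fragments recovered from both regions.  The two regions differ in one way that matters for the TRIM point made under Myth #1: the slack lies inside a cluster the file system still considers allocated, so a TRIM command, which the operating system issues only for clusters it has released, leaves it alone; the fully released clusters (here 2 through 7) are exactly what TRIM lets a solid-state drive discard, which is why unallocated-space recovery from SSDs so often comes back empty.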




In most cases, the proverbial smoking gun is not a realistic possibility.  We have certainly worked and seen cases where the smoking gun has come about and it has always met with great success, but the reality of our practice is that we will likely find *something* to help you, but it may not be the one piece of evidence that will confirm or refute the matter at hand.  Will it add value?  Most likely.  The real value comes in with the examiner’s ability to articulate what they did, how they found what they did and to explain these findings in non-technical terms that everyone can understand.


Tools don’t do the work.  They present the data for the analyst to do the work, so make sure your analyst is knowledgeable and not afraid of doing the work.



Myth #3:  It’s Just A Phone… What’s The Big Deal?


This myth likely originates in our innate perception that bigger things should cost more.  Bigger vehicles cost more than smaller vehicles.  Bigger houses cost more than smaller ones, and so on.  So why should a device that fits in my pocket be more of a challenge to acquire and analyze data from than my laptop or desktop computer?


In recent years, the marketplace has demanded that phones be more complex, store more data and be much more secure than your computer.  Apple comes out with a new iteration of iPhone every year, and they usually (and much more quietly) update their computer hardware and software as well, but the emphasis since the inception of the iPhone has been on the mobile device.  So what’s so problematic about it?




As I tell attorneys and their clients frequently, many times we are acquiring the data that Apple allows us to have.  To be clear, this is almost always more than what the user could do themselves and in a forensically sound manner appropriate for evidence presentation, but Apple can be quite restrictive for non-law enforcement to obtain data.  We get the basics – messages, photos, videos, web history, and supported app data.  Many times we can also analyze unsupported app data as well.  But much of the deleted data is unavailable.  In recent years, more advanced methods for acquiring iPhone data have come about, but they are only available on certain iterations of the iPhone hardware and software.  But to be clear, we always try to get as much data as possible.


Android phones are increasingly problematic as well.  Last year, we had a Samsung Galaxy S20 in for acquisition and analysis.  I was amazed at how little data we obtained, despite multiple attempts at multiple different methods of acquisition.  Fortunately, the mobile forensic tool developers are always coming out with newer ways to get more data for our use and analysis, but it’s a constant game of catch-up.  


A final point about the volume of data that can be analyzed on phones: Apple currently offers up to 512 GB of storage on an iPhone.  Some Android phones are pushing to 1 TB or more of storage.  That may not seem like a lot when you’re using the phone, but it’s A LOT of data.  And the more we have to search that mountain of data, the longer it takes.  These are not the Nokia flip phones we all had in the mid-2000s.  They’re not even the Blackberry Pearl you had and thought was so cool.  These are complex computer devices with as much storage capacity as many commonly used computer systems, with many enhanced security measures.  They may be small, but they’re mighty!


Wrapping It Up


The myths discussed here are a small sample of the push-back we sometimes get when it comes to the length of time and the cost associated with acquisition, analysis and reporting about the data on these devices.  For those in law enforcement, phones are seized daily and sometimes the means by which to simply acquire the data are challenging and time-consuming (if not impossible).  We are not miracle workers, but we do try to get you data that you can use in your case to help confirm or refute your suspicions or claims.  Just know, it’s not always easy, it’s not always quick and it’s unfortunately not always possible.  Sometimes, we just don’t know until we get into analyzing the data!


Author: 

Patrick J. Siewert

Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!



We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business servicing litigators and their clients, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/ 





Wednesday, June 9, 2021

Three FAQs About Digital Forensics as a Service

 June 8, 2021




There are many tentacles to the practice of digital forensics.  As explored in a previous article, there can be two main tracks to the practice of digital forensics:  Incident Response & Litigation Support.  Along the same vein, there are practitioners both in the public sector (law enforcement, government contractors, etc.) and the private sector.  While the practice is essentially the same across both sectors, the types of cases called upon to work and the complaints or inquiries received can be vastly different.  


When I was a law enforcement examiner, my time was spent mainly investigating criminal incidents involving child sex abuse material (CSAM) and other crimes, such as fraud, cyber-stalking, etc.  After transitioning to the private sector, I found the case inquiries and cases worked to be quite different.  Sure, there’s a minority percentage of cases in the criminal realm, but many of our cases span family law, corporate law, intellectual property theft and other civil disputes.  One of the most notable areas where the shift has occurred has been in the types of inquiries received.  The three questions explored and answered here are designed to provide those would-be clients with answers that they can readily access without the need to contact a forensic service provider and to help provide guidance for some in our industry as a whole.  These questions are taken directly from inquiries we receive weekly.


FAQ #1:  I think someone (estranged spouse, other person) is “hacking” me.  Can you find out who it is?


This is probably the most frequent question we receive and it eats up a ton of time.  Indeed, there are many reasons why someone might feel they’ve been “hacked”, but at a 30,000-foot level, it’s not likely.  Why isn’t it likely?  Well, the first question anyone needs to ask themselves is WHY would someone hack your devices on purpose?  Jeff Bezos’ iPhone was hacked.  He’s also the CEO of a multi-billion dollar corporation and he was targeted with a very specific electronic exploit by a quasi-trusted source in a coordinated event and the means to hack his device were engineered specifically for that purpose.  Let’s be clear:  No one is likely doing that to YOU.  The time, effort, resources and level of technical sophistication needed to hack an individual’s devices at that level are so advanced and multi-faceted that no one with a standard or mid-range knowledge of computers or cell phones would be able to do that to you.


And just because they “work in I.T.” doesn’t mean they have any advanced coding knowledge to be able to hack your devices.



Most of these allegations surround mobile devices, but to be more specific, an iPhone is quite difficult to “hack”, at least to the level where one would be reading your text messages or tracking your location or listening to your calls.  Everything on the phone needs to run in an application and there are no applications on the Apple App Store which allow this type of activity.  This is why iPhones are generally considered more secure than Android devices – because you *have* to run everything as an app and the only place to get an app is the App Store and Apple has tight controls over what they allow on the App Store. 


What is likely the case in roughly 99.9% of instances is that access was granted by the iCloud account holder (i.e., iPhone owner) to the alleged hacker at some point prior to the “hacking” and they are using utilities like Find my iPhone and iMessage syncing to track these locations and activities.  Also not unlikely is that a formerly-trusted source knows your standard passwords and accessed your account using one of those, and may even have 2-factor authentication access from an older device.  Change your iCloud login and password and make the password strong and unique.  Also, disconnect older devices from your iCloud.  Finally, don’t use public wi-fi.


Android devices, while theoretically easier to “hack” than iPhones, still require some access for 99.9% of users to be able to track location, read messages, etc.  Apple, Samsung, LG, etc. don’t make money and keep customers by making their devices easy to exploit to any sort of hacking activity.  If that were the case, we’d all be walking around with hacked smart phones.  The security on these devices, particularly the newer models, is strong enough to ensure that the vast majority of people who have not been granted access to the data cannot access it… And with each new generation of device, the security gets stronger.


The reality is that we are all bleeding our location, purchase history, check-in activity, life events and much more on our mobile devices every day without even realizing it.  Google has more data on you than the NSA and they exploit it to make money.  Does hacking of an iPhone or Android phone happen? Yes.  But it is very, very unlikely for 99.9% of users.


As a final note, I tell all potential clients that call with this complaint, hacking in many forms is a crime.  If you have evidence you’ve been hacked, report that to the authorities and initiate a criminal investigation.  They work for you and you pay them with your tax dollars.  They also have the power to issue things like subpoenas and search warrants, which any private practitioner does not.  In short, they can help you much more than we can.



FAQ #2:  Someone is sending me harassing text messages anonymously.  Can you identify who it is?


The short answer to this is, probably not.  If the only evidence we are afforded are the text messages from the phone of the person receiving them, there isn’t much evidence for us to investigate from the device itself.  The existence of the text messages is not in dispute; the origin is what is sought.  Most of these numbers are issued through a third party and are purposely anonymous at a practical level, so our ability to track down the number to a specific person is very limited.


In order to track the number to a person, litigation needs to be in place or a criminal investigation needs to be undertaken.  This will provide the power of subpoena or search warrant to help track down and follow the bread-crumb trail to who may be responsible.  Even still, this can require multiple levels of subpoena, which can take time and often be a dead-end in the investigation.


Harassing text messages and/or calls are annoying.  They may even be illegal, depending on where you live.  But it’s much easier and less expensive to change your phone number and let trusted friends & family know you’ve changed your number than it is to try to dig down into the rabbit-hole that is a chain of subpoenas to try and track down who is responsible.  As a wise man once said to me, “the juice isn’t worth the squeeze”.





FAQ #3:  I suspect my spouse or significant other is cheating. Can you analyze their phone to let me know if this is true or not?


We get this question a lot.  And it’s usually followed up with a statement by the would-be client that “the account is in my name”.  The problem is, the data isn’t in your name, and the data is what you’re asking us to analyze.  The issue of marital ownership of property can get a bit murky, particularly when one feels their trust is being violated.  


I know a lot about the law, but I am not a lawyer.  Generally, we refer people who ask for this service to consult an attorney and the natural rebuttal is “I want proof that something is going on before I get an attorney”.  At that point, we gracefully exit.  Why?  Because past instances have taught us that getting involved in domestic issues where there is no litigation is messy and fraught with complications.  In short, we’re not going to be the reason you get a divorce.


Aside from that, there are technical issues which can arise in this.  The first is access to the data.  For all modern cell phones, we need the pass code in order to obtain the data.  Period.  There are no notable exceptions to this for private sector practitioners.  Oh, you have the pass code?  Great.  We still won’t do it.  Modern mobile forensic tools also extract authentication keys for social media and other cloud accounts, which is a very powerful capability, particularly in the wrong hands.  By accessing the data on the phone and/or the data on the cloud without proper authorization, we are breaking the law.  No client or amount of money could convince us that one case is worth our professional integrity and reputation.  Finally, if we engaged in this practice and the case did go to litigation, we’d have to testify about how we accessed the data and by what authority.  That would be a tough question to answer.


Are there digital forensic practitioners who will do this?  Absolutely.  Please contact them and let me know how their testimony goes.


Wrapping It Up


The FAQs discussed here are just a sampling of some of those we receive quite regularly.  And while the answers may have a bit of pointed clarification in them, they also touch on a wider theme of ethical practices in private sector digital forensics.  When you are researching a digital forensic service provider, please ask yourself 1) is what you’re asking them to do within the bounds of the law and/or ethical practices and 2) if they agreed to do it for you, what does that say about their ethical standards?   The training, tools and ability to do what we do are all extraordinarily powerful and if used by the wrong type of practitioner, could lead to drastic consequences.  Violations of what could be termed “standards of practice” will affect the industry as a whole.  Let’s all work together to ensure that doesn’t happen.



Monday, February 22, 2021

Keys To Success in Digital Forensics: Incident Response vs. Litigation Support

February 22, 2021




Digital forensics as a practice and as a service has been evolving since its inception.  Among the evolutionary explosions we’ve seen in the field are the hardware, the size of data repositories, the data storage technology and the tools we use to acquire and analyze the data we come across in our analysis cases.  The advent of remote work, cloud data storage, universal use of email and internet-based applications and the development of bad actors on a worldwide scale has confirmed that the field of digital forensics will be not only present, but necessary now and well into the future.  We’ve also seen offerings in academia growing, with colleges offering coursework in both undergraduate and graduate programs focusing on digital forensics.  What is sometimes overlooked, however, is the nuance that there is more than one path within the field of digital forensics.  So which path will you choose:  Incident Response (IR) or Litigation Support?



Incident Response Path


To help identify which path is appropriate, it’s probably best to first define the particular path.  Digital Forensic Incident Response (DFIR) is defined loosely by a myriad of online resources as incorporating digital forensics techniques to identify bad actors at the heart of malicious attacks on networks and systems.  This can include malware/spyware infections, hacker attacks, data theft, data leakage, etc.  This is often referred to as an arm of Cybersecurity and is part of what many cybersecurity professionals do.  But all one has to do is look up jobs for a Cybersecurity Responder or Engineer and read the litany of responsibilities that are associated with these positions to realize that it is truly only one part of the listed responsibilities.  I’m often boggled when I search for job openings in Digital Forensics and find the dozens of listings that have very little to do with digital forensics at all, but because the job of a DFIR responder is partially to deal with these incidents, forensic response is listed as one of the desired skills.  The argument could be made that the forensic component is a dedicated position in itself.




Regardless of that, the work of a DFIR responder is somewhat different than that of a litigation support professional in several ways.  First, the manner in which you acquire the data to be analyzed can be very different.  It is a common practice in IR work to acquire logical data from a network repository for analysis and not a “dead box” physical acquisition of the data.  This is a practical consideration because networks in enterprise environments can’t be shut down for a physical acquisition.  Many times, network logs, Windows event logs, registry entries and IP log files play a crucial role in determining who is responsible for the incident.  Acquisition and analysis of these logs can be tedious and may only lead to part of the conclusion about what happened.  The job of an IR digital forensic professional is absolutely necessary, particularly in large corporations and those that store sensitive personal information.  We hear about data breaches of personal information almost weekly, and security-minded practitioners struggle with constantly preaching that good practices lead to good security.


Regular readers of this blog know well that I regularly put forth that “forensics” means the acquisition, analysis & reporting of facts associated with the data in such a manner that is presentable in a Court of Law.  While it is no doubt possible that an IR professional could work a case that would lead to litigation, it is far less likely than in the litigation support realm.  As such, it’s probably safe to say that IR practitioners could reasonably be more on the technical side than the presentation & explanation side.  However, every incident has at least one stakeholder, so the ability to explain very technical matters to very non-technical people is still a vital skill.


Litigation Support Path


It’s probably safe to say that when many people decide on a Digital Forensic course of study, they probably think of litigation support as their main path, probably due to the romanticization of the field in TV shows like CSI.  We hear about data breaches in the IR realm all the time, but we rarely hear in popular media the outcomes of their investigations.  Litigation support can be (and often is) the exact opposite.  Most law enforcement digital forensic practitioners are involved in litigation support and do so in very high-profile incidents.  Many private companies are also involved in digital forensic litigation support.  So what does a litigation support analyst do?  We acquire, analyze and report on evidence most often specific to a particular person, company, etc.  The means by which we acquire this data often differs from the IR path because we generally have physical access to the suspect or target media to be analyzed. This means we can acquire physical repositories, instead of just logical data.  Of course, mobile forensics can be a large exception to the last statement, but generally speaking and with current technology, we are able to acquire physical memory of stand-alone computer systems and workstations.  (However, that will probably not always be the case.)




Law Enforcement works criminal litigation support by identifying a criminal suspect, seizing their electronic equipment, acquiring & analyzing same as part of their investigation and reporting about their findings.  Part of their reporting often comes in the form of formal expert testimony in court, which is one of the biggest differences between IR and Litigation Support.  It requires further refinement of the skill of presenting very technical matters to very non-technical people.  


Private companies who engage in Litigation Support also have a similar approach to casework, but work Civil disputes as well.  These civil cases may be everything from divorce/custody matters to intellectual property theft to employment disputes to independent analysis in criminal defense cases.  No matter the court of the case at hand (i.e., criminal or civil), the litigation support professionals seek to add clarity, value and definition to the matters they work as part of the adversarial justice system.  


Similarities between Incident Response & Litigation Support


We’ve highlighted the main differences between IR and Litigation Support, but there are naturally many similarities.  The basic knowledge of how data is stored and analyzed is probably the largest similarity.  Both paths need to have a good basic understanding of data storage and the forensic implications thereof.  Another similarity can be in the tools we use.  Fortunately, most modern and popular digital forensic tools, whether open source or proprietary, are capable of handling both IR and litigation support work.  The nuance factors in with the examiner’s ability to properly use the tool, given the particular type of case or incident.  Some forensic tool vendors like to say their tool has “been validated in Court”.  This is a misleading statement.  Tools don’t get validated in court.  Examiners get qualified as Experts in Court and their findings are validated because of their requisite knowledge, skills, abilities and experience.



Finally, the most important part is that the approach philosophy is and needs to be the same across the digital forensic spectrum.  In every case, we operate on the approaches of objectivity & neutrality, analyzing the data as the data is presented to us and never allowing personal bias or beliefs about the suspected parties involved to cloud our ability to prove or disprove what happened.  Digital Forensics is a scientific discipline.  It requires us to constantly evaluate evidence in a neutral environment to arrive at a conclusion of fact.  As experts in the field, we are afforded the ability to draw conclusions based upon our knowledge and experience, even if the data doesn’t explicitly show us what those conclusions are.  But those conclusions are always supported by the data and never created out of conjecture or bias.


Wrapping It Up


In every field, there are nuanced sub-sets.  If one decides to be a doctor, they can become a surgeon or a psychiatrist.  If one decides to be a lawyer, they can become a corporate risk manager or a criminal litigator.  The refined skill sets for the two paths within the same field are where the differences lie, and digital forensics is no different.  There are nuances within the two paths of Incident Response and Litigation Support that dictate which skills will be highlighted and which will be of less value to hone and refine.  Knowing the difference is key to the practitioner’s success, particularly early in the field of practice.  Can a DFIR practitioner choose to switch between IR and Litigation Support (or vice-versa)?  Absolutely!  Many litigation support professionals from law enforcement retire to work for IR shops.  The take-away here is to start the thought process about which path is the best fit for you.  Ultimately, everyone involved in the practice of digital forensics wants to get to the heart of the matter, just like all doctors want to help their patients and all lawyers want to serve their client in the best manner possible.  So do some soul-searching and drill down about what path you’d like to choose.  And as a wise man once said, “Go with your gut, but use your head!”



Thursday, January 7, 2021

Cellebrite Reader: You Don’t Know What You’re Missing!


As a digital forensic practitioner who logs approximately 70% of cases in the mobile device forensics arena, it has become the norm for us to receive discovery in any number of forms from opposing counsel, law enforcement agencies, etc.  Being one of the most commonly used mobile forensic tools on the market (particularly by law enforcement), Cellebrite has wisely developed a way for people who wish to view the data from a particular device to do so, including the capability to generate their own report.  This pared-down version of the Cellebrite Physical Analyzer program, called Cellebrite Reader, is a free way to browse the 30,000-foot view of the data, particularly for laypersons who may just want text messages, pictures, videos, etc.  These are traditionally the “high points” of the data on the phone or tablet and can sometimes include deleted items, but a serious warning should accompany every Cellebrite Reader file:  You don’t know what you’re missing!



Who Should Use The Cellebrite Reader?

The Cellebrite (or UFED) Reader is a lightweight version of Physical Analyzer, the paid analysis tool that accompanies a full Cellebrite product license.  To say it’s a “lightweight version” of Physical Analyzer is a bit of an understatement.  At first glance the two user interfaces look very similar, but as with most things in digital forensic analysis, the devil is in the details.  So who should use the Cellebrite/UFED Reader?  If your case involves only the “basic” data areas, such as undeleted text messages, photographs and some location data, then the UFED Reader is probably fine.  The tool is best suited to on-staff investigators, paralegals, private investigators and other mostly non-technical support staff.  If you have no need to dig into the underlying data, the UFED Reader should serve your purposes.  The issues emerge when we look at how the Reader file is generated and what is included, or rather not included, by the person who generated it.


The “Analyzed Data” section provides an overview of the simple data areas decoded automatically by Cellebrite, including *some* deleted data (shown as counts in red parentheses)


How Is a Cellebrite Reader File Generated And What Is Included?

A Cellebrite/UFED Reader file is generated from within the larger licensed tool, Cellebrite UFED Physical Analyzer.  Many times, because of case backlog or by specific request, the person doing the data extraction from the device(s) will create a “data dump” report viewable in the UFED Reader.  This produces a .UFDR file, which is opened in the UFED Reader program (or in Physical Analyzer itself); the Reader is distributed alongside the UFDR file at no cost to the recipient.  In the case of a data dump report, ostensibly all of the readily viewable and automatically decoded data from the device is included in the UFDR file.

However, one strong warning about UFDR files is that they can just as easily be generated by the analyst cherry-picking, or selectively choosing, the data to include, which is NOT a data dump.  For example, the person generating the Cellebrite Reader file can choose to include only certain picture file types or certain text messages or message threads.  This could *look* the same as a data dump within Cellebrite Reader, but would contain far less than the 100% dump of everything available from the device.  There is no clear indication in the Reader whether a file is a full data dump or one that was selectively assembled by the analyst and exported to a UFDR.  It is entirely possible that the person generating the Cellebrite Reader file for your review has not included things like the databases from the device (pictured below).  We’ll discuss the importance of this shortly…


The other strong warning about Cellebrite Reader (UFDR) files is that, even as a full data dump, they MAY NOT include all of the data.  While companies like Cellebrite, Oxygen, MSAB and Magnet Forensics try very hard to keep up with the trends in mobile technology, they are always playing catch-up in their support of hardware and software because mobile technology moves so fast.  Add to that the fact that only a fraction of third-party applications are supported for decoding by these tools, and the point becomes clear:  if you are relying solely on UFED Reader files, you are likely missing data!  In our experience there is no exception to this rule.

The analogy we often use is that the Cellebrite Reader file is like a “prepared meal”.  A competent digital forensic analyst wants to inspect the ingredients that went into preparing that “meal” to make sure there’s nothing missing.
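To make the “inspect the ingredients” idea concrete, here is an added example in Python; it is not Cellebrite’s code and not part of the original article.  It assumes that a .ufdr file is an ordinary ZIP archive holding a report.xml plus the exported files under a files/ tree (an assumption about the container, not something the article states).  The archive it inspects is constructed in memory, so the member names are illustrative.  Databases are identified by the SQLite magic bytes rather than by extension, so a database exported under an odd filename is still counted.

```python
import io
import posixpath
import zipfile
from collections import Counter

# First 16 bytes of every SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_ufdr(include_databases: bool) -> bytes:
    """Construct a small UFDR-like archive in memory for demonstration.

    This is NOT a real Cellebrite extraction; the layout (report.xml plus a
    files/ tree) is an assumption about the container, and the member names
    and contents are made up.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.xml", "<project><!-- constructed sample --></project>")
        zf.writestr("files/Image/IMG_0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("files/Text/note.txt", b"constructed sample text")
        if include_databases:
            # Two databases, one of them exported without a telltale extension.
            zf.writestr("files/Database/sms.db", SQLITE_MAGIC + b"\x00" * 100)
            zf.writestr("files/Database/ChatStorage", SQLITE_MAGIC + b"\x00" * 100)
    return buf.getvalue()


def inventory_ufdr(data: bytes) -> dict:
    """Inventory the members of a UFDR container.

    Counts members by extension and lists every member that is a SQLite
    database, detected by its magic bytes rather than its name.  A Reader
    file with no databases at all is the first sign that the recipient was
    given a prepared meal rather than the ingredients.
    """
    by_ext = Counter()
    sqlite_members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_report = "report.xml" in zf.namelist()
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lstrip(".").lower() or "(none)"
            by_ext[ext] += 1
            with zf.open(info) as fh:
                if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                    sqlite_members.append(info.filename)
    return {
        "has_report_xml": has_report,
        "member_count": sum(by_ext.values()),
        "by_extension": dict(by_ext),
        "sqlite_files": sorted(sqlite_members),
        "has_databases": bool(sqlite_members),
    }


if __name__ == "__main__":
    for label, sample in (("full", build_sample_ufdr(True)),
                          ("cherry-picked", build_sample_ufdr(False))):
        inv = inventory_ufdr(sample)
        print(f"{label}: {inv['member_count']} members, "
              f"databases present: {inv['has_databases']} {inv['sqlite_files']}")
```

Run against a real UFDR, the inventory is a quick way to ask the producing party a pointed question:  if the member list contains decoded artifacts but no SQLite files, the raw application databases were not exported, and everything in the “What Data Is Missing” section below applies.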


What Data Is Missing From Cellebrite Reader Files?

At a basic level, all application data (i.e., apps) on mobile devices is stored in roughly the same way.  This common storage approach is a series of databases (most commonly SQLite) that are created, updated and stored as part of the application itself.  The databases work in the background of the user interface to store and present the data to the user in the native app experience.  The problem is that, as stated earlier, a mere fraction (probably 10% or less) of the applications available on the Apple App Store (iPhone) or Google Play Store (Android) are supported for automatic decoding in Cellebrite or any other mobile forensic analysis tool.  This means that manual analysis of these databases will frequently become a necessity in your cases.  And these databases may not be included as part of a UFED Reader file; you may only be provided with automatically decoded data from supported applications.  The illustration below shows a snapshot of how many applications are decoded by Cellebrite on an iPhone 8 Plus running iOS 14.  Among the applications not decoded are common applications like Snapchat, Twitter, Instagram and others:



Even if an application like WhatsApp is supported for automated decoding in your tool, when the developers of WhatsApp make even minor changes to how the application stores its data (a renamed table or column, for example) and roll the new version out to their users, the mobile forensic tool may no longer be able to decode and display the data automatically.  This is another circumstance where manual analysis of the application’s database(s) will be required, and as stated previously, the databases may very well not be included in your Cellebrite Reader file.
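As an added example (not from the article, and not the output of any vendor tool), the following Python routine shows the first steps of manual analysis on an application database the tool did not decode:  enumerate the schema, dump a table, and read its numeric timestamps under the common epochs.  It covers both the “only a fraction of apps are decoded” point above and the “app update broke the parser” case, because it reads the schema from the file instead of assuming one.  The database is constructed in memory; its Core Data-style table and column names are made up and stand in for whatever the real app uses.

```python
import sqlite3
from datetime import datetime, timezone
from typing import Optional

# Seconds between the Unix epoch (1970-01-01) and the Apple/Cocoa epoch (2001-01-01).
COCOA_EPOCH_OFFSET = 978307200


def build_sample_app_db() -> sqlite3.Connection:
    """Constructed stand-in for an undecoded chat app database (in memory).

    The names imitate the Core Data style seen in many iOS apps but do not
    correspond to any real application; they are assumptions for the demo.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZMESSAGE (Z_PK INTEGER PRIMARY KEY, ZSENDER TEXT, ZTEXT TEXT, ZDATE REAL);
        CREATE TABLE ZCONTACT (Z_PK INTEGER PRIMARY KEY, ZHANDLE TEXT);
        INSERT INTO ZMESSAGE VALUES (1, 'alice', 'meet at 9?', 631152000.0);
        INSERT INTO ZMESSAGE VALUES (2, 'bob',   'ok',         631152060.5);
        INSERT INTO ZCONTACT VALUES (1, 'alice');
    """)
    return con


def enumerate_schema(con: sqlite3.Connection) -> dict:
    """List every table with its columns and row count.

    Start here with any database the tool left undecoded: it shows what the
    app actually stores, independent of any parser's idea of the schema.
    """
    schema = {}
    for (table,) in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"):
        cols = [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]
        count = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        schema[table] = {"columns": cols, "rows": count}
    return schema


def candidate_datetimes(value: float, lo: int = 2005, hi: int = 2035) -> dict:
    """Read a numeric timestamp under several common epochs.

    Returns only the readings that land in a plausible year window.  Where
    more than one survives, the analyst resolves it against a known event on
    the device (a dated photo, a known call); the heuristic never decides alone.
    """
    readings = {
        "unix_seconds": value,
        "unix_milliseconds": value / 1000.0,
        "cocoa_seconds": value + COCOA_EPOCH_OFFSET,
    }
    out = {}
    for name, seconds in readings.items():
        try:
            dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
        except (OverflowError, OSError, ValueError):
            continue  # absurd value under this epoch; not a candidate
        if lo <= dt.year <= hi:
            out[name] = dt.isoformat()
    return out


def dump_table(con: sqlite3.Connection, table: str, time_col: Optional[str] = None) -> list:
    """Return a table's rows as dicts, annotating one timestamp column with
    its candidate datetime readings."""
    cur = con.execute(f'SELECT * FROM "{table}"')
    names = [d[0] for d in cur.description]
    rows = [dict(zip(names, r)) for r in cur]
    if time_col:
        for r in rows:
            r[time_col + "_candidates"] = candidate_datetimes(r[time_col])
    return rows


if __name__ == "__main__":
    db = build_sample_app_db()
    for table, meta in enumerate_schema(db).items():
        print(table, meta)
    for row in dump_table(db, "ZMESSAGE", time_col="ZDATE"):
        print(row)
```

Two practitioner notes on using this against a real device:  collect the -wal and -shm sidecar files alongside each database, since recent records may live only in the write-ahead log until a checkpoint; and treat the epoch reading as a hypothesis to be confirmed, not a result, because Unix and Cocoa second counts for plausible dates sit close enough together that a single value can be misread.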

This is why you should always consult with a digital forensic professional in any case where you are provided data from an opposing party, particularly if there is a possibility that any of this data could be presented as evidence.


Wrapping It Up

While Cellebrite and their UFED Reader program are used as an example in this article, many other mobile forensic tools also have similar lightweight versions for simple review of the data.  These are often called “portable case files”, or something similar.  Regardless of the tool and what they call their lightweight application, the same limitations and warnings apply.  And when faced with the possibility that your client could go to prison for a significant period of time or lose custody of their children or perhaps even lose a large sum of money, due diligence dictates consultation with an expert who knows how this data is stored, how to appropriately analyze it and what steps should be taken to ensure nothing is missed.  Lives depend on it!


Author: 

Patrick J. Siewert
