Thursday, January 7, 2021

Cellebrite Reader: You Don’t Know What You’re Missing!

January 7, 2021

Cellebrite Reader:  You Don’t Know What You’re Missing!

As a digital forensic practitioner who logs approximately 70% of cases in the mobile device forensics arena, it has become the norm for us to receive discovery in any number of forms from opposing counsel, law enforcement agencies, etc.  Being one of the most commonly used mobile forensic tools on the market (particularly by law enforcement), Cellebrite has wisely developed a way for people who wish to view the data on a particular device to do so, also with the capability of generating their own report.  This pared-down or lightweight version of the Cellebrite Physical Analyzer program, called the Cellebrite Reader, is a great free way to browse the 30,000-foot view of the data, particularly for laypersons who may just want to get text messages, pictures, videos, etc.  These are traditionally the “high points” of the data on the phone or tablet and can sometimes include deleted items, but a serious warning should accompany the Cellebrite Reader file:  You don’t know what you’re missing!



Who Should Use The Cellebrite Reader?

The Cellebrite (or UFED) Reader is a lightweight version of the paid version of the analysis tool that accompanies a full Cellebrite product license called Physical Analyzer.  To say it’s a “lightweight version” of Physical Analyzer is a bit of an understatement.  At first glance in the user interface, the two applications look very similar, but as with most things in digital forensic analysis, the devil is in the details.  So then who should use the Cellebrite/UFED Reader?  If your case involves any of the “basic” data areas, such as undeleted text messages, photographs and some location data, then the UFED Reader tool is probably fine.  The tool is best for on-staff investigators, paralegals, private investigators and other mostly non-technical support staff.  If you have absolutely no need to dig into the data at all, the UFED Reader program should serve your purposes just fine.  The issues emerge when we dive into how the data is generated and what is included, or rather not included, by the person who generated the Reader file.


The “Analyzed Data” portion provides a great overview of the simple data areas decoded automatically by Cellebrite, including *some* deleted data (red parentheses)


How Is a Cellebrite Reader File Generated And What Is Included?

A Cellebrite/UFED Reader File is generated within the larger licensed tool called Cellebrite UFED Physical Analyzer.  Many times, because of case backlog or by specific request, the person doing the data extraction from the device(s) will create a “data dump” report, viewable in the UFED Reader.  This creates a .UFDR file, which is only able to be opened and read in the UFED Reader program, which accompanies the UFDR file at no cost to the user.  In the case of a data dump report, ostensibly all of the readily viewable and automatically decoded data on the device is included in the UFDR file. 

However, one strong warning about UFDR files is that they can easily be generated by the analyst cherry-picking or selectively choosing the data to include in the UFDR file, which is NOT a data dump.  For example, the person responsible for generating the Cellebrite Reader file can choose only certain picture file types or certain text messages or message strings to include in the Reader file. This could *look* the same as a data dump within Cellebrite Reader, but would have far less data than the 100% dump of everything available from the device.  There is no clear indication that a data dump file has been generated versus one that is selectively created by the analyst and exported into a UFDR and Cellebrite UFED Reader file.  It is not unlikely that the person generating the Cellebrite Reader file for your review has not included things like the databases from the device (pictured below).  We’ll discuss the importance of this shortly…


The other strong warning about Cellebrite Reader (UFDR) files is that they MAY NOT include all of the data.  While companies like Cellebrite, Oxygen, MSAB and Magnet Forensic try very hard to keep up with the trends in mobile technology, they are always playing a game of catch-up with their support of hardware and software because mobile technology moves so fast.  Add into the support equation that only a fraction of third-party applications are supported for decoding by these tools and the point becomes clear that if you are relying solely on UFED Reader files, you are likely missing data!  There is currently no exception to this rule.

The analogy we often use is that the Cellebrite Reader file is like a “prepared meal”.  A competent digital forensic analyst wants to inspect the ingredients that went into preparing that “meal” to make sure there’s nothing missing.


What Data Is Missing From Cellebrite Reader Files?

At a basic level, all application data (i.e., apps) on mobile devices is stored in roughly the same way.  This common storage approach is in a series of databases that are created, updated and stored as part of the application itself.  The databases work in the background of the user interface to store and present the data to the user on the device in the native user experience.  The problem is that, as stated earlier, a mere fraction (probably 10% or less) of the applications available on the Apple App Store (iPhone) or Google Play Store (Android) are supported for automatic decoding in Cellebrite or any other mobile forensic analysis tool.  This means that manual analysis of these databases will frequently become a necessity in your cases.  And these databases may not included as part of a UFED Reader file, and you may only be provided with automatically decoded data from supported applications.  The illustration below shows a snapshot of how many applications are decoded by Cellebrite on an iPhone 8 Plus running iOS 14.  Among the applications not decoded are common applications like Snapchat, Twitter, Instagram and others:



Even if an application like WhatsApp is supported for automated decoding in your tool, when the developers of WhatsApp make even minor changes to the application in development and roll the new version of the application out to their users, this could cause the mobile forensic tool to no longer be able to decode and display the data automatically.   This is another circumstance where manual analysis of the database(s) for the application will be required and as stated previously, the databases may very well not be included in your Cellebrite Reader file.

This is why you should always consult with a digital forensic professional in any case where you are provided data from an opposing party, particularly if there is a possibility that any of this data could be presented as evidence.


Wrapping It Up

While Cellebrite and their UFED Reader program are used as an example in this article, many other mobile forensic tools also have similar lightweight versions for simple review of the data.  These are often called “portable case files”, or something similar.  Regardless of the tool and what they call their lightweight application, the same limitations and warnings apply.  And when faced with the possibility that your client could go to prison for a significant period of time or lose custody of their children or perhaps even lose a large sum of money, due diligence dictates consultation with an expert who knows how this data is stored, how to appropriately analyze it and what steps should be taken to ensure nothing is missed.  Lives depend on it!


Author: 

Patrick J. Siewert

Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/