±Your Account
Membership:
New Today: 1
New Yesterday: 3
Overall: 24197
Visitors: 36±Latest Webinar
±Latest Articles
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Windows 8: Important Considerations for Computer Forensics and Electronic Discovery
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Windows 8: Important Considerations for Computer Forensics and Electronic Discovery
±Follow Us
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
With no disrespect intended to UFED technical support, unless UFED are now adding 'clairvoyance' to the UFED system and they have a new tool called 'psychic', how on earth are they claiming they know the answer above for certain?
You have the handset and presumably you have not disclosed the physical image to them have you?
br
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup
On that basis, you have actually answered the point I was making to you awiwoho. From what you are confirming it infers that when you asked [them] apparently without seeing any evidence or investigating imaged content the response you got was negative.
This could be though doing an injustice to Cellebrite UFED as I wasn't present at your discussion and it might simply be awiwoho that the person you spoke to has experience in a different area and not the area in which you seek help. You will find from time to time that skills for data recovery do not amount to having knowledge and skills in relation to forensics, data analysis, investigation and/or evidence.
awiwoho does your organisation policies, practices and procedures allow you to distribute evidence to a party not engaged and instructed in the matter under investigation?
Perhaps Ron from Cellebrite would be kind enough to put me right, if I have misunderstood the points raised by the OP, and post at FF confirmation:
1) In an image obtained by UFED does it contain any 'objects'/'artefacts' of any previous tampering or imaging activity on a particular handset that is discernable from analysis of the UFED image?
2) What 'objects'/'artefacts' should awiwoho be seeking in the content recorded in the UFED image?
3) Where would awiwoho find in the UFED image these 'objects'/'artefacts' (e.g. Index offset etc)?
4) With regard to 'objects'/'artefacts' that maybe found in an UFED image obtained from particular handsets; the relevant handsets in question are those mentioned by awiwoho:
4a) Nokia C3-00
4b) Motorola V3xx
Hope that helps
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup
[ASK] Identify phone has been tampered or imaged
[ASK] Identify phone has been tampered or imaged
Posted: Wed Jun 27, 2012 4:43 am
Hi everyone,
I physically imaged 2 mobile phones i.e. Nokia C3-00 and Motorola V3xx using UFED Cellebrite. Apart from analyzing the standard file, sms and contact number; I was also requested to analyse:
- If the phones has been tampered or imaged before?
- Identify if the data in the phones have been extracted in any way.
- Have the phone has been bug with a GPS software, so the location can be detected?
I have looked at each file one by one; there are a lot of files in there but I couldn't find any clue to identify such information. My question, is that possible to do such analysis in the mobile phones and how?
Any help gill be greatly appreciated.
Thanks.
I physically imaged 2 mobile phones i.e. Nokia C3-00 and Motorola V3xx using UFED Cellebrite. Apart from analyzing the standard file, sms and contact number; I was also requested to analyse:
- If the phones has been tampered or imaged before?
- Identify if the data in the phones have been extracted in any way.
- Have the phone has been bug with a GPS software, so the location can be detected?
I have looked at each file one by one; there are a lot of files in there but I couldn't find any clue to identify such information. My question, is that possible to do such analysis in the mobile phones and how?
Any help gill be greatly appreciated.
Thanks.
-
awiwoho - Newbie
Re: [ASK] Identify phone has been tampered or imaged
Posted: Thu Jun 28, 2012 9:25 pm
I asked UFED technical support and they said that it is not possible.
-
awiwoho - Newbie
Re: [ASK] Identify phone has been tampered or imaged
Posted: Thu Jun 28, 2012 11:49 pm
- awiwohoI asked UFED technical support and they said that it is not possible.
With no disrespect intended to UFED technical support, unless UFED are now adding 'clairvoyance' to the UFED system and they have a new tool called 'psychic', how on earth are they claiming they know the answer above for certain?
You have the handset and presumably you have not disclosed the physical image to them have you?
br
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup
-
trewmte - Senior Member
Re: [ASK] Identify phone has been tampered or imaged
Posted: Wed Jul 04, 2012 8:59 pm
If I disclosed the physical image to them, they would know the answer?
Which information should I give?
Which information should I give?
-
awiwoho - Newbie
Re: [ASK] Identify phone has been tampered or imaged
Posted: Wed Jul 04, 2012 9:08 pm
As far as if the phone has been imaged before that would largely depend on the method that may have been used.
If it was imaged by a competent operator with a non invasive method (ie no jailbreaking or similar) then the previous imaging process should indeed by undetectable.
Same goes for if the phones have had data extracted as the process if pretty much the same, again using good software and sound methodology.
With regards to the GPS bugging that would come down to a manual inspection of every single app or piece of software which accesses the GPS and trying to figure out if anything weird is going on. Well beyond me, maybe some of the guys with programming knowledge might be able to offer advice there, but UFED, XRY don't offer than level of app support or breakdown to my knowledge.
If it was imaged by a competent operator with a non invasive method (ie no jailbreaking or similar) then the previous imaging process should indeed by undetectable.
Same goes for if the phones have had data extracted as the process if pretty much the same, again using good software and sound methodology.
With regards to the GPS bugging that would come down to a manual inspection of every single app or piece of software which accesses the GPS and trying to figure out if anything weird is going on. Well beyond me, maybe some of the guys with programming knowledge might be able to offer advice there, but UFED, XRY don't offer than level of app support or breakdown to my knowledge.
-
Adam10541 - Senior Member
Re: [ASK] Identify phone has been tampered or imaged
Posted: Wed Jul 04, 2012 11:53 pm
- awiwohoIf I disclosed the physical image to them......
On that basis, you have actually answered the point I was making to you awiwoho. From what you are confirming it infers that when you asked [them] apparently without seeing any evidence or investigating imaged content the response you got was negative.
This could be though doing an injustice to Cellebrite UFED as I wasn't present at your discussion and it might simply be awiwoho that the person you spoke to has experience in a different area and not the area in which you seek help. You will find from time to time that skills for data recovery do not amount to having knowledge and skills in relation to forensics, data analysis, investigation and/or evidence.
- awiwohoWhich information should I give?
awiwoho does your organisation policies, practices and procedures allow you to distribute evidence to a party not engaged and instructed in the matter under investigation?
Perhaps Ron from Cellebrite would be kind enough to put me right, if I have misunderstood the points raised by the OP, and post at FF confirmation:
1) In an image obtained by UFED does it contain any 'objects'/'artefacts' of any previous tampering or imaging activity on a particular handset that is discernable from analysis of the UFED image?
2) What 'objects'/'artefacts' should awiwoho be seeking in the content recorded in the UFED image?
3) Where would awiwoho find in the UFED image these 'objects'/'artefacts' (e.g. Index offset etc)?
4) With regard to 'objects'/'artefacts' that maybe found in an UFED image obtained from particular handsets; the relevant handsets in question are those mentioned by awiwoho:
4a) Nokia C3-00
4b) Motorola V3xx
Hope that helps
_________________
Institute for Digital Forensics (IDF) - LinkedIn
Mobile Telephone Examination Board (MTEB) - LinkedIn
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
ForensicMobex now MTEB Linkedin Subgroup
-
trewmte - Senior Member