
Cellebrite performance vs documentation

Post Posted: Mon Jan 22, 2018 7:19 am

My firm just acquired a Cellebrite Touch2 Ultimate and we have been putting it through its paces.

In general, the capability doesn't seem particularly strong vs. what we've been doing using open source methods. We're seeing significant variance between what is supposed to be supported vs what we're actually achieving, also variances between the pure software Physical Analyzer capability vs. the actual Touch2 device capability.

This might be due to the newness and our inexperience with the product, however.

I'm curious as to other people's real world experiences. Is this typical?

For example, we used 4 devices in our initial tests:

1) iPhone 4
2) iPhone 5
3) XT1640 Moto G4 Plus Dual
4) SM-G900M Galaxy S5

All of these are significantly older devices.

The iPhone 4 was "connect to iTunes" locked, so inability to access is somewhat understandable.

The iPhone 5 - we could get no data using the Touch2, but could perform logical extraction via the software package connected to the desktop; Physical Analyzer worked.

The G4 and S5 - Appdata was not accessible nor was password extraction, Advanced ADB, and a number of other capabilities using the Touch2. We even were told by customer service that a particular Android patch was the cause of some of this. We're in the process of re-running with Physical analyzer/desktop.

Some possible issues might be the cabling in the kit or the USB port on the desktop.

In any case, I'm very interested in what success (or not) other people have had with Cellebrite.

c1ue
Newbie
 
 
  

Re: Cellebrite performance vs documentation

Post Posted: Mon Jan 22, 2018 12:19 pm

I'm pretty new to this world and only have Cellebrite experience so far, but here's some input:

Cellebrite teaches to do iOS extractions through Physical Analyzer. There's a dropdown at the top for extractions, and it contains both iOS and GPS options I believe.

Due to the large amount of variance between different phones in the same base model (g900v, g900p, g900m, etc), you may want to try a Samsung generic profile and run different extractions through that. Maybe try Phone Detective and see if that will give you some insight into it.

ItsLily
Newbie
 
 
  

Re: Cellebrite performance vs documentation

Post Posted: Mon Jan 22, 2018 2:05 pm

I have been using Cellebrite UFED 4PC for a year and the best advice I can give you is to extract every way possible, do research about Cellebrite extraction methods, and know what you get with each different extraction method. Keep up with the release notes and manuals for the specific tool being used (UFED Touch 2 / UFED 4PC). Here are some tips that might help…

iPhone 5:

Extract using Cellebrite UFED Physical Analyzer Method 1 and Method 2. Then extract using Cellebrite UFED touch 2 for the specific model of iPhone 5 (A1453, A1457, A1518, A1528, A1530, A1533, A1456, A1507, A1516, A1529, A1532, A1428, A1429, A1442) using the logical and filesystem option. There are normally three options under filesystem.

XT1640 Moto G4 Plus Dual:

Extract device profile (XT1460) logical and file system. If the device is locked, and even if it isn't, use the following path to extract physical via the Qualcomm chipset: Browse manually; type smartphone; select smartphone profile; look for Qualcomm and select Bootloader (recommended) and extract via EDL.

Here are some links to help determine the type of extractions:
www.phonemore.com/moto...specs/2680
media.cellebrite.com/w...tes_EN.pdf

SM-G900M:

I can’t look now, but when I researched this earlier today, I believed there was a physical bootloader option for the SM-G900M using UFED 4PC; not sure if it’s there for the Touch 2. Also, as ItsLily stated, you can also extract using the smartphone Android profile and the Samsung generic (CDMA/GSM) profile. I looked and don’t believe that chipset (Qualcomm Snapdragon 801 MSM8974-AC) is supported via the Cellebrite Qualcomm extraction profile.

Just some tips to help.  

bsscott012
Newbie
 
 
  

Re: Cellebrite performance vs documentation

Post Posted: Tue Jan 23, 2018 4:19 am

- bsscott012


SM-G900M:

I can’t look now, but when I researched this earlier today, I believed there was a physical bootloader option for the SM-G900M using UFED 4PC; not sure if it’s there for the Touch 2.


You're right. Bootloader based physical extraction is available.

imgur.com/a/YxuFo
_________________
digitalna-forenzika.com 

Mreza
Senior Member
 
 
  

Re: Cellebrite performance vs documentation

Post Posted: Tue Jan 23, 2018 2:52 pm

I've been hit and miss with Cellebrite. With iPhones I always extract through the physical analyzer software because it seems to pull more data. It seems to do a good job with these devices.

With Android devices I do a physical if possible or a file system extraction. The FS extraction, which uses Android backup, will many times only get partial data, such as pictures, but many times will not extract SMS and call logs. I usually then swap over to Axiom and can pull all the data without a problem.

I will say that Cellebrite has some good features, such as physical acquisition, device unlock, and the ability to do a partial FS extraction even when the device has a passcode (with some phones).

darin2
Newbie
 
 
  

Re: Cellebrite performance vs documentation

Post Posted: Wed Jan 24, 2018 7:44 am

The steps I've taken are to perform all available extractions even though it may be duplicate data. As for missing call logs and SMS/MMS, you would need to perform a logical via UFED4PC or UFED Touch to get the data.

jasonlee
Member
 
 
