UFED Cloud Analyzer – Unlock actionable intelligence from private user information in cloud data sources

Presenter: Shahaf Rozanski, Senior Forensics Product Manager, Cellebrite


Transcript

Hello everyone, and welcome to the Cellebrite webinar, UFED Cloud Analyzer – Unlock Actionable Intelligence from Private User Information in Cloud Data Sources. Before we get started, I’d like to update you on the technology we’ll be using today. You will notice on the right-hand side of your screen that we now provide two audio mode options for our webinar – telephone and [indecipherable] speakers. If you prefer to use your telephone, please set ‘Telephone’ as your audio mode, and call in using the number, access code, and PIN that is displayed in the confirmation email that you previously received.


If you prefer to listen to this webinar through your computer speakers, please choose the [indecipherable] speaker audio mode option on your panel. You may minimize the panel by clicking the orange arrow located on the far left-hand side. If you have any questions throughout the webinar, they should be submitted online. You can submit your questions to our speaker by typing them in the questions box. Questions will be answered at the end of the presentation.

Our speaker today is Mr Shahaf Rozanski, senior forensics product manager. In his role, Mr Rozanski is responsible for defining and launching Cellebrite’s future solutions to the law enforcement industry, including the UFED Cloud Analyzer. Mr Rozanski brings more than 16 years of experience in merging customer advocacy and technology, which he successfully applied in various global industries.

Shahaf, it’s over to you!

Shahaf Rozanski: Thank you, [indecipherable]. Hi everyone. Excited to be with you this morning or afternoon. Today we’re going to have a very, very exciting adventure together as we will investigate together how you can neutralize the cloud in your investigations. What we do in the course of the next hour – you will find out that you are not alone in your quest to look into the cloud, and we will see some of the market trends that you and other customers of ours shared with us when going into the cloud. We will also identify what kind of challenges you are facing today when handling the cloud, and then we will switch over to the different solutions that we have for you to investigate information from the cloud; the main solution that we are going to talk about today is UFED Cloud Analyzer, a new solution that we announced and released just a few months ago. And we will demo the solution and discuss the different use cases.

So let’s start with the market trend, and before we do that, let’s just clarify between ourselves what we mean by ‘cloud’. When we say ‘cloud’ throughout the course of this presentation, we will refer to data that is hosted by a remote cloud service provider, such as social media like Facebook and Twitter, webmail like Gmail and Yahoo!, storage like Google Drive, instant messaging services, or even e-commerce services like Amazon and eBay. All those are what we are referring to as cloud, and those kinds of data sources basically contain lots of information that people are using, which you can utilize within your investigation.

So, if we look into the way our world population is using the cloud, you can see that about 25%, 26%, depending on the region in the world, is accessing social media and cloud-based services. One of the most important points to notice in the right corner of the slide is the fact that most of the people that are using the cloud are accessing the cloud via mobile. Now, if you have the capability to gain access to the mobile and utilize that in order to go to the cloud, then you can leverage your capability [in] investigating the cloud.

So if most of the world population is using the cloud, obviously, criminals are also using the cloud, and therefore, law enforcement agencies are very, very interested in the cloud. And this is a survey that was conducted by the International Association of Chiefs of Police – they are conducting a survey every year – and you can see that while in 2010 only 50% of the investigations involved social media or cloud information in order to resolve the issue, in the last couple of years it’s almost 80% of those investigations, meaning four out of five investigations are using cloud in order to gain access into intelligence data or even to provide evidence that will be used in court.

Now, when law enforcement are looking into the cloud, basically, there are two kinds of information they are looking into. The first one is what we call the public cloud, which is basically all the data that the user decided to expose to the rest of the world. So if you go to Google, for example, and type ‘Shahaf Rozanski’, you will probably find a lot of information about me, which I decided to publicly expose to everyone. The more interesting part of the cloud is the private data – that kind of data which is not accessible to anyone, and you cannot go and google ‘Shahaf’ and find private data about me. It is only accessible to those that I have selected.

Now, for you, as law enforcement, to gain access into private data, basically, you have two options. The first one is to get permission from the user… ask for his username and password, and then manually type the username and password into the different web interfaces – for example, the web interface of Facebook. And then navigate to the different pages and try to find the relevant evidence, obviously trying to make sure that you are forensically preserving the data, which is quite a challenge when you are doing that manually. The other option is to go to the cloud provider – to go to Google, or to go to Facebook, or to go to Twitter, and ask them for permission to look into the information. For that, obviously, you would need legal authority to do so, and basically you would need to serve a search warrant to the different companies, and you can see the statistics over here.

The challenge that you are facing with going to the cloud provider – and you have shared it with us quite frequently – is the fact that the time for fulfillment can take weeks to months. And especially for you guys that are outside of the US, for example, people in Poland or in Vietnam or in the UK, for you to go to Google and Facebook and get information from them, you need to go to [indecipherable] or you first need to have a local search warrant; then you need to go over to your local department of justice, which sends it to the US Department of Justice; they will convert it into a local search warrant, which then will be served to the relevant state – California, which is where most of those companies are [set] – and then it will be [translated] and sent to Google or Facebook and Twitter.

This takes time, a lot of time, and then obviously you can add to that the time that it takes to process the information. This can take, for people that are outside of the US, somewhere between eight months and a year, which is amazing – and just think about how much time you need to wait just to gain information and intelligence from the cloud. And basically, this is the main challenge that you are facing and have expressed to us – the time that it takes to get a response from the cloud provider, which, if it is a year, can sometimes be meaningless to your investigation.

But it’s not only the time that it takes, it’s also the fact that the rate of record production is sometimes insufficient. In the previous slide, we’ve seen the different statistics – in the UK it was about 70%. I can assure you that in different countries it’s less than that. But even with the 70% or the 80% that’s in the US, still, one out of five or one out of four cases is not provided with the relevant information to solve the case. And I don’t think that anyone is willing to jeopardize solving a murder case just because the cloud provider is not going to provide it.

Now, the reason that they are not providing the information is not because they don’t like you. It’s because of the fact that, you know, they are a big company; their business is to provide social media or services. It’s not their main concern, and therefore, you [indecipherable] almost about 100 requests to Facebook. They need the manpower to handle that, and they don’t have it. So it takes time, so you need to wait for them until they produce the records.

And then, at least for a US-based cloud service provider, it is up to them to decide whether they want to produce the record or not. Reminder: they are working according to US law. So, [if there is], for example, an offence in your country which is not considered an offence in the US, you might not get the data. So this is a very big problem.

Now, the last challenge that you expressed to us with respect to the long cycle that it takes is that even after you get the information from the cloud provider, if you approach more than one cloud provider, you have a problem. Because each cloud provider is providing you the record in a different format. So you get a long PDF from Facebook, you get a long HTML file from Google, you get a long Word file from Twitter. How do you analyze that? How is your investigator capable of understanding what exactly is going on? And this is a true challenge.

In addition to gaining access to the cloud provider, the time it takes, and the fact that the data is not normalized, we understand that you are basically not only looking into cloud – you are obviously looking into PC, and you are looking into mobile information, and you are looking into call data records from the [vendor]. And basically, you have different tools that you are utilizing today in order to gain insight into those different data sources. Different tools means different training and certification on different tools, higher cost of ownership, and obviously, a lack of data visibility and interoperability between the different tools, because they are not generated by the same vendor.

Therefore, [in] consideration [of both of] those challenges, we at Cellebrite came up with what we call the UFED Pro Series, which is basically a unified solution that allows you to extract, normalize, and analyze data from disparate data sources – from mobile, from cloud, and from operators – all together.

For those of you who are already familiar with our offering and using it in the mobile space, you are probably very familiar with the UFED Ultimate that allows you to extract information from a mobile device, and you are also familiar with the UFED Physical Analyzer that allows you to decode the information. [indecipherable] UFED Cloud Analyzer that we will focus on today, but then, it doesn’t stop there because as we mentioned, you want to look into all the information together. So the next step in the process, and we’ll definitely talk about it, is the ability to integrate information from mobile, information from cloud, information from operators, into a single view and to analyze them all together. And this is exactly what UFED Link Analysis allows you to do.

So our UFED Pro Series that is comprised of different modules eventually gives you an end-to-end solution for looking into mobile, cloud, and operator data all together, both in terms of extracting the data, but also in the sense of analyzing the data.

As I mentioned, we will focus today on Cloud Analyzer. So let’s do a [click down], let’s talk about Cloud Analyzer main highlights. So Cloud Analyzer addresses the challenge of accessing the cloud provider, and it provides you with an instant extraction of insight and admissible data. With Cloud Analyzer, you can forensically preserve data from a rich set of cloud data sources and gain access into cloud data with consent of user or without consent of the user, obviously working under the proper legal authority.

[Not only that] you can gain access and save the year of waiting for the different cloud providers, you also normalize the data with Cloud Analyzer – so if you go to Facebook, if you go to Twitter, if you go to Google, all the information that you get from them is normalized into a common look and feel, and then the investigation becomes very easy because you can look at a message in Google and a message in Twitter, they look the same. And then it’s very, very easy to correlate between the different entities.

Finally, it’s about the ability to move to the next step, and the fact that you don’t stop with cloud; you obviously want to share the information with other members of the police force or export it into other tools that will allow you to do some further investigation – so Cloud Analyzer, like the rest of the UFED Pro Series solution, allows you both to generate relevant reports that you can use and share with other people within the force, or to export the data into other advanced analysis solutions like UFED Link Analysis or others.

So we mentioned instant extraction while forensically preserving the data; normalizing the data from different data sources; and the ability to share data and continue with the investigation. Now, you probably ask yourself by now, “Okay, fine, that’s great. You can gain access into private cloud data. How do you do that?” Well, let me share with you a couple of methods that we are using to gain access into the cloud.

The first method is the one that we have already discussed in the past. And it is the ability to utilize username and password. And basically you type the username and password that you got from the user or you got in a different manner from the user, and you type it into the application, and then Cloud Analyzer streamlines the process of extraction for you. So instead of going into the different pages through the web interface of Facebook or Google, you just get all the information that you requested based on the defined extraction criteria, and then you can look into the information, which is forensically preserved, in an easier manner.

The next option that we share in order to gain instant access to the cloud is the more innovative method which we introduced to the market just a few months ago, and it’s the ability to use mobile login information. And what do I mean by that? Think about your smartphone. When you go into your smartphone and you click on your Facebook application, it automatically pops up. It means that Facebook remembers the first time that you provided your username and password, and every time you click on the application icon, it uses that. Well, the lucky thing is that today, with the [indecipherable] that you have from Cellebrite, those that are extracting information from the mobile device, you can already capture that login information from the mobile device. What we recently added as part of the UFED Cloud Analyzer capability is the ability to decode this username and password or this login information that gains you access into the cloud, and utilize that in a separate application we call UFED Cloud Analyzer in order to pull out information from the cloud.

I think that the demo will definitely demonstrate to you the full capacity of these tools. Let’s move into the demo, and we will start by looking at the Physical Analyzer. For those of you that are not familiar with the Physical Analyzer, basically, after you [did] a forensic copy of the mobile device, you take the extraction file and then you open that in Physical Analyzer, which basically decodes all the information from the extraction and shows you all the valuable information that was available on that device. So in order to get the login information from the mobile device, we added a simple and basic option that’s basically called ‘Export account package’. An account package is basically the list of cloud data sources that the user was using on his mobile device along with the login information – that piece of code that remembers how to authenticate the user every time that he clicks on the mobile application.

So let me just save the account package. And that’s it. I have the account package, now I can go into my UFED Cloud Analyzer. When you start looking into UFED Cloud Analyzer, the first thing that you would want to do is that you would want to create a new person investigation. So I’m clicking on ‘New person’, and let me provide some details about this person that I’m investigating. Let’s say that I want to investigate someone by the name of Cloudio Brite. And I will enter the investigation number and my examiner ID and my name, and I can also add a nice picture of Cloudio Brite. Let’s use this one. And now I am creating the new extraction.

The first step when creating a new extraction is a logical step that is meant to give you the conscious alert that you are going into private user data in the cloud and you probably need the relevant legal authority. Now, whether you need the legal authority or you don’t need the legal authority depends on you and your standard operating procedure, but we allow you to provide that information here, like the search warrant or the subpoena number or your chief constable approval number, or even the consent number from the user. So any kind of information that you want to provide, and eventually log as part of the process, should be entered in here. As I mentioned, there will be some agencies that will say, “Hey, listen, it’s not applicable for me,” and they can just click through that step without filling in any information.

The next step is to define what kind of data sources I would like to extract from. And as I mentioned, we have two options – the first one was the ability to import the account package from the mobile device. So let me import the account package – let’s take this one. So this is the list of data sources that the user was using on his mobile device, along with the login information. So this was the first option, and another option is to manually add login information, [let’s say that you] got the consent from the user, you get the username and password, and then I can type here, ‘cloudio.brite@gmail.com’ and let’s put something that will not work, ‘notworking’. Okay.

Now I will select the different data sources that I would like to extract from, and I will click on ‘Next’. What happens at this point is that UFED Cloud Analyzer goes into each of the cloud providers that were specified in the list before and tries to authenticate the user based on the login information that was taken either from the mobile device or the one that was [indecipherable] provided by the user. So as you can see, this is like a regular login process, where… by the way, if we are using login information from the mobile device, we are actually mimicking the device itself. It means that from a Facebook point of view or from a Twitter point of view, the mobile device is the one that is trying to access the cloud. This is very important from a covert operation point of view or the amount of traces that you leave at the cloud provider.

Now, as we’ve seen, the first five data sources were authenticated successfully, and I can also see the relevant username for this, within this data source. So for Dropbox it’s Cloudio Brite, for Facebook it’s cloudio.brite@gmail.com. Gmail failed, because, as you recall, I provided a wrong username and password. So I can go back and amend that, but for the sake of this demonstration, we can just continue and skip that process.

So I’m clicking on ‘Next’. The last piece, before I begin the extraction, is to define the extraction criteria. And this has two meanings for you. The first one is related to the legal authority that you have, and we understand the fact that you might not be able to extract everything and you might be [bounded], based on your legal authority, to extract only relevant information from the last month or only images and videos. So basically, you can change the different criteria according to your needs.

The second reason that we introduced this step in the process is the amount of time and the amount of data that needs to be extracted. So think about it – for example, if you take Cloud Analyzer to the field. You don’t have 10 hours to extract a few GB of Gmail data. You want something more concise. So basically, you can shorten the amount of data, reduce the amount of data, based on date and content category in order to shorten the time of extraction and the size that it needs on your hard drive.

Good. So let me change the date, for example, and say that I want to extract everything in the different data sources from the beginning of 2014. And let me change that for all the different data sources. Those of you that have sharp eyes probably noticed that each data source has different content categories that we [support]. And this depends on the nature of the data source. For example, in Facebook, you can gain access to messages and contacts and other information; however, in Dropbox, which is a cloud storage service, you can only gain access [to] images and videos, and files, and not to messages.

One important thing to mention is that when you extract a message or a file or a video, you get all the data and the metadata attached to it. So, for example, if I’m sending an email to Mona, and this email contains two images, those images that are [indecipherable] to the message would also be extracted as part of the message. In addition, if, for example, I’m posting a post on Facebook that has location information, the location information metadata would obviously also be extracted as part of the extraction itself.

Good. So I’ve easily defined the different criteria, and now I will click on ‘Start extraction’, and what will happen at this point is that Cloud Analyzer will go into each of the cloud providers and try to pull out information from these cloud providers, and save them on my local PC.

Now, a couple of interesting points to raise with respect to the way that we are accessing the cloud data source. The first one is the fact that we are utilizing the standard API provided by the cloud provider. Why is that important? It is important for the [indecipherable] reason and the fact that you will feel comfortable using that information in court. Now, if we are using the standard API provided by the user, which, by the way, is used by all those application developers all over the world – those [indecipherable] applications [on top] of Facebook and Gmail are using the same API – it will be very, very difficult for someone to claim that the information is incorrect, because if that’s incorrect, then everyone else in the world is using incorrect data.

The second element is the fact that the connection between Cloud Analyzer, which resides on the local PC in the police station, and the cloud provider is done directly and over a secure channel. And it means that no one can sit in the middle and change the data, so that the data you get is not a copy, or not an exact copy, of the data that is available in the cloud. Those two points are very important because they increase the confidence you have, and you have [points] to make sure that you can admit the data into court.

Good. So extraction completed successfully. And I can now start looking into the data. By the way, I could have done that also when the data was not fully extracted – so I can do it in the middle of the extraction. And we have different views that we introduced in order to enable you to look into the information. The first one is the Timeline view that basically shows all the events that took place in chronological order. You have the Files view that basically collects… all the files that were extracted from the different data sources into a single view, so you can easily view them. You have the Contacts, which shows you all the social contacts that this person had with his social friends. And finally, you have the Map, which shows on a map all the relevant location information that was taken from the cloud data sources.

And this is maybe the relevant point to discuss a new service that we are introducing very soon, which is called Google Location History. Google Location History is a service that is provided by Google, and this service basically helps Google to provide better information or better search results to the user. And what Google is doing is basically they are saving all the location information from the mobile device in their local storage in the cloud, and then later gain access to that. In order to use this service, you need to opt in obviously to that service. But the way that Google presents that to the user is kind of tricky, and therefore, you could expect that there is a large portion of people that will enable that. Basically, what they mention over there is that if you want some more accurate location information, you need to enable that service. But they don’t tell you that they save all your location history in the cloud.

So this is Google Location History, and if you can gain access into the Google Location History, it means that you have a minute-by-minute tracking of what the user was doing, which is amazing. For example, let me click here on one of those events, so you can see almost a minute-by-minute tracking on the way and the path that I took here in South Carolina. And this is awesome because now you can tie back that to where the user has been at the time of the crime. So Google Location History is a service that we introduce very soon, very, very powerful for your investigation.

Let’s jump back into the Timeline. And if you recall, one of the challenges that we discussed in the beginning of the conversation was the fact that if you go to Facebook, you go to Twitter, you go to Gmail, you get information that looks different. And what we mentioned is that Cloud Analyzer basically normalizes all the data into the same look and feel. So, for example, you can see in the same view here information from Facebook, and this is the information from Dropbox, and also information from Google Drive. They all look the same, they are all analyzed in the same manner, and basically, you can decide what kind of information you want to show or view based on the filters, but what you can also do is the ability to cross-analyze those different data from different data sources all together.

Very good. So we noticed that the quick extraction of data, we noticed the data normalization, we also talked about the new Google Location History service. Let’s finalize by showing how you export the data. Let’s say that I want this post, for example, to be exported, I want this file to be exported, this contact, and let’s pick up an event from the location, and I will go to ‘Generate report’, set the location of the report, select folder, and then I will tell Cloud Analyzer that I only want information that I selected in the view, and now I will generate a report.

What we will get is a PDF report that contains two sections. The first section is what we call the extraction summary, but it is mostly used for traceability and authenticity. And what do I mean? For example, you have a unique extraction ID and you have the search warrant that was provided in the first step of the extraction wizard. You have which examiner made the extraction and at what time the extraction started. Also, for each of the other sources that was extracted, you have the data source, the username, what kind of [quick areas] were defined, and even the fact that the login information to those data sources was taken from a user account [indecipherable] package as opposed to taking it from a manually provided username and password, which will also be indicated if that was the case.

But that’s not it – we even go a step further, and we go into the mobile device. In those cases that you took the user account package from the mobile device, we even tell you that this was an account package that was taken from a Samsung Galaxy S device, and the fact that the account package was created on this and that day, and you even have the UFED mobile extraction ID. So basically, you have full traceability from the moment you did an extraction on the mobile to the moment that you did an extraction from the cloud, and if you go into court and use that information, you can show a tracking of exactly what you did, and you can prove that the process that you were taking is correct and the information is relevant and true.

The second piece is the fact that we show the actual… the different information, and the different information… for example, we selected the location, we selected the message, we selected the contact, and we selected an image. You can notice that for the image, we also share the hash. And this is a very important piece that I want to talk to you about. So let me go back into my Cloud Analyzer for a second and let me open, for example, this post.

So as part of the information that we collect for each data element, we also collect what we call the [indecipherable] identifier in the data source. This is the unique ID generated by Facebook, in this case, for this post. So if you go to the Facebook web interface and look for that ID, or you go to Facebook and ask for that ID, you will get the same post. And the reason that I’m sharing this information with you is basically that now you can [validate the two] to be sure that the information that you get from Facebook and the information you get from the tool are matching. And to do so, you have the hash files. So as you can see in the report, for each data element, we have hash files. We show that for images in the report. And then you can run the same hash algorithm that we are using on the content that you took from Facebook and the content that you got from Cloud Analyzer, and see that those hashes match. And eventually this gives you the confidence to go into court and say, “Hey, this data is authentic, this is exactly as it was on the cloud provider.”

So we’ve done the extraction, and we looked into the [indecipherable] report. The last piece that I want to briefly touch on is looking into information from cloud and from mobile all together. And this is done through the UFED Link Analysis solution. So as you notice, I uploaded the extraction from the mobile device, I uploaded the extraction from the cloud. And now, as you can see, both are shown on the same user interface where the PA is… the one from the Physical Analyzer is in blue; the one from Cloud Analyzer is in green. And I can do an investigation across data sources from the mobile and from the cloud all together, and now it becomes, again, that you have all the information in a single place, and you can drill down into the relevant capabilities.

This specific capability will be introduced later this year, so stay tuned and ask our relevant sales account manager when it will be available, because this is a very powerful investigative tool.

Okay. So let’s just briefly review the different steps that we’ve taken here, from the mobile through investigating the data with link analysis. By the way, this is a workflow that we propose – you don’t necessarily need to use that. I am sure that each one of you will develop your own workflow. But this is our initial recommendation for you, that you can use and modify according to your needs.

The first thing you want to do is obviously to seize the mobile device, and obtain a mobile search warrant to look into the data in the mobile. Then you want to extract the mobile and decode outside the account package which contains the list of cloud data sources and the relevant [indecipherable] information. Then, for those of you that will need that step, you would want to go and obtain a cloud search warrant or any kind of legal authority that you need in order to gain access to the cloud. You will then extract the cloud using UFED Cloud Analyzer, and you will export all the data and use all the data from the mobile together [within] Link Analysis to investigate the data and get to your relevant [indecipherable] or [indecipherable].

Finally, just a few steps before we go to your questions, I want to share with you some of the use cases that different customers of ours shared with us with respect to using Cloud Analyzer. I am sure that you have many, many other use cases as well, and we will be happy to hear them if you would like to share them with us.

The first one is related to cyberbullying, and the reason I really like this use case is that it looks into Cloud Analyzer from a different perspective. The most common thinking is to use the suspect’s username and password or to use the login information of the suspect. But here, we had a cyberbullying victim that basically gave permission to use her Facebook credentials in order to download the content, and this content basically contains all the other evidence relevant for prosecuting the suspect, and it is done before this data is actually deleted by the suspect, so time here is very critical. And this is where Cloud Analyzer allows you to gain access into that data instantly.

The second one relates to child pornography, where the police basically raided a childcare facility, and they looked in… with the relevant search warrant, basically, they confiscated the phone and computer of the owner, and before the owner was able to delete the data from Dropbox or from Google Drive, basically the police accessed the data, pulled out all the relevant information from there, and used that information from the cloud to incriminate the user.

By the way, this information, as with other information that we have [discussed], was not available on the mobile device, because you don’t save all your Dropbox on your mobile device. The same goes for your location information and for your Facebook or Twitter messages.

The last use case that I want to share with you is related to major crime, where, after the police responded to an armed robbery, the police arrested two suspects, and investigating the cloud information, and specifically going into the Google location history, they got a minute-by-minute tracking of their movement that eventually provided enough evidence to tie those suspects to a string of deadly robberies – which is huge, again, as I mentioned. Getting the location information is huge because you know exactly where the user was.

The last piece before we jump into your questions. This piece relates to legality or legal aspects. Now, we, as a technology company providing you with a new technology or a new and innovative technology that allows you to gain insight into the cloud, we cannot make, [by any means], a statement about how to legally use it and what kind of procedures you need to take in order to legally use it. On the contrary, we advise you to go to your legal authority and ask them how to use Cloud Analyzer, being a very powerful tool in your toolkit. We can obviously… you know, if you want to share with us how you did it… and some customers already did that with us all across the world, how they eventually built a procedure that will allow them to gain access into the cloud. We will be more than happy to share that with you, and consider with you what kind of steps [that the other] using to gain access to the cloud, but eventually, we are a technology provider with this new and unique and innovative technology that gives you a very powerful tool, and allows you to use it according to your standard procedures.

Good. So now I jump into your questions, [and let’s see] what kind of questions you have. Obviously, you will get all the slides of this presentation, and you will be able to look into the presentation later on in the recording. Let’s see.

Can UFED Cloud Analyzer retrieve a full iOS backup from Apple using Apple ID and password like [indecipherable] can? Not yet, but we are working on it, and later this year we will have this capability to gain access into the cloud, and eventually what it will mean is that you will have one toolkit that allows you to gain information from different cloud data sources, a variety of cloud data sources, utilizing login information from the mobile, which basically allows you to gain quick access into the data even without the consent of the user.

Is there a risk that the cloud service provider detects suspicious activity and notifies the user? Well, this is a very, very good question, and let me share some more information about it. The first thing that you need to know about Cloud Analyzer is the fact that, as we mentioned previously, it doesn’t change any kind of data on the data source itself. So no messages are changed, no location is changed, no metadata is changed. The data is the same as the data that was in the cloud before the extraction. However, since this is a cloud-based data source, basically, access into the cloud data source is being logged. Now, the amount of logging that is generated with Cloud Analyzer depends on the method that you have used and depends on the data source itself.

What do I mean? For example, if you are taking login information from the mobile, as I mentioned, we are mimicking the device, so Twitter and Facebook think that the device is the one that is trying to access the cloud. So from the user’s point of view, if you were to go, for example, to the Facebook security page, and look into recent activities, you will see that this device was trying to access the cloud, which sometimes makes a lot of sense, because those applications get regular and frequent updates from the cloud. For example, Gmail constantly goes into the Gmail server and pulls out the email, which makes a lot of sense. But since we know that this piece of information is very critical for you, we have created a dedicated [recommendation] that specifies for each of the cloud data sources what kind of traces or what kind of alerts the user might get. And my recommendation to all of our customers, as well as to those who are interested in them, in Cloud Analyzer, is to read this documentation, understand what can happen, and decide at the relevant point where to use Cloud Analyzer, when it can be beneficial to you, or when not to use it, where the risk is too high. We are making all the effort that we can in order to leave as few traces as possible, but again, you need to be aware of that, and we share that information with you with great respect.

Let’s see. Some more questions. Is the account package exported from the PA encrypted, or can we get a token directly without Cloud Analyzer? So the account package that we are using from Physical Analyzer is encrypted, and basically, you need to use our container in order to gain access into the cloud.

What formats [are image] of cloud storage downloaded in? We download the data in the format that was available at the cloud provider – for example, if, on Twitter, there was a message, we download the message. If on Google Drive there was a JPEG or there was an MPEG file, we download the file as is. Even if there was a database file over there, we just download it as is, and you can open it with any kind of application installed on your PC.

Let’s see what kind of other questions… How many days does the token remain active for the app? This is another good question, and it’s also documented as part of the documentation. It basically depends on the data source – so, for example, Facebook keeps the login information available for six months, Google is doing that for a couple of months. Again, it’s from the last time that the user logged in. So if the user is constantly logging in, the login information would still be available. But since this is a very volatile case, our recommendation is to do the extraction very close to the point of… extraction from the cloud very close to the point of doing extraction from the mobile, although in some of the cases, we saw that we can extract information from previous months. For example, you’ve seen in this demonstration, I did the account package extraction in March, and these accounts are still active, and I was still able to use the account package in order to gain access into the cloud.

Okay, there is another question, that [in some circumstances], the accused’s devices, like mobile or laptop, were successfully recovered by the police, but an associate of the accused tried to remove the data from the cloud as they were already aware of the accused’s user name. Can it be possible to get data extracted after this? So if the data is deleted, since we are relying on the API, we’ll probably not be able to do much about it. There are some services, for example, Google Drive, that allow us to gain insight into the little data. But if the data is deleted, it also is not saved on the cloud provider. So this might be a problem. This [indecipherable] one of the reasons that you are going to use Cloud Analyzer, because you want to instantly gain access into the data so no one outside will be able to delete the data before. At least you have some kind of snapshot of the information that is currently available.

Are you planning to add more applications into Cloud Analyzer? Yes, obviously. Currently we support Facebook, Twitter, Google Drive, Dropbox, Kik, and Gmail. We are going to add Google Location History very soon, and, as we mentioned, iCloud is also on our [coordinates]. Obviously, we want to make this a one-stop shop for you for gaining access into the cloud, and we would be happy to hear from you what kind of data sources are interesting for you, so we’ll be able to accommodate your requests.

Let’s see. Okay, there is a question: how can we retrieve the data if the suspect deleted his account, and what about the maximum time limit of data retrieval for that person? So in terms of if there is deleted data and the account is no longer available, I’m sorry, this is something that is beyond the scope of Cloud Analyzer. Again, our recommendation is to do it as close to the point of arresting the user and as close to the extraction as you are capable of doing. By the way, this is why, in the next version, which will include Google Location History, we introduced the ability to decode an account package [out of hand] with logical extraction – so basically, it is supported for all extraction types, and therefore what it means is that you can, in the field, do an extraction of the information, a very quick one, do the logical one, and then take out the account package and use that in order to gain access to the cloud. So we want to enable you as quick as possible access to the cloud itself.

About the limitation of how much data you can extract – basically, you can extract as much data as you want. Obviously, it will take the time that is needed to extract the data, but you can extract as much data as you want.

With respect to two-factor authentication, there is a question here, whether we support two-factor authentication. So if we are using login information from the mobile device, as I mentioned, we are mimicking the device itself. So, similar to the fact that you don’t need to use or provide the second factor of authentication when you do it from your mobile app, in the same manner we bypass the two-factor login authentication. So this is where it is so powerful, because basically, you can bypass the two-factor login authentication – if you are using login information from the mobile device. With username and password, it’s a different story.

One point, [indecipherable] this will be my last one before we finalize, is that UFED Cloud Analyzer is a different or another module within our UFED Pro Series. It’s a different module with different pricing. If you already have UFED for PC, you would need to ask your sales account manager how you can get Cloud Analyzer also as part of your package. But it’s another module; it’s not part of the existing tools that you already have today. And as I mentioned, you can get the account package from a file system or physical extraction.

So let me summarize, and again, thank you very much for all your questions. It seems like you are very interested in that, and I am very happy to hear that. Obviously I would be happy to share with you more questions. You can contact me or any of our account managers.

So we discussed today a new and innovative method to gain access into [inaudible] [matter] that was not used before we introduced that, that allows you to perform timely extraction of private user data while forensically preserving the information from the cloud. Then, once information is pulled out, it is normalized into a unified format so it will be easier for you to investigate the data. And then, you can obviously take the next step and share the information, and use that with other analysis tools in order to solve your case from different sources – from cloud, from mobile, and so on.

[In that sense], I would like to thank you very much for your time this morning. I was very, very excited to talk to you, and again, thank you very much for your questions, and I’m looking forward to further talking to you on different channels. Thanks a lot, and have a good day.

End of Transcript
