Hi everyone,
I physically imaged 2 mobile phones, i.e. Nokia C3-00 and Motorola V3xx, using UFED Cellebrite. Apart from analyzing the standard files, SMS and contact numbers, I was also requested to analyse:
- If the phones have been tampered with or imaged before?
- Identify if the data in the phones have been extracted in any way.
- Has the phone been bugged with GPS software, so the location can be detected?
I have looked at each file one by one; there are a lot of files in there but I couldn't find any clue to identify such information. My question: is it possible to do such analysis on the mobile phones, and how?
Any help will be greatly appreciated.
Thanks.
I asked UFED technical support and they said that it is not possible.
I asked UFED technical support and they said that it is not possible.
With no disrespect intended to UFED technical support, unless UFED are now adding 'clairvoyance' to the UFED system and they have a new tool called 'psychic', how on earth are they claiming they know the answer above for certain?
You have the handset and presumably you have not disclosed the physical image to them have you?
If I disclosed the physical image to them, they would know the answer?
Which information should I give?
As far as if the phone has been imaged before that would largely depend on the method that may have been used.
If it was imaged by a competent operator with a non-invasive method (i.e. no jailbreaking or similar) then the previous imaging process should indeed be undetectable.
Same goes for if the phones have had data extracted, as the process is pretty much the same, again using good software and sound methodology.
With regards to the GPS bugging, that would come down to a manual inspection of every single app or piece of software which accesses the GPS and trying to figure out if anything weird is going on. Well beyond me, maybe some of the guys with programming knowledge might be able to offer advice there, but UFED, XRY don't offer that level of app support or breakdown to my knowledge.
If I disclosed the physical image to them……
On that basis, you have actually answered the point I was making to you, awiwoho. From what you are confirming it infers that when you asked [them], apparently without seeing any evidence or investigating imaged content, the response you got was negative.
This could, though, be doing an injustice to Cellebrite UFED as I wasn't present at your discussion, and it might simply be, awiwoho, that the person you spoke to has experience in a different area and not the area in which you seek help. You will find from time to time that skills for data recovery do not amount to having knowledge and skills in relation to forensics, data analysis, investigation and/or evidence.
Which information should I give?
awiwoho, do your organisation's policies, practices and procedures allow you to distribute evidence to a party not engaged and instructed in the matter under investigation?
Perhaps Ron from Cellebrite would be kind enough to put me right, if I have misunderstood the points raised by the OP, and post at FF confirmation:
1) In an image obtained by UFED does it contain any 'objects'/'artefacts' of any previous tampering or imaging activity on a particular handset that is discernable from analysis of the UFED image?
2) What 'objects'/'artefacts' should awiwoho be seeking in the content recorded in the UFED image?
3) Where would awiwoho find in the UFED image these 'objects'/'artefacts' (e.g. Index offset etc)?
4) With regard to 'objects'/'artefacts' that may be found in an UFED image obtained from particular handsets; the relevant handsets in question are those mentioned by awiwoho
4a) Nokia C3-00
4b) Motorola V3xx
Hope that helps