Validation
mrpumba
(@mrpumba)
Estimable Member
Joined: 15 years ago
Posts: 116
Topic starter  

I recently posted to the Forums/Mobile Phones list a question if anyone validates their cell phone/computer equipment. It appears 100% of those who took the poll validate their equipment, or at least for the list's sake, "say" they validate. ;) Now the question is how do you verify your equipment and the steps included. If anyone has a white paper or a good site to dive further into this question, please attach a link.

(@yunus)
Estimable Member
Joined: 17 years ago
Posts: 178
 

I always get phones examined by at least two different systems and compare the results.

So, I never give my report based on only one output from one particular mobile phone examination device and always compare the results from another tool, like Cellebrite vs Oxygen Forensic Suite vs Mobile Edit. And it is quite often that there are differences in the interpretation of data, especially when it is a physical examination.

I even had a case where a SIM card examination produced different results in different tools. One was not able to get the call list from the SIM card while the other did. For instance, Cellebrite cannot even extract multimedia messages even if they are present inside the phone.

So, no mobile phone examination is perfect unless verified by two different tools or methods.

(@ebwahlberg)
Eminent Member
Joined: 17 years ago
Posts: 34
 

Just to play devil's advocate, if you are getting two different results how does that validate either?

Eric

(@eyez0n)
Eminent Member
Joined: 18 years ago
Posts: 29
 

The Computer Forensic Tool Testing (CFTT) program at NIST provides a very comprehensive mobile device validation process that you may find useful. You can find it here:

http://www.cftt.nist.gov/mobile_devices.htm

Good luck!

hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
 

I'm quite new to the field of mobile forensics. With any luck I'll get my Cellebrite certification next week so I need to ask. I fully understand that one should use more than one tool if at all possible, but currently the only thing I have is a Cellebrite.

If Validate means to confirm, could I not validate the device's results by having the same phone run through two different machines (search criteria being the same) and comparing the hash values? If that were acceptable, do any of you feel that the "Validation" could be accomplished by just running one handset/one SIM, or would you try two or three?

Is there a better way to validate the results, and what might the frequency be, semi-annual or quarterly?

Thanks!

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

> If Validate means to confirm

Validation involves assessment; verification provides the means to confirm whether something is or isn't.

http://www.trewmte.blogspot.co.uk/2012/03/examination-techniques5-validation-and.html

mrpumba
(@mrpumba)
Estimable Member
Joined: 15 years ago
Posts: 116
Topic starter  

> The Computer Forensic Tool Testing (CFTT) program at NIST provides a very comprehensive mobile device validation process that you may find useful. You can find it here:
>
> http://www.cftt.nist.gov/mobile_devices.htm
>
> Good luck!

EyezOn, thanks for providing the link for the topic at hand. With that said, I glanced at the document provided by CFTT posted by EyezOn and it appears validation is confirming. From what I can gather from the analysis conducted by CFTT, after an analysis/capture of a cell phone has been conducted, the examiner confirms the data extracted to at least one file on the phone.

I was more under the assumption that a confirmation would be in line with what Yunus explained. However, this may be one technique. I did conduct a test using Cellebrite and Secure View3 with a Motorola I530, capturing the phone book data.

After the analysis was completed, I compared the data captured, which was the same; however, the MD5 did not match??? I cannot explain what the cause of this was, but maybe, just maybe, the algorithmic formula is different??? And as stated previously, even though the MD5 did not match, the data was the same.

Any thought on this……..

hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
 

mrpumba,
Do you have access to a second Cellebrite or a second licensed copy of Secureview to run an experiment with?

Greg,
If Validation involves assessment, then how does one assess a Cellebrite? Moving away from the words "Validate" or "Verification", how does one confirm that the device itself is working properly? I'm sure everything on the market, to some extent, has some sort of internal diagnostics, but I think there is a bigger picture here. Just because a piece of equipment/software doesn't spit out an error message, IMO, doesn't mean that it is functioning properly.

Using the Cellebrite example, how does one assure that the data extracted will equal data extracted from another machine, providing that the versions and search parameters are the same? In theory, if I have one phone and run it through 2 or 10 Cellebrites, shouldn't the data extracted be the same each time?

I think, if at all possible, it is a good practice to try and compare results from one machine to another, but many users don't have easy access to another device. For those that may, do you feel it gives any extra credibility to the results if the machine is periodically tested against another?

I think this would be best discussed over a wee dram of Irish Whiskey, but we'll have to rely on the forum for right now 😉

mrpumba
(@mrpumba)
Estimable Member
Joined: 15 years ago
Posts: 116
Topic starter  

hcso1510,
I recently read an article regarding validation or verification. In this article it discussed how one validates or verifies an extraction?? Very easy: the examiner will need to compare the data collected from the extraction device to what is on the phone. In a sense, compare the data on the phone with the data from the report, and if they are the same, you have achieved validation/verification. Seems kinda simple considering what a technical world we live in (especially our world).

This makes some sense to me, but I'm not sure if this is correct. I have been looking for case law regarding validation/verification, but have been unsuccessful thus far. I will continue to look for an acceptable answer and post accordingly……

As an FYI, I conducted 3 test markings with one cell phone using SV3 twice and Cellebrite once. I compared the MD5/SHA1 results and found that they don't match between SV3 and Cellebrite. However, the SHA1/MD5 collected from the SV3 on both extractions matched.

The order of analysis was SV3, Cellebrite, SV3….. Your thoughts.

ps - more of a draft man…..lol

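The hash pattern reported in the two posts above (SV3 vs Cellebrite hashes differ, SV3 vs SV3 hashes match, yet the phone-book content is the same) is what you get when the hash is taken over each tool's report file rather than over the extracted records. The example below is added here and is not from any poster or tool; it uses two constructed, hypothetical export formats (a CSV and a JSON file, not real Cellebrite or SV3 output) to show the difference between a report-file hash and a tool-independent content hash, and to produce the record-level differences an examiner would need to explain.

```python
import csv
import hashlib
import io
import json

# Constructed sample exports of the same phone-book data as two hypothetical
# tools might write it (not real Cellebrite or SV3 output formats).
TOOL_A_CSV = "Name,Number,Type\nAlice Smith,+1 555 0100,Mobile\nBob Jones,+1 555 0199,Home\n"
TOOL_B_JSON = json.dumps({
    "tool": "B", "extracted": "2012-04-01T10:00:00",   # tool metadata alone changes the file hash
    "contacts": [
        {"name": "Bob Jones", "phone": "1-555-0199", "kind": "home"},
        {"name": "Alice Smith", "phone": "1-555-0100", "kind": "mobile"},
    ],
})

def report_hash(text: str) -> str:
    """Hash of the report file as a tool wrote it: covers layout, order and metadata."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def normalize_number(raw: str) -> str:
    """Keep digits only so '+1 555 0100' and '1-555-0100' compare equal."""
    return "".join(ch for ch in raw if ch.isdigit())

def parse_tool_a(text: str) -> set:
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Name"].strip(), normalize_number(r["Number"]), r["Type"].lower()) for r in rows}

def parse_tool_b(text: str) -> set:
    contacts = json.loads(text)["contacts"]
    return {(c["name"].strip(), normalize_number(c["phone"]), c["kind"].lower()) for c in contacts}

def content_hash(records: set) -> str:
    """Hash of the normalised, sorted records: independent of which tool produced them."""
    canon = "\n".join("|".join(r) for r in sorted(records))
    return hashlib.sha1(canon.encode("utf-8")).hexdigest()

def compare(a: set, b: set) -> dict:
    """Record-level comparison; the two lists are what a reviewer must account for."""
    return {"match": a == b, "only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}

if __name__ == "__main__":
    a, b = parse_tool_a(TOOL_A_CSV), parse_tool_b(TOOL_B_JSON)
    print("report hashes equal: ", report_hash(TOOL_A_CSV) == report_hash(TOOL_B_JSON))
    print("content hashes equal:", content_hash(a) == content_hash(b))
    print(compare(a, b))
```

Two runs of the same tool in the same format reproduce the same report hash, which is why the two SV3 extractions agreed with each other but not with Cellebrite; only the content hash or the record-level comparison says whether the extracted data itself agrees.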
mrpumba
(@mrpumba)
Estimable Member
Joined: 15 years ago
Posts: 116
Topic starter  

Also….no second SV3 or Cellebrite. I see where you are going with that, good thinking.
