Cellebrite Full File System - New Release - UFED 7.28

23 Posts
11 Users
5 Likes
9,456 Views
(@cs1337)
Posts: 83
Trusted Member
Topic starter
 

For all the Cellebrite users out here….

I'm curious on how everyone is handling workflow with the recent release of Cellebrite Full File System compatibility using Checkm8 exploit.

In testing it can take 8 hours or more to run (depending on iPhone size) so performing an extraction like this while on-site doesn't seem feasible (especially if the client is waiting to get the phone back)

Also I noticed it is only compatible with certain iOS versions of 12+.

Are you all updating the iOS after your collection and re-collecting? Are you manually jailbreaking the devices?

 
Posted : 27/01/2020 7:09 pm
(@the_grinch)
Posts: 136
Estimable Member
 

I know we would definitely not update the phone to a supported version of iOS. Could only imagine trying to defend that on the stand…

 
Posted : 27/01/2020 9:35 pm
(@cs1337)
Posts: 83
Trusted Member
Topic starter
 

I know we would definitely not update the phone to a supported version of iOS. Could only imagine trying to defend that on the stand…

Exactly, I was thinking the same thing. I'm curious if people are jailbreaking the phones on their own.

 
Posted : 27/01/2020 11:09 pm
(@armresl)
Posts: 1011
Noble Member
 

That is assuming that it makes it to that point.

Anything you do which you know how to do and the intricacies of can be explained to a judge, jury, detective, investigator, prosecutor, attorney.

In addition, to that, you may be finding exculpatory evidence which someone else who didn't want to take that step wouldn't find.
Or you may find proof of fact which may sink the case.

I know we would definitely not update the phone to a supported version of iOS. Could only imagine trying to defend that on the stand…

 
Posted : 28/01/2020 3:56 am
grizzlydigital
(@grizzlydigital)
Posts: 14
Active Member
 

@cs1337

I posted this on Linkedin on Sunday, here are my notes so far

Had first chance using the new checkm8 Advanced Logical Full File System acquisition of an iPhone.

- iPhone 8 - 64 GB capacity running OS 13.1.3
- Available space 48.49 GB
- Yes, I had access to the phone PIN passcode

As you can see in the photo included below, the phone shows a 40.74 GB extraction as it's in progress. In total the Physical checkm8 collected a .dar that was 19.8 GB.

I ran Logical Method 1 in Physical Analyzer
Ran Logical Method 2 in Physical Analyzer
Opened Physical Analyzer and loaded Method 1 and Method 2, generated UFDR report.

Next i took same test phone and opened UFED 4PC and went to Advanced Logical then Full File System Checkm8.
Put phone in DFU mode
When it finished, loaded in Physical Analyzer and generated UFDR report.

Here is what was collected

Logical Method #1 .tar - 4.55 GB
Logical Method #2 .tar - 3.46 GB
Physical checkm8 .dar - 19.8 GB

Here are photos of comparison.

On the left is combined Logical Method 1 & Method 2. On the right is Full File System using UFED. What a difference -50,000 more images, web history, and…it picked up email.

Also ran same test on an iPhone 6, with similar results. Will post once I have time to do more testing on other phones.

Checkm8 will aid forensic examiners using Cellebrite in getting access to low level storage, log files, and history that has previously been unavailable for collection. Still cannot access unallocated space as @Rasmus mentioned in linkedin thread.

Have not tested on a locked phone yet - they discuss in detail in link below. Link also contains the different iPhone models and iOS that can be exploited by checkm8.

This helped me get started
https://www.cellebrite.com/en/blog/a-practical-guide-to-checkm8/

Rory

Tried posting pics but they won't load properly, so here is a link to the photos I discussed.
https://www.linkedin.com/posts/rory-montez-543850118_ufed-checkm8-axi0mx-activity-6627110338984841216-qpiQ

 
Posted : 28/01/2020 7:37 am
(@rich2005)
Posts: 535
Honorable Member
 

Are you all updating the iOS after your collection and re-collecting? Are you manually jailbreaking the devices?

No and no.

 
Posted : 28/01/2020 8:50 am
(@cs1337)
Posts: 83
Trusted Member
Topic starter
 

thank you for the info grizzlydigital!

 
Posted : 28/01/2020 3:20 pm
mjpetersen
(@mjpetersen)
Posts: 12
Active Member
 

I am curious, how did you add the dar file into PA? Did you just select the ufd file or select the dar artifact? Did you break the dar file into chunks or keep it as a flat file?

I created a dump from the UFED touch to a USB and made the files into 2GB chunks. When I brought it into UFED PA, i had to carve to get the data.

Thanks

 
Posted : 28/01/2020 5:32 pm
mjpetersen
(@mjpetersen)
Posts: 12
Active Member
 

Regarding the dar files and UFED PA, if you're interested. Do not make the target USB FAT32. By default, the USB drive that I used was a brand new, 128GB FAT32 drive, plugged into the Cellebrite UFED Touch2 with 7.28.2 installed. The Touch extracted the files to the drive, however the files were broken into 2GB chunks. When I opened UFED PA and selected the ufd file from the extraction, it only processed the 1st dar file (examination of the udr file noted all the dar parts, however it only examined the 1st dar file), giving you less than expected results.

I re-acquired the iPhone using the UFED Touch, but this time to another PC (Windows 10 as noted from Cellebrite), from which I had an 18GB flat dar file. Opening the file using UFED PA parsed the data beautifully. I went back and formatted the drive exFAT and re-performed the extraction, and voilà, an 18GB dar extraction. Lesson learned.

When I re-examined the flat 18GB extraction, no problem. I have notified Cellebrite of this issue.

This is why, when a new tool comes out, you should test your software on test material rather than be in a position where your test is the real thing. Yes, this was a test case.

 
Posted : 30/01/2020 2:45 pm
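The post above describes a chunked extraction where the analyzer silently consumed only the first part. A check an examiner can run before loading a multi-part image is to confirm the chunk set is complete, reassemble it into one flat file, and record a hash that matches the parts hashed in order. The script below is an added example, not code from the thread or from Cellebrite: the `phone.dar.001` style of chunk naming is an assumption (the thread does not say how UFED names its parts), and the sample chunks are constructed in a temporary directory so it runs offline.

```python
"""Reassemble a chunked forensic image and verify it before parsing.
Added example. Chunk naming (<base>.dar.001, .002, ...) is assumed,
not taken from the thread or from the tool itself.
"""
import hashlib
import os
import re
import tempfile

# Assumed layout: phone.dar.001, phone.dar.002, ... (hypothetical naming).
CHUNK_RE = re.compile(r"^(?P<base>.+\.dar)\.(?P<idx>\d{3})$")
BUF = 1 << 20  # 1 MiB read buffer


def find_chunks(directory):
    """Map each base image name to its chunk paths in index order.
    Raises ValueError if an index is missing, so a gap is never skipped."""
    groups = {}
    for name in os.listdir(directory):
        m = CHUNK_RE.match(name)
        if m:
            entry = (int(m.group("idx")), os.path.join(directory, name))
            groups.setdefault(m.group("base"), []).append(entry)
    result = {}
    for base, parts in groups.items():
        parts.sort()
        got = [i for i, _ in parts]
        expected = list(range(1, len(parts) + 1))
        if got != expected:
            raise ValueError(f"{base}: chunk indices {got}, expected {expected}")
        result[base] = [p for _, p in parts]
    return result


def reassemble(chunk_paths, out_path):
    """Concatenate chunks in order into out_path.
    Returns (total_bytes, sha256_hex) of the flat file as written."""
    h = hashlib.sha256()
    total = 0
    with open(out_path, "wb") as out:
        for path in chunk_paths:
            with open(path, "rb") as f:
                for block in iter(lambda: f.read(BUF), b""):
                    out.write(block)
                    h.update(block)
                    total += len(block)
    return total, h.hexdigest()


def verify_against_parts(chunk_paths, total_bytes, digest):
    """Independent cross-check: the part sizes must sum to the flat size and
    hashing the parts in order must give the same digest. A truncated or
    reordered part fails this check."""
    if sum(os.path.getsize(p) for p in chunk_paths) != total_bytes:
        return False
    h = hashlib.sha256()
    for p in chunk_paths:
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(BUF), b""):
                h.update(block)
    return h.hexdigest() == digest


def demo():
    """Constructed sample: a fake 11,234-byte image split into 5,000-byte
    chunks. Returns (verified_ok, gap_detected_after_removing_a_part, size)."""
    with tempfile.TemporaryDirectory() as d:
        payload = b"A" * 5000 + b"B" * 5000 + b"C" * 1234
        size = 5000
        for i in range(0, len(payload), size):
            name = os.path.join(d, f"phone.dar.{i // size + 1:03d}")
            with open(name, "wb") as f:
                f.write(payload[i:i + size])
        parts = find_chunks(d)["phone.dar"]
        flat = os.path.join(d, "phone_flat.dar")
        total, digest = reassemble(parts, flat)
        ok = (total == len(payload)
              and digest == hashlib.sha256(payload).hexdigest()
              and verify_against_parts(parts, total, digest))
        # Delete the middle part: the gap must be reported, not parsed around.
        os.remove(parts[1])
        try:
            find_chunks(d)
            gap_detected = False
        except ValueError:
            gap_detected = True
        return ok, gap_detected, total


if __name__ == "__main__":
    print(demo())
```

Reassembling does not make the analyzer read the parts; as the post notes, the fix on the acquisition side was an exFAT destination or a PC target. What the check gives you is evidence, before parsing, that every part is present and that the flat file you hand to the tool is byte-for-byte the set of parts, with a digest to carry into the notes.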
(@jadams951)
Posts: 37
Eminent Member
 

Anyone had issues using the checkm8 exploit using Cellebrite to get the full file system extraction? Have a 6+ that gets to about 13% then goes no higher. Shows still running but never gets past 8.69GB after several hours. Left it running when I left work so I hope it gets past whatever is holding it up.

 
Posted : 31/01/2020 1:22 am