Cellebrite Full File System - New Release - UFED 7.28  

grizzlydigital
(@grizzlydigital)
New Member

@authoxic Glad I could be of help! Checkm8 has evolved since it came out, and my experience has given me a few interesting anecdotes - I included them at the end, after answering your questions.

Did you mean that you can now extract emails from accounts logged in to the Apple mail app or any 3rd party mail app?

The testing I did when I posted that included phones that had a few emails accounts, and yes Checkm8 successfully parsed 3rd party mail apps.  If you direct message me, I will send you some photos.  

Would it be possible to pull emails from a specific email app such as the Yahoo Mail app or Gmail app using UFED Method 1 and 2?

The full file system extraction successfully identified and included all email accounts on the test phones, and full body messages, dates, times, subject line, etc. 

Or will Method 1 and 2 not pull emails at all? 

Current (as of 9/23/20) Method 1 and 2 extractions will routinely pull emails, but my experience is that the email data Cellebrite pulls is incomplete - it does not contain the body of the email. It will pull the date, time, sender, recipient, and even subject line data, but I cannot recall seeing unencrypted email body messages with Method 1 and 2 extractions; I have seen them with Checkm8. Also, even though Method 1 and 2 do get you the limited data I mentioned, it is incomplete (i.e. not 1:1 as compared to the user's actual mailbox). Why? There are too many variables to render an opinion.

I have run into a scenario where Checkm8 was outperformed by Logical Method 1 & 2. 

The objective was to obtain text messages/chats/SMS/MMS; Logical Method 1 and 2 had been previously run on the phone 6+ months ago and obtained a significant number of messages. The phone was then placed in storage/off state. With the release of (and spreading awareness of) the Advanced Logical Full File System Checkm8 method, it was requested that the phone be reacquired with the new Checkm8 method. However, the Checkm8 acquisition did not collect any messages. Why did this happen? It may have to do with whether the phone is “hot” or “cold” – the recovery of data (especially deleted data) is enhanced if the phone has not been powered off.

Before COVID, while at Cellebrite’s CCO+CCPA course earlier this year, we discussed Checkm8, live file system analysis, and why the best answer to “Can you get deleted texts?” is “…Possibly”.

We covered the fact that Cellebrite can dump a Live File System.  As I understand it, the best methods available by Cellebrite are:

  1. Physical (Only available for iPhone 4 or older)
  2. Full File System (you can Possibly retrieve recently deleted information, but no unallocated space)
  3. Logical

Live: After First Unlock (AFU) “Hot”

  • The phone has been kept on since it was unlocked (not powered off)
  • Encryption keys are still in RAM

Restart: Before First Unlock (BFU) “Cold”

  • The phone has been turned off or battery died (such as when phone is stored or shipped)
  • iOS provides some data

Since the phone’s processor is needed to decrypt data, keeping the processor available is critical after seizure. Since the decryption keys are still present in RAM, we can exploit the phone and access decrypted data. If the phone has been turned off or the battery died, the phone is in a cold state, and only unencrypted data within the file system is available.

Checkm8 is very powerful, and it has its place in the toolbox. For cold cases/old cases, however, it may not provide the expected result of a massive increase in extracted data.

Posted : 24/09/2020 5:43 am
Authoxic
(@authoxic)
New Member

@grizzlydigital

Thanks for all that information! You were finally able to answer the question I had been searching for an answer to, and in great detail; I really appreciate it! Now just one more question if you have time: will UFED Method 1 and 2 be able to get me any attachments on any emails? I believe I read that checkm8 will extract downloaded attachments, but will UFED Method 1 and 2 yield any? Thanks in advance!

Posted : 24/09/2020 6:32 am
grizzlydigital
(@grizzlydigital)
New Member

@authoxic

Here are screenshots for you of the same phone, an iPhone 8; I ran Checkm8 and also ran Logical Method 1 and 2.

These photos show the full body text of a private SMTP email account, as well as attachments. I blacked out some data, but you can even see the full folder structure of the email.

Additional photos show a Gmail account: full body text of the email, but in this example the photo did not show up under "Attachments" and is instead visible in the screenshot as embedded in the email body. These photos are of the same phone, Logical Method 1 and 2 extraction. As you can see, no emails.

I checked one other TEST Logical Method 1 and 2 extraction (an iPhone 6s): no emails or attachments. But a Checkm8 extraction on the same phone identified and parsed full emails with attachments (no photos provided).

I have seen Logical Method 1 and 2 pick up emails, but like I mentioned the body of the email is not available, nor attachments. Cannot post screenshots, those are real cases.
Hope this helps!

EDIT: Cannot figure out how to upload the photos to Forensic Focus. I will PM you.

Posted : 29/09/2020 7:30 pm
trewmte
(@trewmte)
Community Legend
Posted by: @grizzlydigital

EDIT: Cannot figure out how to upload the photos to Forensic Focus. I will PM you.


I noted you have mentioned this a couple of times. Having photos connected to your posts would be helpful.

Here is a free service that allows you to post your photos at FF using various weblinks, depending on the website/forum where you are posting messages.

https://i.postimg.cc/
https://postimages.org/


Examples of images posted previously. Use the Thumbnail and Hotlink for websites. The Forum link seems not to work at FF.

Posted : 30/09/2020 8:43 am
grizzlydigital
(@grizzlydigital)
New Member

@trewmte

Oh man, you are awesome!  Ok great! I will upload the photos 🙂


@authoxic

Here are screenshots for you of the same phone, an iPhone 8; I ran Checkm8 and also ran Logical Method 1 and 2.

These photos show the full body text of a private SMTP email account, as well as attachments. I blacked out some data, but you can even see the full folder structure of the email.


Additional photos show a Gmail account: full body text of the email, but in this example the photo did not show up under "Attachments" and is instead visible in the screenshot as embedded in the email body.


These photos are of the same phone, Logical Method 1 and 2 extraction. As you can see in last photo, no emails.

I checked one other TEST Logical Method 1 and 2 extraction (an iPhone 6s): no emails or attachments. But a Checkm8 extraction on the same phone identified and parsed full emails with attachments (no photos provided).

I have seen Logical Method 1 and 2 pick up emails, but like I mentioned the body of the email is not available, nor attachments. Cannot post screenshots, those are real cases. 
Hope this helps!

Link to gallery of photos:

https://postimg.cc/gallery/Ptg47Hb

Posted : 30/09/2020 6:37 pm
citizencain
(@citizencain)
New Member

@grizzlydigital Just an FYI, the Yahoo app is in a lower protection class than both the native iOS Mail app and the Gmail app. Cellebrite WILL get the full Yahoo mail app even with the PA Adv Logical. But here's the kicker. It doesn't parse it, so most of the time you don't know it's even there. If you know the device has it, a simple search should return the UUID. If I remember correctly, the SQLite db is actually in the containers/shared instead of the normal containers/data path.  🙂 Happy hunting!!!

Posted : 02/10/2020 3:03 pm
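As an added example (not code from this thread, from Cellebrite, or from any mail app vendor), here is a small Python routine that does the "simple search" described in the post above on an already decrypted full file system extraction: it reads each container's `.com.apple.mobile_container_manager.metadata.plist` to map identifiers to container UUIDs under both `Containers/Data/Application` and `Containers/Shared/AppGroup`, then lists SQLite databases by their header bytes rather than by extension. The extraction tree, the identifier `com.example.mailapp` and the UUID names are constructed placeholders, not the real identifiers of any app.

```python
import os, plistlib, tempfile

# Every iOS app container carries this plist; MCMMetadataIdentifier holds the
# bundle id (Data/Application) or the app-group id (Shared/AppGroup).
METADATA = ".com.apple.mobile_container_manager.metadata.plist"
CONTAINER_ROOTS = ("private/var/mobile/Containers/Data/Application",
                   "private/var/mobile/Containers/Shared/AppGroup")
SQLITE_MAGIC = b"SQLite format 3\x00"


def index_containers(extraction_root):
    """Map each container identifier to its UUID directories across both roots."""
    index = {}
    for rel in CONTAINER_ROOTS:
        root = os.path.join(extraction_root, rel)
        for uuid in (os.listdir(root) if os.path.isdir(root) else []):
            meta = os.path.join(root, uuid, METADATA)
            if os.path.isfile(meta):
                with open(meta, "rb") as fh:
                    ident = plistlib.load(fh).get("MCMMetadataIdentifier", "")
                index.setdefault(ident, []).append(os.path.join(root, uuid))
    return index


def find_app_databases(extraction_root, needle):
    """{identifier: [db paths]} for identifiers containing needle; databases
    are recognised by their 16-byte header, so unparsed or oddly named ones show up."""
    hits = {}
    for ident, dirs in index_containers(extraction_root).items():
        if needle.lower() not in ident.lower():
            continue
        for dirpath, _, files in (e for d in dirs for e in os.walk(d)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if fh.read(16) == SQLITE_MAGIC:
                        hits.setdefault(ident, []).append(os.path.relpath(path, extraction_root))
    return hits


def make_sample_extraction():
    """Constructed tree (placeholder app): one Data and one Shared container;
    the only database sits in the Shared container, as the post describes."""
    root = tempfile.mkdtemp()
    samples = {(CONTAINER_ROOTS[0], "1111-DATA"): "com.example.mailapp",
               (CONTAINER_ROOTS[1], "2222-SHARED"): "group.com.example.mailapp"}
    for (rel, uuid), ident in samples.items():
        os.makedirs(os.path.join(root, rel, uuid))
        with open(os.path.join(root, rel, uuid, METADATA), "wb") as fh:
            plistlib.dump({"MCMMetadataIdentifier": ident}, fh)
    with open(os.path.join(root, CONTAINER_ROOTS[1], "2222-SHARED", "mail.db"), "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x00" * 84)  # header-only stand-in for a real database
    return root
```

Run `find_app_databases(make_sample_extraction(), "example.mailapp")` to see that the match comes back from the Shared/AppGroup container and not from the Data/Application one.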
cs1337
(@cs1337)
Member
Posted by: @citizencain

@grizzlydigital Just an FYI, the Yahoo app is in a lower protection class than both the native iOS Mail app and the Gmail app. Cellebrite WILL get the full Yahoo mail app even with the PA Adv Logical. But here's the kicker. It doesn't parse it, so most of the time you don't know it's even there. If you know the device has it, a simple search should return the UUID. If I remember correctly, the SQLite db is actually in the containers/shared instead of the normal containers/data path.  🙂 Happy hunting!!!

Was this reported to Cellebrite support? They are pretty good at making fixes in new versions of UFED PA.

Posted : 08/10/2020 9:51 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Checkm8 based Advanced Logical acquisition is a full file system extraction; it is normal that it contains more information than Methods 1 & 2, which are logical client based extractions!

As for Checkm8 hanging the process, check the extraction log; it will be pretty self-explanatory about what happened. I have seen the same device hang with one cable when doing a Checkm8 based acquisition and then do the full acquisition with another new cable. Nothing else differed in the setup...

If one fails, use another tool 🙂 I simply try the Belkasoft Evidence Center or Oxygen Forensics Checkm8 based extractions, or the Elcomsoft client based full file system extraction on open devices.

Posted : 12/10/2020 9:01 pm