Cellebrite performance vs documentation
My firm just acquired a Cellebrite Touch2 Ultimate and we have been putting it through its paces.
In general, the capability doesn't seem particularly strong vs. what we've been doing using open source methods. We're seeing significant variance between what is supposed to be supported vs what we're actually achieving, also variances between the pure software Physical Analyzer capability vs. the actual Touch2 device capability.
This might be due to the newness and our inexperience with the product, however.
I'm curious as to other people's real world experiences. Is this typical?
For example, we used 4 devices in our initial tests:
1) iPhone 4
2) iPhone 5
3) XT1640 Moto G4 Plus Dual
4) SM-G900M Galaxy S5
All of these are significantly older devices.
The iPhone 4 was "connect to iTunes" locked, so inability to access is somewhat understandable.
The iPhone 5 - we could get no data using the Touch2, but logical extraction via the software package connected to the desktop/Physical Analyzer worked.
The G4 and S5 - Appdata was not accessible, nor were password extraction, Advanced ADB, and a number of other capabilities using the Touch2. We were even told by customer service that a particular Android patch was the cause of some of this. We're in the process of re-running with Physical Analyzer/desktop.
Some possible issues might be the cabling in the kit or the USB port on the desktop.
In any case, I'm very interested in what success (or not) other people have had with Cellebrite.
I'm pretty new to this world and only have Cellebrite experience so far, but here's some input.
Cellebrite teaches to do iOS extractions through Physical Analyzer. There's a dropdown at the top for extractions, and it contains both iOS and GPS options I believe.
Due to the large amount of variance between different phones in the same base model (g900v, g900p, g900m, etc), you may want to try a Samsung generic profile and run different extractions through that. Maybe try Phone Detective and see if that will give you some insight into it.
I have been using Cellebrite UFED 4PC for a year and the best advice I can give you is to extract every way possible, do research about Cellebrite Extraction Methods, and know what you get with each different extraction method. Keep up with the release notes and manuals for the specific tool being used (UFED Touch 2 / UFED 4PC). Here are some tips that might help…
Extract using Cellebrite UFED Physical Analyzer Method 1 and Method 2. Then extract using Cellebrite UFED Touch 2 for the specific model of iPhone 5 (A1453, A1457, A1518, A1528, A1530, A1533, A1456, A1507, A1516, A1529, A1532, A1428, A1429, A1442) using the logical and filesystem option. There are normally three options under filesystem.
XT1640 Moto G4 Plus Dual
Extract device profile (XT1460) logical and file system. If the device is locked, and even if it isn't, use the following path to extract physical via the Qualcomm chipset: Browse manually; type smartphone; select smartphone profile; look for Qualcomm and select Bootloader (recommended) and extract via EDL.
Here are some links to help determine the type of extractions
I can’t look now, but when I researched this earlier today, I believed there was a physical bootloader option for the SM-G900M using UFED 4PC, not sure if it’s there for the Touch 2. Also, as ItsLily stated, you can also extract using the smartphone Android profile and the Samsung generic (CDMA/GSM) profile. I looked and don’t believe that chipset (Qualcomm Snapdragon 801 MSM8974-AC) is supported via the Cellebrite Qualcomm extraction profile.
Just some tips to help.
I can’t look now, but when I researched this earlier today, I believed there was a physical bootloader option for the SM-G900M using UFED 4PC, not sure if it’s there for the Touch 2.
You're right. Bootloader based physical extraction is available.
I've been hit and miss with Cellebrite. With iPhones I always extract through the Physical Analyzer software because it seems to pull more data. It seems to do a good job with these devices.
With Android devices I do a physical if possible or a file system extraction. The FS extraction, which uses Android backup, will many times only get partial data, such as pictures, but many times will not extract SMS and call logs. I usually then swap over to Axiom and can pull all the data without a problem.
I will say that Cellebrite has some good features, such as physical acquisition, device unlock, and the ability to do a partial FS extraction even when the device has a passcode (with some phones).
The steps I've taken are to perform all available extractions even though it may be duplicate data. As for missing call logs and SMS/MMS, you would need to perform a logical via UFED4PC or UFED Touch to get the data.