Reviewed by Clark Walton
In January 2014, I took both the Cellebrite Certified Logical Operator (CCLO) and Cellebrite Certified Physical Analyst (CCPA) trainings in a one-week course held in Washington, DC and taught by Cellebrite Certified Instructor, Joe Duke. The CCLO and CCPA are required predicates for Cellebrite Certified Mobile Examiner (CCME) certification, Cellebrite’s “capstone” forensic examiner certification. The course trains investigators and examiners to perform file system extractions, physical extractions, password bypasses and the advanced analysis of evidentiary items using the UFED Physical Analyzer software.In June 2015, I took Cellebrite’s half-day review for the CCME examination. I then took and passed the CCME certification that same day. The aim of these three certifications, each building upon one another, is to determine proficiency and mastery of mobile device forensics and examination using Cellebrite’s first-in-class forensic tools.
Even with prior training in the field, from start to finish I found Cellebrite’s training invaluable in both understanding the fundamentals of how mobile devices work, the principles of capturing, examining and testifying to digital evidence, as well as the practicalities of operating the Cellebrite Universal Forensic Extraction Device (UFED) Touch and the UFED 4PC software program. Though the CCLO and CCPA courses are now offered online, I took them in person and appreciated the hands-on work afforded by the experience, as well as the ability to have the instructor there in front of me to answer complex questions and troubleshoot issues.
The written manuals and materials provided for each course are also useful and impressive. For each course, I received tabbed printed binders and appendices covering every slide and every step of all processes covered in the CCLO and CCPA courses. Even two years out, I still refer to these to this day when I encounter unique issues examining mobile devices with Cellebrite.
Cellebrite Certified Logical Operator (CCLO)
The CCLO course represented the first two days of the course (my training program ran the courses back-to-back, with CCPA following immediately after CCLO). Joe Duke, our instructor, stepped carefully through each module of the program (8 overall), in each case mixing in real world examples of certain points and giving practical pointers that may not have been as impactful if merely delivered in written form. The big picture areas covered in the course were as follows:
1. Introduction (General course administration, materials, and the like.)
2. Mobile Device Technology Overview and Trends (A general overview of mobile devices, different form factors for mobile devices, the underpinnings of mobile and wireless technology and how data is stored on such devices. Discussion of factors shaping the changes in technology, mobile data volume, and trends in applications, their development and impact on forensics.)
3. Forensic Science and Mobile Devices (Overview of the importance of, and the procedure of, best practices, techniques and documentation related to forensics and mobile devices. Emphasis on preservation of evidence and maintaining integrity of evidence.)
4. UFED Touch Overview (General “tour” of the UFED Touch device and its features. Aside: I primarily use UFED 4PC in my practice and still found this useful and applicable. Even if your organization uses UFED 4PC, understanding the Touch device is still of great value).
5. Logical Analyzer (Using Cellebrite’s Logical Analyzer software program to open and work with logical device extractions. Seasoned Cellebrite users will note that Logical Analyzer is a limited version of Physical Analyzer, covered in the CCPA course).
6. Generating reports with Cellebrite’s tools and using the UFED Reader.
Each module is supported by hands-on action steps as well as handouts to support these practical exercises. The action steps included real-world practical problems such as using Cellebrite’s Phone Detective software to identify certain devices, obtaining logical extractions of mobile devices, cloning SIM cards, extracting SIM cards and passwords, and advanced searching in Logical Analyzer.
Competency of the subject matter was tested at the end of the two-day course with an examination involving written and hands-on exercises to earn the Cellebrite CCLO certification.
Cellebrite Certified Physical Analyzer (CCPA)
The CCPA course represented the second part of the week, approximately three days of training. The CCPA course, as it should be, is a much more in-depth, intensive look at raw data captured from mobile devices – the “physical” extractions of devices requiring an understanding of binary code, of hexadecimal representation, and ultimately of other types of encoding commonly found on phones such as Short Messaging Service (SMS) Packet Digital Unit (PDU) encoding.
The layout of the CCPA course is similar in format to that of the CCLO course, but again, diving deeper into the layers of data stored on a mobile device, and how to analyze that data – not only the “low hanging fruit”, but other layers of data that may be less obvious. The course included the following sections, to the extent not covered in the CCLO training:
1) Media system files and encoding (exploring various mobile file systems, “flash” memory, and types of data encoding).
2) An overview of the UFED Touch and Cellebrite Physical Analyzer software.
3) Advanced searching techniques.
4) Verification and validation of technical findings (particularly valuable, I believe, for those who expect to be testifying on what they find).
5) Reporting on technical findings.
In each case, as with CCLO, the instructor had real-world examples to back up many of the points addressed in the training modules. The Step Action tables for CCPA also emphasized tangible exercises to allow students to perform many of the concepts addressed in the course, including but not limited to data “carving”, malware scanning, reviewing various types of physical device images, and more complex searching functions.
The testing to ultimately obtain the CCPA certification consisted of a combined paper examination and hands-on examination of physical extractions of several types of devices. I found the testing to be fair and straightforward, and the CCPA course adequately prepared me for the concepts tested.
I’ve personally found Cellebrite’s “capstone” examiner certification, the CCLO and CCPA courses, are invaluable in getting the most out of the Cellebrite suite of software (in addition to being prerequisites for the CCME certification). Cellebrite’s UFED Series is user-friendly, enabling users to intuitively follow the instructions and analyze “low hanging fruit” from a large set of mobile devices in the wild. However, to truly perform rigorous digital forensic analysis, and to testify findings in court from a Cellebrite-based examination, I personally could not imagine undertaking such tasks without having the classroom and hands-on training afforded by Cellebrite’s CCLO and CCPA certification training programs. Our firm continues to use the finer points of mobile analysis learned in those courses, on a daily basis. I truly recommend Cellebrite’s Training Program & Certification to all user levels, from beginners to advanced mobile forensic examiners.
Clark Walton, EnCE, CCME, is the principal forensics and cyber security expert for Reliance Forensics, and a licensed North Carolina attorney. Walton is a former state and special federal prosecutor, as well as a former cyber threat analyst and technical project manager for the US Intelligence Community. In that role, Walton briefed at the White House and provided written intelligence analysis to high level consumers including the Director of the FBI, the Attorney General of the United States, and the Office of the Secretary of Defense. You can follow him on Twitter @clarkwalton. He can be reached at [email protected].