Reviewer: Neil Beet, Blue Lights Digital
The Cellebrite UFED Series has been our mobile device forensics product of choice over the past few years, both in the law enforcement environments we previously operated in, and now at Blue Lights Digital where we conduct complex digital investigations on behalf of our clients whether criminal, civil or corporate. We have found that when performing both roles, the products have proved good value for money, are simple to use and remain focused on the investigative need throughout.
Where we have been continually challenged throughout our investigations is in the field of Cloud Forensics, where clients are seeking to obtain information that is not available within the device downloads but that a user would routinely have had access to, and been authenticated for, on their mobile device. Examples of such data include web based email accounts, instant messaging services and social media networks. When accessed swiftly and effectively, cloud based evidence has regularly proven to be the elusive ‘smoking gun’ in a digital investigation, often providing the key evidence in both criminal and civil cases. Never has this been more the case than recently, in the aftermath of the Paris attacks. Communications and files located in cloud based storage and communications platforms have been crucial in initially identifying offenders and then subsequently investigating and locating evidence to demonstrate involvement, intention and, crucially, their links to individuals and extremist groups (Breitbart).
It has also been critical in other high profile terrorist cases, helping to identify the rationale and objectives of the attackers in the San Bernardino Shooting in the US (Vox).
It was also demonstrated this week in the UK as crucial in initially intercepting then subsequently convicting extremists planning an attack on London on the 10th Anniversary of the 7/7 attacks (BBC).
There are also immense benefits to being able to access such material in other areas. The use of evidence from cloud based sources is becoming mainstream in day to day investigations across different disciplines including:
These cases demonstrate the significant benefits that access to cloud based information, intelligence and evidence can bring to an investigation, but cloud forensics poses a number of challenges to an investigator and their organisation.
Challenge of Cloud Forensics
This challenge is being faced by investigators across the world, whether operating in a law enforcement environment or in defence, legal, banking and other sectors. Transparency Market Research recently published a report, titled “Digital Forensics Market – Global Industry Analysis, Size, Share, Growth, Trends and Forecast 2015 – 2021”, in which it predicted that Cloud Forensics would witness significant growth in the next few years as law enforcement and corporate organisations seek to tackle the surging cybercrime trend around the world.
Traditionally digital forensic practices, training, frameworks and products from the leading providers have been purposely aimed at forensics being conducted in a sterile environment, working offline and restricting the capability of a device to communicate with a network to prevent data loss. These processes were conceptualised and documented prior to the development of cloud computing being made available to every user – whether they are aware of the fact that they are using cloud based services or not – and therefore can fail to meet the complex needs of an investigator managing a case with multiple sources of digital evidence.
Conducting digital forensics in a cloud environment also presents new challenges where the data of interest is beyond that which is located in the physical device being examined at a scene or in a laboratory. This data is often fragmented and distributed across a global network of storage locations at the behest of the service provider and so is beyond any computing environment that can be accessed or controlled by a forensic investigator in the same way physical network architecture once could. Historically requests to access data from international service providers would have been managed through mutual legal assistance processes, but these have regularly proved cost and time prohibitive to an investigation, and when defined were not designed to cope with the demand that results from the majority of investigations now having a digital footprint and therefore requesting access to digital evidence.
Cloud Forensics is also where the world of Digital Forensics begins to fuse with Online or Open Source Investigations, and the boundaries of each begin to blur. Whilst both tactics hold very similar principles in the way that specialists search for, acquire and analyse data, they have in our experience historically been performed by different individuals with different objectives. Online investigation has tended to be a manual process and delegates are often still taught to capture evidence through relying on manual navigation through page after page of information, capturing evidence with screen grabs and recording rationale and context for each independently. There has not been a single product that effectively amalgamates both of these complex disciplines… Until now.
Cellebrite UFED Cloud Analyzer
The Cellebrite UFED Cloud Analyzer sets out to address these challenges and more, and aims to provide practitioners with instant extraction, preservation and analysis of social media accounts, cloud-based file storage solutions and other cloud-based account content.
Given our passion in this area, we were incredibly keen to get our hands on this solution and test the capability of the product. Here are our thoughts.
Purchase & Set Up – What should be noted is that the UFED Cloud Analyzer is not a module within another UFED product, but is rather a product by itself, complementary to but not included within the other existing UFED products.
Positioned within the UFED Pro series, this additional capability is offered as a separate solution with a separate pricing and packaging structure.
This also means however that the UFED Cloud Analyzer can be deployed as a standalone solution, and so while in our opinion it performs best when utilised alongside the other UFED Pro series products, it is available to be used and would be effective as a lone deployment to investigators with a targeted objective of the recovery of information hosted in a cloud environment.
Installation of the Cellebrite UFED Cloud Analyzer onto our standard forensics device was as straightforward as expected.
The product installation, guidance and licence key were received physically following our order in the familiar and distinct Cellebrite packaging. Once the software was installed, entering the licence key affirmed the legitimacy of the user licence and the product was ready to use.
Performance – The version of Cloud Analyzer we tested in the drafting of this review was 220.127.116.11.
The testing undertaken was conducted throughout on a medium specification machine:
• AMD A10-5745M 2.1 GHz Processor
• 8GB of RAM
• Windows 10 OS.
Testing throughout was conducted on differing internet connection speeds ranging from High Speed Fibre Optic broadband through to tethering from a poor 3G Mobile device connection. Whilst the speed of connection and extraction of data varied as expected, the performance of the software remained reliable.
Throughout the entire end to end process of selecting our chosen data sources, extracting data from the service providers, reviewing the information within the programme and finally exporting reports, the software was found to function quickly with no lag or lengthy delays at any time.
Ease of Use – As a team who have been involved in software design and build for digital investigation solutions, we have often been critical of other products used by investigators that are involved in the acquisition and analysis of digital evidence for the complexity of their user interface. We are believers that providing complexity to a user is simple to deliver but that delivering simplicity to a user through carefully considered UI and UX is complex but incredibly beneficial when it comes to product adoption and scale.
We were pleased to see that Cellebrite had retained their traditional clean and simple design principles in the UFED Cloud Analyzer that is familiar to experienced UFED users but also very easy to get to grips with for new users.
The software and each step in the extraction process is clear to navigate with a simple root structure that is consistent through the different process steps in the solution, from initial definition of extraction criteria through to data analysis and export.
Setting Up Extraction – The opening screen that a user is presented with in the solution is the Investigation Creation Screen. This is a logical first step for any experienced investigator and presents them the opportunity to define the criteria under which the investigation will be recorded, covering:
– Details of the User
– Details about the Investigation
A great feature that we noted at this early stage was the ability for an investigator to define the time zone under which they are operating their investigation. Whilst a small and simple item to define, this has significant benefits as all dates and times are standardised to the chosen time zone when presented to a user following extraction of evidence. This cuts down the time spent processing times and dates manually and reduces the likelihood of the types of user errors that have occurred in so many other investigations.
Once it has been defined, all of this information is carried by the software throughout the investigation and is automatically included in reporting interfaces and extraction reports later in the investigation process.
The next screen prompts the user to ‘Enter the Search Warrant Number’ for the relevant case. It is important to note that this is not a mandatory field and can be bypassed by the user if they choose to do so. At first the wording of this screen confused us, given that the UFED Cloud Analyzer may often be used by law enforcement without the need for a Search Warrant, depending on the use case and jurisdiction under which the solution is deployed.
Perhaps a screen that prompted the user to enter a generic reference / authorisation / legal power to complete the extraction would be more applicable and scalable to a wider user base.
That said, we did like the prompt to consider the legislative framework under which the tactic of searching, extracting and analysing cloud data sources is being deployed. However, this review is not designed to discuss legislative jurisdictions, authorisation levels and the different use cases where such a tactic can be implemented, but purely to review the capability of the solution.
Identifying Data Sources – The next stage of the process is to define the data sources that as an investigator you wish to extract using the system. The UFED Cloud Analyzer currently offers capability to access and extract data from the following sources:
• Google Drive
• Google Location Data
• Kik Messenger
These sources alone provide significant opportunities to an investigator, however in material we were provided by Cellebrite with the product, it outlined clear intentions to develop this product as a single source for all cloud based solutions. They have on their development roadmap integration of further social networks, communication and messaging platforms and other cloud file sharing services which will make the solution an even more powerful investigative tool.
There have also been plans outlined to integrate access and extraction capability to device back up and storage hosted by both iOS & Android in the coming months which would significantly further the value of the product.
Authentication Methods – Prior to accessing content from a user account, an investigator has to be able to provide the correct authentication credentials to access the data that will be accepted by the end service provider. There are two possible methods of doing this.
The first method relies upon an investigator providing the correct username and password that has been obtained and entering this manually into the applicable fields within the UFED Cloud Analyzer. This process would need to be repeated for each different cloud service they wished to access.
The second method, ‘Import Account Package’, demonstrates what an advanced tool this solution is when used alongside the other UFED Pro Series products to form an effective investigative ecosystem. An ‘account package’ is essentially the authentication token for a cloud service that exists on a mobile device alongside the login information and is registered against both the account and the device. In its simplest form it is the stored credential that re-authenticates the user each and every time they open the mobile application on their device, so they do not need to enter their username and password.
The Imported Account package is produced from a device extraction when using the Cellebrite UFED solution and then is available to import directly into the Cloud Analyzer without the need to also possess the username and password of the user.
When using this token as the authentication method, the Cloud Analyzer is presenting to the service provider as if it is the mobile device of the user itself, and therefore access is granted as it would be if the account holder was selecting the application on their device.
From our evaluation, we identified a number of benefits of using the second authentication method of Importing the Account Package from the UFED extraction. While they make no difference to the performance of the solution once authentication has been approved, there are considerations that should be at the forefront of an investigator’s mind during the use of such a solution in the context of a wider investigative strategy:
• Reduced User Error – Extracting the token from the device reduces the likelihood of an investigator or forensic practitioner initially recording username and password details incorrectly, of those details being lost in transit, or of them being entered wrongly when using the system. It also removes the possibility of a user intentionally providing false account login credentials, or credentials belonging to a different user.
• Multiple Accounts – The UFED Solution will extract and then import all generated tokens supported by the Cloud Analyzer that exist on a device, rather than just single accounts. As part of an investigation it may be crucial to identify whether subjects of interest have alternative social network or file sharing systems to the ones that you have already discovered, and exposing each token may provide new investigative opportunities, further evidence and assist in attribution.
• Multi-Factor Authentication – Using the username and password of a user account will only be successful if the user has not enabled multi-factor authentication on the account (a standard, free service offered by Facebook, Google, Dropbox and others). This is because the service provider will identify a log-in attempt from an untrusted, unrecognised device or IP address and request a second authentication factor that only the account holder could provide. Using the token extraction and import capability often bypasses such security measures, because the solution presents itself as the user’s own mobile device, which is already known to and trusted by the service provider, and so the second factor is unlikely to be requested.
• Investigative Footprint – Even if an investigator successfully authenticates, it must be understood that since these accounts are cloud-based data sources, it is likely that any successful or attempted access into the data is being audited, monitored, logged & potentially proactively being reported to the user. This is inevitable; if any user was aware of where to locate their log on history and searched hard enough for the trace of a remote login then they would be able to identify activity that was not theirs.
As identified above, using the username and password to authenticate is treated by the service provider as a log-in attempt from an untrusted, unrecognised source and so depending on a user’s security settings this may result in a user being sent a communication informing them of such an attempt. Whilst not possible to totally avoid leaving a footprint on the account, the token extraction method will usually bypass such automated communications of new devices / browsers as a result of appearing to the service provider to be the trusted, approved mobile device of the user which falls outside of the majority of security settings for notifications.
A document dedicated to the digital footprint left by the Cloud Analyzer covering both authentication methods and the differences between traces with each of the service providers is available from Cellebrite. Our recommendation would be that before using the solution an investigator takes the time to review and get to grips with the content of this document and understand exactly which traces the precise extraction type they are intending to perform will leave and which notifications could be triggered on a user’s account.
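The footprint discussed above is visible from the account side as well: providers and account holders detect unexpected access by reviewing the same login history. The following added example (our illustration, not Cellebrite's code or any provider's export format) runs a small review over a constructed JSON-lines login history. It flags the two traces the review describes: a sign-in from an unenrolled device (the username/password route, which the provider typically challenges) and a sign-in by an enrolled device identifier from a network that device has never used before, which is the only signal a token-based access tends to leave because it is neither challenged nor notified. Field names, device identifiers and addresses are all constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a JSON-lines login-history export of the kind many
# providers let an account holder download. Field names are assumptions.
SAMPLE_LOGIN_HISTORY = """\
{"ts": "2016-02-01T08:12:04Z", "device_id": "dev-phone-01", "method": "app_token", "ip": "203.0.113.10", "result": "success"}
{"ts": "2016-02-03T19:44:51Z", "device_id": "dev-phone-01", "method": "app_token", "ip": "203.0.113.11", "result": "success"}
{"ts": "2016-02-05T10:02:17Z", "device_id": "web-unknown-7f3a", "method": "password", "ip": "198.51.100.25", "result": "challenge_mfa"}
{"ts": "2016-02-05T10:03:40Z", "device_id": "web-unknown-7f3a", "method": "password", "ip": "198.51.100.25", "result": "failure"}
{"ts": "2016-02-06T22:15:09Z", "device_id": "dev-phone-01", "method": "app_token", "ip": "198.51.100.77", "result": "success"}
"""

# Devices the account holder enrolled themselves (constructed).
TRUSTED_DEVICES = {"dev-phone-01"}


def parse_login_history(text):
    """Parse JSON-lines login records into dicts carrying an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def network_of(ip):
    """Coarse /24 grouping so a phone roaming within one ISP range is not flagged."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def flag_suspicious_logins(events, trusted_devices):
    """Return (timestamp, device_id, reason) tuples for logins worth reviewing.

    Case 1: the device identifier is not one the account holder enrolled.
    Case 2: an enrolled device identifier appears from a network it has never
    been seen on before, the residual trace of an access that presents itself
    as the trusted device and therefore draws no challenge or notification.
    """
    seen_networks = {}  # device_id -> set of /24 networks seen so far
    findings = []
    for ev in events:
        dev, net = ev["device_id"], network_of(ev["ip"])
        if dev not in trusted_devices:
            findings.append((ev["ts"].isoformat(), dev,
                             f"untrusted device, provider result: {ev['result']}"))
        elif dev in seen_networks and net not in seen_networks[dev]:
            findings.append((ev["ts"].isoformat(), dev,
                             f"trusted device token used from a network not seen before: {net}"))
        seen_networks.setdefault(dev, set()).add(net)
    return findings


if __name__ == "__main__":
    history = parse_login_history(SAMPLE_LOGIN_HISTORY)
    for ts, dev, reason in flag_suspicious_logins(history, TRUSTED_DEVICES):
        print(ts, dev, reason)
```

On the constructed sample the two password attempts from the unknown browser are flagged immediately, while the trusted phone's token is only flagged on its final entry, when it appears from a network block it had not used before. The /24 grouping is a deliberate trade-off: it suppresses noise from a phone moving between addresses in one ISP range, at the cost of missing an access that happens to originate from the same block.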
Defining Extraction Criteria – Once the data source has been identified and the authentication method selected and completed, the user selecting ‘Next’ will trigger the UFED Cloud Analyzer to verify each of the different account credentials. This happens before any search or extraction takes place and is the software reaching out to the different cloud service providers to confirm that the credentials entered using either authentication method are valid and will enable the next stage of the cloud forensics process.
Once the credentials are confirmed, the user can then begin to define the extraction criteria. This key step enables an investigator to conduct a targeted search of evidence of different cloud sources rather than simply extract everything relating to that account. This demonstrates how well this solution is aligned to the needs of an investigator as the different categories enable a targeted search and extraction process, with each user being able to define criteria on each occasion according to their needs rather than simply conducting a data dump from the cloud.
The initial parameter that can be set across each of the cloud services is the date range of the search. This functionality was expected, however we were surprised that the Cloud Analyzer did not enable time parameters to be defined, as this could be a crucial feature within the context of an investigation or within the parameters of a search warrant or authority. The Cloud Analyzer then categorises six different types of evidence that can be sought from the currently available cloud service providers:
• Locations Data
Whilst all six categories are always displayed, the UFED Cloud Analyzer is helpfully programmed to offer only the categories available from the respective platform. This means for example that when defining what to extract from Dropbox, the user will be offered only images, videos and files, not messages, contacts or location data as these features are not associated with this platform. This feature is very useful as it leaves no doubt about what type of information can be extracted from each solution.
From the multiple categories offered, the standardised configuration is for all to be automatically selected but a user has the capability to choose only which categories are applicable to their investigation or which categories are covered within the context of their search warrant or authorisation.
A final key feature at this stage is the capability to set advanced parameters which can be configured according to the investigator’s needs. I will not detail each of these here, but they are bespoke fields which differ across each of the cloud platforms, offering additional search options or evidence types specific to that platform. For example, when defining the criteria for Dropbox, the UFED Cloud Analyzer offers the user the ability to pre-define and select specific file types or folder locations that they wish to process in their extraction. This is beneficial in completing a targeted investigation in reduced timescales, rather than acquiring all data and spending a significant amount of effort analysing or removing material that is not relevant.
Once an investigator is happy that they have defined the relevant extraction criteria according to their needs across each of the targeted cloud services, they can select ‘Start Extraction’ which will launch the search and evidential capture process stage of the product.
Extraction Process – Cellebrite are quick to advertise that the Cloud Analyzer utilises the standard API provided to users of the cloud services rather than establishing its own services or drawing data from or through any 3rd party solutions. This is crucial when considering the integrity of evidence between the service provider and investigator ensuring the solution draws directly from the source, removing any opportunity for data to have been amended prior to receipt.
Re-affirming the commitment to evidential integrity, the Cloud Analyzer extracts not only the evidential material such as an image or video but also the unique service provider ID and the applicable hash value for that item of content. This means that should you wish to obtain the same information directly from the service provider in parallel, the identical piece of content extracted as part of your investigation would be provided and the hash values would correlate.
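The correlation described above is a manifest check, and it is worth seeing how little it takes to do it independently of any tool. The following added example (our illustration, not Cellebrite's code) builds a manifest of provider identifier plus content hash at extraction time, then compares it against content obtained later from the provider and reports each item as a match, a mismatch, or missing at source. SHA-256 is an assumption for the hash algorithm; when correlating with a provider's own recorded hash, the provider's algorithm must be matched. All items and bytes are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExtractedItem:
    provider: str           # cloud service the item came from
    provider_item_id: str   # the provider's own unique identifier for the item
    name: str
    sha256: str             # hash computed over the content at extraction time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(items):
    """items: iterable of (provider, provider_item_id, name, content_bytes)."""
    return [ExtractedItem(p, i, n, sha256_hex(c)) for p, i, n, c in items]


def verify_against_source(manifest, source_lookup):
    """Compare each manifest entry with content obtained independently from the provider.

    source_lookup(provider, provider_item_id) returns the bytes now held by the
    provider, or None if the item is no longer there. Result is a dict of
    provider_item_id -> "match" | "MISMATCH" | "missing at source".
    """
    report = {}
    for item in manifest:
        data = source_lookup(item.provider, item.provider_item_id)
        if data is None:
            report[item.provider_item_id] = "missing at source"
        elif sha256_hex(data) == item.sha256:
            report[item.provider_item_id] = "match"
        else:
            report[item.provider_item_id] = "MISMATCH"
    return report


# Constructed extraction: what was captured at the time.
CONSTRUCTED_EXTRACTION = [
    ("Dropbox", "file-001", "contract.pdf", b"%PDF-1.4 constructed contract body"),
    ("Dropbox", "file-002", "notes.txt", b"meeting at 9, bring the documents"),
    ("Google Drive", "file-003", "photo.jpg", b"\xff\xd8\xff constructed jpeg bytes"),
]

# Constructed copy obtained from the providers later: one item edited, one deleted.
CONSTRUCTED_PROVIDER_COPY = {
    ("Dropbox", "file-001"): b"%PDF-1.4 constructed contract body",
    ("Dropbox", "file-002"): b"meeting at 10, bring the documents",
}


def demo_report():
    """Build the manifest from the constructed extraction and verify it against the later copy."""
    manifest = build_manifest(CONSTRUCTED_EXTRACTION)
    return verify_against_source(manifest, lambda p, i: CONSTRUCTED_PROVIDER_COPY.get((p, i)))


if __name__ == "__main__":
    for item_id, status in demo_report().items():
        print(item_id, status)
```

The constructed run reports file-001 as a match, file-002 as a mismatch (the note was edited after extraction) and file-003 as missing at source (deleted). A mismatch or a missing item is not itself evidence of wrongdoing, but it is exactly the discrepancy the hash in the extraction record exists to surface, and the manifest lets it be shown without re-running the extraction.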
The speed of the extraction process itself will vary depending on a number of factors. Within the software this will be impacted by the size of the search, including date parameters and number of networks being searched. External factors will include the connection speed available and the processing capability of the device being used. Throughout extraction, the UFED Cloud Analyzer informs the user of the progress of completion across each of the different cloud sources being searched by displaying a simple progress bar and % throughout.
Throughout the extraction process, if for any reason the Cloud Analyzer locates an item within the search parameters that it is not able to successfully extract, it will notify the user that this is the case and provide the full location path for that item at the source so that attempts can be made to extract it manually if it is of interest to the investigation. The Cloud Analyzer can also be paused or stopped at any point mid extraction should a user wish to do so.
The UFED Cloud Analyzer enables data to be reviewed by a user as it becomes available during the extraction process which is another useful feature. However unless you have a high risk, time critical case then our recommendation would be to wait for the extraction to be complete before beginning any review or analysis of the results. This ensures nothing is missed and reduces the risk of confirmation bias influencing your investigation.
Reviewing Data – Investigators without access to software solutions such as the Cloud Analyzer have to approach each of the service providers individually for access to data. This can take months to obtain and would return in a different format from each provider, making review and analysis a lengthy manual process. The Cloud Analyzer significantly assists investigators by standardising the returned data from each independent cloud source and presenting these formatted results back to the user for review and analysis.
In addition to the content itself which is available as both a thumbnail and full version, each piece of extracted evidence is accompanied by the following information:
• Event ID
• Event Type
• Event Category
• Content Type
• Date and time of the event
• Parties involved in the event
This process enables an investigator to display the results by configuring filters which allow each data source to be analysed independently or to fuse the results from a variety of data sources so they can be analysed together.
When reviewing data, the navigation tabs at the top left of the interface are used to navigate between different visualisations of the extracted data. These tabs are simple and straightforward to use and their layout and navigation methods will be instantly familiar to the majority of device users.
The different interfaces currently available are:
• Timeline Feed – Displays the data from a single or multiple sources according to its chronological order
• Files View – Displays all of the items that have been extracted and enables quick navigation and filtering to be applied across a number of standard filtering options
• Contacts View – Displays the contact information held within the account for the target individual across the selected data source when available
• Map View – identifies the entries which have geographical location data associated and automatically plots these items onto an interactive map.
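The Timeline Feed depends on two earlier steps in the review: the investigation time zone chosen at case creation, to which every extracted date and time is standardised, and the date-only range set as extraction criteria. The following added example (our illustration, not Cellebrite's code) shows that normalisation and fusion for constructed events from three sources, each carrying a different timestamp form its provider is assumed to expose (ISO-8601 with ‘Z’, Unix epoch seconds, and ISO-8601 with an explicit offset). It also applies a whole-day date range evaluated in the investigation zone, mirroring the date-only criterion the review notes, and refuses a timestamp whose offset is unknown rather than guessing one. The investigation zone is a constructed fixed UTC-5 offset.

```python
from datetime import datetime, timedelta, timezone

# Constructed events from three sources, in the timestamp forms their
# providers are assumed to expose.
RAW_EVENTS = [
    {"source": "Google Drive", "event_type": "file_modified",
     "timestamp": "2016-02-05T10:02:17Z", "parties": ["alice@example.com"]},
    {"source": "Kik Messenger", "event_type": "message",
     "timestamp": 1454664600, "parties": ["alice", "bob"]},          # epoch seconds, UTC
    {"source": "Google Location", "event_type": "location",
     "timestamp": "2016-02-05T04:58:00-05:00", "parties": ["alice@example.com"]},
]

# Investigation time zone chosen at case creation (constructed fixed offset).
# A named zone with daylight saving would use zoneinfo.ZoneInfo("Europe/London").
INVESTIGATION_TZ = timezone(timedelta(hours=-5), name="UTC-05:00")


def parse_source_timestamp(value):
    """Turn a provider timestamp into an aware datetime; refuse naive values."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        # Without an offset the event cannot be placed on a shared timeline safely.
        raise ValueError(f"naive timestamp from source, offset unknown: {value!r}")
    return parsed


def build_timeline(raw_events, investigation_tz):
    """Normalise each event to UTC and to the investigation zone, then order chronologically."""
    timeline = []
    for ev in raw_events:
        utc = parse_source_timestamp(ev["timestamp"]).astimezone(timezone.utc)
        timeline.append({
            "source": ev["source"],
            "event_type": ev["event_type"],
            "utc": utc,
            "local": utc.astimezone(investigation_tz),
            "parties": ev["parties"],
        })
    timeline.sort(key=lambda e: e["utc"])
    return timeline


def filter_by_local_date(timeline, start_date, end_date):
    """Inclusive whole-day range evaluated in the investigation zone.

    Mirrors a date-only criterion: it cannot narrow to a time of day, and an
    event near midnight may fall on a different calendar date in UTC.
    """
    return [e for e in timeline if start_date <= e["local"].date() <= end_date]


if __name__ == "__main__":
    for e in build_timeline(RAW_EVENTS, INVESTIGATION_TZ):
        print(e["local"].strftime("%Y-%m-%d %H:%M:%S %z"), e["source"],
              e["event_type"], ", ".join(e["parties"]))
```

Run as is, the three constructed events come out in the order Kik message (04:30 local), location fix (04:58) and Drive modification (05:02:17), which is not the order they were listed in and not obvious from the raw values. Keeping the UTC value alongside the local one means the ordering can be re-checked if the investigation zone is later changed.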
Our personal preferences for reviewing our data were the timeline view and map view. The timeline view is superb for those with an investigative mindset. Given the challenge of a complex case and multiple data sources, it offered the most in terms of displaying the information in a clear and coherent manner that could be layered and contextualised alongside other evidential and intelligence material. The map view (when the content had location data assigned) offered huge opportunities and could stand alone or combine brilliantly with analysed communications data to be presented as a compelling evidential package demonstrating a person’s presence or lack of presence at a key location, or effectively demonstrating movement of the account holder within a defined time period.
It is likely that different users will have their own preferences about which interfaces they prefer depending on many factors including their capability, experience of digital investigation, volumes of data being analysed and objective.
Exporting Data – Once an investigator has completed their interrogation of the extracted data, they can either save their progress and case to return to later or they have the option to extract the data into a report. Report generation within the UFED Cloud Analyzer is both simple and effective.
Selecting the ‘Generate Report’ button within the software will trigger a pop out window to appear from which the user can begin to build their report. As is consistent throughout the Cloud Analyzer, the fields that were entered at the beginning of the process are automatically pre populated.
The report generation then enables the user to further define the content of their report bespoke to their individual case needs using 3 different fields:
• General – Allows the user to change the name, define where the report is to be saved and add notes to the extraction. At this level, a user will also have the option to include or exclude image and video thumbnails in the report. At this stage the report format can be altered, however PDF is the default setting and this reflects best practice for evidential production.
• Items Included – This allows the user to define which items are of evidential or intelligence value for inclusion into the report. This can be completed by selecting all of the items from the extraction, by selecting all items within a single category from a cloud source, or by selecting individual items of interest.
• Layout – A superb feature which enables a user to personalise the presentation of the report based upon their own organisational requirements. This allows them to upload a logo, images and bespoke text in the header and footer section which ensures the report is aligned to the user and brand when published or evidenced.
Once these different fields have been populated then the report can then be generated. We have experienced other products that can take a significant amount of time to generate detailed reports from multimedia content, however during our testing the Cloud Analyzer produced a PDF report in a matter of seconds that incorporated the information and thumbnails on a total of 2,365 entries.
The extracted report contains two distinctly different sections. The first section is the extraction summary, which does not contain any evidential material but provides all of the relevant information that would be required to trace and audit the authenticity of the material gathered. This includes relevant time and dates, extraction ID, examiner details, which cloud sources have been accessed and the authentication method used to access the data. Crucially, if the token extraction method was utilised then the report will reference the originating handset and UFED extraction ID, so there is a full continuity of evidence throughout both the physical and cloud extraction process.
The second section was as we expected: a detailed extraction of each item chosen to be included in the report along with the relevant accompanying information extracted from the cloud source for each item.
Cellebrite has taken its wealth of experience in developing digital device forensic solutions and combined that knowledge with feedback from users and a mindset aligned to Cloud Forensics which considers the overall outcome of an investigation rather than the individual results of a device extraction.
The outcome is the UFED Cloud Analyzer – a product which perfectly complements and adds significant capability to their already well established UFED Digital Forensics Series. We have little doubt that in due course the majority, if not all users of the Cellebrite UFED solutions will purchase, deploy and regularly utilise the functionality of the Cloud Analyzer in their forensic investigations. It also sets a significant benchmark for other forensic providers to attempt to meet when they release their own cloud solutions (and they inevitably will) into the marketplace.
But digging and thinking a little deeper… perhaps the greatest compliment that can be paid to the UFED Cloud Analyzer is that it does not feel like a digital forensics product, and given its capability, in our opinion nor should it be restricted to a Digital Forensics / Laboratory environment. Within a law enforcement context alone there are many additional use cases for considering a far wider deployment of the solution beyond digital forensics including:
• Achieving in minutes a greater depth of extraction, evidential capture, analysis and presentation than a suitably trained Online / Open Source Investigator adopting traditional manual processes could provide in hours or days.
• Facilitating access to key locational data and GPS information for vulnerable missing persons on which there is an urgent operational need to locate to ensure their safety.
• Enabling reporting officers at incidents of online harassment or domestic abuse to correctly and effectively obtain evidence located in cloud sources with the permission of the victim to do so.
• Providing the platform for resources conducting arrest warrants or searches to capture cloud based information in the state and format it was found at the time of entry, achieving and maintaining best evidence.
Across the globe Pure Cyber, Cyber Enabled & Cyber Dependent Crime all continue to increase and there is a challenge for all law enforcement and commercial organisations to address the current skills deficit by providing investigators with the knowledge and resources they require to effectively respond to, investigate and prosecute digital crime. Effective investigators will however also need to be supported by products that increase their capabilities whilst remaining scalable and simple to use.
In the UFED Cloud Analyzer, Cellebrite have successfully created a solution that many organisations have been crying out for, which has the capability to deliver the specialist and currently siloed skills of cloud forensics and online investigation into the hands of mobile, mainstream responders and investigators.
Significant investment is being made across law enforcement organisations in equipping officers with mobile devices and body worn video cameras.
The opportunities that arise from the use of such technology can only be fully realised if software solutions such as this are quickly understood and widely adopted.
Cellebrite is a global digital forensics company focusing on mobile data technology. Cellebrite's mobile forensics solutions give access to and unlock the intelligence of mobile data sources to extend investigative capabilities, accelerate investigations, unify investigative teams and produce solid evidence. Cellebrite's range of mobile forensic products, the UFED Series, enable the bit-for-bit extraction and in-depth decoding and analysis of data from thousands of mobile devices, including feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets. UFED Cloud Analyzer provides extraction, preservation and analysis of private data residing in cloud environments such as social media accounts.
About The Reviewer
Digital Investigations Director at Blue Lights Digital, Nick Curry is a leading authority on converging the multiple disciplines of digital investigation. He has 17 years' service within West Midlands Police and continues to provide training, guidance and knowledge in his specialist field and is often sought after in the most complex, high profile criminal and cyber investigations. He is a skilled operational user and trainer across multiple Digital Investigation subject matters including Mobile & Computer Forensics & Triage, Communications Data Analysis and Online Investigations. Blue Lights Digital is a UK based organisation who operate across multiple sectors offering digital investigation services, products and training.