Best Strategies For Remote Collections Of Computer, Mobile And Cloud Data

Colleen: Hello, and welcome to today’s webinar, Best Strategies for Remote Collections of Computer, Mobile and Cloud Data. My name is Colleen Nugent, and I am part of the marketing team here at Cellebrite, and I will be facilitating today’s call. 

Before we get started, I just have a few housekeeping items I want to go over. All attendees are muted upon entry into the event. You can ask a question at any time using the Q&A box on your console. We will try and get to everyone’s questions today, so you can ask them throughout the webinar and we’ll try to answer them as they come in, and definitely at the end during Q&A. And then, please feel free to view the resources at the bottom section of your console. There’s some good information on there, on the speaker bios, as well as some additional resources that you might find useful.

So I want to introduce today’s presenters. We have John Medeiros and Shahaf Rozanski. John comes to us from Deloitte’s financial advisory services, where he’s a senior manager. And what you need to know about John is, he’s got 38 years of investigative experience. And right now at Deloitte, he is based at the firm’s national electronic discovery solutions and forensic center. And he is also Deloitte’s global mobile device champion. 

And then for Shahaf: Shahaf is the VP of product and strategy for Cellebrite business and enterprise solutions. So he’s been with Cellebrite for over six years. He’s worked in digital analytics, triage, cloud collection solutions, and he has more than 20 years’ experience in the industry. So with that, I would like to turn it over to John.

John: Thanks Colleen. Hey, everybody. 


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


I really wanted to start today by telling you a story about my first failed remote collection. It was back in 1996. I was a young computer examiner, had more hair, and we had an internal resource who was having all kinds of problems getting files off a good old-fashioned three and a half inch floppy disc, for those of you that remember that. And so she reached out to me and she asked if there was anything I could do to resurrect these long-gone files because they were key. And I said, sure, make a copy of the disc, send it to me in interoffice mail, and I’ll take a look and we’ll see what we can do for you. 

So a couple of days later, the mail lady comes by, and she hands me an envelope. I thought, gee, this envelope is awful light, but I opened it up and inside there was a piece of paper — a piece of Xerox paper — that had a Xerox of the floppy disc, both sides. So that’s my first failed remote collection from 1996. 

What I want to help you with is avoiding the misconceptions and misunderstandings that have been with me since 1996. So let’s look at our agenda. We want to identify, and hopefully mitigate with you, the risks associated with remote data collections; the strategies and technologies you can use for remote workstation collections, mobile collections, and cloud collections. And then Shahaf is going to go over Cellebrite’s digital intelligence solutions.

First and foremost, let’s talk about the risks and how we can mitigate them. I hate to tell you guys this, but number one: full dependency on technology has bit us more times than I can tell you. Don’t assume that everyone has an internet connection, or that their internet connection is stable. But without it, you’re going to be limited in your techniques. 

Second, you’re going to rely on some kind of courier. If you’re not going to do it over the internet a hundred percent, you’re going to rely on some courier service to provide that data transfer to the custodian and then back to yourself. And yes, things get lost in the shuffle. 

Third, there is risk here. If you’re doing this over the internet, there is risk. And everybody’s going to have to go along with that. So that includes the client, that includes the custodian. Everybody has to agree to the internet risk. 

Fourth, there are going to be some limitations. Doing full forensic bitstream images of a traditional device, like a laptop, over the internet is not going to be a happening deal. So we’re going to have to adapt and overcome. 

And third or, sorry, fifth, the one that’s beginning to bite us more and more: as companies secure their networks, very often the software that we want to run, or that they believe will run, no longer runs. And so we’re going to need cooperation from IT and the custodian to facilitate this transfer. 

Let’s take a look at remote collection data points. Laptops, mobile devices, cloud: most common. 

So let’s overview each one. For a laptop or a desktop, the ones that come to mind are, you can use enterprise level forensic capabilities in major software packages. You can do it. You can do a good targeted logical with enterprise level forensic tools. Or you can utilize what we call a boomerang forensic kit, or consider and inquire whether or not the custodian or the client has corporate backup, because what you may need may already be in their corporate backup. 

For mobiles, again, we can utilize a boomerang kit. We can utilize native and third-party backups. Consider, especially depending on who the custodian and the client are, do they have real time message surveillance platforms already in place? 

And cloud data. Most of you think of cloud data as O365, but there’s so much more than that. There’s the business collaboration sites, things like Teams, Slack, there’s all the cloud storage shares.

Really what I’m asking you to do with this slide is think about not device centric, but data centric. Where is the data that we need to collect? And go and seek it out there. My example for that is that I cannot tell you how many times people have asked me where the email data is off of a mobile device collection. And my response tries to be gracious, but I also try to explain that really getting email off of a mobile is probably not the right thing to do. If we want the custodian’s email, we should be going to the email server, whether that be O365 in the cloud, or a legacy on-prem installation, to get email, because that’s where the data lives. That will give us the best collection.

Let’s look at workstations. Whether we’re talking about a desktop computer or a laptop, one of the easiest and cheapest ways to get data off of an end point, like a laptop or a desktop, is to utilize the already in place corporate backup. But that may not be available to you. Now the question becomes: between one and two, is this the type of investigation that necessitates a full physical image? If so, you’re probably going to have to do a boomerang. You’re going to have to send out equipment to the custodian and then lead them through a collection. We highly recommend using remote screenshare to facilitate that. If you don’t, then it’s going to be very difficult for you to lead a custodian through a collection over the telephone. Yes, we’ve done this. It’s going to be very difficult for you to lead a custodian through a collection over a telephone. It can be done, but there’s that chance for misunderstanding that we want to avoid. 

If a full physical is not required by your project or by your needs, really think about leveraging the enterprise forensic collection tools. They are excellent for targeted collections, for finding the data, and then allowing you to pull that data back over the internet. Again, that means that the custodian has internet connectivity. 

If not, we’re back to the boomerang forensic collection. Mobile devices really are the end point of the future. And so I’ll start with the boomerang. It’s probably the easiest. And you’re going to ask, well, John, you can’t just send out an encrypted hard drive with tools on it for the custodian to make a collection. 

You’re right, because if you did that, you would be assuming that the custodian had a computer. We have been actually sending out laptops — small laptops — with the hard drive, and our laptop has our software on it, licensed to us. Yes, there is dongle-less versions for all your major products. So that is our primary means of getting forensic collections from mobiles, is to send out the laptop and the hard drive, and then lead the custodian through it. 

Again, same thing. A good viewer is essential. Especially if you’re doing a collection of an Android, there are so many changes that have to be made that leading a custodian through those changes over the phone is almost impossible.

Don’t discount native and cloud backups. I’m skipping to the third. They are a valuable way to keep costs down and get good collections, especially if the device that is in play is an Apple. There are clients out there today who are all Apple shops, and who have reconfigured their corporate backup to go grab the location for an iTunes backup, which means it’s as simple as having the custodian make an iTunes backup of their device weekly, monthly, and the corporate backup solution takes care of the rest. 

It’s also true, as you can see from the slide, that you can pull it from the cloud. That begs the risk question: is the custodian — is the client — comfortable with an iCloud backup? 

And last but not least, increasingly we are seeing message surveillance platforms being used in industry. So if that’s in play, that is a valuable place to go and get all of your third-party app collections. There are some limitations, and we’ll discuss those. 

Shahaf: John?

John: Yes?

Shahaf: John, before you jump into the into the cloud, a quick question from the crowd regarding the actual computer. So there is a question about the boomerang forensic collection of a workstation: is a live image generally acceptable or best practice?

John: Generally we can get a live physical, and that is acceptable. Of course, you have to log all of the changes that are made, right, as you make this live physical. Because one of the things that’s going to change is that we’re going to put our own software… we try to keep our footprint as small as possible, but we’re introducing software onto this laptop. So all of that has to be carefully and diligently logged. But yes, live physicals are acceptable. Live logicals may also be acceptable if your threshold is lower. If this is an e-discovery project and you really just need the user profile, then a live, targeted, logical would work well. Shahaf, did that answer the question?

Shahaf: Yes, it did. And then there was another one now related to mobile collection. Could you elaborate on iTunes based backup and collections?

John: Sure. Stop and think about it guys. And ladies. What’s the difference — with all due deference to Shahaf, I know there is a big difference — but principally, what’s the difference between most mainstream mobile forensic tools collection, and an iTunes backup? Up until we had checkm8 and its related collections, the answer was: none. Yes, the mobile forensic tools were able to pull slightly more data, most of it administrative data, from the device, than an iTunes backup. But really, all of the mainstream tools pulled an iTunes backup. That changed with checkm8. But all of the ediscovery data that you want is in the iTunes backup, which is why we are still using iTunes backup based collections in most Apple situations.

Shahaf: And just to further elaborate about the checkm8 for those of you who are not familiar, it’s basically the ability to access more data out of a device and do what is called a full file system collection of iOS device. We generally give you access to files, meaning you can get all the applications and some of those are not backed up by iTunes. But generally, there’s definitely a great capability to do more if needed.

John: Shahaf is correct. That’s one of the things that has happened in the last two years, is that Apple has given developers the ability to opt out of backups. That was almost always the case with an Android, but in the last two years, that is also the case with an Apple. So be aware of that. If you are not making a checkm8, you are giving up any third party application that is not set up for backup through iTunes. 

Let’s talk about cloud data. And I know this is a really busy slide, but really it’s fundamental. If you start at the left with one, we’re trying to identify where our data lives. And that’s something that we talked about earlier, is finding out where the data really lives. And it can be in any number of places. 

Two is: let’s extract and collect the data directly from those cloud sources, rather than trying to get them from a tertiary source. 

Three, you can leverage cloud collection collaboration sites. This would include things like Slack, things like Teams. 

Four is where the paths begin to diverge. Traditionally, we’ve always kept collected client data on a redundant pair of encrypted hard drives. And that’s still the case, but not all the time. I understand that it’s much cheaper to do it that way, especially in the very, very long run, but consider how much faster it is, and how much simpler it is, if you simply use S3 cloud storage, making reference to AWS, consider using cloud storage. 

Five: if you’re going to use the cloud storage and you want to stay completely in the cloud, this is all possible. You can create a VM on any of the cloud services and upload your tools, which gives you the ability to do six. You can either use your traditional tools in the cloud, or you can use cloud-based tools to do your analysis. You can add machines, you can add bigger machines, you can do password cracking in the cloud. Everything can be done in the cloud. So if it started in the cloud over at number one on the left, give a thought as to why it shouldn’t stay in the cloud through six.

Let’s talk about some of the considerations for remote collections. We already talked about third-party transit. I cannot emphasize enough how this is dependent on internet connectivity and a co-operative custodian. This is not something we want to do if the custodian’s cooperation is in question. 

Three, the custodian’s going to have to help. Sometimes, though, we’re going to need client IT to provide access. Many times we find that our viewer of choice is blocked by rule. And so we have to work with the client’s IT department to either get that blocked, or to find out which one of our potential viewers is not blocked. Try to avoid a single point of failure, a single copy; only using a network collection connection for your collection; something that’s going to be risky. 

Of course, the device operating systems are going to limit the type of collection that can be performed remotely. That will go to those of you who have to collect Macs. You are limited in what you’re going to be able to do with a remote dongleless Mac collection.

If you’re considering mobile monitoring as part of your solution, please be aware that mobile monitoring is not… there is no one app right now that will collect everything. Mobile monitoring is a system of per-app collection capabilities. So there’s a different one for each of the third party text messaging applications. And if you really want to do this inexpensively, make sure you direct the client that they can go back to their provider for simple SMS and MMS. And with the correct authorization, they can get the SMS and MMS from the provider. 

Be aware, before you start cloud collections or mobile monitoring, to check your local laws. I know in the European Union, and probably elsewhere, parts of these techniques may be viewed as wiretaps and be prohibited. So please make sure that you have your legal authority before you make a cloud collection or use mobile monitoring software because of that.

Colleen: Hey John, there’s some questions that came in. 

John: Sure. 

Colleen: All right. We downloaded enterprise backups, but it changes the time and date metadata. How do you deal with this?

John: That’s one of the drawbacks, right, to an enterprise backup, is that it’s changing the date and the time. So that’s just something you’re going to have to account for. If that’s important to you — that you have the external metadata correctly — then utilizing an enterprise backup solution to gather your collection is probably not the best technique. That’s another of the considerations, right? Is that interaction between the software tool and the data.

Colleen: All right. Another one: how do you handle iOS messages that are synced to iCloud rather than included in an iCloud backup?

John: If you pull from iCloud using any of the popular tools, you can pull both backups and synced data. So that would be my recommendation. And that is the next new thing that is difficult about Apples, is that you can now choose to sync to the cloud instead of syncing on the device. And that is changing the paradigm for where the data is located. Colleen?

Colleen: Yeah. Just this is another checkm8 one. Would it be correct to say that checkm8 is made specifically for third party apps? So basically to collect data, the typical iTunes backup would not? If so, would that indicate the checkm8 would not get more data from the traditional locations, such as texts calls, et cetera.

John: Shahaf, do you want to take that one?

Shahaf: Yeah, definitely. So checkm8 is a method that allows you to do a full file system collection. It means it can access all the files on the iOS device. By that, it means that it can by nature access more data. We just mentioned application data because it has access to all the databases, however it can access emails on the device, it can access [indecipherable] on the device. Basically today, this is the most advanced method for collecting as much data as possible from the device. 

So depending on your investigation, in some of the cases we’ve heard, for example, that people have been using advanced collection, like checkm8 in order to do investigation, trying to analyze, for example, if someone was using the device at a certain time or which location they’ve been into. So a checkm8 really enables you access to all the information for each discovery. Well, messaging is [inaudible]. This is where we highlight the benefit of getting access to more data from applications, like Widget or Telegram that are not necessarily backed up in iTunes. 

[crosstalk]

Colleen: Oh, go ahead. Sorry, John. 

John: Thank you. Coleen. Shahaf, would you say, though, if the application is backed up by iTunes, is there a quantum difference between what is… between the SQLite database being backed up by iTunes, or our ability to copy it out with checkm8? Isn’t that about the same? We’re still getting the same SQLite database

Shahaf: It’s about the same, although I must admit that in some of the tests that we we’ve been doing in our labs we have found some differences — slight differences, but in some of the cases we have found differences. For example, in WhatsApp, more data was collected versus what is available in the iTunes. But generally speaking, you are probably right.

John: And that extra data that was collected, Shahaf: was that recovered deleted?

Shahaf: Yeah. It was deleted messages that were recovered.

John: Thank you. So that’s the extras that you get, even from applications that have an iTunes backup set. There is additional data that’s available, especially if you’re looking for deleted data. That would be the time to default… I’m sorry. That would be the time to ramp up to a checkm8, if you were otherwise just going to do an advanced logical; now maybe you’d better consider a checkm8 because you need to get as much of the deleted data as possible. Thanks, Shahaf. Colleen, do we have another question? 

Colleen: Yeah. Well, it’s with iTunes. So with iTunes being retired by Apple and features being locked down in the new iOS versions, will there be a time when iTunes backups are no longer a viable option?

John: That’s a heck of a question and I wish that I had the answer to it, and I don’t. So I’m actually going to punt this over to you, Shahaf.

Shahaf: I think it’s also too much for me to predict that one. Apple can decide one day to do whatever they want, basically, in terms of what they enable on the iTunes and what’s not. So I don’t have a good answer to whether it will happen or not, but we’re at least, you know, trying to serve the community by trying to find out methods, like we mentioned, like the checkm8 and other ways to get access to the data, which are not necessarily relying on the items.

John: Thank you. I think the question is well put, and I’m seeing Apple recognize that there may be security implications by allowing iTunes to continue to exist. Apple is probably the most security conscious vendor there is, whether you’re talking about a laptop or you’re talking about a mobile. And I can see with their new features… for instance, if you go to a store right now and you turn in your phone, there are three ways to move the data from your old phone to your new phone. They’ll make an iCloud backup, if you haven’t already; or if you tell them you’ve already made an iTunes backup at home, and you want to use that, they’re fine with that. Or they’ll put the two devices next to each other and let them transfer the data seamlessly between themselves, which means the questioner is correct. Apple has already set up to sunset iTunes. They’ve gotten rid of most of the music part of iTunes. So I can see that iTunes could be going away soon. Colleen, more questions?

Colleen: Yeah. Yeah. What can one do with a device that has the option to block USB connections, so post iOS 12, or is pair locked to a computer that is not available?

John: Yes. That goes back to the whole problem of, if you look here on the very third line of this slide, you may have to work with client IT, because their MDM may have blocked access to the USB port. So that’s correct. 

The only way to get around that is to have an MDM update pushed to your custodian’s device before you begin the collection and to try to coordinate that so that it’s pushed at the beginning of the day, for instance, 6:00 AM this morning, so that you can collect me now. It’s difficult to know that in advance. So that’s why it’s very important to have good conversations with the client and client IT around MDM, whether we’re talking about an Apple or an Android, understanding what is locked out is key, because you’re going to have to ask the client to make changes to the MDM profiles. It’s essential on Androids. You have got to have IT cooperation in order to make an Android collection, because there’s so many changes that you have to make to that Android.

Colleen: Thanks, John. Yeah. here’s a good one. Do you build dashboards of where your collection points are, for quick reference?

John: Sure. That’s not really part of this discussion, but absolutely. I mean, one of the things you want to do when you’re going to start a project is data map, and figure out: where does the data that we need for this project live? Is it on network shares? Is it on mobile endpoints? Is it on traditional endpoints, like laptops? And we’ve had clients tell us that they have no user data on their laptops that everything’s on servers or in the cloud. 

So it is possible, but you’re going to have to sit down with the client, and client ITS, and map that out. And having that in advance really helps. As you go through your custodians, then, you’ll be able to have, basically, a check sheet. Did I get this for this custodian? It’s an excellent idea and needs to be done every time you start a new project. Colleen? 

Colleen: That’s it for now. There’s no more questions. 

John: Let’s look at the positives to remote collections. One, you never have to meet me. And that is a huge benefit, especially now in the time of COVID. Because you don’t have to travel to meet me, you’re going to reduce costs and the attendant fees from those in-person collections. You’re going to reduce costs. And number three, if you leverage existing enterprise systems, they’re not buying anything, they’ve already got it. They just didn’t know how to use it correctly to make the collection. You’re going to save the client a lot of money and you’re going to look great. You’re going to look like that trusted advisor who came in and helped them get it done faster and cheaper than anybody else. 

Four — and this is a big one — if you’re doing remote collections and you’re doing them in a well-thought-out way, one person sitting in Chicago can collect, today, from custodians in New York, Los Angeles, Nashville, basically five or six cities across the country in a single day. If you were going to have that same examiner travel, they wouldn’t even get one collection done. So really, remote collections are a force multiplier. 

It may have taken COVID to bring all of this to the forefront. But the truth is, if you start to think about remote collections in the way that we are discussing them today, this really is a boon to our industry. 

Cloud collections: if you keep everything in the cloud, it really doesn’t matter whether you are collecting one terabyte, or you’re collecting a petabyte. Now you can’t say that if you come to me with a bunch of hard drives, but you sure can say that in the cloud. So think about cloud whenever you can, and think about keeping it in the cloud, it allows you to rapidly scale up and down as the project needs, you set up different spaces for each project. It really simplifies your billing. Your cloud expenses are the expenses of the project. So if you think about it that way, there are a number of good reasons to keep cloud collections in the cloud. 

And the last one: custodians really do feel more comfortable when they understand what it is that you’re doing in the collection. I mean, that is the biggest part of in-person, face-to-face collections that you can’t let slip away because you’re doing it over Zoom or something else. You really still have to talk to the custodian and try to put them at ease with what you’re doing. 

These are voluntary collections, not under court order, most of the time. And it’s very important to build that trust relationship with the custodian so that they open up to you and are willing to help you out, but making them an active participant really helps. 

I will tell you, I strongly advocate that you get good remote control software if you’re going to do Androids remotely. That is the one device that I think puts custodians ill at ease, when they see how many changes have to be made to an Android to allow a connection and a collection. And so if you can do it remotely on their phone and make those changes for them, then you take away that fear factor. Because a lot of the prompts that come up when you make changes to the Android operating system to allow the collection really are scary prompts, if you stop and look at them. They’re going to scare your custodians. So that’s the one place that runs counter to number six here. Colleen, do we have any other questions?

Colleen: There’s a couple other questions, but I’m going to save them for when Shahaf gets on, since they’re Cellebrite focused. 

John: Perfect. 

Colleen: And I just want to encourage… yeah, sorry John, I just want to encourage everyone, like I said, just please feel free to ask your questions. John’s going to be here for the remainder of the webinar, but as we turn it over to Shahaf, I just want to encourage everyone, make sure you talk to John while he’s here, he can answer your questions live

John: Shahaf, over to you, sir. 

Shahaf: Thank you, John, that was really fascinating and a big discussion with you. I’m learning something new. So, thanks a lot. And really for the audience here, really use the time with John, he’s a great expert, and use the opportunities you have with him to ask him more questions. 

So let’s take the best practices that we have seen so far and see, you know, what we — Cellebrite — as a provider of solutions can help facilitate some of those use cases. And we are going to talk about the way we’re going to with mobile, with cloud and with a computer. And this is just a partial list of what is available today from the Cellebrite team. So the first thing that I wanted to touch on is doing remote collection for mobile, and using what we call a detachable license, that is about the operational efficiency.

So John talked about removing the needs to travel, removing the needs to ship the licenses across the globe. And with a detachable license, this is exactly what you are achieving. So basically you can detach a license from one collection machine that runs our UFED technology and attach it to a different one. So let’s take the boomerang use case that John described. 

So if you are sending a computer to your custodian, you can basically move a license to that machine. Once it gets to the custodian you don’t need to waste the license for a few days while the device is traveling, which gives you great operational efficiency. And if you are doing it within the corporate realm, and you already have a few sites that you know, that you usually collect the information from, so let’s say that we have a big corporate that has their offices in New York, and now we also want to do a collection from Los Angeles, and this happens quite frequently. So what some of our customers are doing, they are placing another inactive four PCs in Los Angeles. And then every time that they need to do a collection from Los Angeles, they are just transferring the license from New York to Los Angeles. 

And another important point here is, who exactly is going to do the collection. And here, I think that the best practices that John mentioned, like being able to remotely collect, to do the machine, guiding the custodian, if you don’t have an IT person there that would do that for you is really critical for the success of the process, and not only for the success of their process, but also from a liability point of view, you want to be sure that you are doing that in the right thing and in the right manner. 

The next collection type would be with respect to collecting from the cloud. And when we are collecting from the cloud, we are mainly talking about consent based collection, meaning you have the username and password, and here there are are the few options that you can utilize. 

For example, cloud analyzer in order to do data collection, the first one is to collect from the phone backup. So for example, doing a collection from the Google backup of the phone that is within the cloud. And from there, you can [indecipherable] that was backed up to the cloud. So this is one option using the cloud analyzer. 

And other option is accessing all those social media like Instagram, Facebook. And once you have the username and password of the custodian, or if it’s in the corporate account, so you can access and collect social media and posts from those applications. 

Another thing that is useful and that you can do is obviously collect some cloud storage, whether it is the iCloud storage, whether it is Dropbox, whether it is OneDrive: connect, select, what are the relevant files that you want to collect, and do that.

Collecting email is obviously very relevant. Think about the Office 365 and GSuite, where you want one tool that will eventually enable you to do the collection from all of those, and eventually see everything in one interface and then export all that into review, or into your investigation platform. That’s definitely a point our customers mentioned. 

And last but not least is website capture, which is, you know, when the dedicated tools or the dedicated… connectors to the cloud. And we have about 60 connectors with cloud analyzer, but when those dedicated tools are not available, you might want to consider website capture, which is a scraping off what you have on the web itself and collecting the information itself, then being able to analyze that information and search through it.

So with respect to the cloud, this is what is available today. Quite comprehensive, and as John mentioned earlier, you really need to know at what time you select going to the cloud and what time means to go to the mobile. 

So we’ve discussed mobile. We discussed cloud. The last piece that is still missing in the equation is computer collection. And today we’re going to talk about Mac imaging. And traditionally, you know, the equipment that Cellebrite has requires shipping off a hard drive for doing the collection. But we did understand that, you know, this might be complex in some of the times. 

And instead of that, instead of shipping a hard drive, we can basically ship an activation to a software. So think about installing a software that is doing data collection next to the targeted machine, transferring the license over there, and then doing a forensic preservation of the Mac device. Once this is done, obviously the backup or the instruction that you made can go through either, you know, sending it over email, either sharing it ovre cloud, or taking hard drive and sending it over to the one that was initiating data collect and the collection.

So similar to the ability to transition the license for mobile, same capability here available for Mac image. With that being said, Colleen, do we have some more questions?

Colleen: We do, we sure do. So let me start with: can Cellebrite collect iCloud synced messages?

Shahaf: So Cellebrite today can collect from iCloud and the iCloud storage. We had an ability to do iCloud the backup collection, but Apple made some changes and we are now trying to look for a solution. So at the current stage, we are still trying to do the collection from the iCloud backup, but what is available on the iCloud data, which is, you know, the, the storage of iCloud, we can definitely collect.

Colleen: Okay. Thanks, Shahaf. Could Cellebrite recover deleted WhatsApp messages from iOS devices?

Shahaf: iOS… yeah. Definitely with the checkm8 or the advanced collection, you can gain access to that information, assuming it is saved in one of the devices. If it’s in unallocated space, obviously this will not be available.

Colleen: Okay, here, here are specific, like, Cellebrite questions. We have two dongle licenses. Is a detachable license is a feature of the current license, or is an additional licensing cost?

Shahaf: It’s a different mechanism that have some different costing associated with that. And we’re more than happy to share more information about it and see, you know, how the one that asks the question can benefit for that then based on that, you know, share [indecipherable].

Colleen: Okay, this is kind of similar. So, if I have a license in my office, I can transfer it temporarily to a project laptop with UFED for PC, which I will then send to the acquisition location, but will I have to wait for the laptop to get back, to be able to use my license in other locations?

Shahaf: So, no, no. You can either set a timeframe and when the license go back automatically, or what you can do on the device that is sent, you can basically release the license and send it back to your pool of licenses. There needs to be at least 24 hours that’s passed between the time that you made the initial release and of the license until you can get it back. But other than that, you can definitely use it once you are done with the collection.

Colleen: Okay. Thanks. Can Cellebrite collect SMS from iCloud or Android cloud backups?

Shahaf: I’m not familiar with that ability, but I’m more than happy to check through it. And I’m not familiar with the ability to back up Android into clouds. If it’s stored on the iCloud, we can gain get access to it, but I think, you know, the question is more complex, so I would be more than happy, to take it offline and see in a way that we can provide the most accurate question and answer.

Colleen: Okay. Thanks, Shahaf. I think this one is probably geared towards John. But what type of investigations have you seen where in an enterprise backup is not sufficient, assuming an enterprise backup can collect system files, browser related files?

John: I think the enterprise backup is going to fail anytime you need a full forensic image. If you’re facing a government inquiry in your project, the expectation is that you made a full forensic image of that device. So any time a full forensic image is required for your investigation — for your project — then the enterprise solution, because it’s limited to bandwidth, is probably not the best source, probably not the best choice.

Colleen: Okay. thanks John. John, this is for you. Can you define or explain boomerang a little bit more? 

John: Sure. We usually just call them remote collections, guys, but we call it a boomerang now, because typically in our methodology, we’ll send out to the custodian a USB — a locked USB drive — with all of the tools necessary on it. And of course, after the collection — and we’ll lead them through the collection remotely, utilizing that drive — of course, there’s a nice pamphlet that comes along with it that tells the custodian how to do everything, which we’re going to lead them through in the collection call. But after that collection, after that is all finished, the other thing that’s in the box is the return label. So that drive goes out, we make the collection, and the drive comes back. Hence the term ‘boomerang.’

Colleen: Thanks, John. I recall iPhone will store texts on iCloud for older items. If so, a traditional backup will not get all the text messages, even with checkm8? If accurate, we would need to do a two factor collection of iCloud and of the device?

John: Was that for me, or for Shahaf?

Colleen: Whoever wants to answer it. Do you want me to repeat it? 

John: Please. 

Colleen: If I recall, iPhone will store texts on iCloud for older items. And if so, a traditional backup will not get all text messages, even with checkm8. And if accurate, we would need to do a two factor collection of iCloud and of the device?

John: If you’re thinking of sync, then your question is answered with: yes, you need to collect iCloud and the device. If you’re not thinking of message sync, then the answer is, the collection of the device is sufficient. So if you’re worried that data is being synced — that mobile message data is being synced to iCloud — then the answer is yes. I would always try to collect the iCloud as well.

Colleen: Okay. thanks John. Here’s another one. Shahaf, is the physical analyzer running on Windows server 2019? 

Shahaf: John, you might know this better than I do. I don’t know the answer for that, we can check, but John, if you know… 

John: I don’t know what we’re running it on, what version of server we’re running it on. I apologize. I think that’s something we need to check and we’ll get back to the questioner on that.

Colleen: Absolutely. That’s that’s a great point. I checked the question. Is checkm8 a program used to pull third-party information from an iOS device? Is that a Cellebrite program? 

John: Shahaf, can I say something? 

Shahaf: Yeah, absolutely.

John: So checkm8 is an exploit. It’s basically a way to root an iPhone. All of the major vendors, Shahaf included, have found a way to secure it so that you really have almost no chance to break the phone by rooting it. In so doing, though, that allows you access to the file system, which is what Shahaf brought up. When you do a checkm8 type collection, you are actually accessing the file system and pulling back everything in the file system. That’s different than what comes back in an iTunes backup. 

Remember we talked about this, that iTunes backups can be turned off by the developer of the application. I won’t mention those applications by name, but there are several third party chat applications whose developers have turned off backup in iTunes. So the only way to really get that data off of the phone is to use some extraordinary means. You can photograph the conversation if you really want to do it that way, or you can use a checkm8 based collection, because the checkm8 will give you access to the file system. 

The file system will pull back all of the databases, not just the ones that are checked for backup in iTunes. And because you get all the databases, then that allows physical analyzer to look at those databases and decode them for you. Shahaf, did I miss something?

Shahaf: No, absolutely not. The only point that I wanted to say is, it’s a temporary rooting, because after that, you know, the device goes back to normal after 38 hours, and the operation is done. But other than that, very accurate.

Colleen: All right. I think we have time for one more question. Do you have documentation available for recommended hardware specs for a project laptop of this nature with Cellebrite installed that we would ship to custodians to enable remote location?

John: Actually, we found that anything that will run UFED for PC or any of the other popular mobile forensic programs is fine. We used the most inexpensive laptop we could find, because we were trying to keep costs down, and we recognized that shipping laptops all over the country to make these collections was going to increase wear and tear considerably. And so we did not want to put frontline equipment at risk. So I would tell you: look at each of your programs and find the minimum for each program that you want to put onto that laptop, including the remote control software, and go with that.

Colleen: All right, you guys, I think that’s a wrap. I just want to, first of all, remind or let people know on this call from a Cellebrite perspective, we have some upcoming events. We have a virtual summit, it’s called Cellebrite Connect, and we have one specific to the Asia-PAC, Europe, Middle East, and Asia area, October 20th. And we also have one specific to North America and Latin America on the 21st. 

Just so you guys know, we have law enforcement ones as well, but since this is our audience, and you guys with business and enterprise have very different use cases and how you collect and gain insights from the data, these are geared towards you. So please, I encourage you guys, if that sounds interesting, to go to our website and register for that event, it’s coming up. All right. John, Shahaf, any last words?

Shahaf: Thank you. Thank you, John, for being with us today and sharing with us for your amazing knowledge.

John: Thank you, Shahaf and Colleen, for inviting us to join you, and to everybody who’s on the call, please be safe.

Colleen: Great, thanks guys. And I also would like to thank everyone who has joined and especially thank you guys, Shahaf and John, for doing this. The webinar has been recorded. So I know there’s been a couple of questions. You will receive a copy of both the slides and the webinar together. And I just want to thank you again, and we look forward to seeing you on future webinars. Have a great day, you guys.

Leave a Comment