Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.Dan: Hello and welcome to the latest Cellebrite webinar. This one is tailored for the APAC region, and it will cover the keys to unlocking critical evidence from encrypted digital devices with Cellebrite Advanced Services. We thank you all for joining, and we hope that you enjoy the next hour of presentation. For those that have signed up for this, if you’re obviously not able to join, if your colleagues have signed up, then you will receive a link at the end of this, with access, in the next couple of days, to the recorded version of this webinar.
On the webinar panel today is myself, Dan Embury, Technical Director of Advanced Services. We also have Desmond Soh. He is based in Singapore and he is a Technical Forensic Specialist with Advanced Services. Finally, we have Simon Wooley, he’s a Senior Technical Forensic Specialist based in Canberra, Australia, and he has recently joined us, in September, and he will have more to talk about our new opening of the Canberra lab.
In terms of the agenda for the webinar, we are going to be covering an introduction of Cellebrite Advanced Services and an overview of the current forensic landscape. We will also cover some of the unique unlocking and extraction capabilities, and how to submit a case to one of our Cellebrite Forensics Labs via Cellebrite Advanced Services. We’ll wrap up with a question-and-answer session, and any questions that are not able to be answered during the webinar, we will make sure to reach out to you after and provide the answers that you are seeking.
In terms of housekeeping, all of you should have a clear view of the ON24 platform for the webinar. In the bottom corner, you should see a Q&A button, or a window should already be appearing. Essentially, everyone is muted during the webcast, but if you do have any questions, we encourage you to type your question into the box, and we will do our best to answer your question during the final 15 minutes of the webinar.
In terms of an introduction, for those that are not familiar with Cellebrite Advanced Services, we are basically the forward-thinking, cutting-edge providers for new and advanced solutions from Cellebrite directly. The security research labs are constantly evolving and creating new solutions that are ultimately going to be destined for our UFED products, but we are able to offer them to our customers as quickly as possible, to address your most critical needs. And it’s pretty clear these days that mobile devices are playing a defining role in criminal investigations. And obviously, the information contained within a locked device, once liberated, can help to reveal the truth, and most definitely lead to significant case breakthroughs.
Over the past few years, Cellebrite Advanced Services has evolved from the initial iOS8 breakthrough that allowed us to access the data within the iPhone 4S, the 5, and the 5C, to a more comprehensive ability to unlock many different devices as well as provide advanced extraction services to ensure the best evidence is extracted to further the investigation.
Cellebrite Advanced Services, as mentioned previously, provides advanced unlocking, advanced extraction, and additionally, advanced technical capability. So, these are unique solutions that we’re able to offer in-house and through trusted partners, to bring advanced technical capability to your most important cases. Additionally, our team is comprised of many different experts, situated around the world. So, we have a unique position of being able to offer professional advisory services to help review cases that are complex, basically give a second set of eyes to look over evidence and prepare the best case in conjunction with you, so that you can see through to a successful prosecution.
Finally, by having global coverage, we are able to respond to operational urgencies and mass events that may occur in this world that’s evolving into, in some situations, a dangerous place. Obviously, there’s terror attacks that are happening all over the world, and other sorts of terrible situations. And Cellebrite’s very proud to be able to help out immediately and, in most situations, get into devices that would otherwise not be possible to unlock and extract.
I’m going to turn it over now to my colleague Simon in Canberra, and he’s going to cover the next few slides here.
Simon: Afternoon, everyone. My name is Simon Wooley, and I’m one of the senior forensic technical specialists in Australia. We now have eight labs around the world, and we’ll start with the US side. We have a lab currently in Washington. We also have a lab in New Jersey, our lab in Canada, our lab in the United Kingdom, in London specifically, we have a lab in Germany, which is in Munich, we also have our headquarters in Israel, which also has its own forensic lab as well, we have a lab in Singapore, where Desmond, my colleague is currently, and we also now have a brand new lab in Canberra, Australia, where we offer all the services of the Cellebrite Advanced Services, including the unlocking and extraction, and [extraction of phones].
Some of the capabilities we have … I’ve gone too far … we’re able to close the time between actually receiving information from our research labs in Israel and are able to unlock the [large amounts] of phones at our Cellebrite labs around the world. We also offer the advanced unlocking and extraction methods that no one else in the world is currently offering. We also maintain the chain of custody and ensure that forensic integrity is maintained at all times, and at the end of the process, we also supply a full witness statement to comply with standard chain of custody.
It also allows us to reduce the time to react to urgent cases and critical cases in our own regions. So, specifically for Australia and New Zealand and the Asia-Pacific region, we have the Australia lab and the Singapore lab to look after those capabilities.
Dan: Next, we’ll have Desmond cover some of digital forensics landscape challenges that all of us are facing, as digital forensic practitioners.
Desmond: Hi everyone, my name is Desmond. I’m based in Singapore. I’d like to talk about a little on the digital forensic landscape. Alright, in the [good olden days], we used to extract data by performing the [j-tag ISPA] or [07:41]. However, because of the forensic method is dying for hardware, our challenge actually today is faced against [07:50] of encryptions and security and [07:55] that actually prevent us from getting the case [08:00]. This means that our challenge has shift from a pure low level of reverse engineering to intensive research.
Based on the research that was conducted in the year 2015, nearly 5% of the forensic practitioners mentioned that the device and application encryption was their biggest challenge in mobile forensic. Basically, [the slides explained] that they have their encryptions in Apple that was introduced in about four years ago. Before the iPhone 4S, you can do a physical extraction and recovery. But since iPhone 4S and the rest of device have entered the market, you can’t get into the device, due to the hardware encryptions. However, since June 2015, Cellebrite can obtain the full file system from any Apple devices that was running in any iOS variants. This type of extractions is available, they are our service … Advanced Services, and you can actually decode the data using the Physical Analyzer.
So, what does this mean? Well, from every device, there is always a way to get the data. Even if the device is locked. At the moment, we support 89% of the Apple devices and 90% in Samsung devices. I’m pretty sure that you guys are thinking that if we are going to support on the new release … but I can tell you that we are working on the latest release [10:00], and soon, we believe that we will be able to support.
I’m going to hand over to my colleague, to talk about few more slides. Thank you.
Dan: Thank you, Desmond. And you may have noticed that the trend survey that we previously quoted was dating back to 2015. We’ve just recently completed a mass campaign to generate more statistics and gather feedback from our customer base to ensure that all of this [10:29] helping to drive our research and our product offering development are basically in line with the current needs of today. So, although it’s 85%, based on our previous survey from 2015, we wholeheartedly believe that it continues to be a challenge, and I believe that the number will surely have grown from 85% upwards, which is not boding well for the overall forensic community, especially as we’re struggling, as a group, all of us, to find ways to get into the latest devices, and liberate the data that’s needed to advance an investigation.
This whole concept of Cellebrite Advanced Services originated back in 2015 as well, and there is some initial concern that some capability would be withheld from the UFED product and not go into all the new updates that come out every month or so. And what we’d like to try to do over the next couple of slides is explain why we are keeping some of these capabilities as a service and not incorporating them into the UFED product.
By taking a high-level zoom out, and looking at the entire vulnerability research arena, and looking at the definition of what an actual vulnerability is, it’s essentially a weakness of the design or the implementation that can basically lead to something strange happening, with the computer system, the network and application, or mobile device.
So, the concept is that these things are inherently occurring, they’re vulnerable systems that every person on earth is carrying in their pocket, and it just requires some very focused, very experienced personnel that are working together, to do some cutting-edge research in order to find solutions that might benefit the forensic community.
As I previously said, vulnerabilities exist in all products. Perhaps it’s because the code is written by humans, they’re inherently prone to making mistakes. And especially with the push to market, to get devices ready for back-to-school or for the holiday season, oftentimes, hardware limitations might prevent a full and proper implementation of a particular solution for either locking or for encrypting the data. So, some of these vulnerabilities are occasionally subtle, sometimes they’re not so much. But overall, finding these sorts of vulnerabilities can be very difficult, and they have become very difficult to find. And things like the Google Project Zero and other freelance white-hat researchers are really helping to make the computers and mobile devices that we’re utilizing much more secure. And of course we want this as government users, of course we want this as individual citizens whose privacy matters are paramount.
But when it comes to encountering a device that is on the body of a victim that has been murdered, I think in the best interests of everybody, it would be good to be able to access the data and perhaps solve his or her murder. So, ultimately, if these vulnerabilities can be turned into something usable for the forensic community, obviously it’s going to help out.
There are two concepts for vulnerabilities. The name Zero Day basically means that it is inherent in the product from the first day that it’s released. Whether it’s coming from the factory or if it’s software that’s pushed out in a new release, on the zeroth day, these vulnerabilities exist. So, they’re undisclosed, undiscovered, unpatched by the vendor. Once the vendor learns of the vulnerability and they start trying to find a way to fix this – they’ve either been alerted by some private research or some exposure, even at worst case, techniques do get exposed in court from time to time – so once the vendor realizes and starts trying to fix it, it becomes a one-day vulnerability. So, it’s more than one day after the product is released.
Now, the overarching philosophy is that anything that has not been discovered yet is probably best suited for initial release via Cellebrite Advanced Services. Anything that is a bit more exposed, something that’s already been patched but is still likely to have a positive benefit for the forensic community, then we will put that into the UFED Touch 2 and the UFED for PC products.
There are some things that are still extremely unique, but we still make a judgement call from time to time, and determine that it is likely to be patched in the near future or it is so obtuse and strange and is not going to likely get patched or exposed by putting it into the product, so we go ahead and do this anyways. So, we’re always trying to put value into your UFED investment, but from time to time, a breakthrough is so unique and so valuable to prolonging police efforts to be able to combat crime and make the world a safer place, we ultimately decide to keep it as a service to protect it.
I’ll turn it to Simon now, who will talk about the best evidence ideals for performing a full iOS extraction.
Simon: Alright, everyone. So, just some information about the iOS devices. So, we have an iPhone here with 32 gig of flash memory in it. One of the possibilities we have currently with just the standard touch would be Method 1, and that would be possibly a seven-gig iTunes backup, that also could be encrypted via an iTunes password. Another option we have via the UFED is the Method 2, which would be a four-gig AFC, which is an Apple 5 conduit extraction. Then you have the 21-gig active file, full file system. The only way we’re going to be able to access that information would be through the Method 3, which would be a non-forensic jailbreak. Now, having worked in the industry, modifying data via jailbreak, just to access the full file system would be a last resort, due to modification of [the data], and obviously the implications that would have in court.
However, with the Cellebrite Advanced Services, we’re able to do a full forensic extraction of the full file system. No modification of the data would take place, which is obviously an ideal situation. There would also be 11 gig of old data on the actual phone as well. This would be data that’s been deleted, and the [AES] encryption keys would be gone from the system, so you wouldn’t be able to access that information at all.
This is some case examples of using a Method 1, a Method 2, and also using the Cellebrite Advanced Services. I just want to point out, on the iPhone 6 Plus there in the middle, if we look at some of the numbers that have been pulled out of locations, for example, with Method 1, there was 362 location pieces of data and 73 deleted. And then, Method 2 pulled out five. Using your Cellebrite Advanced Services through the labs around the world, we will be able to pull out 1557, and 97 deleted. So, that’s a fairly big contrast. Using the iPhone 6 Plus in the middle again, if we look at the images on that phone, 3000 or so Method 1, 4000 Method 2, and using the Cellebrite Advanced Services, we’re getting 65550. So, there’s a fairly big contrast, of the amount of data that we’re able to pull out using our Cellebrite Advanced Services laboratories around the world.
Some of the things we’re able to access using the full file system extraction – we’re able to bypass the iTunes backup encryption password. This was a fairly big bugbear when I was working in the forensic community. You would go to extract a phone using the UFED Touch, and the first thing it would say is “Do you have the iTunes backup password?” Generally, that wasn’t supplied by the suspect, meaning that you were unable to extract that data.
We’re able to gain full file system access, including all the data that’s been recently deleted, not the fully deleted information but the recently deleted data. So, we are going to be able to produce the best evidence you can possibly get off that phone.
Because of the not having to jailbreak the phone, and it’s a fully forensically sound method, you can reduce the number of questions you have at trial. at Cellebrite, they asked how much information or how much evidence is [left that we’d been in there] to extract that data, and the research team basically said that there’s not a single trace, [or maybe] a powering-on event, on the phone itself.
And we’re also able to fully extract iPhone emails. This was a big bugbear again, when I was working at forensic labs, that we’d be able to get the From and the To and the subject, but we weren’t able to get the body of the emails. Using our Advanced Services, we’re able to extract full emails from iPhones.
We can also recover things like Facebook Messenger, BBM, Telegram, and other third-party applications that are normally excluded from the iTunes backup. This includes things like [health] data and WhatsApp as well.
And also, we recover a large amount of locations, including on the iPhone the locations of interest, like the most-used locations, that generally haven’t been able to be accessed via any other means at this stage. And also, system logs and applications logs – these logs hold a wealth of information nowadays, and using our system, we’re able to access that additional data.
I’ll hand back to Dan now.
Dan: Thank you, Simon. We did have one question, to rewind to Slide 17. And I think what’s important to understand with this overview is that if you think of the iPhone here as containing 32GB of flash memory in a single chip, the forensic ideal is to extract everything possible. And over the past seven or eight years, the only capability that has been available is the iTunes backup or Apple file conduit mechanism. Now, anything that can be seen on the device by the user plus anything that has been recently deleted, obviously that’s very important, and that’s actually what forms the active full file system. And ideally, that’s what should and can be extracted, with the proper techniques and methods.
Previously, before we came up with our solution, a couple of years ago, for the full file system, the only way would be to jailbreak the device. And again, it’s making changes to the system partition and it’s really not ideal to be explaining in court. So, a Method 3 would pop up as an available advanced logical extraction if the device was jailbroken, but alternatively and more forensically sound would be to perform a full extraction from Cellebrite Advanced Services.
As Simon mentioned, the 11GB of old data that is outside of the active full file system, there is data present, but all of it is encrypted. There is no ability to carve text or carve images, because the data, although it’s still there, it’s encrypted with keys that have been discarded. So, it takes nanoseconds for the encryption keys for a picture to be purged forever. The 5MB picture might still be in the flash memory, but since the keys are gone, there’s no feasible way to brute-force [AES] encryption, at least in our lifetime.
We’re going to move ahead into some Android topics, and talking about Huawei file-based encryption. Now, for those that recall, back in July of 2018, we had a pretty significant update to the UFED in version 7.8. And in this, we added full support for full-disk encryption, SDE devices that are either locked or unlocked. And we’re able to either bypass the lock or, if the device is unlocked or the passcode is known, we can produce a full file system extraction.
For other devices – and again, it’s hard to know precisely what type of encryption is being used on any given Huawei device. There is some consistency, but even we’ve struggled to determine what it is by looking at the model number, and we really only know for sure until we start working on the device. The good news is that we’ve put some pretty good logic into the UFED, and it will indicate whether something is supported or not. And if it’s not, in most cases, it’s going to be a newer Huawei device with file-based encryption that is locked. In this situation, the actual passcode needs to be brute-forced. So, if it’s a PIN or a pattern or a password, then obviously we have to [brute-force] some effort, that is only doable within the Cellebrite Advanced Services CBS cell locations, and with that, we’re able to produce a full extraction of the file system once we determine the passcode.
In a similar fashion, Samsung Secure Startup poses significant challenges to the forensic community. From our understanding, there is no other solution in the world that can help to get through this sort of passcode. And to the user or to the forensic examiner, this is the sort of image that would be seen on the device when it initially boots up. So, it would come up very quickly on the right, black screen for Samsung, and it basically says that the device is encrypted, and in order for it to start up and fully mount all the data partitions, you must enter the passcode. And you could have a password, as shown here, with a full keyboard, there could be a pattern lock, or there could be a PIN code.
There’s even something called a direction lock, which is used for accessibility options, for handicapped people. And if you really want to play around with it on your Samsung device, go into Accessibility and choose a direction lock as your passcode. And you basically draw patterns of up/down, left/right, I think it has to be between six and eight directions. And you get some audible feedback, and the phone vibrates as well. So, it’s something that’s very suitable for those that require these additional accessibility options to operate the phone.
For this situation, via Cellebrite Advanced Services, when a phone is submitted to the Cellebrite Forensics Lab, we would essentially have to brute-force the passcode in order to produce the full physical extraction.
Now, speaking of Android physical extraction, this is where it differs from the iOS world. Since, in most situations, full-disk encryption, [SDE], is utilized, once we are able to get past the encryption, we are able to have access to the full decrypted physical [within] the phone. And we’re able to produce a bit-by-bit copy of all of the flash memory.
In some devices, we will extract the block-device data as abstracted in the OS, and in older phones, we may actually even have ability to have raw access to flash pages. Now, these would be old, discarded pages that are not part of the active file system, and it could be interesting for carving small bits of data, your text carving or, depending on the page size, perhaps even thumbnails of pictures or thumbnails of video screenshots.
The device file systems can be reconstructed, and in some devices, you might see dozens of partitions. In others, there might be maybe eight or ten. And essentially, we can carve, within those file systems that are contained within the flash memory for deleted items that are still resident in the unallocated space. So, the file system can no longer access it, but through intelligent carving available through UFED Physical Analyzer, it may be possible to recover additional data from the unallocated space.
For Samsung devices, the goal obviously is to get a full, decrypted physical extraction. In newer versions of Android, there are limitations in terms of what can be backed up using the typical Android backup mechanism. Additionally, there could be third-party applications that rely on keys stored outside of the user-accessible space. So, in order to fully decrypt the database contents for WhatsApp and Telegram, it is necessary to have the keys, in order to perform that decryption within UFED Physical Analyzer. Again, it’s very difficult to make generalizations, based on the number of different handset manufacturers in the Android world, but these are ideals that we strive for, and you’ll see in the next few bullets that, essentially, we try to put as much as possible into the UFED in a generic fashion, in an easy-to-use, push-button solution.
Now, there are other methods that might allow you to gain root access, and enable you to have a fully-mounted, decrypted user data partition, but some of these methods will actually wipe the device when you try to root the device and gain access to what you’re trying to do.
So, the beauty of the UFED solution that we’ve implemented – they’re forensically sound, there’s no need to root, everything is temporarily performed in RAM. And what we try to do is make better solutions that what might be out there in the [flasher] box and hacking world.
Now, something that was present a few years ago is Dirty COW, and this is a global vulnerability that affected many, many Linux platforms and millions of devices. COW stands for Copy on Write, and it was a vulnerability that was discovered by some researchers, and that is what we turned into Advanced ADB within the UFED. And this probably helped to liberate data from thousands of devices in hundreds of countries around the world and basically provide some great benefit to the UFED platform.
We also added some interesting Samsung capability about a year and a half ago that allowed for a method to do a physical bootloader but while bypassing the screen lock. Earlier this year, we added the Smart ADB capability, and that is basically any device running Android 6 or 7, it [31:23] was provided in UFED 7.5, and it provides for a full, decrypted physical extraction of the device. And this is quite unique in terms of the breakthrough that we provided via the UFED platform.
In September of this year, we added Samsung physical bypass for a large number of low-end Samsung devices running Qualcomm processors. Again, bypassing the screen lock – it’s not secure startup. For that, you would have to consult with Cellebrite Advanced Services. But essentially, this helped out in … I can’t even imagine how many devices this applies to, based on the five main Qualcomm chipsets that it supports.
And then, ultimately, if something’s not in UFED, [we’ve made apparent] that additional help may be found via Cellebrite Advanced Services. And we’ve tried to do a good job of adding a little flag that says TAS, to make it clear, but in many situations, there’s so many different possibilities with the UFED, we may not have tested every single model out there. We do have 26,000 phones within our inventory, but there could be some devices that are just untested in some parts of the world. So, we strongly recommend getting a similar device to the case that you’re dealing with, trying similar profiles, trying generic profiles, and again, making sure that your process is sound before attempting something with the UFED. If you’re at your wits’ end and you don’t have any success happening, we’ll definitely help to consult and basically tell you if there’s something possible or not via Cellebrite Advanced Services.
One unique capability that we’ve just added over the past couple of months is the ability to extract a secure folder from Samsung devices. Now, this is a tremendous breakthrough for anybody that’s hidden an application or hidden data within the secure folder, that is really quite straightforward for a user to set up on the device. We provide a full archive of the files and folders within the secure folder, and it winds up being easily parsed with UFED Physical Analyzer, once you receive the deliverables. And we’ve seen users put Kik Messenger inside a secure folder, we’ve seen other users put hundreds and hundreds of pictures and movies that they obviously don’t want others seeing.
As you can see, we have quite a large amount of capability. Everything will one day make it into UFED, but Cellebrite Advanced Services is here to help you gain access to the latest capabilities to solve your most urgent needs.
I’m going to turn this to Desmond now, and he’s going to go over the case submission process that we’ve put together for Cellebrite Advanced Services customers, by way of a community portal.
Desmond: Alright, thank you, Dan. Basically, I’m going to go through the [34:35]. To start your journey with [us], you can actually send in the enquiries, to www.cellebrite.com/en/cas-sales-inquiry. So, basically, in the first step, our sales representative will then send you a request document, and prepare [the quote] basically. And then, you will go to the second step, when a request has been approved and you will receive an email that contains a voucher and the instructions to submit a case via our Advanced Services Portal.
And of course, it’s time to open a case. So, go through the portal and log in or register for a new account, if you are a new user, and enter the case information. In the first step, you basically review the case and then check that the device is supported, and then … don’t send the device until you have received our confirmation, as it will be part of our chain of custody.
This is the portal address. The fifth step – once the case has been confirmed, you will be receiving an email with a CAS work order, and shipment instructions. Or, if you are dropping off, a CAS forensic specialist will contact you and arrange a schedule for the drop-off. On the sixth step, you will be receiving email notifications about every change in the case status. You can also log into our portal at any time to actively monitor on the progress of the case, or you can check with [36:19].
On the seventh step, you can … actually, once we have completed the case, we will send the device back or we will arrange a schedule for you guys to pick up. Once you have received the device, you can actually log into the portal to acknowledge the receipt and the passcode [we actually revealed] in the product.
This is the eight simple steps. I’m just going to go through a quick walkthrough on how our portal looks like. Basically, this is our login page. Once you have logged in, you will see this interface. You can enter the voucher number in the Advanced Unlocking & Extraction Services section that is found on the left of the screen. Once you click Use, a form box will appear and ask you to fill up the details. You can fill in the case number or any reference as the case needs.
At the bottom, you can select the device model and you can enter the type of password model and other information to continue. To click Next, you will see this interface, and basically, this interface will have a selection between the shipment or the drop-off options. You can easily click on the left, the shipment, to [include] a new address for the shipment. On the next step, you can save the address basically. And this is one of the examples of the drop-off of the device.
The next step, you can upload any file that is related to the case, for example, a court order, images that were taken [of] the device before it’s sent over, and comment on the files that were uploaded.
You can check the terms and conditions, and proceed with the case submissions. And basically, once you click to submit the case, you will see a form saying that the request has been submitted, and you will receive a unique case number that applies to each device. This is a unique identity, to identify the device that has been submitted to our lab, and it has been used for reference for in terms of enquiries and so on.
This is the interface once you have submitted the case. The orange at the right top … on the left top [gives] a status of New, is the current status that you are currently at. When there is a status change, you will basically see the orange status hop through the next one. This is the example where the status was a received status, where we have received the case from the shipment or from the drop-off. And the case status is updated on the fly, in real-time.
Once it has been completed, the shipment information will be shown in the portal, as well, when you click on the Received button, the passcode and other information will be actually reflected in the portal.
You can easily click on the top right arrow in the Home page to view the existing case that has been submitted for [better] case management as well. And you can export into a CSV file, which is able to open with Excel … Excel sheet.
You can actually click on the case details, zoom down into … to view more information about the case. And you also can quick View Voucher to look at the existing vouchers that you currently have, [if it is tied to] your account. You can also click on the Use Voucher to use the voucher again.
That is the simple … I’m going to hand over to Simon, to talk a little bit about the case study that [we guys have] experienced before. Thank you.[crosstalk]
Simon: Thank you. So, we’ve got a couple of cases here that the Cellebrite Advanced Services lads have actually helped out with in the past. This first one is the Gerard Baden-Clay case. It was a case in Queensland that was quite prolific in Australia, made the media. It was about the grandson of the person who originated the scout movement, the movement in Australia and around the world. His wife went missing, he was the main suspect throughout the case. And her body was found at the bottom of a river a fair way away from their house. There were a few things that kind of hinted towards who was involved, and part of that was that some of the plant specimens that were found at his house, in the garden of his house, were also found on his wife’s body. And also, that some information on his phone sort of led to the fact that he may have been involved as well. [And I think that’s more in the next slide, which I’ll show you now.]
Using the log from the phone, they were able to see that Mr. Baden-Clay had said that he was in a heavy sleep at night, however, the logs on his phone actually showed that his phone was plugged into a charger at 11.30 AM, even though he’d professed that he was actually in a heavy sleep at the time.
A request came through from the Queensland police to assist. He had an iPhone 4S at the time, which was obviously PIN-locked, and they were unable to bypass the PIN. So, they contacted the Cellebrite forensics lab in Singapore, which is where Desmond works, and needed our assistance for the unlocking and extraction of the data on that phone. Not only that, they also wanted us to be able to decode that data. Generally, we don’t decode the data unless we’re specifically asked for that service. That saves us looking at the data and having to test upon that data. And it keeps the data just in your organization. So, we don’t generally look at it.
However, they asked us to decode the data and also give them the full extraction and PIN as well. Ultimately, whilst going through that data, the Queensland police discovered the actual message that he used to order the murder of his wife at the time.
I’ll now pass over to Desmond to talk about the next … actually, maybe it’s Dan who’s going to talk about the next one in Germany.
Dan: Thank you, Simon. Just for some clarification, the first case, with Gerard Baden-Powell, that actually predated Cellebrite, but we did find it quite interesting that [it is a] very good situation demonstrates the power of looking through the system logs that were actually keeping track of the battery level. I’ve been in contact with the originating agency as well as [CCL] Forensics in the UK, who did the research to point out that this is very interesting data that’s being recorded within the phone itself, within the iPhone, and once plotted against a time graph, it became pretty apparent that his alibi was not what he said it was. He was not consistently plugging his phone in every night, religiously, like he did on the night that he killed his wife. He was in fact two hours late getting back into bed and plugging it in like he normally would have.
So, along similar lines, we learned of this case earlier this year, and this customer in Germany had actually utilized our services, we had produced a full extraction of this iPhone device, and then they went to great lengths to go through all of the extracted information. And what they were able to do was decode the health data, fully, and basically, really help to find the truth and lay down some pretty specific and compelling data points in the theory of what led to this young girl getting murdered.
Essentially, she was found dead, drowned, in a river. And the health data from the suspect’s phone showed that he was actually walking up and down steps before and after this occurrence. Now, geographically positioning the phone and looking at the altitude change, and actually measuring … typically, for health reasons, as you’re climbing up and down … the actual position was him dragging her down the river bank. And that was being registered as steps. And then, at the end of the terrible ordeal that she went through, and she was ultimately killed, the suspect then walked back up the river bank, and that was registered as steps, climbing up the building. So, really quite unfortunate.
But it was very interesting to see that this amount of data that is liberated from locked iPhones, it’s really up to the investigators to dig as deep as possible. We are continuously adding support within UFED Physical Analyzer to decode as much information as possible. But again, some good due diligence, obviously squeezing through every single SQLite database led to some pretty interesting … circumstantial evidence, mind you, but additional information that really, truly led to a solid conviction.
Those three case studies are wrapped up. We’ve got about 13 minutes left to cover some questions from our attendees here. Thank you all for participating by asking questions. Now, there seems to be a lot of confusion with slide #17, so I will go back to it for one final, brief clarification. And understandably – there is a lot of information on this slide. But this one refers to, ultimately, the 11GB of old data. Now, theoretically, if you were to do a chip-off on an iPhone, you would have access to all 32GB of information within the chip. But with the way that the hardware encryption is implemented, there would be no point, all you would do is destroy the circuit boards potentially and also maybe the actual flash memory chip.
But using electronic methods, such as the iTunes backup or the Apple file conduits or the Advanced Services route, you can gain access to the data within the active full file system. Now, this is the 21GB that is currently utilized within this sample example here. The 11GB of old data, through Advanced Services we can extract it, but there is really no value whatsoever, because there’s nothing sitting there in that unallocated space that could be carved. There might be some random bits of strings pertaining to the user, maybe their iClouds, email account, maybe some low-level characteristics of the phone itself, but there should be no user data whatsoever within this unallocated space. And again, that’s because of the encryption that’s utilized. Once something that the user created or received on that phone, once they delete that, the key is thrown away almost instantaneously, and the actual payload that is stored within the flash memory cannot be revealed because it’s encrypted.
So, I hope that answers the question for that. I’ll leave this up on the screen while I answer a couple of other questions that have come through. There is an enquiry about the iPhone 10S and the iPhone 10R. In the interest of ensuring that police techniques are kept confidential and basically in order to protect capabilities, we won’t get into specifics of what models we can and cannot support, here on the webinar. Know that we do have very comprehensive coverage of Apple devices, and Samsung, and many other Android handsets out there. So, your best bet, if you have a specific enquiry, please contact technical support or your sales representative, or you can complete the web form that Desmond described here on this first page of the CBFL submission process.
Another question: Can you unlock the latest iOS 12 that should have new security measures? Again, we know that Apple has been responding to various threats out there, from both the hacker community and also from the police community, where best efforts are being utilized to try to help out with investigations and basically threat closure to victims’ families and help to administer justice. Again, we won’t comment publicly here about iOS 12 support, but please contact us directly, and once we can verify who the request is coming from, then we’ll be able to tell you if we can assist or not.
A question came in about Android capability for some of the newer versions that would be running on a Samsung device. Occasionally, with newer devices, you might see a pop-up on the UFED that basically states that the security patch is too new or there’s another error or issue affecting the ability to extract the data. Now, in a lot of these situations, it is something that we could possible or most probably assist with via Cellebrite Advanced Services.
So, please exhaust all opportunities with the UFED, and only once you’re certain that you’ve tried everything possible … you may also wish to contact technical support if you’re seeing something strange happening with the product, but ultimately, if it’s urgent and it’s a high-profile case, we’d be more than happy to provide some guidance via Cellebrite Advanced Services.
Simon, I believe you had a question about Line Messenger, which is quite prevalent in parts of Asia-Pacific.
Simon: Yeah. I haven’t actually seen Line data in Australia. So, is Line a specific [52:26]?
Dan: Yeah, so I’ve been to Japan, and it’s quite popular in Asia, as an alternative to WhatsApp or WeChat. And as long as we have full access to the decrypted physical, we should have access to the application data that’s stored in an SQLite database, as well as any encryption keys that are also being utilized to protect that data. So, I believe the answer should be yes, we should have full support for any third-party application. Essentially, if the user can see it, once we apply our methods, we too should be able to see that information.
Simon: another question on here about deleted photos, from [Heather]. I’m [going to] answer that one myself. I know with iPhones, if you delete a photo from your iPhone, it generally sits in a folder like a trash like in Windows, for up to 30 days. So, it doesn’t instantly go to that 11GB unallocated. However, after that 30 days, when the file is properly deleted, then there’s no chance of actually recovering that file after that point.
Dan: Great. There’s another question her about timeframes, for unlocking an Android or iOS device. Now, our typical turnaround time is 10 business days, and in most situations, we are achieving that. But occasionally we do encounter either a technical difficulty or an instance where we have to go through some more complicated brute force for the passcode – only if it affects the ability to truly gain access to the extracted data. We do have an automated system that will send out a notice every 30 days and actually provide some good information on our brute forcing process and progress, as well as to possibly solicit some hints or some other information that might come about, such as favorite numbers, dates of birth, basically anything that would help to form a better dictionary that would be tailored specifically to the owner of the phone.
We are all creatures of habit as humans. We’ve done some significant optimization of our dictionaries that we’re using, and what’s interesting is that after doing thousands of phones and finding passcodes that real live humans set on their devices, it really helps us to narrow down and optimize the dictionaries in an efficient manner. So, with a six-digit passcode, it might take a million different attempts if we happen to have the worst sequencing and the owner happened to pick the last passcode in that list. But we’re finding that we’re achieving success … 80/20 rule generally applies, so 80% of the passcodes are within the first 20th percentile of items that are listed in the dictionaries that we’ve put together.
Simon: I see there’s a question here from [Chris], asking about if there’s a hotline specifically for emergency situations for Cellebrite Advanced Services. I’ll contact you, Chris, after this, and I’ll send you my details so that you can contact me if you’ve got anything like that.
Dan: Yeah, certainly. So, we have good coverage in the region. Obviously, there are still some gaps, where there’s time zones that aren’t fully covered. Ideally, the customer support portal can be utilized to reach out to somebody in the technical support organization at Cellebrite. And when you create it through the community portal, you can actually score the severity yourself. So, you can say it’s a critical issue, and put the details of it. And we basically have almost 24/7 coverage using the technical support portal.
There’s also a question about court testimony and whether, once … basically, I would read into it as knowing whether we will fully support the prosecution. So, we do become part of the chain of custody. We are part of your investigation, because you have to send the phone to us, for us to unlock it, perform the extraction. Everything we do is detailed in a witness statement, it’s signed by the forensic specialist within our Cellebrite forensics lab. If there’s anything additional that’s required, we are here to work with you hand in hand, to see you through to a successful prosecution. We obviously want to see justice prevail. There may be some things that we can’t explicitly state on the record or state within a written statement. There’s special techniques that we may be using. But ultimately, the forensic process that’s applied is fully documented, and it has gone through the courts in many jurisdictions over the past couple of years without any hiccups whatsoever. And generally, the prosecution and the defense come to an agreement that, yes, the device was locked, Cellebrite helped to unlock it, the data is there, that did not change, and that is what is used to prove the case.
Simon: I see there’s a question here as well about how long it takes to do a full file extraction. That varies, obviously, depends on how much data is on the phone, how big the phone is. We’re seeing now that there are phones with 512GB, and they’re talking [not far off] having a 1TB mobile phone. So, really, the time that it takes to do a full file extraction really depends. It’s very hard to put a figure on that, unfortunately.
Dan: There’s one more question here that looks interesting: Does CAS include the ability to recover deleted messages from an app like WhatsApp or WeChat, since in UFED sometimes we couldn’t see the deleted messages, but actually, the deleted messages are somewhere in the app database? So, this almost sounds like a decoding issue, perhaps with UFED Physical Analyzer. As long as the full extraction has been performed, there should be an ability to decode everything from within the databases. So, you may wish to reach out to our technical support for assistance with this decoding issue. But it could also be the fact that maybe all the data is not present, because some of it’s encrypted still, and additional, more advanced methods would be required to fully decrypt it.
I think at this point we’ll conclude the webinar. We’ve got about 10 seconds left. But I would really like to thank everybody for joining. I think it’s been very productive. And any questions that we did not answer, we will be sure to contact you in the coming days. Additionally, for those that have colleagues that might be interested in seeing a recording, we will have that available as well. And once again, thank you so much. For those that are still in daylight, have a great day. And thank you again.
Simon: Thank you, everyone.
End of transcript