Leveraging Social Media And Cloud Data To Accelerate Investigations

Presenters: Shahaf Rozanski – Director of Product Management Forensics at Cellebrite, Jim KempVanEe – Director of Digital Forensics at LogicForce Consulting

Hello everyone. My name is Seth Augenstein. I’m a reporter with Forensic magazine. Welcome to today’s webinar, brought to you by Cellebrite. Today’s presentation is called Leveraging Social Media & Cloud Data to Accelerate Investigations. Social media is an important part of almost everyone’s lives in the modern world, and can be a rich resource for investigators with the right tools and know-how.

While you are listening to the presentation today, I would encourage everyone to submit questions at any time by typing into the designated Comments section on your screen. Following the presentation, we will have a question-and-answer segment where today’s speakers will answer individual questions submitted by members of the audience. Remember that today’s webinar will also be available on demand, so you can view it again at your convenience or share it with friends and colleagues. You’ll receive an email with a link to access the webinar within the next few days.

Now I would like to welcome today’s speakers. Jim KempVanEe ran the digital forensics lab at the Tennessee Attorney General’s office, and has been in law enforcement since 1992. He is currently the director of Digital Forensics at LogicForce Consulting. Shahaf Rozanski is the Director of Product Management at Cellebrite. Please find the entire biographies for today’s speakers in the slide show available at the end of the presentation. I will now turn it over to our speakers for the presentation. Enjoy the webinar, everyone.


Jim: Yeah. Thank you, Seth. As Seth explained, my name is Jim KempVanEe. I’m the Director of Digital Forensics at LogicForce Consulting in Nashville, Tennessee. I’ve been active in law enforcement since 1992 and have about 16 years of digital forensics experience. Shahaf is the Director there at Cellebrite, with 17 years of experience in bringing this technology to law enforcement, and we are absolutely lucky to have Shahaf around.
What I want to talk to you guys about today is cloud storage and cloud service accounts. I want to discuss a little bit of the background on what these accounts are, some of the methods that we can use in obtaining [that] information. Shahaf is going to discuss one of the tools that’s out there, Cloud Analyzer from Cellebrite, that is available to law enforcement to collect this information. And I’m going to discuss a case study of an event that I was party to, where Cloud Analyzer was absolutely critical in obtaining some information that got a child sex offender off the street a lot faster than we normally would have. And then we’ll end the presentation with a demonstration of Cloud Analyzer and some questions.

So Cloud Service accounts. I think at some point in our law enforcement career, we’ve all encountered cloud service accounts. How we handle these accounts certainly varies area by area and department by department. However, the data that’s there is still very relevant to our investigations most of the time. A lot of the cloud service accounts that we know of are iCloud… thank god for Google, for once. Google Services has a lot of information that’s available to us about suspect activities. Facebook, Facebook Messenger, Instagram, Twitter. Web-based email is another great place that often gets overlooked by us as we’re doing investigations. Dropbox and those third-party applications that I’m sure we’ve all dealt with at one time or another through one of our investigations.

So we’re going to talk about some of the obstacles that we encounter when we’re dealing with these cloud service accounts. We know that it’s out there, but really, how do we get this information? An investigator may get a handset. If it’s on the network – and the individual user can do this also – they can access an enormous amount of data, the Facebook messages, those cloud accounts for email, etc. But really, as investigators, how do we get to that?

Our forensics practice, as we’ve all been instructed, and probably even instructed our investigators to do – step one is to get the phone off the network. By doing that, which is a very sound forensics practice, we limit ourselves to the information that we’re actually going to get. So the detective who’s brought a phone into the lab may be under the assumption that everything that he saw on the phone out in the field is going to be in that report, when in fact that doesn’t really end up being the case.

The other thing with the cloud accounts that we are too painfully familiar with is the ability for any user that has the username and password to be able to remotely log into these accounts and destroy evidence. I’m going to talk about that. That’s kind of important in my case study. And then the other thing that’s a pretty big obstacle, and we’re seeing this more and more, is that these cloud service providers, whether it be Google or Facebook or whoever it is, they’re being a little bit more picky about how quickly they get us the information and exactly what they will produce to us. A lot of times it takes so long to get this information that by the time we get it to the investigator, it’s not really actionable any more. And that’s one of the things that we’re trying to overcome here.

So one of the stories that I ran into here that’s very relevant to this is in July 2015, a court in New York actually ruled against Facebook, who was trying to quash 381 search warrants. And the word ‘quash’ there is pretty important, because they were treating this just like a subpoena. So they don’t really see these search warrants as what we normally look at them as. And some of these providers are even placing their own limitations on how much data they’ll give to us. And I’ve personally dealt with this once, with location data from Google. We had a warrant that allowed for a very large period of time, because of the type of investigation, and about a month after we filed the warrant, we got a call from Google asking which seven days we wanted them to produce. After some discussion about the warrant and what they should produce, they went ahead and gave us some more information. But nonetheless, it was still a battle.

So identifying the cloud service accounts. So we know they’re out there, but how do we know what’s associated with the suspect or with this particular case? Some of the places that we can get this information is through the victim and the witness. So we’ve all dealt with the case where the victim comes in to report that they’ve been, for example, sexually assaulted, and perhaps they met this person on Instagram – not that we’ve ever dealt with one of those cases. So we’ve got some communication between the victim and the suspect prior to the police really getting involved. So we’ve already got some intelligence there on the accounts that might actually be used in this investigation.

One of the other things that I think is not looked at nearly enough by any of us as we investigate these accounts is what other intelligence can we get?

It’s pretty common for us to reach out to other agencies to ask for some background if they’ve had other contacts with these particular individuals, or maybe getting some of that type of intelligence, maybe someone in the office doing some online research to see what they can find out there. But one thing that I’m seeing that gets overlooked frequently is the call to the adjacent department to find out if they’ve already dealt with this suspect and have a copy of his phone. We’re seeing that more and more actually, where this individual may have been in investigation at some other point, by another agency, and they’re actually holding a copy of that individual’s phone that was taken by a search warrant, which, as we all know, can hold an enormous amount of information for the current investigation. So that’s just something I would like to throw out there for y’all to think about.

And then we’ve got the suspect’s media. So we may end up with that suspect’s phone, we put the suspect’s phone through Physical Analyzer. Physical Analyzer is nice enough to give us a real nice list of the user accounts, and that’s one of the primary ways that we’re starting to figure out what this individual was doing.

And then the last one is what’s the suspect say? Because we all know the suspect will never lie to us, he’ll tell us everything and be honest. But you may be a Jedi when it comes to being in the interview room, and get this gentleman or this lady to actually give you some relevant information as to what accounts you need to go after.

So then comes the question of how do we get to it. So we’ve got the information that is out there, we’ve identified the accounts that are probably relevant, but how do we actually get that information, especially the information that’s not actually held on the handset itself?

So one of the things – and I’m sure that we’ve all dealt with this a couple of hundred times – is the preservation letter. And thank goodness for Facebook for actually giving us a web portal where we don’t have to go type up a whole letter, we can just put in some credentials. But the preservation letter is great. Most of the time, it only takes a couple of minutes, because we have templates or, like Facebook, we’ve got a portal, and we can get that preservation out there. Now, the problem with that is that we’re relying on these providers to comply with our request to preserve.

And I had a particular case when I was at the Attorney General’s office, where our entire case relied on Google Docs. This was shortly after Google Docs came into existence. I sent out my preservation letter, like we always do, took a couple of days to write my search warrant, sent it, only to find out that nothing had actually been preserved by Google. So when we called, very frustrated, they simply told us that it was a new product and they didn’t know how to preserve it. So it works most of the time, but I don’t really know that I want my case, all of the evidence residing on a simple preservation request.

So we got valid consent. We all know, probably back all the way to your patrol days, that the answer is always going to be no if you just don’t ask the question. So we obviously don’t want to overlook that. And that consent is for your victim, for the witness, and even the suspect. I’m going to talk a little bit more about why this is important, and the nuances when you’re dealing with online accounts and consent. Because I’m sure we all have those consent forms that we have in the trunk of our detective car, that we pull out, scratch out the line that doesn’t fit, and handwrite in whatever it is that we want to search, and that’s how we move forward with our consent. Online accounts, a little bit more delicate, but I’ve got a template here that I’ve put together, albeit it’s a template, not a hundred percent, but it might be something that’ll help you out in your investigations.

So we’ve got the traditional search warrant. These search warrants, we’ve all done them a million times I’m sure. You get the handset in, the detective’s written the search warrant for this type of information, relevant to his investigation, they have the description of the phone, we bring it into the lab, hook it up to our Cellebrite, pull down whatever information is available to us, and we produce that to the detective in the report. So those work fairly well, but it still doesn’t address our issue with cloud service accounts. So we still have this data that’s sitting out in the cloud. We’ve got the suspect’s phone in our lab, but we still haven’t really got this stuff controlled to where nobody can delete it.

So one of the things that I’m going to talk about here is how, through this case that I worked, we kind of developed a way of extending those traditional search warrants from the normal device warrant or the service provider warrant, and extending those into the cloud. And these are simply ideas. So in full disclosure, I’m not a lawyer, I’m just a guy that’s done investigations for a number of years, and pretty familiar with case law, so I thought we would give this a shot. And I was fortunate enough to be blessed with a case that was just perfect for trying this out.

So written consent – this is the sample template that we pulled up. And if any of these templates, anybody wants, afterwards, feel free to reach out to Shahaf or I, and we’ll get you a copy of them. Like I said, I’m not a lawyer, this is just something I put together that we’ve had some success with, so I would encourage that if you do use them, that you pass them up the chain to your District Attorney and make sure that they’re consistent with all the relevant laws in your area.

The important thing here is that you’ll see that there’s the user name and the password. For me this is important because it actually gives the person a chance to write down each of those accounts that they’ve got, that you’re going to be getting into. And then we’ve all heard the defense’s issue with, “Well, my client consented, but he really wanted to revoke it,” because the detective didn’t give him a way to contact him, so therefore the consent is not valid. I’ve tried to address that in here too, so there’s the address to your department, a 24-hour number, etc. So you feel free to use those if you like. And now we’re going to talk about extending the warrants into the cloud.

So the first one we’re going to talk about is that traditional device warrant, that warrant that we’ve probably written a hundred times, but how do we take that and extend it out to these cloud accounts? Now, remember that the user of the phone, as they would hold that phone in their hand with their internet connection, they can access this information. They could delete it, they could add to it, they could be sitting there talking to you on the side of the road, contributing to that information or data source. So that was kind of my thought process as we went through this evolution here in our case.

So some of the language that we included in our affidavit – and I’ll show you, there’s a template that I’ve made for this that you’re more than welcome to chop up as you see fit – but there are several paragraphs of articulation in the template, and the articulation here can really be summed up in this next paragraph, that the use of these cloud storage accounts has become so closely tied to these handsets that in essence they are an extension of the handset itself. Most of the time, these people don’t even realize where the data resides. They’re accessing their Facebook Messenger, they’re accessing their webmail, whatever it is, their Instagram, and they may not even realize that some of that information that they’re pulling down is actually in the web, or in the internet, rather than on the handset.

So that was kind of the thought process as we extend these warrants out. And then, in the actual warrant itself, we’ve added some information in here on what we’re allowed to search. Because we all know we’ve got the affidavit and we’ve got the warrant. So in this case, the physical device, what we’re asking for here is for the court to allow us to not only collect this information from the handset, but also to be able to remotely collect any cloud-stored data, as long as we can show that that cloud account is associated with the phone. So we’re not asking the court to give us every account that this person could possibly have. We’re simply saying, “Your Honor, if we can see that this account is accessible through the phone, we would like to have that information also.” When I wrote my first one, I wasn’t real sure if that would work. I’ve written several since, and I haven’t had any problems with a judge understanding that concept yet, thank goodness.

So here’s a sample of that search warrant. There in the yellow, towards the bottom, you can see where that language is added into the actual warrant. There’s obviously the affidavit with all the articulation, but that’s really the biggest change that I’ve made to what our standard warrant would look like, to extend this out to the cloud. This has become kind of a standard for a lot of our warrants now, where we get the device and have that just in hand, so as we’re doing that Cellebrite extraction, we’re able to get over to the cloud data.

The next type of warrant – and I’ve used this one for the provider – I’m going to explain to you how these all work here in a minute, when we go through the case study. But in essence, it’s the same articulation, that device being so closely tied with the internet, that it’s basically an extension of the handset. The only thing that I’ve really changed here is the language in the actual warrant. So what this is is we’re already writing a search warrant to the provider. So we’re saying, “Google,” or Facebook, whoever it is, “We would really like to have this information from this user account, which we have articulated through probable cause to our judge, that we’re allowed to have, and now we would like to get that information.”

So where we have our obstacle currently is that we’re stuck with whatever Google or Facebook decides that they want to comply with. What this allows us to do, that you can see in the green, is to remotely collect the data. So if we do have those credentials, we can reach out and pull that information very quickly, and we can have that information in the detective’s hand hopefully before he even goes into an investigation to make sure that it’s very actionable.

And there’s a couple of things that I want to just bring up here with these warrants. So one, I would encourage detectives to use some reasonable date ranges. You got to understand this extension into the cloud is a new concept, there’s not clear case law out there that your prosecutor can rely on, so we in the investigative community probably need to do everything that we can to not have our name associated with bad case law. Nobody wants that. It’s kind of a career-ender for some of us. And then the other thing, especially with these service provider warrants, is what I would encourage that you do is if you have that warrant to Google, and that warrant does extend into the remote collection, don’t get too excited about jumping right on the warrant inside your lab. Take that warrant, get it served to Google, make sure you’ve got that documented, and then do your remote collection. So if there’s some type of a legal issue that can’t be seen or somebody does try to come in and get that evidence excluded from your remote collection, you can show that that warrant was already in process with the third-party provider, so when those records come in, we can hopefully salvage those also. Don’t anticipate that’s going to be a problem, but I do like to just put that out there, so we have that safety net in place.

And here’s the sample search warrant for the provider, and if anybody’s got any questions on those, like I said, I’m more than happy to talk to you afterwards.

So in our case, I was not really familiar with Cloud Analyzer, quite frankly. I had ignored most of the things from Cellebrite that had come to my email, unfortunately – that was to my [demise]. But Shahaf and his team over in Israel had been working really hard on this product to bring to law enforcement to help solve these problems. I had just missed it. Luckily, I was able to get it on the case that I’m going to talk about, but Shahaf is going to take a couple of minutes here, and explain to us how he’s helping to address these issues in the law enforcement community.


Shahaf: Yes, thanks. Thank you, Jim. So by now, listening to what Jim said, we probably understand why cloud is so important for the investigation itself, and we also understand what would be the legal process to go and pull out information from the cloud. Now, we also understand the challenges with the kind of approaches that law enforcement are taking to go into the cloud, whether it is relying on username and password, which are not always available, or whether going in to the cloud provider and asking for the information, as you probably experience it daily, it takes time. You don’t always get all the information. And there is a big question – what do you do if you need to approach more than one cloud provider? How do you eventually analyze all this information?

So we here at Cellebrite that originally came from the mobile forensics space, thought what we can do. And one of the things that played to our end is an interesting statistic, that is all around the world, but specifically in the US, which means that about 87 or 89% of the people that are using social media and other cloud providers are doing it from the mobile phone. And then we thought about it, “Hey, mobile phones, we probably know something about those fellows. Maybe we can do something with that.” And we came up with a solution that actually leveraged the mobile phone in going out into the cloud.

So the solution is called UFED Cloud Analyzer, and it has been available on the market for the last year. And it provides you with four main core values. The first one is the instant access to the information in the cloud, with the username and password or without the username and password, and I will explain in a second how it works. Obviously, all working under the relevant legal authority, as Jim just explained. But from your point of view and from the point of view of the investigation, it’s about getting the data that can eventually be actually used to further investigate the person or to press charges, as opposed to getting it after you already press charges, and then this evidence is probably not as useful as it could be.

The second point is – again, we are talking about forensics, and we want to make sure that the entire process of collecting information from the cloud is done in a forensic manner. So Cloud Analyzer is doing just that, and by using Cloud Analyzer, we make sure that the data is pulled from the cloud in what we call a read-only interface. So nothing is changed in the cloud, and all the information is collected in such a manner that you can eventually stand behind this evidence in a court.

The third point is, as I mentioned, you probably need to work with more than one data source. So statistics show that usually people around the world are using between five to six social media or messaging applications, not to mention obviously looking into cloud storage services. So when you try to analyze all this information, you need something that eventually will make sense and will help you do it easily. And with Cloud Analyzer, we actually unify the information coming from the different data sources. So from your perspective, whether there is a message from Facebook or there is a message from Instagram or there is a message from Gmail, everything looks the same, and everything is aligned to the same analysis methodology, that you can apply on the information, and then getting to the evidence and to the right insights is just much easier.

And last but not least is the fact that like every forensic tool or every tool that you have, it needs to have a next step. And cloud is part of an ecosystem, an ecosystem that contains other digital data like mobile, like PC, and eventually when you collect information from the cloud, you obviously want to share it with others within the force, whether it would be the investigators, whether it will eventually go into the legal department. So like our other solution, Cloud Analyzer gives you the ability to share that information, either as [human-readable] format like PDF, or you can take it into other applications that can process information, such as our UFED Link Analysis that eventually can process information from the cloud and from the mobile and from operator data, and then you have one set of [views] to look into all the information, providing you with all the information relevant to solving the case. So it’s about instantly accessing the data, forensic preservation of that data, and the ability to unify the information and then afterwards share that information.

The way that we bring this magic to life is done in a couple of manners. And we will see that later in the demo, but I would like to restate them now. The first method is using username and password. So you get username and password from the suspect or from the victim or from the eyewitness. Let’s say that you do have access to that. You just type it into the user interface of Cloud Analyzer, and then everything is pulled out for you in a forensic manner. So in a sense, we are streamlining the process of collection of data, and just recently, I read an article about one of the [courts] – I don’t remember in which jurisdiction in which state in the US – that actually ruled out a piece of evidence because of a screenshot, a screenshot of a Facebook page. Just because it was a screenshot, and they didn’t think that [this evidence] is strong enough. So with Cloud Analyzer we make sure that we pull out all the data for you in a forensic manner and we take all the relevant metadata that eventually allows you to substantiate this evidence in court.

So this is the first option, but this is not the real magic. Real magic is coming from what is called the cloud keys from mobile devices, and the easiest way to explain that is for you to think about your mobile device – if you go into your mobile device and you click on your Instagram application, it automatically opens up. How come Instagram is automatically pulling out information from Instagram? I didn’t do anything. Well, I did do something. I did do something at the beginning when I called the application and used it the first time – I typed in the username and password. Now, the username and password are not stored in the device, but what is stored is a key. A key to the cloud. And every time that you are clicking on the Instagram application or the Facebook application or the Gmail application, this key is being used by the application to go into the cloud, authenticate your session, and then pull out information from the cloud for you.

Today, when you or your forensic lab does the extraction of the phone, those keys are already part of that extraction, and what we added with Cloud Analyzer is the ability to decode those keys from the forensic phone extraction, and actually use them in order to go into the cloud and pull out information from the cloud. And we will see it very shortly in the demo, but with that being said, let’s see how Jim actually used it for his benefit, to solve one of the crimes in his jurisdiction. So Jim, back to you.

Jim: Right. Thanks, Shahaf. So I want to talk about one of the cases that I was personally involved in. This was my introduction to Cloud Analyzer. Since this case, we have used this product several different times. One time in a robbery, where the bad guy had dropped the phone, broke the screen, PA was able to get around the passcode lock and non-functional screen, Cloud Analyzer was able to get location data, and we were able to figure out where this robbery suspect had been just prior to the robbery. So this is just one of the instances. There’s plenty of times that we can use this. It’s really been a blessing for us. So in this particular case… and I’m going to be not very detailed, some of this is still going through the court process. But I believe everything that I’m going to be giving here isn’t going to be detrimental to our case.

So in late 2015, we had a 12-year-old victim disclose some ongoing sexual abuse by a male suspect who had been coming to her home and sexually assaulting her on several occasions. So as our initial investigation into this individual starts wrapping up, we realize that we’ve got a whole bunch of other victims besides just this 12-year-old girl who had originally come forward. Fortunately for us, one of the investigators on this case had talked to the suspect very early on, and during that meeting, had seized this gentleman’s phone. As a good detective does, first thing he did was put that phone into airplane mode, which ends up helping us down the road, but nonetheless is very beneficial.

So we ended up doing a search warrant on this suspect’s home, we find a home PC. On that home PC, we find that this gentleman is running Bluestacks, which is an Android device simulator, allows the person to sit in front of his computer and act like he’s on a phone and send it out. For anybody that’s done a Bluestacks investigation, as far as forensics, god bless you, because it’s not fun. But in the process of looking at this gentleman’s computer, we find that shortly after the detective had released him – because we didn’t quite have enough to arrest him at that point – the first thing he did when he got home is went into the Android device manager and tried to remotely wipe that Android phone. So we know that the people are out there, we know that they know how to use these remote portals to get in and start erasing their data, and this is just a prime example of that person trying to do that to the investigator, and the investigator doing just like he should have.

So the way that this case ended up coming to light for us, at least with Cloud Analyzer – when we had that phone, we wrote our traditional device warrant, like we always have. The phone was in our custody, the judge had no problem with it, we threw it into Physical Analyzer, got the data that we were looking for, at least some of it. This gentleman had a habit of deleting a lot of information, so there was some of it that didn’t get caught, only because he had simply deleted it. But we were able to get a lot of information. Specifically, we were able to identify about six cloud accounts. So from the Physical Analyzer extraction, we ended up writing an additional warrant to those service providers. So this is the methodology we had used for years when we were dealing with phones and cloud storage.

So we had one big warrant to six different cloud providers, looking for some information. So at this point, I start digging around with these cloud accounts, and that’s when I ran into Cloud Analyzer, and I thought, “Well, maybe this is something that I could use. I don’t know.” The way that I ran into this was kind of funny, because there was just a new little button on the Tools bar in Physical Analyzer that allowed me to collect user profiles. I had no idea what that was, but it looked really cool, so I pulled that down, did a little bit of research, and found that it was associated with this Cloud Analyzer. So through some communication with Cellebrite, they were nice enough to give us a demo license and some great instructions on how this whole thing works, and I went ahead and started the process.

So as I was confronted with this, I was a little concerned because I had never written a search warrant, didn’t even know if I was on good legal ground for getting into this cloud storage information. I couldn’t find any case law, and there was just really nothing. But I was really fortunate, because we’d already written the search warrant for the phone, so that information was secured with another warrant. And we’d already written the search warrant for those cloud provider records, so I knew that if my warrant got quashed somehow, then we would still have something to fall back on. So I thought, “Well, this might be a good chance to try this out.”

So I went ahead and talked to our prosecutor, we developed those search warrant templates that I showed you, and I went ahead and authored one of those. We took it to the judge, quite frankly not expecting… really not knowing what was going to happen. And the judge signed off on it, really with no issues at all, very little explanation. He really understood what was being done there.

So in this particular case, we were able to use the credentials from the phone… this guy wasn’t talking to us. He’s already tried to wipe the phone. He’s already told us that he’s not going to be real cooperative with the investigation. So that account package information was just critical to us. And I was able to use that account package information, put it into Cloud Analyzer, got all ready to go, and fired it off.

One of the things about this case is when we started doing our investigation, we only had one call at this victim’s house, and it was a prowler call. The neighbor had called – we’ve all heard the prowler call before – the neighbor had called, “Somebody’s on the front porch at my neighbor’s house, I don’t think they’re supposed to be there.” We send out a [marked] unit, by the time that the police officer shows up, there’s nobody there, and they clear the scene. Don’t have anything to associate the suspect with the call at that point.

So that was something that I had that was a specific date and time, so I thought, “Well, that’s where I’m going to start.” So I pulled information from this gentleman’s Google account, specifically I pulled his Google location data. Didn’t know much about it at the time, but I pulled it and I started looking for that date and time. And I was absolutely astonished at what I found. Not only did I find that this gentleman’s handset was around the victim’s home at the time of this prowler call, I could see where this handset was just prior to, and then after the prowler call. So I can tell you basically how he got there, I can give you an idea of how long he was at the victim’s home in relation to when the 911 call comes in, and it looks like our guys missed this guy by two minutes, assuming that all those dates and times are correct.

So that was pretty good information for me. I got about a year’s worth of this gentleman’s location information, and it took me about 30 minutes, which is pretty phenomenal, considering this is about a week into our investigation, and we’d already had a warrant out from Google and haven’t heard anything back from them yet.

So we started looking into this location data a little bit more, and as I’m going through there I was able to establish that that handset was around that victim’s home and the pattern of activity that the victim had described was very much supported by the handset records that we got from the Google location information.

Shortly thereafter, we get a call from Google. Believe it or not, we actually got to talk to a real person at Google, and they asked us, “Well, what seven days do you guys want for this location information?” And like I said earlier, this case is multiple victims over a very long period of time, so we weren’t very happy with having seven days’ worth. And after that brief discussion about search warrants, they said that they’ll see what they can do. About a month and a half later we got a response from Google, which included four months of location information, that’s it. We had a year with Cloud Analyzer, but only got four months back from Google.

So using that information from Google, I was able to confirm some of the victim’s statements. Within a day of the collection, I was able to present that to the prosecutor, had our probable cause, got our warrant, and had our sex assault suspect in custody – something that we wouldn’t have had necessarily. The prosecutor would have not necessarily had the comfort of, had they not had that supporting information so quickly in our hands. We were able to get this person off the streets rather quickly.

So here’s an example of some location information when it’s pulled into Cloud Analyzer. This is not location information – and full disclosure – this is actually a handset, my test handset as I was validating the process later. But this is my location information. So I looked at this in my case, and I thought, “Man, there’s a whole bunch of points here. How do I get into this?” And I learned that there’s a Points of Interest tab. There’s a little thing that you can pick about creating these points of interest. So if the person has been at a certain location a certain number of times for a certain length of time – and this is all stuff you can adjust in the program, it’s pretty cool. So I tried it out.

In this particular example, there’s three points of interest in my location information for my test phone. And this doesn’t say much for me, but there’s the three points you can see at the bottom left of the screen – that’s where my office is, and at the top is where my home is. So one of the points of interest is the home. And everybody asks, “Well, Jim, what’s the other one?” Well, that’s Wal-Mart – because apparently, I don’t have much of a life. I live at my house, Wal-Mart, and at the office. But nonetheless, that information was very critical when it came to comparing to our victim.

One of the things that I was concerned about when I looked at Cloud Analyzer is: You know, this sounds really neat, and I’m sure that Cellebrite is going to tell me all this neat stuff and all the good stuff that it does, but how do I really know that it’s true? So out of an abundance of caution – one of the reasons that you saw those test images there is how do I tell the prosecutor with any confidence that what I am getting is actually truthful information?

So when I got this location information back from Google I compared it. What you see on the left hand side of the screen is some of the information that we collected from Cloud Analyzer on an incident, and then we compared that to the official records that we got from Google in response to our request. The red boxes there are just a small portion, just to give you an idea that you can see that the information that Google has, that official third party record, is consistent with what we got out of Cloud Analyzer. Now, keep in mind, Cloud Analyzer I got in about 30 minutes; Google took over a month and a half to get that information. So without this product, we would have potentially had our suspect on the street, potentially victimizing additional people while we were waiting for Google to respond to our warrant.

With that, I think Shahaf, you’re going to do a demonstration for everybody on Cloud Analyzer, and I’ll turn it over to you.

Shahaf: Thank you, Jim. And let me just see that I can share my screen with everyone. Okay, awesome. I hope you can see my screen now. If it’s not come on, please let me know.

Jim, thank you for all this [unclear]. As a product person, you [unclear] have some things in mind when you build the product, and some [use cases] in mind, and it’s always very exciting to hear someone who’s actually using it and solving cases with that, and this is [unclear] [your dreams are] coming into life. Thank you very much for sharing this exciting use case.

What I would like to do – I would like to briefly take you through the product demo. And I would also like to leave some time to answer some of the questions. So we will do it very quickly, and just for you to know, we are conducting a weekly product demo session, and you can register to that from our website. [So if what] I am presenting now will not be enough, and probably it will not be enough, you are welcome to join one of our product demos and see the entire [unclear].

So [unclear] begin with, as Jim mentioned, it all starts from the mobile device, and this is an extraction of [something S], the Galaxy S4, that I did in my office. You can see all the different information that is available over the phone, but one of the things that is available, as we mentioned, are the cloud keys. And you can see here the list of cloud keys that we found at Dropbox, at Facebook, at Gmail, at [unclear], [unclear], and all we need to do is basically to export this information into a container we call the [canon] package, and just save this [canon] package to the hard drive, and soon we will be able to use it.

So let’s move into Cloud Analyzer, and I start a new person investigation. Let’s say, for the sake of this discussion, I want to extract information from a cloud account. So let’s type in some information about cloud [unclear]. You have the case number, you have the examiner name – that would be me – or it would [unclear], and this is the examiner ID, and I will create a new extraction.

The first step, which is not compulsory, but as you probably know, is very relevant, is providing the legal authority that you have to go and access the information in the cloud. Again, we cannot force you to do it, but we understand that it is part of your process, so we want to enable you to do it up front, and everything that you will put over here eventually will go into the report, and you can show the entire forensic process that you did, starting from the legal authority.

So let’s say that I have a search warrant and this is the number of the search warrant. I can also attach the search warrant to this extraction, so eventually I will add everything available. The next step is to define what kind of data sources I would like to extract from, and as I mentioned, we have two options – either to manually add the username and password [unclear] that I want to extract information from iCloud. Let me add the username and password of [Claudio Bright]. And I [make that], and this is [unclear]. So this is the first option. And the second option is to take the keys from the mobile device, and add them into the list of extracted data sources. So here I can see the list of cloud data sources that this user had, and [unclear] that I want to get Facebook, let’s say that I want to get Google, location, and Instagram.

The next step would be to validate those [login] information. So at this point Cloud Analyzer actually goes into the cloud and tries to validate that information. I will just mention at this point of time that when we are taking login information from the mobile device, we are actually mimicking the device. From the point of view of the provider it looks like a [unclear] device was trying to access the information. This has many merits; I will not go through them now, but if you will join our demo session, you will be able to learn more about that.

And the last thing, before I can begin the [unclear] is actually to define extraction criteria. Two main reasons. The first one is, again, to help you to [unclear] mention that you need to come up with a reasonable date range that probably the judge will allow you to do so. So let’s say, for the sake of this extraction, [unclear] allowed me to extract everything from the beginning of 2016. So I can add that over here. And the second reason for this [state] is to allow you to do a quick cloud extraction. In some of the cases we have seen people taking Cloud Analyzer into the field and actually doing extraction of cloud information in the field because the legal authority they have complied with that, or even if you are in the lab and you don’t have the entire day to extract the entire 50 GB of Dropbox files, you can either select specific dates, select specific content, or even select specific files within Dropbox that you would like to extract.

So I’m clicking the Extraction button, information is starting to be downloaded into my PC. Again, we are doing this in a forensic manner, making sure that both the evidence in the cloud is not changed, but also, we are making sure that every piece of [evidence] that we’ve collected is forensically preserved, and is locked, and eventually for every element we can tell you whether it was changed after the extraction or not. So the entire forensic process is [unclear].

And now you can start looking into that information. So we have different views for that. You saw the Map view that Jim showed you, and here’s the Timeline view. It actually allows you to look into all the information and unify all the information from different data sources. So as I mentioned, if we go into Facebook, we go into iCloud, we go into Instagram, all is available all together in the same look and feel, and I can apply the same user interface for that.

The last portion is obviously to generate a report. And you can generate a PDF report or you can generate something that you can take into other analysis solutions such as our Link Analysis. So this is like a machine-readable format. And when looking into the report itself, you can see two sections, and I do want to stress that before we finish the demo and go back into the questions, the first part is the entire workflow or the traceability of what you have been doing. So what is the case, who did the extraction, at what time, [unclear], what kind of data sources are extracted, what is the extraction criteria that I defined. Even we go back into the mobile device itself, assuming that we rely on information from the mobile device [and say] this is the mobile device that was used. Again, to provide you with the full traceability and the confidence to show a court what you have been doing.

And obviously the second –

Seth: Yeah, thank you, Jim and Shahaf. Thanks for a great presentation. We are now taking questions on today’s webinar. I’d like to remind and encourage everyone to submit questions at any time by typing into the space provided on your screen. All questions that are not discussed in the Q&A segment here will be answered by representatives of Cellebrite at a later time.

So the first question here before me is: If the phone examination at our lab does not collect this cloud data you talk about how does Cloud Analyzer get it? I guess that question’s for you, Shahaf?

Shahaf: Yes. So as you notice there, there are two options for that. First of all, if you know the username and password, you [can obviously rely] on the username and password to go and access the cloud. And this is the option in case you know that there is no login information available on the mobile device. However, if actually it’s about a matter of a process, [unclear], most of the phones today have cloud accounts on them. So it’s just about asking for that information from the examiner, so to ask them to extract the account package. And if they are not the one that is going to do the cloud collection and pull out information from the cloud, probably you can take the lead on that and pull out that information, again, if it makes sense with the process itself.

Seth: Okay, great. Thanks, Shahaf. Question number two is: Is Cloud Analyzer another tool that will be in our computer lab or is it meant to be used by the actual investigators?

Shahaf: So yeah, I think I pretty much touched upon that in the first question. Again, it’s all a matter of decision and whether you would like your forensic lab to do that or whether you would like investigators to do that themselves. Initially we focused around the lab itself, for them to do the extraction from the cloud [unclear] forensic process. However, we’ve seen different agencies where the investigators are also doing it, because it’s very simple to use and access. But one of the things that is important, regardless of whether the investigators or whether the examiners are doing it, is call the investigator to ask for this information. So if the investigator essentially [stated] part of the phone examination that they give to the lab, that they also want all the information from the cloud or at least the ability to go into the cloud, this eventually enables them to either do it themselves or get that information.

Seth: Yeah, absolutely. Question number three is: What is the benefit of using the account credentials from the handset over just using the username and password for the account? Isn’t that the same thing?

Shahaf: This is a really great question, and thank you to whoever raised that question. The main differences are accessibility to the information, forensically [sound], and more covert operation – and I will explain. As I told you… [or let’s start differently].

First of all, you know that [the password] are not always available. You cannot always get them from the suspect, and if you have something on the phone and you don’t need to rely on the suspect, it gives you accessibility to the information in the cloud. So this is the first step.

The second step – as I told you, we are actually mimicking the phone itself when relying on login information from the mobile device. What happens is that by mimicking the login information from the mobile device, we are actually bypassing some of the security mechanism applied by Google and Facebook, such as two-factor authentication. And for those of you that are not familiar with two-factor authentication, it actually means that when you login into Facebook, you get a text message, with a PIN code that you need to provide in order to connect. But when you are mimicking the phone itself, you don’t need to do it. Think about it, when you click on your Instagram application it doesn’t ask you for the [second factor of authentication].

This means the ability to go and pull out information from the cloud even when two-factor authentication is applied. So this is access to the information.

The second point, with respect to a more forensic process – eventually this information from the mobile device of the user. And by relying on the login information from the mobile device of the user, and going into the cloud, you’re actually tying the information in the cloud to the mobile device, and eventually to the subject itself.

So this is the second reason. The third one is related to covert operation or [unclear] or making the process more covert. Every access to cloud is logged in Facebook and in Google. Now, there is a difference between if the suspect will look into that and see that the phone is trying to access that with login information from the mobile device, versus a username and password where we are unable to simulate the exact device of the suspect, but we are generating a generic device. So it’s about [accessibility] to data, more forensically sound data, and eventually a more covert operation.

Seth: Great, thanks. Here’s another question, and it’s going back to that case. Can you explain again what you would gain from the authorized remote collections versus what you would gain from the warrant for the six cloud accounts. And I believe that this one goes to Jim.

Jim: Yeah, sure. The biggest contribution to that is that you’re getting this information quickly and that it’s actually still actionable. So like I explained in our case, there was a month and a half delay in getting information from the cloud provider. By having Cloud Analyzer we were able to have that within an hour. We had that information in our hands, and the detectives were able to run with it.

Obviously, if you don’t have the information before you walk into an interview room, you can’t really have a good discussion with your bad guy. The idea here is to get that information as quickly as possible, so when these individuals are being interviewed, we’re streamlining the process and we’re getting down to the information that’s really relevant.

Shahaf: And if I may add over here and… Jim’s… one of the things that is very important to understand that there is a difference between the information available on the mobile device and the cloud. And while, for example, you have Facebook on the mobile device, the information is not the same. So if from the mobile device, for example, you can take the contacts or the chat messages, the posts, the comments, the likes are not available in the mobile, they are in the cloud. The same goes for the service that you’ve seen, the location information services, the [unclear] in this case, and this kind of information is not [stored] on the mobile device. There are plenty of location information on the mobile device, but this specific [store] is all available in the cloud. So you need to reach out to that information to complete the information that is already available for you from the mobile device.

Seth: Okay, great, thanks. Here’s another question, I think in a general sense pertaining to that case. Is this only relevant if the suspect has location services turned on? That might be for either of you. Jim, would that apply?

Jim: Yeah, I’ll go ahead and take it. So one thing to keep in mind is we’re not hacking into people’s accounts or getting information that’s really not already available on the handset. I think we all know that location information, especially when it comes to Google, you’ve got some [challenge] screens that come up before that’s enabled on the phone. Most of the people just click through it, yes. But nonetheless, that user has given permission for Google to collect that information. That information is readily available through the handset by the user. So the user would easily be able to access this same type of information, a little bit of a different format because it’s being presented to them on a handset, but nonetheless, we’re not collecting anything that they haven’t already given that third party to have possession of.

Seth: Okay, great. Thanks. And I think that this may be our last question, due to time constraints. But the rest of the questions will be answered by the team offline. But here is the last question: Can the keys or security tokens be exported for use to perform the cloud extraction after the mobile device is returned to the evidence locker or property room?

Shahaf: Yes, definitely they can be used after that. This obviously is a forensic tool that is taking a snapshot of the current information in the cloud, but yes, you can use it afterwards. One of the things that you should consider is that those keys – or some of those keys – have expiration times.

So in some cases, it can be two months, in some cases it can be six months, sometimes they don’t expire at all. And I just today had a case like that from one of the customers, that unfortunately some of the data sources [unclear] because there was a huge delay between the mobile extraction and the cloud extraction, some of the data sources were not accessible any more. So in terms of process and thinking about what you should do, probably you would like to try the cloud extraction as close as possible to the mobile extraction as well.

Seth: Okay, great, thanks. And that concludes our webinar for today. Thank you, everyone, for attending today’s webinar. And a special thank you to our exceptional speakers, Jim KempVanEe and Shahaf Rozanski, and to our sponsor Cellebrite. Look out for an email with a link to access this webinar on demand within the next couple of days. Have a great day, everyone.

End of Transcript