Remote Working Capabilities For Mobile Computers And Cloud Collections

Colleen: Hello and welcome to today’s webinar, Remote Working Capabilities For Mobile Computers And Cloud Collections. My name is Colleen Nugent and I’m part of the marketing team here at Cellebrite. And I’ll be facilitating today’s webinar. 

Before we get started, I have a couple of housekeeping items to go over. All attendees are muted upon entry into the event. If you have a question, you can ask it any time during the webinar, and we’ll answer them near the end of the presentation. To ask your questions, you can use the Q&A box in your console. Just type out your question and hit submit. This webcast is being recorded and we will share it after the webinar’s over.

Today’s speakers are Shahaf Rozanski, he is the VP of Products at Cellebrite; we have Eric Olson, who is a Solutions Engineer here at Cellebrite; and we have joining us today as well Ashley Hernandez, who’s the Director of Products at BlackBag. Now I’d like to turn things over to Shahaf.

Shahaf: Thanks Colleen. Hi everyone. It’s a pleasure to have everyone on this webinar. I hope on the personal level everyone is fine, and your family’s doing good, and you’re coping with the new situation. And I know on the personal level, [indecipherable]. So I guess that you’ll experience similar things. And it’s not only on the personal level. Like I said, also on the business level, things are very different than what they used to be a month ago. So all of us, due to COVID-19, are under travel restrictions. That means that we cannot go and meet our customers face to face. And most of us are probably working from home, and probably in a small room or in an environment that is not ideal for working, but we still need to continue to operate. And we still need to continue to operate in high productivity, especially in these times, and making sure that our business is running, making more business, and continuing to support our customers along the way.

When we are looking maybe deeper into the digital intelligence challenges — and maybe a few words about how Cellebrite looks into digital intelligence. So the way that we are proceeding with digital intelligence is the ability to collect, to store, and to gain insights out of digital data. And then these times definitely require some new challenges in digital intelligence. If you are, for example, service providers, or a law firm, you now need to collect a custodian, or your customers, without their traveling. So how do you get to the office? How do you do the collection from a computer or mobile devices without actually physically meeting your customers? Once you do the collection, how do you analyze the information? Some of you might try and send all the data to a central repository at your lab, but now how do you access this lab? How do you continue to do the analysis and the information, either for a corporate investigation, for instance responsible for litigation? 

And last but not least, you know, in some of the cases you might need to ship some of the equipment, whether it be licenses, whether it be actual equipment. Specifically in this time, this is becoming more challenging and has some higher costs. So how do you address that? 

And on the other hand, if you’re a corporate, you still want to continue to do a litigation, to be able to address compliance, and to do investigations while still working from home. And also similar to the service providers and law firms, you probably now have more employees that are outside of your reach, working from home as well. So how do you do those collections without the solving, and how do you continue to do the analysis?

Last but not least, another segment of our customers that’s probably joined this webinar are the academic institutes. And for you, you want to continue business as usual. For you, business as usual means that you continue to provide your forensic or your other curriculum. And you want to be sure that your students can continue to have access to a different equipment that is needed to teach forensics for when you have a curriculum that might be using our equipment. And so definitely different challenges. 

Ashley, do you have anything [indecipherable] what you’re saying?

Ashley: Yeah, another challenge, kind of to build off of what you have here, is with employees being remote and not on the corporate network. There are certain challenges to getting data from them, whether that’s that they’re not easily able to be reached across through the corporate network, because now they’re on their own home network and that might be slower or more difficult to get the data across that way. There were ways to do that by sending people drives, but people now may not want to be going out to do shipping, or not have enough devices that they can use to send out to do that type of collection. So we’re also seeing just the fact that they’re not on their corporate network is causing challenges for folks.

Shahaf: Absolutely. And so definitely not an easy time both from the personal level, but also in the business level. So we will try to use the rest of the time that we have together to share with you how we at Cellebrite believe that we can help you. And then we’ll talk about remote connections and solutions and whether it is for mobile, for computer, for cloud.

We’ll talk about the ability to continue the analysis of information while you are at home, and not in your lab. And how about the continued working and studying from home? We will touch upon that, how it is possible. And last but not least, I think some of us already realized that this is a really good opportunity for us to learn more and to use some of the time that we might have [indecipherable] to learn more, to gain more, to sharpen our skills, you know, to educate our customers. We can use skills and information that we gain. We’ll look at what kind of options we’ll have as part of that.

So with that being said, let’s jump into the ability to do remote collections, and Eric we’ll start with you.

Eric: Great, thank you Shahaf. So let’s first talk about our remote extraction capabilities for mobile. Now Cellebrite has been working on a licensing model that we call detached licenses prior to this whole COVID-19 pandemic. But now that this is the current landscape, it’s the perfect time to explore and open this up to our customers.

Essentially what we do here with our detachable licenses for UFED 4PC is move away from a dongle model for these licenses and actually move them into a Windows utility that houses the licenses. So I can have my headquarters, or my licensing machine, in a lab in New York that houses my detachable licenses, and then as needed, I can check out licenses from my pool to perform an extraction.

So if I have a collection that I need to perform in Chicago, I can check out a license. I could send it to an examiner out in Chicago to license his machine, perform the collection with UFED 4PC. And then, you know, FTP that data back to the lab, or if that examiner has a Physical Analyzer license, they can analyze it on site there. 

There’s another sort of workflow that we’re working out with some of our customers, where they’re actually installing UFED 4PC on a trusted IT resource or custodian’s machine on the other end, transferring a license to that custodian, and then remoting in and actually walking the custodian through performing the extraction. There’s some caveats to consider here. This is just a UFED 4PC detachable license, so right now, no detached Physical Analyzer or Analytics licenses. So it’s just for collections. And the other limitation is it’s only one transfer per license per day. So we wouldn’t be able to perform a collection in the UK, move it to New York City in the same day, then to California, to do three in a row. But the idea here is that, while we’re limited in the travel that we can do and the face to face contact that we can have with custodians or customers, we still have the ability to collect data and feed it into our downstream tools.

And with that, I’ll show you the interface of the tool here. It’s really simple. It’s just a Windows utility. We see on the left pane, my admin management tool, that’s what houses my licenses. I could set the amount of time that I want to check one out for. And then I provide that to my client utility. So we’re generating a really small license file, so I can transfer that over email, over the network, I can put it on a thumb drive and hand it off to someone. It’s a very small process. 

And the idea here is that you can respond to events instantly, or within a matter of minutes, rather than shipping a dongle or shipping an examiner around the country or around the world. And with that, I’ll go ahead and pass it back to Shahaf, to talk about our cloud collection solutions.

Shahaf: Thanks, Eric. Just to comment, in the mobile collection, another piece in the puzzle is to collect information from the cloud. And obviously, Cloud Analyzer is a consent-based solution, meaning that you need to have the username and password to each of the sources that you would like to collect. So in that sense, you will need to get it from the custodian, or from the corporate administrator. And then there are several possibilities, or several types of data, that you can collect. 

First of all, you can collect information from the phone by accessing phone backups. What are phone backups? It can be the iCloud backup that we can collect. It can be the Google backup that we can use and collect information from Android devices. And obviously those two store information such as SMS and MMS and some other important information available on the phone itself. 

And maybe the second category would be the social media like, you know, Facebook, Twitter, Instagram. Obviously, you know, the ability, to collect WhatsApp, Telegram, is also available as part of Cloud Analyzer. 

Soon Ashley’s going to talk about how it looks on the computer side, but cloud storage, where data is being stored on the remote computer or in the cloud… so the ability to access the information from Dropbox and OneDrive. And email services, the well-known ones like Office 365, and also ability to capture a website, like doing a scraping of the website and taking that information and this is usually helpful when you’re having, for example, a blog, or you have a page of a social network that is currently not supported by the product, and you want to quickly copy the information as it was on the website. So this is another powerful tool.

So we’ve been talking about mobile, we’ve been talking about how cloud can [indecipherable] that. Probably the third piece is Ashley with computer data collection.

Ashley: Thank you. So we are focused on this particular spot about gathering information from Mac computers. BlackBag, as part of Cellebrite, has a tool called MacQuisition that typically ships on a physical hard drive that allows you to collect from Mac computers. And part of the challenge that we have right now is shipping is difficult, but also that folks aren’t just on the corporate network to be able to gather data off of those machines. So in order to provide the ability to acquire from these Macs, we are providing a temporary license similar to what you saw above for our MacQuisition software, so that it will run without you needing to ship anything physical to the end person doing the collection. 

We’ll have two options for them, as far as doing the collection. The first is you could send them the software and a key that they’ll type in for a software license and they could do the collection themselves.

So within MacQuisition, we have a few options for doing collection. They could either browse using our interface to locate maybe the user’s directory, if they needed to do that, or some basic filtering like dates and times, and they could self choose which files they want to collect. If you wanted to guide that more, there are preset options for what would be collected. So if you wanted to just ensure that you could send them a simple set of instructions and it wouldn’t be left up to them following and looking for particular items, we do have pre-collected items set up for that to happen. 

But the third option would be for you to send them the software and then to remotely connect to their machine, whether that’s through Mac’s remote access, or screen-sharing services that are built in, or through commercial tools that would allow you to remotely control and drive the collection that way. So either way, whether they’re doing the driving, using the self collecting option, or you’re remotely running the software, those collected files will be forensically preserved into a logical evidence file format, which gathers the data and all the metadata needed for everything from discovery purposes to internal investigation. 

And then you have choices on how to get that data back. Rather than having to wait for it all to be pulled across the internet, you could put them through cloud sharing or email them back.

So those will allow you to complete the collection and get the files you need back, and be able to now move through the rest of the analysis in your workflow. So I think I’m going to hand it back now to Eric to talk about remote desktop access.

Eric: Great. Thank you. So now that we’ve collected this data remotely, the next step is analyzing. And we need to do that remotely as well. So I’m sure a lot of folks on this call, or listening in on this webinar, know remote desktop, RDP access, on Physical Analyzer dongles has been restricted historically. If you started an RDP session with a Physical Analyzer dongle attached, this session wouldn’t pick up that PA license. 

What we’re doing now in this current climate is opening up the restrictions there to allow you to remotely analyze data. So one, it’s for safety, obviously, to allow you to remotely analyze data; you don’t have to go into the lab physically to move your dongle around to a machine, or pull it home and take it with you. And again, a time saver as well. So now instead of having to FTP or pull down an extraction to your local machine so you can analyze it, you can just remote into your forensic workstation in the lab to actually do your mobile analysis.

I know I keep talking about caveats. The caveat here is it’s just for Physical Analyzer. So no RDP access for UFED 4PC or for Analytics. This would still just be for Physical Analyzer, but it’ll allow you to do your analysis remotely. So just reach out to our folks in support or your sales person, and we can talk about getting RDP access on your Physical Analyzer dongle. 

For the folks that are working, and the students that are studying, from home — which is probably the vast majority of us — we are offering a temporary software license. So again if you have a dongle or a license in your lab that you either can’t access or physically can’t get into the lab to pull that down, just reach out to us and let us know. We’re happy to issue a temp license for 30 days. It does require you to have an active Cellebrite license. So this isn’t just… you know, we’re not just giving out free licenses. You do have to have an active license, but we do have software licenses for UFED 4PC, Physical Analyzer, Cloud Analytics. Just let us know what you need, and we’re here to help.

Let’s talk about what you can do to continue your professional growth or to continue your learning in this COVID-19 situation. 

So we do offer a variety of methods of training. Obviously Cellebrite and BlackBag are world-renowned for our in-person training. But we also have our online on demand training and instructor led online training. So don’t let this situation prevent you from continuing your growth. If you’ve been thinking about taking a course this could be the perfect time to do it, to walk out of this situation, or walk out of this quarantine, with another tool in the toolbox or another certification added to your name.

So on the BlackBag side, and on the Cellebrite side, there’s beginner all the way through advanced topics for mobile and computer forensics. And you’ll be better for it in the end. I just talked to a customer where instead of their commute, in the morning and the evening, now they’re just going to use that extra amount of time that they have to log on and do a couple of modules in the on demand course. So it’s definitely a great way to help the time pass instead of watching, you know, the entirety of the Netflix universe.


Shahaf: And if I may also add, in terms of the training, we are also creating some 15-minute learning bursts that you can use, and live events that are taking place, I think several times a week, one of those is run by Heather Mahalik. And so we wanted to share with you as much information as we can during this period again, to up-level your skills to look for that information in social media or on a website where you can get more information. 

So Colleen, do we have a few questions from the crowd?

Colleen: Yeah. So a couple came in, but I also just want to remind everyone to ask your question as you go through a couple of these. You see the question box: type it in and hit submit. 

Here’s one that came in: when working with a detachable license, do I need the remote device to be connected to the internet for either license transfer or normal operation?

Eric: I’ll take this one. You do not. So what you’re doing with this detachable licensed utility is generating a license file. So as long as you can get that license file to the person on the other end. So we mentioned, you know, email or on a thumb drive; as long as you can get that file to that person, they can assign it to their machine. It basically impersonates a dongle, so UFED 4PC just thinks that a dongle is attached. And then you don’t have to be online on the other end, or you don’t have to do it over a remote session. The person on the other end, or the client, can just use UFED 4PC as usual without the internet.

Colleen: Okay, great. Ashley, I think this one is for you. It’s similar to that one, but it says: does this remote collection mode for computers need internet access? 

Ashley: Yes, thanks for the question. And the answer is no, we don’t need access to the internet during the actual connection. You will need to get the software to the remote employee. So it will need to be transferred there in some way. But you don’t need it to be actively connected back to you for the method where you’re doing… running the collection itself. If you want to remote to their machine, you would need internet connection, but you’re not going to be pulling any of that data across the wire. The data is going to stay on the remote machine, and then you can choose to upload it to whatever secure storage place that you have available.

Colleen: Okay, thank you. Here’s another one. What happens if I need to do multiple extractions on the same day using a detachable license for mobile?

Eric: So the best way to do that, to do multiple extractions in a day, I’m assuming like multiple extractions in different locations. You would just need to purchase… have additional licenses in your pool. So as I mentioned, it’s one transfer per license per day, so I could ship a license or send a license, I should say, out to California for a collection, but I won’t be able to use that license again until the next day. But if I had two or three licenses in my pool then I would just assign the next license, you know, license number two, or license number three to a separate machine for an extraction.

Colleen: Great. Thank you. Let’s see. What kind of information can I expect to be collected from a mobile device when doing a cloud collection?

Shahaf: So thank you for your… you can collect them and the backup itself. So if it’s iCloud collection, you can find the SMS, MMS and pictures, and down there, everything that you can find, basically in iTunes backup. With Android it’s pretty much the same: anything that you can find on the Google backup, including text messages and pictures. 

And also, we’ve mentioned [indecipherable] to access specific messaging or chat applications like [indecipherable] to collect the WhatsApp backup, either from iCloud or Google Drive, and the ability to collect information from Telegram. So basically you have most of the leading messaging information available for you through the cloud. And you should also be able to gain access to pictures and other possible information on the mobile device itself, as it was like if you were doing a backup of the device itself. Obviously, you know, our implementation is for you to check it out, see if it makes sense for the kinds of job that you need to do. And then based on that, decide whether cloud extraction in these cases is relevant for you or not.

Colleen: Alright, thank you. Can I get a full disk image with the BlackBag solution?

Ashley: Unfortunately, with the limitations on the software licensing, we do need to run the software live. So when we’re in live mode with MacQuisition, when you’re running it on the system you want to collect from, you’re not able to get a full disc image. For that capability, you would actually have to ship the MacQuisition device so you could run the boot environment to be able to do a full disc image. 

So this is going to be for targeted files. You could target a large amount of the data off of the drive, there’s not a size limit to what you could target there, but it is not going to be a bit-for-bit full disk image like you could get if you had the full MacQuisition device. 

Colleen: Thanks, Ashley. And I have one last question here. How would you recommend to consume the training classes? Is there a preference?

Eric: I mean, my sort of preference or recommendation is: any time that you can interact or have access to a live instructor is going to be the better option. You know, you can talk to someone or ask questions in real time. All of our instructors have vast amounts of experience, both on the public and private sectors. So they’ll give you real world stories and examples of when this might be used. So I think there’s a ton of value in interacting with a live instructor.

But at the same time, it kind of comes down to your own schedule. And if you need to sort of digest a training course in small amounts, like if you just have an hour or two a day that you can jump on and get through some training then the on demand is perfect. So it kind of comes down to your own schedule. But personally, I would recommend the instructor led live online training.

Colleen: Great. Thanks, Eric. I don’t see any other questions right now. If you guys have questions or they weren’t answered for some reason, or they’re not coming through, we will email you individually and provide you with your answers through a separate email. 

So now I’d like to say thank you to everyone for joining us today. A special thank you to our presenters, Shahaf, Ashley and Eric. Once again, the webinar has been recorded, so you will be receiving a copy. And we encourage you guys to follow us on our social media channels, both on LinkedIn and Twitter. And also, we really like your feedback. So please click on the link on your console to take that quick two minute survey. Thanks again. And we look forward to seeing you on our future webinars. Have a great day. 
