Revolutionizing Mobile Data Collection: Streamline Investigations With Cellebrite Inseyets

Michelle: Hi, everyone, and thank you so much for joining today’s webinar, Revolutionizing Mobile Data Collection: Streamline Investigations with Cellebrite Inseyets. I’m Michelle Durenberger, and I’m the field marketing manager here with Cellebrite Enterprise Solutions. Before we get started, there are a few notes that we’d like to review. We are recording the webinar today and will share an on demand version after the webinar is complete. If you have any questions, please remember to submit them in the questions window, and we will answer them in our Q&A section. If we do not get to your question, we will follow up with you after: don’t worry. Now, I’d like to introduce you to our speaker today, Paul Murphy.

Paul enjoys the challenges and ever evolving nature of digital forensics, especially when it comes to mobile phones. He previously spent nearly 30 years in law enforcement, with the last fourteen years as a digital forensic investigator in the world of counterterrorism, where he worked on a number of high profile cases. He joined Cellebrite three years ago and now works as a solutions engineer bringing his knowledge and experience to assist customers on a day to day basis. Paul resides in Manchester in the North of England, where he enjoys mountain biking and watching one of Manchester’s two famous teams: is he a red or a blue? Thank you for joining us today, Paul. If you’re ready, I’ll hand it over to you so we can get started.

Paul: Thank you, Michelle. And welcome everyone to this webinar. So what we’re going to look at today is Inseyets for Enterprise. What is it, and how can it benefit you? So Inseyets for Enterprise is combined of a number of products, which is going to enable you to access data, extract data, decode data and at the end produce your evidence. And all this has come about because the world of digital investigations changes on a day to day basis. People now communicate on many different platforms, use social media more than ever before. And this requires you to change your approach to the way you’re gathering data.

So, what actually is the Inseyets Solution? Well, it’s made up of a number of products. Some of them you may be familiar with, and some of them you may not be. So, first of all, we’ve got UFED. UFED is a longstanding product and is used for the logical extractions, advanced logical extractions from smartphones, feature phones, and SIM cards.

Combine that with Mobile Elite, which allows access to file system extractions from all the modern smartphones. Combined together, this gives you access to devices and data previously unreachable, and enables you to extract the full file system, including data from containerized applications. Talking about things like Telegram, Signal, WeChat, these type of communication platforms. We’ve also got a new version of Physical Analyzer called Inseyets Physical Analyzer, and this is going to enable you to process, decode and analyze your data from the broadest range of apps and data sources.




It will enable you to get immediate insights into key information, such as most visited locations, top five messaging parties, the last ten searches conducted. Also uses AI for media classifications, which enables you to quickly identify relevant media. And also a really useful feature of Inseyets PA is it enables you to process the data only once and reopen cases in seconds as many times as you want. You can save space by exporting cases. Gives you the ability to import them at a later date if you want to review them. More importantly, it also allows you to dive into the hex view or leverage the database viewer or the directory browser. The capabilities of Inseyets’s Physical Analyzer just go on and on and are being developed on a daily basis.

Added into Physical Analyzer is an option to add in Legalview. This would enable you to create the relevant formats of eDiscovery load file and RSMF. These are useful for RelativityOne platforms. Now built into Inseyets PA, we’ve got UFED Cloud, and this enables you to extract, preserve, analyze cloud data using device based tokens, or known user credentials (if you’ve got them), and give you access to valuable data that is not usually stored on the device.

So let’s just look at some of the different types of data that you’re going to be getting. We’ve got on the left hand side there, we’ve got logical extractions and on the right hand side, we’ve got the advanced extractions. This is full file system extractions. And as you can see from there, there’s substantially more data. This is a full file system level. And this gives you stuff like activity sensor data, application usage, application usage logs, the applications themselves, gives you access to the databases within the applications, gives you access to locations, email, device activity, the list goes on. All the data is there using Cellebrite Inseyets full file system extractions.

So let’s just have a look at an average workflow when you’re using Inseyets for Enterprise. It’s made up of a number of components and from the left hand side there you can see we’ve got a mobile phone. We’ve then got a piece of hardware called the TurboAdapter. That’s connected to the software on your workstation called Inseyets UFED. And that, in turn, requires a connection to Cellebrite Enterprise Vault Server, which is a cloud based server where all the resources, mechanisms needed to exploit the device, that’s where they sit.

So, first of all, the user connects the device to the Server Link Adapter. The UFED software identifies the device and makes a request for resources to the Enterprise Vault Server. These are downloaded back to the UFED in an encrypted form where they move to the Turbo Link, which decrypts the resources and exploits the device. Now the number of resources will depend on the exact make/model of phone.

So steps three, four and five may happen two or three times during the initial exploitation of the device. Once you’ve exploited the device, it’s as simple as the user selecting the acquisition type that they want to do. An important point to note here is that there is no exchange of user data between the device and between the Enterprise Vault Server.

So what I’m going to do now is just switch over to a live demo of the product just so that I can show you what the dashboard looks like, and then we can look at a phone that’s actually connected to it and see what type of extractions we can get from it.

So this is now a live running version of Cellebrite Inseyets. And as you can see here at the top of the screen where it says resources were connected to a server, which is providing us access to the resources we require. It’s made up of three main components. So we’ve got here, we’ve got full file system extractions from supported iOS devices. Here we’ve got full file system extractions from supported Android devices. And here, we’ve got UFED, and this is the UFED for PC that you may well have used before. And this is quite a familiar tool to a lot of people has been around for quite a number of years. And you move between the two using this.

So what we’re going to do is we’re going to have a look at an extraction of a device and look at the different features that are built into Inseyets because there’s a number of new features that are built in one of them being quick insights. Another really important one, a really useful one called Streamline, and this enables you to streamline the process from the extraction all the way to decoding and reporting. So it’s as simple as selecting the operating system.

In this case, we’ll go with Android. The workflows are the same. And we’ve now got a choice to make: is it locked or is it unlocked? But what do we mean by unlocked? And unlocked means that the passcode is known or no passcode is set. And locked means that the passcode is unknown. Inseyets for Enterprise comes with the unlocked version of the tool. If you’re interested in the locked version of the tool, if you can speak to us separately, we can discuss options with you. But for now, we’re just looking at the unlocked side of the tool.

So you need to enter a few case details. This is configurable so that you can match it up to your workflows. Follow the simple instructions to prepare the device, and then you’ll see the instructions here. Number one, connect the Turbo Link to the computer. This will turn green when it’s ready. It will then initialize the Turbo Link environment, which simply means that the environment is verifying its connection with the Enterprise Vault Server to get the resources. This will then turn green. And then it will ask you to connect the device.

Once you’ve done that, it takes a few minutes and it gets to this state. And this is now ready for us to make extractions from the device. So what’s been happening in the background? If we look at the progress console bar, we can see here that it’s downloaded a number of resources. And you can see here as a resource there, it’s been downloaded. There’s another one here.

This one takes about three resources to download. And it gets into a state where we can exploit the device. We mentioned earlier a number of other features that are available with Inseyets. One of them being quick insights, which is a new tab that’s been added here. And if we look at that, this is going to give us some really relevant device information before we’ve even done an extraction of the device. And if we look at one or two of the items here, we can see…here, you can see the last SIM cards that were installed in the device.

You can see some information about the IMEI number, the chip set, the make/model of the phone, the battery level. If we look at this page, we can see here the email associated with the device. We can see here a list of different accounts on the device. You can see here, it’s an Android device. We’ve got Samsung account. We’ve got Signal account and various other Facebook accounts in between.

And on this page, we can see (which I think are two really relevant items), we’ve got a list of the Wi-Fi networks that this device has been connected to, but also a list of installed applications. And this is searchable. So you can actually type in the top. If we look for Telegram, you can see that org.telegram is installed on this. Worth checking this before you do an extraction, because if you’re particularly looking for an application, why don’t you just check it’s on the device? Because if it’s not on the device, it’s safe to do the extraction in the first place.

There’s an export option here, which allows you to export it to a PDF. So going back to the device status, we’re now ready to look at the different extraction methods. So if we simply click into that, we’ve got two options: we’ve got streamline and manual. Look at the manual one first because this is what you may be familiar with. And this gives us a number of options. We can do a full file system extraction. We can do a selective file system extraction. If it’s an older device like this one, you can actually do a physical extraction. We’ve also got triage built into this, and this is a first to market full file system scan of mobile devices against a set of criteria and profiles which you create.

Full file system extractions, depending on the amount of data, may take quite a long time. So sometimes it’s worth considering doing a selective file system extraction first. And that means you can actually start working on your data before you’ve done the full file system. You’ve actually got some data to work on at this point. And if we look at what’s included in there, we can see here that I can just pick off the data types that I want to extract quickly. For example, I could just take chat applications, I could take finance, or I could simply take Telegram and WhatsApp and just do an extraction based on those. And that would be fairly quick.

So if we now look at Streamline, Streamline is a new feature that’s been added into Inseyets. What this enables you to do is start the process, the full file system extraction, start it running, and then in the background, it will also create you a case in Inseyets Physical Analyzer. It will decode the case, and it will also create a report for you. And this enables you to almost streamline your workflow process because no longer do you have to sit in front of the machine, waiting for things to happen, clicking buttons.

And it’s as simple as deciding on what type of extraction you want to do. In this case, we look at the full file system extraction, fill in some case details. Do we want a report creating at the same time? So we’ve got a number of options here. We can actually just go with decode and create a case only, but we can also select from a number of different report options there, including UFDR, PDF, HTML, Word, XML, and if you’ve got the Legalview option, you can use a Relativity Short Message Format, the eDiscovery load file as well.

So we’ll just select that one. We can actually move the report to a particular save location using this button here as well. And this is a summary of what we’re going to do before we actually do it. So here we’ve still got an option to change the path of the extraction. This can be set globally at the beginning in the settings, but you’ve still got an option to change it through each individual extraction if you want to. We’re using the Streamline method. We’re doing a full file system extraction and we’re also going to create a UFDR report. So it will be as simple as selecting extract from there.

This will then start the full file system extraction, but it will also call Inseyets PA in the background. There you go, perform full file system and it will start running on that. And if we take a quick look at what’s happening with Physical Analyzer. So this is, for those of you who have not seen it before, the new Inseyets Physical Analyzer. We’ve got a new tab now called pending cases. This is the case that I just created. I created this and it’s now doing a full file system extraction.

So as you can see, Inseyets PA has also turned into a dashboard for your extractions. What about these other ones above it? So we’ve got a number of ones on hold, and these are simply on hold because I’m actually using Inseyets PA to do some work on today, so I don’t want it taking over the processing power. But when I go home in the evening, or on a Friday at the weekends, I can simply click resume all and pause all, and this will queue up the work for me to do. So once I come back to it, these will all be processed and reports generated.

So just moving back to Inseyets PA, you can see here now cases, you have as many cases you want on here, and they open really quickly. The process once stored in database file that takes a few seconds to reopen them. At the beginning, I mentioned about some insights into the data you’re going to get. Here you can see visited locations, last ten calls, messaging parties and media classification. Also mentioned Cloud Analyzer. That’s here, and that’s built in. Everything down this left hand side has got device tokens and enable you need to bypass two factor authentication and on the right hand side, any of these, if you know the user credentials, you can simply enter these and you can gain insights into that cloud data as well.

That’s a quick overview, Michelle, of the Inseyets. Are there any questions that we’ve got so far?

Michelle: Yes, absolutely. Thank you so much for that demo and the overview. I know that it’s great to see the capabilities of our product. So, thank you. Okay, we have had quite a few questions. So, let’s start with this one. Okay: I need to be able to access data from several chat applications, including WhatsApp and Telegram. Is that possible with Inseyets UFED?

Paul: Yes, of course. Inseyets UFED enables you to extract a full file system as we mentioned earlier. Once decoded in Inseyets PA you’ll have access to a lot of data including all the chat applications all the way down to the database structure of them. You’ll also be able to browse through data at a file system level and just validate all the information you’ve got.

Michelle: Great, that’s fantastic to hear. We do have a few more questions. So, let’s see. We normally have access to the pin code for phones we examine, but if we do not, what could we do?

Paul: So on the initial screen I showed you, there was a locked and unlocked option. So Cellebrite Inseyets UFED has an additional option to access data from locked devices, including using supersonic brute force and using what’s called the after first unlock mode. And if you’re interested in this side of the tool, if you contact us directly, we’ll be able to discuss various different options with you.

Michelle: Great. It’s good to see that that’s an opportunity there. Okay. And: does Inseyets UFED support the latest iPhones and operating systems?

Paul: Yes, it does. And for unlocked or known PIN code devices, Inseyets is able to extract a full file system from iPhones ranging from the iPhone 5 (if anyone’s still got one of those) all the way to the iPhone 15 running the latest iOS 17.6.1. Inseyets also supports an unrivaled range of Android devices allowing for full file system extractions of those devices as well.

Michelle: Perfect. Okay, a few more here. Okay: from what I understand, Streamline is automation. What happens to the queued and pending cases when I am not there to process them?

Paul: So Inseyets and Inseyets PA is acting as a dashboard now, and it enables you to maximize the efficiency through the automation, which is Streamline, which is what’s built into Inseyets. The simplification of the entire examination process. That’s from device extraction to reporting, just a few simple clicks. So when you’ve gone home in the evening or the weekend, Streamline will continue to work, processing your data into cases and producing your reports ready for when you come back.

Michelle: That is incredible. Definitely a time saver. Okay, I think we have time for one more question. Let’s see. Oh, here we go. Ah! We use RelativityOne Review Platform. Can I create the required file formats directly from Inseyets, and can I also push them directly to RelativityOne?

Paul: Yes, so we mentioned earlier, there’s a Legalview bolt on to Inseyets Physical Analyzer. Using this option, you can create exports in our RSMF format and also eDiscovery load file format. We can also use the Inseyets PA API that’s built in to push these files directly into your RelativityOne instance into the staging platform.

Michelle: Perfect. That is great to hear. And I think that that brings us to time. So, Paul, I just really wanted to say thank you so much for your valuable overview of…into Inseyets. It was so useful to understand the various features available in the platform and how people can use them on a day to day basis.

Paul: You’re welcome, Michelle.

Michelle: Thank you. Unfortunately, we do have to wrap this up. And if we did not get to your questions, please know that we will reach out to you individually after the webinar to answer your questions that we didn’t have time to get to. But Paul, again, thank you so much for a great presentation and remember, for any additional questions or to learn about how you can get started with any of our solutions, please reach out to us at enterprisemarketing@cellebrite.com. And remember to follow us on Twitter, Facebook, and LinkedIn at CellebriteES, that’s Cellebrite Enterprise Solutions. Thank you again, Paul, so much. And thank you all for joining us today. Have a great day. Thank you!
