Database System Concepts 6th Edition


Cellebrite

Digital intelligence for a safer world

Participant Guide | Core Component 2 - Intermediate

Cellebrite Certified Operator


Cellebrite Certified Operator | Participant Guide

Copyright

This document contains proprietary information belonging to Cellebrite Mobile Synchronization Ltd., and is designed to provide overall information on the company and its activities for restricted viewing and to authorized persons only. No part of this document may be used for any other purpose, disclosed to any person or firm, or reproduced by any means, electronic or mechanical, without the express prior written permission of Cellebrite Mobile Synchronization Ltd.

The information in this document is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted. Product names and brands may be owned by the companies to whom they are attributed. Confidential, not for distribution. © 2013-2017 Cellebrite Inc. All rights reserved. Cellebrite Certified Operator Participant Guide June 2017

Trademarks

UFED Touch, UFED Touch Ultimate, UFED Touch2, UFED Touch2 Ultimate, UFED Touch Logical, UFED 4PC, UFED Physical Analyzer, and UFED Logical Analyzer are trademarks of Cellebrite.

Cellebrite's logo and images, is the exclusive property of Cellebrite and protected by United States and international copyright laws. Other brand names and logos may be trademarks or registered trademarks of others. Background cover photos: Images used under license from Shutterstock.com

Cellebrite USA

Cellebrite Inc.
7 Campus Dr. Suite 210
Parsippany, NJ 07054

Tel: +1 201 848 8552 Fax: +1 201 8489982

Cellebrite Global Training: +1-973 387 1026


CONFIDENTIAL DOCUMENTS: May not be duplicated or disclosed without written consent from Cellebrite Training.

Contents

About Cellebrite
About UFED Series
Cellebrite Support Center
Documentation Conventions

Module 1: Introduction
  Module Introduction
  Module Objectives
  Course Administration
  Core Training and Certification
  Training Tracks
  Instructor Introduction
  Participants
  About Cellebrite
  Cellebrite Platforms and Products
  Research and Development
  Legal
  Conclusion

Module 2: Forensic Handling of Mobile Devices
  Module Introduction
  Legal Considerations
  Technologies
  Hiding Devices
  Personal Safety
  Search Kit - Mobile Device Tools
  Phases of the Forensics Process
  Handling Evidence Process
  Make and Model Identification
  Mobile Device Terminology
  Shielding
  Web Resources
  UFED Phone Detective
  Phone Detective Smartphone Application
  Considerations and Next Steps
  Off State: Data Collection Procedures
  WiFi and Cellular Network Indicators
  On State: Data Collection Procedures
  Passcodes on iOS Devices
  Android Screen Locks
  Pattern Lock
  On State: Home Screen - iPhone
  On State: Settings - iPhone
  Documentation
  Peripherals
  Cloud Storage
  Bag and Tag Mobile Devices
  Transportation and Storage
  Step Action 2.1: Phone Detective
  Conclusion

Module 3: UFED Touch2 and 4PC
  Module Introduction
  Activity: Explore Kit Contents
  UFED Touch2
  UFED Touch2 - Top Screen
  UFED Touch2 - Back Panel
  UFED Touch2 - Left Panel
  UFED Touch2 - Right Panel
  UFED Touch2 - Bottom Panel
  UFED Touch2 - License File
  UFED Touch2 - Get License File
  UFED 4PC Components
  UFED 4PC - License File
  Software Updates
  UFED Firmware - Update Process
  UFED Firmware - Update Version
  Update Date and Time - UFED Touch2
  Update Date and Time - UFED 4PC
  Step Action 3.1: Installation of UFED 4PC
  UFED Touch2/4PC Settings
  Device Tools
  Step Action 3.2: Configuration of UFED Touch2/4PC
  Conclusion

Module 4: Cellebrite Extraction Methodology
  Module Introduction
  Introduction
  Data Extraction Approach
  UFED Touch2 Extractions
  Physical Analyzer Extractions
  Download and Activation
  Step Action 4.1: Installation and Licensing
  Dongle Licensing
  Best Practice for Extractions
  Forensic Sterilization of Media
  Step Action 4.2: Sterilization of Media
  SIM Cards
  SIM Extractions
  SIM PINs and PUKs
  SIM File System Organization
  SIM Extraction Report
  Step Action 4.3: SIM Extractions and Cloning
  SD Cards
  Step Action 4.4: SD Card Extractions
  UFED Extractions
  Extraction Methods
  Extraction Method Options
  Extraction Methods Explained
  Physical Extraction
  Extraction Methods - Physical - Boot Loader
  Bootloaders
  Extraction Methods - Physical - Client
  Clients
  Physical Extraction Summary
  Extraction Connections
  Advanced ADB Extractions
  Step Action 4.5: Physical Extraction
  File System Extraction
  Extraction Methods - File System
  File System Extraction Summary
  Step Action 4.6: File System Extraction
  Extraction Methods - Logical
  Logical Extraction Report
  Step Action 4.7: Logical Extraction
  Step Action 4.8: Passcodes
  UFED Camera Services
  Activity 1: UFED Camera Services
  Activity 2: Advanced Logical Extraction of iOS Devices
  Activity 3: Additional Extractions
  Conclusion

Module 5: Introduction to Analyzing User Data
  Module Introduction
  Configuring Physical Analyzer
  Step Action 5.1: Basic Physical Analyzer Configuration
  Physical Analyzer Capabilities
  Opening a Physical Extraction
  Decoding
  Project Settings
  Physical Analyzer Workspace
  Project Management
  Extraction Summary
  Multiple Extraction Analysis
  Individual Extraction Tabs
  Verify Image Hashes
  Device Info Pane
  The Project Tree
  Opening and Viewing Data
  File System Browser
  Analyzed Data
  Data Files
  Other Functions
  Activity 1: Viewing User Data
  Search Techniques
  Tagging
  Step Action 5.2: Searching, Filtering and Tagging Data
  Conclusion

Module 6: Reporting on Technical Findings
  Module Introduction
  Introduction
  Report Elements
  Report Elements - Establish Credibility
  Report Elements - Identification of Mobile Devices
  Report Elements - Acquisition of Digital Evidence
  Report Elements - Analysis of Digital Evidence
  Report Elements - Summary
  Physical Analyzer Report Capabilities
  Report Formats
  Report Customization
  Report Data - Inclusion or Exclusion
  Additional Fields
  Report Location and Directory
  Step Action 6.1: Generating a Report with Physical Analyzer
  Conclusion

Appendix: Extraction Methods

About Cellebrite

Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry. A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007 with the Universal Forensic Extraction Device (UFED). Its full range of mobile forensic products, UFED Series, enables bit-for-bit extraction and in-depth decoding and analysis of data from thousands of mobile devices. Cellebrite's UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, corporate security and eDiscovery agencies in more than 60 countries. www.ufedseries.com [email protected]

About UFED Series

Cellebrite's UFED Series provides complete solutions for physical, logical and file system extraction of data and passwords from thousands of legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets. UFED Series products also enable advanced physical extraction and decoding capabilities for the world's most popular platforms - BlackBerry, iOS, Android, Nokia and more. The extraction, decoding and analysis of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files, ESN, IMEI, ICCID and IMSI information, and more.

Cellebrite Support Center

See the Cellebrite mobile forensics support center at:

http://www.cellebrite.com/mobile-forensics/support

[Figure: support center sections: Downloads, Technical Inquiry, Video Tutorials, Supported Phones, My.Cellebrite]

Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.

Module 1: Introduction

Module Introduction

Course Objectives

Upon successful completion of this course, the student will be able to:

• Install and configure UFED Touch, UFED Touch 2 or UFED 4PC and Physical Analyzer software.
• Explain the best practices for the on-scene identification, collection, packaging, transporting, examination and storage of digital evidence data and devices.
• Display best practice when conducting cell phone extractions.
• Identify functions used within UFED Touch, UFED Touch 2 or UFED 4PC to perform supported data extractions.
• Exhibit how to open extractions using Physical Analyzer.
• Summarize how to conduct basic searches using Cellebrite Physical Analyzer.
• Outline how to create reports using Cellebrite Physical Analyzer.
• Demonstrate proficiency of the above learning objectives by passing a knowledge test and practical skills assessment with a score of 80% or better.

The Cellebrite Certified Operator (CCO) course is a two-day intermediate level certification program which builds on the concepts from the CMFF course and is designed for those participants who are tasked with extracting data in a forensically sound manner using UFED Touch2 or UFED 4PC.

This course is designed to teach data extraction team members such as technically savvy investigators, digital forensic examiners, IT staff, internal affairs investigators, first responders and personnel designated to handle extraction of digital evidence how to perform extractions on a variety of devices. These extractions include logical, file system and physical extractions from mobile devices as well as SIM cards, and external storage such as SD cards.

Participants in this course will gain a basic understanding of how to open the extractions in Physical Analyzer software, conduct basic searches and how to create tags and reports. Students achieve the CCO certification upon passing a knowledge test and practical skills assessment with a score of 80% or better. The only way to earn this CCO certification is by taking the exam along with an associated course; there is no test out available. The CCO is the first level of certification offered by Cellebrite and is essential for those who will handle and acquire data from mobile devices. As this class is designed to teach this audience, it does not include conducting in-depth analysis of the data. Whereas the Cellebrite Mobile Forensics Fundamentals (CMFF) course was the first requirement, achievement of the CCO certification is also the second requirement to qualify for the Cellebrite Certified Mobile Examiner (CCME) certification exam.

Module Objectives

Upon successful completion of this module, the student will be able to:

• Describe Cellebrite's core training and certification process.
• Recount Cellebrite's accolades and accomplishments.
• Recognize the abilities of Cellebrite Platforms and digital forensic solutions.
• Explain the legal responsibilities of practitioners using Cellebrite products, software, and services.

Course Administration

We will cover the following:

• Schedule
• Cellebrite Learning Center
  * Confirm login and enrollment www.cellebritelearningcenter.com
• Cellebrite Training and Certification Programs
• Introductions
• Participant Guide and Equipment
• Cellebrite Overview

By the end of this module, you will be familiar with the course and Cellebrite as a leading training provider organization, in addition to their industry-recognized role as an extraction device technical company. You will receive an overview of course content and receive introductions to your fellow participants and instructors.

This module covers:

• Schedule
• Using the Cellebrite Learning Center
• Cellebrite Training and Certification Programs
• Introductions
• Participant Guide and Equipment
• Cellebrite overview.

Your instructor will cover the exact schedule and briefly discuss the usage of this Participant Guide and equipment. Please ensure you can log in to www.cellebritelearningcenter.com. Once logged in, you should see this course listed under "My Learning". You will need to return to this page to complete required quizzes and/or exams, as well as see your results and download your certificates.

During this module, you will learn about Cellebrite training courses and certification programs and receive an overview of Cellebrite and its solutions and product lines. The participant guide you received often becomes a valuable reference for students after the course concludes. You are encouraged to take notes within this book and refer back to this training material to refresh your understanding of concepts and extraction methods.

NOTE: Any equipment provided by your instructor must be returned upon completion of this course. Remote learners will receive instructions on how to return equipment which may have been provided to you to complete this course.

Core Training and Certification

[Figure: Core Mobile Forensic Track: 1 Day, 2 Days, 3 Days, Qualified to Take CCME]

The Core Mobile Forensic Track is essential forensics training for law enforcement, military, intelligence and private sector practitioners. Participants will become competent with Cellebrite's industry leading digital forensics tools, how to apply fundamental forensics principles, and practice correct methodologies to accurately analyze and validate extraction results producing evidence that will stand up in court. Cellebrite's core training provides a firm professional foundation and is conducted on the latest UFED Technology. The six days of core curriculum include the following courses:

Cellebrite Mobile Forensic Fundamentals (CMFF) is a one-day entry level program designed for participants to learn about mobile devices, understand the general idea of the forensic process, learn how to seize devices, and review data provided to them by examiners. Participants are introduced to baseline concepts to ensure they gain the prerequisite knowledge to understand issues surrounding the handling of mobile devices as evidence. This class does NOT include conducting extractions. The ideal participants include first responders/investigators and CSI staff tasked with seizing mobile devices for data acquisition. Data extraction team members; technically savvy investigators; digital forensic examiners; IT staff; internal affairs investigators; arresting officers; and evidence technicians. There are no prerequisites to attend this course.

Cellebrite Certified Operator (CCO) is a two-day intermediate level certification program which builds on the concepts from the CMFF course and is designed for those participants who are tasked with extracting data in a forensically sound manner using UFED Touch2 or UFED 4PC. Students will demonstrate how to perform logical, file system and physical extractions from mobile devices, extract data from SIM cards, create forensic SIM clones, and extract data from external storage. Students will also gain a basic understanding in how to open the extractions in Physical Analyzer software, conduct basic searches, create tags and reports. Students will achieve the CCO certification upon passing a knowledge test and practical skills assessment with a score of 80% or better. The only way to earn the CCO certification is by taking the exam along with an associated course; there is no test out available. The ideal participants include data extraction team members; technically savvy investigators; digital forensic examiners; IT staff; internal affairs investigators; first responders; and evidence technicians.

Cellebrite Certified Physical Analyst (CCPA) is a three-day advanced level certification program which builds on the concepts from the CCO course and is designed for participants who conduct advanced analysis and employ advanced search techniques using UFED Physical Analyzer. Participants will NOT be conducting extractions from devices in this course. UFED Physical Analyzer software will be used extensively to recover deleted data, understand database contents, conduct advanced searches and analysis. In addition, participants will learn about verification, validation and reporting. Students will achieve the CCPA certification upon passing a knowledge test and practical skills assessment with a score of 80% or better. The only way to earn the CCPA is by taking the exam along with an associated course; there is no test out available. The ideal participants include those who have completed CMFF and CCO, or have advanced knowledge in digital forensics.

Progressive Certification and Renewals

Due to the rapid evolvement of technology and enhancements to the product line, the Cellebrite Forensic Training System is designed to offer progressive certification which allows practitioners who achieve a higher level certification, to refresh lower level certificates. All of Cellebrite's certification credentials shall be valid for two years. CCO, CCPA, and CCME certificate holders must recertify during the calendar year they are due to expire. For example, if you received your certification(s) in 2016, you must recertify by the end of 2018. For clarification, certifications shall be deemed valid through the end of the calendar year in which recertification is due. Cellebrite only requires you to recertify at the highest level achieved. For example, if you have earned CCLO and CCPA, you would only need to take the CCPA recertification to renew both. If you progress to earn the CCME, your CCLO and CCPA would be renewed the date you earn CCME. Recertification requirements and frequently asked questions can be reviewed at www.cellebritelearningcenter.com.

Cellebrite Certified Mobile Examiner (CCME) is a stand-alone certification examination which can only be taken after successful completion of CMFF, CCO and CCPA. This is a capstone certification examination (not a training course) wherein an examiner's knowledge and proficiency in mobile device forensics is measured. Qualified participants may enroll and learn more about the knowledge and practical assessments, as well as preparatory workshops at www.cellebritelearningcenter.com.

Training Tracks

[Figure: Training Tracks: Expert Forensic Examiner Track, Investigator Track, Analyst Track, Legal Professional]

Different training objectives often require different learning environments. Every day around the world, digital data is impacting investigations. Cellebrite's curriculum reflects our commitment to digital forensics excellence; training forensics examiners, analysts, investigators and legal professionals around the world to achieve a higher standard of competency and success. The Cellebrite Academy offers a series of sequential learning paths of five tracks.

The Expert Forensic Examiner Track goes well beyond the bounds of vendor-specific training and explores the use of highly advanced tools and techniques to recover data from devices where there is no automated tool support or other barriers to automated examination exist.

The Investigator Track familiarizes investigators with digital forensics technology and explores social media and cloud investigation issues. Participants will learn how to extract data from mobile phones and how to utilize basic analytical tools to better interface with, search for and identify digital forensic artifacts.

The Analyst Track content covers the technologies required to extract a broad base of digital evidence, as well as the methods for establishing connections and building timelines from service provider Call Detail Records (CDR) and all forms of mobile data. This track also builds analytical proficiencies, exploring current solutions and best-practice approaches for extracting, analyzing, storing, reporting and sharing digital forensics evidence.

The Legal Professional Track focuses on current and emerging legal issues surrounding the collection, preservation, and admission of digital forensic evidence in legal proceedings. Participants will gain a deeper understanding of and proficiency with digital forensic tools and analytics solutions, as well as how to more effectively work with forensics experts, investigators and analysts to streamline litigations.

Below is a brief description of additional courses outside the previously mentioned Core Mobile Forensic Track:

Cellebrite Advanced Smartphone Analysis (CASA) is a four-day course which takes an in-depth look into the challenges presented by iOS, Android, and Windows Mobile devices. This hands-on class focuses on the forensic recovery of application (app) data in SQLite and ESE databases, defeating passcodes and demonstrates how to bypass various versions of iOS device security. Participants will learn about data structures like SQLite databases, which serve as the backbone of most smartphone applications so that participants can effectively retrieve evidence from these structures even on applications which are not automatically decoded by forensic tools. Cellebrite software, as well as other forensic tools and utilities, are used in this class, just as they would be used in real-world labs.

Cellebrite Advanced Smartphone Extraction (CASE) is a five-day program that focuses on different high-tech methods of recovering and analyzing data stored directly on flash memory chips in instances where lesser intrusive methods are not available or desirable. Using chip-off and direct read methods to access data from flash memory chips, students will learn about three different methods of chip removal and the ways to minimize risk associated with these advanced methods. This hands-on class allows the participants to learn and experience chip removal through polishing and milling. This class is currently provided in our brick and mortar Cellebrite Academy locations.

Cellebrite Advanced JTAG Extraction (CAJE) is a four-day course led by Cellebrite Certified Instructors (CCIs). During this course, participants will learn about the JTAG process, electrical theory, methodologies, and purpose as well as understand the equipment and accessories necessary for successful JTAG extractions. Instructors will help attendees to not only develop, but also to hone fundamental soldering skills, gain practical knowledge with hands-on practice as well as share best practices and legal considerations for processing JTAG extractions. Additionally, participants will learn how to fully leverage the Physical Analyzer to decode JTAG extractions properly. As part of their attendance, participants will receive a RIFF 2 JTAG box, a Z3XPro (EasyJTAG) box, a Molex adapter kit, a class specific toolkit, and a Cellebrite soldering practice board.

Cellebrite Evidence Repair Technician - Forensic (CERT-F) is a five-day course designed to allow the forensic user to identify, diagnose and repair common issues and damage encountered in the real world work of recovering mobile device evidence. Participants get hands on experience in diagnosing and repairing devices so that automated extraction can be performed in cases where that is desirable over more intrusive or destructive methods. Students will learn how to diagnose level 1, 2 and 3 failures which include cosmetic, board/component level and water/fluid immersion damage and how to mitigate and recover. Beyond the mobile device there is an added section about repair and recovery of data from USB thumb drives. Cellebrite has removed all of the commercial "how to run a phone repair business" aspects found in similar repair classes and focused on direct hands on action to get you to the data. Certification attempt is provided in this class which involves taking a damaged phone, correctly diagnosing and repairing a damaged device to power-on state to extract data. This class is provided in our brick and mortar Cellebrite Academy locations.

Cellebrite UFED Field Operator (CUFO) is a one-day course designed to introduce non-forensic level users to the UFED Kiosk and the InField software which it runs. This allows users to carry out extractions from mobile devices and SIM cards and examine the data on the Kiosk.

Cellebrite UFED Field Manager (CUFM) is a ½-day course designed to introduce the UFED Kiosk to staff who will be managing units. It includes licensing, access control, updates, logging and network use.

Cellebrite Social Network Investigations (CSNI) course is a 4-day program designed for technically savvy investigators, digital evidence analysts and forensic practitioners. This course provides students with an introduction to social media investigations to include pre-seizure actions and basic investigative techniques. Students will learn how to create undercover accounts and use open source intelligence to gather information from publicly available information from social networks such as Facebook, Twitter, Periscope, and more. Using real life application and comprehensive instruction on legal processes (subpoenas, orders, warrants), students will learn how to identify and contact suspects. To complete the workflow, students will learn how to properly seize devices for extraction and how to work with the data that is returned from forensic examinations. Students will also learn methods to de-conflict their cases from other law enforcement officers. As the course progresses, students will be exposed to tools and techniques to collect social media evidence from devices and cloud data sources (UFED Touch and Cloud Analyzer).

UFED Analytics (UA) is a two-day course designed for examiners tasked with using UFED Analytics to learn various techniques to search effectively, review, analyze and report on evidence items collected from a variety of sources. Using customized workflows, gain insight into complex links between different custodians from a variety of extracted data within each collection. Students will learn about the many advanced features, including Text and Graphic analytics to quickly sort through volumes of data in an informed manner.

Cellebrite Digital Forensics for Legal Pros (CDFL) is a two-day

class for those professionals

charged with Iitigating cases that involve digital evidence derived from mobile devices. ln this class legal professionals will use the same tools used by trained forensics examiners to understand the possibility of evidence that may be recovered along with the inherent limitations associated with digital mobile forensics. This two-day class features one full day with an expert forensic practitioner that has testified as an expert in court and another full day with an attorney that is also in the cutting edge of digital forensic issues in court. Get ready to qualify your expert witnesses and know what to ask for from contributing investigators.

CONFIDENTIAL DOCUMENTS: May not be duplicated or disclosed without written consent from Cellebrite Training. © 2013-2017 Cellebrite Inc. All rights reserved.

Instructor Introduction

Your instructor for this class: [instructor name] [instructor email]

Your instructor for this course is:

Name:

Email:

Participants

Introduce yourself to the instructors and other members of the class:

• Name & rank/agency/role
• Experience with mobile device and computer-related investigations
• What software do you use for mobile device examinations in your lab?
• How many cell phones have you processed in the last 12 months?

Self Evaluation

1 - Beginner, 2 - Intermediate, 3 - Proficient, 4 - Advanced, 5 - Expert

As part of this course, please introduce yourself to the instructor and other members of the class by answering the questions presented.

Self Evaluation

Why are we asking this question? The answers help the instructors gauge the current experience level and adjust the pace of the course accordingly.


About Cellebrite

Cellebrite is:

• A global company
• A world leader and authority in mobile data technology
• The prime choice of forensic specialists with the UFED Series of products
• A leader in the forensic sector with more than 40,000 UFED units deployed

Forensic 4:cast Awards, 2016 winner:

• Phone Forensic Hardware of the Year
• Phone Forensic Software of the Year
• Digital Forensic Organization of the Year

Founded in 1999, Cellebrite is a global company known for its technological breakthroughs in the cellular industry. A world leader and authority in mobile data technology, Cellebrite established its mobile forensics division in 2007 with the Universal Forensic Extraction Device (UFED).

Cellebrite's UFED Series solutions enable the bit-for-bit extraction and in-depth analysis of data from thousands of mobile devices, including feature phones, smartphones, portable GPS devices, tablets, and phones manufactured with Chinese chipsets. Cellebrite's UFED Series is the prime choice of forensic specialists in law enforcement, military, intelligence, corporate security, and eDiscovery agencies in more than 100 countries.

Cellebrite, with companies in the USA, Israel, Germany, Singapore, and Brazil, is a wholly owned subsidiary of the Sun Corporation, a listed Japanese company based in Nagoya, Japan.

A dedicated international help-desk team provides technical support.


Cellebrite Platforms and Products

• UFED Touch2 (Logical, Ultimate)
• UFED 4PC
• UFED TK
• UFED InField Kiosk
• UFED Chinex
• UFED Logical/Physical Analyzer
• UFED Reader
• UFED Phone Detective
• UFED Cloud Analyzer
• UFED Analytics
• CAIS - Cellebrite Advanced Investigative Services

Cellebrite solutions are currently used by government agencies, military agencies, and private entities throughout the world.

HARDWARE

UFED Touch2

Enables the simplified extraction of mobile data. Supports a wide range of mobile devices, including legacy and smartphones (iOS, Android, BlackBerry, Symbian, and Palm), portable GPS devices, and tablets. The UFED Touch2 enables the extraction, decoding, analysis and reporting of mobile data. Depending on the license purchased, the UFED Touch2 performs physical, logical, file system and password extraction of data from a wide range of devices including legacy and feature phones, smartphones, portable GPS devices, tablets and phones manufactured with Chinese chipsets.

UFED 4PC

Much like the UFED Touch2, the UFED 4PC enables users to deploy extraction capability on Windows based tablets, laptops, and desktop computer systems.

UFED TK

A ruggedized mobile forensic solution, purpose-designed for users to perform extraction, decoding, analysis and reporting on a single ruggedized platform.

UFED InField Kiosk

User-friendly, "all-in-one" mobile forensic solution to selectively extract and decode mobile device data such as call logs, contacts, calendar, text messages, media files and more - for your agency, border check point, airport or - if a situation demands it - in the field.


UFED Chinex

Solution for the physical extraction and decoding of evidentiary data and passwords from phones manufactured with Chinese chipsets such as MTK and Spectrum.

SOFTWARE AND INVESTIGATIVE SERVICES

UFED Logical/Physical Analyzer

An analysis and reporting tool for logical/physical extractions. Its capabilities enable extracted data to be presented in a clear and concise manner. Physical Analyzer provides users the ability to perform advanced analysis, decoding and reporting. Analyzer includes enhanced decoding functionalities that support multiple data types, such as chat, email, applications, cookies, notes, MMS, instant messages, Bluetooth devices, locations, journeys, GPS fixes, call logs, text messages, contacts, web bookmarks (favorites), web history, SIM data and more.

UFED Reader

Application allowing users to share analysis reports with other authorized personnel, such as colleagues, other investigators, and attorneys.

UFED Phone Detective

Application provided as part of the UFED series and available with all UFED versions. It helps investigators quickly identify a mobile phone by its physical attributes. UFED Phone Detective is also available as a mobile device application to identify extraction capabilities using the UFED Touch2 and UFED 4PC.

UFED Analytics

UFED Analytics is designed to deliver the deepest, most accurate insights possible. They simplify and automate complex analytical tasks, cultivating more leads in less time. UFED Analytics is available in three versions: Desktop, Workgroup and Enterprise.

Desktop is geared to serve a dedicated, single forensic specialist working individual cases.

Workgroup breaks down information barriers, streamlines data access, reduces case cycle times, and speeds investigations, all while delivering a client-server solution that can accommodate workgroups of up to 50 users and hundreds of data sources.

Enterprise builds on UFED Analytics Workflow capabilities to support a complete unified digital forensics workflow, from automatic decoding and indexing of extracted data to centralized role-based analysis and reporting. Advanced analytic engines layered within a server-based centralized forensics data repository bring critical mobile data insights to the forefront quickly, and allow hundreds of users.

CAIS

Cellebrite Advanced Investigative Services offers customers the ability to recover valuable evidence from heavily damaged and/or locked and/or encrypted devices. CAIS offers specialized services such as the CAIS Unlocking services, giving global law enforcement agencies breakthrough opportunities to unlock the latest smartphone devices in a forensically sound manner and without any hardware intervention or risk of device wipe.


Research and Development


Cellebrite receives new mobile devices before they hit the market, providing Cellebrite with time to support the device before it is released to consumers

Cellebrite plays a key role within the mobile forensic community. Cellebrite is the leader in developing new technologies, such as physical extractions, analytics, and malware discovery on mobile devices. Cellebrite has organized teams within their research and development department with very specific tasks, such as:

• Android extractions and decoding
• iOS extractions and decoding
• Blackberry (Blackberry Ltd) extraction and decoding
• Physical Analyzer interface and capabilities
• Updates for the latest mobile devices
• New capabilities (analytics, malware, and more)

The research and development teams are working around the clock on support for the latest releases of software and hardware for mobile devices. Additionally, Cellebrite has outstanding customer support that can be contacted through the web, email, or by phone. They will answer questions relating to mobile device forensics (extraction and decoding), UFED devices, and software or training issues. Cellebrite has a relationship with mobile device manufacturers and receives new mobile devices before they hit the market, which provides time to support the device before it is released to consumers.

Contacting Mobile Forensics Technical Support

If you need assistance with our products, the best and easiest way to contact us is via our online technical support request. You may complete an online request at http://www.cellebrite.com/Pages/Mobile-Forensics-Support-Center.

Additional contact information may be found at http://www.cellebrite.com/Contact-Us.


Legal


As with all of Cellebrite's hardware and software based forensic solutions, please be aware and familiar with the legal disclaimer included within your participant guide.

Legal Disclaimer

In providing you with these training materials and any training sessions, Cellebrite is not providing you with any legal advice and is not engaged in the practice of law. We recommend that you consult an attorney regarding using Cellebrite's products in compliance with applicable laws in your jurisdiction. If you use any of our other products or software, you are solely responsible for ensuring that:

1. You have any legal consents or approvals required in your jurisdiction
2. You are doing so in a manner that is consistent with any applicable laws and
3. You will use our products or software in compliance with any applicable terms of service, terms of use or other agreements.


Conclusion

This introductory module covered:

• Course Objectives
• Course Administration
• Cellebrite Training and Certification programs
• Introductions
• Cellebrite Overview


Module 2: Forensic Handling of Mobile Devices

Module Introduction

Mobile devices are already an integral part of most crimes that are committed, due in large part to the role they play in daily communication and the types of personal information that they contain. In some instances, they represent the only source of digital evidence collected at a crime scene for many first responders. In this module, we will discuss some of the legal issues investigators should consider before seizing and searching devices for evidence. You will also learn about proper evidence handling procedures and how to use tools like UFED Phone Detective to identify mobile devices based solely on physical characteristics. We will discuss a variety of locking mechanisms found on today's popular smartphones.

Module Objectives

Upon successful completion of this module, the student will be able to:

• Recognize legal considerations for seizing and searching devices
• Examine mobile device and Internet of Things (IoT) technologies of value in an investigation
• Describe the phases of the digital forensics process
• Relate the correct procedures for identifying and handling digital evidence devices as first responders
• Employ the Cellebrite UFED Phone Detective software to identify mobile devices
• Identify various locking mechanisms found on mobile devices
• Explain best practices to document mobile device investigations


Legal Considerations

Considerations

• Have you consulted for legal advice?
• Do you have the authority to search the premises?
• Do you have the authority to seize mobile devices?
• Are you restricted in the information you can look at?

Considerations of Legal Authority

In conducting any search and seizure of mobile devices, the legal authority for you to seize a device as a first responder is critical to supporting a subsequent case.

Complying with legal requirements and constraints should be your first concern when deciding whether or not you have the ability to seize these devices. If at any time you do not know for sure, then as the first responder you should seek legal counsel or advice before making a seizure.

Another responsibility of the first responder is to identify mobile devices at a crime scene. Traditionally this was pretty straightforward, but as new devices are released, identification is becoming more difficult. New technologies that include fully mobile watches with Wi-Fi access to new Point of Interest adventures such as Project Glass from Google provide an investigator with an increasingly challenging environment. These new devices are very hard to identify, and first responders must keep pace with the latest technologies to ensure these devices are properly identified at a crime scene.


Technologies

Be aware of and look for new mobile and other information technologies during your search that may help the investigation.

Considerations of New Technologies

Wi-Fi-enabled devices such as watches and cameras can easily be missed by first responders if they don't know what to look for. These new devices have the ability to store information inside of the device as well as transmit information across available Wi-Fi networks. They are increasingly used by business executives, tech-savvy individuals and, potentially, criminals as part of their daily lives.

Connected Home: The connected home functionality allows users to control everyday actions within their home. Users can now control things like televisions, lighting, air conditioners, window shades and more directly from their connected wireless device. Many mainstream broadband providers are now offering wireless security cameras which can be monitored by homeowners from anywhere in the world. One of the latest and very popular additions of technology related to the home is the wireless doorbell, which notifies the homeowner on their smartphone. These doorbells allow them to see and speak to visitors from anywhere in the world.

Smartwatches and fitness bands: Smartwatches and fitness bands are wearable technologies which not only provide users notifications on their wrist, but many devices also track the geographic location of the user with an embedded GPS chip. These wearables also usually monitor activities such as heart rate and the number of steps taken in a day, as well as allow users to read and respond to text messages, email and even interact with applications installed on the user's smartphone.

Virtual Reality: Referred to as VR, digital technologies that use programs and hardware to generate realistic images, sounds, and sensations that replicate an environment. The user can interact with this space and manipulate any objects depicted using specialized equipment.


Drones: Although some drones may contain information which may prove valuable in an investigation on the memory chips of the flying device itself, investigators should be aware of data which can also reside on mobile devices used to control drones. Many of the commercially available units will do more than just control the flight of the drone; they can also control the camera, transmit live video back to the controller and even stream that same live video out to the Internet.

Gaming Consoles: Gaming consoles enable users to communicate with others using voice and text-based channels. These devices may contain artifacts related to conversations and other illicit activity which may be recovered by a digital forensics examiner.


Hiding Devices

The places the devices can be hidden can become less obvious and more challenging to find.

Electronic evidence can be hidden on very small items with large capacity. Micro SD cards are available in capacities up to 1TB, and they are physically very small and easy to conceal.

SD cards, which are used in cell phones, can contain a vast amount of data. Investigators should be aware that these small storage devices are easily hidden and/or destroyed. Some phones will store all media files on these micro SD cards, which may contain evidence that is not stored on the device itself. Phonescoop.com can generally be used to research the phone's compatibility with different sizes and formats of SD cards. We will discuss SD cards in more detail later in this course.

In recent years, agencies have deployed specially trained canines to detect hidden electronic devices and peripherals. Much like the well-known drug dogs, these canines alert their handlers to a distinct odor found in electronic components.


Personal Safety

Personal safety is always your primary concern!

• Do not approach mobile devices connected to possible explosives
• Consider risk vs. benefit
• Remember... lives may be at stake

Personal safety is the primary concern when processing scenes. Mobile devices are commonly used as remote detonators for explosives. First responders should exercise extra caution when seizing mobile devices. Investigators should closely examine mobile devices visually before touching them to ensure that they are not attached or connected to other devices. Appropriately trained personnel should examine suspicious-looking mobile devices before they are handled or seized.

Cell phones have been increasingly used to detonate improvised explosive devices (IED). The Nokia 105 is marketed as a durable, inexpensive phone with a long battery life. According to a Conflict Armament Research Report, the Nokia phone is the most popular device among the ISIS extremist group and is found in many of their IEDs.

Online research teaches people how to ignite fireworks remotely using cell phones by wiring to the vibrating unit built into cell phones. When the phone receives a call, the electrical impulses are used to ignite the fireworks. This same procedure is used by extremist groups to remotely detonate explosive devices.


Investigators must be careful with handling of mobile devices as they can be used to trigger improvised explosive devices (IEDs).

If you believe a mobile device is connected to an explosive device, contact the bomb disposal unit to assist in disarming the device before trying to process or seize it. This is another risk versus benefit scenario in which the device may be critical to the investigation and seizing the device is a priority, but you must weigh the costs. Do not put other officers in jeopardy to get the evidence; loss of life is the most critical concern, and personal safety must always take priority. There may be times when you are unable to retrieve the evidence from a mobile device because of safety considerations.

"Ten explosions rocked through four commuter trains during rush hour on March 11, 2004, in Madrid, Spain. The bombs had been made from bags stuffed with explosives, allegedly the explosive known as Goma-2 ECO, and metal fragments; cell phones with timers were used to initiate the explosive devices. The attack, which was carried out by violent Islamist extremists, killed 191 people, and injured more than 1,800."

Additional reference to this story can be found at https://www.dhs.gov/sites/default/files/publications/prep_ied_fact_sheet.pdf and https://www.oig.dhs.gov/assets/Mgmt/OIG_10-68_Mar10.pdf.


Search Kit - Mobile Device Tools

Ensure that you have the proper equipment to document the status of the devices upon your arrival.

• Computer with appropriate software licenses
• Tabletop vice
• Video/Still Camera and Storage Cards
• Tripod
• External Batteries with Cables
• Ruler
• Latex Gloves
• Pens, Pencils, Notepads, Permanent Markers
• Arson Can/Aluminum Foil/Faraday Box/Faraday Bag
• Magnifying Glass
• Evidence/Property Forms
• Evidence Bags

When preparing to respond to a crime scene involving mobile devices, ensure that you have the proper equipment to document the status of the devices upon your arrival. You will likely already have many of these items in your incident response kit. However, ensure that you carry the additional devices that may be necessary to document a mobile device search and seizure.

| Device/Software | Description |
| --- | --- |
| Tabletop vice | Allows you to hold devices in place to photograph them and avoid contaminating traditional evidence such as fingerprints. |
| Camcorder | Allows you to capture video of processing the mobile devices. Be careful to avoid background chatter or blurbs from other officers that could cause embarrassment. |
| Digital camera and storage cards | Allows you to capture information from the crime scene, as well as from the mobile device, such as settings and information on screen at time of arrival. |
| Camera tripod | Allows you to keep the video camera or digital camera steady to take quality photos. |
| Ruler | Helps document the size of smaller devices. |
| Rubber gloves | Protect against contamination of traditional evidence as well as protect the officer from bodily fluids. |
| Pens, pencils, note pads, permanent markers | Used to document information from the crime scene as well as from mobile devices. |
| Paint can/aluminum foil/Faraday box/Faraday bag/signal jammer | Used to cut off communications to the mobile devices for both Wi-Fi and radio band frequencies; each one of these techniques has different degrees of effectiveness to consider. |
| External batteries with cables | Supplies external battery source for mobile devices to ensure the device does not shut down during seizure or transport. |


Phases of the Forensics Process

[Figure: the four phases of the forensics process: Identification, Acquisition, Analysis, Reporting. Slide notes: Duplicate storage media; Run processes against the image to extract information; Document the elements of the crime.]

As discussed in the Cellebrite Mobile Forensic Fundamentals (CMFF) course, four phases occur from the beginning of the investigation to the final results. Each one of these phases is a building block for the next phase and can subsequently affect the results of the following phases if proper procedures and actions are not taken correctly.

In this module, we will focus on the first phase, Identification and Seizure. This is the first step in the forensic process, which requires the individuals to both identify and appropriately secure the digital evidence. In criminal cases this will typically be performed by officers that are trained to preserve the digital evidence. In civil cases, it will normally be company officers or IT personnel, often untrained. In both criminal and civil cases, the individual responsible must ensure they follow applicable laws, company policies and best practices.


Handling Evidence Process

After digital evidence is located:

• Photograph/Video
• Document
• Non-Digital Forensic Considerations (DNA, Fingerprints)
• On/off status
• Identification
• Lock/passcodes
• Shield from the network
• Bag/tag
• Transport

Investigators processing a scene should document everything they do before, during and after processing. Along with photographs and video documentation, investigators should take the time to take detailed notes on their actions, including exact dates and times. If fingerprints or DNA are expected, the item should be processed before extensive handling. Later in this course, we will provide additional information on documentation.

Depending on the power status of the device, investigators will need to know what to do in each situation. Device identification, lock status, and network shielding are all factors that must be considered before securing and transporting the device. It should be noted that some jurisdictions require that law enforcement personnel have legal authority before manipulating the device for things as simple as inventory and even placing the phone into airplane mode. If airplane mode cannot be located or the examiner is not comfortable manipulating the phone, they should use shielding to isolate the handset from the networks.

The recommended way to transport digital devices is on the floorboard in the rear seat area of the vehicle, avoiding exposure to magnetic fields and other electronics such as police vehicle siren modules, etc. Investigators should ensure that they complete the proper seizure paperwork, including the seizure forms and chain of custody.


Make and Model Identification

It is imperative to identify the make and model of the mobile device.

• Experience
• Web Resources
• Software - UFED Phone Detective
• Location - Usually underneath the battery

Once you determine that you have legal authority, have performed your search, and have located a device, you need to accurately identify the type of device you have recovered, including its make and model. There may be times when it is easy to identify a device (e.g., iPhone 5 compared to an iPhone 6+, as the body styles are completely different). There may be other times when simply looking at the device itself is not enough, and you may need additional resources to correctly determine the type of device you located.

The make and model of the device can often determine the capabilities of the device, the isolation technique that can be used to shield it from the network, and what information may be available on the device. Additionally, the make and model may be able to tell you whether the phone is a CDMA- or GSM-based handset and if the device could contain an additional media card such as an SD or Micro SD card.

Resources for identification: Most mobile devices such as cellular phones usually include the make and model number of the device underneath the battery of the device. You will need to remove the battery to get this information. That will require you to shut down the phone, which may cause issues when you power the device back on. The mobile device may contain PIN codes or a handset password that blocks the examiner from accessing the device.

Additional considerations in whether to leave the device on or off will be discussed later in this module.


Mobile Device Terminology

CDMA - Code Division Multiple Access

• ESN: Electronic Serial Number
• MEID: Mobile Equipment ID
• MIN: Mobile ID Number
• MDN: Mobile Directory Number

GSM - Global System for Mobile Communication

• IMEI: International Mobile Equipment Identity
• SIM: Subscriber Identity Module
• ICCID: Integrated Circuit Card Identifier
• IMSI: International Mobile Subscriber Identity
• MCC: Mobile Country Code
• MNC: Mobile Network Code
• LAI: Location Area ID
• MSISDN: Mobile Station International Directory Number

As discussed in the Cellebrite Mobile Forensic Fundamentals (CMFF) course, there are two distinct technologies used by mobile telephone networks. They are Global System for Mobile Communication (GSM) and Code Division Multiple Access (CDMA). Knowing some of the terms associated with each type of service provider can prove beneficial in the identification of mobile devices. Also, these terms, or acronyms, will appear in many digital forensic extraction reports.

CDMA

CDMA stands for Code Division Multiple Access. These networks connect using different methods to allow multiple callers access to single voice radio waves, hence Code and Time Division. True CDMA networks do not require handsets to have a SIM card, as the network connects to the device and the subscriber details are contained in the handset rather than a SIM card. With the advent of the 4G data network, CDMA handsets often contain a SIM card. This is because 4G is a GSMA (Group Special Mobile Association) standard and requires a SIM card for the data connection. The GSMA represents the interests of mobile operators worldwide, uniting nearly 800 operators with almost 300 companies.[1]

The Mobile Equipment Identity (MEID) is the CDMA equivalent of the IMEI for GSM handsets and is often referred to as the serial number of the handset. The MEID (Mobile Equipment ID) replaced the Electronic Serial Number (ESN) because all the available ESN numbers were used in 2005.

The Mobile ID Number (MIN) is often compared to the IMSI associated with GSM handsets. The MIN is the number which identifies the subscriber to the CDMA network provider. In some cases, the Mobile Directory Number (MDN) is found to be the same as the MIN in these handsets. The MDN is the phone number assigned to that CDMA device. When reading reports, investigators may find the MIN and MDN are different. This can be for a variety of reasons, to include a user who has ported their number over from another carrier and those that may be on a family share plan.


You can use www.numberingplans.com to see the country of origin and service provider for the phone number.

NOTE: If you have unrestricted access to the handset, the MEID for a CDMA device may display by dialing *#06# depending on the make and model of the handset. Sometimes you will find this feature will work only if the LTE data usage setting of a handset is set to "data only."

GSM
GSM systems are the most common system in use globally. It is rare to find a CDMA system in Europe. GSM networks connect to the user's SIM card for authentication. A GSM handset requires a SIM card and cannot operate without one. Identification of the subscriber is just as important as the hardware, and in devices that follow the GSM network standard, the subscriber data is located on the SIM (Subscriber Identity Module).

The International Mobile Subscriber Identity (IMSI) is the most important number for a mobile operator as it is used to identify the subscriber. Once a call arrives at the subscriber's own network, the telephone number, also known as Mobile Station International Subscriber Dialing Number (MSISDN), is mapped to the IMSI and from that point on the IMSI is typically used, not the MSISDN. This is why a SIM card will record the IMSI but may not record the MSISDN. The device itself (Mobile Station or MS) is identified by the International Mobile Equipment Identity (IMEI). This is hard coded into the handset and is broadcast over the network when the handset is used. Below are examples of how to decode both the IMSI and IMEI.

IMSI Decoding
An IMSI can be decoded using sites such as www.mcc-mnc.com. When broken down, the IMSI will provide you the Mobile Country Code (MCC), Mobile Network Code (MNC) and Mobile Subscriber Identification Number (MSIN). Here are two examples of an IMSI number and decoding the first five digits:

31038 1234567890: 310 and 38 identify USA and AT&T; the remaining numbers (1234567890) are the MSIN.
23444 1234567890: 234 and 44 identify UK and O2; the remaining numbers (1234567890) are the MSIN.

IMEI Decoding
Here is an example of a decoded IMEI:

Full IMEI Presentation: 01-341000-696839-6
Reporting Body Identifier: 01
Type Allocation Code: 01-341000
Serial Number: 696839
Check Digit: 6

NOTE: If you have unrestricted access to the handset, the IMEI for a GSM device can typically be displayed by dialing *#06#.

The Location Area ID (LAI) may be recoverable during the extraction of SIM card data. The LAI is used by the network to locate the handset. It will consist of one or more base stations, and it will likely be necessary to contact the service provider to obtain details of its meaning.
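The IMSI and IMEI breakdowns described above, as an added Python example that is not part of the original guide. The function names are hypothetical, the MNC is assumed to be two digits as in the guide's examples (networks may use two or three), and the check digit is verified with the Luhn algorithm, which the guide does not name.

```python
"""Added example: split an IMEI and an IMSI into the fields named in the guide."""

# Country/operator pairs taken only from the guide's two IMSI examples;
# a real lookup would use a full MCC/MNC list such as www.mcc-mnc.com.
GUIDE_OPERATORS = {
    ("310", "38"): ("USA", "AT&T"),
    ("234", "44"): ("UK", "O2"),
}


def _digits(text: str) -> str:
    """Strip the spaces and hyphens that reports print between fields."""
    cleaned = "".join(ch for ch in text if ch not in " -")
    if not cleaned.isdigit():
        raise ValueError(f"non-digit characters in identifier: {text!r}")
    return cleaned


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit for the 14-digit IMEI body (TAC + serial)."""
    if len(body) != 14 or not body.isdigit():
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    for pos, ch in enumerate(body):
        value = int(ch)
        if pos % 2 == 1:        # every second digit is doubled
            value *= 2
            if value > 9:       # two-digit results are reduced by digit sum
                value -= 9
        total += value
    return (10 - total % 10) % 10


def decode_imei(text: str) -> dict:
    """Split a 15-digit IMEI and report whether its check digit is consistent."""
    digits = _digits(text)
    if len(digits) != 15:
        raise ValueError("an IMEI has 15 digits including the check digit")
    check = int(digits[14])
    return {
        "reporting_body_identifier": digits[:2],   # first two digits of the TAC
        "type_allocation_code": digits[:8],
        "serial_number": digits[8:14],
        "check_digit": check,
        "check_digit_valid": luhn_check_digit(digits[:14]) == check,
    }


def decode_imsi(text: str, mnc_digits: int = 2) -> dict:
    """Split an IMSI into MCC, MNC and MSIN.

    mnc_digits is an assumption the caller must confirm for the network
    concerned; the guide's examples use two digits.
    """
    digits = _digits(text)
    if mnc_digits not in (2, 3):
        raise ValueError("an MNC is two or three digits long")
    if not 3 + mnc_digits < len(digits) <= 15:
        raise ValueError("IMSI length is out of range")
    mcc, mnc = digits[:3], digits[3:3 + mnc_digits]
    country, operator = GUIDE_OPERATORS.get((mcc, mnc), (None, None))
    return {
        "mcc": mcc,
        "mnc": mnc,
        "msin": digits[3 + mnc_digits:],
        "country": country,      # None when the pair is not in the guide's examples
        "operator": operator,
    }


if __name__ == "__main__":
    # Identifiers below are the guide's own examples.
    print(decode_imei("01-341000-696839-6"))
    print(decode_imsi("31038 1234567890"))
    print(decode_imsi("23444 1234567890"))
```

A failed check digit usually means the IMEI was mistyped or misread from a label, so it is worth re-reading the source before the value goes into a report.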


NOTE: The Mobile Country Code (MCC) is not the same as the international dialing number.

SIM
The Integrated Circuit Card Identifier (ICCID) is the serial number of the SIM card. This number is generally printed onto the SIM card but may sometimes vary from that which has been programmed into the circuit. The ICCID should start 89 which identifies it as a telecom card. This is followed by the International Dialing number for the issuing country (there are exceptions such as Canada).

1. About the GSMA - Mobile World Congress. (n.d.). Retrieved from https://www.mobileworldcongress.com/about/about-the-gsma/


Shielding

How will you shield a mobile device that you find from receiving new communications?

• Faraday (Tents, Bags, Boxes)
• Arson Can
• Aluminum Foil
• Airplane Mode
• Radio Isolation Card

You must always consider how you will cut off all communication to the mobile device while it is being processed on the crime scene for either acquisition or seizure. This is one of the most critical steps, because information from the mobile device can be manipulated or even destroyed (wiped) remotely. Most of the smartphones that are currently in use have a remote wiping capability that will allow them to contact the service provider or use a third-party application (such as Find My iPhone) to overwrite the information on the phone once it gets a signal (Wi-Fi 802.11 or Cellular). Additionally, information can be added to the device or information within unallocated space can be overwritten if new SMS and calls come in to the device after the time of seizure. This goes against the best practices for search and seizure.

Imagine seizing a phone at the crime scene and taking it back to your forensic lab. If you power the device back on and have not properly shielded it from the communications network, the device may go into a cleansing or wiping process. There are several ways to shield a mobile device from a network, but they must be tested and validated to ensure the devices are working correctly. These are just a few of the options that can be considered for shielding the mobile devices from the network. Before using any one of these solutions, each solution should be tested in a controlled environment and with a test mobile device to avoid data corruption of evidence. More information about the Radio Isolation Card will be provided later in this course.

When using Faraday devices or other shielding measures, the mobile device will continually try to connect to the network and may sometimes boost the battery power trying to make these connections. There is a very good possibility the device's battery may drain very quickly, and you may want to use an external backup battery source to ensure the device does not lose power.


Web Resources

Do I shut down the device to find out key information? What can you find out about the make and model of the device without having to remove the battery?

There are several very good resources on the Web that you can use to identify mobile devices and obtain additional information about the devices. One of the main resources is known as "Phone Scoop." The Phone Scoop site (www.phonescoop.com) is a valuable source of information about the characteristics of phones, capabilities of phones, processors, memory, Wi-Fi capabilities, manuals, and much more. Another site you may wish to consider is www.gsmarena.com. You can use the Phone search option and choose the manufacturer of the phone, which will then give you all the makes and models available depending on whether the device is CDMA or GSM based.


UFED Phone Detective

Answer up to eight questions related to visual attributes / TAC / measurements.

Mobile device forensic suites also have a software solution to assist investigators and first responders to correctly identify a mobile device. Cellebrite released the Phone Detective desktop software solution. It gives first responders the ability to enter information about a mobile device, such as manufacturer, size, button location, camera location, color, and type of device screen. The software searches a database and locates models that match the entered characteristics. The first responder can look at the selections provided by the software and determine if the device matches the identification. You can download this software by logging into your account at http://my.cellebrite.com


Phone Detective Desktop Software

Mobile device forensic suites have a software solution to assist investigators and first responders to properly identify mobile devices. The Phone Detective desktop software allows investigators to:

• Identify devices based on physical characteristics
• Identify data which can be extracted.

Phone Detective Smartphone Application

The Phone Detective application is available for iOS and Android smartphones, which allows investigators to:

• Identify which devices are supported for extraction by UFED Touch2/4PC
• Identify supported extraction methods and specific items which can be acquired

Cellebrite has also released a slightly different version of the Phone Detective application for investigators to use on their smartphones. This version of the application provides investigators a great way to identify which handsets are supported for extraction using Cellebrite UFED Touch2 and/or UFED 4PC hardware. In addition, the application will identify if a device lock may be bypassed and which data artifacts may be recovered for the selected device. You can download the application from the Play store for Android devices, or the App Store for iOS devices.


Considerations and Next Steps

• Standby/Sleep
• Password protected?
• Will waking cause change?
• Airplane Mode available?

Now that we have covered the identification of devices, let's consider the next steps in the seizure process. The state of the device - whether it is on, off, or in sleep mode - will affect the actions available to first responders on the crime scene. All device states have considerations that must be addressed before taking action.


Off State: Data Collection Procedures

1. Protect DNA Evidence
2. Note handset details
3. Note physical condition
4. Research technical details
5. Remove memory card if present
6. Shield from network
7. Package and label
8. Transport

Off State - Data Collection Procedures
Follow these procedures if the device is off:

1. Protect against destroying DNA: Wear proper protective equipment to prevent contamination of traditional DNA evidence.

2. Note handset details: Determine and document the make and model of the handset (if known), ESN, and carrier (may be located under battery).

3. Note physical condition of handset: Note any damage to the device or other identifying marks. Consider taking pictures of the device to show any specific conditions or markings.

4. Research handset technical details: Use Internet resources, such as www.phonescoop.com.

5. Remove Memory Card: When possible and dependent on your knowledge regarding the mobile device, remove SIMs and memory card if present. Image the data with traditional forensic techniques.

6. Shielding from Network: Even though the device is off, you may still want to consider shielding it from network connections as a precaution to ensure the device's information is not contaminated. Consider using a Radio Isolation Card (safety SIM/Cloned SIM ID), Faraday bags, a Faraday box, arson cans, or signal jammers in jurisdictions where legal. (Note that the use of signal jammers is generally prohibited in the United States - check with appropriate legal counsel.)

7. Package and label the device: Fill out all necessary paperwork to include a chain of custody, incident report, and evidence labels.

8. Transport device: Protect the device, completely fill out required forms, and transport the evidence directly back to evidence lab. Ensure the device is not exposed to extreme heat, moisture, or other environmental factors that can affect the integrity of the evidence.


WiFi and Cellular Network Indicators

If the device is on, determine whether it is connected to WiFi, a cellular network, Bluetooth, or Near-field Communications (NFC).

WiFi
When devices are connected to an available wireless 802.11 device, you may see a "WiFi" icon located on the main screen of the device. Most smartphones (Blackberry and Android) should have this icon on the main screen if connected to a WiFi device. If this icon is located on the main screen and has active signal strength, it is actively talking to a network.

Cellular Network
When a device is connected to a cellular network, there is usually an icon on the main screen, which shows how strong the connection is to the network and may also even have the network name of the association. If this icon is located on the main screen and has signal strength, it is actively talking to a network. Some devices will display the connection type on the screen as well, such as LTE, 4G, 3G, E, 1x, HSPA, and EVO, among others. Depending on the device, this will not only indicate the speed of connection, but also becomes an indicator of connectivity.

Bluetooth
Bluetooth is a method of communication that uses radios to communicate over short distances using the ISM band between 2.4 and 2.485 GHz. If a mobile device is Bluetooth-enabled, it will need to pair with an additional Bluetooth device. Once paired, the devices can communicate and exchange files, photos, and text messages, along with streaming music.

Near-field Communication (NFC)
Near-field Communications is a method of communication that requires two NFC compatible items to be in proximity of each other (within 10 cm). The technology is used in Credit Cards, Hotel Room Keys, and Government ID (including Passports) and contains information that is transmitted when hit by an electromagnetic field. The data can be read by compatible transmitters. This technology can be found in most modern cellphones.


On State: Data Collection Procedures

1. Protect DNA evidence
2. Note handset details
3. Note physical condition
4. Shield from network
5. Charge handset
6. Research technical details
7. Determine whether device can be shut down
8. Document relevant information
9. Package and label
10. Transport

Device is in On State
If the device is on, you must consider the risks versus benefits of handling the device. Your decision on how to handle the device will depend on the make and model and whether the device's security features are enabled. Follow the procedures below if the device is on:

1. Protect against destroying DNA: Wear proper protective equipment to prevent contamination of traditional DNA evidence.

2. Note handset details: Note the make and model of the handset (if known), ESN, and carrier (if it can be determined without removing battery).

3. Note physical condition of handset: Note any damage to the device or other identifying marks. Consider taking pictures of the device to show any specific conditions or markings.

4. Shield from the network: It is critical to shield the device from networks (Wi-Fi/radio band). Consider using a cloned SIM ID Card (Radio Isolation Card), Faraday bags, a Faraday box, airplane mode, arson cans, or signal jammers (if legal). When the device is shielded from the network, the device's battery may drain faster as it boosts power to the antenna to try and make a connection to the network.

5. Charge handset if necessary: Ensure that the device continues to have sufficient power as it may be password protected. If available, you can use an external power supply with batteries and assorted connection tips.

6. Research handset technical details: Use resources such as www.phonescoop.com or the Mobile Forensics Database.

7. Determine whether the device can be shut down: This answer will depend on the status of the device and whether the device has a passcode or PIN enabled. It will also depend on whether forensic tools support physical imaging to bypass passcodes and PINs. (PINs and passcodes are covered later in this module.)


Shutdown device option: If the device can be shut down, shut it down, remove the battery, and note details under the battery (such as the IMEI, ESN, or MEID). Then remove the SIMs and memory cards from the device for the traditional imaging process.

Leave device running option: If the device cannot be shut down, leave it running, continue to shield from networks, and continue to document status. If the device has a timed autolock, you may want to keep the device active by touching the screen or disabling the autolock if you have access. You may also want to connect it to an external power source.

8. Document relevant information: Record the date and time, desktop, applications, settings, and open files.

9. Package and label the device: Fill out all necessary paperwork to include a chain of custody, incident report, and evidence labels.

10. Transport device: Protect the device during transportation. Ensure the device is not exposed to extreme heat or moisture as these can affect the integrity of the evidence. Ensure the device is still shielded from a network during transport. If the device has been placed in Faraday shielding, consider using an external battery source to ensure the device does not lose power and power off by accident.


Passcodes on iOS Devices

Most iOS users opt to use a 4-digit passcode and Touch ID as it is the easiest and fastest way to unlock their device and use it. An examiner's success in bypassing this type of security varies depending on the version of iOS and the chipset on the device itself. Investigators may be able to readily identify the type of passcode being utilized on the device by simply looking at the lock screen displayed.

Touch ID: Can be enabled by a user of an iPhone 5s or newer as well as iPad Pro, iPad Air 2, or iPad mini 3 or later. When activated, the user does not have to use a passcode if they have saved their fingerprint(s) in their phone and turned the feature on.


The following example screens are taken from an iPhone 6 running iOS 9.3.1. The initial screen you will likely see on an iPhone which is taken out of standby mode by clicking either the home button or the power button on the device. After sliding the screen to the right as indicated, you will see one of a variety of passcode screens. The screen will vary depending on the type of passcode the user has enabled, including Touch ID.

NOTE: In each of the examples shown, it should be noted that Touch ID is an option (screens specify "Touch ID or...").

Type of Passcode:

4-digit - Consists of four numeric characters. 10,000 possible combinations. Depending on the iOS version running on the device and the hardware itself, the four digit passcode may be relatively easy to defeat. Several mobile forensic companies have created both software and hardware solutions to obtain this type of passcode.

6-digit - Consists of six numeric characters. 1,000,000 possible combinations.

Complex - Digits only - Consists of more than six numeric characters. Documentation has not been found regarding the maximum length of this type of passcode.

Complex - Consists of alphanumeric and can contain special characters. Documentation has not been found regarding the maximum length of this type of passcode.


Android Screen Locks

Screen locks for Android devices are dependent on the version running:

• Face Lock
• Fingerprint
• Iris Scan
• Voice
• Knock Pattern
• Smart Location
• PIN/Password and Pattern Lock

Users have a variety of options to choose from when locking the screens on their devices.

Face Lock - Uses an image of the user captured by the front camera to unlock the device. There must be some movement in the face when unlocking the device, to prevent someone from using a still photo to gain access.

Fingerprint - Newer devices have a fingerprint sensor built into the home button. The user places their finger upon the sensor to gain access to the device.

Voice - The user speaks while unlocking the device, and their voice gains access.

Knock Pattern - The user taps certain locations on the screen in a certain order to gain access to the device.

Iris Scan - Scans a person's eye in order to confirm identity.

Smart Location - Trusted locations leave the device unlocked for up to four hours when it is turned on, and the device is connected to a secured Wi-Fi access point, trusted Bluetooth device, trusted NFC tag, or if the device detects body movement.

PIN/Password and Pattern Lock - All of the above locks require a secondary lock such as a PIN, password, or pattern lock. Also, a user may select one of these as the primary screen lock for their device. Stock Android provides three screen guard unlock methods: pattern, PIN and password (Face Unlock has been rebranded to 'Trusted face' and moved to the proprietary Smart Lock extension, part of Google Play Services). The pattern unlock is the original Android unlock method, while PIN and password were added in version 2.2.


Pattern Lock

• Android users may lock their devices by way of a pattern
• The pattern has numbered waypoints to which it must connect
• This data is stored in a file: Gesture.key

The system file "gesture.key" stores the SHA1 hash of the "waypoints" connected to by way of pattern lock. If the device is locked, we may be forced to obtain an extraction of the flash memory by alternate means, e.g. JTAG. If we can decode the pattern lock code from the extraction, we can now unlock the device for a conventional extraction using UFED technology. Unlocking the device also provides the ability to perform a hand-scroll analysis.

Android devices running 5.1 or higher use a "salted" hash value, making the scripts used to reveal the pattern ineffective.

Android's pattern unlock is entered by joining at least four points on a 3x3 matrix (some custom ROMs allow a bigger matrix). Each point can be used only once (crossed points are disregarded), and the maximum number of points is nine. The pattern is internally converted to a byte sequence, with each point represented by its index, where 0 is top left and 8 is bottom right. Thus the pattern is similar to a PIN with a minimum of four and maximum of nine digits which uses only nine distinct digits (0 to 8). However, because points cannot be repeated, the number of variations in an unlock pattern is considerably lower compared to those of a nine-digit PIN. As pattern unlock is the original and initially sole unlock method supported by Android, a fair amount of research has been done about its security. It has been shown that patterns can be guessed quite reliably using a smudge attack and that the total number of possible combinations is less than 400 thousand, with only 1624 combinations for 4-dot (the default) patterns.[1]

1. How Password storage works in Android M (n.d.). Retrieved from http://www.tuicool.com/articles/ulrMbeq
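The pattern rules above carried through in Python, as an added example that is not part of the original guide: it enumerates every pattern the 3x3 rules allow, reproducing the 1624 four-dot figure and the total of fewer than 400 thousand, and shows the byte encoding the text describes. Function names are hypothetical, and the unsalted SHA-1 over the raw index bytes is assumed from the guide's description of gesture.key.

```python
"""Added example: keyspace of the Android 3x3 pattern lock described above."""
import hashlib

GRID = 3  # stock 3x3 matrix; points are indexed 0 (top left) to 8 (bottom right)


def _crossed_point(a: int, b: int):
    """Return the point lying exactly between a and b, or None if there is none."""
    row_a, col_a = divmod(a, GRID)
    row_b, col_b = divmod(b, GRID)
    if (row_a + row_b) % 2 == 0 and (col_a + col_b) % 2 == 0:
        return ((row_a + row_b) // 2) * GRID + (col_a + col_b) // 2
    return None


def is_valid_pattern(points) -> bool:
    """Check length, uniqueness and the crossing rule for one pattern."""
    points = list(points)
    if not 4 <= len(points) <= 9 or len(set(points)) != len(points):
        return False
    if any(p not in range(9) for p in points):
        return False
    seen = {points[0]}
    for prev, nxt in zip(points, points[1:]):
        mid = _crossed_point(prev, nxt)
        # A stroke may pass over a point only if that point is already used.
        if mid is not None and mid not in seen:
            return False
        seen.add(nxt)
    return True


def count_patterns(min_len: int = 4, max_len: int = 9) -> dict:
    """Count valid patterns of each length by depth-first enumeration."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(last: int, visited: int, length: int) -> None:
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if visited & (1 << nxt):
                continue
            mid = _crossed_point(last, nxt)
            if mid is not None and not (visited & (1 << mid)):
                continue
            extend(nxt, visited | (1 << nxt), length + 1)

    for start in range(9):
        extend(start, 1 << start, 1)
    return counts


def pattern_bytes(points) -> bytes:
    """Encode a pattern as one byte per point, as the guide describes."""
    if not is_valid_pattern(points):
        raise ValueError("not a valid 3x3 pattern")
    return bytes(points)


def legacy_gesture_digest(points) -> str:
    """Unsalted SHA-1 of the byte sequence (assumed pre-salt gesture.key form)."""
    return hashlib.sha1(pattern_bytes(points)).hexdigest()


if __name__ == "__main__":
    counts = count_patterns()
    for length, n in counts.items():
        print(f"{length}-dot patterns: {n}")
    total = sum(counts.values())
    print(f"total patterns: {total}")
    # Comparison the guide draws: a nine-digit PIN has 10**9 possibilities.
    print(f"nine-digit PIN space is {10**9 // total}x larger")
    print("constructed sample 0-1-2-5:", legacy_gesture_digest([0, 1, 2, 5]))
```

Because the same pattern always yields the same digest and the whole space is this small, the unsalted form gives little protection to the stored value, which is the weakness the salted hash mentioned above addresses.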


On State: Home Screen - iPhone

Documentation is critical to successfully complete an investigation.

Note: Double tap the Home Key in iOS to see running applications.

Once you determine the state of the device and you have accessed the device, there are certain artifacts on the device that may be of great importance to you and your investigation. This section of the module will use a smartphone as the example, as that phone often contains the largest amount of evidentiary artifacts for recovery. The example on the visual is an iPhone 3GS. iPhones are one of the most popular phones currently in use. These devices can send and receive email, instant message, chat, surf the Web, capture pictures and videos, and run thousands of applications available from the Apple Store. The following information may be critical to your investigation and to correctly documenting information from the device.

Applications: Applications provide insight to what the user does on the device. You may see games, office applications, or even hacker utilities such as Cydia or RedSnow for jailbroken or unlocked devices. Document what applications are running on the device, if possible. (For iOS, double-tap of the Home key will display the running applications.)

Battery Status: The status of the battery is important because information can be lost if the device completely loses power. Additionally, if a password-protected device turns off, you may not have access to the device when it is rebooted.


Current Time: Document the time displayed on the mobile device as well as the actual time at the crime scene. Note and document any variation between time setting on the device and local time (drift time).

Carrier: This icon displays what network the device is currently connected to with a strength signal. When you have properly shut the device off from the network, it will show the connection no longer exists and has been shielded.


On State: Settings - iPhone

On the Settings menu, examine the following information.

Airplane Mode: Cuts off communications to the device. It is important to note that even in airplane mode, the Wi-Fi may still be active.

Wi-Fi/Bluetooth: Shows whether the device is currently connected to a network or Bluetooth device.

Carrier: Current provider for radio frequency band services.


On State: Settings - iPhone

Settings > Privacy > Location Services

• iOS has location services ON by default
• GPS, Bluetooth, Wi-Fi hotspot, and cell tower locations
• Control per application

Location Services: Shows whether the device has GPS/Cell Location services enabled, which may be important to tracking the user of the phone by dates, time, and location. iOS has location services turned on by default, which utilizes GPS, Bluetooth, and crowdsourced Wi-Fi hotspot and cell tower locations to determine your approximate location. Location information can be used by Apple, third-party applications and websites to gather and use the information based on the current location of the device. Location services settings also apply to any Apple Watch which may be paired to the phone. Users can control when location services are used by each application as shown here.

NOTE: The screen shown here is from iOS 10.0.1.


On State: Settings - iPhone

Settings > iCloud:

• Find My Phone
• Remote wipe

iCloud: Gives the user the ability to back up the device to the Apple iCloud with a valid username and password. If desired by the user, iCloud will automatically conduct phone backups when the phone is connected to power and a wireless network. In some cases, this can occur even if the phone is locked.

Find My iPhone: An Apple application that is able to locate the position of the device if the device has an active connection to a network (cellular or Wi-Fi). In some instances, device owners can use this service to locate devices that have been stolen or lost and provide these details to law enforcement. This application also gives the user the ability to remotely wipe or erase the device if it has an active connection to a network.

Remote Wipe: Erases the information from an iDevice. Requires the device to have an active connection to a network. Remote wiping capabilities exist on most smartphones (Blackberry, iOS, or Android).

NOTE: The screen shown here is from iOS 10.0.1.


Documentation

Document each step and action throughout the investigation through:

• Photographs
• Hand documentation
• Specialized tools

There will be times that investigators encounter a phone that is not supported by any tool. By using Cellebrite's Camera Service function, which is built into UFED Touch2 and UFED 4PC, investigators have the ability to document information on non-supported phones. The Camera Service allows both still photography and video, which can be included in the report.

Image of DSLR camera used under license from Shutterstock.com

Whether investigating homicides, robberies, child pornography, computer crimes, or any other crimes, you must document each step and action taken throughout the investigation. You will want to use recognized best practices to document these items. That typically includes photographing the devices, filling out appropriate forms, and using special tools to gather and protect information. The same holds true for mobile device investigations. From the time of arrival, document the details of each action you take on the device, including date and time.

Documentation

Thoroughly document your actions. Helpful documentation forms include:

• Investigative Summary
• Accountability/Chain of Custody
• Mobile Device Seizure Form
• Mobile Device Checklist


Any deviations from policies and procedures should be documented with an explanation (risk versus benefit) of why the action was taken and what data was preserved by taking that action. There are several ways to document information when on the scene and working with mobile devices. The following forms can assist you in thoroughly documenting the crime scene and actions taken:

• Investigative Summary: Basic form to document each action taken on the scene along with date and time.
• Accountability/Chain of Custody: Used to track the custody of evidence from the time it is seized to the time it is presented in court or returned to the victim or suspect.
• Mobile Device Seizure Form: Specifically designed to document the information from mobile devices.
• Mobile Device Checklist: Designed specifically to assist you in a step-by-step process on seizing mobile devices on a crime scene.

Each form will assist you in recording all your actions on the crime scene and the information obtained from the crime scene. Documenting each action is critical as it may be months or even years before you have to testify about your actions on the crime scene. Without this thorough documentation, you may be unable to recall each action, why each action was taken, and the date and time each action was taken.

Documentation is one of the most important steps in searching or seizing a mobile device. The more thorough you are with your notes, the more information you will have available to you when testifying in a court of law. When you have accurate, thorough notes and documentation, you are able to testify to all your actions on the crime scene. Documentation enhances your credibility and ensures your testimony is accurate.
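The record keeping described above (each action with date and time, plus custody tracked from seizure onward), sketched as an added example that is not part of the guide or of any Cellebrite form or tool: a Python action log that checks custody continuity and links entries by hash so later edits are detectable. The field names, the sample case, and the hash-linking itself are assumptions introduced here.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash value used by the first entry


@dataclass(frozen=True)
class Entry:
    when: datetime                     # date and time of the action (UTC)
    actor: str                         # person who performed the action
    action: str                        # "seized", "photographed", "transferred", ...
    item: str                          # evidence item identifier
    note: str = ""                     # details, or risk-versus-benefit for a deviation
    received_by: Optional[str] = None  # recipient, for custody transfers only
    prev_hash: str = GENESIS           # digest of the entry written before this one

    def digest(self) -> str:
        body = {
            "when": self.when.isoformat(), "actor": self.actor,
            "action": self.action, "item": self.item, "note": self.note,
            "received_by": self.received_by, "prev_hash": self.prev_hash,
        }
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def head(self) -> str:
        """Digest of the newest entry; record it outside the log (e.g. on the paper form)."""
        return self.entries[-1].digest() if self.entries else GENESIS

    def add(self, when, actor, action, item, note="", received_by=None) -> Entry:
        entry = Entry(when, actor, action, item, note, received_by, self.head())
        self.entries.append(entry)
        return entry

    def verify(self, expected_head: Optional[str] = None) -> List[str]:
        """Return a list of problems; an empty list means the log is consistent."""
        problems: List[str] = []
        custodian: Dict[str, str] = {}  # item -> person currently holding it
        prev_hash, prev_when = GENESIS, None
        for n, e in enumerate(self.entries, start=1):
            if e.prev_hash != prev_hash:
                problems.append(f"entry {n}: hash link broken (earlier entry altered or removed)")
            if prev_when is not None and e.when < prev_when:
                problems.append(f"entry {n}: timestamp earlier than previous entry")
            holder = custodian.get(e.item)
            if e.action == "seized":
                if holder is not None:
                    problems.append(f"entry {n}: {e.item} seized twice")
                custodian[e.item] = e.actor
            elif holder is None:
                problems.append(f"entry {n}: {e.item} handled before it was seized")
            elif e.actor != holder:
                problems.append(f"entry {n}: {e.actor} acted on {e.item} while {holder} held custody")
            elif e.action == "transferred":
                if not e.received_by:
                    problems.append(f"entry {n}: transfer of {e.item} names no recipient")
                else:
                    custodian[e.item] = e.received_by
            prev_hash, prev_when = e.digest(), e.when
        if expected_head is not None and prev_hash != expected_head:
            problems.append("log head does not match the recorded head hash")
        return problems


def t(hour: int, minute: int) -> datetime:
    return datetime(2017, 6, 1, hour, minute, tzinfo=timezone.utc)  # constructed date


def build_sample_log() -> EvidenceLog:
    """Constructed sample case: one phone, seized on scene and handed to the lab."""
    log = EvidenceLog()
    log.add(t(9, 5), "Officer A", "seized", "PHONE-01", "found powered on")
    log.add(t(9, 7), "Officer A", "photographed", "PHONE-01", "front, back, identifying marks")
    log.add(t(9, 12), "Officer A", "enabled airplane mode", "PHONE-01",
            "deviation: device state changed to cut network access; remote wipe risk judged greater")
    log.add(t(9, 20), "Officer A", "bagged", "PHONE-01",
            "antistatic bag inside Faraday bag inside evidence bag")
    log.add(t(11, 40), "Officer A", "transferred", "PHONE-01", "delivered to lab",
            received_by="Examiner B")
    log.add(t(13, 0), "Examiner B", "extraction started", "PHONE-01")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.verify(sample.head()) or "log is consistent")
```

An edit to the newest entry is only caught when the head digest was written down somewhere outside the log, which is why `verify` accepts `expected_head`.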


Peripherals

Remember to collect:

• Documentation relevant to device
  o Manuals
• Cables
  o Proprietary Connections
  o Chinese Phones
• Software
  o Shipped with some mobile devices

One of the common mistakes first responders make when seizing devices at a crime scene is overlooking the peripherals to the mobile devices that they are investigating and seizing. Too often mobile devices are seized at a crime scene and taken to the forensic lab for processing, and then, when the forensic analyst receives the device and asks for cables and documentation from the first responder, there is a moment of silence followed by the first responder asking, "I was supposed to get that too?"

Getting the peripherals is not always required, and this truly depends on the type of mobile devices in question. But it never hurts to get them as a backup plan. There are an increasing number of new clone devices arriving on the market (e.g., iPhone clone devices from China). These devices do not use the traditional Apple device connectors but use a proprietary connector to connect the phone for both power and data. If you as the first responder do not seize the cables while on the scene for these types of devices, there is a distinct possibility the digital forensic investigator will not be able to carry out a full acquisition of the mobile device and consequently may spend additional time having to hand process the phone, item by item.

Image caption: Apple iPhone device clones that use entirely different power and data connectors. If the first responder does not seize these connector cables, the digital forensic examiner may have additional complications.

Another common mistake first responders make when seizing a device is not collecting the device's documentation, such as the user manual, as part of their investigation. The manuals to these devices may contain valuable information about the device, its capabilities, and components within the device, and may even include manufacturer back door passcodes to unlock the devices.


There may also be other documentation on the crime scene that may have information related to the mobile device, such as PIN codes written down on napkins or Post-it Notes. Be aware of and look for information written down close to the area where the devices are seized. When conducting a search incident to an arrest, processing a military prisoner or detainee, or searching a corporate room/device, you may find information located inside of a person's wallet or purse, such as a SIM card with the default PIN (Personal Identification Number) and PUK (Personal Unblock Key). These pieces of information may be critical to gaining access to the device.

Image caption: Clone devices have different power and data connectors. If these are not seized at the scene, it may cause additional complications for the digital forensic examiner.

Images under license from Shutterstock.com


Cloud Storage

Smartphone cloud computing model syncs user data among family of devices using data network:

• Android → Google Drive (most)
• Apple iOS → iCloud
• Windows → Microsoft OneDrive
• RIM → BES12

These network demands are in direct correlation with the emergence of cloud services on the smart device platform. This computing model is affecting where data could be located and where examiners must shift their focus. Pertinent digital evidence can be synced to other devices, including personal computers, or accounts online. Cloud storage typically will span multiple servers at different physical locations. The decentralized nature of cloud storage provides advantages for the user but can cause issues for an investigator. As an example of the difficulties that could be experienced, legal authority to gain access to content can be difficult to obtain depending on the service provider. Not only do different manufacturers of the devices offer storage locations, but the cell phone provider might also offer cloud storage to its subscribers. Most Android devices utilize Google Drive as the cloud storage platform; an exception is the Samsung Galaxy line, which uses Dropbox.


Bag and Tag Mobile Devices

Bag and Tag:

• Anti-static bags
• Labeling
• Identifying marks
• Chain of custody

The next step after you correctly document seizing the device is to bag and tag the device for transport. As with any evidence seized at the crime scene, properly labeling the evidence is critical. You will want to make sure all the evidence from the crime scene has been properly labeled, identified, and controlled at all times. Since mobile devices are digital devices, they should be placed into an antistatic bag (different from a Faraday bag) to prevent electrical charges from damaging the devices. Ensure all forms (previously discussed) are paired with the devices you are seizing. A sample process (not all-encompassing) for bagging and tagging digital evidence typically includes these steps:

1. Ensure you place evidence (other than the device) inside of proper packing equipment (anti-static bags, Faraday bags, and evidence bags).
2. Document any unique identifying marks or numbers on the device being seized for proper identification at a later time. Include notes and pictures to document the marks.
3. Place an additional label on the device itself from your unit to correctly identify the device when outside of the packing.
4. Place the device inside of the antistatic bag to avoid an electrical charge to the device for packing and transport.

IMPORTANT: Place the antistatic bag that holds the mobile device inside of a Faraday bag and then that inside an evidence bag. This evidence bag will contain additional labeling information about the case, such as case number, investigator, date and time of seizure, location, and suspect. Any charging equipment/cords should also be inside the Faraday bag so as not to serve as an antenna.

Image used under license from Shutterstock.com


Transportation and Storage

• Keep device dry
• Keep device cool
• Easily damaged

After all the evidence has been labeled and packaged, you will then want to transport all the evidence back to the evidence storage location or your forensic lab. There are several considerations to keep in mind when transporting the evidence:

• Digital media is fragile in nature and very susceptible to extreme heat. You may not want to leave the evidence in the car for long periods of time on a hot day or leave the device in direct sunlight.
• Digital media is also very susceptible to moisture, which can cause integrity issues with the devices. You will want to ensure the device does NOT become wet or exposed to moisture. If that happens, you may be able to dry the devices out by using a dry bag or placing the device into a bag of uncooked rice to pull the moisture out of the device. It should be noted that repair experts advise this is only a temporary method which may remove enough moisture for an extraction to succeed, but it is not a long-term repair for the device and corrosion may set in. There are retail "drying bags" available like the one shown here from www.bheestie.com.
• If a device is left powered on, you will want to consider using an additional backup battery source to ensure power is NOT lost to the device. If a device is powered down, consider removing the battery and including it in the bag with the phone.

There are several backup battery sources available with connectors for mobile devices which can be found on major online shopping sites and in many retail stores.

IMPORTANT: Ensure the evidence is protected and handled to avoid any damage or contamination to the devices. Digital media is extremely fragile, and a simple drop of the device could cause enough damage that the device no longer functions properly.

Image of phone with battery used under license from Shutterstock.com


Step Action 2.1: Phone Detective

In this exercise, you will learn to use phone detective software and how to use the smartphone application.

Cellebrite developed a product known as the UFED Phone Detective that gives examiners the ability to identify a mobile device without removing the battery, or when the make and model are not displayed anywhere on the device itself. By entering the device's physical characteristics into the software, the examiner can determine its make and model.

NOTE: If you have not yet downloaded and installed UFED Phone Detective, it is available at https://my.cellebrite.com. Once installed, continue with this step action.

Remote Learners: Use the phone sent in your student kit during this exercise.

Step 1. Open UFED Phone Detective

Launch the application by double-clicking the UFED Phone Detective icon located on the desktop. The application will open and show the different characteristics that can be used to determine the make and model of the device, including a Quick Filter option. You can see there are thousands of devices when the software is first opened. As we select different options, the number of displayed devices will decrease based on the filters selected. Depending on the version you are using, this number can be different.

Step 2. Select the Body Style

One of the easiest and first selections that you can use to determine the make and model by filtering is the body style. Select the body style of the device you are attempting to identify. For classroom purposes, use the style of the device that the instructor distributed to you.


Step 3. Select the Characteristics

At the bottom of the tool there is a bar that contains the different characteristics of mobile devices and gives the examiner the ability to add additional filters to narrow the results of handsets. The next option is the Basic option. This option allows you to identify the vendor of the device if it is known. Most handsets have some vendor information displayed on the device.

Step 4. Select the Technical Specifications

Next, you can select the technical specifications (tech) of the mobile device if known. Select the technical specification of the device the instructor distributed to you. If unknown, you may also be able to use search engines such as Google. You may be unable to identify the technical specifications since removing the battery may not be advisable due to PIN codes or handset passwords.

Step 5. Locate the Connection Port

Locate the connection port to the mobile device you are attempting to identify. If the connection port is unavailable, progress to the next step.

Step 6. Select a Cable Connector

Next, examine the cable connection port and identify the type of connection your mobile device has. If the cable connector is unavailable, progress to the next step.

Step 7. Select a Charging Socket

Next, select the charging socket where the power adapter connects to the mobile device. If the charging socket is unavailable, progress to the next step.

Step 8. Select the Type of Headphone Port

Next, select the type of headphone connection, if one exists. Select the location where the headphone jack is located on the mobile device you are identifying. If the headphone port is unavailable, progress to the next step.

Step 9. Select the Antenna Type

Next, select the type of antenna located on your mobile device. If the device does not have one, select the None option. If the antenna is unavailable, progress to the next step. If an antenna exists, select the location on the mobile device where the antenna is attached.

Step 10. Select a Main Camera

Select if the device has a camera or does not have a camera. If the device contains a camera, select the location where the camera is installed on the mobile device. If the main camera is unavailable, progress to the next step.

Step 11. Determine if it has a Front Camera

Next, determine if the device has a front camera as well. If a front camera exists, select the location of the camera on the device. If the front camera is unavailable, progress to the next step.


Step 12. Determine if there is a Flash and Mirror

Next, select if the mobile device contains a flash and mirror. If the flash and mirror exist, select how the flash and mirror are configured. If the flash and mirror are unavailable, progress to the next step.

Step 13. Identify the Frame and Cover Type

Next, determine if there is a cover to the camera located on the device. If a camera cover exists, select the type of cover. If the frame and cover are unavailable, progress to the next step.

Step 14. Identify the Button

Select the Buttons and identify the power button. If the buttons are unavailable, progress to the next step.

Step 15. Identify Misc

Select the Misc button and identify the battery cover. If the battery cover is unavailable, progress to the next step.

Step 16. Identify the Memory Card

Select the Memory card and identify the type of card the device uses. If the memory card is unavailable, progress to the next step.

Step 17. Measurements

Select the measurements and input the device measurements. If the device measurements are unavailable, progress to the next step.

Step 18. Identify the Device

From the filtering you have performed, you should now be able to identify the make and model of the mobile device in your possession.

Step 19. Choose Device

In the Results menu, select the device by clicking the device name. The information for the device will be displayed, including which options are supported by UFED Extraction.


Conclusion

In this module, we covered:

• Legal considerations for seizing and searching devices.
• The value of device data in investigations.
• The phases of the digital forensics process.
• Procedures for handling digital evidence.
• Identifying mobile devices, locking mechanisms and best practices to use while documenting steps in a mobile device investigation.
• How to apply best practices when seizing digital evidence.


Module 3: UFED Touch2 and 4PC


Module Introduction

Cellebrite UFED technology has evolved to include several platforms and solutions designed to perform data extractions from:

• Mobile devices (phones, tablets)
• Subscriber Identity Modules (SIM)
• External media cards (SD/Micro-SD)

The UFED solutions can perform logical, file system and physical data extractions and include deleted information from mobile devices, GPS units, and tablets.

UFED solutions that are licensed physically provide users the capability to bypass many locked (password protected/pattern locked) devices. Additional licensing gives users the capability to perform physical extractions from iOS devices, GPS devices, and many devices with Chinese Chipsets (Chinex license).

The UFED Series of devices has long served as the primary workhorse for investigators performing extractions. This training module will provide an overview of the UFED Touch2 and the PC-based UFED 4PC hardware, licensing and updates, installation of UFED 4PC software, and configuration options.

Module Objectives

Upon successful completion of this module, the student will be able to:

• List the components, features, or functions for the UFED Touch2 and UFED 4PC.
• Describe how to purchase and maintain the license for UFED technology.
• Discuss how to update software and firmware for UFED Touch2 and UFED 4PC.
• Implement an installation of UFED 4PC on a computer workstation.
• Modify UFED Touch2 and UFED 4PC configurations for the extraction of different devices and investigative needs.


Activity: Explore Kit Contents

In this exercise you will open your kit and explore its contents.

When purchasing the UFED Touch2 device or UFED 4PC, you will receive multiple components with the package. In this section, we will discuss the components and how they are used to extract data from mobile devices. The UFED Touch2 Ultimate device is available as a standard device or as a rugged device used for "in-the-field" investigations.

When purchasing the UFED 4PC Kit, you will receive multiple components with the package that are very similar to the UFED Touch2 equipment. Additional equipment issued with the UFED 4PC is used in order to perform extractions.


UFED Touch2

[Images: UFED Touch2 Kit; UFED Touch2 Cables and Tips]


UFED Touch2 - Top Screen

Users control the UFED Touch2 application through the UFED Touch screen. The touch screen allows navigation of the application using a finger or stylus. The SIM reader is located under the left flip-up door panel on the UFED Touch2 device. This slot is used for extracting information from SIM cards and creating cloned SIM IDs, also referred to as a Radio Isolation Card (RIC) or a Cellular Network Isolation Card (CNIC).

Different sized slots are provided to accommodate standard, nano, and micro SIMs. To correctly insert a SIM card, place the contacts down with the notched-out corner to the right. We will discuss this in more detail in the SIM card extraction exercise performed later in this module. Use this slot to insert the standard size Cellebrite SIM Access ID Card for cloning. During the cloning process the UFED Touch2 device will ask for the evidentiary SIM card and then write the information to the Cellebrite SIM Access ID Card placed into the same slot.

IMPORTANT: Only one SIM card should be used at a time.


UFED Touch2 - Back Panel

The back panel of the UFED Touch2 device contains several different connections for different purposes. In this section, we will discuss each connection or switch and their uses.

• Mini display port
• SD card slot
• USB ports
• Wireless/Bluetooth switch
• Power button
• Ethernet port
• Power jack
• Kensington security slot
• Recovery button


UFED Touch2 - Left Panel

The left panel of the UFED Touch2 device is known as the Source side.

The left and right panels of the UFED Touch2 device are extremely important when it comes to the extraction of mobile devices. These two connections are typically used more than any of the other connection ports. On the left side of the UFED Touch2 device, you will find the "Source RJ-45" and the "Source USB" ports. These ports are where you will be directed to connect the mobile device you wish to extract data from.


UFED Touch2 - Right Panel

The right panel of the UFED Touch2 device is known as the Target side.

The right panel of the UFED Touch2 has the Target USB port, which is used to write the extracted data contents from the source device to a target device, such as a USB flash drive.

The target USB port is also used to connect the U-441 cable from the UFED Touch2 to an attached computer running UFED Analyzer software.

The power "on and off" switch, as well as the power supply connection to power the device, is located on the right-hand or "Target" side of the UFED Touch2 device.

NOTE: When selecting the PC as the target during extractions from the UFED Touch2, you must use the U441 cable.

UFED Touch2 - Bottom Panel

The bottom panel of the UFED Touch2 device is where the battery can be accessed.

Access to the unit's battery is through the bottom panel.


UFED Touch2 - License File

Once you purchase the UFED Touch2 device and turn it on for the first time, the device will ask you for the license (.dat) file associated with the device.

88

O2013-2017 Cellebrite lnc. All rights reserved.

CONFIDENTIAL DOCUMENTS: May not be duplicated or disclosed without written consent from Cellebrite Training.

UFED

Touch2 and 4pC

UFED Touch2 - Get License File

To get the license file:

1. Log in to my.cellebrite.com.
2. Register your new UFED unit with your serial number and device ID.
3. Click the checkbox next to the UFED device listed in your device, then click Retrieve Licenses. In addition to an immediate download, Cellebrite will send you the license via email.
4. Update the license file via the Web or USB.

To get the license file:

Step 1. Log in to my.cellebrite.com.
Step 2. Register your new UFED device with the serial number and device ID.
Step 3. Select the UFED device listed as your device, then click Retrieve license.
Step 4. Cellebrite will send the license through email.


UFED 4PC Components

Kit Content:

• UFED Device Adapter
• UFED Protector Case
• SIM ID Cloning Cards
• Micro SIM ID Cloning Cards
• Nano SIM ID Cloning Cards
• Multi SIM Adapter
• UFED Memory Card Reader
• Phone Power Up Cable
• USB Flash Drive
• Cleaning Brush For Phone
• Tip Velcro Strap
• UFED Extension cable for UFED Device Adapter 150cm

UFED 4PC Adapter

When mobile devices are connected to the adapter by USB, the autodetect routine runs instantly.

• Mini USB
• Internal Bluetooth Module
• SIM slot
• RJ 45 source port


UFED 4PC - License File

When you launch UFED 4PC for the first time, the device will ask you to supply a license. There are several options.

[Screenshot: "A license for this product was not found. Select the type of license that you would like to use."]


UFED 4PC - License File

Licensing options:

• Dongle
• Software
• Network
• Online

UFED 4PC licensing options include:

• Dongle: A logically or physically licensed dongle in a USB port.
  o USB license dongles are reliable and familiar in the forensic environment and may be easily moved from computer to computer.
• UFED Device Adapter: The license file resides on UFED Device Adapter.
  o The UFED Device Adapter can be used as a license container, but it must be present to perform UFED operations and occupies a USB port just like a dongle does. (Currently requires special configuration at Cellebrite.)
• Software Licenses: The license marries to a particular computer and can be deactivated to be transferred.
  o Software licenses do not use an available USB port, but they are not as easily moved from computer to computer as a USB dongle.
• Online: In future releases, online licensing will allow users to have a cloud based license cluster and "check out" a license for use and check it back in.
  o Online licenses will allow an enterprise using UFED at multiple locations to have the flexibility to check out licenses for use at other installations of UFED 4PC. When done, users can check licenses back in. UFED must be connected to the network in order to check out and check in licenses.

CONFIDENTIAL DOCUMENTS: May not be duplicated or disclosed without written consent from Cellebrite Training.

UFED

Touch2 and 4pC

Software Updates

The heart of the UFED system is the software updates mechanism.

SIM Extractions

Information that may be valuable can be extracted from a SIM card. This includes contacts, SMS messages, ICCID, and IMSI.

SIM vs. USIM

SIMs may contain valuable information for an investigation, including contacts, SMS messages, ICCID and IMSI numbers. Contacts existing on a SIM card do not necessarily need to exist on the handset itself. Legacy handsets often push data to the SIM card by default rather than take up valuable space on the handset. Modern handsets allow the option to retain certain records on the SIM card.

SIM is the application which runs on an Integrated Circuit Card (ICC) and contains subscriber information and memory that is used on GSM networks. USIM (Universal Subscriber Identity Module) is used on UMTS (Universal Mobile Telecommunication System) networks (3G and above). USIMs can contain additional phone books that do not exist on SIMs, and the USIM is generally known to be a more secure environment.

Cellebrite Extraction Methodology

SIM PINs and PUKs

SIMs can be protected by a Personal Identification Number (PIN):

• Can be changed by the subscriber.
• Usually 3 attempts before phone is locked.

Bypassing the PIN requires the PIN Unblocking Key (PUK):

• 8-digit code.
• Maximum 10 attempts before SIM is permanently locked.

Every SIM can be protected by a Personal Identification Number (PIN) which is initially set by the manufacturer. This number can be changed by the subscriber and consists of a 4 to 8-digit code. Upon being prompted, a user has 3 attempts at entering the correct PIN before the SIM PIN becomes blocked.

Bypassing the SIM PIN requires the PIN Unblocking Key (PUK). This 8-digit code is also set by the manufacturer and a user has a maximum of 10 attempts before the SIM is permanently locked.

SIM File System Organization

The file system of a SIM is organized in a hierarchical tree structure composed of the following three types of elements:

• Master File (MF)
• Dedicated File (DF)
• Elementary File (EF)

The file system of a SIM is organized in a hierarchical tree structure composed of these three element types:

• Master File (MF) - Similar to the root of the file system that contains dedicated and elementary files.
• Dedicated File (DF) - Similar to a directory containing Elementary Files.
• Elementary File (EF) - A file that contains various types of formatted data, structured as either a sequence of data bytes, a sequence of fixed-size records, or a fixed set of fixed-size records used cyclically.

This figure shows a basic view of the hierarchy used in a typical SIM card. Notice how the master file (MF) is at the top (root); Dedicated Files (DF) appear to be directories; and Elementary Files (EF) are the files containing the evidentiary data.

These information types can provide investigators with legal basis to access a suspect's or victim's cellular records. They can also assist in locating an individual or placing an individual in a geographical location at the time of a crime.

Below are several items which may be of evidentiary value on a SIM card and which should be reviewed.

Files / Directories

ICCID (Integrated Circuit Card Identifier): Unique numeric identifier for the SIM card.
• 20 digits long
• Start with 89: Telecommunications
• MCC: Mobile Country Code
• MNC: Mobile Network Code
• Individual Account Identifier

IMSI (International Mobile Subscriber Identity): Unique identifier (number) assigned to the subscriber.
• MCC: Mobile Country Code
• MNC: Mobile Network Code
• MSIN: Mobile Subscriber Identity Number

MSISDN (Phone Number Assigned): Telephone number assigned to the subscriber for receiving calls on the phone.

SPN (Service Provider Number): Contains the name of the service provider.

SDN (Service Dialing Numbers): Contains numbers for customer service.

ADN (Abbreviated Dialing Numbers): Retains a list of names and phone numbers entered by the subscriber. Phonebook for device.

LND (Last Numbers Dialed): List of most recent numbers dialed.

SMS (Short Message Service): Text messages sent to and from device can include following:
• Date and time
• Phone numbers
• Message content
• SMS Center Address

LAI (Local Area Information): Composed of the MCC and MNC of the location area and the Location Area Code (LAC). Will help identify last associated tower.

RAI (Routing Area Information): Data communications over the General Packet Radio Service (GPRS).
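The MF/DF/EF hierarchy and the ICCID and IMSI entries listed above, as an added example (not part of the Cellebrite guide): Python code that decodes the raw contents of the ICCID and IMSI elementary files as they appear in a SIM file system dump. The file identifiers, the nibble-swapped BCD layout and the `mnc_len` parameter are assumptions taken from the GSM/3GPP SIM specifications rather than from this guide, and the byte strings are constructed samples.

```python
# Added example: decode EF_ICCID and EF_IMSI as read from a SIM file system dump.
# Layout assumed from the GSM/3GPP SIM specifications, not from this guide:
#   MF (3F00) -> EF_ICCID (2FE2); MF -> DF_GSM (7F20) -> EF_IMSI (6F07).
# All byte strings below are constructed samples, not data from a real card.

SAMPLE_EF_ICCID = bytes.fromhex("98000121436587092143")  # constructed
SAMPLE_EF_IMSI = bytes.fromhex("080910101032547698")     # constructed, test PLMN 001/01


def swapped_bcd(data: bytes) -> str:
    """Decode nibble-swapped BCD: low nibble first; filler nibble 0xF becomes 'f'."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)


def decode_iccid(ef_iccid: bytes) -> str:
    """Return the ICCID digits stored in the 10-byte EF_ICCID."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    digits = swapped_bcd(ef_iccid).rstrip("f")  # shorter ICCIDs are padded with F
    if not digits.isdigit():
        raise ValueError("non-decimal nibble in EF_ICCID")
    if not digits.startswith("89"):
        raise ValueError("ICCID does not start with 89 (telecommunications)")
    return digits


def decode_imsi(ef_imsi: bytes, mnc_len: int = 2) -> dict:
    """Split the 9-byte EF_IMSI into MCC, MNC and MSIN.

    mnc_len (2 or 3) is an assumption supplied by the examiner: the IMSI
    itself does not say how many digits the network code has.
    """
    if len(ef_imsi) != 9 or not 1 <= ef_imsi[0] <= 8:
        raise ValueError("EF_IMSI must be a length byte plus 8 bytes")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    nibbles = swapped_bcd(ef_imsi[1:1 + ef_imsi[0]])
    digits = nibbles[1:].rstrip("f")  # first nibble is a parity/type flag, not a digit
    if not digits.isdigit() or not 6 <= len(digits) <= 15:
        raise ValueError("malformed IMSI")
    return {
        "imsi": digits,
        "mcc": digits[:3],
        "mnc": digits[3:3 + mnc_len],
        "msin": digits[3 + mnc_len:],
    }


if __name__ == "__main__":
    print(decode_iccid(SAMPLE_EF_ICCID))
    print(decode_imsi(SAMPLE_EF_IMSI))
```

Comparing the decoded values with the ICCID and IMSI shown in the extraction report is a quick consistency check on a file system extraction.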


SIM Extraction Report

To view the report, navigate to its parent folder. The naming convention will include the type of extraction (SIM card) and the date of the extraction. SIM card extraction results and the data files associated with the extraction are inside the SIM extraction folder.

To view the report, double-click the report.html file and any Web browser will open the report for viewing. The information associated with the SIM is displayed within the report, along with information about the UFED that performed the extraction (serial number and UFED software version).

IMPORTANT: There is a possibility of changing the status of information located on the SIM card if the SIM card is extracted while still installed in the device. For example, if an SMS message is unread, and the SIM is processed while inside the mobile device, the status of the message may be changed to read, therefore altering the original evidence. For that reason, whenever possible, a separate extraction of the SIM card(s) should be conducted first, before attempting to conduct an extraction involving the combination of the phone and the SIM card.
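The status change described in the IMPORTANT note above, as an added example (not part of the Cellebrite guide): Python code that compares two raw reads of the SIM's SMS file and reports records whose message bytes are identical but whose status flag differs. The 176-byte record layout and the status values are assumptions taken from the GSM/3GPP SIM specifications, and both dumps are constructed samples.

```python
# Added example: compare EF_SMS status bytes between two SIM reads.
# Record layout assumed from the GSM/3GPP SIM specifications, not from this guide:
# EF_SMS holds fixed 176-byte records; byte 0 is the status, bytes 1..175 the message.
# The two dumps below are constructed samples, not data from a real card.
import hashlib

RECORD_LEN = 176
STATUS = {0: "free", 1: "received, read", 3: "received, unread",
          5: "sent", 7: "to be sent"}


def sms_records(ef_sms: bytes) -> list:
    """Return (record number, status text, SHA-256 of message bytes) per record."""
    if not ef_sms or len(ef_sms) % RECORD_LEN:
        raise ValueError("EF_SMS length must be a multiple of 176 bytes")
    out = []
    for off in range(0, len(ef_sms), RECORD_LEN):
        rec = ef_sms[off:off + RECORD_LEN]
        code = rec[0] & 0x07  # low three bits carry the read/unread/sent state
        status = STATUS.get(code, f"unknown (0x{rec[0]:02x})")
        out.append((off // RECORD_LEN + 1, status, hashlib.sha256(rec[1:]).hexdigest()))
    return out


def status_changes(first_read: bytes, second_read: bytes) -> list:
    """List records whose message bytes match but whose status differs."""
    a, b = sms_records(first_read), sms_records(second_read)
    if len(a) != len(b):
        raise ValueError("dumps hold a different number of records")
    return [(n, s1, s2) for (n, s1, h1), (_, s2, h2) in zip(a, b)
            if h1 == h2 and s1 != s2]


def make_record(status: int, body: bytes) -> bytes:
    """Build a constructed 176-byte record: status byte plus 0xFF-padded body."""
    return bytes([status]) + body.ljust(RECORD_LEN - 1, b"\xff")


# Constructed scenario: record 1 is unread when the SIM is read on its own,
# and shows as read in a later read taken with the SIM inside the handset.
SIM_ONLY_READ = (make_record(0x03, b"constructed message A")
                 + make_record(0x01, b"constructed message B")
                 + make_record(0x00, b""))
IN_HANDSET_READ = (make_record(0x01, b"constructed message A")
                   + SIM_ONLY_READ[RECORD_LEN:])

if __name__ == "__main__":
    for change in status_changes(SIM_ONLY_READ, IN_HANDSET_READ):
        print("record %d: %s -> %s" % change)
```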


Step Action 4J: SIM Extractions and Cloning

NOTE: Remote learners are encouraged to conduct this exercise using a SIM card which may be available to them. Many students find it beneficial to extract data from their own SIM card (if supported). If you do not have a SIM card available to you, please watch the instructional video within your course.

Part I: SIM Extraction

This step action provides instruction on how to extract user data from SIM cards which have been removed from mobile devices. Information will be extracted and written to a removable flash drive.

NOTE: It is a good forensic practice to extract the information from the phone and the SIM card separately. Best practice will vary based on the status of the device.

Step 1. Select SIM card from the home screen

Step 2. Select the SIM Type (Iden or other SIM)

If the SIM is from a GSM or CDMA phone, select "SIM". If the SIM is from an Iden phone, select "Iden". Iden technology is usually associated with "push to talk" handsets with trunked radio capability. Older Iden phones may not have SIM cards.

Step 3. Select the Extraction Type

[Screenshot: Select Extraction Type screen, with the options SIM Data Extraction, File System Extraction and Capture Images.]

TOUCH NOTE: Users will now be prompted to select a target storage location: Removable Drive or PC (if using U-441 cable).

4PC NOTE: UFED 4PC users will be given the option to change the storage path to any available storage location. The default location is "Documents > My UFED Extractions".

Step 4. Select the Content Type and target path (UFED 4PC)

All supported content types are selected by default.

Step 5. Insert a standard SIM

Only standard SIMs fit in the SIM slot, and the slot accepts only one SIM at a time. To extract from a micro or nano SIM, use the Multi SIM adapter provided with the UFED kit. Insert the evidentiary SIM card with the shiny contacts facing down and the clipped corner pointing toward you.

Step 6. Observe progress

Step 7. Select "Finish" or "Open with UFED Analyzer"

Part II: SIM Cloning (Cellular Network Isolation Card)

The "Clone SIM ID" operation does not clone the entire content of the SIM card. Instead, just enough information (ICCID and IMSI) is copied to RAM and then written to a SIM Access ID card. The SIM Access ID card is cleansed automatically by UFED before the cloned information is written to the card. SIM Access ID cards are provided with the UFED kit and are reusable.

To clone a SIM ID:

Step 1. Select "SIM Cards" from the Home Screen

Select the Vendor of the mobile device. You may be asked to select the vendor and the specific technology (like Motorola GSM or Motorola CDMA, Iden, etc.). You can choose the vendor by scrolling through the options, or by using the "Keyboard" search option and entering information about the device.

TOUCH NOTE: To scroll up and down on the UFED Touch2 you can use the stylus attached to the device, or use your fingers, as the device has touch screen technology. You can also use the "Autodetect" option and the UFED Touch2 will attempt to identify the device for you.

4PC NOTE: When using the UFED 4PC Adapter and its USB source port, autodetect runs automatically. If not using the adapter, autodetect may be selected by the operator.

Step 2. Select the model:

Select the model of the device you are acquiring. Again, you can use the Keyboard to quickly locate the model or you can scroll through the options. For classroom purposes, select the model described by the instructor. For distance learners, select the model you have deduced using the Phone Detective software or resources like Phonescoop.com.

Step 3. Select Logical Extraction:

Step 4. Select Memory Items for Extraction: (Then press NEXT)

Operators may select the device only, the SIM only, or the device and SIM card combination. The use of a previously created SIM ID Clone (Radio Isolation Card) is recommended.

NOTE: For evidentiary extractions it is considered best practice to process the SIM card FIRST and SEPARATE from the device, as extraction with the SIM card in the device may allow the device to change the status of unread messages on the SIM to read.

Step 5. Select Content Items for Extraction: (Then press Next)

Operators may select individual content types for extraction or simply use the "SELECT ALL" button here.

TOUCH NOTE: Touch users will see a prompt on screen here to select the target, PC or Removable Drive, as the destination.

4PC NOTE: UFED 4PC users will have the opportunity at this screen to change the storage path to any accessible storage area.

Step 6. Follow Instructions to Select Cable and Connect Device

On this screen, operators should follow the instructions exactly and use the cable or cable and tip combination as recommended on screen. Sometimes the order in which cables and devices are connected will be important, so follow the on-screen directions carefully to ensure success.

Step 7. Observe the Progress

Operators will see visual progress indicators as extraction occurs. If an extraction fails, a message will be displayed.

Step 8. Observe the Extraction Summary
