SANS Digital Forensics and Incident Response Blog

SANS Digital Forensics and Incident Response Blog

Quick Look - Cellebrite UFED Using Extract Phone Data & File System Dump

It is not the intent of this blog post to be an all-encompassing guide to the forensic analysis of an iPhone. Rather it is a look at some of the tools I use in my practice and how they can be applied to iPhone forensic analysis. That being said lets get to it.

Why would you use the Cellebrite File System Dump instead of the traditional Extract Phone Data ?

If the subject of your forensic analysis is collecting information regarding the telephone such as call logs, phone book, SMS, pictures, video and audio/music then you will find what you need using the standard Cellebrite processing found under "Extract Phone Data". However if you want to do a deep dive in to the file structure, Internet usage or look deep in to the applications that are being used on the device and perhaps run some of your "favorite forensic tools" against it, I highly recommend complimenting your traditional Extract Phone Data analysis by also doing the File System Dump.

For the purposes of my testing for this blog post I am performing a forensic analysis on a 16 GB iPhone 3G Version 4.02.

Let me begin by noting that I am running a Cellebrite UFED with the Physical Analysis Option.

Version information is as follows

UFED Software Versions:


Full: UF


Reporter Version 1.8.280710

Physical Analyzer version

The UFED Physical currently supports 2455 different phones for standard processing and 1462 for physical processing. See highlights on the most current release below (Figure 1).

Current Release

Figure 1

The previous version of the Cellebrite Report Manager was somewhat limited for use in my practice as it only ran on a Windows XP environment and my lab is predominantly Windows 7 x64 based. The new/current version 1.8.2 will now operate on a Windows 7 x64 machine. Further Cellebrite has recently released their Physical Analyzer software that works on Windows 7 x64 for both physical dump files and file system dump files.

Using The Cellebrite UFED "Extract Phone Data" Option

The Main Menu of the Cellebrite UFED offers several choices for collecting evidence from a mobile device:

  • Extract Phone Data
  • Extract SIM/USIM Data
  • Clone SIM ID
  • Physical Dump
  • File System Dump
  • Extract Passwords
For the initial part of my testing I wanted to see just what was available with the standard "Extract Phone Data" option.

Extract Phone Data -> Apple ->

Several options are available for Apple products:

  • iPad
  • iTouch
  • iPhone 2G/3G/3GS
  • iPhone 4
I chose the selection for the "iPhone 2G/3G/3GS"

Target selections include:

  • USB Flash Drive
  • SD Card
  • PC
I chose the "USB Flash Drive" for a 16 GB FAT 32 formatted USB drive

Options for Extraction are:

  • Call Logs
  • Phone Book
  • SMS
  • Pictures
  • Videos
  • Audio/Music
I selected all available options except audio for my test run and extraction was completed in around 8 minutes. I moved the USB stick over to a forensics workstation running the Cellebrite Report Manager and copied it to sanitized case drive and then opened the analysis file.

The file opened quickly and presented the following initial display in the Report Manager GUI. Phone Exam Properties (Figure 2) are provided in a tabular format and include the typical cell phone specific details that I would expect to be available with a mobile phone forensics product. On the left side bar of the page is an icon driven menu that also provides information (in total) on what was collected and or is available from the collection:

  • Contacts (2951)
  • SMS (2521)
  • Calendar (0)
  • Call Log (100)
  • Images (7)
  • Audio (0)
  • Video (0)
  • Ringtone (0)

Figure 2

Selecting the contacts icon brings up the contacts display (Figure 3), all available fields are displayed in the Report Manager "spreadsheet like" GUI. Selecting any column header will resort all of the listed information in either the ascending or descending order of the selected column. This can be very handy on a phone with many contacts.

Figure 3

The SMS message page is selected by clicking the SMS icon and is displayed in tabular format with details of each selected SMS message shown in a view at the bottom of the page (Figure 4). Note that the time stamps for each message are provided. As with other tabular pages in the Cellebrite Reporter software selecting any column header in the SMS display will resort all of the listed information in either the ascending or descending order of the selected column.

Figure 4

Viewing call information in the Cellebrite Report Manager is as simple as clicking the Call Log Icon in the menu area. All 100 of the last calls made/received on the iPhone are displayed in tabular format and include as expected the type of call incoming/outgoing, phone number, time/date as well as duration of each call (Figure 5). Note: on an iPhone, if a given number exists in the phonebook on the iPhone the contact name is also displayed in the call log details. As with other tabular pages in the Cellebrite Report Manager software selecting any column header in the Calls Log display will resort all of the listed information in either the ascending or descending order of the selected column.

Figure 5

The Image page is selected by simply clicking on the Images icon in the menu area. Images may include any image on the phone such as thumbnails from the SMS message display as well as a larger copy of the image stored on the iPhone that can be displayed by clicking on the smaller picture within the SMS display on the iPhone. Other images such as those taken with the iPhone internal camera are also extracted and made available in the images display (however they are not differentiated) by the Reporter software. Images are presented in a list view but you can choose an Icon or detailed view from the toolbar (Figure 6). In order to view the image you must click on the image name or icon and a Windows Photo Viewer window is opened to display the image. It is important to note that images that were deleted on the iPhone are not recovered and made available in this extraction and EXIF information is made available by right clicking on the image while it is being viewed in the Windows Photo Viewer.

Care should be taken in viewing and interpreting the EXIF data in the Windows Photo Viewer (Figure 7) as the data displayed in the Properties Window for Origin — Date Taken represents the time and date the photo was taken and the data provided under "File" contains the path to the image on the viewing workstation (not on the iPhone) and the file time stamps represent when the file was created/accessed in the extraction process — not the time the photo was taken.

Figure 6

Figure 7

Taking A Deeper Dive - Using The Cellebrite File System Dump Option

With today's more powerful mobile devices such as the Apple iPhone 3G collecting only the traditional "phone" data is simply not enough you need to do a deeper dive to perform a thorough forensic analysis.

The Main Menu of the Cellebrite UFED offers several choices for collecting evidence from a mobile device:

  • Extract Phone Data
  • Extract SIM/USIM Data
  • Clone SIM ID
  • Physical Dump
  • File System Dump
  • Extract Passwords
For the purposes of this test run I chose to select the creation of a "File System Dump" rather then just the traditional "Extract Phone Data".

On the UFED menu

File System Dump -> Apple ->

Several choices for Apple supported mobile devices include:

  • iPad
  • iPod Touch
  • iPhone 2G/3G/3GS
  • iPhone 4
  • iPod Nano 5G
I chose the selection for the "iPhone 2G/3G/3GS"

Target selections include:

  • USB Flash Drive
  • SD Card
  • PC
I chose the "USB Flash Drive" for a 16 GB FAT 32 formatted USB drive

The iPhone contained a large number of songs, a few videos, photos and 11 different applications — roughly 13.1 GB of data. The extraction took a little more then 14 hours to complete. The resulting extraction resulted in 12.4 GB being written to the USB stick.

Figure 8

I copied the folder from the USB stick to a forensics workstation and then selected the respective UFED Dump file (Figure 8). This automatically opened the archived files within the UFED Physical Analyzer (Figure 9) on my Windows 7x64 server.

Figure 9

Drilling down into what information is available within the Physical Analyzer software it literally opens a "treasure trove" of potential valuable evidence not found with the traditional "Extract Phone Data" option on the Cellebrite UFED. Selecting the available Hex data and drilling down in to the application folders I was able to not only find the application user names and passwords for several applications I also found the user's Skype chat conversations that are being stored on the iPhone — information simply not available using the traditional "Extract Phone Data Option".

The Cellebrite Physical Analyzer Itself Is Good But Other Tools Can Enhance Your Analysis

While examining the data in hex format within the Cellebrite Physical Analyzer software is interesting and some would perhaps believe to be "enough" I prefer the automation provided by tools like those found in the "SANS SIFT Workstation" for Windows to present the evidence in a more "forensicator friendly" manner.

Create A File Set For Analysis

From within the Cellebrite Physical Analyzer software Toolbar I chose to copy the extracted data out of the Physical Analyzer to a folder on my forensic server:

Tools -> Dump Filesystem

This created a folder set in the original iPhone hierarchy and enabled me to then copy them on to a USB stick for further analysis

Some Analysis Using The SANS SIFT Workstation With The Cellebrite Physical Analyzer

Knowing that I had found Skype related data in viewing the files in the hex display of the Physical Analyzer I decided to use the tool included in the SANS SIFT Workstation called "Skype Log Parser". Starting up SIFT and connecting the USB stick with the copied folders from the Cellebrite Physical Analyzer allowed me to quickly run the Skype Log Parser against the collected data resulting in a clean representation of the available data in a much easier to read format then simply viewing it in Hex. Here is just a sample of the evidence found using the SIFT Workstation and Skype Log Parser (Figure 10 — 13) when run against the data extracted from the Physical Analyzer files extracted with the UFED in File Dump Mode.

Figure 10

Figure 11

Figure 12

Figure 13

Having found the tools within the SIFT Workstation able to use the data extracted from the iPhone by Cellebrite was encouraging so I decided to try another available tool on my forensics server - "NetAnalysis" against the collected data to see if a representation of the iPhones Safari browser history was available and could be processed by Net Analysis from the data structures collected by the Cellebrite UFED. As expected the NetAnalysis software was able collect the browser history from the Cellebrite extracted data structures of the iPhone Safari browser (Figure 14).

Figure 14

Taking It Up A Notch - Using FTK 3.1 To Analyze The File Dump From The UFED — Physical Analyzer Export.

I prefer to create an AD1 image of large amounts of data that will be part of a case in FTK 3.1 rather than simply add the individual files or folders directly in to an FTK case. To create the ADI image you simply use FTK Imager (Figure 15):

File -> Create Image -> Contents of a folder -> enter source path -> Finish

Add -> complete case information form -> Image destination -> Image name

Figure 15

With the available AD1 image you can now start FTK 3.1, create a new case and add the AD1 file you just created to the new case (Figure 16) and configure your evidence refinement options (Figure 17). These are not necessary, the optimum refinement options for an iPhone but were selected simply to process this example for this blog post.

Figure 16

Figure 17

The small size of the AD1 file is processed in minutes by FTK 3.1 and you are quickly presented with the FTK Explorer and evidence tree showing the complete file structure collected by the Cellebrite UFED File System Dump (Figure 18) from the iPhone. FTK 3.1 provides the ability to view plist files and some SQLite files. Further the index search is available to search the image for your selected keywords.

Figure 18

Under the Overview Tab select the plist extension to see the power of analysis using FTK on the UFED extracted iPhone file dump. The total number of plist files found on this iPhone are 176 and they contain a wealth of potential forensic evidence. Drilling down to the file named Bookmarks.plist we find that it contains potentially valuable data associated with the iPhone map application — complete data on a specific location saved as a bookmark in the map application (Figure 19). Other potentially valuable plist files would be the user's speed dial list (Figure 20), network identification plist (Figure 21) that contains valuable historical network connections details, several browser cookie plist files that reveal browser history details even if the user deleted browser history, just to name a few.

Figure 19

Figure 20

Figure 21

Figure 22

Other great potential forensic evidense can quickly be viewed using FTK and an external program such as SQLiteSpy to view the data contained within the many iPhone SQLite databases. Simply right click in the SQLite db file in the FTK tree view and select "view with external program -> SqliteSpy" (Figure 23) Here we have all of the notes the user of the iPhone stored with the Apple Notes application on the iPhone.

Figure 23

Another missing detail in using the Extract Phone Data is that it simply did not collect the calendar data from the iPhone. However the File System Dump does capture the SQL database associated with the user's calendar application. Right click on the CalendarSqlite.db and select "view with external program -> SQLiteSpy" to view the SQL database table containing the users calendar data. (Figure 24)

Figure 24

In conclusion: Clearly the File Dump option for the Cellebrite UFED Physical provides a wealth of potential forensics evidence for an Apple iPhone. The traditional Extract Phone Data option is significantly faster but simply can not be regarded as a thorough analysis of an Apple iPhone because of the other forensic data it may in fact contain. The Cellebrite Report Manager is great for a traditional phone analysis and the Cellebrite Physical Analyzer software provides the capability to analyze the File System Dump created with the UFED Physical for a deeper dive into the data contained on an iPhone. While the Physical Analyzer software is good with its Hex display, filtering and search capability, the file structure created is also usable by other forensic tools such as those within the SANS SIFT Workstation like the Skype Log Parser, the well known and powerful stand alone browser analysis tool from Digital Detective called Net Analysis and lastly the powerful AccessData FTK 3.1 analysis software with its point and click bookmarking and reporting capability along with additional tools like SQLiteSpy to further expand its capability.