Blog: SANS Digital Forensics and Incident Response Blog

Quick Look - Cellebrite UFED Using Extract Phone Data & File System Dump

It is not the intent of this blog post to be an all-encompassing guide to the forensic analysis of an iPhone. Rather, it is a look at some of the tools I use in my practice and how they can be applied to iPhone forensic analysis. That being said, let's get to it.

Why would you use the Cellebrite File System Dump instead of the traditional Extract Phone Data?

If the subject of your forensic analysis is the telephone data itself, such as call logs, phone book, SMS, pictures, video and audio/music, then you will find what you need using the standard Cellebrite processing found under "Extract Phone Data". However, if you want to dig into the file structure, Internet usage or the applications in use on the device, and perhaps run some of your favorite forensic tools against that data, I highly recommend complementing your traditional Extract Phone Data analysis with a File System Dump.

For the purposes of my testing for this blog post I am performing a forensic analysis on a 16 GB iPhone 3G running iOS 4.0.2.


Let me begin by noting that I am running a Cellebrite UFED with the Physical Analysis Option.

Version information is as follows:

UFED software versions:

  • App: 1.1.4.7 UFED
  • Full: 1.0.2.4 UF
  • Tiny: 1.0.2.1

Desktop software versions:

  • Reporter (Report Manager) 1.8.280710
  • Physical Analyzer 1.9.0.5213

The UFED Physical currently supports 2455 different phones for standard processing and 1462 for physical processing. Highlights of the most current release are shown below (Figure 1).

Current Release


Figure 1


The previous version of the Cellebrite Report Manager was of limited use in my practice, as it only ran on Windows XP and my lab is predominantly Windows 7 x64 based. The new/current version 1.8.2 will now operate on a Windows 7 x64 machine. Further, Cellebrite has recently released its Physical Analyzer software, which runs on Windows 7 x64 and handles both physical dump files and file system dump files.

Using The Cellebrite UFED "Extract Phone Data" Option

The Main Menu of the Cellebrite UFED offers several choices for collecting evidence from a mobile device:

  • Extract Phone Data
  • Extract SIM/USIM Data
  • Clone SIM ID
  • Physical Dump
  • File System Dump
  • Extract Passwords
For the initial part of my testing I wanted to see just what was available with the standard "Extract Phone Data" option.

Extract Phone Data -> Apple ->

Several options are available for Apple products:

  • iPad
  • iTouch
  • iPhone 2G/3G/3GS
  • iPhone 4
I chose the selection for the "iPhone 2G/3G/3GS".

Target selections include:

  • USB Flash Drive
  • SD Card
  • PC
I chose the "USB Flash Drive" target with a 16 GB FAT32-formatted USB drive.

Options for Extraction are:

  • Call Logs
  • Phone Book
  • SMS
  • Pictures
  • Videos
  • Audio/Music
I selected all available options except audio for my test run, and extraction completed in around 8 minutes. I moved the USB stick over to a forensics workstation running the Cellebrite Report Manager, copied the extraction to a sanitized case drive and then opened the analysis file.

The file opened quickly and presented the following initial display in the Report Manager GUI. Phone Exam Properties (Figure 2) are provided in tabular format and include the typical cell-phone-specific details that I would expect a mobile phone forensics product to make available. The left side bar of the page is an icon-driven menu that also shows the totals for what was collected and/or is available from the collection:

  • Contacts (2951)
  • SMS (2521)
  • Calendar (0)
  • Call Log (100)
  • Images (7)
  • Audio (0)
  • Video (0)
  • Ringtone (0)


Figure 2


Selecting the Contacts icon brings up the contacts display (Figure 3); all available fields are displayed in the Report Manager's spreadsheet-like GUI. Clicking any column header re-sorts the listed information in ascending or descending order of that column, which is very handy on a phone with many contacts.



Figure 3


The SMS message page is selected by clicking the SMS icon and is displayed in tabular format, with the details of each selected SMS message shown in a view at the bottom of the page (Figure 4). Note that the time stamps for each message are provided. As with the other tabular pages in the Cellebrite Report Manager, clicking any column header in the SMS display re-sorts the list in ascending or descending order of that column.


Figure 4


Viewing call information in the Cellebrite Report Manager is as simple as clicking the Call Log icon in the menu area. The last 100 calls made or received on the iPhone are displayed in tabular format and include, as expected, the call type (incoming/outgoing), phone number, time/date and duration of each call (Figure 5). Note: if a given number exists in the iPhone's phone book, the contact name is also displayed in the call log details. As with the other tabular pages in the Cellebrite Report Manager, clicking any column header in the Call Log display re-sorts the list in ascending or descending order of that column.



Figure 5


The Image page is selected by simply clicking the Images icon in the menu area. Images may include any image on the phone, such as thumbnails from the SMS message display as well as the larger copy of the image stored on the iPhone that is displayed when the smaller picture is tapped within the SMS display on the iPhone. Other images, such as those taken with the iPhone's internal camera, are also extracted and made available in the Images display; however, the Report Manager does not differentiate between these sources. Images are presented in a list view, but you can choose an icon or detailed view from the toolbar (Figure 6). To view an image you click on the image name or icon, and a Windows Photo Viewer window opens to display it. It is important to note that images that were deleted on the iPhone are not recovered and made available in this extraction. EXIF information is available by right-clicking on the image while it is being viewed in the Windows Photo Viewer.

Care should be taken in viewing and interpreting the EXIF data in the Windows Photo Viewer (Figure 7). In the Properties window, Origin > Date Taken comes from the EXIF metadata embedded in the file and represents the time and date the photo was taken. The data under "File", by contrast, describes the copy on the viewing workstation: the path is the path on the workstation (not on the iPhone), and the file time stamps represent when the file was created/accessed during the extraction process, not when the photo was taken. Only the embedded EXIF date should be relied on for the capture time, and even that is only as accurate as the clock on the phone.
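To make that distinction concrete, here is an added example (written for this edit, not code from the original post or from Cellebrite) that reads DateTimeOriginal directly out of a JPEG's Exif segment and puts it next to the timestamps the workstation's filesystem reports for the same file. The JPEG it operates on is a constructed stub containing only an Exif block, so the capture date is a value chosen here rather than one taken from a real photo.

```python
import os
import struct
import tempfile
from datetime import datetime, timezone

EXIF_IFD_POINTER = 0x8769    # IFD0 entry that points at the Exif sub-IFD
DATE_TIME_ORIGINAL = 0x9003  # Exif sub-IFD tag holding "YYYY:MM:DD HH:MM:SS"


def build_sample_jpeg(date_taken: str) -> bytes:
    """Constructed test input: a JPEG shell (SOI, one APP1/Exif segment, EOI) with no
    image data, whose Exif sub-IFD carries only DateTimeOriginal."""
    ascii_val = date_taken.encode("ascii") + b"\x00"  # 20 bytes including the NUL
    assert len(ascii_val) == 20
    tiff = b"II*\x00" + struct.pack("<I", 8)  # little-endian TIFF header, IFD0 at offset 8
    # IFD0 (offset 8, 18 bytes): one LONG entry pointing at the Exif sub-IFD at offset 26
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    # Exif sub-IFD (offset 26, 18 bytes): one ASCII entry whose 20-byte value sits at offset 44
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", DATE_TIME_ORIGINAL, 2, 20, 44) + struct.pack("<I", 0)
    tiff += ascii_val
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload  # length counts itself
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, at)
        entries[tag] = (typ, count, tiff[at + 8:at + 12])
    return entries


def exif_date_taken(jpeg: bytes):
    """Return the Exif DateTimeOriginal string from a JPEG, or None if it is absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack_from(">HH", jpeg, pos)
        if marker >> 8 != 0xFF or marker in (0xFFD9, 0xFFDA):  # corrupt, EOI or start of scan
            break
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xFFE1 and body[:6] == b"Exif\x00\x00":
            tiff = body[6:]
            e = "<" if tiff[:2] == b"II" else ">"  # byte order is declared in the TIFF header
            (ifd0_off,) = struct.unpack_from(e + "I", tiff, 4)
            ifd0 = _read_ifd(tiff, ifd0_off, e)
            if EXIF_IFD_POINTER not in ifd0:
                return None
            (sub_off,) = struct.unpack(e + "I", ifd0[EXIF_IFD_POINTER][2])
            sub = _read_ifd(tiff, sub_off, e)
            if DATE_TIME_ORIGINAL not in sub:
                return None
            typ, count, field = sub[DATE_TIME_ORIGINAL]
            if typ != 2:  # must be ASCII
                return None
            if count <= 4:  # values of four bytes or less are stored inline
                raw = field[:count]
            else:
                (off,) = struct.unpack(e + "I", field)
                raw = tiff[off:off + count]
            return raw.rstrip(b"\x00").decode("ascii", "replace")
        pos += 2 + seglen
    return None


def timestamp_report(path: str) -> dict:
    """Contrast the capture time embedded in the file with the timestamps the
    workstation's filesystem assigned when the extraction wrote the file there."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    return {
        "exif_date_taken": exif_date_taken(data),
        "fs_modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "fs_changed_utc": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
    }


def demo_report() -> dict:
    """Write the constructed JPEG to a temp file, as the extraction does, and report on it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "IMG_0001.JPG")
        with open(path, "wb") as fh:
            fh.write(build_sample_jpeg("2010:08:14 09:31:02"))
        return timestamp_report(path)


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key:18} {value}")
```

Run against a real photo from the dump, the exif_date_taken value is the one that matters for the timeline; the fs_ values will always be the date of the extraction. Note also that DateTimeOriginal carries no time zone: it is whatever local time the phone's clock showed.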



Figure 6



Figure 7


Taking A Deeper Dive - Using The Cellebrite File System Dump Option

With today's more powerful mobile devices such as the Apple iPhone 3G, collecting only the traditional "phone" data is simply not enough; you need to take a deeper dive to perform a thorough forensic analysis.

The Main Menu of the Cellebrite UFED offers the same choices listed above (Extract Phone Data, Extract SIM/USIM Data, Clone SIM ID, Physical Dump, File System Dump and Extract Passwords). For the purposes of this test run I chose to create a "File System Dump" rather than just the traditional "Extract Phone Data".

On the UFED menu

File System Dump -> Apple ->

Several choices for Apple supported mobile devices include:

  • iPad
  • iPod Touch
  • iPhone 2G/3G/3GS
  • iPhone 4
  • iPod Nano 5G
I chose the selection for the "iPhone 2G/3G/3GS".

Target selections include:

  • USB Flash Drive
  • SD Card
  • PC
I chose the "USB Flash Drive" target with a 16 GB FAT32-formatted USB drive.

The iPhone contained a large number of songs, a few videos, photos and 11 different applications, roughly 13.1 GB of data. The extraction took a little more than 14 hours to complete and wrote 12.4 GB to the USB stick.


Figure 8


I copied the folder from the USB stick to a forensics workstation and then selected the respective UFED dump file (Figure 8). This automatically opened the archived files within the UFED Physical Analyzer (Figure 9) on my Windows 7 x64 server.


Figure 9


Drilling down into the information available within the Physical Analyzer software opens a "treasure trove" of potentially valuable evidence not found with the traditional "Extract Phone Data" option on the Cellebrite UFED. Browsing the hex view of the application folders, I was able to find not only the user names and passwords that several applications had stored in their own files, but also the user's Skype chat conversations stored on the iPhone. None of this is available using the traditional "Extract Phone Data" option.

The Cellebrite Physical Analyzer Itself Is Good But Other Tools Can Enhance Your Analysis

While examining the data in hex format within the Cellebrite Physical Analyzer software is interesting, and some would perhaps consider it "enough", I prefer the automation provided by tools like those found in the SANS SIFT Workstation to present the evidence in a more "forensicator friendly" manner.

Create A File Set For Analysis

From within the Cellebrite Physical Analyzer software Toolbar I chose to copy the extracted data out of the Physical Analyzer to a folder on my forensic server:

Tools -> Dump Filesystem

This created a folder set in the original iPhone hierarchy, which I then copied onto a USB stick for further analysis.

Some Analysis Using The SANS SIFT Workstation With The Cellebrite Physical Analyzer

Knowing from the hex display of the Physical Analyzer that I had found Skype-related data, I decided to use the tool included in the SANS SIFT Workstation called "Skype Log Parser". Starting up SIFT and connecting the USB stick with the folders copied out of the Cellebrite Physical Analyzer allowed me to quickly run the Skype Log Parser against the collected data, producing a clean representation of the available data that is much easier to read than the hex view. Here is just a sample of the evidence found using the SIFT Workstation and Skype Log Parser (Figures 10 to 13) when run against the files exported from the Physical Analyzer, which in turn came from the UFED File System Dump.


Figure 10



Figure 11



Figure 12



Figure 13


Having found that the tools within the SIFT Workstation could use the data extracted from the iPhone by Cellebrite was encouraging, so I decided to try another tool available on my forensics server, NetAnalysis, against the collected data to see whether the iPhone's Safari browser history was present in the data structures collected by the Cellebrite UFED and could be processed by NetAnalysis. As expected, NetAnalysis was able to recover the browser history from the Safari data structures in the Cellebrite extraction (Figure 14).


Figure 14


Taking It Up A Notch - Using FTK 3.1 To Analyze The File Dump From The UFED — Physical Analyzer Export.

I prefer to create an AD1 image of large amounts of data that will be part of a case in FTK 3.1 rather than simply adding the individual files or folders directly into an FTK case. To create the AD1 image you simply use FTK Imager (Figure 15):

File -> Create Image -> Contents of a folder -> enter source path -> Finish

Add -> complete case information form -> Image destination -> Image name


Figure 15


With the AD1 image available you can now start FTK 3.1, create a new case, add the AD1 file you just created to the new case (Figure 16) and configure your evidence refinement options (Figure 17). These are not necessarily the optimum refinement options for an iPhone; they were selected simply to process this example for this blog post.


Figure 16



Figure 17



The AD1 file is small and FTK 3.1 processes it in minutes, after which you are presented with the FTK Explorer and evidence tree showing the complete file structure collected from the iPhone by the Cellebrite UFED File System Dump (Figure 18). FTK 3.1 provides the ability to view plist files and some SQLite files. Further, the index search is available to search the image for your selected keywords.


Figure 18


Under the Overview tab, select the plist extension to see the power of analysis using FTK on the UFED-extracted iPhone file dump. A total of 176 plist files were found on this iPhone, and they contain a wealth of potential forensic evidence. Drilling down to the file named Bookmarks.plist, we find that it contains potentially valuable data associated with the iPhone Maps application: complete data on a specific location saved as a bookmark in the Maps application (Figure 19). Other potentially valuable plist files include the user's speed dial list (Figure 20), the network identification plist (Figure 21), which contains valuable historical network connection details, and several browser cookie plist files that reveal browser history details even if the user deleted the browser history, just to name a few.
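A file system dump brings back a plist for nearly every application and preference, and FTK's viewer shows them one at a time. The following is an added example, not from the original post or from any of the tools it names, that flattens every plist in a set into greppable (file, key path, value) rows so that all 176 of them can be triaged at once; plistlib reads both XML and binary (bplist00) plists without being told which is which. The three sample files are constructed inline, and the key names used for the Maps bookmark and the Wi-Fi plist are assumptions made for the example, not the real on-device layouts.

```python
import datetime
import plistlib


def flatten_plist(obj, path=""):
    """Yield (dotted key path, scalar value) for every leaf in a parsed plist tree."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten_plist(val, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, (list, tuple)):
        for i, val in enumerate(obj):
            yield from flatten_plist(val, f"{path}[{i}]")
    else:
        if isinstance(obj, bytes):
            obj = obj.hex()            # keep embedded binary blobs greppable
        elif isinstance(obj, datetime.datetime):
            obj = obj.isoformat()      # plist dates are stored as UTC
        yield path, obj


def triage_plists(files):
    """files: iterable of (relative path, raw bytes).
    Returns (rows, unparsable) where rows are (file, key path, value) tuples."""
    rows, unparsable = [], []
    for name, raw in files:
        try:
            data = plistlib.loads(raw)  # detects XML and bplist00 from the header
        except Exception:               # InvalidFileException for unknown headers,
            unparsable.append(name)     # ExpatError for damaged XML
            continue
        rows.extend((name, p, v) for p, v in flatten_plist(data))
    return rows, unparsable


def grep_rows(rows, needle):
    """Case-insensitive search across key paths and values."""
    needle = needle.lower()
    return [r for r in rows if needle in r[1].lower() or needle in str(r[2]).lower()]


# Constructed sample set; layouts are assumed for illustration only.
SAMPLE_FILES = [
    ("Library/Maps/Bookmarks.plist", plistlib.dumps(
        {"Bookmarks": [{"Name": "Office", "Address": "123 Example St",
                        "Latitude": 33.749, "Longitude": -84.388}]},
        fmt=plistlib.FMT_BINARY)),
    ("Library/Preferences/com.example.wifi.plist", plistlib.dumps(
        {"Networks": [{"SSID": "CoffeeShop",
                       "LastJoined": datetime.datetime(2010, 8, 14, 9, 31, 2)}]},
        fmt=plistlib.FMT_XML)),
    ("Library/Caches/Broken.plist", b"not a plist at all"),
]


def triage_sample():
    """Run the triage over the constructed sample set."""
    return triage_plists(SAMPLE_FILES)


if __name__ == "__main__":
    rows, bad = triage_sample()
    for name, path, value in rows:
        print(f"{name}\t{path}\t{value!r}")
    print("unparsable:", bad)
    print("matches for 'coffee':", grep_rows(rows, "coffee"))
```

Pointed at the folder tree produced by Tools -> Dump Filesystem, the same functions take (path, open(path, "rb").read()) pairs from an os.walk over every *.plist; the unparsable list is worth keeping, because a file with a .plist name that neither parser accepts is itself something to look at in the hex view.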


Figure 19



Figure 20



Figure 21



Figure 22


Other valuable potential forensic evidence can quickly be viewed using FTK and an external program such as SQLiteSpy to view the data contained within the many iPhone SQLite databases. Simply right-click on the SQLite db file in the FTK tree view and select "view with external program -> SQLiteSpy" (Figure 23). Here we have all of the notes the user of the iPhone stored with the Apple Notes application.


Figure 23


Another detail missing from Extract Phone Data is that it simply did not collect the calendar data from the iPhone. The File System Dump, however, does capture the SQLite database associated with the user's calendar application. Right-click on the CalendarSqlite.db and select "view with external program -> SQLiteSpy" to view the SQLite table containing the user's calendar data (Figure 24).
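Opening the database in SQLiteSpy shows the raw rows, and the date columns in iOS databases such as the calendar store are not Unix timestamps but seconds since 2001-01-01 00:00:00 UTC (Mac absolute time), so a raw value needs the 978307200-second offset added before it reads as a sensible date. The example below is added here and is not from the original post; it builds a constructed in-memory database with an Event table whose column names (summary, location, start_date, end_date) are assumed for illustration, and shows the conversion both in Python and as a SQLite expression that can be pasted straight into SQLiteSpy.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01, both 00:00:00 UTC
_MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(seconds: float) -> datetime:
    """Convert a Mac absolute time value (seconds since 2001-01-01 UTC) to a UTC datetime."""
    return _MAC_EPOCH + timedelta(seconds=seconds)


def utc_to_mac_absolute(dt: datetime) -> int:
    """Inverse conversion; dt must be timezone-aware."""
    return int(dt.timestamp()) - MAC_EPOCH_OFFSET


def build_sample_calendar_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the calendar database.
    Table and column names are assumed for the example, not taken from a device."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Event ("
        " ROWID INTEGER PRIMARY KEY, summary TEXT, location TEXT,"
        " start_date REAL, end_date REAL)"  # REAL columns hold Mac absolute time
    )
    utc = timezone.utc
    sample = [  # constructed events
        ("Dentist", "Main St",
         datetime(2010, 8, 16, 14, 0, tzinfo=utc), datetime(2010, 8, 16, 15, 0, tzinfo=utc)),
        ("Flight to ATL", "Airport",
         datetime(2010, 9, 2, 11, 30, tzinfo=utc), datetime(2010, 9, 2, 13, 45, tzinfo=utc)),
    ]
    conn.executemany(
        "INSERT INTO Event (summary, location, start_date, end_date) VALUES (?, ?, ?, ?)",
        [(s, loc, utc_to_mac_absolute(a), utc_to_mac_absolute(b)) for s, loc, a, b in sample],
    )
    conn.commit()
    return conn


def list_events(conn: sqlite3.Connection) -> list:
    """Return every event with the raw stored value and the converted UTC time.
    The conversion is done inside SQLite so the same expression works in SQLiteSpy."""
    sql = (
        "SELECT summary, location, start_date,"
        "       datetime(start_date + 978307200, 'unixepoch') AS start_utc,"
        "       datetime(end_date + 978307200, 'unixepoch') AS end_utc"
        " FROM Event ORDER BY start_date"
    )
    keys = ("summary", "location", "start_raw", "start_utc", "end_utc")
    return [dict(zip(keys, row)) for row in conn.execute(sql)]


def freelist_pages(conn: sqlite3.Connection) -> int:
    """Pages on the database free list. Rows the user deleted can linger there,
    and no SELECT will ever show them."""
    return conn.execute("PRAGMA freelist_count").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_calendar_db()
    for ev in list_events(db):
        print(ev)
    print("free pages:", freelist_pages(db))
```

Two caveats when applying this to a real database from the dump: convert the Mac absolute value to UTC first and only then apply the phone's time zone, and remember that queries return live rows only; records the user deleted may still sit in free pages or unallocated space of the file, which freelist_pages counts but does not recover.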


Figure 24


In conclusion: clearly the File System Dump option for the Cellebrite UFED Physical provides a wealth of potential forensic evidence for an Apple iPhone. The traditional Extract Phone Data option is significantly faster, but it simply cannot be regarded as a thorough analysis of an Apple iPhone because of the other forensic data the device may contain. The Cellebrite Report Manager is great for a traditional phone analysis, and the Cellebrite Physical Analyzer software provides the capability to analyze the File System Dump created with the UFED Physical for a deeper dive into the data contained on an iPhone. While the Physical Analyzer software is good, with its hex display, filtering and search capability, the file structure it exports is also usable by other forensic tools: those within the SANS SIFT Workstation such as the Skype Log Parser, the well-known and powerful stand-alone browser analysis tool NetAnalysis from Digital Detective, and lastly the powerful AccessData FTK 3.1 analysis software, with its point-and-click bookmarking and reporting capability, along with additional tools like SQLiteSpy to further expand its capability.

14 Comments

Posted September 22, 2010 at 6:16 PM | Permalink | Reply

allchange

Excellent post! I've wanted to try Cellebrite for some time but it has been cost prohibitive, unfortunately. I didn't realize SIFT included the Skype Log Parser, which is something I'll have to play with. In the US I don't see as many people making Skype -> off-net calls.

While only doing logical dumps, BitPim is free. Also, have you tried CellDEK? It's the only other alternative to Cellebrite that has as many features. I'm wondering how it compares...

Posted September 23, 2010 at 8:14 PM | Permalink | Reply

paulhenry

The tools that come with SIFT - ROCK but admittedly I am a little biased as I teach FOR 408 at SANS. In my practice I have a number of commercial products available to me but I regularly turn to SIFT when I need something quick and specific. On Skype - I do not see a great deal of off-net call activity in my cases but do see a lot of Skype chat and file transfer activity. Personally I see a real need to move away from a logical analysis and to a complete physical dump in order to provide a more thorough analysis.... patiently waiting for the physical dump capability from Cellebrite for the iPhone and iPad - hear it is right around the corner. I looked at the CellDEK before purchasing the Cellebrite and decided to go with the Cellebrite but everyone's needs are different so you're always better off doing your own comparison and basing your decisions on your own specific needs and requirements.

Posted September 22, 2010 at 7:15 PM | Permalink | Reply

Sean Morrisssey

This must be painful to do on all iPhones. If you have to use a windows tool, O2 can do all of the above. So can Mac tools for much, much less $$.

Posted September 23, 2010 at 8:02 PM | Permalink | Reply

paulhenry

Sean;

There is always a cheaper cost alternative.... but you have to consider licensing restrictions for commercial use, the training and the labor costs - for me what I am using is relatively painless and it allows me to leverage tools I already own and that I am familiar with to process the phones. For that matter the hex capability of the sw that comes with the Cellebrite UFED is very capable and for some would be all they need to process the wide range of phones they support. I choose to use alternates like SIFT and FTK for processing the image as I am more familiar with them and feel I can do a better job with them not because they are necessarily any better but because of my familiarity and experience with them. I have found that in both security and forensics you will always tend to do best with what you are most experienced in working with...

Posted September 22, 2010 at 7:30 PM | Permalink | Reply

Shafik

great idea for windows based analysis assuming you can afford UFED and FTK 3.1.2

i can do all this on my mac with lantern, several free sql viewers and omnioutliner (for viewing and exporting plist to html nicely) and all this at a very reasonable cost of less than 500-600 usd

Posted September 23, 2010 at 8:31 PM | Permalink | Reply

paulhenry

Shafik;

A couple of years ago I started getting a number of case RFQs that included forensics on both servers or PCs and cell phones together. I did not want to respond that I could do the servers but was unable or limited on the cell phones as it would likely cause me to lose the larger part of the business - the servers and PCs. I needed to support a wide range of phones but did not want to have to have (and learn) a number of different products to image them... I use my Cellebrite to leverage the support of the wide range of phones and often when necessary use the other tools I am most familiar with to process them. Choosing to handle forensics on cell phones can be an expensive proposition and the math does not always support the cost of equipment to do it alone as a vertical in a forensics practice but in my view not being able to handle them can cost you in not getting cases that involve both PCs and phones together.

Posted October 04, 2010 at 7:12 AM | Permalink | Reply

terry goldwin

Call logs keep an extensive record of all your calls and transactions, as well as details such as name of caller, time, date, length of the call and result of transaction.

Posted June 14, 2012 at 2:24 PM | Permalink | Reply

Chip Hogsed

I would like to extract information off of my iPhone. Can you do this or can you point me the right direction to have this done? I live in Atlanta GA. Thanks so much.

Posted June 14, 2012 at 2:38 PM | Permalink | Reply

Paul Henry

Chip

I can do it myself if you want to FedEx it to me but you should be able to find someone locally that can do it.

Best;

Paul

Posted October 04, 2012 at 10:39 AM | Permalink | Reply

Richard

Excellent blog. It's been great to read this. I never thought about it. You have done a brilliant job. I didn't recognize SIFT involved the Skype Log Parser, which is something I'll have to play with. Too good features.

Posted December 04, 2012 at 2:30 AM | Permalink | Reply

p patowry

i have extracted data from my iphone 4 ios 6, got 4gb data but i have not found anything other than anything presently available in the phone, i wanted to know how to find deleted data

Posted December 04, 2012 at 7:21 PM | Permalink | Reply

Paul Henry

One quick question so I can frame my response: "Did you perform a logical or physical extraction?"

Posted December 06, 2012 at 4:10 PM | Permalink | Reply

IT Consulting Los Angeles

Well explained! Thanks.

Posted June 18, 2013 at 5:44 PM | Permalink | Reply

Marcus Alexander

I think the best way to keep business monitored is to track metrics through some innovative tools, and these days it's better to go mobile than the rest. I will give some of your favorite tools a try in the upcoming months and let you know. Thanks for the share, mate!
