Case Study
HOW CELLEBRITE’S UFED PHYSICAL ANALYZER HELPS ANALYZE CHIP-OFF DATA

How do you forensically obtain data from a cell phone that can’t be unlocked, jailbroken or rooted – that may even be badly physically damaged? That was a question Victoria Police Detective Bob Elder faced recently, with an iPhone destroyed by an arrestee in custody. Having smuggled the phone through a body search and into his holding cell with him, the suspect smashed the phone when he saw police coming to confiscate it.

WHO: Det. Bob Elder, Victoria (British Columbia, Canada) Police Department
WHAT: Use of Cellebrite UFED Physical Analyzer to validate iPhone data acquired during a chip-off forensic procedure
WHY: Part of proper forensic methodology is to validate the tools used to acquire data. UFED Physical Analyzer was chosen for its powerful search capabilities and its reliability in obtaining iPhone data.
RESULTS: Physical Analyzer’s search tools were able to locate even more user data than manual extraction methods.

The Victoria Police Department is small, serving 300,000 residents with only 280 officers and just two detectives staffing its digital forensics unit. The unit sees about 300 mobile phones a year and has a backlog of 40-50 phones at any given time. So even though it has access to most of the mobile device forensic tools available, dumping the phones and then getting evidence to bring to court can cost hours if the devices aren’t working right.

Enter Cellebrite UFED Physical Analyzer. Elder, a mobile device forensic expert, had used the latest version of Physical Analyzer to acquire physical and file system dumps from some locked iPhones that were pivotal in a drug trafficking case. Because it was the only tool that would work on those phones at the time, Elder again turned to Physical Analyzer to assist with this chip-off case. As it turned out, not only would the broken phone not power on, but a nearby repair shop said there was too much damage to put it back in working condition.
For this phone, as for others not accessible through typical means, Elder turned to a newer data acquisition method: a “chip-off” RAW dump, which he has been involved in researching and developing for some time. Chip-off acquisition is a destructive process that involves unsoldering the phone’s NAND\NOR\eMMC\etc. flash memory chip(s) from its board. “You can’t put the chip back, so this is a last resort,” Elder warns, “only to be used when the phone is too damaged or otherwise can’t be acquired in the usual ways, and when the phone’s data is necessary for a high-profile case.”

Elder spent a month carving data from the iPhone chip, using another digital forensic software program and a hex editor with various scripts to search for specific keywords and file types. Elder also used a variety of other image and hex carving tools to assist with the user data recovery.

“Data acquired via chip-off is fragmented because of how the NAND chip stores it,” he explains. “To deal with bad blocks and limits on the number of writes possible on the chip, flash memory uses processes called ‘wear leveling’ and ‘garbage collection’. This maximizes chip life by allowing writes to be evenly distributed across the chip, but it also fragments the data.”

After manually locating the user data, Elder used Physical Analyzer to validate his findings, including the date and time stamps. “On high-profile cases, it’s important to carve manually and then validate the findings using a secondary method,” Elder explains. In this case, he chose Physical Analyzer because of its search capabilities. “Those search functions – including Python scripting; regular expressions; searches for strings, dates, codes, numbers, ICCID, SMS formats, etc. – allowed me to locate other user data missed during the manual process,” he explains.
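As an added illustration (not code from the case study or from Cellebrite’s tooling), the following Python carver scans a small, constructed raw-dump image whose page order has been scrambled by wear leveling and which still holds a stale copy of an edited message that garbage collection never reclaimed, reporting every ICCID and SMS-style hit with its byte offset, page and decoded Apple absolute-time stamp so that each finding can be cross-checked against a second tool. The record layout, the 64-byte page size and all sample values are assumptions made for this example.

```python
import re
import struct
from datetime import datetime, timezone

PAGE = 64                 # constructed: tiny "flash page" so the sample stays small
COCOA_EPOCH = 978307200   # seconds between 1970-01-01 and 2001-01-01 UTC
# ICCID: 19-20 digits beginning with 89 (telecom major industry identifier)
ICCID_RE = re.compile(rb"(?<!\d)89\d{17,18}(?!\d)")
# Constructed record layout (assumption): SMS|<number>|<text>|<8 hex chars of Cocoa seconds>
SMS_RE = re.compile(rb"SMS\|(\+\d{6,15})\|([^\x00|\xff]{1,40})\|([0-9a-f]{8})")

def cocoa_to_utc(secs):
    """Decode an Apple absolute-time value (seconds since 2001-01-01) to ISO-8601 UTC."""
    return datetime.fromtimestamp(secs + COCOA_EPOCH, timezone.utc).isoformat()

def sms_record(number, text, unix_ts):
    """Build one constructed SMS record with its date stored as Cocoa seconds in hex."""
    return b"SMS|%s|%s|%s" % (number, text, b"%08x" % (unix_ts - COCOA_EPOCH))

def build_sample_dump():
    """Constructed raw dump, not real iPhone data: logical pages whose physical
    order was scrambled by wear leveling, plus a stale copy of an edited message
    that garbage collection never reclaimed."""
    current = sms_record(b"+15551234567", b"meet at 9", 1420070400)  # 2015-01-01 UTC
    stale = sms_record(b"+15551234567", b"meet at 8", 1419984000)    # 2014-12-31 UTC
    logical = [
        b"ICCID=8912345678901234567;".ljust(PAGE, b"\xff"),
        current.ljust(PAGE, b"\xff"),
        (b"\x00" * 8 + stale).ljust(PAGE, b"\xff"),
    ]
    return b"".join(logical[i] for i in (2, 0, 1))   # physical order on the chip

def carve(dump):
    """Scan the whole image regardless of page order; report each hit with its
    byte offset and page so findings can be validated with a secondary method."""
    hits = []
    for m in ICCID_RE.finditer(dump):
        hits.append({"type": "iccid", "offset": m.start(), "page": m.start() // PAGE,
                     "value": m.group().decode()})
    for m in SMS_RE.finditer(dump):
        secs = int(m.group(3), 16)
        hits.append({"type": "sms", "offset": m.start(), "page": m.start() // PAGE,
                     "number": m.group(1).decode(), "text": m.group(2).decode(),
                     "date_utc": cocoa_to_utc(secs)})
    return sorted(hits, key=lambda h: h["offset"])

if __name__ == "__main__":
    for h in carve(build_sample_dump()):
        print(h)
```

The stale and current copies of the same message carve out with different timestamps, which is exactly the kind of discrepancy that a timestamp validation pass with a second tool is meant to catch.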
“That’s why it is always important not to depend on one method of locating user data.”

Chip-off acquisition is still in its infancy, but together with other unconventional tools like JTAG and flasher box technology, it promises to become important to mobile examiners when the usual routes of data dumping just aren’t enough. Examiners who use it need powerful tools, like Cellebrite Physical Analyzer, to help them comb through badly fragmented data, supplement the other forensic tools needed in the process, and validate everything they find for a successful conclusion to their cases.

ABOUT CELLEBRITE
Cellebrite is the world leader in delivering cutting-edge mobile forensic solutions. Cellebrite provides flexible, field-proven and innovative cross-platform solutions for lab and field via its UFED Pro and UFED Field Series. The company’s comprehensive Universal Forensic Extraction Device (UFED) is designed to meet the challenges of unveiling the massive amount of data stored in the modern mobile device. The UFED Series is able to extract, decode, analyze and report data from thousands of mobile devices, including smartphones, legacy and feature phones, portable GPS devices, tablets, memory cards and phones manufactured with Chinese chipsets. With more than 30,000 units deployed across 100 countries, the UFED Series is the primary choice for forensic specialists in law enforcement, military, intelligence, corporate security and eDiscovery. Founded in 1999, Cellebrite is a subsidiary of the Sun Corporation, a publicly traded Japanese company (6736/JQ).

To learn more, visit www.cellebrite.com. For more information contact sales.
© 2015 Cellebrite Mobile Synchronization LTD. All rights reserved.