how cellebrite`s ufed physical analyzer helps analyze chip

how cellebrite`s ufed physical analyzer helps analyze chip
Case Study
How do you forensically obtain data from a cell phone that can’t be unlocked, jailbroken
or rooted – that may even be badly physically damaged? That was a question Victoria
Police Detective Bob Elder faced recently, with an iPhone destroyed by an arrestee
in custody. Having smuggled the phone through a body search and into his holding cell
with him, the suspect smashed the phone when he saw police coming to confiscate it.
Det. Bob Elder, Victoria
(British Columbia, Canada)
Police Department
Use of Cellebrite UFED Physical
Analyzer to validate iPhone
data acquired during chip-off
forensic procedure
Part of proper forensic
methodology is to validate
tools used to acquire data.
UFED Physical Analyzer was
chosen for its powerful search
capabilities and reliability in
obtaining iPhone data
Physical Analyzer’s search
tools were able to locate even
more user data than manual
extraction methods
The Victoria Police Department is small, serving 300,000 residents with only 280 officers
and just two Detectives staffing its digital forensics unit. The unit sees about 300 mobile
phones a year, and has a 40-50 phone backlog at any given time. So even though it has
access to most of the mobile device forensic tools available, dumping the phones and
then getting evidence to bring to court can cost hours if the devices aren’t working right.
Enter Cellebrite UFED Physical Analyzer. Elder, a mobile device forensic expert, had
used the latest version of Physical Analyzer to acquire physical and file system dumps
from some locked iPhones that were pivotal in a drug trafficking case. Because it was
the only tool that would work on those phones at the time, Elder again turned to
Physical Analyzer to assist with this chip-off case.
As it turned out, not only would the broken phone not power on, but a nearby repair
shop said there was too much damage to put it back in working condition. For this
phone, as for others not accessible through typical means, Elder turned to a newer
data acquisition method: a “chip-off” RAW dump, which he has been involved with
researching and developing for some time.
Chip-off acquisition is a destructive process that involves unsoldering the phone’s
NAND\NOR\eMMC\etc. flash memory chip(s) from its board. “You can’t put the chip
back, so this is a last resort,” Elder warns, “only to be used when the phone is too
damaged or otherwise can’t be acquired in the usual ways, and when the phone’s data
is necessary for a high-profile case.”
Elder spent a month carving data from the iPhone chip, using another digital forensic
software program and HEX Editor with various types of scripts in order search for
specific keywords and file types. Elder also used a variety of other image and hex
carving tools to assist with the user data recovery.
“Data acquired via chip-off is fragmented because of how the NAND chip stores it,”
he explains. “To deal with bad blocks and limits on the number of writes possible on
the chip, flash memory uses a process called “wear leveling” and “garbage collection”.
This maximizes chip life by allowing writes to be evenly distributed across the chip, but
it also fragments the data.”
After manually locating the user data, Elder used Physical Analyzer to validate his
findings, including the date and time stamps. “On high profile cases, it’s important
to carve manually and then validate the findings using a secondary method”,
Elder explains.
In this case, he chose Physical Analyzer because of its search capabilities. “Those search
functions – including Python scripting; regular expressions; searches for strings, dates,
codes, numbers, ICCID, SMS formats, etc. – allowed me to locate other user data missed
during the manual process”, he explains. “That’s why it is always important not to
depend on one method of locating user data.”
Those search functions – including Python
scripting; regular expressions; searches for
strings, dates, codes, numbers, ICCID, SMS
formats, etc. – allowed me to locate other user
data missed during the manual process.
— Det. Bob Elder, Victoria (British Columbia, C
anada) Police Department
Chip-off acquisition is still in its infancy, but together with other unconventional
tools like JTAG and flasher box technology, promises to become important to mobile
examiners when the usual routes of data dumping just aren’t enough. Examiners who
use it need powerful tools, like Cellebrite Physical Analyzer, to help them comb through
badly fragmented data, supplement the other forensic tools needed in the process, and
validate everything they find for a successful conclusion to their cases.
Cellebrite is the world leader
in delivering cutting–edge
mobile forensic solutions.
Cellebrite provides flexible,
field–proven and innovative
cross–platform solutions for lab
and field via its UFED Pro and
UFED Field Series.
The company’s comprehensive
Universal Forensic Extraction
Device (UFED) is designed to meet
the challenges of unveiling the
massive amount of data stored in
the modern mobile device.
The UFED Series is able to extract,
decode, analyze and report data
from thousands of mobile devices,
including, smartphones, legacy
and feature phones, portable GPS
devices, tablets, memory cards
and phones manufactured with
Chinese chipsets. With more than
30,000 units deployed across
100 countries, UFED Series is
the primary choice for forensic
specialists in law enforcement,
military, intelligence, corporate
security and eDiscovery.
Founded in 1999, Cellebrite is a
subsidiary of the Sun Corporation,
a publicly traded Japanese
company (6736/JQ)
To learn more, visit
For more information contact sales
© 2015 Cellebrite Mobile
Synchronization LTD. All rights reserved.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF