Mobile Phone Forensics: Understanding Cellebrite Extraction Reports

By Jason Bergerson posted 03-17-2017 17:48


A smartphone from a key employee lands on your desk. What next?

From employment matters and intellectual property theft cases to Foreign Corrupt Practices Act violations and corporate fraud, mobile devices are the modern reservoir for key data in litigation and investigations. In fact, computer forensic examiners are seeing requests to extract and analyze smart phone data increase year over year. Yet, this new data source is uncharted territory for many legal and technology professionals working in law departments and law firms. Since it is only a matter of time before you face your first case involving a mobile device, take time now to understand the key technologies leveraged in a smart phone investigation.

What processes and tools are used to investigate mobile devices?

Drilling into a phone’s memory requires a certain level of process and technology expertise. This is especially true given the complexity of the device and the growing ecosystem of device types – from mainstream devices (such as iPhones and Androids) to legacy devices (such as flip phones and PDAs) and international devices (with varying power sources and geographical specific applications). Further, mobile device extraction attempts, including attempts to recover deleted content, will typically require passwords, PIN numbers or swipe patterns to gain access to the device. While mobile phone forensics is a fairly new discipline, an investigator needs a firm grasp on both the diversity of devices available in the market, as well as the security measures used specifically on phones.

A mobile phone investigation starts like any other investigation, with evidence handling best practices. Once a device is “in hand” and a chain of custody is underway, the investigator turns to technology to preserve data and begin the examination. Cellebrite is the one of the best known and widely used mobile device forensics tool for data extraction and analysis. The combination of Cellebrite software and hardware helps the investigator delve into the messages, phones calls, voicemails, images, browsing history and more contained on a smart phone chip.

What are the common reports generated by Cellebrite?

Cellebrite will generate a series of reports once the extraction is complete. The information contained in these reports is dependent on the types of data retained in the phone’s memory. Below are some of the key areas and examples of information that might be included in a typical Cellebrite report.

  • Device information: name, device type and version, serial number, phone number, Apple ID, accounts logged into, databases installed (e.g., GPS logging)
  • Call history: call logs, contact names and numbers, voicemail
  • Gallery: photos or videos taken with the phone, including locations where taken
  • Internet activity: browsing and internet search histories, including social media activity
  • Text communications: SMS, MMS, iMessage, Facebook Messenger, WhatsApp, WeChat
  • Other: custom apps installed, music files, movies, downloaded data (e.g., PDFs), wireless networks connected to the phone

It is important to appreciate the criticality of the data contained within the Cellebrite reports. In many scenarios, email communications, pictures placed in the cloud, and activity on social media sites will be available from other devices involved in the case, such as a laptop hard drive or corporate server. A seasoned investigator will concentrate on items that are unique to the mobile device, and not easily attainable from other sources, such as text messages and internet browsing history on the phone.

What limitations exist when extracting data from a mobile device?

When reviewing extraction reports during an investigation, remember this somewhat simpleton rule: the information that any mobile forensic tool can retrieve from a device depends on the device. What can be extracted from one device will not be the same across all devices because of the variety of operating systems and versions, memory chips and applications installed on the phone at that point in time. For example, mobile devices offer a variety of texting options, including SMS, MMS, Face Time, Messenger, and iMessage, among others. Each of these messaging options store content in different locations on the mobile device and function in a slightly different manner. This lack of standardization is confounding for forensic investigators and the case teams involved in the matter. As such, documenting the time and date of the extraction is critical, noting that the information obtained is dependent on a variety of highly variable factors.

How are these reports leveraged by a forensic investigator?

The Cellebrite reports will be a significant component of the case; however, the forensic investigator plays a key role in discerning the key issues at stake in the case and bringing meaning and context to the information generated from Cellebrite. For example, consider a workplace harassment matter where the involved employees’ mobile devices are thought to contain vital evidence. The forensic investigator will work to build an understanding of the facts and develop a timeline of events by piecing together chat messages, call logs, location metadata and image files from the phones. Each of the extracted Cellebrite reports are isolated from another and only through comparison of information, and an understanding of the situation’s details, can the investigator link them back together.

A sample screen capture from a text communication is provided below:
Sample Chat Report

The next time one of your matters involves a cell phone, smart phone, PDA, digital audio player or tablet, do not face the extraction of data from that device with apprehension. With the help of a seasoned forensics investigator, valuable information on today’s hottest (and yesterday’s oldest) handheld devices may be just be a click, swipe or post beneath your fingertips.

Jason Bergerson ( is the Director of Consulting Operations within the Consulting Services group at KrolLDiscovery. He is a technological professional with over 20 years of experience in computer forensics, data recovery and ediscovery.