Q. You have a matter that requires mobile image preservation and analysis of a client’s iPhone. You found and engaged a forensic examiner and, after a device image was acquired by the expert, you received a standard Cellebrite extraction report detailing the recoverable contents of the device. Now what?! The report is hundreds of pages long. How do I read this thing and explain the findings to my team?
A. Good question! The amount of recoverable information from a mobile device can be overwhelming. Combine the number of current and legacy device models with the massive number of mobile application data sources with the number of different mobile OS versions...and…you get the picture. Decoding, reporting, and understanding all this data can be daunting.
Chances are, you have already been challenged to recover and present data from a client’s smartphone. And also, just as likely, you have encountered the analysis and reporting solutions developed by Cellebrite for mobile device forensics. As a Cellebrite partner, we work closely with clients on how to preserve and utilize mobile device data in the most practical way for their discovery or investigation response. Not always the easiest task, given the complexity of mobile data sources.
In this post, we will focus on some of the most frequently asked questions about Cellebrite analysis and extraction reporting. Our purpose here is to help you gain a better understanding of how information is presented in the extraction report and what kinds of mobile device data can be recovered and analyzed.
Q. How do I interpret and use the provided Cellebrite reports? What information is presented?
A. Starting with the basics, as described in Cellebrite’s Physical Analyzer documentation, the standard extraction report contains a series of worksheet tabs or sections where you can browse critical information recovered from the device. You will see the baseline information about a device in the Extraction Summary tab. The following information is included:
- UFED Physical Analyzer version
- Report creation time
- Time zone settings (UTC)
- Case number
- Case name
- Evidence number
- Examiner name
- Device model
- Type of extraction
- Extraction start date/time
- Extraction end date/time
- Path to the extraction file
Information Tabs will include the following key sections:
Device Info: This tab provides a list of active and deleted information as well as SIM card information. The total amount of information displayed here will depend on the device manufacturer and device model.
Analyzed Data: This tab stores the bulk of information related to device features and usage. SMS message data, call log data, and other feature driven data sources are displayed here. Examples include:
- Personal information - Calendar, Call Log, Contacts, Notes, User Dictionaries, User Accounts
- Messaging items – Chats, Email, Instant Messages, MMS, SMS
- Web browser items - Bookmarks, Cookies, History
- GPS information – Fixes, Journeys, Locations
- Device information - Application Usage, Bluetooth Pairings, Cellular Locations, SIM Data, Wireless Networks
Data Files: This tree menu displays common format data sources found on the device. This information is divided in to categories of data sources:
Q. Deleted Item recovery: what are the possible scenarios for an entry to be marked "Deleted?" (Do entries show up as "Deleted" even if they were deleted from another device?)
A. Everyone’s favorite topic. Where’s the deleted stuff? We are regularly asked whether deleted items can be recovered from an iPhone and how those items are both stored and retrieved. As is the case with a traditional computer, when you delete a calendar appointment, contact from your list of contacts, chat, MMS or SMS message, note, picture or recording – these items are removed from view, marked for deletion and are often recovered from unallocated areas of the physical disk itself.
The difference on a mobile device is that the majority of deleted items are stored in unallocated areas of SQLite databases stored as files. Once the items are marked for deletion, they are simply moved to non-active or freelist page areas of the database and can be recoverable if they have not been overwritten.
The primary takeaway here is that a majority of deleted iOS data is recoverable if preservation is performed in a timely manner – even when physical disk imaging is not on option. Partially overwritten deleted data, while possibly not have the full data record nor as much corresponding metadata with them (e.g. date and time stamps), these deleted items can still be searched and recovered by the analyzing expert using specific criteria and can also be marked and highlighted in the accompanying extraction report.
Lastly, if the data was ever present on a device and then deleted – regardless if that data was deleted locally (using that phone), or with another device through a sync operation – the data, when deleted, would be placed in non-active or freelist page areas of the DBs through the same process.
Q. What SnapChat data is preserved in Cellebrite extraction reports?
A. Another popular communication app we are regularly approached with questions on concerns what kind of SnapChat data can be retrieved. While you may not think SnapChat leaves behind many traces, there is still data left behind on a device.
Recoverable iOS Snapchat data includes Chats, Contacts, and User Account data, including available metadata.
At the time of this article, videos and the pictures themselves are generally not recoverable from a mobile image. It’s important to note, however, that certain video and picture-associated metadata is recoverable (e.g. dates, timestamps, participants). Chat bodies associated with an image or video are also recoverable.
Q. How far back does "Source: Recently Contacted" information go? And why do some "Source: Recently Contacted" entries have Timestamps and others do not?
A. Yet another popular investigative topic, “who was contacted with this device and when?”.
On an iPhone, there are two databases used to show “Recent” data:
/var/mobile/Library/AddressBook/AddressBook.sqlitedb – This database contains entries shown in the “Recently Contacted” tab. It shows Contacts only and includes the “Last Time Contacted”.
/var/mobile/Library/Mail/Recents – This database contains all data that populates the “iPhoneRecentLog” tab for Chats, Contacts, Device Locations, Emails, and SMS and includes timestamps** for each of these categories except Contacts data (no Contacts timestamps here).
Put another way: Only one of the above databases (AddressBook.sqlitedb) shows timestamp data for contacts themselves. The other database (iPhoneRecentLog), contains timestamp data for every category in it EXCEPT contacts.
So, the answer here, is that each of these databases shows recent contact data, but only one of them show accompanying timestamps. Hence, the reason for some showing and some not – the information is coming from separate database locations with separate database schema. The reason “why” is an Apple design question.
As far as the timeline for these entries, 100 entries are shown on the iPhone itself. The list itself however, can grow indefinitely! And ‘Recents’ remain in the list database even if the contact itself is deleted.
Q. What do the various entries in the Journeys section indicate (some have coordinates, names, times, addresses, etc., and some do not)?
A. Where has this phone and its owner been and what happened there?
The “Device Locations" section of the report shows the locations found on the mobile device in various GPS related apps and do not necessarily reflect actual locations the device has been.
Specific to the “Journeys” entries, these items show mapped routes extracted from application data on the device (Apple Maps, for example) that include both, starting point and end point. Individual application entry metadata will vary from app to app and also depending on the iOS and app version.
Two primary files are used to extract journey information. One includes timestamps and the other does not as shown below:
/Applications/com.apple.Maps/Library/Maps/History.mapsdata - (iOS 7) - Does NOT include timestamps
/Applications/com.apple.Maps/Library/Maps/GeoHistory.mapsdata - (OS 8 - iOS 10) - Includes timestamps
Q. Under the Locations section, what do the various Category descriptions mean (iPhoneRecentsLog, Mail Content, Reminder Locations, etc.)?
A. You just can’t hide anymore…at least not with your smartphone! Common Applications and device areas containing location data are shown below:
- Apple Maps
- Find My iPhone
- Google Maps
- iPhone Maps
- Maps Search
- Media Locations
- Reminder Locations
- Wireless Networks
Location data in the Locations item is divided into the following categories:
- Cell towers
- WiFi networks
- Harvested Cell towers
- Harvested WiFi networks
- Media locations
- Wireless networks
“Locations" data is extracted from various areas on the mobile device in various GPS serviced apps as shown. It is important to note that this data does not necessarily reflect actual locations the device has visited. Several apps store GPS coordinates as metadata – some of which did not originate on the mobile device being analyzed. So, it’s important to note the source and/or the individual application populating the location data to determine its meaning and purpose.
If Geolocation Services are turned on and the application utilizes the services, these entries will be created in the “Locations” tab according to the application that was being used. Individual application entry metadata will vary from app to app and depending on the iOS and app version.
Q. What does Status "Unknown" mean in the SMS Messages section?
A. “Unknown” describes the iPhoneRecentLog entries extracted from:
As the name suggests, these entries amount to log data and do not contain any actual SMS or other message data - only its metadata – hence the 'Unknown' label for this category of information, as it can contain log entries for many different types or data.
Q. What data is provided in the Activity Analytics section? (what do the column headings indicate, and what is the meaning of duplicate entries?) A.
Analytics and correspondence mapping can be critical in an investigation.
As described in Cellebrite’s Physical Analyzer product documentation, Project Analytics enables you to view the extraction data in terms of the number of communication events between the device and other parties, identified by phone number, or other user identity (such as email address, Skype handle, and so on). The analysis enables you to easily and efficiently identify communication patterns between the device and other parties.
- Parties most communicated with via all types of communication methods.
- Parties most communicated with via phone calls, SMS, and MMS.
If the device user exchanged a large number of phone calls, SMS, and emails with a certain contact, it is easy to see the volume of this communication.
Communication events are listed by volume per type. The following communication events are currently supported:
- Phones - Lists outgoing, incoming, and missed calls, and sent, received, and draft SMS and MMS
- Emails - Lists emails sent, received, drafts, and emails of unknown status
- WhatsApp - Lists messages sent, received, and drafts
- Skype - Lists calls, SMS, and chat messages
- BlackBerry Messenger - Lists chat messages
Q. What formatting options do I have for receiving Cellebrite’s extraction reports?
A. Not everyone wants the same type of report. Depending on the data and how you want to use it, one report format may be better than another. Security can be applied to certain formats as well (MS Excel, Adobe PDF).
Cellebrite extraction reports can be created in the following formats:
- UFDR (creates an export that can be opened with Cellebrite’s accompanying UFED Reader application)
Q. Key POST Takeaways?
A. Hopefully you have gathered a bit of useful information in these questions and answers. These examples are just a small insight into the mobile forensics world. While this Q&A focused on recovery of data from an iPhone and iOS, there are clearly other operating systems (Android) with differing security features, storage schemas, and application sources.
One important item to remember: With the mountain of data that can be held on a mobile device, the more targeted you can be in your recovery requests to the forensic examiner, the more focused the reporting and extraction will be. A comprehensive report will be just that…a reporting of every data artifact on the device. So, don’t be surprised if a full device analysis report runs in to the thousands of pages!
And perhaps the biggest item to remember: Reporting output is variable and volatile across device types, OS levels and application versions. Mobile device applications, operating system designs, and storage schemas are continually changing with the delivery of new updates and releases. Staying current with these changes is critical for both the forensic examiner and the litigation support professional. ♦
Senior Forensics Consultant
Planet Data Solutions
About the Author:
Russ Capps is a certified digital forensics specialist with well over a decade’s worth of experience in information security, incident response, digital forensics, and eDiscovery. He provides expert level consulting services to law firms and corporations - specializing in computer and mobile device forensics, data acquisition, case consultation, incident response, identification and extraction of forensic artifacts, analysis and presentation of digital evidence and data recovery.
About Planet Data Solutions:
Planet Data proudly offers domestic and international eDiscovery solutions from managed services, consulting, data collection and mobile forensics - to ESI processing, ECA, advanced pre-review analytics, document review and hosting. We proudly partner with industry leaders in cybersecurity and managed document review services, giving our additional support where they need it most.
We are the creators of the Exego® technology, and the home of stress-free eDiscovery. Exego is the pillar of our eDiscovery solutions and has processed countless amounts of data since 2004. Our platforms provide clients with a sophisticated, yet easy-to-use set of tools, and come with a support staff of certified experts ready to assist.
We’ve assembled the best and most dedicated people in the industry to create a world class development team, a dedicated hosting team, and a squad of expert project managers that bring hundreds of cases of experience and a passion for problem solving to the table.
Planet Data Provides Solutions for:
- Cybersecurity Risk Assessments
- Second/ITC Requests
- Cross-Border Disputes
- Patent Infringement
- Financial Fraud Litigation
- Construction Litigation
- Mergers and Acquisitions
- Governmental and Internal Investigations
- Environmental Litigation
- Employment Litigation