
Improving Your Mobile Forensics Workflow

This is the first blog post in a series of three about using IEF and Cellebrite to get more mobile evidence for your digital forensics investigations.

Finding and analyzing evidence found on mobile devices may be the most important skill today’s digital forensics examiner can possess. Mobile devices have ingrained themselves into our personal and professional lives; they have become our lifeline to the outside world and the primary way we connect with our networks. We exchange emails with colleagues, chat with friends, browse the internet, and even do our daily banking using applications loaded onto our smartphones and tablets. As a result, mobile devices (and the applications they contain) have become forensic goldmines of evidence, often more valuable than a suspect’s work or personal computer.

When it comes to your mobile forensics toolkit, you’ve likely become comfortable using tools like Cellebrite’s UFED to process most of your cases. Cellebrite is especially good at acquiring an image from an impressive range of device models, but how do you go about finding evidence from the important third-party applications loaded on them?

An Improved Mobile Forensics Workflow

Back in the spring of 2012, we heard rumblings among the forensics community that recovering evidence from a range of third-party applications on iOS and Android devices was difficult. The tools that were out there did a great job acquiring images from a variety of device models, but the capability to analyze those images and pull a range of relevant artifacts was missing. That’s when we decided to add a mobile module to our digital forensics software, Internet Evidence Finder (IEF), that would allow an investigator to run a search on a mobile image to look for hundreds of mobile applications.

Soon after the launch of our mobile module, customer feedback started rolling in. IEF’s new capabilities had changed customers’ mobile forensics workflow and enabled them to find more mobile evidence.

Here’s How They’re Doing It

Step 1:  Acquire a mobile image with Cellebrite UFED (or another acquisition tool)

Step 2:  Run IEF against the image – our automated search will look for 165+ types of mobile artifacts
*Whether you’re able to get a physical acquisition, a logical acquisition, or a file dump, IEF supports output from the UFED for many different devices, including iOS and Android devices.

Step 3:  Start analysis in IEF Report Viewer, where you can review search results that are organized by category and contain all of the important artifact fields

Step 4:  Export reports to share preliminary insights, or include them in your final forensics report of findings

To recap, here’s a workflow visual: [workflow diagram not reproduced; it summarizes Steps 1 through 4 above]

Why Should You Add IEF to Your Mobile Investigative Workflow?

Some people might question why they should incorporate IEF into their mobile analysis after the acquisition stage, as Cellebrite also gets data from third-party applications. The answer: each tool returns different results and specializes in different areas (as is the case with all of the tools in your kit). Cellebrite is the best solution for acquiring mobile images from a wide variety of devices, while IEF returns the most evidence from third-party applications used on the most common devices.

Here’s some recent customer feedback:

“We are currently using other mobile forensic tools, but they don’t recover the Internet-based apps, like BBM. I recently investigated a Samsung S4 mini, which displayed no BBMs; but with IEF, I recovered almost 7000 messages which cracked the case.”

“Generally, Physical Analyzer does a good job parsing out my chip-offs, but it can’t get video. IEF is able to grab video and does a better job with the Internet artifacts, especially Kik Messenger.”

The reality is you have to see it to believe it. We challenge you to use your acquisition tool of choice (like Cellebrite’s UFED) together with IEF, and see what you get!

In my next post in this series, I’ll show you exactly how to use IEF and Cellebrite to acquire and analyze Android devices to get more digital evidence, then move on to iOS.

As always, please let me know if you have any questions, suggestions or comments. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Here are some related resources you might be interested in:

  1. Read the next blog in our series: How to Use IEF and Cellebrite to Find More Evidence on Android Devices
  2. See IEF’s Mobile Module in Action: Attend a Demo
  3. Try IEF and our Mobile Module for Free:

Jamie McQuaid
Forensics Consultant, Magnet Forensics

