
How To Use IEF and Cellebrite to Find More Evidence On Android Devices


This is the second blog post in a series of three about using IEF and Cellebrite to get more mobile evidence for your digital forensics investigations.

In my first blog post in this series, I discussed the desire among the mobile forensics community to find more mobile evidence, especially from third-party applications. Investigators seem to have image acquisition covered with tools like Cellebrite’s UFED, but want to know how to pull more third-party app evidence.

Here’s the workflow we recommend:

With this in mind, here are step by step instructions on how to use IEF and Cellebrite together to acquire and analyze Android devices including physical acquisitions, file system extractions and quick file dumps.

Physical Acquisition

To demonstrate the physical acquisition process, I chose to physically acquire a Samsung Galaxy S Relay 4G with our Cellebrite UFED (pictured below).

When doing a physical acquisition, the UFED will attempt to root the mobile device and image all the available data, including all partitions and unallocated space. To begin the acquisition process, connect the device to the UFED and select the correct device model. The Cellebrite system will then take you through a series of options, including defining a target location to store the retrieved data. Once all the options have been selected, the UFED will begin pulling data from the device. The mobile image is stored as raw data in fragmented .bin files, along with a .ufd file containing the case details.

Logical Acquisition

You might choose to do a logical acquisition of an Android device when a physical acquisition is not possible or not required. Starting with the Cellebrite UFED, you can choose “Extract Phone Data” or “File System Extraction,” depending on whether you want just the user files or the entire file system. As in the physical acquisition process, Cellebrite requires you to select the phone model and the output target.

For a file dump, you need to select which items you would like to copy (call logs, SMS, calendar, contacts, etc.) and Cellebrite will then upload software to the device, enabling it to pull down this data as a backup. To demonstrate a logical acquisition, I chose an HTC One and dumped the data to a USB stick. Once complete, the investigator is provided with a folder containing the data below.

For a file system acquisition, you will be given a .ufd file and a zip archive containing device contents.

Logical acquisitions and file dumps will pull quite a bit of data for the investigator; however, a physical acquisition is always recommended to maximize the recovery of any potential deleted data located in unallocated space.

Analysis with IEF

Now that you have acquired the UFED image, you can upload your data from Cellebrite to IEF to begin analysis. This process will differ slightly depending on the type of image you have acquired (physical, file system, or file dump). For a physical image, open IEF and select “Mobile.” Then choose the correct OS for your image (for our example, we will select “Android”), and click “Image”.

For the physical acquisition, you will find a folder with a number of .bin files and a .ufd file (as noted earlier). The .ufd file is used by the Cellebrite software to load up the case details and images. To analyze the image using IEF, you will need to access the .bin files. If the file is fragmented due to size, select the first one and IEF will automatically load the additional bin files.
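Before handing the fragments to any analysis tool, it is worth confirming that every segment is present and recording one hash over the whole stream. The following Python script is an added example (not Magnet's or Cellebrite's code): it orders the .bin segments numerically, refuses to continue if a segment index is missing, and hashes the segments as one continuous stream without writing a joined copy. The segment naming (image.bin, image.bin.001, ...) is an assumption for illustration; the real UFED naming may differ.

```python
"""Order, completeness-check and hash a fragmented raw Android image.

Added example, not Magnet's or Cellebrite's code. Segment naming
(<base>.bin, <base>.bin.001, ...) is an assumption for illustration.
"""
import hashlib
import os
import re
import tempfile

# Matches "image.bin" (index 0) and "image.bin.NNN" (index NNN); ignores the .ufd case file.
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.bin(?:\.(?P<idx>\d+))?$")


def ordered_segments(names):
    """Return .bin segment names in acquisition order, raising on a gap.

    Numeric ordering matters: a plain lexical sort can place .bin.10 before
    .bin.2 and silently corrupt the reassembled image.
    """
    indexed = []
    for name in names:
        m = SEGMENT_RE.match(name)
        if m:
            indexed.append((int(m.group("idx") or 0), name))
    if not indexed:
        raise ValueError("no .bin segments found")
    indexed.sort()
    actual = [i for i, _ in indexed]
    missing = sorted(set(range(actual[-1] + 1)) - set(actual))
    if missing:
        raise ValueError(f"fragment sequence has gaps, missing indices {missing}")
    return [n for _, n in indexed]


def sha256_of_segments(directory, names, chunk=1 << 20):
    """Hash all segments as one stream; returns (total_bytes, hex_digest)."""
    h, total = hashlib.sha256(), 0
    for name in ordered_segments(names):
        with open(os.path.join(directory, name), "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
                total += len(block)
    return total, h.hexdigest()


def build_constructed_fixture():
    """Write a small constructed acquisition (3 segments + .ufd) to a temp dir.

    Returns (directory, scrambled listing, SHA-256 of the correctly joined data).
    """
    d = tempfile.mkdtemp()
    parts = [b"\x00" * 4096 + b"ANDROID!", b"userdata" * 512, b"\xff" * 1000]
    names = ["image.bin", "image.bin.001", "image.bin.002"]
    for name, data in zip(names, parts):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    with open(os.path.join(d, "image.ufd"), "w") as f:
        f.write("[constructed case file]\n")
    return d, sorted(os.listdir(d), reverse=True), hashlib.sha256(b"".join(parts)).hexdigest()
```

Run against a real acquisition folder by passing its path and `os.listdir()` output to `sha256_of_segments`, and record the returned digest alongside the .ufd file in your case notes.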

If you performed a file system acquisition, you will need to locate and select the zip archive that was created by Cellebrite. IEF will then proceed to extract the archive and automatically begin searching the recovered contents.

Finally, if you chose to extract the phone data as a file dump, you will want to select “File Dump” instead of “Image” when completing the setup options, then browse to the folder containing the dumped data.

Once the desired image is loaded, we can then analyze it just like any other IEF examination. Be sure to select all the artifacts you wish to search for and include any case details relevant to your investigation. IEF will run its search and load the results into IEF Report Viewer for analysis.

From the Report Viewer, results will be sorted and categorized for the investigator. In addition to retrieving data from native applications, IEF will also pull artifacts from third-party apps installed on the device.

Find More Mobile Evidence When You Use IEF & Cellebrite’s UFED

Forensic investigators must be prepared to acquire images from a range of mobile devices and then analyze them to find both native and third-party app data. The more effective your workflow and toolset are at every stage of an investigation, the better your chances of finding more mobile evidence.

We challenge you to use your acquisition tool of choice (like Cellebrite’s UFED) with IEF, and see what you get!

As always, please let me know if you have any questions, suggestions or comments. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Here are some related resources you might be interested in:

  1. Read the next blog in our series: How to Use IEF and Cellebrite to Find More Evidence on iOS Devices
  2. See IEF’s Mobile Module in Action: Attend a Demo
  3. Try IEF and our Mobile Module for Free:

Jamie McQuaid
Forensics Consultant, Magnet Forensics
