Many people use their cell phones for a variety of things: storing word documents, using programs, playing games, using the GPS for travel, and more. Many criminal cases involve some sort of mobile phone or device, either as part of the criminal activity or as a source of evidence of criminal activity. Mobile phones provide many different types of evidence, including pictures, videos, text messages, downloaded content, and the location of the phone during a crime, obtained through GPS location services or triangulation. It is beneficial to be able to prove that information was stored on a mobile device and where the phone could have been during the crime. Because technology, especially mobile devices, has advanced extremely fast, it is hard for law enforcement agencies to keep up; many don’t have the time or resources to train all of their employees on the forensic software and hardware used to forensically acquire mobile devices.
We have been assigned to create a guide and tutorials for a mobile forensics tool called Cellebrite. “With more 100,000 units deployed in 150 mobile carriers and retailers globally and with more than 250,000,000 transactions a year, Cellebrite has become a world leader in the mobile retail market” (http://www.cellebrite.com/company/about-cellebrite.html). Cellebrite supports more than 8,000 different phones at the time of this blog (http://bit.ly/13Makw8), and it is a tool that we have down here at the LCDI.
Cellebrite can extract various types of data from different phones, such as Short Message Service (SMS) text messages, Multimedia Messaging Service (MMS) text messages, images, contacts, call logs, videos, music, calendar data, voicemail, some application data, etc. Not every mobile device is supported by Cellebrite, and some devices that are supported don’t have full support for recovering all of the data from the phone.
With some phones, Cellebrite can also retrieve a physical image (Physical Extraction) of the flash memory or address range of a mobile device, including unallocated space. It can also extract the logical file system (File System Extraction) of a mobile device as a directory structure, but this does not include unallocated space or decoding for deleted files. A Physical Extraction can be retrieved from some of the supported devices, but most of the devices (not all) will only allow an investigator to retrieve a File System Extraction.
Over the course of this project we will be creating a training outline for a two-day course to teach local law enforcement how Cellebrite works and how to use it. For each section of the Cellebrite Training Course Outline, we will be making guides, how-to videos, and tutorials with pictures to help officers fully understand how mobile forensics works and how Cellebrite is properly used to obtain data from mobile devices. These materials will also give them information they can use in the field if they ever forget or miss a step.