Platinum sponsor Cellebrite: Labs on mobile forensics best practices, and the latest tools

August 16, 2011

Do you know how that cell phone in your hand actually works? If not, how do you know your mobile forensic tool will get the data you expect? How about that iPhone or Android — do you know what’s really involved with a physical acquisition on these devices?

Cellebrite will be offering multiple mobile forensic labs, both on its own and in conjunction with training partner Sumuri Forensics, on these topics and more. We talked with instructors Keith Daniels, Ronen Engler, and Steve Whalen about what they’ll be offering in September:

Best Practices in Mobile Forensics

One of the most misunderstood aspects of mobile forensics, according to Cellebrite director of training Keith Daniels, is the need for investigators to understand the device from which they’re trying to retrieve data.

“Get the device’s manual from the FCC,” says Daniels. “Log on to an investigative community like [conference Bronze sponsor] Teel Technologies’ Mobile Forensics Central. That’s where investigators talk about phone features and limitations, the hoops you have to jump through to get the phone to communicate with the forensic device.”

Doing so can mean all the difference between getting the correct data in the correct way, and having to take the time to snap photos of each of the phone’s screens. But that’s not all that’s at stake. Daniels points to the Laci Peterson homicide, in which mobile device evidence was crucial.

“Scott Peterson is on Death Row. Fifteen years from now in a new trial, will the original investigators remember case details, or even be available to testify? But if they have the manual, they’ll be able to testify as to what phones could do in 2003, what his particular device was capable of, and why that evidence was relevant to the case.”

Other practices besides knowing the phone:

  • Taking the phone off the network — and understanding the dangers of not doing so.
  • Creating the right folder structure. “Some investigators use more than one forensic tool, so the right folder structure will segment the evidence according to the tool that retrieved it,” says Daniels.
  • Thinking outside the box. “The phone can be physical evidence as well as containing digital evidence,” says Daniels, referring to a homicide in which gunshot residue was found on a cell phone.

“Remember,” Daniels adds, “the defense will attack not the evidence itself, but the way it was obtained. Doing your due diligence will elevate your credibility and your position in court.”

Basic and advanced UFED work

Authorized Cellebrite trainer Steve Whalen, Managing Director and co-founder of Sumuri Forensics, will show how the UFED tool puts these best practices to work in his two introductory labs, one each on the UFED and the Physical Pro. “We’ll do a brief overview of each tool and its important features, with examples so that the students can learn hands-on how it all works,” he says.

But the training won’t only be about what buttons to push. Instead, it provides the background of why investigators push those buttons, the way the unit functions and how it applies to forensic methodology.

“So-called ‘push-button’ forensics is not a problem as long as the examiner understands the device’s basic functionality and what it’s doing to perform the extraction,” Whalen says. “It’s not about how hard or easy the tool is to use; tools can be validated. It’s about following the basic forensic principles that everyone should follow.”

In fact, Whalen says, the UFED’s simplicity is a benefit toward this goal. “The basic UFED Logical lab will show how the UFED extracts information from within the device’s filesystem, such as the call logs, and interprets the directory structure.

“The Cellebrite Physical Pro lab will show how the device extracts both the logical filesystem, and the physical data — the bit-for-bit copy including unallocated space on the chip. We’ll also cover the variety of search functions in Physical Analyzer, including regular expressions, predefined search patterns like 7-bit SMS strings, and GREP,” Whalen says.

“Physical Pro simplifies the process of making a physical image of a mobile device, which significantly increases the amount of evidence that can be located,” Whalen adds. “Because Cellebrite takes the time to ensure its tools’ processes are as un-intrusive as possible, more users can acquire physical data without having to resort to non-forensic hacker tools like flasher boxes, which can ruin evidence if used the wrong way.”

What does all this add up to? Time saved, says Whalen, explaining that the UFED is a standalone unit and doesn’t rely on a good or bad installation of forensic software, or whether that software communicates properly with the device. “Debugging a comm port can take time and increases the chance of hair loss as the examiner troubleshoots the device and/or the computer,” he says. “The UFED saves that time.”

A deep dive into iPhone and Android physical extractions

The final block of Cellebrite instruction will be a “deep dive” into physical forensic exams, as students work with locked iPhones and iPads without having to jailbreak the device. Cellebrite engineering product manager Ronen Engler and Daniels will demonstrate the Physical Pro’s password bypass, along with its data parsing capabilities and a newer feature: decoding for encrypted iPhones, including the iPhone 4.

Decoding will also be demonstrated for BlackBerry. “We showed this in June at the Mobile Forensics Conference,” says Engler, “and we will show it again in Indian Wells.” The decoding process is for physical data recovered during the chip-off process.

Finally, students will be able to see dumps of Android devices using four different methods, two of which, says Engler, are unique to Cellebrite. “We’ll also show how to bypass the pattern lock on an Android without modifying the device,” he adds. (These details are covered more in a recent blog post by mobile forensic tool reviewer Christopher Vance.)

And he and Daniels will discuss the ability to dump Chinese knockoff devices. “The UFED supports logical extractions from more than 150 Chinese clones,” says Engler. These include iPhone, Nokia, Motorola, Samsung and LG knockoffs.

Just getting into mobile device examinations, or want to take your exams further into physical extractions? Register for our conference and be eligible to sign up for these labs!


Our 2011 Case of the Year winners: A web of interconnectedness

August 10, 2011

A lot of things stood out about this year’s Case of the Year, People v. Zumot in Palo Alto, Calif. Those things were enough to get the case featured in major mainstream news media, including Dateline NBC and ABC’s 20/20. For us, though, it was all about the networking that HTCIA was founded to promote.

The networking started when Palo Alto Police Det. Aaron Sunseri contacted Tracy Police Det. Kipp Loving, HTCIA Central Valley chapter president and a member of both the Sacramento Valley Hi Tech Crimes Task Force and the FBI’s Sacramento-based Cyber Crimes Task Force. Sunseri needed help analyzing the iPhone call detail records of a suspect and victim in a domestic violence homicide. Loving, who had trained Sunseri on cell phone evidence collection, had worked extensively with such records.

But Sunseri needed a level of expertise that Loving, with his own full-time caseload, couldn’t provide. Loving referred Sunseri to Jim Cook, a wireless telephony expert in Modesto who uses Microsoft MapPoint to help juries visualize mobile call details: what suspect and victim call patterns look like in the time leading up to, during and after the incident; where and how far they traveled in those times, based on the cell towers that managed their calls or text messages; and how those patterns relate to other evidence.

Even so, there was one piece of evidence that neither Sunseri nor Cook could access: deleted text messages. Although Sunseri had brought the iPhone to Jonathan Zdziarski, a New Hampshire-based iPhone expert who had developed a forensic iPhone imaging methodology, he needed someone in the Bay Area who could recover the data from the forensic images.

Neither the task force local to Palo Alto nor the FBI’s Regional Computer Forensics Lab (RCFL) could help. Meanwhile, James Eichbaum, then a detective with the Stanislaus County Sheriff’s Department and Cook’s fellow Central Valley HTCIA chapter officer, had been working with Loving to recover deleted iPhone text messages related to a homicide in Loving’s jurisdiction. Aware of that work, Cook referred Sunseri to Eichbaum.

“I had been analyzing the iPhone SMS database file to try and figure out how to find them in the deleted space on the phone,” says Eichbaum. “Once I figured it out, I recovered thousands on [Loving’s] homicide and then went to Guidance Software’s EnScript course to learn how to write my own script. I then used that script on the Palo Alto phones, which worked, and I recovered the 74 texts they were looking for, along with 39,000 others.”

From there, the text messages went back to Palo Alto, where Sunseri and his sergeant, Con Maloney, read each one, parsing them for content and sentiment. They also worked with Cook to establish which messages were sent from where, and what it all meant to the case. Together, using the messages and the call detail records, they were able to differentiate between messages that the victim herself had sent before her death, and those that her killer had sent in an effort to give himself an alibi. (This process is outlined in more detail in a Law Enforcement Technology article from May 2011.)

But the networking wasn’t just important as investigators built their case. It also came into play during trial preparation, as investigators presented their findings to Deputy DA Chuck Gillingham. “I give kudos to Chuck, who took all the information that Jim and Jon and I gave him, understood it quickly and asked the questions he needed to help the jury understand it,” says Eichbaum.

The investigators’ working relationships helped again when the defense called the evidence into doubt. As noted in Law Enforcement Technology:

Geragos also attacked Cook’s assertion that the phones had traveled together at all. To refute that, Eichbaum used GPS data from the mobile devices to verify Cook’s methodology and establish his credibility. “GPS data overlaid on a Google Map worked as a rebuttal to the defendant’s claims,” says Eichbaum.

Cook adds: “It was very satisfying to see the jury visualize, grasp and understand the truth in the data we presented. Our maps, call detail records, text messages and other forensic evidence corroborated everything that other witnesses had already testified to. We just helped the jurors put the puzzle pieces together in their own minds.”

Ultimately, says Eichbaum: “It took a lot of resources to get this job done. Everyone needed to steer each other in the right directions to get to the resources we needed.” He credits the connections made over the years via HTCIA, as well as via the training that he, Cook and Loving all provide law enforcement in their area and beyond.

Cook and Eichbaum will be bringing their expertise to a lecture and labs they’ll be teaching in Indian Wells. Join us and help support their hard work!


iOS Wi-Fi access point verification, smartphone geolocation and other mobile forensics content from Gold sponsor Oxygen Forensics

July 14, 2011

Forensic acquisition of smartphones is one of the most important investigative needs today. The more consumers adopt the robust computing power of iPhone, Android and like mobile operating systems, the more evidence available to law enforcement, corporate and legal investigators.

This is why Russia-based mobile forensics software provider Oxygen Forensics specializes in smartphone forensic acquisition. Co-founders Oleg Fedorov and Oleg Davydov are offering a full day of pre-conference training along with their planned lecture and hourlong Vendor Showcase on these topics.

Verification of Wi-Fi access points data for Apple iOS

Fedorov and Davydov will be co-presenting a lecture on the morning of Tuesday, September 13. “Every iOS device stores a list of Wi-Fi networks it has ever been connected to,” says Fedorov. “This list contains the name of the network, its MAC address and the timestamps for the first and last connections.”

Certain techniques allow investigators to calculate each Wi-Fi network’s approximate geographical coordinates, and from there, the device’s position at the time of connection. However, Fedorov and Davydov caution that investigators may not be able to trust all the coordinates they get.

Their lecture will cover what investigators should know about Wi-Fi access point types, as well as other sources of geolocation information and how to carve Wi-Fi network information if the history has been deleted. They’ll also cover timestamp verification and even anti-forensics for jailbroken devices.

Geolocation, according to Fedorov, will be the topic of discussion at Oxygen’s Monday night Vendor Showcase, slated to run from 5:30 to 6:30pm. Android, Symbian and (time permitting) BlackBerry devices will be covered together with Apple devices.

Pre-conference training: Advanced techniques in Forensic Examination of Smartphones and Cell Phones with Oxygen Forensic Suite

In June, Oxygen announced that its Forensic Suite v3.4 is the first tool ever to enable full Android physical acquisition via root access. This demonstration will be among topics covered at its one-day training class on Saturday, September 10.

“We focus on smartphones, therefore the main topics will be Apple, Android, Blackberry, Symbian and Windows Mobile devices,” says Fedorov. The training will also discuss certain models of Nokia, Sony Ericsson, and Samsung cell phones.

Designed for forensic investigators at all levels of expertise, this bring-your-own-laptop training will discuss the main advantages and disadvantages of current mobile forensic procedure, as well as Oxygen Forensic Suite’s advanced features.

It will use case studies to demonstrate these features and issues, “small tasks where students have to find evidence, determine phone geoposition at the given time and so on,” says Fedorov. “Prizes are famous Russian Matreshka dolls.”

Learn more and register for the pre-conference training at Oxygen Forensics’ site; register for the HTCIA conference here. We look forward to seeing you in September!


This spring: Upcoming events

March 15, 2011

Throughout March, April and May our chapters will be hosting a number of training events — both regular meetings and regional conferences — and they’re looking forward to seeing members and non-members alike.

In March

On Tuesday, March 15 our Central Valley (CA) chapter will be hosting W.R. McKenzie, a Stanislaus County deputy district attorney. McKenzie will address a number of frequently asked questions about legal aspects of high tech investigations, including:

  • sexting, sextortion and sexual harassment via mobile phone
  • cell phone searches
  • discussion of 528.5PC (California’s penal code regarding impersonating another via the Internet)
  • discussion of 637.7PC (another penal code regarding GPS and the private citizen)
  • non-law-enforcement searches of workplace computers
  • Q & A

The meeting will start at 11:45 am at the Stanislaus County Sheriff’s Department; lunch will be provided for members and their guests.

On Wednesday, March 16 our Western Canadian chapter will host Jason Smith, Account Executive for Guidance Software. He’ll be providing their views regarding the direction of forensics and forensic investigations over the next few years. As part of the presentation Guidance will also be providing a demonstration of their Cybersecurity product for proactive auditing and incident response. This product will be of definite interest for the members in private industry and law enforcement facing increasing demands by management to reduce or eliminate security incidents through proactive measures.

The meeting will begin at noon at the Nexen building in Calgary.

Wednesday, March 16 will also see our Florida chapter’s meeting. At the FDA building in Plantation, Bob Masterson of Windward Development will run through some Basic Linux Forensics. The meeting starts at 9am.

On Thursday, March 17, our Atlanta chapter, in conjunction with the Atlanta chapter of the American Society for Digital Forensics and eDiscovery (ASDFED), will be hosting AccessData Group for a discussion of:

  • eDiscovery from a practitioner’s perspective
  • legal review & case data management
  • forensic investigations
  • the future of threat detection

The meeting will run from 10:30am – 1pm at the AIU Atlanta campus, located at 500 Embassy Row.

On Tuesday, March 22, our Northeast chapter will host a series of three presentations:

Cyber Situational Awareness through Graph Mining. Tina Eliassi-Rad, an Assistant Professor at the Department of Computer Science at Rutgers University, will outline applications of graph mining to various problems associated with cyber situational awareness. In particular, the presentation will discuss Eliassi-Rad’s work on (1) traffic profiling in the presence of encryption and obfuscation, (2) anomaly detection in volatile networks, and (3) the vulnerability measure of a network and the shield value of a host in the network. Time permitting, the presentation will detail a linear-time algorithm with a 94% success rate in identifying Web-based attacks.

Responding To Advanced Persistent Threat Intrusions: Effective Tools, Tactics, and Protocols for Enterprise Intrusion Investigations. Stephen Windsor, who leads Booz Allen Hamilton’s Digital Forensics and Incident Response Team, will focus on effective incident management, investigative techniques, indicators of compromise and how to find them in the enterprise, and ultimately, remediation and risk mitigation techniques. He will follow this up with a conversation on developing an enterprise APT risk mitigation strategy.

Securing Your Mac. Waldo Gonzalez, a detective with the New York City Police Department Computer Crimes Squad, will give a step by step presentation about how investigators should secure and lock down their Macintosh computers from physical and network threats. Although the Mac OSX operating system is considered to be safer because viruses are mainly geared towards the Windows environment, it is still important to secure.

The meeting will run from 9:30 AM – 3:00 PM at Booz & Co. Inc., 101 Park Avenue in Manhattan. It will also be available via WebEx. See more details, including RSVP information, at the Northeast chapter website.

Between March 29 and April 1, the Minnesota chapter will be holding its 9th annual spring conference. Designed for security managers, law enforcement, county and state attorneys/prosecutors, corporate security investigators, homeland security administrators, students pursuing a forensics degree and others, the conference will feature lecture tracks on common investigative problems, three excellent keynote speakers, and breakout hands-on sessions. See our earlier blog post for many more details!

April meetings

On Wednesday, April 13th, our Arizona chapter will meet from 9:00 a.m. to 12:00 p.m. at the Tempe Police Department – Apache Substation. Featured speaker, InfinaDyne’s Paul Crowley, will present on CD/DVD forensics with CD/DVD Inspector version 4.1 and digital video indexing with Vindex. Meeting attendees will receive a disc containing trial versions of each application. (Remember: these tools will also be available free to all international conference participants!)

On Thursday, April 14 from 9:00am – 12:00 noon, our Delaware Valley chapter will host Michael L. Levy, Assistant United States Attorney and Chief, Computer Crimes, who will speak on recent developments in the law regarding the seizures and searches of computers. In addition, Leonard Deutchman, General Counsel and Administrative Partner of LDiscovery, LLC, will speak on theft of trade secrets and confidential information from the corporate perspective.

On Friday, April 15, our Northeast chapter will hold its monthly meeting from 9:30 AM – 3:30 PM. Speakers and topics are to be announced, but you can plan to attend at St. John’s University, NYC Campus. Learn more at the chapter website.

On Tuesday, April 19, our Ottawa chapter will be hosting John R. Schafer, PhD for a talk on Psychological Narrative Analysis (PNA). A new technique based on scientific research, PNA is a professional method that detects deception in both written and oral communications. It applies to social and professional environments, and is a passive technique that can benefit law enforcement officers, attorneys, and psychologists alike as they interview subjects.

Held at Toronto’s BMO Institute for Learning, in person or via a live webcast, the meeting will run from 1-3:30 PM. For more information and to register, please visit the website at

In May

Our Michigan chapter’s next meeting is scheduled for May 11. From 10:00 AM to 12:00 noon, Joel Weever will present a “Malware Economy Update”. The meeting will be at the Troy Police Department.

And in Ottawa on May 26, our chapter is organizing a one-day training event, “From the Beginning.” Designed for first responders, the session will bring together subject matter experts in various fields to give you an updated view of the challenges faced by today’s first responders under different conditions.

The agenda will include:

  • The legal aspects and challenges for proper collection of digital information
  • Corporate responsibility when faced with a requirement (internal or external) to produce digital evidence
  • Current practices relating to computing systems – hard wired, mobile, networked or “in the cloud”
  • Critical data to collect and how to collect it while maintaining its integrity

In addition you will have an opportunity to question our subject matter experts relating to your specific circumstances.

Questions about any of these events? Visit the websites linked from this post, and find contact info there. You can also leave a comment below, and we’ll get back to you with the right contact information.

Call for Speakers: 2011 International Training Conference & Expo

January 7, 2011

In just about eight months, we’ll be gathering at the Renaissance Esmeralda Resort, Indian Wells, CA for our annual International Training Conference & Exposition. As always, the object of our organizing committees is to provide the best possible training on the latest topics in high technology crime, by the best speakers available. To this end we are looking for speakers for the conference in the following areas (not an exhaustive list):

  • Cloud computing
  • Mac Forensics
  • Memory acquisition and analysis
  • Live Forensics
  • Cell phone Forensics
  • Windows 7 Forensics
  • Imaging
  • File structures
  • Your latest successes
  • Social Networking
  • E-Mail analysis
  • E-Discovery
  • Legal issues
  • Lock picking
  • GPS analysis
  • Artifacts of any kind
  • Linux Forensic tools
  • Linux System Analysis
  • Tape Forensics
  • Photo Forensics
  • Printer Forensics
  • Accounting packages
  • SQL Analysis
  • Network and TCP/IP
  • Social Networks for Law Enforcement (Twitter, MySpace, Facebook)
  • Managing Incident Response/Investigations
  • Vehicle black box forensics
  • Emerging Laws re: eDiscovery-ESI
  • eDiscovery – new legal issues/Working with Attorneys
  • Advanced Issues of Email & Web Mail
  • Collecting internet evidence
  • Investigation of social web sites (MySpace, Facebook, Twitter etc.)
  • Managing Investigations – criminal and civil
  • Network Device Forensics (Log Files from network device) Router
  • Court Room Testimony techniques
  • Financial Crimes – Tax Evasion & Money laundering
  • International Trends – Situations – experience
  • White Collar & Corporate Investigations
  • Legal Issues – Civil & Criminal
  • Legal Mock Trial
  • Memory – court decisions
  • Human Resources Department Internal Investigations
  • Case Studies – criminal investigations (breaches, identity theft)
  • Case Studies – civil
  • Report Writing for Forensic Examiners
  • Report Writing for Investigations

If you would like to lecture on any of the above topics, or have one of your own, please contact Program Chair Jimmy Garcia at

Finding the right tools for the job: Mobile Forensics Inc.’s Lee Reiber talks training

September 8, 2010

Teaching two of our cell phone labs in just two weeks is Lee Reiber, owner and lead trainer with Mobile Forensics Inc. One of the pioneers of cell phone forensics – he’s been involved with mobile forensics training since 2005, and bought MFI just as the industry started to take off the following year – Reiber will be presenting two 2-part labs in Atlanta:

  • Cellular phone examination fundamentals using automated tools (with Chris Sanft of AccessData)
  • Beyond the tool! Do you really care? And why you should

Details about these labs are on the MFI blog. Meanwhile, we talked with Reiber a little about his teaching style and also about AccessData’s new MPE+ scheduled to launch at our expo:

HTCIA: What do you like best about training, and why?

LR: I like the interaction as opposed to just standing up there and talking. I like the feeling that after the day or the week is done, I have contributed something to law enforcement. When you have done the research, and you have information to share with a class, and you see the lightbulb come on and students say things like, “I never thought of it that way before!” that is very gratifying.

HTCIA: What do you like to see from your audiences?

LR: Lightheartedness. Enjoy the class, don’t take everything too seriously. This is where interaction makes a class different from a lecture!

In fact, my favorite classes are often those where students are required to be there. They have this “Why am I here?” look on their faces – so I start making fun of them. This is what cops do and what they expect!

I do think I have an advantage from having a background in law enforcement. I was a sworn Boise officer for 15 years, 10 of which I worked in digital forensics, and that perspective – my personal experiences with investigations – helps law enforcement students especially relate to me better.

The key is to get them talking about their own experiences, so that we can all learn from each other. Even so, many times students do not want to talk. Sometimes, like in a foreign country, there’s a language barrier and they’re afraid of saying something the wrong way. Other times, they don’t want to sound stupid.

But I’ve found that treating students with respect and understanding, as peers rather than students, and in a way that shows I’m learning from them too, gets us over that hurdle.

HTCIA: How long have you been an HTCIA member? What do you like best about the organization?

LR: I’ve been a member since about 2004. I like the networking and the training opportunities I get through our local chapter. The Idaho chapter is very good about getting information to those members who cannot make their meetings, which helps.

I also appreciate the opportunities I have had to travel to other chapters, especially for teaching, and the knowledgeable people I’ve been able to meet as a result. That network becomes a pool of resources that will be invaluable if you use it!

HTCIA: Tell us more about Mobile Phone Examiner Plus and how it fits in the mobile examiner’s toolbox.

LR: I have always taught [AccessData’s Forensic ToolKit] FTK in my classes, teaching students how to take the data they get from BitPim or Cellebrite UFED or Susteen SecureView and forensically analyze it.

MPE+ makes all that easier. It’s not “married” to FTK, but it allows FTK to do things with file systems that it can’t with data acquired by other tools. Because MPE+ is such an easy fit with FTK, it allows for easier evidence parsing.

That’s important because it furthers our goal of changing examiners’ view of “push button” forensics. Some “push button” is necessary to make the job easier, of course. But we want to make people look beyond automation to find artifacts on different file systems – we want to take mobile forensics to the level of computer forensics, where you’re not just dumping data but also analyzing it to nail down that “smoking gun” data.

Right now MFI is offering one-day training on MPE+, just like we do on GPS forensics, BitPim, Oxygen and other tools. But we do plan to include it in a portion of our training alongside Cellebrite UFED, Paraben Device Seizure and Susteen SecureView.