Cellebrite dates and time issue

(@kevinspoon)
Posts: 15
Active Member
Topic starter
 

Left this message on another forum so if you have viewed and responded, bear with me. I am wondering if anyone else has had this problem.

I extracted info from a newer type razor phone with the UFED and my dates and times are 3 hours ahead. When I look at the device, the true times are there. I will probably have to break out the Projectaphone but was hoping to keep this phone off the network. The device pulls all of the info but the dates and times are off (text area).

How does one explain this to others?

 
Posted : 26/05/2009 4:37 am
(@trewmte)
Posts: 1877
Noble Member
 

> Left this message on another forum so if you have viewed and responded, bear with me. I am wondering if anyone else has had this problem.
>
> I extracted info from a newer type razor phone with the UFED and my dates and times are 3 hours ahead. When I look at the device, the true times are there. I will probably have to break out the Projectaphone but was hoping to keep this phone off the network. The device pulls all of the info but the dates and times are off (text area).
>
> How does one explain this to others?

kevinspoon, if UFED is giving you the result you have mentioned then it may be the way UFED is translating the data. In 1968 there was a case (doesn't matter the name of the case because the case itself wasn't in the US) but the principle that came from that case is "nothing lost in translation". The latter ideal in the principle does have universal appeal though when dealing with electronic evidence.

UFED may have lost in translation the correct detail in the data from the mobile phone exhibit if it has recorded a time stamp 3-hours ahead of the time stamp on the mobile. Moreover that would be unacceptable and would be analogous to EnCase imaging the date and time stamps on a Hard Disc Drive (HDD) and getting it wrong. No one would accept it, so no one should accept it when it comes to mobile telephone evidence.

Some observations

1) As standard you need to be using at least two readers for handset examination plus one manual examination

a) to conduct an integrity/accuracy check of data acquired when using reading devices/software
b) to identify anomalies and problems with a reading device
c) to conduct a full manual examination of the data on the mobile phone exhibit in order to determine/qualify a) and b) above.

2) For the purposes of examination/re-examination it is worth going through the user manual for the features on the make/model of mobile phone in question

Should you find that it is UFED misreading, then:

3) Go back to the manufacturer and ask them in writing to explain why their reading device has done this - you want the answer in writing and not a phone call, so nothing gets lost in hearsay. The reason for getting their comments in writing is that you cannot give evidence on what someone else verbally said to you as they won't be at court; the court wants to know what you know and how you dealt with the matter.

4) The written response from Cellebrite is not intended so that you can strike out at Cellebrite but you are going to need to demonstrate to the court your methodology and how you deal with matters when discrepancies occur.

My views above are just observations. I have slimmed down my views because I do not know how you conduct your examinations and want to avoid a "don't teach me how to suck-eggs" reply.

I have stopped here because you do not say what info it is that you extracted from the mobile phone that you say is 3-hours ahead - is it SMS text messages, call history or something else?

 
Posted : 27/05/2009 2:14 am
(@kevinspoon)
Posts: 15
Active Member
Topic starter
 

Thank you, Trewmte. Sent you a PM

 
Posted : 27/05/2009 4:13 am
(@forensicator)
Posts: 6
Active Member
 

The differences could be down to the GMT setting on the handset. The handset could be storing the data as GMT then depending on your GMT setting it will change the time visible on the handset + or - the number of hours.

 
Posted : 27/05/2009 8:13 pm
bigjon
(@bigjon)
Posts: 159
Estimable Member
 

I agree with forensicator.
Many phones store the time internally in GMT and the UFED probably also displays a GMT based time that is generally marked as (GMT) time.
The phone uses its GMT settings when it displays the time, thus the display time is adjusted (adding or subtracting the GMT offset).
This is most probably the case in your extraction.


 
Posted : 28/05/2009 11:43 am
(@trewmte)
Posts: 1877
Noble Member
 

I understand from the original poster that 2 days ago Cellebrite came out with an update to correct the matter.

Additionally, when talking with another Cellebrite user yesterday it was mentioned to me that they find with their reader that they have to constantly amend the output report to make adjustment for time inaccuracy.

 
Posted : 28/05/2009 12:36 pm
(@kevinspoon)
Posts: 15
Active Member
Topic starter
 

Thanks guys. I tried this with the new update but the problem still exists. I am looking into seeing if I can configure the GMT settings on this particular phone.

 
Posted : 30/05/2009 2:58 am
(@burratha)
Posts: 43
Eminent Member
 

Do you have the hexadecimal values for the times and dates? Maybe the UFED isn't taking the GMT offset into account (or miscalculating it) in the PDU?

 
Posted : 31/05/2009 2:01 pm
(@kevinspoon)
Posts: 15
Active Member
Topic starter
 

Can't thank you guys enough. Figured everything out. The machine was reading the phone's GMT without the offset, which is -4hrs. I spoke directly to the vendor and they too were very helpful.

 
Posted : 05/06/2009 5:17 pm
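
Added example, not part of any post above and not Cellebrite's code: a decoder for the 7-octet service centre timestamp in an SMS-DELIVER PDU (3GPP TS 23.040), which stores local time plus an offset from GMT in quarter hours, so an examiner can check a raw hexadecimal value by hand against both the handset display and a tool report. The sample value is constructed for a handset at GMT-4, and the two-digit year pivot is an assumption.

```python
from datetime import datetime, timedelta, timezone


def _bcd(octet: int) -> int:
    """Swapped-nibble BCD: the low nibble is the tens digit (0x90 -> 09)."""
    tens, units = octet & 0x0F, octet >> 4
    if tens > 9 or units > 9:
        raise ValueError(f"not a BCD octet: {octet:#04x}")
    return tens * 10 + units


def decode_scts(hex_str: str) -> datetime:
    """Decode a TP-SCTS field into a timezone-aware local datetime."""
    raw = bytes.fromhex(hex_str)
    if len(raw) != 7:
        raise ValueError("SCTS is exactly 7 octets")
    yy, mo, dd, hh, mi, ss = (_bcd(b) for b in raw[:6])
    tz = raw[6]
    negative = bool(tz & 0x08)      # sign bit sits in the tens semi-octet
    quarters = _bcd(tz & 0xF7)      # offset from GMT in 15-minute units
    offset = timedelta(minutes=15 * quarters) * (-1 if negative else 1)
    # Assumption: two-digit years 90-99 are 19xx, everything else 20xx.
    year = (1900 if yy >= 90 else 2000) + yy
    return datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone(offset))


def compare(hex_str: str) -> dict:
    """Show what the handset displays versus a report printed in GMT."""
    local = decode_scts(hex_str)
    utc = local.astimezone(timezone.utc)
    gap = (utc.replace(tzinfo=None) - local.replace(tzinfo=None)) / timedelta(hours=1)
    return {
        "handset_local": local.isoformat(),
        "utc": utc.isoformat(),
        "report_ahead_by_hours": gap,
    }


# Constructed sample: 2009-05-25 20:15:30 local time, offset -4h (octet 0x69).
SAMPLE = "90505202510369"

if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key}: {value}")
```

Recording the raw hex, the decoded local time and the GMT equivalent side by side lets the report show exactly where an offset was or was not applied.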