How to validate a cellebrite extraction

12 Posts
6 Users
0 Likes
3,301 Views
 CCSO
(@ccso)
Posts: 23
Eminent Member
Topic starter
 

Seeking advice on how to validate a Cellebrite extraction using Physical Analyzer.

 
Posted : 15/05/2018 1:42 pm
(@jahearne)
Posts: 35
Eminent Member
 

You can see if you can get the same results with a different tool.
https://www.forensicmag.com/article/2011/03/validation-forensic-tools-and-software-quick-guide-digital-forensic-examiner

or you can reach out to Cellebrite to see if they have any documentation.
https://www.cellebrite.com/en/services/advisory-services/
I'd be interested in that!

John

 
Posted : 15/05/2018 3:56 pm
 CCSO
(@ccso)
Posts: 23
Eminent Member
Topic starter
 

Thanks John. That's what I do now, by using a different tool to compare. I was hoping someone here would be able to provide a link that shows the Cellebrite way.
I can't find any webinar or instructional video!

 
Posted : 15/05/2018 4:03 pm
(@jahearne)
Posts: 35
Eminent Member
 

I'll see what I can find…

 
Posted : 15/05/2018 4:07 pm
(@bostoncelltech)
Posts: 5
Active Member
 

If you go to the NIST website, they actually have validation tools that you can use. You can find the tools and other helpful guidelines (US) here:

https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt

The Scientific Working Group on Digital Evidence (SWGDE) also has guidelines for how to best perform validation. In addition to NIST, they also suggest validation tools from the Defense Cyber Crime Institute (DC3), located here:

http://www.dc3.mil/technical-solutions#tools-validations

Hope this was helpful

 
Posted : 15/05/2018 7:39 pm
(@bostoncelltech)
Posts: 5
Active Member
 

Also for additional verification/validation, Cellebrite lists the hash values for each new release of the software with the release notes that they send to your email when advising you of the new release. You should also be able to find that stuff on mycellebrite.com and access your account-support.

NIST also has the following reference material on validation/verification that you can review

Mobile Device Test Tool Assertion and Test Plan

And in 2016 Homeland Security produced their own report regarding validation test results (benchmarking I guess) for UFED4PC v4.2.6.5. Obviously it is a couple of years old but nonetheless should bolster any assertions you may make regarding the tool itself.

 
Posted : 15/05/2018 7:46 pm
(@cs1337)
Posts: 83
Trusted Member
 

I took the Cellebrite training course and during the training they let you know that Cellebrite collections are not forensically sound.

Depending on the type of the extraction method it could be storing the md5 hash just in the XML and the files are all loose and can be meddled with on the destination media.

My instructor recommended putting the extraction into a forensic image format (AD1 or L01), using a different tool and comparing, and the hand-scroll method.

Let me know if you have any further questions; I can look in the books they provided for their documentation on the subject.

 
Posted : 17/05/2018 2:45 am
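The point above about hashes living only in the XML while the files sit loose on the destination media suggests one concrete check: re-hash the loose files and compare them with what was recorded at extraction time. The script below is an added example, not code from Cellebrite or from anyone in this thread. The manifest format it reads is a constructed, simplified XML used only to illustrate the check; it is not the real UFED report schema, and the sample folder it builds (with one altered file, one missing file and one extra file) is constructed test data.

```python
"""Re-hash the loose files of an extraction folder against the hashes recorded
in a manifest, so tampering or copy errors on the destination media show up.

Added example. The manifest below is a constructed, simplified format for
illustration only; it is not Cellebrite's real UFED report schema."""
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed manifest: relative path + MD5 of each file as recorded at extraction time.
# The digests are the real MD5s of b"hello", b"" and the quick-brown-fox sentence.
SAMPLE_MANIFEST = """<manifest>
  <file path="databases/mmssms.db" md5="5d41402abc4b2a76b9719d911017c592"/>
  <file path="databases/contacts2.db" md5="d41d8cd98f00b204e9800998ecf8427e"/>
  <file path="media/DCIM/IMG_0001.jpg" md5="9e107d9d372bb6826bd81d3542a419d6"/>
</manifest>"""


def md5_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 so large media files need not fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(xml_text: str) -> dict:
    """Map each listed relative path to its expected lowercase MD5 hex digest."""
    root = ET.fromstring(xml_text)
    return {el.attrib["path"]: el.attrib["md5"].lower() for el in root.iter("file")}


def verify_extraction(manifest: dict, root_dir: Path) -> dict:
    """Return a status per path: 'ok', 'mismatch' (content changed), 'missing'
    (listed but absent) or 'unlisted' (on disk but not in the manifest)."""
    results = {}
    for rel_path, expected in manifest.items():
        target = root_dir / rel_path
        if not target.is_file():
            results[rel_path] = "missing"
        elif md5_of(target) == expected:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    # Files that appeared after extraction deserve the same scrutiny as altered ones.
    for found in root_dir.rglob("*"):
        if found.is_file():
            rel_path = found.relative_to(root_dir).as_posix()
            if rel_path not in manifest:
                results[rel_path] = "unlisted"
    return results


def demo() -> dict:
    """Build a constructed extraction folder in which one file was altered,
    one listed file is missing and one unlisted file was added, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        on_disk = {
            "databases/mmssms.db": b"hello",                                           # untouched
            "media/DCIM/IMG_0001.jpg": b"The quick brown fox jumps over the lazy cat",  # altered
            "notes.txt": b"examiner scratch notes",                                    # not in manifest
            # databases/contacts2.db is deliberately not written -> 'missing'
        }
        for rel_path, content in on_disk.items():
            target = root / rel_path
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return verify_extraction(parse_manifest(SAMPLE_MANIFEST), root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

Run against a real extraction, the only parts to swap are the manifest parser (to match whatever the tool actually writes) and the root folder; the hash comparison and the "unlisted" sweep stay as they are. Re-hashing with a second, independent tool before and after imaging the folder to AD1/L01 gives the same evidence in a form that is easier to present.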
 CCSO
(@ccso)
Posts: 23
Eminent Member
Topic starter
 

Cellebrite does that as a disclosure. Nothing is 100% in the mobile forensic field for more than one day lol. Thanks for all the suggestions, I just wanted some input on what others were doing to validate Cellebrite extractions besides the old-fashioned way. Thanks again for everyone's input!

 
Posted : 17/05/2018 12:24 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

One thing I have done is look at the databases that are extracted and then compare the results that are parsed in Cellebrite.

For example, if the SMS messages came from the mmssms.db, export the database. You can use a SQLite database browser, locate the message, and look at the timestamps. Decode them using a decoding tool like DCode by Digital Detective (free tool, by the way; saved me a lot of heartache in the past) and compare to what Cellebrite parsed. If they match, then you are able to validate the results in Cellebrite.

Within Physical Analyzer there is a database browser. I just prefer to use a tool outside of Cellebrite for the validation. I would do this for about 2 or 3 text messages.

If a picture has metadata, you can export out the picture. Then look at it in a tool that allows you to see the metadata. Compare it to what Cellebrite reported. If they match, then you are able to validate the results in Cellebrite. I would do this for 2 or 3 pictures.

All of this can be done in under a half an hour.

 
Posted : 17/05/2018 1:21 pm
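The SMS step described above (export mmssms.db, read the raw timestamp, decode it independently, compare with the parsed result) can be scripted so the same two or three spot checks are repeatable. The script below is an added example, not code from Cellebrite, DCode or anyone in this thread. It assumes the Android convention that the `date` column of the `sms` table holds milliseconds since the Unix epoch in UTC; both the in-memory database it builds and the "tool-parsed" rows it compares against are constructed sample data, with one row deliberately off by a few hours to show what a mismatch looks like. The picture-metadata step is not covered, since reading EXIF needs a third-party library.

```python
"""Cross-check SMS timestamps parsed by a forensic tool against the raw values
in the extracted mmssms.db. Added example; not Cellebrite's or DCode's code.

Android's telephony provider stores sms.date as milliseconds since the Unix
epoch (UTC). The database rows and the 'tool-parsed' rows below are
constructed sample data, not output from a real extraction."""
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_android_ms(ms: int) -> str:
    """Turn an Android millisecond-epoch value into a readable UTC string."""
    return (UNIX_EPOCH + timedelta(milliseconds=ms)).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for an exported mmssms.db with only the columns needed here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO sms VALUES (?, ?, ?, ?)",
        [
            (1, "+15551230001", 1526391720000, "running late"),  # 2018-05-15 13:42:00 UTC
            (2, "+15551230002", 1526400000000, "call me"),       # 2018-05-15 16:00:00 UTC
            (3, "+15551230003", 1526396400000, "ok"),            # 2018-05-15 15:00:00 UTC
        ],
    )
    return conn


# Constructed rows as a parsing tool might report them. Row 3 carries a wrong
# time on purpose (a three-hour offset, the kind of local-time slip to look for).
TOOL_PARSED = [
    {"id": 1, "address": "+15551230001", "timestamp": "2018-05-15 13:42:00 UTC"},
    {"id": 2, "address": "+15551230002", "timestamp": "2018-05-15 16:00:00 UTC"},
    {"id": 3, "address": "+15551230003", "timestamp": "2018-05-15 12:00:00 UTC"},
]


def compare_sms(conn: sqlite3.Connection, parsed_rows: list) -> list:
    """For each tool-parsed row, decode the raw database value independently and
    record whether sender and timestamp agree with what the tool reported."""
    report = []
    for row in parsed_rows:
        hit = conn.execute(
            "SELECT address, date FROM sms WHERE _id = ?", (row["id"],)
        ).fetchone()
        if hit is None:
            report.append({"id": row["id"], "match": False, "reason": "not in database"})
            continue
        db_address, db_ms = hit
        db_time = decode_android_ms(db_ms)
        match = db_address == row["address"] and db_time == row["timestamp"]
        report.append(
            {"id": row["id"], "db_time": db_time, "tool_time": row["timestamp"], "match": match}
        )
    return report


def demo() -> list:
    """Build the constructed database and compare it against the tool-parsed rows."""
    conn = build_sample_db()
    try:
        return compare_sms(conn, TOOL_PARSED)
    finally:
        conn.close()


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

To use it on a real export, point `sqlite3.connect` at the exported mmssms.db and fill the parsed rows from the tool's report; if the tool reports local time, convert to UTC before comparing, since a constant offset across every message points at a time-zone setting rather than a parsing error.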
 CCSO
(@ccso)
Posts: 23
Eminent Member
Topic starter
 

Awesome idea! Trying it now thanks!

 
Posted : 17/05/2018 1:44 pm