±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36738
New Yesterday: 0 Visitors: 138

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Cellebrite dates and time issue

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

kevinspoon
Member
 

Cellebrite dates and time issue

Post Posted: May 26, 09 04:37

Left this message on another forum so if you have veiwed and responded, bare with me. I am wondering if anyone else has had this problem.

I extracted info from a newer type razor phone with the UFED and my dates and times are 3 hours ahead. When I look at the device, the true times are there. I will probably have to break out the Projectaphone but was hoping to keep this phone off the network. The device pulls all of the info but the dates and times are off (text area).

How does one explain this to others?  
 
  

trewmte
Senior Member
 

Re: Cellebrite dates and time issue

Post Posted: May 27, 09 02:14

- kevinspoon
Left this message on another forum so if you have veiwed and responded, bare with me. I am wondering if anyone else has had this problem.

I extracted info from a newer type razor phone with the UFED and my dates and times are 3 hours ahead. When I look at the device, the true times are there. I will probably have to break out the Projectaphone but was hoping to keep this phone off the network. The device pulls all of the info but the dates and times are off (text area).

How does one explain this to others?


kevinspoon, if UFED is giving you the result you have mentioned then it maybe the way UFED is translating the data. In 1968 there was a case (doesn't matter the name of the case because the case itself wasn't in the US) but the principle that came from that case is "nothing lost in translation". The latter ideal in the principle does have universal appeal though when dealing with electronic evidence

UFED may have lost in translation the correct detail in the data from the mobile phone exhibit if it has recorded a time stamp 3-hours ahead of the time stamp on the mobile. Moreover that would be unacceptable and would be analogous to EnCase imaging the date and time stamps on a Hard Disc Drive (HDD) and getting it wrong. No one would accept it, so no one should accept it when it comes to mobile telephone evidence.

Some observations:

1) As standard you need to be using at least two readers for handset examination plus one manual examination:

a) to conduct an integrity/accuracy check of data acquired when using reading devices/software
b) to identify anomalies and problems with a reading device
c) to conduct a full manual examination of the data on the mobile phone exhibit in order to determine/qualify a) and b) above.

2) For the purposes of examination/re-examination it is worth going through the user manual for the features on the make/model of mobile phone in question

Should you find that it is UFED missing reading then:

3) Go back to the manufacturer and ask them in writing to explain why their reading device has done this - you want the answer in writing and not a phone call, so nothing gets lost in hearsay. The reason for getting their comments in writing is that you cannot give evidence on what someone else verbally said to you as they wont be at court, the court wants to know what you know and how you dealt with the matter.

4) The written response from Cellebrite is not intended so that you can strike out at Cellebrite but you are going to need to demonstrate to the court your methodology and how you deal with matters when discrepancies occur.

My views above are just observations. I have slimmed down my views because I do not know how you conduct your examinations and want to avoid a "don't teach me how to suck-eggs" reply.

I have stopped here because you do not say what info it is that you extracted from the mobile phone that you say is 3-hours ahead - is it SMS text messages, call history or something else?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

kevinspoon
Member
 

Re: Cellebrite dates and time issue

Post Posted: May 27, 09 04:13

Thank you, Trewmte. Sent you a PM  
 
  

forensicator
Newbie
 

Re: Cellebrite dates and time issue

Post Posted: May 27, 09 20:13

The differences could be down to the GMT setting on the handset. The handset could be storing the data as GMT then depending on your GMT setting it will change the time visible on the handset + or - the number of hours.  
 
  

bigjon
Senior Member
 

Re: Cellebrite dates and time issue

Post Posted: May 28, 09 11:43

I agree with forensicator
Many phones store the time internally in GMT and the UFED probably also displays a GMT based time that is generally marked as (GMT) time.
The phone, uses its GMT settings when it displays the time, thus, the display time is adjusted (adding or subtracting the GMT offset).
This is most probably the case in your extraction.


"  
 
  

trewmte
Senior Member
 

Re: Cellebrite dates and time issue

Post Posted: May 28, 09 12:36

I understand from the original poster that 2 days ago Cellebrite came out with an update to correct the matter.

Additionally, when talking with another Cellebrite user yesterday it was mentioned to me that they find with their reader that they have to constantly amend the output report to make adjustment for time inaccuracy.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

kevinspoon
Member
 

Re: Cellebrite dates and time issue

Post Posted: May 30, 09 02:58

Thanks guys. I tried this with the new update but the prob still exist. I am looking into seeing if I can configure the GMT settings on this particular phone.  
 

Page 1 of 2
Page 1, 2  Next