Cellebrite Spotlight: Interview with Director of the Research Group, Shahar Tal, Cellebrite


Shahar Tal – Director of the Research Group at Cellebrite –  has built an extensive and impressive career within the realm of R&D. Hailing from an elite military background, Shahar in his current role oversees Cellebrite’s research efforts to provide extraction-enabling solutions – for all devices of interest, including the most complex and challenging.

Read up on his career highlights, opinions on Cellebrite’s future in digital forensics as well as advice to newbies entering this technological sphere.

Have a question for Shahar? Leave us a comment below!

Shahar, you are the Director of the Research Group at Cellebrite. Tell us a bit about your role. What does a day in your life look like? 

In my role, I am responsible for Cellebrite’s research efforts to provide extraction-enabling solutions for all devices of interest. This core role within the company helps define what our products and services can do. Our unmatched research is one of our strongest differentiators, creating high expectations among our customers and colleagues. My job is to ensure that we continue developing unique capabilities to match these expectations. Luckily, I have several research teams made up of top talent that are dedicated to the task in each different research domain. They deserve a lot of the credit for the technical breakthroughs achieved at Cellebrite.

What does a typical day at the office look like?

Hectic – with dozens of ongoing research projects in various stages! One moment, you may hear cheers and excitement from one of the rooms, where researchers successfully discovered a new extraction method for a previously unsolved device; the next moment, you take part in a critical design review for the next UFED version, while simultaneously reviewing open issues and feature requests for five other projects. After lunch, I usually interview several candidates to join the research team, and then round up the team for a weekly follow-up of progress and status.

The most gratifying moments are when we receive customer feedback that praises both our technology and efforts, which enable them to solve a critical case that may happen to appear all over the news that week. This feedback is significantly rewarding, and contributes to the drive and motivation behind our work every day.

Can you tell us a little bit about what first sparked your interest in digital forensics? 

I am still a newcomer to the digital forensics field, and I learn from the experts and my peers at Cellebrite every day. Coming from a research background, my introduction and continued involvement in the digital forensics arena are incredibly interesting. I think it is crucial for a researcher to understand the needs and concerns of the end user, and that is why I personally follow and often respond in community forums and mailing lists.

Shahar, you hail from a military background. I can imagine that this is quite different from work in the private sector. Can you tell us how working in the private sector compares with the military life?

I have a history in elite army R&D units, and in many ways these years have provided the best training possible – by shaping the nature of my work and sharpening my skill sets. Working under tight schedules in an environment where product performance and reliability are absolutely critical, helps you sharpen your instincts and prioritize tasks accordingly. I am also delighted to have had the opportunity to work with some of the best talents in the world on extremely challenging projects.

When comparing, I find that the private sector brings many new aspects into play – where cooperation and outbound communication are legitimate and important facets of your role. I enjoy taking part in and interacting with the research community; I regularly attend and sometimes speak at conferences around the world. I welcome potential collaboration opportunities and keep an eye out for new developments in the field.

This year has been a big year for Cellebrite’s technologies. Which current trends in forensic computing particularly interest you, and what new challenges do you foresee in the future?

I believe the challenges of encryption are strongly influencing the forensic landscape already, and will continue to do so in the coming years. Full Disk Encryption has easily been the most significant mobile forensics game-changer since last year, in effect rendering chip-off/JTAG/ISP methods useless in all new devices. This landscape shift leaves on-device unlocking capabilities as the only alternative. Fortunately, this is where Cellebrite, as the forensics research leaders, have excelled throughout the years.

I also expect that we will continue to see device manufacturers implementing more layers, mechanisms and obstacles, further challenging evidence extraction. We see this today and witness the difficulty and resources invested per solution – which is increasing steadily.

And, moving forward – what does the future hold for Cellebrite? What can we expect to see over the next year or so? 

Cellebrite is making great strides in providing a complete digital intelligence portfolio. Our dominant extraction capabilities are only where it begins, and I think many law-enforcement and intelligence investigative practitioners will be excited about what’s coming next.

I expect to see us maintain our leadership in device unlocking services – being the first to provide the technology to unlock a newly released device, while simultaneously seeing our analytics platforms integrate into many agencies’ processes and infrastructure.

I think that we definitely have the ability to change people’s perspectives when it comes to mobile forensics. That is, to make people realize that a locked device is not a dead-end road, and that they can turn to Cellebrite – who can help them recover the most available data possible from locked as well as encrypted iOS and Android devices.

As you stated, you are a newbie of sorts to digital forensics. Do you have any advice for individuals who are just starting out in their digital forensics career? 

Be prepared for a rapid rate of change, and understand extraction challenges. Digital forensics is no longer restricted to decoding and analysis of data – examiners and responders from the lab to the field should have a deep understanding of what is possible to extract and under what conditions. Stay involved, read about technology and security research news, be prepared to learn something every day – this will give you an edge in a field where you can never learn enough.

Finally, when you’re not working, what do you like to do in your spare time? 

I enjoy spending time with my family, reading books and playing puzzle games with my young daughter. I am a serious basketball fan and a less-serious, mediocre player – on good days. My favorite team since childhood is Hapoel Jerusalem… and occasionally you may find me waking up at 03:00 AM to watch NBA matches.


Follow Shahar on Twitter: @jifa

What’s New in UFED 5.0: Q&A from Cellebrite’s Webinar

Earlier this month we hosted a webinar entitled, “What’s new in UFED Touch, 4PC, Physical Analyzer, Logical Analyzer 5.0?” The webinar provided attendees with insights on the latest features and capabilities introduced in version 5.0, including unique extraction capabilities such as a temporary root (ADB) solution for Androids, and detailed demos on merging multiple extractions into a single project, removing duplicates, and a new and effective validation process, as well as filtering out common images, and other industry-first capabilities that help you drill into the data that’s most crucial to your investigation.

During the webinar, we received an array of excellent, intuitive questions from participants. A selection of these questions, with corresponding answers, has been compiled into this blog.

The webinar is available for viewing at the bottom of this post.

Note: If you don’t see your question answered below, please leave a comment at the end of this post and we will try to provide you with an answer ASAP.

Q&A – Let’s begin!

Q: Which fields are used to determine duplicated messages for Chat, MMS and SMS?

A: We have a set of rules for deduplication. For the analyzed data (SMS, emails, chats), we identify key values for duplication for each model/content type, and based on those we remove duplicates and merge items. For data files (text, images, video and more), duplicates are identified by hash value calculation.

Q: After the deduplication process completes, are there any reports or items showing that there was a duplication?

A: You can find an indication of deduplication in any table in the UI. There is also a filter available for this information, and there is an indication in all report formats.

Q: Sometimes physical extractions of a single project contain duplicate messages due to garbage collection, etc.  Is there a way to detect and remove duplicates from a single project?

A: Indeed. Version 5.0 automatically removes duplicates within a single project/extraction as well.

Q: Is the application able to create a hash of the whole Image or project?

A: UFED Touch/4PC 5.0 creates a hash of the whole image of any physical extraction. UFED Physical Analyzer 5.0 enables you to review this MD5/SHA-256 value and validate/verify it.

Q: I see that you didn’t include merged data when you were going through the reporting feature. Is there a reason why you would include this information?

A: By default, the merged items are not included in the report, as we assume that the main items are the most important. You may change this default value and include the merged items as well.

Q: Is there a way to get a summary of all contacts that are on a phone?  The Contacts area doesn’t always capture the contacts from apps (i.e. Whatsapp, Viber, etc.).  I find that I need to extract SMS/MMS/Chats/CallLog and then combine the logs together for a contacts summary.

A: All contacts recovered are presented under the contacts node in the tree, including contacts recovered from 3rd party apps. We do plan to merge SMS, IM, MMS and chats (all messaging events) into a unified view; this is planned for one of the coming versions of UFED Physical Analyzer.

Q: Using the upgraded UFED Touch and Physical Analyzer, I have noticed that looking at results for a logical extraction for some phones, deleted data is shown. Can we actually get some deleted data during logical extractions now?

A: Deleted information from apps can be recovered as part of logical extraction.

Q: When you change the name of the extraction, does it change the name of extraction file that is placed in the folder?
A: No, the name change is only for viewing and reporting purposes.

Q: Since WhatsApp is now encrypted, can UFED 5.0 extract WhatsApp encrypted data?
A: Messages are encrypted while in transit; however, this does not affect data-at-rest (forensics) stored in the WhatsApp databases. On top of that, WhatsApp have recently started using a new encryption key – crypt9. We are working to provide a solution for this encryption.

Q: Can UFED Physical Analyzer 5.0 pull data (pictures and videos) from SnapChat, or only text messages?
A: For both iOS and Android devices, media files are extracted as well.

Q: Is there a specific order as to when you have to do the ADB and APK backup and downgrade?
A: It is recommended to use the APK downgrade as a last resort, after other extraction methods have been exhausted (including JTAG and chip-off), since it’s an intrusive method, which requires APK installation on the device.

Q: Why do some of the recovered passwords display as clear data, while most of them are encoded?

A: In many cases, the passwords are stored as tokens, which is why you can’t see clear data. Private data is stored encrypted as tokens. When the password is first entered, it is sent to the server for storage. Every time the password needs to be checked, the public-key-encrypted password is sent to the backend server and decrypted with the private key. In PA, you can see these encrypted values.

Q: If you use the time zone support, does it make any changes to the extraction or is it just for easier viewing?
A: It is for easier viewing and reporting; no change is made to the original.

Q: About the timestamp option, can you explain about the options in the settings? When does it prompt when device time zone is detected?

A: To automatically adjust timestamps to UTC+0, select the Automatically adjust timestamps to UTC+0 check box. This setting is recommended when working on multiple extractions so that all records will be presented according to the same adjusted time zone offset.

If a time zone is detected as part of decoding, a pop-up window is presented, suggesting that you automatically adjust the timestamps. Alternatively, you can change it in the general settings. When the Automatically adjust timestamps according to the device’s time zone check box is selected, all timestamps will be adjusted to the mobile device time zone, including report outputs.
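The deduplication and timestamp answers above interact when several extractions are merged: a message stored in device-local time in one extraction and in UTC in another only matches once both are adjusted to UTC+0. The sketch below is an added example, not Cellebrite code; the record layout, the key fields (party, UTC time, body) and the sample data are assumptions constructed for illustration, while files are matched by hash value as the answer describes.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample data: two extractions of the same handset (hypothetical layout).
EXTRACTION_A = {
    "utc_offset_hours": 2,  # timestamps stored in device-local time (UTC+2)
    "messages": [
        {"party": "+15550100", "local_time": "2016-03-01 14:05:09", "body": "Running late"},
        {"party": "+15550101", "local_time": "2016-03-01 14:07:30", "body": "OK"},
    ],
    "files": {"DCIM/IMG_0001.jpg": b"constructed-image-bytes-1"},
}
EXTRACTION_B = {
    "utc_offset_hours": 0,  # timestamps already stored as UTC
    "messages": [
        {"party": "+15550100", "local_time": "2016-03-01 12:05:09", "body": "Running late"},
        {"party": "+15550102", "local_time": "2016-03-01 12:09:00", "body": "Call me"},
    ],
    "files": {"cache/thumb_17.jpg": b"constructed-image-bytes-1",
              "DCIM/IMG_0002.jpg": b"constructed-image-bytes-2"},
}

def to_utc(local_time, offset_hours):
    """Convert a device-local timestamp string to an ISO 8601 UTC+0 string."""
    naive = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return aware.astimezone(timezone.utc).isoformat()

def merge_extractions(extractions):
    """Merge extractions; a duplicate is kept on its main item under 'merged'."""
    messages, files = {}, {}
    for index, ext in enumerate(extractions):
        for msg in ext["messages"]:
            utc = to_utc(msg["local_time"], ext["utc_offset_hours"])
            key = (msg["party"], utc, msg["body"])  # assumed key values
            if key in messages:
                messages[key]["merged"].append(index)
            else:
                messages[key] = {"party": msg["party"], "utc": utc,
                                 "body": msg["body"], "source": index, "merged": []}
        for path, content in ext["files"].items():
            digest = hashlib.sha256(content).hexdigest()  # file identity = hash value
            if digest in files:
                files[digest]["merged"].append((index, path))
            else:
                files[digest] = {"sha256": digest, "path": path,
                                 "source": index, "merged": []}
    return list(messages.values()), list(files.values())

if __name__ == "__main__":
    msgs, data_files = merge_extractions([EXTRACTION_A, EXTRACTION_B])
    for item in msgs + data_files:
        print(item)
```

Keeping the duplicate's origin on the main item, rather than discarding it, is what allows a report to show that deduplication took place.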


Spring Ahead and See What April Has in Store for Cellebrite: A snapshot of Cellebrite’s April 2016 events

Spring is here and April 2016 is an exciting, action-packed time for Cellebrite. We will be participating in a multitude of events around the world – hitting every one of the globe’s hemispheres. Meet us in Zagreb, Rio de Janeiro, London, Orlando, among other leading international hubs, where our subject-matter experts will present the UFED product line, providing live demos and delivering presentations on hot industry topics for security and law enforcement markets, alike.

Take a look below and see a snapshot of our April events. We hope to see you somewhere around the globe – soon!

April 5, 2016: DATAFOCUS 2016 International Conference on Digital Evidence, Zagreb, Croatia

Cellebrite is springing into April with the DATAFOCUS 2016 International Conference on Digital Evidence in Zagreb, Croatia. DataFocus is a one-day conference with two tracks, aimed at both lawyers involved in cases that include digital evidence and investigators whose everyday jobs entail digital forensic investigations.

Don’t miss the Cellebrite speaking engagement under the umbrella, “UFED Series: Cellebrite Mobile and Cloud Forensic Solutions” – entitled, “Unparalleled Extraction and Analysis Capabilities, Optimized for the Lab and Field.”

April 12-14, 2016: LAAD Security 2016, Rio de Janeiro, Brazil

Next on our April schedule, Cellebrite will be exhibiting at LAAD Security 2016, Riocentro in Rio de Janeiro, Brazil, from April 12 – 14, 2016. LAAD Security – Public and Corporate Security International Exhibition – brings together Brazilian and international companies in the industry of security, equipment, services and advanced security technologies.

Come by our booth number F.22, Hall 4, where we will be showcasing our many solutions that are sure to accelerate your investigations – anytime, anywhere.

April 19 – 20, 2016: Forensics Europe Expo, London, UK

Moving towards mid-April, Forensics Europe Expo, the only international event dedicated to forensic technology, will bring leading UK and International forensics professionals together to network, learn, and source new products and innovations.

Come and say hi to Cellebrite at booth number 1-C27, and learn about our products and solutions via live demos, among other hands-on sessions.

April 19-22, 2016: National Law Enforcement Training on Child Exploitation (NLETCE), Atlanta, GA, USA

Across the pond, Cellebrite is slated to take part at NLETCE, where subject-matter experts will be providing cutting-edge training on a wide range of trending and important topics. In addition, there will be over 240 lecture and hands-on computer workshops designed specifically for local, state, tribal and federal law enforcement personnel and prosecutors who are responsible for combating child exploitation. To learn more about Cellebrite’s role in combating sexual extortion, together with INTERPOL, read our case study here:

April 25-27, 2016: National Cyber Crime Conference, Norwood, MA, USA

Back by popular demand, for its fifth year, the Massachusetts Attorney General’s Office is hosting the 2016 National Cyber Crime Conference, to be held April 25-April 27 in Norwood – and Cellebrite will be there in full force. The conference will feature three tracks of instruction: a track for prosecutors, a track for investigators and a track for digital evidence forensic examiners. Each track will have multiple breakout sessions featuring instruction from nationally recognized experts in the field of cybercrime. All participants will be provided with an opportunity to receive hands-on instruction.

Drop by our booth number 10, where we will showcase recent developments and demonstrate how Cellebrite’s mobile forensics solutions can help solve crime.

April 26-28, 2016: IACIS (The International Association of Computer Investigative Specialists), Orlando, FL, USA

Heading into the final stretch of this busy month of April, Cellebrite will be present at IACIS, a non-profit corporation composed entirely of volunteer computer forensic professionals dedicated to fostering and perpetuating educational excellence in the field of forensic computer science. The audience will comprise professionals from the Federal, State, Local and International Law Enforcement community, as well as the business/commerce and academic communities. Stop by and meet the Cellebrite team!

April 26-28, 2016: Youth Technology and Virtual Communities Conference Bond University, Gold Coast, Australia

With the theme Prevent, Protect, Prosecute, the Youth Technology and Virtual Communities Conference will provide attendees with the latest developments, strategies and challenges across all facets in the collaborative effort to fight crimes against children. The conference is aimed at practitioners in the fields of law enforcement, prosecution, education, child protective services, social work, children’s advocacy and therapy who work directly with child victims of crime. In a testimonial video, hear how Detective Jim Bolt of ASP Security Services used Cellebrite’s UFED Physical Analyzer to recover deleted images as evidence in a case related to child abuse.

Come visit us at our booth down under and learn how Cellebrite’s technical and training solutions accelerate investigations.

Visit our website to learn more about our events.