Introducing Cellebrite’s new mobile forensics solutions for lab and field

Today we’re excited to launch two new ways for law enforcement, military, and private-sector investigators to approach investigations. Our suite of mobile forensic solutions relies upon tried-and-true, flagship UFED technology together with a couple of newcomers designed to unlock the intelligence of new and disparate mobile data sources and extend investigative capabilities to the field so that actionable information can be qualified and shared quickly.

The new offerings are founded upon insights gleaned in our recent mobile forensics trends and predictions survey. Among them, 60% of respondents indicated that more data stored off the device and on the cloud was of major concern to them, while 80% of respondents reported experiencing some level of device backlog in the last year.

The UFED Pro Series, designed for forensic lab practitioners, and the UFED Field Series, designed for field personnel, each respond to those and other concerns by optimizing data extraction and analysis capabilities by role—and unifying investigative workflows between lab and field.

In other words, field-level investigators now have a way to obtain a simple data preview capability, enabling them to access actionable data without having to wait for a lab, while lab-level investigators can use specialized tools to tackle a larger swath of visible, hidden, deleted, and cloud-based private data, when a situation demands.

The UFED Pro Series comprises Cellebrite’s flagship UFED Ultimate together with UFED Link Analysis and, when appropriate, the all-new UFED Cloud Analyzer in two solution sets: UFED Pro CLX and UFED Pro LX. The integration allows examiners to unify disparate data for easier analysis, helping to bring key insights to the surface quickly.

The UFED Field Series, an integrated software and hardware solution comprising UFED Field IX and UFED Field ILX, allows field-level personnel to perform simple, efficient data extractions onsite via in-car workstations, laptops, tablets, or our new secure, self-service UFED InField Kiosks at stations or other locations. This frees forensic specialists to move beyond basic evidence collection and focus on more complex analytical work.

Both solution sets include user and data management controls that forensically preserve evidence, maintain chain of custody through the unified workflow, and promote device owner privacy by filtering data by date, time, and/or content types to focus only on what’s most relevant to an investigation.

Learn more in our press releases about the new UFED Series solutions, including the UFED Pro Series and the UFED Field Series, and be sure to leave us a comment should you have any questions!

Visit with Cellebrite at upcoming events this July

July will be a busy month for us, as we present at four shows in the United States and Brazil. Read on for details about our talks regarding best practices for effective mobile forensics, data analytics, mobile forensics and school safety, and our latest contributions to the mobile forensics workflow:

July 9-10: SANS DFIR Summit

Join us tomorrow and Wednesday at the Omni Austin Hotel Downtown for the 2013 SANS DFIR Summit. Tomorrow from 12:30pm – 1:45pm we’ll be holding a Lunch & Learn in the Lone Star room – Ballroom Level. There, forensic engineering product manager Ronen Engler will discuss “Using Data Analytics to Focus and Streamline Forensic Exams.”

Both Tuesday and Wednesday we’ll be available at our booth in the Capital Ballroom Foyer – Ballroom Level. Join us there as well!

July 14-16: NASRO

Current case law supports searches of student mobile devices when school officials have a reasonable suspicion that the student has violated school policy, or the law. At the National Association of School Resource Officers (NASRO) Conference, we’re offering an exhibitor demo on best practices, data analytics and the documentation SROs need to communicate their methods to school administrators, parents and students.

Join us on July 16 from 11:20am – 12:00pm on L4 – Level 1 of the Rosen Shingle Creek Hotel in Orlando, Florida, where sales engineer Lee Papathanasiou will detail what data might support or disprove allegations of bullying, assault, drug abuse, dating violence, property crimes and even school violence. We’ll also be available to talk at Booth #11 in the Panzacola F Ballroom – Level 1.

July 16-18: NATIA

The National Technical Investigators’ Association (NATIA) gives exhibitors three days in their week-long conference, and we’ll be at the Memphis Cook Convention Center (Memphis, Tennessee) in Booth 344 offering demos of UFED Link Analysis, UFED Touch and other products.

We’re also presenting a 2-hour lecture session on two days: July 16 from 5-7pm, and July 17 from 10am – 12pm. In “Secure, Extract, Analyze, Act – Best Practices to Seize, Process and Follow the Data Where It Leads,” forensic sales director Keith Daniels and forensic engineering product manager Ronen Engler will help you understand the best practices that help you build stronger cases and better credibility, as well as how to get more meaningful leads that you can put to work right away in an investigation.

July 23-25: ISS World LATAM

ISS (Intelligence Support Systems) World Latin America is the world’s largest gathering of Latin American law enforcement, intelligence and homeland security professionals. At this conference, Cellebrite LATAM’s Nicolas Mauricio Wernicke will be presenting on the latest ways we are “Revolutionizing Mobile Forensics.”

Are you attending any of the above events? Be sure to visit with us once you’re there!

How the past 6 months have shaped mobile forensics trends: MFW 2013 panel

Since releasing our “Trends in Mobile Forensics” white paper in January, the industry has continued to rocket forward. In just six months, some of our panelists’ predictions have remained accurate—and others have arisen. Watch the video to learn more, and keep reading for some additional highlights (and presentations) on mobile apps, evidence validation and gang suppression, among other things:

Mobile forensics as its own subspecialty

David Papargiris, director of digital forensics at Evidox Corp., believes that mobile forensics is becoming its own discipline because phones are so much more complex. For example, even three years ago, malware on mobile devices was unheard of. In addition, Papargiris believes that issues like apps and chip-off extractions are a good reason for mobile forensics to be a separate discipline.

Heather Mahalik, mobile forensics technical lead with Basis Technology and a SANS Certified Instructor, noted that specialization is already happening among defense contractors. In her lab, hard drive forensic specialists don’t handle mobile devices at all and vice versa.

Her team’s ability to specialize has led them to methodology like chip-off extractions, which are most handy on devices damaged by water, bullets or explosives, devices whose locks can’t otherwise be bypassed, and so on. “We rely heavily on tools like UFED to parse the data,” said Mahalik.

However, because these specialists go deep–“sector by sector”–on the devices they do examine, parsing is a “huge issue,” said Mahalik. She questioned whether examiners are fully aware of what they might be missing after they get their data and print a report. “What if a third-party app is the only way [your suspects] communicate?” she asked. “The tool needs to obtain that data.”

Asked what her caseload is like, such that her 4-person team can fully analyze every handset, Mahalik responded that priorities are ranked—and not every device that comes in is processed. “Knockoffs and simple phones are easy because we know exactly where to look,” she explained, while iPhones – especially those containing apps – can take a few weeks.

Dan Morrissey, a sergeant with the Sacramento County Sheriff’s Department, questioned whether mobile forensics was progressing to a point where chip-off extractions—still considered by many to be “hacking” despite efforts to legitimize it within the forensic community—become less popular than wiretapping. “Encryption is getting better, so if [evidence is] not intercepted in transit, we don’t get it,” he explained.

Even so, Papargiris pointed out, while encryption tools like BitLocker led to the same thought process, the forensic community ultimately overcame the issues with better technology and live acquisition.

John Carney, chief technology officer at Carney Forensics, agreed that specialization appears to be a trend. However, he also pointed out an apparent trend towards the integration of computer and mobile forensics.

That fit with an observation from audience member (and 2012 panelist) Shafik Punja, a Calgary, Alberta, Canada police officer, who pointed out that mobile forensics’ foundation remains in the bits and bytes and binary data derived from computer forensics, making the original discipline an important “fallback” to dealing with mobile devices.

Apps are another rich source of data that may require specialist skills, such as Python programming. Learn more in Mr. Carney’s presentation on the subject:

A need for analytics beyond data

The days when all an examiner had to do was dump the phone and give a report are going away. That’s because at one time, asking for everything on a phone was doable; today, storage is moving into terabyte territory, not just because of what phones can store but also because of how much removable media like microSD cards can hold.

Because digital forensics’ ultimate goal is to put the suspect behind the keyboard, mobile forensics needs to be about not only how to extract the data, but also how to perform analytics on it and explain it. In cases where investigators don’t know what to look for, analytics can help them determine keywords and other basic information to drive a case forward.

One type of casework where this is most critical: gang suppression. “There’s a distinct difference from the way things used to be on the gang scene compared to where they are now,” said Morrissey. Thirty years ago, gangs were large, paramilitary organizations with distinct hierarchies.

This made it easy to pinpoint and disrupt their leadership. Now, however, small hybrid gangs have created an “asymmetric” threat. Their communication activity is more limited, and they lack a consistent leader. Moreover, members may switch alliances as often as it suits them.

Morrissey observed that this activity echoes what has been happening in overseas battle theaters for about the past 10 years. “In the 2000s in Iraq and Afghanistan, we hit everyone’s houses, dumped their phones, and mapped out their networks. But it killed communication events because we took their phones.”

To avoid a similar problem here, first responders, who come in contact with phones on a daily basis, need to get device data into the law enforcement information cycle faster so that it becomes actionable. How do teams like Sgt. Morrissey’s combat gang threats like these? Take a look at his presentation:

Training, certification and ensuring data accuracy

Joe Church, founder and owner of Digital Shield Inc., raised the related issues of casework and court. When your forensic tool pulls SMS, location information or any other data, do you look at where in the file system the tool is extracting from to verify the data is true and accurate? How do you validate (for example) the 99 SMS messages the tool tells you are there?

Audience members responded that you can look on the device, or else refer to call detail records that can corroborate dates and times. You can also verify with other tools to show due diligence in ensuring that your original tool was correct.

Church pointed out, though, that this process is very time consuming. Cases pile up at the same time that supervisors demand results “today,” which forensic examiners must balance against the eventuality of having to face a defense attorney and expert witness who have had time to mount reasonable doubt as to whether you could have missed information.

Why is this important? “Experts” have gone on the record to testify that they were never properly trained, or else have admitted to it on listservs and forums. An untrained, uncertified forensic examiner presents another way for the defense to attack; certification provides a baseline for the court, showing that the expert had to pass a test at one point that says s/he knows how to utilize the tool.

Mahalik raised the point that even if you are certified, you still have to know how the tool currently works in its latest version; a UFED certification from 3 years ago is outdated. Carney added that if you own 5 tools, you must be able to stay up to date on them all (another argument for mobile forensics as a subspecialty).

But the basics are important, too. Some investigators continue to believe that they only need training to learn how to push a button, a matter of policy compliance rather than developing skills. Morrissey noted that even chain of custody can be breached when officers take pictures of evidence with their own phones, forget to isolate a device from its network, or pile evidence devices on an examiner’s desk.

Mr. Church presented at MFW in greater detail about mobile forensic validation. Learn more:

What trends have you spotted over the past 6 months, and where do you see the industry headed? Leave a comment!

Now available for pre-order: UFED Link Analysis 1.7

Pre-order our latest investigative software! UFED Link Analysis is a standalone application that helps rapidly identify connections between multiple devices’ owners. This month, we’ll start shipping the second generation of UFED Link Analysis.

Enhanced and improved based on feedback from customers involved in a limited beta release, the latest version includes an improved user interface along with the following all-new features:

  • Location analytics. See locations associated with people and communications. Where they were while they called or texted one another, or simply whether they have locations in common, can be important to building a case.
  • Multiple timeline view. See how device owners’ communications unfold among multiple people on particular days and times. The graph view visualizes events over time, the distance between them and highlights changes of behavior.
  • Entity analytics. Understand device owners’ relationship to entities (names, monikers or phone numbers) they’re in contact with. Analyze their preferred forms of communication and the frequency of their communications in comparison to one another.

These three capabilities are featured together with UFED Link Analysis’ core features in our video sneak peek:

In the aggregate, these features allow law enforcement, military, private, and corporate investigators and analysts to rapidly visualize key relationships between suspects and identify important patterns and anomalies. Used in the early hours of an investigation, this kind of tactical link analysis could help generate leads, bring about more in-depth analysis, and/or make operational planning faster and more efficient.

Stay tuned—just like with our other UFED Series products, UFED Link Analysis will be regularly updated with the latest tools according to customer requirements. To receive more information, please fill out our form.