Python Script to Map Cell Tower Locations from an Android Device Report in Cellebrite

Recently Ed Michael showed me that Cellebrite now parses cell tower locations from several models of Android phones. He said that this information has been useful a few times, but finding and mapping the cell tower locations by hand has been a pain in the butt. I figured it should be easy enough to automate, and Anaximander was born.

Anaximander consists of two Python 2.7 scripts. The first only needs to be run once, to dump the cell tower location data into a SQLite database; the second is run for each case to generate a Google Earth KML file with all of the cell tower locations on it. As an added bonus, the KML file carries the timestamps from the report, so modern versions of Google Earth show a time slider across the top that lets you create animated movies or view only the results between a chosen start and end time.

Step one is to acquire the cell tower location data. For this, go to http://opencellid.org/ and sign up for a free API key. Once you have the key (it is issued instantly) you can download the latest repository of cell phone towers.


Currently the tower data is a CSV file of around 2.2 GB. Once it downloads, unzip it to a directory and run the dbFill.py script from Anaximander. This short and simple script creates a SQLite database named “cellTowers.sqlite” and inserts all of the records into it. The process should take 3-4 minutes and the resulting database will be around 2.6 GB.

Once the database is populated, the next time you dump an Android device with Cellebrite and it extracts the cell towers from the phone, you’ll be ready to generate a map.

From the “Cell Towers” section of your Cellebrite results, export the results as XML. Place that XML file and Anaximander.py in the same directory as your cellTowers.sqlite database and run Anaximander.py -t <YourCellebriteExport.xml>. The script parses the XML file to extract the cell towers and queries the SQLite database for the location of each one. Because of the size of the database, each query can take a second or two, so the script can take a while to run if the report contains a large number of towers.
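As an added example (this is not the Anaximander code, which is not reproduced on this page), here is a Python 3 sketch of the same pipeline: load an OpenCellID-style CSV into SQLite, parse a Cellebrite-style cell tower export, resolve each tower against the database and write a KML file whose placemarks carry TimeStamp elements so Google Earth shows its time slider. The CSV column layout (radio, mcc, net, area, cell, lon, lat, range) is the one the public OpenCellID export used at the time; the XML element and attribute names for the Cellebrite export are assumptions, because the page does not show that schema, so adapt them to the real file. Two details go beyond the text: the loader creates a composite index on (mcc, mnc, lac, cid), which turns the one-to-two-second per-tower lookups into millisecond lookups even on a multi-GB table, and the KML is built with ElementTree rather than string concatenation so that values that originate from the handset are escaped and cannot break out of the XML. Towers that are not in the database are returned to the caller rather than silently dropped.

```python
import csv
import io
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of an OpenCellID CSV export (a few rows in the public
# export's column layout; real files run to millions of rows).
SAMPLE_OPENCELLID_CSV = """radio,mcc,net,area,cell,unit,lon,lat,range,samples,changeable,created,updated,averageSignal
GSM,310,410,7250,11301,0,-77.0369,38.9072,1000,12,1,1459300000,1459300000,0
UMTS,310,410,7250,11302,0,-77.0430,38.9100,800,5,1,1459300000,1459300000,0
LTE,310,260,9001,2201,0,-77.0100,38.8900,500,3,1,1459300000,1459300000,0
"""

# Constructed stand-in for a Cellebrite "Cell Towers" XML export. The element
# and attribute names are assumptions for this example; the real schema is not
# shown on the page. The last record is deliberately absent from the CSV above.
SAMPLE_REPORT_XML = """<?xml version="1.0" encoding="utf-8"?>
<report>
  <celltower mcc="310" mnc="410" lac="7250" cid="11301" timestamp="2016-03-30T14:05:00Z"/>
  <celltower mcc="310" mnc="410" lac="7250" cid="11302" timestamp="2016-03-30T14:12:30Z"/>
  <celltower mcc="310" mnc="260" lac="9001" cid="2201" timestamp="2016-03-30T15:01:10Z"/>
  <celltower mcc="310" mnc="260" lac="9999" cid="1" timestamp="2016-03-30T15:30:00Z"/>
</report>
"""


def build_tower_db(csv_text, path=":memory:"):
    """Load an OpenCellID-style CSV into SQLite and index the lookup key."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS towers (radio TEXT, mcc INTEGER, mnc INTEGER, "
        "lac INTEGER, cid INTEGER, lon REAL, lat REAL, cell_range INTEGER)"
    )
    rows = (
        (r["radio"], int(r["mcc"]), int(r["net"]), int(r["area"]), int(r["cell"]),
         float(r["lon"]), float(r["lat"]), int(r["range"]))
        for r in csv.DictReader(io.StringIO(csv_text))
    )
    conn.executemany("INSERT INTO towers VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    # Without this index every per-tower query scans the whole table, which is
    # where a "second or two each" lookup time comes from on a 2.6 GB database.
    conn.execute("CREATE INDEX IF NOT EXISTS towers_key ON towers (mcc, mnc, lac, cid)")
    conn.commit()
    return conn


def parse_report(xml_text):
    """Pull (mcc, mnc, lac, cid, timestamp) records out of the export."""
    records = []
    for el in ET.fromstring(xml_text).iter("celltower"):
        try:
            records.append({
                "mcc": int(el.get("mcc")), "mnc": int(el.get("mnc")),
                "lac": int(el.get("lac")), "cid": int(el.get("cid")),
                "timestamp": el.get("timestamp", ""),
            })
        except (TypeError, ValueError):
            continue  # malformed record: skip it rather than abort the whole run
    return records


def locate(conn, rec):
    """Return (radio, lat, lon, range_m) for a tower, or None if it is unknown."""
    return conn.execute(
        "SELECT radio, lat, lon, cell_range FROM towers "
        "WHERE mcc = ? AND mnc = ? AND lac = ? AND cid = ?",
        (rec["mcc"], rec["mnc"], rec["lac"], rec["cid"]),
    ).fetchone()


def build_kml(conn, records):
    """Return (kml_text, unresolved_records). Each Placemark carries a TimeStamp
    so Google Earth exposes its time slider; ElementTree escapes every value."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    unresolved = []
    for rec in records:
        hit = locate(conn, rec)
        if hit is None:
            unresolved.append(rec)  # report gaps; do not silently drop them
            continue
        radio, lat, lon, range_m = hit
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = "{mcc}-{mnc}-{lac}-{cid}".format(**rec)
        ET.SubElement(pm, "description").text = "%s tower, range %d m" % (radio, range_m)
        ET.SubElement(ET.SubElement(pm, "TimeStamp"), "when").text = rec["timestamp"]
        # KML coordinate order is lon,lat,alt
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = "%s,%s,0" % (lon, lat)
    return ET.tostring(kml, encoding="unicode"), unresolved


if __name__ == "__main__":
    db = build_tower_db(SAMPLE_OPENCELLID_CSV)
    kml_text, missing = build_kml(db, parse_report(SAMPLE_REPORT_XML))
    with open("towers.kml", "w", encoding="utf-8") as fh:
        fh.write(kml_text)
    print("wrote towers.kml; %d tower(s) not found in the database" % len(missing))
```

For a real case, point build_tower_db at the unzipped OpenCellID CSV with a file path instead of ":memory:" and feed parse_report the exported XML. The standard-library XML parser is not hardened against entity-expansion attacks, so if you ever parse an XML file you did not produce yourself, use defusedxml in place of xml.etree.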


Ed was kind enough to provide two reports from different Android devices and both parsed with no issues. Once the script is finished it will let you know how many records it parsed and that it generated a KML file.


This is what the end results look like.


The script can be downloaded from: https://github.com/azmatt/Anaximander

This is the first version and there are several improvements to make but I wanted to get a working script out to the community to alleviate the need for examiners to map the towers one at a time. Special thanks again to Ed Michael for the idea for this (and one other) script as well as for providing test data to validate the script.

Follow my blog for up to date digital forensics news and tips: http://digitalforensicstips.com/

About Matt:

Matt performs technical duties for the U.S. government and is a Principal at Argelius Labs, where he performs security assessments and consulting work. Matt’s extensive experience with digital forensics includes conducting numerous examinations and testifying as an expert witness on multiple occasions.

A recognized expert in his field with a knack for communicating complicated technical issues to non-technical personnel, Matt routinely provides cyber security instruction to individuals from the Department of Defense, Department of Justice, Department of Homeland Security, Department of Interior, as well as other agencies, and has spoken frequently at information security conferences and meetings. Matt is a member of the SANS Advisory Board and holds 11 GIAC certifications. Among them: GREM, GCFA, GPEN, GCIH, GWAPT, GMOB and GCIA.

 

 

Reason #2 to vote Cellebrite for a 2016 Forensic 4:cast Award

In a previous blog, we mentioned that Cellebrite deserves a Forensic 4:cast Award this year for being consistently first and often unmatched in bringing critical mobile forensic innovations to your work environment. Just yesterday, we released a solution to decrypt WhatsApp’s new backup database encryption (crypt9) in UFED Physical Analyzer 5.0.2.

We are grateful to the loyal UFED user community and to the digital forensic community for nominating Cellebrite, and would like to ask for your support again by voting for us in the following categories:

  • UFED Touch for phone forensic hardware of the year
  • UFED Physical Analyzer/ UFED4PC for phone forensic software of the year
  • Digital forensic organization of the year

If you haven’t already voted, here is the second reminder why Cellebrite deserves the Forensic 4:cast Awards:

Industry-first support for the most popular brands and models

We get access to more than 100 new handsets per month, which helps us keep pace with device support for the forensic community and capture the next wave of mobile challenges for forensic investigators. UFED 5.0 already supports the new and popular Samsung Galaxy S7 for file system and logical extractions. With approximately 10 releases a year, hundreds of newly supported device profiles are added in each release, including support for new operating system versions, and every supported device is tested by Cellebrite’s R&D team. Just recently, with the release of UFED 5.0, we bumped our device profile support up to 19,203.

We continue to innovate the industry, and to expedite your investigation by providing you with unmatched access to case-critical evidence. UFED 5.1, to be released in the coming weeks, is already packed with hot industry-first capabilities, including a new proprietary method to disable user lock for many additional Samsung devices, and lock bypass for popular LG models. Stay tuned!

Does UFED play an important role in your investigations? If you think so, then vote for us today!  


 

UFED 5.0 drastically decreases your time to evidence by drilling into the data that’s most crucial

Sifting through data is a very time-consuming process: the average US smartphone user takes up 10.8 GB of storage capacity on their device*, and depending on the data recovery options chosen in UFED Physical Analyzer, processing may take up to several hours to complete. UFED 5.0 came out with major time-savers that drastically decrease your investigation time and let you focus on the data that is most crucial to your investigation. Version 5.0 brings five crucial industry-first features, and support for 19,203 device profiles and 1,528 app versions.

Merge multiple extractions in a single unified report and avoid duplicates

You asked for it, we developed it. With UFED Physical Analyzer 5.0, you now have the ability to merge multiple extractions into a single unified project, which can include logical, physical and file system extractions. The extracted data is presented under one project tree, with a unified extraction summary showing device info per extraction, the ability to drill down into each extraction, and an indication of the original extraction source. If required, you also have the option to combine extractions from different devices.

 

This powerful feature saves you time not only by combining the extractions, but also by removing duplicate or redundant information and grouping together similar and duplicate records for quick and efficient analysis. The following extraction types may be grouped together: logical, advanced logical file system, physical, SIM card, JTAG, SD card, and UFED Camera Evidence.

Here is what one investigator had to say about this new capability: “Being able to instantly navigate to where each piece of data is located in the memory dump is an outstanding feature. This saves hours of time on each complex investigation.”

Validate your data the right way

The new validation process saves you time and resources by providing the most effective and efficient way to perform a real and accurate validation: the decoded data is validated against the original source file, reducing your need to use other mobile forensic tools for additional extractions to compare and validate results.

Every recovered artifact derives from a source that can later be used to validate the data. Where previously you spent time manually searching for that original source, UFED Physical Analyzer 5.0 now traces automatically decoded content back to it.

Every extracted record now includes the file source information, in the table view or in the right pane alongside the device information. Each link points to the data offset and includes the source file name, which can be included in a UFED report when testifying in court. For example, using UFED Physical Analyzer 5.0, an examiner can easily see from the original source file that a recovered SMS was a deleted artifact, since it was recovered from the memory of the device. Clicking the file source information link shows that SMS highlighted in the hex viewer, and the database file the SMS came from is displayed in the right pane.

Focus on relevant media files with the common image filter

An additional time saver added in version 5.0 is the new automatic filter feature. UFED Physical Analyzer 5.0 saves a massive amount of investigation time by automatically filtering out common or known images, allowing you to focus on the images you need to get to the evidence quickly, rather than wasting time reviewing thousands of images that are default device icons or that come as part of an app installation.

The MD5 hash value is available for every extracted media file, and is visible in the user interface and in the report output, as part of the decoding process.

How would you use this feature? Say you have 200 hash values of indecent images in your own database. You can easily create a watch list from those hash values and run it against the device to find matching images; a match means a copy of one of those images is present on the device. Alternatively, you can export the hash values from the device into Excel and run a match against your database, as well as expand your list with new hash values belonging to suspicious images.

As presented in the image below, if previously you had to review 24,998 images, you now have 900 fewer images to review.

To view all images, click on filter reset or remove the auto-filter option in the Settings.
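The two workflows above (filtering out known images, and matching a watch list of hashes against the device), as an added Python 3 example that is not Cellebrite’s code: hash every media file under an extraction directory, set aside files whose hash matches a known-benign set (default icons, app resources) and surface files whose hash matches the examiner’s watch list. The file tree and both hash sets are constructed inline so the example runs offline. One design choice goes beyond the text: the known-benign set is keyed on both MD5 and SHA-256, because MD5 collisions are cheap to manufacture and a bare MD5 match should never be enough to remove a file from review; a watch-list hit is always surfaced and takes precedence over exclusion.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the media files of an extraction. The bytes are
# arbitrary; only their hashes matter here.
SAMPLE_FILES = {
    "ic_launcher.png": b"\x89PNG constructed default app icon",
    "DCIM/IMG_0001.jpg": b"\xff\xd8 constructed user photo 1",
    "DCIM/IMG_0002.jpg": b"\xff\xd8 constructed user photo 2",
    "cache/thumb.jpg": b"\xff\xd8 constructed thumbnail",
}


def digest_bytes(data):
    """(md5, sha256) hex digests of an in-memory blob."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def digest_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large videos do not have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


# Known-benign set (constructed from the sample icon; in practice built from
# reference installs of the firmware and apps). Keyed on (md5, sha256) so that
# an MD5 collision alone cannot get a file auto-excluded from review.
KNOWN_BENIGN = {digest_bytes(SAMPLE_FILES["ic_launcher.png"])}

# Examiner's own watch list (constructed). Legacy hash sets are usually MD5
# only; a hit is a lead to confirm visually, not a finding by itself.
WATCH_LIST_MD5 = {hashlib.md5(SAMPLE_FILES["DCIM/IMG_0002.jpg"]).hexdigest()}


def classify_media(root):
    """Sort every file under root into watch-list hits, excluded known-benign
    files and files left for manual review. Paths are relative to root."""
    result = {"hits": [], "excluded": [], "review": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            md5, sha256 = digest_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if md5 in WATCH_LIST_MD5:
                result["hits"].append(rel)          # always surfaced, never filtered
            elif (md5, sha256) in KNOWN_BENIGN:
                result["excluded"].append(rel)      # both digests match a known file
            else:
                result["review"].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def write_sample_tree():
    """Materialise SAMPLE_FILES in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="extraction_")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    summary = classify_media(write_sample_tree())
    for bucket, paths in summary.items():
        print("%-8s %s" % (bucket, ", ".join(paths) or "-"))
```

To use it on a real extraction, point classify_media at the exported media directory and populate KNOWN_BENIGN and WATCH_LIST_MD5 from your own hash sets; the reviewed count you get back is the "900 fewer images" figure the text describes, and the hits bucket is the watch-list match list.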

 

Access blocked application data with file system extraction

Version 5.0 introduces another industry-first capability: access to blocked application data when physical extraction is not available for a specific device. New app versions bring new challenges, such as apps that can no longer be captured through the Android backup method because they opt out of the backup service. UFED overcomes this limitation with a new option, the APK downgrade method, available via file system extraction. This method temporarily downgrades the app (the .apk file) to an earlier version that is compatible with Android backup. UFED presents the list of apps installed on the device and which of them are available for downgrade; because an installed package is replaced during the process, record the original and downgraded app versions in your examination notes. Open the extraction in UFED Physical Analyzer to decode both intact and deleted app data.

Popular supported apps include WhatsApp, Facebook, Facebook Messenger, Line, Telegram, Gmail, KIK and more.

Extract data using Temporary root (ADB) and enhanced bootloader method

The temporary root (ADB) solution has been enhanced to support 110 Android devices running OS 4.3 – 5.1.1 for file system and physical extraction (when ADB is enabled). Logical extraction of app data is also available for the listed devices using the temporary root solution. As part of your examination, you need to gain access to all the data stored on a mobile device. This is achievable via a physical extraction, which is the most comprehensive method and provides the richest set of data. As part of our ongoing efforts, you can now perform a physical extraction on the 110 selected devices using the ADB method instead of manually rooting the device with an external tool. Third-party tools provide a permanent root, while Cellebrite’s temporary root is removed on restart and assures forensically sound extractions.

The bootloader method has been further enhanced in version 5.0. This unique lock bypass solution is now available for 27 additional devices (APQ8084 chipset), including Galaxy Note 4, Note Edge, and Note 4 Duos.

Version 5.0 also introduces physical extraction and decoding support for a new family of TomTom devices, and file system and logical extraction and decoding for recently launched devices, including the iPhone SE, Samsung Galaxy S7, and LG G5.

Watch the video below to learn more about UFED 5.0 release highlights.

Download our release notes for full details about version 5.0 capabilities.

Exclusive support for additional Motorola Androids highlights 4.5 release


With the release of UFED 4.5, Cellebrite announces support for 18,290 device profiles and 1,270 app versions. The release brings industry-first access to 11 additional Motorola Android devices, logical extraction via Bluetooth from any Android device, and enhanced decoding support for the latest versions of all UFED-supported applications running on iOS and Android devices.

Logical extraction via Bluetooth

Version 4.5 introduces a quicker and more efficient workflow, providing users with the option to perform a logical extraction via Bluetooth from any Android device. Extracting via Bluetooth is an effective solution to recover data from devices with damaged USB ports, as well as from prepaid devices (such as TracFone Android), which come with locked USB ports.

As illustrated in the image below, to use this option, select Use Bluetooth under Select Content Types.


Physical ADB method for rooted Android devices

The physical ADB method is now available for pre-rooted Android devices when no other physical extraction method is supported. Using the ADB method, users can perform a physical extraction from rooted Android devices. A few notes regarding rooted devices and ADB:

What is rooting? To “root” a device means to gain administrative (superuser) rights over the file system of an Android device. A device may be rooted only within its recovery partition, or fully rooted after a rooting process.

What is ADB and how does it work? ADB, the Android Debug Bridge, is a built-in protocol of the Android operating system that lets developers connect to an Android device and run low-level commands used for development. UFED uses this protocol to perform extractions from Android devices.

Updated app support

Following recent news regarding ISIS terrorists using the Telegram app to carry out their activities, version 4.5 keeps pace with industry demands by providing enhanced decoding support for Telegram’s latest version running on iOS and Android devices. Updated support is also available for 134 Android and 43 iOS app versions.

Improved Functionality for UFED Physical Analyzer and UFED Logical Analyzer

Version 4.5 also introduces improvements for the ruggedized frontline tool, UFED InField Kiosk, enabling users to encrypt mobile forensic reports and UFDR files with a password. Users can open encrypted reports with the password and view them in UFED Physical Analyzer and UFED Logical Analyzer. Password-protected reports can also easily be shared with other investigators over a network using UFED Reader.

Additional enhancements include new offline map packages for the following regions: Minsk, India, Germany, Australia and New Zealand, Scandinavia. (The Offline maps feature was introduced in version 4.2. This feature enables you to view extracted locations on a worldwide map without internet connection).

Learn more about UFED 4.5 – download the release notes here!

New and improved UFED Faraday bag!

With the evolution of smartphones, cellular networks and infrastructure have also advanced, signals have improved and their reach has expanded, which laid the ground for high-performance wireless access. Modern smartphones also carry other radio transmitters in addition to the network interface (including WiFi signals, Bluetooth, telecommunication systems, and GPS signals).

A fundamental aspect of device preservation at the crime scene is evidence collection on site. When needed, an officer can immediately provide electromagnetic isolation of a seized device to maintain a proper chain of custody, prevent data tampering, and safeguard the existing physical data on the device.

Cellebrite’s UFED Faraday bag has been redesigned and improved to meet the needs of quick investigation, offering better isolation for stored devices. The new shielding material was tested against the former bag at several frequencies and showed an increase in attenuation of roughly 25 dB.

Frequency (GHz)   Former bag attenuation (dB)   Redesigned bag attenuation (dB)
0.8               53                            >80
1.8               52                            71
2.1               45                            >80
2.4               42                            77

Click here to purchase your UFED Faraday bag at an affordable price.

Cellebrite launches first standalone UFED User Lock Code Recovery Tool for iOS and Androids

Locked devices have been a longstanding issue for mobile examiners since the evolution of smartphone devices. More than 50% of devices seized by police are locked.*

UFED User Lock Code Recovery Tool provides another solution to unlock the device and reveal the passcode on both iOS and Android operating systems when no other extraction method works. Using a forensically sound brute-force method, this standalone tool reveals the device’s user lock code on screen and allows users to enter it and access the evidence on the device, while ensuring that existing data remains intact.

How do I use this tool?

The tool is available for download by UFED users with an Ultimate license at MyCellebrite (the software runs as a standalone tool). Users are supplied with three Cellebrite cables, to be connected to USB OTG-capable mobile devices only. A UFED Camera or a Windows-compatible web camera is required to detect when the device is unlocked. For more information on using the tool, watch the video below to learn how to bypass and reveal passcodes on iOS and Android devices.

UFED User Lock Code Recovery Tool helps you get the evidence you need quickly and at no extra cost.

*Consumer Report 2014

 

 

New UFED release 4.2.2 offers exclusive support, impressive breakthroughs and enhanced decoding

With the release of UFED Physical/Logical Analyzer 4.2.2, Cellebrite offers new decoding features designed to improve investigative efficiency from 1,128 additional device profiles and enriched degree of decoded data from 873 app versions.

Exclusive support for the latest and popular Samsung devices

Samsung contributes to the highly fluid mobile market by introducing ever smaller and lighter mobile device models every few months. The quick adoption of these devices by felons leaves investigators to encounter additional challenges during the investigation. Cellebrite enables access to all data, including deleted data, from the newest Samsung Android devices available in the market today. Cellebrite supports physical extraction while bypassing the user lock using the forensic recovery partition method, and decoding from 33 Samsung Android devices, including Samsung Galaxy S5, S6 and Note 4 family of devices.

Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition. The original recovery partition on an Android device is effectively an alternative boot partition, and booting it may also modify the user data partition, whereas Cellebrite’s recovery image does not touch any of the user data.

Support for next generation smart watches

Android Wear may be a new concept, but with nearly $7M in sales just last year, many independent research groups anticipate huge growth in the wearable space over the coming years. With the rate of new devices entering the market from Samsung and others, Cellebrite ensures that investigators stay ahead with the most advanced extraction and decoding technology for these new and trending devices.

UFED enables physical extraction while bypassing lock, and decoding support from the most popular next generation smart watches including LG smart watch LG G WATCH R™ (W110) and the previously released Samsung Galaxy Gear SM-V700.

New app decoding and decryption support

Apps provide a rich source of data for investigations; 59% of our users say that third-party app data matters most in investigations. Cellebrite provides updated support for 843 app versions in this release, as well as decoding support for new apps such as Facebook Messenger (decoding of the call logs of the voice calling feature and the new video calling/chatting feature). Additional decryption is also available in UFED 4.2.2: UFED Physical Analyzer can now decrypt and decode Android Backup (Android 5.x) with a known password as part of the file system extraction.

Download the release notes to see a full list of apps and version numbers.

Now higher resolution view in offline maps feature

In UFED version 4.2 we introduced the offline maps feature, which enables you to view extracted locations on a worldwide map without an internet connection. This feature has been improved: you can now view extracted locations on a regional map and zoom in at a higher resolution (15x) to see streets, for a better indication of the location without internet access, for the following regions: USA, Canada, Europe, Japan and Korea, Middle East, Africa, London, Los Angeles, New York, Paris, Singapore and Tokyo.

You asked for it, we developed it!

UFED Physical/Logical Analyzer 4.2.2 keeps pace with investigator demand and provides the option to redact the image thumbnail from the PDF, Word and HTML report. You would use this option with cases involving sensitive images, such as child abuse.


3 Reasons to Vote for Cellebrite for a 2015 Forensic 4:Cast Award

For as long as the Forensic 4:cast Awards have existed, Cellebrite’s UFED tools have been named Phone Forensic Tool of the Year. Being nominated among some of the greatest products in the industry, we couldn’t be more proud that the forensic community recognizes our continuing efforts to deliver the best, most innovative and  functional mobile forensic tools for seven years running.

Thanks to you, Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED 4PC for phone forensic software of the year
  • Digital forensic organization of the year

Will you vote for us this year? Here are a few reminders why Cellebrite deserves the Forensic 4:cast Awards.

1. We’ve got your back.

Cellebrite has always been known for its breadth of support for new devices, but in 2014 we deepened our support for both smartphones and the apps installed on them. We improved our automated decoding, so you can spend more time analyzing data than figuring out how to decode it; brought our device profile support up to more than 14,000; and added decoding support for 25 prepaid Android devices—including Tracfone models that stumped investigators for years.

2. We make data analysis as simple or as complex as you need.

The visual analytics we include in tools like UFED Physical/Logical Analyzer and UFED Link Analysis give you a basic, at-a-glance look at key people, places, and communications via Project Analytics, Timelines, Maps, and Graphs. These help you immediately visualize your data and focus on only that which is most relevant to your case.

When you need to get “into the weeds” with the data—at the device memory level—you can do that too. Locate, carve, and validate data using advanced search functions like regular expressions and searches for strings, dates, codes, numbers, ICCID, SMS formats, etc., and import your JTAG and chip-off extractions into UFED Physical Analyzer for decoding.

3. We give you the tools you need not just to extract and analyze the data, but also to testify about your process with confidence.

Tools with as much functionality as ours deserve investigators who can put them to good use, so in 2014 we stepped up our training and certification program. We are now the first and only digital forensic vendor to deliver courses not only in person, but also online, and more than 4,000 practitioners earned their Cellebrite certifications through the end of 2014.

Vote for us today!

 

5 Reasons to Nominate Cellebrite for a Forensic 4Cast Award

Forensic 4cast’s nominations process closes in less than a month! In case you haven’t yet made your nominations, we encourage you to head over to the Forensic 4cast website to do so. (Don’t forget, you might win a 4cast t-shirt!) While you’re there, remember to nominate Cellebrite UFED and UFED Physical Analyzer for Phone Forensic Hardware and Phone Forensic Software of the Year. Here’s why:

1. Breadth and depth in device support.

There’s extracting mobile device data—and then there’s interpreting it. Our decoding matches our physical and file system extractions virtually in parallel, so you can spend more time actually analyzing data than figuring out how to decode it.

2. Versatility in your data-crunching.

While you’re spending more time analyzing data, UFED Physical Analyzer makes it worth your while by adding layers of useful functionality.

  • Search functions like regular expressions and searches for strings, dates, codes, numbers, ICCID, SMS formats, etc. give you the ability to locate user data you might otherwise miss.
  • Filters such as watch lists and entity bookmarks help you cull relevant from less relevant data as your investigation moves along.
  • Timeline and Project Analytics help you visualize your data and drill down to that which is most relevant to your case.
  • Python scripting allows you to add functionality and get even more data from, say, user apps.
  • Malware analysis helps you determine whether spyware or malware was an instrument of stalking, fraud, theft of proprietary information, or other illicit activity.
  • Advanced image carving allows you to retrieve and rebuild corrupted or incomplete image files and fragments.
  • Multiple report formats let you share data with other investigators, supervisors, or attorneys—or put your mobile evidence together with other digital data in review platforms like Palantir, Exterro Fusion, and others.

3. Industry-first support for the most popular brands and models.

You may know that we get access to mobile devices sooner than any other vendor as a result of our relationships with 150+ wireless carriers and OEMs. But did you realize that this means we can extend logical support almost immediately upon a new device’s launch—and that physical extractions are rarely far behind?

4. Ongoing research and development that supports your needs.

User locks, encryption and apps are just some of the forensic challenges we’ve tackled in the recent past. Our support, whether for devices or for issues within them, is always based on requests and feedback we get from customers.

5. Technology that speeds your extractions—and your investigations.

Last year we released the UFED Touch, which we found to be up to 10 times faster than UFED Classic in performing physical and file system extractions on smartphones.

But don’t forget our unified driver technology, our “unsung hero” that prevents software conflicts and crashes, and our custom boot loaders, which can bypass user locks and thus provide forensically sound physical extractions on many devices. Altogether, they make for a solution that lets you focus on building your case—not sitting around waiting.

Nominate us today!