Sorry I have not been able to post items these past few months; work case loads, summer holidays and R&D have kept me away from my Blog. What has brought me back sooner rather than later is an update to my previous Blog post about Cellebrite's P.A. software.

Well, I was impressed with Cellebrite P.A. 1.9x in my previous testing, and I am even more impressed by the newest edition of Cellebrite's Physical Analyzer, version 2.2. The crew at Cellebrite have overcome annoying barriers that we as cell phone forensic examiners have been challenged with this past year. One of the main problems for us was the ability to bypass the user lock on iPhones (resolved with version 1.9x), and then the encryption we faced even when we were able to obtain a physical dump. This is no longer the case; Cellebrite has overcome both these obstacles, with more to come.

In my previous posting (Cellebrite Physical Analyzer Beta Testing June 2011) I examined my personal iPhone 4 CDMA (Model: MC605C) running iOS 4.3.3. At that time, I was able to get a file system and physical acquisition from the locked phone. I was not able to view much from the physical acquisition as the data was encrypted, but the file system dump was successful. A great feat considering this data was not obtainable a few weeks earlier due to the user lock code. Now it is possible to recover the data from the physical acquisition in version 2.2, as they have been able to decrypt this data with new processes.

In this testing, I am using the same iPhone (iOS 4.3.3) and will test a new feature of version 2.2: obtaining the user passcode and displaying it. The steps remain the same (enter Recovery and DFU modes to prepare the phone for analysis), only this time you have a new option to run, "Device Password Recovery", as seen below:

[Image 1: P.A. 2.2 Options]
The software ran for about 5 minutes and then came up with the passcode (whited out in this case):

[Image 2: Passcode Recovered]

You now have the option to continue and get either a file system or physical data dump from the phone, or shut it down and access the phone with the newly discovered user passcode. With this passcode, you can acquire the iPhone again using other forensic tools, an excellent capability when you want to validate your Cellebrite dumps and/or just use other tools like XRY Complete, MPE+, Oxygen Suite and Lantern that have options for acquiring user data from iPhones.

Next, I wanted to see if the newest iOS version available to iPhone users would be a challenge for P.A. 2.2. I ran the iTunes software and upgraded the iPhone to the newest iOS, 4.3.5. This was no challenge at all for P.A. 2.2: the user passcode recovery was no issue and it took no more time than it did for iOS 4.3.3. I then ran the new Physical Extraction and Decryption, which took about 40 minutes to complete on this 32 GB iPhone. I opened the acquisition and was amazed at the number of items it was able to decrypt for us. It was pretty much what we saw in my June 2011 File System dump but more; the added data is obviously deleted items obtained from the physical acquisition.

[Image 3: Physical Acquisition]
To see the difference, I then ran the File System dump (I noted a disclaimer indicating that some emails are not obtainable) on the iPhone and compared the findings from the two acquisitions:

[Image 4: File System Acquisition]
I did note that the Physical acquisition recovered 704 emails and the File System acquisition recovered 446. One main item that a file system dump cannot get, and only physical with decryption can, is the emails. The Mail folder is locked for a file system dump and even has its own encryption keys; only physical with decryption can get that. Other artefact differences included images P-16790 FS-11732; audio P-1847 FS-1845; and text P-324 FS-244.

As with most of my important acquisitions, I like to validate my findings with a second or third tool; in this case I used another software kit and did a file system dump with their software. There are some notable differences that one can see, and they support the need for examiners to run multiple tools against their cell phone exhibits. In some cases (file system comparison) Cellebrite recovered more items; in some cases the other software recovered more; and in some cases they both recovered the same amount.

In the end, Cellebrite P.A. 2.2 is a resourceful option for forensic examiners faced with iPhone exhibits that require bypassing of the user passcode and/or physical acquisition of the user data to recover deleted items. The interface is very easy to use; the instructions are very simple to follow; the data dump and reporting of the acquired data are visually easy on the eye; and the ability to search for artefacts not recovered by the physical acquisition process (yup, there is more evidence in there, you just have to work the P.A. search features to find it) is simple.

During the testing of this software, I spoke with the team at Cellebrite and they are working feverishly on the newest challenge facing cell phone examiners these days, the Android OS cell phones. They are having success with some Android phones now and hope to release a new update in the near future that will allow us to bypass the user code and obtain physical acquisitions from these devices.

Another challenge for cell phone examiners is the user lock code found on BlackBerrys; well, Cellebrite is also working on a solution to decode the data dumps from the chip-off process of the NAND flash memory from these devices as well. They have been able to decode the data dumps from some versions of the BlackBerry chip-off dumps and are looking for anyone that has chip-off dumps to help them with developing this part of their tool. If you can help, send an email to Ron Serber

Coming up in future postings:

- JTAG vs. cell phones
- Chip-off progress