In this piece we examine mobile phone extraction, relying on publicly available information and Privacy International’s experience from conducting mobile phone extraction using a Cellebrite UFED Touch 2. We welcome input from experts in the field. This is a rapidly developing area. Just as new security features are announced for phones, so too new methods to extract data are found. Show
[All references can be found in the pdf version below.] General explanation of mobile phone extractionMobile Phone Extraction technologies, known also as mobile forensics, entails the physical connection of the mobile device that is to be analysed and a device that extracts, analyses and presents the data contained on the phone. Whilst forensics experts, hackers and those selling spyware may be able to access and extract data, we look at a number of the most well-known commercial companies who sell their products to law enforcement, such as Cellebrite, Oxygen Forensic Detective, and MSAB. Android and iOSOur analysis focuses on Android and iOS when looking at extractive technologies. Android is the leading operating system for phones worldwide. “According to IDC, in the first quarter of 2017, Android dominated the industry with an 85% market share.” iOS leads the way in relation to security and presents the biggest forensic challenge. “...without the passcode we can hardly extract anything from the modern iOS device.” For example iOS’s USB restricted mode, which first appeared in iOS 11.4.1, disabled USB communications after one hour of the last unlock which causes issues of those conducting an extraction. As USB restricted mode develops with iOS releases, for many in the world of forensics it is simply a challenge to overcome. Mobile phone extraction could be characterised as an arms race, where vendors are constantly seeking to overcome obstacles of increased phone security.
An important differentiator between iOS and Android in terms of forensics capabilities is that whilst Apple can push updates directly to their users, patching vulnerabilities and exploits, Android users are predominantly reliant on the manufacturer and carrier to provide update. This causes many Android phones to be running older versions of the operating systems which means various forms of extraction are viable. “The variety of the operating system versions and the hardware platforms on which they are used provide a wide range of data extraction methods. ” VulnerabilitiesIn evaluating MPE technologies, this project looks at some of the vulnerabilities used to obtain data, particularly for Android phones, such as the use of Emergency Download Mode for devices with the Qualcomm chipset. What current technologies are used to access, extract and analyse data from mobile phones?
Accessing and extracting data from phones is nothing new. However, as the volume of data on phones explodes and “the mobile landscape is changing each passing day” the ability to access, extract and analyse this data is increasingly difficult and complex. Techniques vary depending on the hardware and software of a phone, from the chipset (Qualcomm, MediaTek) to the operating system version. “Extracting data from a mobile device is half the battle. The operating system, security features, and type of smartphone will determine the amount of access you have to the data.” Encryption and other security measures present significant challenges.
There are three generic types of extraction: logical, file system and physical, which provide a framework to consider extraction technologies. No one technology can access and extract all data from all phones, and no one type of extraction is guaranteed to be successful. As acknowledged by MobilEdit, a phone forensics company, when commenting on the US National Institute of Standards and Technology (NIST) test results for mobile device acquisition:
Physical acquisition is generally the preferred method. As it extracts the raw data at a binary level, from the devices storage. Even if this is possible there is a view that “A logical acquisition should always be obtained as it may contain only the parsed data and provide pointers to examine the raw memory image.” Factors such as the status of the mobile device will determine whether logical or physical extraction is attempted. “The type of examination is contingent on the device’s power status and whether the device is locked, password protected, or disabled (disassembled or broken) ...Not all mobile devices can be collected physically. An iPhone 5 to X, for example, cannot be collected physically using non-invasive methods.” The reality of carrying out mobile phone extraction is that you will often have to try all types of extraction that the tool you have offers. However, the ability to do this will be limited by time, resources and expertise. A developing area is Cloud extraction which we look at in more detail in a separate article. This development makes for disturbing reading, as we grasp how much is held in remote servers and accessible to those with no forensic skill but the money to pay for push button technologies that can grab it all. Cloud extraction, a leap from what is on the phone to what is accessible from it, is a reaction to encryption and device locks that make traditional mobile phone forensics hard if not impossible and a response to the volume of information stored in the Cloud.
Once data is extracted there are some impressive products on offer to read and analyse extracted data. Increasingly these are marketed with artificial intelligence capabilities to assist investigators. Analysis: Access & extraction: physical, logical, file systemFirst an analysis of the three main types of extraction: logical, file system and physical and the tools used to carry these out. These methods vary in technicality and the type and volume of data they can extract. Summary of types of data that can be extracted using logical, file system and physical extraction. Source: Cellebrite articleUnder each generic method, companies may differ on the way they achieve the extraction. As set out in a slide from Magnet Forensics (below), a logical extraction can be achieved via iTunes/ADB backup or installing an agent to pull additional data; a File System using privileged access such as root or jailbreak; and Physical using recovery or bootloader methods. Common Acquisition Methods. Source: Magnet ForensicsThere are other invasive methods to extract data from phones. JTAG (Joint Test Action Group), ISP (In System Programming) and Chip-off (or any associated hardware forensic methodology, such as inter-chip communication interception - If you are dismantling the device, you may be able to intercept the data as it travels from one microcontroller to another/processor, for example I2C or SPI, bypassing a software defined security model) are more reliant on forensics skill as opposed to the newest technology and thus are mentioned briefly. JTAG is a method named after the industry standard for verifying designs and testing printed circuit boards after manufacture. It involves connecting to the Standard Test Port to transfer raw data from memory chips. “The JTAG technique involves probing the JTAG Test Access Ports and soldering connectors to the JTAG ports in order to read data from the device memory.” ISP “is the practice of connecting to an eMMC or eMCP flash memory chip for the purpose of downloading a device’s complete memory content”. Chip-off is a destructive method, which is based on the removing of memory chip from system board and a chip reader is used to extract data stored. Finally, manual extraction which does not require sophisticated tools and: Cellebrite UFED Touch 2. Source: Privacy International Cellebrite UFED Touch 2 options. Source: Privacy International Logical extraction
What is it?Out of the three types of extraction, logical is seen as the quickest, least intrusive, but most limited. It creates a copy of the user accessible files such as phonebook, calls, messages, some app data and other data you might expect from an iTunes or Android backup. i.e. what you can see if you manually examine each screen on the device. MSAB, which describes itself as ‘a pioneer in forensic technology for mobile device examination” markets their XRY Logical as “our entry-level solution for forensic investigators and the starting point for our license options”. “XRY Logical enables the user to conduct quick extractions (of iTunes backup, Android backup, Android Agent) and is geared toward “pump-and-dump” examinations.” Logical extraction may exclude data from certain apps if those apps do not backup into the files which form part of the extraction e.g. the default folder. To access these apps you would need access to the file system. Magnet Forensics Webinar. Source: Magnet Forensics
Thus, you obtain only that which is available through a vendor’s API. i.e. the phone can restrict what you can access. However, for Android phones, it may be possible to obtain app data by downgrading the target app to an older version where adb backup is allowed. The ability to do this is reportedly blocked in newer versions of Android. Although Cellebrite UFED 7.16 update on APK Downgrade method states it “enables access to file system data from more than 40 applications on Android device running version 6.0 and above.” Logical extractions typically do not include a full bit-by-bit copy of the data or recover deleted data. However, it may be possible to recover deleted records including SMS, chats and browsing history if SQLite databases are used to store the data using for example Cellebrite’s SQLite Wizard. As noted by Reiber (2019:159), “within a subset of devices such as iOS and Android devices, a logical file extraction can often contain deleted data.” How does it work?Logical extraction involves “connecting the mobile device to forensic hardware or to a forensic workstation via a USB cable, a RJ-45 cable, infrared or Bluetooth”. Once the phone is connected, the forensic tool “initiates a command and sends it to the device, which is then interpreted by the device processor.” i.e. the forensic tools communicate with the operating system of the mobile device. The data requested as a result of the use of proprietary protocols and queries is: “…received from the device’s memory and sent back to the forensic workstation. Later, the examiner can review the data. Most of the forensic tools currently available work at this level of the classification system.” Using the Application Programming Interface (“API”), is one way to carry out logical extraction. Cellebrite, a leading forensics company popular with government agencies, states “From a technical standpoint, API-based logical extraction is straightforward to implement, and the results are provided in a readable format.” Cellebrite’s UFED Touch (hardware with UFED software) and UFED 4PC (software installed on a computer) work by communicating with the operating system of a device using the API.
Logical extraction on an iPhone using a Cellebrite UFED Touch 2 works similarly to how iTunes or iCloud might take a backup, it displays on the phone screen the various prompts for the data being extracted, for example ‘Backup Call Data” (Yes/No). Some forensics tools install an App or agent onto the device to try and pull additional data.
As noted by Reiber (2019:57) MobileEdit Forensics, scans the connected device and if an Android device is detected, it uploads an agent program Forensic Connector and using this agent, it extracts data from the device.
Logical extraction is not guaranteed for all devices, even if unlocked. Cellebrite’s Product Updates for example lists supported phones. Cellebrite Product Update. Source: Cellebrite websiteUsing vulnerabilitiesAs with all forms of extraction, there are several components which will influence whether it is possible. First is the operating system. If it’s Android, if USB debugging has been enabled, which enables the ADB server on the device and the RSA keys (security prompt) has been accepted and the personal computer (“PC”) and phone paired, then a logical extraction can be performed. As noted, this is typically an ADB backup combined with pushing an Android APK to the device and using available commands to extract active records like SMS/MMS, Call Logs and Contacts. Mikhaylov (2017:39) states that different steps are required to activate USB debugging mode depending on what version of Android is being used. To enable USB debugging the passcode will be required. Although some devices running Android, like the Innotab Max, which Privacy International tested in 2016-17, appear to ship from the factory with debugging enabled by default. Research by Pen Test Partners confirmed that the Vtech Innotab Max is rooted by default with ADB (auto debugging) enabled from the outset. USB debugging mode is a developer mode in Android phones that allows newly programmed apps to be copied via USB to the device for testing. It allows an Android device to receive commands, files and the like from a computer and allows the computer to pull crucial information like log files from the Android device. Enabling USB debugging leaves the device exposed. The ADB, Android Debug Bridge is a command-line utility included with Google’s Android SDK. ADB can control your device over USB from a computer. Without USB debugging logical extraction is unlikely to be possible, unless a vulnerability could be used. A logical extraction may be available depending on factors such as phone type, vulnerability used, software version and so on. Another way of looking at this is to consider whether user data is stored on the internal flash memory, and if so, whether it is protected and requires root access to read. An example of a vulnerability used for logical extraction, since it can only target a specific area of the file system is described by Christopher Vance of Magnet Forensics.
Extracting an encrypted and damaged Samsung Galaxy S7, SM-G930V (could not enter the passcode or turn on USB debugging), using Media Transfer Protocol (“MTP”) was one option to get around passcodes and authorization. However, whilst available for some Android phones, Samsung v.6 “has changed the default connection type to “Charge Only” when it is plugged into a computer, so we would have to enable MTP which isn’t going to be possible without our [damaged] screen”. Magnet AXIOM have an ‘Advanced MTP bypass method’:
Locked iPhonesWhilst“...a logical acquisition can be obtained if the iPhone is unlocked,” a locked iPhone is problematic since there are two separate prompts to deal with. One activates pairing mode with the computer and allows for an iTunes backup and one allows for media transfer if the standard iTunes provided driver cannot be found and it defaults back to MTP (Media Transfer Protocol) mode. If the device has a valid pairing record on the PC where the extraction is occurring, then a logical (iTunes style backup) can be obtained from a locked iPhone. Without that unfortunately it cannot be obtained. In older iOS versions it was possible to gain just MTP extractions from an iPhone that was locked but this has since been patched and is the reason for the second prompt. Without accepting that prompt (hidden by the lock screen) you won’t be able to get an MTP extraction from the device. File system extractionWhat is itFile system extraction is often technically seen as a type of logical extraction. As with all forms of extraction, the capabilities of a file system extraction will be device-specific. File System Extraction is slightly more data rich than a logical extraction, in file system extraction the entire filesystem is taken off of the phone.
It includes files not directly accessible to the user via the device interface and require specialised tools to access file system artefacts. It does not extract unallocated space.
File System Extraction is usually done by a root user so requires (generally soft) rooting the phone. A root user is a superuser, in that a superuser has permission to do anything to any files anywhere in the phone’s system. i.e. privileged control over the phone. Rooting a phone is the process to attain root access. Cellebrite UFED ‘advanced logical extraction’ combines the logical and file system extractions for iOS and Android devices and is an alternative to where physical extraction is not possible.
How does it work?File system extraction is less identified as a distinct form of extraction by companies. Almost uniquely Cellebrite promotes UFED’s file system extraction and is amongst the few who refer to the method:
MSAB does not have a specific file system product, simply XRY Logical and XRY Physical. Oxygen Forensics refer to obtaining a file system collection as part of ‘classic logical’. Magnet’s Acquire tool allows you to choose an extraction process, offering a ‘quick extraction’ from all iOS and Android devices or ‘full extraction through a physical image of rooted Android devices or file system logical images of jailbroken iOS devices.'
File system acquisition is however an alternative where physical extraction of iOS devices is no longer possible. Unfortunately, the passcode is required. “Since iOS 8, removing the passcode is pointless even on 32-bit devices. The cryptographic key that’s needed to decrypt the data partition is calculated dynamically based on user input (the passcode) and keys from Secure Enclave. Without the correct passcode, the iPhone will remain encrypted; there’s simply no way around it.” Secure Enclave “is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security.” The consequence is that encryption keys are protected by Secure Enclave and are no longer accessible even if the device is jailbroken. However, a file system extraction can be obtained if you jailbreak the device. To do this you need to boot and unlock the device using the passcode. “In other words, the passcode must be known in order to perform the (limited) physical acquisition of all iPhone devices starting with iPhone 5s.”
Unlike a logical extraction, once the file system has been obtained it will need to be decoded.
Using vulnerabilitiesCellebrite claims its full file system extraction of an iOS device using their in-house labs ‘Cellebrite Advanced Services’, can obtain 21GB from a 32GB Flash Memory. Cellebrite promotes its ‘Advances Services’ instead of releasing valuable vulnerabilities into the UFED, as this will, for example, give Apple a chance to patch exploits. Thus, what vulnerabilities are used to carry out a full file system extraction of an iOS device are not publicly disclosed. Cellebrite Advanced Services. Source: Cellebrite webinar
I.e. A full file system extraction can obtain third party apps excluded from an iTunes backup. It can also identify device locations of interest, reveal system logs and application log data. Cellebrite comparison between iOS advanced logical and full file system extraction. Source: Cellebrite webinarThe use of Cellebrite Advanced Services has not been without controversy. In June it was reported that UK digital evidence lab Sytech lost its accreditation after a former employee reported concerns about the handling of evidence at the business. This included phones being ‘sent abroad to be decrypted without the knowledge of the police’. One former employee said that ‘a police force, understood to be Greater Manchester police, raised concerns with Sytech last year after learning that phones had been sent abroad to be unlocked by the Israeli-founded, Japanese owned company Cellebrite.’ Magnet Forensics also states that it can obtain a full file system. It has partnered with GrayKey to offer “the most advanced solution to recover data from an iOS device including the full file system, decrypted keychain and process memory whereas other tools are limited to an iTunes backup only.” GrayKey can reportedly unlock iOS devices and get around USB Restricted mode. Magnet Forensics report that they can then get third-party application data unlike an iTunes backup, aspects of Apple Mail data, web cache and app cache, operating system data, location data, keychain data and some deleted messages:
There is little information around file system extraction, perhaps given the value of iPhone vulnerabilities. There is also not much about other operating systems such as Android, perhaps because it is still possible to carry out the preferred physical extraction. Physical extractionWhat is it?Physical extraction can obtain “service data, applications, and user’s data. Deleted files can be restored from the physical dump.” Physical extraction is a bit-by-bit copy of the physical storage / entire filesystem / device memory or as a hex-dump. It usually requires specific cabling, and involves booting the phone into a custom OS, or recovery. Physical Extraction generally takes a long time, because it brings over free space too, however freespace can contain deleted information so may be worthwhile from an investigators point of view.
It is the most comprehensive and invasive of all the extractions and includes all unallocated space on the phone which is why it may include deleted files. “Cellebrite’s physical extraction capability accesses the additional data layers, in both allocated and unallocated space, that construct the phone’s physical memory. These layers include three different groups of content pertinent to investigators: “Logical” content unavailable through API (e.g. call logs on smartphones and feature phones) Deleted content Content that the phone collects without any user action (and sometimes without user knowledge). For example: wi-fi networks, GPS locations, web history, email headers and EXIF data on images and system data.” How does it work
MSAB state that their XRY Physical product accesses the data through bypassing the operating system to access all system and deleted data. They can overcome security and encryption challenges on (certain) locked devices.
On an Android phone, this method usually requires the removal of the battery and the turning off of the phone, also the cable is usually specific for this method, rather than using the standard charging cable. The Cellebrite directs throughout what steps must be undertaken and when, including which buttons need to be held at startup to enable FastBoot, Bootloader, Recovery, Factory Reset etc, depending on which devices are being extracted. Once the device is in fastboot, the Cellebrite works fairly automatedly, it may prompt you at times to select options on the phone screen or restart the phone. The physical extraction, which we did on a iPhone 4, uses a bug in the iOS bootstrap process which allows for unsigned code to executed (its a technique used to jailbreak older iDevices) the Cellebrite then runs its own OS instead of iOS and extracts the data from the phone. Physical extraction might use a phone’s rescue mode or download mode. “Operating in this mode, mobile phones are designed to allow the insertion of a small piece of code, called bootloaders, into the RAM during start-up.” The bootloader will read the contents of the device’s memory and send it back to extraction device. Cellebrite states that: “… During the initial stage of the device’s booting, the UFED sends the boot loader to the device’s RAM memory. The device will start running the boot loader, but will not continue its regular booting procedure into the OS. The Cellebrite boot loaders then execute “read only” actions that extract evidence from mobile devices and leave no artifacts behind.” Physical extraction using a bootloader. Source: Cellebrite articleCellebrite’s bootloaders are designed in-house around each individual device platform taking into account the varieties in chipsets, peripherals, memory chip interfaces and USB controllers. Customers will need to send certain phones to Cellebrite. “UFED has obtained the permission to access operating system internals after the data is already decrypted. It can then extract the raw, block-level reading in decrypted form. This is done, again, by exploiting vulnerabilities identified by Cellebrite. These vulnerabilities are rarely available to the public after they are discovered. Quite often, Cellebrite’s Security Research Labs have exclusive knowledge of vulnerabilities and the opportunities they afford. This knowledge will only become more valuable; as iOS & Android software progresses and privacy protections, sandbox isolation mechanisms and security mitigations advance.” The iOS challengeApple’s iOS presents the biggest hurdle for physical extractions. Before the iPhone 4S you could carry out a physical extraction on an iPhone. But since iPhone 4S and indeed for other devices that have entered the market, it is extremely difficult if not impossible to get into the device due to hardware encryption. Although a number of vendors’ state they can.
Elcomsoft iOS Forensic Toolkit 5.0 states that it can achieve iOS 12 physical extraction. This sounds similar to Cellebrite’s full file system extraction described above. It can extract the content of the file system and decrypt passwords and authentication credentials stored in the iOS keychain. It is possible on devices supported by the ‘rootless jailbreak’. “Elcomsoft iOS Forensic Toolkit supports all possible options for extracting and decrypting data from both jailbroken and non-jailbroken 64-bit devices, including the last generations of Apple hardware and software. Without a jailbreak, experts can perform logical extraction though iOS system backups, extract shared app data and media files. In certain cases, logical extraction is even possible if the iPhone is locked. If a jailbreak can be installed, experts can image the file system of 64-bit iPhones, extract protected application data and working datasets.” “Physical acquisition offers numerous benefits compared to all other acquisition options by enabling access to protected parts of the file system and extracting data that is not synced with iCloud or included in local backups: In particular, physical acquisition is the only method for decrypting keychain items targeting the highest protection class. File system extraction gains full access to application sandboxes and all system areas, extract secret chats and recover deleted messages. Downloaded email messages, chat databases and secrets from two-factor authentication apps, system logs and detailed location data are just a few things that are exclusively available with file system extraction.” “...public jail breaks to gain access to the device’s file system, circumvent iOS security measures and access device secrets allowing us to decrypt the entire content of the keychain including keychain items protected with the highest protection class.” Indeed, Reiber (2019 : 342) states that:
Physical acquisition of iOS 11 devices by Elcomsoft iOS Forensics Toolkit uses classic jailbreak. “Forensic experts use jailbreaks for much different reasons compared to enthusiastic users. A wide-open security vulnerability is exactly what they want to expose the device’s file system, circumvent iOS sandbox protection and access protected data. Jailbreaking extracts the largest set of data from the device. During jailbreaking, many software restrictions imposed by iOS are removed through the use of software exploits. In addition to sandboxed app data (which includes conversation histories and downloaded mail) experts can also extract and decrypt the keychain, a system - wide storage for online passwords, authentication tokens and encryption keys. Unlike keychain items obtained from a password-protected local backup, physical extraction of a jailbroken device gains access to keychain items secured with the highest protection class.” Android - Using vulnerabilities: Emergency Download Mode“It may seem unusual, but it is possible to make a physical dump of an Android device without rooting and it does not require JTAG and Chip-off methods.” Emergency Download (EDL) mode is a vulnerability used by a number of vendors to carry out physical extractions. It works on some but not all devices that have the Qualcomm chipset. EDL is Qualcomm’s rescue mode for phone diagnostics and repair, which is exposed through various triggers or when a device cannot boot. It “is designed to allow low level access to chipset for device analysis, repair or re-thrashing.” Cellebrite has a wide range of ready ‘programmers’ which are “pieces of software containing raw flash read/write functionality”. Programmers can be digitally signed with a vendor signature that is verified by the device, so for EDL to accept and verify a programmer it must match but the hardware and signature requirement. When Cellebrite’s UFED starts EDL extraction flow, it will automatically attempt to match an existing programmer it has to the hardware and signature requirement. If there is a match, then it will have flash read access. If there is not signature requirement for a particular phone, then it will match the hardware. According to Cellebrite, UFED has a proprietary exploit to bypass the signature requirement for several chipsets. In addition, raw flash access will enable access to encrypted content, however, without access to encryption keys. To address this problem, Cellebrite UFED will attempt to fully boot the device before the extraction begins. The way you put a device in EDL mode will differ depending on the phone and ranges from techniques that various technologies such as Cellebrite’s UFED can support, to more invasive techniques that require forensic skill. If EDL is supported by Cellebrite, the UFED can guide you through what you need to do, for example, hold vol up and down. Using EDL Mode. Source: Cellebrite webinarCellebrite’s UFED has both a decrypting and non-decrypting EDL extraction option. Both work on pattern or passcode locked devices (if the device is supported), if the device is encrypted. The decryption extraction for encrypted devices will require the device to boot so that the UFED can apply the decrypting bootloader, which is not required for non-decrypting EDL extraction. For both options, when using the UFED, the user will be able to choose placing the device in DFU (handset diagnostic interface) FTM (factory test mode). These both use EDL methods. An example of using EDL mode, bootloader option is Cellebrite’s EDL physical bypass solution for certain Samsung devices with the Qualcomm chipset. Most modern phones running Android are encrypted out of the box. In this method Cellebrite uses specified cables for devices with a specific data port connection. When the device is running in bootloader mode, the operating system does not run. It bypasses any user lock. When you select the phone you want to download, the UFED will ask you to do a number of things to get the phone into download mode and enable the extraction. Other methods to achieve EDL mode include the use of cable 523, ‘abd reboot edl’, ‘fastboot oem edl’, test point and eMMC fault injection (shorting). The last two require experience with ISP and Chip Off. Cellebrite are not the only vendor extracting a physical image for devices with Qualcomm chipsets via EDL mode. Magnet Forensics and Oxygen Forensics do this using the ADB method. Both note that ADB access has to be enabled. To do this the phone must be unlocked and USB debugging turned on “so that you’re able to send and received ADB commands to the phone … the method does work quite well in scenarios where the phone is already unlocked and you just want to get a better acquisition.” Oxygen Forensics also use ‘fastboot’ and describe getting devices into this mode using key combinations e.g. holding Power and Vol- at the same time. Cellebrite also promotes its ability to use ‘smart’ ADB:
Oxygen Forensic Detective states that use of EDL mode “allows investigators to utilize this non-invasive physical acquisition technique and screen lock bypass on more than 400 unique devices when the phone can be successfully placed into EDL mode.” How to get a device into EDL mode. Source: Cellebrite webinarPhysical extraction of author’s HTC Desire using Cellebrite UFED. Source: Privacy InternationalAnalysis: Analytics on extracted dataA number of tools with impressive analytical capabilities are on offer to help investigators deal with extracted data.
Cellebrite’s Physical Analyzer is a user-friendly piece of software that is designed to organise data extracted in different file types from XML, CSV, TXT to CDR, media and text. It can bring together datasets from different devices, recognise and categorise digital media. Physical Analyzer can display all the information that was extracted. It also has considerable data diving and visualisation capabilities.
Link analysis is used to analyze phone calls, emails text messages and location data in order to discover associations between individuals via different types of data. As noted by Professor Peter Sommer in evidence to the UK Parliament:
Police in the UK are trialling Cellebrite’s machine learning tools to interpret images, match faces and analyse patterns of communication. Cellebrite states that:
Magnet AXIOM is also utilising machine learning techniques:
In August 2017 Cellebrite introduced what it called “advanced machine learning technology” for its analytics platform, which can be used to analyse data extracted from the cloud and which included face recognition and matching. From July 2019, Oxygen Forensics JetEngine module, built into Oxygen Forensic Detective, provides the ability to categorise human faces using their own technology. Not only do they provide the categorisation and matching of faces within extract data, facial analytics is included gender, race and emotion recognition. Lee Reiber, Oxygen’s chief operating officer said the tool can “search for a specific face in an evidence trove, or cluster images of the same person together. They can also filter faces by race or age group, and emotions such as “joy” and “anger”.” Oxygen Forensics. Source: Oxygen ForensicsConclusionAs the use of mobile phone extraction proliferates, whether it is used by law enforcement or border security, the data from these devices will be used to challenge an individual whether in criminal, civil or immigration proceedings and procedures. There is little technical information available to individuals, to those who may represent them and those who campaign on these issues. Whilst mobile forensics is a rapidly changing field, this is an attempt to look at what is going on when those who use powerful extraction tools seek data from devices. The use of mobile forensics raises issues complex issues relating to the reliability of the extracted data as a form of evidence, particularly if it is used by unskilled individuals who rely on the push button technologies but are not digital forensic analysts.
The delivery of justice depends on the integrity and accuracy of evidence and trust that society has in it. We hope that in starting to unpick some of the complexities in this field, we can inform the debate on this topic. |