In this post, we want to share some additional steps you may need to perform in order to bring additional mobile data collection formats into Cellebrite Inspector.

Types of Cellebrite Device Acquisitions that Cellebrite Inspector Supports

Below is a list of the different types of acquisitions done through Cellebrite products and which ones Cellebrite Inspector currently supports. The ones that are marked with an asterisk (*) are the ones that need additional steps before ingestion.

| Format | Supported? | Extension |
| --- | --- | --- |
| Cellebrite Physical Analyzer – Adv Logical Method 1 | Yes | .tar |
| Cellebrite Physical Analyzer – Adv Logical Method 1 encrypted | Yes | .tar |
| Cellebrite Physical Analyzer – Adv Logical Method 2 & 3 | Yes | .tar |
| Cellebrite UFED4PC – Logical | Yes* | Folder + .zip |
| Cellebrite UFED4PC – Filesystem (iOS) | Yes* | .zip; .zip segmented |
| Cellebrite UFED4PC – Filesystem (Android) | On the Roadmap | various (.zip, custom .zip, .ab) |
| Cellebrite UFED4PC – Physical (iOS) | Yes | .img |
| Cellebrite UFED4PC – Physical (Android) | Yes* | .bin (supported); .bin segmented (need to cat) |
| Cellebrite UFED4PC CAIS (iOS) | On the Roadmap | .dar |
| Cellebrite Premium data collection (iOS) | On the Roadmap | |

* Supported with additional handling of the collected evidence.

NOTE: While most Cellebrite users are used to working with .UFD or .UFDX files, those are specific to Cellebrite’s tools and do not contain the images themselves. Inspector will need the particular image files, which will have file extensions listed in the table above.

Working with Cellebrite files that need additional prep before ingestion

As you can see, several Cellebrite data collections can be added directly to Cellebrite Inspector. Below we will cover the three types of acquisitions listed with an asterisk (*) where additional steps are needed to ensure the information can be read by Cellebrite Inspector. The first two are the most straightforward, and we will do a walkthrough of the third, more involved, iPhone Filesystem Full image at the end.

Cellebrite UFED4PC Logical (iOS)

To locate the iOS backup in a Logical acquisition from Cellebrite UFED4PC, use the following steps:

      1. Unzip the Apple_iPhone.zip archive, where ‘Apple_iPhone’ is the name of your device.

      2. Locate the folder named “Backup” or “Snapshot.” It will have an iOS backup inside of it.

      3. Add the iOS backup to Inspector.

Cellebrite UFED4PC – Physical (Android)

To format the bin file from Android physical extraction to be read by Inspector, use the following steps:

      1. Concatenate the bin files into one bin file:

cat file1 file2 file3 file4 > output.bin

      2. Add the bin file to Inspector.

Walkthrough of An iPhone Filesystem (Full) Image

Out of all the data collection types listed in the supported table above, the segmented iOS File system dump is probably the most difficult workaround, so I would like to go into a little more detail about the steps involved. In this example, you can see the segments in “File Finder”.

In following the steps above for Cellebrite UFED4PC – Filesystem (iOS), the segments will be concatenated using the following command within the terminal. Backslashes are used to ensure spaces and special characters are read correctly; you can also put the file names within double quotes:

zip -FF Apple_iPhone\ 7\ \(A1660\).zip --out Apple_iPhone\ 7\ \(A1660\)-new.zip

You should now see the new zip file in the directory.

To unarchive this new zip file, use the following command:

unzip Apple_iPhone\ 7\ \(A1660\)-new.zip -d Apple_iPhone\ 7\ \(A1660\)-new

The concatenated zip has now been unarchived into a folder.

Next, locate the Snapshot folder to confirm whether or not the status.plist file is there. Assuming your Finder is set to alphabetical order, it would be the last file listed if it exists. In my example, it does not exist, so we will have to add our own.

Add your own status.plist file inside of the “Backup” or “Snapshot” folder.

This file can be created in a text editor with the following information:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BackupState</key>
<string>new</string>
</dict>
</plist>

Using the text above, I created a Status.plist file in a text editor. This file can then be used for any cases where the Status.plist is not included, so keep a copy of it somewhere convenient.
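The check-and-create step described above can be scripted so that an existing Status.plist is never overwritten. This is an added example, not part of the original post or of any Cellebrite tooling; the function names are hypothetical, and it assumes a `find` that supports `-iname` and `-maxdepth` (GNU and macOS both do).

```shell
#!/bin/sh
# Added example (not from the original post): make sure the extracted
# "Backup"/"Snapshot" folder has a Status.plist before it goes into Inspector.

# Print the first directory named Backup or Snapshot (any case) under $1.
find_backup_dir() {
    find "$1" -type d \( -iname Backup -o -iname Snapshot \) | sort | head -n 1
}

# Write the plist shown in the post into $1 unless one already exists.
# Prints "kept" if a file was already present, "created" if it was added.
ensure_status_plist() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # The post spells the name both status.plist and Status.plist: match any case.
    existing=$(find "$dir" -maxdepth 1 -type f -iname status.plist | head -n 1)
    if [ -n "$existing" ]; then
        echo kept
        return 0
    fi
    cat > "$dir/Status.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BackupState</key>
<string>new</string>
</dict>
</plist>
EOF
    echo created
}

# prepare_extraction ROOT: ROOT is the folder produced by the unzip step.
# Prints "<backup folder>:<created|kept>", or fails if no folder is found.
prepare_extraction() {
    backup=$(find_backup_dir "$1")
    [ -n "$backup" ] || { echo "no Backup or Snapshot folder under $1" >&2; return 1; }
    state=$(ensure_status_plist "$backup") || return $?
    echo "$backup:$state"
}
```

Run `prepare_extraction` against the unarchived folder; the path it prints is the folder to add as the evidence item.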

We are now ready to proceed with the ingestion into Inspector! After creating a new case file, we will add the ‘Snapshot’ folder as our evidence item.

If you did the above steps correctly, you will see right away that Inspector recognizes the Snapshot folder as an iOS backup. If it seems only to show it as a folder, then double-check to make sure you did the unarchiving and adding of the status.plist file correctly. In my example, it shows that it is an iOSBackup and that it is password protected.

To provide the password and decrypt the backup, click on the padlock next to the evidence item (in this case ‘Vickie’s 7’).

Once the password is provided, you can proceed to select processing options as usual.

From here, it is Inspector processing and analysis as normal! While there are many different data collection types that may come out of a Cellebrite acquisition, this post is meant to help make it easier to work with the more common data collections that currently need a little massaging before analysis can be done.
