Most private consulting firms performing forensic analysis use the same tools year after year. The digital forensic community has used and relied on some of these tools for decades.

Working with corporate clients, digital forensic analysts tend to encounter the same type of data, typically on Windows systems, over and over again. Consultants become very familiar with where the data is stored, the format it is stored in, and how to extract it for use in litigation. Following established protocols and procedures to identify the data with their forensic tool(s) of choice works out fine – until one day it doesn’t.

An attorney for a corporation hired Contact Discovery Services, a private consulting firm, to recover e-mails stored on a MacBook. An employee had left the corporation, and the e-mails stored on the MacBook that employee had used were needed; they had to be recovered as quickly as possible.

The first hurdle was imaging. There was no easy way to remove the internal storage from the MacBook and duplicate it. The answer to this dilemma was a tool the firm already had, Cellebrite Digital Collector. Created to image Apple computers, Cellebrite Digital Collector was used to create a full disk image of the MacBook. The image was forensically sound and no data was altered.

The Case

The digital forensic analyst assigned to the case was knowledgeable, with about 10 years of digital forensic analysis experience. Knowing that the priority in this exam was to locate the e-mails as quickly as possible, he loaded the forensic image of the MacBook into traditional forensic analysis tools and began searching for the e-mail files. The typical filters designed to locate e-mails and e-mail stores were unsuccessful; no e-mails were found.

What should have been a quick and easy extraction of data quickly turned into what could have become a long research project. The digital forensic analyst began researching and discovered that the e-mail files were stored in a format created by Outlook for Mac 2011.

This was not a format the digital forensic analyst was familiar with. The file extensions and folder locations were unfamiliar. Worse yet, the forensic tools in use could not interpret the data. The digital forensic analyst was unsure what his next steps should be; the industry-standard tools he had used for years were not helpful, and he was no closer to finding the e-mail message content.

At this point, the digital forensic analyst turned to Cellebrite Inspector. The image of the MacBook was processed, and Cellebrite Inspector extracted the data contained in the image. E-mail files were parsed during initial evidence processing and displayed in the Communications tab. Though the digital forensic analyst had no previous experience using Cellebrite Inspector or performing analysis on macOS systems, the intuitive interface made locating the e-mail messages easy.

The digital forensic analyst was then able to export the messages into a format the client could easily read. The Export status in Cellebrite Inspector was used by the digital forensic analyst to provide the client with a realistic and accurate timeline for case completion.

Overall, Cellebrite Digital Collector was able to capture a forensically sound image of the data on the MacBook, and Cellebrite Inspector automatically located the e-mails the client needed. The user-friendly interface of Cellebrite Inspector allowed the digital forensic analyst to quickly find and export the e-mails without having to perform extensive research. The client’s expectation for a timely extraction of the e-mails stored on the device was fulfilled.

The Analysis

While there are many forensic tools available, Cellebrite Inspector was chosen for this analysis because it allows a number of large data sets to be processed.

The Result

Cellebrite Inspector made the entire process easy. All investigative activity was tagged, and Cellebrite Inspector automatically located the e-mails the client needed. The interface is intuitive, making search functions, filtering, and pivoting extremely easy for the user.

“A client identified a subset of important e-mails missing from a cloud-hosted e-mail account which were not in the review population. During the analysis of the MacBook image acquired using Cellebrite Digital Collector, we were able to easily identify the missing e-mails with Cellebrite Inspector which were locally stored on the laptop.” – Balal Abouelenein, Digital Forensic Analyst, Contact Discovery Services

Cellebrite Inspector Capabilities

Cellebrite Inspector computer forensic software enables digital forensic analysts to quickly analyze computer volumes and mobile devices to shed light on user actions. This solution allows investigators to easily search, filter, and sift through large data sets to perform smart, comprehensive analysis of data generated by either Mac- or Windows-based computers.

Mac Support

  • An unrivaled, easy-to-use interface
  • Supports the latest systems, including T2 chip, Fusion, and encrypted devices
  • Review history in APFS snapshots and Time Machine backups
  • Display and search Spotlight metadata
  • Review network connections, recent documents, and user activity

Windows Support

  • The trusted tool for smarter analysis
  • Review device history from Microsoft Volume Shadow Copies
  • Built-in Windows Memory and Windows Registry analysis
  • Automatically parse account information, recent documents, downloads, recycle bin, and USB connections

Cellebrite Inspector Now Part of the Cellebrite Family

Cellebrite recently acquired BlackBag, the parent company of Cellebrite Inspector, to expand support of digital sources and allow the inclusion of computer data into the investigation flow.

This natural fit strengthens Cellebrite’s commitment to providing a digital intelligence platform that is unmatched in the industry to access, manage, and analyze digital data across multiple sources and orchestrate the entire digital intelligence operation.

By taking advantage of the company’s combined solutions, agency managers can now:

  • Support data access for Mac- and Windows-based platforms
  • Simplify live-data acquisition
  • Triage devices prior to extractions
  • Perform selective data extractions

Adding Cellebrite Inspector to Cellebrite’s powerful lineup of digital intelligence solutions is helping to reach Cellebrite’s goal of empowering customers with the best tools to support their needs today and in the future.

Main Takeaways:

  • Cellebrite Digital Collector was used to create a forensically sound image of the MacBook.
  • Traditional tools and methods, used by an experienced digital forensic analyst, were unable to locate the requested e-mails.
  • Cellebrite Inspector automatically processed the e-mail files stored in the MacBook image and displayed them in the Communications tab.
  • While the digital forensic analyst had no previous experience examining macOS or using Cellebrite Inspector, the user-friendly interface made locating and extracting the requested e-mails easy.

Learn more about how Cellebrite’s computer access and analysis solutions can help your organization, here.