
Sept. 09
U.S. Department of Justice
Office of Justice Programs
National Institute of Justice
Special Report
Test Results for Mobile Device Acquisition Tool: Cellebrite UFED 1.1.05
www.ojp.usdoj.gov/nij
Office of Justice Programs
Innovation, Partnerships, Safer Neighborhoods
www.ojp.usdoj.gov

U.S. Department of Justice
Office of Justice Programs
810 Seventh Street N.W.
Washington, DC 20531

Eric H. Holder, Jr.
Attorney General

Laurie O. Robinson
Acting Assistant Attorney General

Kristina Rose
Acting Director, National Institute of Justice

This and other publications and products of the National Institute of Justice can be found at:
National Institute of Justice
www.ojp.usdoj.gov/nij

Sept. 09
Test Results for Mobile Device Acquisition Tool: Cellebrite UFED 1.1.05
NCJ 228220

Kristina Rose
Acting Director, National Institute of Justice

This report was prepared for the National Institute of Justice, U.S. Department of Justice, by the Office of Law Enforcement Standards of the National Institute of Standards and Technology under Interagency Agreement 2003–IJ–R–029.

The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.

January 2009
Test Results for Mobile Device Acquisition Tool: Cellebrite UFED 1.1.0.5

January 2009
Results of Cellebrite UFED 1.1.0.5

Contents

1 Results Summary
2 Test Case Selection
3 Results by Test Assertion
3.1 Connectivity Disruption
3.2 Acquisition of MSISDN
3.3 Acquisition of Missed Calls
3.4 Acquisition of text messages
4 Testing Environment
4.1 Test Computers
5 Test Results
5.1 Test Results Report Key
5.2 Test Details
5.2.1 CFT-IM-01 (LG VX5400)
5.2.2 CFT-IM-02 (LG VX5400)
5.2.3 CFT-IM-03 (LG VX5400)
5.2.4 CFT-IM-04 (LG VX5400)
5.2.5 CFT-IM-05 (LG VX5400)
5.2.6 CFT-IM-06 (LG VX5400)
5.2.7 CFT-IM-10 (LG VX5400)
5.2.8 CFT-IMO-01 (LG VX5400)
5.2.9 CFT-IMO-02 (LG VX5400)
5.2.10 CFT-IMO-03 (LG VX5400)
5.2.11 CFT-IMO-04 (LG VX5400)
5.2.12 CFT-IMO-08 (LG VX5400)
5.2.13 CFT-IMO-09 (LG VX5400)
5.2.14 CFT-IM-01 (LG VX6100)
5.2.15 CFT-IM-02 (LG VX6100)
5.2.16 CFT-IM-03 (LG VX6100)
5.2.17 CFT-IM-04 (LG VX6100)
5.2.18 CFT-IM-05 (LG VX6100)
5.2.19 CFT-IM-06 (LG VX6100)
5.2.20 CFT-IM-10 (LG VX6100)
5.2.21 CFT-IMO-01 (LG VX6100)
5.2.22 CFT-IMO-02 (LG VX6100)
5.2.23 CFT-IMO-03 (LG VX6100)
5.2.24 CFT-IMO-04 (LG VX6100)
5.2.25 CFT-IMO-08 (LG VX6100)
5.2.26 CFT-IMO-09 (LG VX6100)
5.2.27 CFT-IM-01 (MOTO V710)
5.2.28 CFT-IM-02 (MOTO V710)
5.2.29 CFT-IM-03 (MOTO V710)
5.2.30 CFT-IM-04 (MOTO V710)
5.2.31 CFT-IM-05 (MOTO V710)
5.2.32 CFT-IM-06 (MOTO V710)
5.2.33 CFT-IM-07 (MOTO V710)
5.2.34 CFT-IM-08 (MOTO V710)
5.2.35 CFT-IM-09 (MOTO V710)
5.2.36 CFT-IM-10 (MOTO V710)
5.2.37 CFT-IMO-01 (MOTO V710)
5.2.38 CFT-IMO-02 (MOTO V710)
5.2.39 CFT-IMO-03 (MOTO V710)
5.2.40 CFT-IMO-04 (MOTO V710)
5.2.41 CFT-IMO-08 (MOTO V710)
5.2.42 CFT-IMO-09 (MOTO V710)
5.2.43 CFT-IM-01 (SCH u410)
5.2.44 CFT-IM-02 (SCH u410)
5.2.45 CFT-IM-03 (SCH u410)
5.2.46 CFT-IM-04 (SCH u410)
5.2.47 CFT-IM-05 (SCH u410)
5.2.48 CFT-IM-10 (SCH u410)
5.2.49 CFT-IMO-01 (SCH u410)
5.2.50 CFT-IMO-02 (SCH u410)
5.2.51 CFT-IMO-03 (SCH u410)
5.2.52 CFT-IMO-04 (SCH u410)
5.2.53 CFT-IMO-08 (SCH u410)
5.2.54 CFT-IMO-09 (SCH u410)
5.2.55 CFT-IM-01 (SCH u740)
5.2.56 CFT-IM-02 (SCH u740)
5.2.57 CFT-IM-03 (SCH u740)
5.2.58 CFT-IM-04 (SCH u740)
5.2.59 CFT-IM-05 (SCH u740)
5.2.60 CFT-IM-07 (SCH u740)
5.2.61 CFT-IM-10 (SCH u740)
5.2.62 CFT-IMO-01 (SCH u740)
5.2.63 CFT-IMO-02 (SCH u740)
5.2.64 CFT-IMO-03 (SCH u740)
5.2.65 CFT-IMO-04 (SCH u740)
5.2.66 CFT-IMO-08 (SCH u740)
5.2.67 CFT-IMO-09 (SCH u740)
5.2.68 CFT-IM-01 (SPH a660)
5.2.69 CFT-IM-02 (SPH a660)
5.2.70 CFT-IM-03 (SPH a660)
5.2.71 CFT-IM-04 (SPH a660)
5.2.72 CFT-IM-05 (SPH a660)
5.2.73 CFT-IM-06 (SPH a660)
5.2.74 CFT-IMO-01 (SPH a660)
5.2.75 CFT-IMO-02 (SPH a660)
5.2.76 CFT-IMO-03 (SPH a660)
5.2.77 CFT-IMO-04 (SPH a660)
5.2.78 CFT-IMO-08 (SPH a660)
5.2.79 CFT-IMO-09 (SPH a660)

Introduction

The Computer Forensics Tool Testing (CFTT) program is a joint project of the National Institute of Justice (NIJ), the research and development organization of the U.S. Department of Justice (DOJ), and the National Institute of Standards and Technology’s (NIST’s) Office of Law Enforcement Standards, and Information Technology Laboratory. CFTT is supported by other organizations, including the Federal Bureau of Investigation, the U.S. Department of Defense Cyber Crime Center, U.S. Internal Revenue Service Criminal Investigation Division Electronic Crimes Program, and the U.S. Department of Homeland Security’s Bureau of Immigration and Customs Enforcement, U.S. Customs and Border Protection, and U.S. Secret Service. The objective of the CFTT program is to provide measurable assurance to practitioners, researchers, and other applicable users that the tools used in computer forensics investigations provide accurate results. Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications.

Test results provide the information necessary for developers to improve tools, users to make informed choices, and the legal community and others to understand the tools’ capabilities. This approach to testing computer forensic tools is based on well-recognized methodologies for conformance and quality testing. The specifications and test methods posted on the CFTT Web site (http://www.cftt.nist.gov/) are available for review and comment by the computer forensics community.

This document reports the results from testing Cellebrite’s UFED, version 1.1.0.5, against the Non-GSM Mobile Device and Associated Media Tool Test Assertions and Test Plan Version 1.1, available at the CFTT Web site (www.cftt.nist.gov/mobile devices.htm).

Test results from other software packages and the CFTT tool methodology can be found on NIJ’s computer forensics tool testing Webpage, ctronic-crime/cftt.htm.

Test Results for Mobile Device Data Acquisition Tool

Tool Tested: Cellebrite UFED
Version: 1.1.0.5
Run Environments: Windows XP Service Pack 2
Supplier: Cellebrite USA Corp.
Address: 266 Harristown Rd., Ste. 105, Glen Rock, NJ
Tel:
Fax:
WWW: llebrite.com/

1 Results Summary

Except for the following test cases: CFT–IM–03 (LG VX6100), CFT–IM–05 (SCH–u410, SCH–u740, SPH–a660), CFT–IM–07 (MOTO V710), CFT–IM–08 (MOTO V710), the tested tool acquired all supported data objects completely and accurately from the selected test mobile devices (i.e., LG VX5400, LG VX6100, Motorola V710, Samsung SCH–u410, Samsung SCH–u740, Samsung SPH–a660). The exceptions are the following:

1. Connectivity disruptions between the mobile device (i.e., LG VX6100) and interface were not adequately presented to the examiner. Test Case: CFT–IM–03 (LG VX6100)
2. The MIN was extracted instead of the MSISDN for the following Samsung devices: SCH–u410, SCH–u740, SPH–a660. Test Case: CFT–IM–05 (SCH–u410, SCH–u740, SPH–a660)
3. Missed calls are reported as both Incoming and Missed, representing two calls rather than one. Test Case: CFT–IM–07 (MOTO V710)
4. Text messages with a status of UNREAD were altered to READ. Test Case: CFT–IM–08 (MOTO V710)
5. Outgoing text messages did not contain the outgoing date/time stamp. Test Case: CFT–IM–08 (MOTO V710)
6. All outgoing text messages present in internal memory were not reported. Test Case: CFT–IM–08 (MOTO V710)
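The anomaly types in the results summary (MIN reported for MSISDN, one missed call listed twice, UNREAD changed to READ, a missing outgoing date/time stamp, unreported messages) can be checked mechanically when the contents of the test handset are known in advance. The following Python code is an added example, not part of the NIST report or of Cellebrite's software; the record layout, the id field used to match messages, and all sample values are constructed.

```python
"""Compare an acquisition report with the known contents of a test handset.
Record layouts and all sample values are constructed for illustration."""
from collections import Counter

def check_subscriber(expected, reported):
    """Flag a report that shows the MIN where the MSISDN was expected."""
    number = reported.get("number")
    if number == expected["msisdn"]:
        return []
    if number == expected["min"]:
        return ["MIN reported instead of MSISDN"]
    return [f"subscriber number mismatch: {number}"]

def check_calls(expected, reported):
    """Calls are (number, timestamp, type) tuples. One number and timestamp
    listed under several types means a single call was reported twice."""
    findings, types_seen = [], {}
    for number, ts, ctype in reported:
        types_seen.setdefault((number, ts), set()).add(ctype)
    for key, types in sorted(types_seen.items()):
        if len(types) > 1:
            findings.append(f"call {key} reported as {sorted(types)}")
    missing = Counter(expected) - Counter(reported)
    return findings + [f"call not reported: {c}" for c in sorted(missing)]

def check_messages(expected, reported):
    """Messages are dicts matched on a constructed 'id' field."""
    findings, got = [], {m["id"]: m for m in reported}
    for exp in expected:
        rep = got.get(exp["id"])
        if rep is None:
            findings.append(f"message {exp['id']} ({exp['direction']}) not reported")
            continue
        if rep.get("status") != exp["status"]:
            findings.append(f"message {exp['id']} status {exp['status']} -> {rep.get('status')}")
        if exp["timestamp"] and not rep.get("timestamp"):
            findings.append(f"message {exp['id']} missing date/time stamp")
    return findings

# Constructed baseline (data loaded onto the handset) and constructed tool report.
EXPECTED_SUB = {"msisdn": "3015550100", "min": "2405550199"}
REPORTED_SUB = {"number": "2405550199"}
EXPECTED_CALLS = [("3015550111", "2009-01-05 09:14", "Missed"),
                  ("3015550122", "2009-01-05 10:02", "Outgoing")]
REPORTED_CALLS = EXPECTED_CALLS + [("3015550111", "2009-01-05 09:14", "Incoming")]
EXPECTED_MSGS = [
    {"id": 1, "direction": "incoming", "status": "UNREAD", "timestamp": "2009-01-05 11:30"},
    {"id": 2, "direction": "outgoing", "status": "SENT", "timestamp": "2009-01-05 11:45"},
    {"id": 3, "direction": "outgoing", "status": "SENT", "timestamp": "2009-01-05 12:00"},
]
REPORTED_MSGS = [
    {"id": 1, "direction": "incoming", "status": "READ", "timestamp": "2009-01-05 11:30"},
    {"id": 2, "direction": "outgoing", "status": "SENT", "timestamp": None},
]

def all_findings():
    """Run every check against the constructed sample data."""
    return (check_subscriber(EXPECTED_SUB, REPORTED_SUB)
            + check_calls(EXPECTED_CALLS, REPORTED_CALLS)
            + check_messages(EXPECTED_MSGS, REPORTED_MSGS))

if __name__ == "__main__":
    for finding in all_findings():
        print(finding)
```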

2 Test Case Selection

Not all test cases or test assertions are appropriate for all tools. In addition to the base test cases, each remaining test case is linked to optional tool features needed for the test case. If a given tool implements a given feature then the test cases linked to that feature are run. Tables (1a–1e) list the features available in Cellebrite’s UFED and the linked test cases. Tables (2a–2e) list the features not available in Cellebrite’s UFED.

Table 1a: Selected Test Cases (LG VX5400, LG VX6100)

Supported Optional Feature:
Base Cases
Acquire mobile device internal memory and review data via supported generated report formats.
Acquire mobile device internal memory and review reported data via the preview pane.
Acquire mobile device internal memory and compare reported data via the preview pane and supported generated report formats.
After a successful mobile device internal memory acquisition, alter the case file via third party means and attempt to reopen the case.
Acquire mobile device internal memory and review data containing foreign language characters.
Acquire mobile device internal memory and review hash values for vendor supported data objects.

Cases selected for execution:
CFT–IM–(01–06, IMO–04 CFT–IMO–08 CFT–IMO–09

Table 2a: Omitted Test Cases (LG VX5400, LG VX6100)

Unsupported Optional Feature:
Acquire mobile device internal memory and review reported call logs.
Acquire mobile device internal memory and review reported text messages.
Acquire mobile device internal memory and review reported MMS multimedia related data (i.e., text, audio, graphics, video).
Perform a physical acquisition and review data output for readability.
Perform a physical acquisition and review reports for recoverable deleted data.
Acquire mobile device internal memory and review generated log files.
Acquire mobile device internal memory and review the overall case file hash.

Cases omitted (not 10

Table 1b: Selected Test Cases (Motorola V710)

Supported Optional Feature:
Base Cases
Acquire mobile device internal memory and review data via supported generated report formats.
Acquire mobile device internal memory and review reported data via the preview pane.
Acquire mobile device internal memory and compare reported data via the preview pane and supported generated report formats.
After a successful mobile device internal memory acquisition, alter the case file via third party means, and attempt to reopen the case.
Acquire mobile device internal memory and review data containing foreign language characters.
Acquire mobile device internal memory and review hash values for vendor supported data objects.

Cases selected for FT–IMO–09

Table 2b: Omitted Test Cases (Motorola V710)

Unsupported Optional Feature:
Perform a physical acquisition and review data output for readability.
Perform a physical acquisition and review reports for recoverable deleted data.
Acquire mobile device internal memory and review generated log files.
Acquire mobile device internal memory and review the overall case file hash.

Cases omitted (not 7 CFT–IMO–10

Table 1c: Selected Test Cases (Samsung SCH–u410)

Supported Optional Feature:
Base Cases
Acquire mobile device internal memory and review data via supported generated report formats.
Acquire mobile device internal memory and review reported data via the preview pane.
Acquire mobile device internal memory and compare reported data via the preview pane and supported generated report formats.
After a successful mobile device internal memory acquisition, alter the case file via third party means and attempt to reopen the case.
Acquire mobile device internal memory and review data containing foreign language characters.
Acquire mobile device internal memory and review hash values for vendor supported data objects.

Cases selected for execution:
CFT–IM–(01–05, IMO–04 CFT–IMO–08 CFT–IMO–09

Table 2c: Omitted Test Cases (Samsung SCH–u410)

Unsupported Optional Feature:
Acquire mobile device internal memory and review reported PIM related data.
Acquire mobile device internal memory and review reported call logs.
Acquire mobile device internal memory and review reported text messages.
Acquire mobile device internal memory and review reported MMS multimedia related data (i.e., text, audio, graphics, video).
Perform a physical acquisition and review data output for readability.
Perform a physical acquisition and review reports for recoverable deleted data.
Acquire mobile device internal memory and review generated log files.
Acquire mobile device internal memory and review the overall case file hash.

Cases omitted (not 07 CFT–IMO–10

Table 1d: Selected Test Cases (Samsung SCH–u740)

Supported Optional Feature:
Base Cases
Acquire mobile device internal memory and review data via supported generated report formats.
Acquire mobile device internal memory and review reported data via the preview pane.
Acquire mobile device internal memory and compare reported data via the preview pane and supported generated report formats.
After a successful mobile device internal memory acquisition, alter the case file via third party means and attempt to reopen the case.
Acquire mobile device internal memory and review data containing foreign language characters.
Acquire mobile device internal memory and review hash values for vendor supported data objects.

Cases selected for execution:
CFT–IM–(01–05, T–IMO–04 CFT–IMO–08 CFT–IMO–09

Table 2d: Omitted Test Cases (Samsung SCH–u740)

Unsupported Optional Feature:
Acquire mobile device internal memory and review reported call logs.
Acquire mobile device internal memory and review reported text messages.
Acquire mobile device internal memory and review reported MMS multimedia related data (i.e., text, audio, graphics, video).
Perform a physical acquisition and review data output for readability.
Perform a physical acquisition and review reports for recoverable deleted data.
Acquire mobile device internal memory and review generated log files.
Acquire mobile device internal memory and review the overall case file hash.

Cases omitted (not 10

Table 1e: Selected Test Cases (Samsung SPH–a660)

Supported Optional Feature:
Base Cases
Acquire mobile device internal memory and review data via supported generated report formats.
Acquire mobile device internal memory and review reported data via the preview pane.
Acquire mobile device internal memory and compare reported data via the preview pane and supported generated report formats.
After a successful mobile device internal memory acquisition, alter the case file via third party means and attempt to reopen the case.
Acquire mobile device internal memory and review data containing foreign language characters.
Acquire mobile device internal memory and review hash values for vendor supported data objects.

Cases selected for FT–IMO–09

Table 2e: Omitted Test Cases (Samsung SPH–a660)

Unsupported Optional Feature:
Acquire mobile device internal memory and review reported call logs.
Acquire mobile device internal memory and review reported text messages.
Acquire mobile device internal memory and review reported MMS multimedia related data (i.e., text, audio, graphics, video).
Acquire mobile device internal memory and review reported stand-alone multimedia data (i.e., audio, graphics, video).
Perform a physical acquisition and review data output for readability.
Perform a physical acquisition and review reports for recoverable deleted data.
Acquire mobile device internal memory and review generated log files.
Acquire mobile device internal memory and review the overall case file hash.

Cases omitted (not executed):
CFT–IM–07 CFT–IM–08 MO–06 CFT–IMO–07 CFT–IMO–10

3 Results by Test Assertion

Tables 3a–3e summarize the test results by assertion. The column labeled Assertion Tested gives the text of each assertion. The column labeled Tests gives the number of test cases that use the given assertion. The column labeled Anomaly gives the section number in this report where the anomaly is discussed.

Table 3a: Assertions Tested: (LG VX5400, LG VX6100)

Columns: Assertions Tested, Tests, Anomaly

A IM–01 If a cellular forensic tool provides support for connectivity of the target device then the tool shall successfully recognize the target device via all vendor supported interfaces (e.g., cable, Bluetooth, IrDA).
Tests: 6

A IM–02 If a cellular forensic tool attempts to connect to a nonsupported device then the tool shall have the ability to identify that the device is not supported.
Tests: 1

A IM–03 If a cellular forensic tool encounters disengagement between the device and application then the application shall notify the user that connectivity has been disrupted.
Tests: 1
Anomaly: 3.1 (LG VX6100)

A IM–04 If a cellular forensic tool successfully completes acquisition of the target device then the tool shall have the ability to present acquired data elements in a human-readable format via either a preview pane or generated report.
Tests: 4

A IM–05 If a cellular forensic tool successfully completes acquisition of the target device then subscriber related information shall be presented in a human-readable format without modification.
Tests: 1

A IM–06 If a cellular forensic tool successfully completes acquisition of the target device then equipment related information shall be presented in a human-readable format without modification.
Tests: 1

A IM–07 If a cellular forensic tool successfully completes acquisition of the target device then all known address book entries shall be presented in a human-readable format without modification.
Tests: 1

A IM–08 If a cellular forensic tool successfully completes acquisition of the target device then all known maximum length address book entries shall be presented in a human-readable format without modification.
Tests: 1

A IM–09 If a cellular forensic tool successfully completes acquisition of the target device then all known address book entries containing special characters shall be presented in a human-readable format without modification.
Tests: 1

A IM–10 If a cellular forensic tool successfully completes acquisition of the target device then all known address book entries containing blank names shall be presented in a human-readable format without modification.
Tests: 1

A IM–11 If a cellular forensic tool successfully completes acquisition of the target device then all known e-mail addresses associated with address book entries shall be presented in a human-readable format without modification.
Tests: 1

A IM–12 If a cellular forensic tool successfully completes acquisition of the target device then all known graphics associated with address book entries shall be presented in a human-readable format without modification.
Tests: 1

A IM–13 If a cellular forensic tool successfully completes acquisition of the target device then all known datebook, calendar, note entries shall be presented in a human-readable format without modification.
Tests: 1

A IM–14 If a cellular forensic tool successfully completes acquisition of the target device then all maximum length datebook, calendar, note entries shall be presented in a human readable format without modification.
Tests: 1

A IM–20 If a cellular forensic tool successfully completes acquisition of the target device then all stand-alone audio files shall be playable via either an internal application or suggested third-party application without modification.
Tests: 1

A IM–21 If a cellular forensic tool successfully completes acquisition of the target device then all stand-alone image files shall be viewable via either an internal application or suggested third-party application without modification.
Tests: 1

A IM–22 If a cellular forensic tool successfully completes acquisition of the target device then all stand-alone video files shall be viewable via either an internal application or suggested third-party application without modification.
Tests: 1

A IMO–23 If a cellular forensic tool successfully completes acquisition of the target device then the tool shall present the acquired data without modification via supported generated report formats.
Tests: 4

A IMO–24 If a cellular forensic tool successfully completes acquisition of the target device then the tool shall present the acquired data without modification in a preview-pane view.
Tests: 4

A IMO–25 If a cellular forensic tool provides a preview-pane view and a generated report of the acquired data then the reports shall maintain consistency of all reported data elements.
Tests: 1

A IMO–26 If modification is attempted to the case file or individual data elements via third-party means then the tool shall provide protection mechanisms disallowing or reporting data modification.
Tests: 1

A IMO–37 If the cellular forensic tool supports proper display of foreign language character sets then the application should present address book entries containing foreign language characters in their native format without modification.
Tests: 1

A IMO–38 If the cellular forensic tool supports proper display of foreign language character sets then the application should present text messages containing foreign language characters in their native format without modification.
Tests: 1

A IMO–39 If the cellular forensic tool supports hashing for individual data objects then the tool shall present the user with a hash value for each supported data object.
Tests: 1

Table 3b: Assertions Tested (Motorola V710)

Assertions Tested Te
