Attorneys: Is Your Cell Phone Report Missing Data?
Monday, August 5, 2024
by: Lars Daniel EnCE, CCO, CCPA, CTNS, CTA, CIPTS, CWA Practice Leader - Digital Forensics / Envista Forensics

Section: Summer 2024




Introduction

As an attorney in today's digital age, you're probably no stranger to cases involving electronic evidence. But are you familiar with the critical difference between Cellebrite UFED and UFDR files? If not, buckle up – this knowledge could be the game-changer in your next digital forensics case.

Cellebrite is a globally recognized leader in the field of digital forensics, particularly known for its expertise in mobile device forensics. When it comes to investigating digital evidence on cell phones, Cellebrite offers a suite of advanced tools and solutions that enable forensic experts to extract, decode, and analyze data from a wide range of mobile devices.

This capability is crucial in modern legal investigations, where mobile devices often hold key evidence. Cellebrite's flagship tool, the Universal Forensic Extraction Device (UFED), is designed to perform comprehensive data extraction from mobile devices. UFED can retrieve data from many smartphones, tablets, and feature phones across operating systems including iOS, Android, and Windows Mobile. How much it can retrieve, however, depends on the device model, operating system version, and security state, and on which extraction method (logical, file system, or physical) that device supports.

Let's start with the basics. UFED stands for Universal Forensic Extraction Device. UFDR is the file format produced for UFED Reader (now also called Cellebrite Reader), a free viewer. Sounds similar, right? Well, that's where the similarities end. Think of the UFED extraction as a master key: when forensic experts use UFED, they're not just peeking through the keyhole – they're swinging the door as wide open as the device and the extraction method allow. The result is the raw extraction, containing everything the tool was able to pull from the device.

Enter UFDR. It's like the CliffsNotes version of the UFED extraction. User-friendly? Absolutely. Comprehensive? Not so much. UFDR is designed for quick reviews. It's perfect for when you need a high-level overview of the extracted data without diving into the technical deep end. But remember, convenience comes at a cost. UFDR reports often omit significant portions of data – and in the world of digital forensics, what you don't see can hurt your case.

The Cellebrite Extraction Process: From Device to Data

To truly understand the difference between UFED files and UFDR (UFED Reader) files, let's walk through the Cellebrite extraction process. This will show how these two file types are created and why they differ significantly.
 

Step 1: Data Extraction with UFED

The process begins with the Cellebrite Universal Forensic Extraction Device (UFED). This hardware tool connects to the mobile device and performs the initial data extraction. Here's what happens:
 
  1. The UFED establishes a connection with the target device.
  2. It bypasses or works around the device's security measures where the device model, OS version, and chosen extraction method allow; not every locked device can be fully extracted.
  3. The tool then extracts the data reachable by that extraction method. A logical extraction pulls what the device's own interfaces expose; a file system extraction pulls the file system; a physical extraction images the storage and is the one most likely to include deleted data and unallocated space.
  4. The extracted data is saved in Cellebrite's own format: one or more dump files (for example .bin or .zip) together with a small .ufd metadata file that records device details, the extraction type, and hash values for the dumps.
This set of files is what this article calls the "UFED file." It contains the complete, undecoded dataset extracted from the device, and the recorded hash values let anyone who receives it confirm that the dumps have not been altered.


Step 2: Data Processing with Physical Analyzer

The raw UFED file is then typically opened using Cellebrite's Physical Analyzer software. This is where the data review and analysis happens:
  1. The software decodes and interprets the raw data.
  2. It organizes the information into categories (e.g., messages, call logs, photos).
  3. It attempts to recover deleted data and piece together fragmented information.
  4. The software can perform advanced analyses like timeline creation or link analysis.
At this stage, an examiner can access the full breadth and depth of extracted data.
 

Step 3: Generating the UFDR File

Here's where the paths diverge. From the Physical Analyzer, an examiner can generate a UFDR (UFED Reader) file:
  1. The examiner selects which data categories to include in the UFDR.
  2. They may apply filters, date ranges, or search terms to narrow the included data further.
  3. The software packages only the selected, already-decoded data into a more accessible format.
  4. This package is saved as a UFDR file, which can be opened with the free UFED Reader software.
The UFDR file is therefore a curated subset of the full dataset, optimized for easier viewing and sharing. Anything the examiner did not select, and anything Physical Analyzer did not decode, is not in it.

UFDR: Is Your Cell Phone Forensic Report Missing Data?

While we've discussed the limitations of UFDR files in terms of the depth and breadth of data they contain, there's another crucial aspect that deserves our attention: the potential for selective data export, or as it's sometimes less charitably called, "cherry-picking."
When creating a UFDR report in Physical Analyzer, the examiner can choose which data elements to include. This selection process might seem convenient, especially when dealing with devices containing vast amounts of data. After all, why include irrelevant information, right?
However, this seemingly helpful feature can be a double-edged sword. Here's why:
  • Incomplete Picture: By selecting only certain data points, the UFDR report might present an incomplete or even misleading picture of the evidence.
  • Bias Introduction: Whether intentional or not, the selection process can introduce bias into the evidence presentation. Various factors, including the case theory or personal biases could influence the operator's judgment on what's relevant.
  • Missing Context: Important contextual data might be omitted if it's not recognized as significant by the person creating the report.
  • Potential for Abuse: In worst-case scenarios, this feature could be misused to present only data that supports a particular narrative, potentially obscuring exculpatory evidence.

What Attorneys Should Be Asking About UFDR Files

Understanding this difference is crucial for legal professionals. When you receive a UFDR report, it's important to remember that you're looking at a curated set of data. Always ask:
  • Who created this report, and with which version of the software?
  • What type of extraction (logical, file system, or physical) was performed on the device, and did it complete fully?
  • What criteria, filters, or search terms were used to select the included data?
  • What might be missing from this report?
  • Has the full extraction been preserved, and can you obtain it together with its recorded hash values so your own expert can verify it?

UFED Files: The Unfiltered Complete Data Set

In contrast, UFED files present the entire extracted dataset. There's no picking and choosing – you get everything. This comprehensive approach offers several advantages:
  • Complete Data Set: All extracted data is included, ensuring nothing is overlooked.
  • Objective Presentation: The data is presented as extracted, without a person deciding what's "important." Decoding is still done by software, so your expert should note the Physical Analyzer version used and re-parse the extraction independently.
  • Preservation of Context: All contextual information is retained, allowing for a more nuanced and accurate analysis.
  • Transparency: Both sides have access to the same complete dataset, promoting fairness in the legal process.

Why Your Expert Needs the Full UFED File

  • Comprehensive Analysis: A forensic expert requires the full UFED file to conduct a meticulous and exhaustive analysis. The UFED file contains raw data that can be parsed, filtered, and examined using specialized forensic tools. This allows experts to uncover hidden evidence, perform timeline analysis, and correlate data from different sources.
  • Contextual Information: The full UFED file includes contextual information that is often stripped away in the UFDR report. For example, system logs and application data can provide insights into user actions and device usage patterns that are not visible in the simplified report.
  • Verification and Validation: In digital forensics, the ability to verify and validate findings is crucial. The full UFED file allows forensic experts to cross-check data and ensure its integrity. This level of scrutiny is not possible with the UFDR report alone.
  • Advanced Recovery Techniques: Experts can employ advanced recovery techniques on the UFED file to retrieve deleted or hidden data. These techniques are essential in cases where the opposing party may have attempted to conceal or destroy evidence.
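The verification point above can be made concrete. The following Python script is an added example, not code from the original article or from Cellebrite: it reads an INI-style manifest that names the dump files of an extraction and records their SHA-256 values, re-hashes each dump on disk, and reports whether each one is intact, altered, or absent. The manifest layout (sections named Dumps and SHA256, keys like FileDump0) and the file names are assumptions modeled loosely on the .ufd metadata file, and the dump contents are constructed bytes; check the section and key names against a real .ufd before relying on the parser.

```python
import configparser
import hashlib
import tempfile
from pathlib import Path

# Constructed manifest. Section and key names are ASSUMED, modeled loosely on
# the INI-style .ufd metadata file; verify them against a real .ufd first.
SAMPLE_MANIFEST = """\
[DeviceInfo]
Vendor=ExampleVendor
Model=ExamplePhone
ExtractionType=FileSystem

[Dumps]
FileDump0=extraction.zip
FileDump1=extraction.bin

[SHA256]
extraction.zip={zip_sha}
extraction.bin={bin_sha}
"""


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a (possibly multi-gigabyte) dump file in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text: str) -> dict:
    """Return the dump file names and their recorded SHA-256 values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep file names case-sensitive
    cp.read_string(text)
    dumps = list(cp["Dumps"].values()) if cp.has_section("Dumps") else []
    hashes = dict(cp["SHA256"].items()) if cp.has_section("SHA256") else {}
    return {"dumps": dumps, "sha256": hashes}


def verify_extraction(manifest_path: Path) -> dict:
    """Map each dump named in the manifest to ok / mismatch / missing / unhashed."""
    manifest = parse_manifest(manifest_path.read_text())
    base = manifest_path.parent
    results = {}
    for name in manifest["dumps"]:
        target = base / name
        expected = manifest["sha256"].get(name)
        if not target.is_file():
            results[name] = "missing"      # dump not delivered with the manifest
        elif expected is None:
            results[name] = "unhashed"     # nothing recorded to verify against
        elif sha256_file(target).lower() == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"     # altered, truncated, or wrong file
    return results


def build_sample(workdir: Path, scenario: str = "clean") -> Path:
    """Write constructed dump files plus a manifest; return the manifest path."""
    zip_blob = b"PK\x03\x04 constructed file-system dump, not real phone data"
    bin_blob = bytes(range(256)) * 16
    (workdir / "extraction.zip").write_bytes(zip_blob)
    (workdir / "extraction.bin").write_bytes(bin_blob)
    manifest = workdir / "extraction.ufd"
    manifest.write_text(SAMPLE_MANIFEST.format(
        zip_sha=hashlib.sha256(zip_blob).hexdigest(),
        bin_sha=hashlib.sha256(bin_blob).hexdigest(),
    ))
    if scenario == "tampered":
        # dump modified after the manifest was recorded
        (workdir / "extraction.bin").write_bytes(bin_blob + b"\x00")
    elif scenario == "missing":
        # manifest delivered without one of its dumps
        (workdir / "extraction.bin").unlink()
    return manifest


def run_demo(scenario: str = "clean") -> dict:
    """Build the constructed sample in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        return verify_extraction(build_sample(Path(tmp), scenario))


if __name__ == "__main__":
    for scenario in ("clean", "tampered", "missing"):
        print(scenario, run_demo(scenario))
```

In practice the expert runs verify_extraction against the manifest in the directory the producing party delivered, and compares the hash values in that manifest with the ones the producing party documented at acquisition time; a "mismatch" or "missing" result is a chain-of-custody question to raise before any analysis begins.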

Case Examples

Criminal Case Example: Wrongly Accused

I was working on a criminal defense case involving a suspect accused of involvement in a serious assault. The prosecution's case heavily relied on the suspect's cell phone data, which included call logs and text messages summarized in a UFDR report.
According to the UFDR report, the suspect had exchanged several messages with a known accomplice around the time of the assault.
However, I was skeptical about the completeness of the UFDR report and insisted on obtaining the full UFED file for a comprehensive review. Upon analyzing the UFED file, we discovered several critical pieces of evidence that were not apparent in the UFDR report:
  • Deleted Messages: The UFED file revealed deleted messages between the suspect and another individual that provided an alibi. At the time of the assault, the suspect was making plans to meet this individual in a different part of the city.
  • Location Data: Detailed location data extracted from the UFED file showed that the suspect’s phone was miles away from the crime scene during the time the assault took place. This included GPS coordinates from various applications and system logs.
This additional evidence demonstrated that the suspect was not present at the crime scene and had a valid alibi. The prosecution’s case collapsed, and the charges against my client were dropped, highlighting the importance of a thorough analysis using the full UFED file.

Civil Case Example: Proving Distraction in a Trucking Accident

In a civil litigation case involving a trucking accident, I was retained by the attorney representing a trucking company that was being sued by a plaintiff driver who claimed that the truck driver was negligent and caused the accident. The expert retained by the plaintiff's attorney produced a UFDR report, which was shared with me during the discovery process. According to the plaintiff's expert, it showed the truck driver was using their phone around the time of the accident, implying distraction and negligence.
Recognizing the need for a detailed examination, I performed my own extraction of the data. Now, working with the full data set from the truck driver's mobile device in a UFED file, I was able to gain a comprehensive understanding of the phone’s usage. Through an in-depth analysis of the UFED file, several critical findings emerged:
  • Application Usage Data: The UFED file revealed that the phone was running a navigation app at the time of the accident, which was not captured in the UFDR report. This indicated that the truck driver was using the phone for legitimate purposes related to their job, not for personal communication.
  • Call and Message Logs: Detailed call logs and message data showed that while the phone was active, it was not being used for calls or text messages. This contradicted the plaintiff’s claim that the driver was distracted by personal phone use.
  • Browser and App History: The UFED file also contained detailed browser history and app usage logs, showing that the driver had been consistently using the navigation app and had no history of engaging in distracting activities while driving.
By presenting this comprehensive evidence, we demonstrated that the truck driver used the phone solely for navigation purposes and was not distracted by personal use. This information was pivotal in countering the plaintiff's claims and significantly strengthened the defense, leading to a favorable settlement.

These case examples underscore the critical importance of using the full UFED file in digital forensics examinations. The detailed and comprehensive data provided by the UFED file can reveal crucial evidence that may be overlooked in a simplified UFDR report, ultimately making a significant difference in the outcome of legal cases.

Conclusion

By insisting on access to the full UFED file, you ensure that your team can conduct an independent, comprehensive analysis of all available data. This approach not only strengthens your case but also upholds the principles of thorough and unbiased investigation.

While UFED Reader (also called Cellebrite Reader) offers a convenient glimpse into digital evidence, it's crucial to remember that it's just that – a glimpse. In the high-stakes world of legal proceedings, relying on partial information can be risky at best and catastrophic at worst.

As a digital forensic practitioner, my advice to attorneys is straightforward: Always opt for the full extraction and expert analysis. In the realm of digital evidence, what you don't know can absolutely hurt your case.

Don't let the convenience of the Reader lull you into a false sense of security. Your case and your client deserve the complete picture, and only the full UFED file provides it, allowing you and your experts to make informed decisions about what's relevant to your case.
Ask yourself: "Can I afford to base my strategy on potentially incomplete information?"