Understanding how criminals communicate is key to counterterrorism and law enforcement operations. Today, the world is growing more interconnected with the prevalence and popularity of smartphones, tablets, and other digital devices. In turn, industry has had to keep pace by developing technologies to access and analyze the vast amount of information at our fingertips.
Cellebrite, a leading mobile forensic extraction and analytics company with over 50 percent of the market share in North America and just under 50 percent of the global share, produces technology that gives law enforcement digital forensics tools to access a wealth of data available from mobile devices.
Before mobile phones, there was only computer forensics, which can be defined as the extraction of data from computers for digital purposes. However, the emergence of the first mobile phones complicated the digital forensics process, with their different algorithms and complex, highly specialized operating systems. Suddenly, law enforcement found that computer forensics was not specialized enough and a new field with its own experts and specialists was necessary.
Cellebrite, established in 1999 as a manufacturer of various data extraction, transfer and analysis devices, expanded in 2007 to add mobile forensics to its vast repertoire. It currently has access to over 15,000 devices.
The mobile forensics procedure has three parts: seizure, acquisition, and examination and analysis. Cellebrite aids in the latter two processes. During the acquisition process, the company is able to extract common information from e-mail, texts, SMS, various applications, GPS, and geolocation data.
Jeremy Nazarian, Cellebrite’s Senior VP of Marketing, explained to Homeland Security Today that the extraction process has two types, logical and physical. Logical extraction is the visible data or information that anyone with access to the phone can sift through. Physical extraction involves data that has been previously deleted on the device.
“All of that information that can be gleaned from a device as part of an investigation can be used to uncover hidden pieces of information or evidence that can break a case,” said Nazarian. “Certainly in the counterterrorism example, when time is inherently of the essence, being able to access that information and then analyze it intuitively gives law enforcement valuable information needed for potential operations and, in the unfortunate event where a terrorist incident occurs, pursue persons of interest and suspects, bring them to justice and prevent future incidents from occurring.”
Ronen Engler, Senior Manager of Technology and Innovation at Cellebrite, added, “When we get devices, we do work on different levels of accessing the data. The logical is the somewhat easy part. However, in order to access the logical data the phone needs to be unlocked… We provide other mechanisms in order to bypass the lock and get the data out.”
Cellebrite has long possessed the tools necessary to defeat passcodes and unlock devices in order to perform both kinds of extractions. It also has the analytical capabilities to understand the data uncovered.
“We do this in a non-intrusive way,” said Nazarian. “It’s extremely important for making evidence stand up in court that we don’t do anything to alter the device while gaining access to the data. So it’s very important we access data in a forensically sound way. It’s something we have taken great care, over the years, to perfect.”
Today, when law enforcement officials, with probable cause, obtain a warrant to request records from a cloud provider, such as Google or Facebook, they can use Cellebrite’s Universal Forensic Extraction Device Cloud Analyzer to gain log-in credentials far faster than the six months it usually takes to fill the request.
“A lot of data is no longer being stored on the device and while we are still able to get some bread crumbs from the device, the cloud…is where they store a lot more information that we can readily access,” Engler explained.
Forensic labs have not been able to add enough human resources to keep pace with law enforcement’s demand for the extraction and analysis of devices. “When time is of the essence and lives are on the line, reducing that backlog is critical for law enforcement. Both the extraction and analytic capabilities that we are delivering are critical to reducing that backlog,” said Nazarian.
One of the strategies used to combat backlog and develop earlier leads in cases is moving extraction closer to the field (i.e., anywhere that is not in the lab). Ultimately, the goal is to provide first responders with the ability to perform extractions in a timely way. It is becoming a major trend in mobile forensics going forward.
Cellebrite has also introduced the industry’s first formal training program. They have already trained thousands of people and plan to train many more. Nazarian explained an important distinction between the company’s program and its competitors’ programs: “The training isn’t training on our tools but training on the best practices using our tools.”
The training process is unique because Cellebrite’s trainers are real-world practitioners from the industry with years of experience in their fields. Coming from law enforcement backgrounds, they understand the different aspects of mobile forensics. Courses are developed in-house utilizing professional knowledge. The entire program is growing and creating professionals who are certified to stand in court and testify and validate their findings.
The mobile forensics process is about making data actionable, maintains Nazarian. To stay on top of the rapidly changing and diversifying technological market, Cellebrite works to foster strong relationships with carriers so that it is able to gain access to devices before they are released into the market and provide almost real-time support for said devices, which is critical.
“It is a business,” acknowledges Nazarian, “but it is also a public trust.”