Wednesday, March 13, 2013

Cellebrite File System Dump

Back when I was first figuring out how to acquire the Samsung Galaxy Camera, I did a file system dump using Cellebrite's UFED Logical. Having some time after work, I decided to take a look at what the Cellebrite found using the Physical Analyzer we have at the LCDI. I didn't spend a serious amount of time looking at the data since it was dumped early in the research stage and not much had been done yet.

I had never used the Physical Analyzer before today, but from my short interaction with it, I found it to be quite useful and extensive. Below you can see the left panel that provides you with numerous types of data to look at. The first thing I looked at was the SMS messages, since technically the camera isn't a phone. There is no default text message application on the camera, so this text had to have come from either the application Talkatone or Google Voice. Either way, it's very interesting that the Cellebrite picked it up as being a text message and not just some application cache.

Next, I looked at Facebook data. There were many different SQLite databases found, not for just Facebook, but for the entire camera. This was expected and the Physical Analyzer did a great job of parsing the databases, as well as giving me an option to export them. Looking at a database without it being parsed can be tricky to get through, but I wanted to see what data was stored in plain text. Below is the database file for the Facebook friends Sammy Sung has. I used my brother's data for an example. You'll notice that the camera, and many other devices, store pretty personal information:

In yellow we obviously have my brother's name on Facebook, Joe Stamm. Right after that we're given his email address and phone number because it is on his Facebook page. This link includes his Facebook ID, but has been blurred out for privacy reasons. Below that, highlighted in green, we have a link to his profile picture. Upon putting the link into a web browser, I was presented with a picture of my brother. Luckily, he got some of my good looks.

Now, I could struggle through the rest of the ASCII and try to get the same information for all the other Facebook users that are friends with Sammy Sung, but that would take way too much time. Instead, I used the built-in database parser. Just by clicking on the .db file, I was automatically brought to the Database View within the Physical Analyzer. This presented me with an organized list of data, including the Facebook ID and first and last name of every Facebook friend Sammy has, their email address, their phone number, and their birthday. This data is only presented if the users have this information on their Facebook page:

Lastly, I noticed Physical Analyzer had a Timeline option. A timeline in any forensic software is such a relief and saves an examiner from rummaging through months or even years and years of data. So within this feature, I can jump to whatever date I want to and look for specific things that were occurring on the camera at that time. Below you'll see that on January 30, numerous bookmarks were deleted and on January 31, various emails were sent to the camera:

