Over the years Cellebrite has been a pioneer in mobile device forensics. However, their long-term roadmap always has included the concept of end-to-end digital investigation. This is investigation that begins with the slightest digital breadcrumb and fans out to include all relevant evidence and it inter-relationships. In a small investigation that's pretty straightforward to accomplish. The company has developed a suite of products such as the cloud analyzer and their link analysis tool that, taken individually, are very strong. From the UFED Ultimate to the Cloud Analyzer and the other UFED products, for Cellebrite it's all about collecting the data - without which there is no analysis - and which they do more comprehensively than any other product suite we've seen.
But there have remained some stumbling blocks to successfully concluding today's cyber investigations. First, the amount of data in a typical investigation is massive. We have conducted trivial investigations on phones used by students that contained over 100,000 images, for example.
Additionally, there is the challenge of unification of workflow and data. When you have a large investigation with lots of data and multiple investigators, analysts and attorneys - as might be the case in a federal drug investigation - matching workflows appropriately while preserving privacy restrictions when necessary - a victim device, for example - can be a serious issue.
Finally, how do you maximize your technology investment. It has become axiomatic that a well-equipped lab will have multiple examples of tools from different vendors. How do you take advantage of those tools in ways that actually make sense and get you the most coverage for your investment?
All of these issues suggest some sort of unified analysis platform that can consume data and help the investigator make the necessary connections. This is especially important for larger organizations. The Cellebrite UFED Analytics Enterprise Platform does exactly that. It consumes digital forensic data collected - at the moment - by Cellebrite devices and ties the pieces together in a wide variety of ways. Obvious is the usual tabular listing. Like any digital forensic tool, Analytics allows for listing the data in a variety of formats - by caller, device, time, etc.
However, it also includes link analysis and the ability to extract social media data from the cloud. Given data on the device and data in the cloud, coupled with similar data on other devices - that may or may not be related - the link analyzer automatically makes the connections starting with the big picture and drilling down to the relationships between a single actor and others with whom he or she has been in contact. All of that can be geolocated.
Searches by owner, locale, sources, entities and several others allow focusing in on the useful information. You can set watch lists so that as you comb through piles of data only those things with which you are concerned directly come up in your search. More important, perhaps, is the ability to search for unknown unknowns. For example, you may have no idea where your bad guys are located so you do a location view that shows anomalous activity in Charlotte, N.C. You are in San Francisco, so North Carolina really wasn't in your scope, but your search shows a conversation between a suspect in San Francisco and a person - unknown at the moment - in L.A. Your suspect asks, "What about our guy in Charlotte?" You just uncovered a lead that you might have otherwise missed or, at least, missed for a long time.
