
Introduction

As an attorney in today's digital age, you're probably no stranger to cases involving electronic evidence. But are you familiar with the critical difference between Cellebrite UFED and UFDR files? If not, buckle up – this knowledge could be the game-changer in your next digital forensics case.


Cellebrite is a globally recognized leader in the field of digital forensics, particularly known for its expertise in mobile device forensics. When it comes to investigating digital evidence on cell phones, Cellebrite offers a suite of advanced tools and solutions that enable forensic experts to extract, decode, and analyze data from a wide range of mobile devices.


This capability is crucial in modern legal investigations, where mobile devices often hold key evidence. Cellebrite’s flagship tool, the Universal Forensic Extraction Device (UFED), is designed to perform comprehensive data extraction from mobile devices. UFED can access and retrieve data from various smartphones, tablets, and feature phones, regardless of the operating system. This includes iOS, Android, Windows Mobile, and more.


Let's start with the basics. UFED stands for Universal Forensic Extraction Device, while UFDR is short for UFED Reader. Sounds similar, right? Well, that's where the similarities end. Think of UFED as a master key that unlocks every nook and cranny of a mobile device. When forensic experts use UFED, they're not just peeking through the keyhole – they're swinging the door wide open. This tool extracts a wealth of data.


Enter UFDR. It's like the CliffsNotes version of the UFED file. User-friendly? Absolutely. Comprehensive? Not so much. UFDR is designed for quick reviews. It's perfect for when you need a high-level overview of the extracted data without diving into the technical deep end. But remember, convenience comes at a cost. UFDR reports often omit significant portions of data – and in the world of digital forensics, what you don't see can hurt your case.





The Cellebrite Extraction Process: From Device to Data

To truly understand the difference between UFED files and UFDR (UFED Reader) files, let's walk through the Cellebrite extraction process. This will show how these two file types are created and why they differ significantly.


Step 1: Data Extraction with UFED

The process begins with the Cellebrite Universal Forensic Extraction Device (UFED). This hardware tool connects to the mobile device and performs the initial data extraction. Here's what happens:


  1. The UFED establishes a connection with the target device.

  2. It bypasses the device's security measures (if any).

  3. The tool then extracts all accessible data from the device, including active and deleted data.

  4. This raw extracted data is saved in a proprietary Cellebrite format, often with a .ufd file extension.


This .ufd file is known as the "UFED file." It contains the complete, unprocessed dataset extracted from the device.


Step 2: Data Processing with Physical Analyzer

The raw UFED file is then typically opened using Cellebrite's Physical Analyzer software. This is where the data review and analysis happens:

  1. The software decodes and interprets the raw data.

  2. It organizes the information into categories (e.g., messages, call logs, photos).

  3. It attempts to recover deleted data and piece together fragmented information.

  4. The software can perform advanced analyses like timeline creation or link analysis.

At this stage, an examiner can access the full breadth and depth of extracted data.

Step 3: Generating the UFDR File

Here's where the paths diverge. From the Physical Analyzer, an examiner can generate a UFDR (UFED Reader) file:

  1. The examiner selects which data categories to include in the UFDR.

  2. They may apply filters or search terms to refine the included data further.

  3. The software packages the selected data into a more accessible format.

  4. This new package is saved as a UFDR file, which can be opened with the free UFED Reader software.

  5. The UFDR file is essentially a curated subset of the full dataset, optimized for easier viewing and sharing.
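The following Python is an added illustration, not Cellebrite code and not the real UFED or UFDR file format: it models the Step 3 curation (category selection, deleted-data toggle, time window, search term) and the audit a reviewing expert runs against the full extraction to answer "what might be missing?". The record layout, category names, incident time and sample records are all constructed here.

```python
"""Model of UFDR-style curation from a full extraction, plus a gap audit.

Added example, not Cellebrite code: the Record layout, the category names
and the sample records are constructed to show how a curated report can
silently omit records present in the full extraction, and how a reviewer
can enumerate exactly what was left out.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    rid: str            # constructed record identifier
    category: str       # e.g. "sms", "call", "location", "system_log"
    timestamp: datetime
    deleted: bool       # True if recovered from deleted/unallocated space
    body: str


# Constructed incident time used to define the window of interest.
INCIDENT = datetime(2023, 5, 14, 21, 30)

# Constructed stand-in for a full extraction: includes deleted messages,
# location fixes and system log entries that a curated report may drop.
FULL_EXTRACTION = [
    Record("m1", "sms", INCIDENT - timedelta(minutes=40), False, "you coming tonight?"),
    Record("m2", "sms", INCIDENT - timedelta(minutes=35), False, "yeah on my way"),
    Record("m3", "sms", INCIDENT - timedelta(minutes=10), True, "meet me at the north side cafe"),
    Record("m4", "sms", INCIDENT + timedelta(minutes=5), True, "running late, parking now"),
    Record("c1", "call", INCIDENT - timedelta(hours=2), False, "outgoing 00:03:12"),
    Record("l1", "location", INCIDENT - timedelta(minutes=12), False, "gps fix, north side"),
    Record("l2", "location", INCIDENT + timedelta(minutes=3), False, "gps fix, north side"),
    Record("s1", "system_log", INCIDENT - timedelta(minutes=1), False, "screen unlocked"),
]


def curate(full, categories, *, include_deleted, window=None, keyword=None):
    """Step 3 of the process: the examiner-chosen subset (models UFDR generation).

    Every filter is an examiner decision; each one can remove records.
    """
    selected = []
    for r in full:
        if r.category not in categories:
            continue
        if r.deleted and not include_deleted:
            continue
        if window is not None and not (window[0] <= r.timestamp <= window[1]):
            continue
        if keyword is not None and keyword.lower() not in r.body.lower():
            continue
        selected.append(r)
    return selected


def gap_audit(full, report, incident, radius=timedelta(hours=1)):
    """Diff the curated report against the full extraction.

    Returns which categories were dropped entirely, how many records (and
    how many recovered-deleted records) are absent, and which absent
    records fall within `radius` of the incident time.
    """
    report_ids = {r.rid for r in report}
    missing = [r for r in full if r.rid not in report_ids]
    lo, hi = incident - radius, incident + radius
    full_cats = {r.category for r in full}
    report_cats = {r.category for r in report}
    return {
        "categories_in_full": sorted(full_cats),
        "categories_in_report": sorted(report_cats),
        "categories_omitted": sorted(full_cats - report_cats),
        "records_omitted": len(missing),
        "deleted_records_omitted": sum(1 for r in missing if r.deleted),
        "omitted_near_incident": sorted(r.rid for r in missing if lo <= r.timestamp <= hi),
    }


if __name__ == "__main__":
    # A report limited to live messages and calls, as an examiner might export it.
    report = curate(FULL_EXTRACTION, {"sms", "call"}, include_deleted=False)
    for key, value in gap_audit(FULL_EXTRACTION, report, INCIDENT).items():
        print(f"{key}: {value}")
```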

UFDR: Is Your Cell Phone Forensic Report Missing Data?

While we've discussed the limitations of UFDR files in terms of the depth and breadth of data they contain, there's another crucial aspect that deserves our attention: the potential for selective data export, or as it's sometimes less charitably called, "cherry-picking."


When creating a UFDR report, the examiner operating the UFED software can choose which data elements to include. This selection process might seem convenient, especially when dealing with devices containing vast amounts of data. After all, why include irrelevant information, right?

However, this seemingly helpful feature can be a double-edged sword. Here's why:

  • Incomplete Picture: By selecting only certain data points, the UFDR report might present an incomplete or even misleading picture of the evidence.

  • Bias Introduction: Whether intentional or not, the selection process can introduce bias into the evidence presentation. Various factors, including the case theory or personal biases, could influence the operator's judgment on what's relevant.

  • Missing Context: Important contextual data might be omitted if it's not recognized as significant by the person creating the report.

  • Potential for Abuse: In worst-case scenarios, this feature could be misused to present only data that supports a particular narrative, potentially obscuring exculpatory evidence.

What Attorneys Should Be Asking About UFDR Files

Understanding this difference is crucial for legal professionals. When you receive a UFDR report, it's important to remember that you're looking at a curated set of data. Always ask:

  • Who created this report?

  • What criteria were used to select the included data?

  • What might be missing from this report?

UFED Files: The Unfiltered Complete Data Set

In contrast, UFED files present the entire extracted dataset. There's no picking and choosing – you get everything. This comprehensive approach offers several advantages:

  • Complete Data Set: All extracted data is included, ensuring nothing is overlooked.

  • Objective Presentation: The data is presented as-is without human intervention in selecting what's "important."

  • Preservation of Context: All contextual information is retained, allowing for a more nuanced and accurate analysis.

  • Transparency: Both sides have access to the same complete dataset, promoting fairness in the legal process.

Why Your Expert Needs the Full UFED File

  • Comprehensive Analysis: A forensic expert requires the full UFED file to conduct a meticulous and exhaustive analysis. The UFED file contains raw data that can be parsed, filtered, and examined using specialized forensic tools. This allows experts to uncover hidden evidence, perform timeline analysis, and correlate data from different sources.

  • Contextual Information: The full UFED file includes contextual information that is often stripped away in the UFDR report. For example, system logs and application data can provide insights into user actions and device usage patterns that are not visible in the simplified report.

  • Verification and Validation: In digital forensics, the ability to verify and validate findings is crucial. The full UFED file allows forensic experts to cross-check data and ensure its integrity. This level of scrutiny is not possible with the UFDR report alone.

  • Advanced Recovery Techniques: Experts can employ advanced recovery techniques on the UFED file to retrieve deleted or hidden data. These techniques are essential in cases where the opposing party may have attempted to conceal or destroy evidence.

Case Examples

Criminal Case Example: Wrongly Accused

I was working on a criminal defense case involving a suspect accused of involvement in a serious assault. The prosecution's case heavily relied on the suspect's cell phone data, which included call logs and text messages summarized in a UFDR report.


According to the UFDR report, the suspect had exchanged several messages with a known accomplice around the time of the assault.

However, I was skeptical about the completeness of the UFDR report and insisted on obtaining the full UFED file for a comprehensive review. Upon analyzing the UFED file, we discovered several critical pieces of evidence that were not apparent in the UFDR report:

  • Deleted Messages: The UFED file revealed deleted messages between the suspect and another individual that provided an alibi. At the time of the assault, the suspect was making plans to meet this individual in a different part of the city.

  • Location Data: Detailed location data extracted from the UFED file showed that the suspect’s phone was miles away from the crime scene during the time the assault took place. This included GPS coordinates from various applications and system logs.

This additional evidence demonstrated that the suspect was not present at the crime scene and had a valid alibi. The prosecution’s case collapsed, and the charges against my client were dropped, highlighting the importance of a thorough analysis using the full UFED file.

Civil Case Example: Proving Distraction in a Trucking Accident

In a civil litigation case involving a trucking accident, I was retained by the attorney representing a trucking company that was being sued by a plaintiff driver who claimed that the truck driver was negligent and caused the accident. The plaintiff's expert produced a UFDR report, which was shared with me during the discovery process. According to the plaintiff's expert, it showed the truck driver was using their phone around the time of the accident, implying distraction and negligence.

Recognizing the need for a detailed examination, I performed my own extraction of the data. Now, working with the full data set from the truck driver's mobile device in a UFED file, I was able to gain a comprehensive understanding of the phone’s usage. Through an in-depth analysis of the UFED file, several critical findings emerged:

  • Application Usage Data: The UFED file revealed that the phone was running a navigation app at the time of the accident, which was not captured in the UFDR report. This indicated that the truck driver was using the phone for legitimate purposes related to their job, not for personal communication.

  • Call and Message Logs: Detailed call logs and message data showed that while the phone was active, it was not being used for calls or text messages. This contradicted the plaintiff’s claim that the driver was distracted by personal phone use.

  • Browser and App History: The UFED file also contained detailed browser history and app usage logs, showing that the driver had been consistently using the navigation app and had no history of engaging in distracting activities while driving.

By presenting this comprehensive evidence, we demonstrated that the truck driver used the phone solely for navigation purposes and was not distracted by personal use. This information was pivotal in countering the plaintiff's claims and significantly strengthened the defense, leading to a favorable settlement.

These case examples underscore the critical importance of using the full UFED file in digital forensics examinations. The detailed and comprehensive data provided by the UFED file can reveal crucial evidence that may be overlooked in a simplified UFDR report, ultimately making a significant difference in the outcome of legal cases.

Recap: Key Differences in Output Between UFED and UFDR

  • Comprehensiveness:

      • UFED file: Contains all extracted data, processed and unprocessed.

      • UFDR file: Contains only selected data, usually focused on common categories like messages and media.

  • File Size:

      • UFED file: Typically much larger, often gigabytes in size.

      • UFDR file: Significantly smaller, making it easier to share and open on standard computers.

  • Accessibility:

      • UFED file: Requires specialized software (Physical Analyzer) to view and analyze.

      • UFDR file: Can be viewed using the free UFED Reader software.

  • Analysis Capabilities:

      • UFED file: Allows for deep, comprehensive analysis and data recovery.

      • UFDR file: Limited to viewing and basic searching of the included data.

  • Data Selection:

      • UFED file: No human selection is involved; it's a complete dump of extracted data.

      • UFDR file: Involves human decision-making in selecting which data to include.

Conclusion

By insisting on access to the full UFED file, you ensure that your team can conduct an independent, comprehensive analysis of all available data. This approach not only strengthens your case but also upholds the principles of thorough and unbiased investigation.


While Cellebrite Reader offers a convenient glimpse into digital evidence, it's crucial to remember that it's just that – a glimpse. In the high-stakes world of legal proceedings, relying on partial information can be risky at best and catastrophic at worst.


As a digital forensic practitioner, my advice to attorneys is straightforward: Always opt for the full extraction and expert analysis. In the realm of digital evidence, what you don't know can absolutely hurt your case.


Don't let the convenience of Cellebrite Reader lull you into a false sense of security. Your case and your client deserve the complete picture. The full UFED file gives you the complete digital picture, allowing you and your experts to make informed decisions about what's relevant to your case.


Ask yourself: "Can I afford to base my strategy on potentially incomplete information?"






It can be challenging to schedule regular lab work or checkups. The doctor's availability, location of labs, costs, and the general whirlwind of life all contribute to this complexity.


Personal health is one of the most important aspects of our lives, and in a perfect world, it would always be a top priority. Unfortunately, sometimes your to-do list fills up and the most important tests, like blood pressure readings, don't get done.


Technology is solving the problem of needing to actively keep tabs on your health data. Recent advances in broadband-enabled sensor technology offer more convenient, less costly, and less invasive solutions for collecting health-related information.


In the healthcare industry, the devices revolutionizing how medicine is practiced are commonly referred to as medical wearables, ingestibles, and embeddables.


These new medical devices also collect patient data, often generating much more data than what has been available in the past using traditional methods of collection.


It is difficult to estimate the value of data in the healthcare industry. Real-time biometric data about a patient can be the difference between life and death, and the ability to collect tremendous amounts of data over a long period of time, with millions of potential subjects for study, is a researcher's dream.


While data from medical wearables, ingestibles, and embeddables is often shared with a patient's healthcare providers, digital forensic experts have also been able to access this data, which is then used in investigations and litigation.



Wearable Medical Devices


Wearables include watches, rings, and patches that people wear to monitor their health, track exercise, and even stay safe. These innovative devices gather data through skin contact and transmit information wirelessly to smartphone applications and remote diagnostic facilities, giving wearers a non-invasive way to better understand their bodies and how they are feeling.


Those devices are often low-commitment items that demonstrate how one's body reacts to external stimuli, tracking activity, sleep, and heart rate. They can also provide information on vital health indicators, such as heart rate, blood pressure, and blood glucose levels.


Because wearable technology sends a large volume of data back to a user's phone, computer, or another device, that data may become available during a digital forensic examination of that device and be used as part of an investigation.


Case Example: Wearable Device Reveals Cause of Distracted Driving


One recent instance of wearable data being used during a legal case was when a truck driver was in a serious accident with another vehicle. The plaintiff's theory was that the truck driver had been distracted by their cell phone at the time of the accident, resulting in the crash.


A forensic examination of the driver's cell phone showed that there was an Apple Watch connected to the phone. During the examination process, the biometric data from the Apple Watch revealed that the driver had experienced a serious incident of atrial fibrillation, or rapid and irregular heartbeat, at the time of the accident.


The conclusion from the Apple Watch data was that the crash didn't happen because the truck driver's eyes had landed on a recent message containing a hilarious meme, but rather because the truck driver had suffered a stroke while driving. [1]


Ingestible Medical Devices


Ingestibles put a sensor inside the user's body that allows for the monitoring of internal processes. An example of an ingestible sensor is the "Smart Pill," which uses wireless technology to help monitor internal reactions to medication.


Other ingestible sensors use RFID to track drug levels in a patient's body and alert physicians when optimal dosing is achieved. These sensors can also use wireless technology to send information about medication levels from the stomach to the doctor's office or hospital where the patient may be staying. [2]

Another recent ingestible trend is the "capsule endoscopy," where the patient swallows a miniature pill-shaped camera that travels the length of the digestive tract and transmits images along the way. This new diagnostic tool could eventually replace traditional colonoscopies or endoscopies. [3]


Ingestible technology data related to medication use could become an important source of data in certain court cases.


Case Example: Incompetent Due to Non-Compliance

A defendant is accused of a crime. The defendant admits to the crime, but the defense's theory of the case is that their mental illness was the primary factor in their commission of the felony.


An examination of the defendant's cell phone reveals an application that monitors the patient's compliance in taking their medication.


This examination reveals that the defendant was non-compliant, failing to take his medication for days leading up to the incident.


If the scenario above sounds far-fetched, it is not. The FDA has already approved a drug called Abilify MyCite, which is an aripiprazole tablet with a sensor, used to treat schizophrenia and manic and mixed episodes for patients with bipolar I disorder.


After the pill is ingested, its digital ingestion tracking system sends a signal to a patch and then to an app, which allows the data to be shared with the patient's care team. [4]


It is certainly possible that data from pills with tracking sensors could be recovered by a digital forensics expert and used in trials or litigation in the future.


Embeddable Medical Devices


Miniature devices that are inserted under the skin or deeper into the body are called embeddables. One commonly known device that can be embedded is a heart pacemaker.


In the future, embeddables may be so small that doctors would be able to inject them into our bodies. Further advancements in embeddable technology open the door for promising applications like helping diabetes patients monitor their blood sugar levels reliably and automatically without needing to draw blood.


As with ingestibles and wearables, data from embeddable medical devices can be recovered through digital forensic techniques and used as evidence in legal matters.


Case Example: Fire, Fraud, and a Pacemaker


The case of Ross Compton shows how valuable data from embeddables can be during litigation. Though Compton claimed that a fire woke him up in the middle of the night, the incident was investigated as a potential case of arson.


Law enforcement got a search warrant for Mr. Compton's pacemaker data. A cardiologist reviewed the data and gave the opinion that, "It is highly improbable Mr. Compton would have been able to collect, pack, and remove the number of items from the house, exit his bedroom window, and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated, due to his medical conditions."


Because the data from his pacemaker revealed that he may have known about the fire before it happened, which gave him enough time to remove valuable items from his house, Mr. Compton was convicted of arson, with the alleged motive being insurance fraud. [5]


Conclusion


Medical devices, whether worn by a patient or ingested or inserted into the patient's body, are becoming more prevalent as technology improves. These devices generate data that is collected and stored via applications on cell phones, computers, and in the cloud.


This information can then be shared with the health practitioners, the patient's family, and the patients themselves in real or near real-time.


The primary reasons many use these devices include patient compliance and risk management. However, it is important to remember that data from these devices can be recovered by digital forensics professionals and used as evidence in investigations and litigation.




With the current and developing technologies for in-vehicle infotainment system forensics, digital forensics experts can access digital evidence from many of today's vehicles. This evidence can include location history, connected devices, and operating system data including hard braking events, gear shifts, wheel speed, and hard acceleration.


An infotainment system is formally defined as, "A factory original or aftermarket console system that uses some form of connectivity to provide drivers and passengers with vehicle-specific information, navigation, and standalone or integrated applications and/or multimedia entertainment including audio and video." [1]


In other words, an infotainment system is a combination of capabilities, including GPS, satellite radio, Bluetooth, or Wi-Fi, the ability to pair and interact with a mobile phone, and the ability to play audio and video. These capabilities are represented to the user on the screen with a Graphical User Interface (GUI), which makes the functionality of the infotainment system accessible to non-technical consumers. 


The forensic artifacts recovered from vehicle infotainment systems can also allow examiners to determine where the driver’s hands were in a vehicle at a particular point in time; for example, if someone used the controls on the steering wheel to change the volume or reached across to the center console to turn the volume knob, the vehicle infotainment system would store this information.  


The digital evidence that an examiner can recover from vehicles is not relegated to vehicle accident cases, though. Imagine the following scenario: a defendant allegedly drove to a location and committed a crime. According to the state's theory, the defendant traveled there and committed the crime alone.


However, upon analysis of the infotainment system data from the vehicle, it is determined that three doors opened simultaneously upon arrival at the incident location: the front driver door and the two rear passenger doors. This is either an interesting trick, an impressive physical feat, or, most reasonably, evidence that the defendant was not alone.


Event Data Recorders (EDR) vs In-Vehicle Infotainment (IVI)


The primary function of the infotainment system in a vehicle is to enhance the driver's experience, and therefore it connects to their phone and applications. An Event Data Recorder (EDR), commonly called the vehicle's "black box", stores limited and specific pre- and post-crash data.


The resulting data from an EDR extraction applies primarily to accident reconstruction, where it produces more robust crash evidence than the infotainment system. Still, it does not produce the range of evidence types that an infotainment forensics analysis does.


Further, some accident events are too small for an EDR to record, including a low-impact collision with a bicycle or pedestrian. In these situations, the methods by which an infotainment system records vehicle event data, with less total data but over a long period, may be the best or sole source of crash data evidence.  


Except in a vehicle crash event, infotainment system data is superior in answering the who, what, when, where, and why questions. This is especially true when a person connects their phone to the vehicle infotainment system. When this connection occurs, data from the phone is synced to the vehicle.


The data contained in the infotainment system falls into one of three primary categories: vehicle event data, navigation data, and user data.


Vehicle Event Data Records Forensics


Vehicle event data includes evidence related to braking, gear shifts, wheel speed, and hard acceleration, and can also record Wi-Fi and Bluetooth connections or disconnections. While this information may seem useless outside of an accident investigation, this is not the case.


If it is critical in a case to determine if someone was impaired in some way, the vehicle event data around the time the person is believed to be impaired could be compared to the entirety of the vehicle event data to see if it is different.


In other words, if they historically drive responsibly, but during the period of interest, these data points paint a picture of erratic and unusual driving, the data could be utilized with other evidence to bolster or refute the claim of impairment, even if that impairment does not lead to a vehicle accident.  

For example, a defendant is accused of burglarizing a business.


The vehicle event data shows that they usually drive safely, within normal parameters. However, the driving was erratic and unusual on the day in question. This information is provided to counsel.


Holistically looking at their case, counsel connects the erratic driving to the fact the defendant had changed from one medication to another as instructed by their doctor the day before.
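As an added example, not output from any forensic tool, the following Python carries out the comparison described above: the hard-braking and hard-acceleration rate during the period of interest is measured against the distribution of the same vehicle's own per-trip history rather than against an arbitrary threshold. The trip records, dates and counts are constructed.

```python
"""Baseline-vs-window comparison of vehicle event data.

Added example, not from a forensic tool: the Trip records are constructed.
It implements the analysis the text describes: event rates during the
period of interest compared with the vehicle's own driving history.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Trip:
    day: date
    drive_minutes: int   # total driving time for the trip
    hard_brakes: int     # hard-braking events recorded by the vehicle
    hard_accels: int     # hard-acceleration events recorded by the vehicle


def event_rate(trips):
    """Combined hard-brake + hard-accel events per hour of driving."""
    minutes = sum(t.drive_minutes for t in trips)
    if minutes == 0:
        return 0.0
    events = sum(t.hard_brakes + t.hard_accels for t in trips)
    return events / (minutes / 60)


def compare_to_baseline(trips, window_start, window_end):
    """Compare the window's event rate with the per-trip baseline distribution.

    The baseline is every trip outside the window. The z-score expresses how
    many baseline standard deviations the window's rate sits from the mean,
    so 'erratic and unusual' is judged relative to this driver's own history.
    """
    in_window = [t for t in trips if window_start <= t.day <= window_end]
    baseline = [t for t in trips if not (window_start <= t.day <= window_end)]
    per_trip = [event_rate([t]) for t in baseline]
    mu, sigma = mean(per_trip), pstdev(per_trip)
    window_rate = event_rate(in_window)
    if sigma > 0:
        z = (window_rate - mu) / sigma
    else:
        z = 0.0 if window_rate == mu else float("inf")
    return {
        "baseline_trips": len(baseline),
        "window_trips": len(in_window),
        "baseline_rate": mu,
        "baseline_sd": sigma,
        "window_rate": window_rate,
        "z": z,
    }


# Constructed history: twelve routine days of varied trip length with few events.
BASELINE_DAYS = [date(2023, 4, 1) + timedelta(days=i) for i in range(12)]
TRIPS = [
    Trip(d, 30 + 15 * (i % 3), 1 if i % 2 == 0 else 0, 1 if i % 3 == 0 else 0)
    for i, d in enumerate(BASELINE_DAYS)
]
# Constructed day of interest: a 45-minute trip with nine events.
DAY_OF_INTEREST = date(2023, 4, 20)
TRIPS.append(Trip(DAY_OF_INTEREST, 45, 6, 3))


if __name__ == "__main__":
    result = compare_to_baseline(TRIPS, DAY_OF_INTEREST, DAY_OF_INTEREST)
    print(f"baseline: {result['baseline_rate']:.2f} events/h over {result['baseline_trips']} trips")
    print(f"window:   {result['window_rate']:.2f} events/h (z = {result['z']:.1f})")
```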



Recoverable Navigation from Infotainment System


The navigation data recoverable from an infotainment system includes saved locations, recent locations, and track points, among other forensic artifacts. It is not uncommon for several thousand data points related to navigation to be recovered from the vehicle.


This data allows an examiner to determine where that vehicle has been historically, potentially going back to the car's first use, which can mean years of location data.


This data is most useful when combined with other forms of location evidence in the same case. Not only is the infotainment system in your car tracking where you go, but your mobile phone is also recording your location activity to act as a personal assistant, predicting when you're about to leave for work and informing you that traffic will be heavy.


Your digital camera includes geolocation coordinates in the metadata of the pictures you take. Call detail records, or CDRs, which can be subpoenaed from a cellular provider, also record the cell tower and sector used when a phone makes a call or sends an SMS/MMS text message.


If the reliability of the navigation data is called into question, or is in fact questionable, location evidence from other devices can assist in verifying or dismissing it.


IVI Systems Store Mobile Phone Data


User data is where it gets interesting. When you connect your phone to a vehicle, it syncs much of the data contained on your phone onto the internal storage of the car itself. The result is that an examiner can collect mobile phone data without even possessing the phone.


User data, including messages, emails, social media content, call logs, and application data, is recoverable from vehicles, and the list continues to expand as time passes and technology advances.


Previously reserved only for luxury vehicles, infotainment systems are seen in almost every vehicle being produced today. The widespread distribution of this technology and its rapid advancement create an environment of both innovation and customer demand. 


This demand is for cars to do more. Ever-increasing connectivity and functionality with a mobile phone, more conveniences, and more features require the infotainment system to record more information about you.


For your car to do helpful things, it needs to know how to personalize the experience just for you. To do that means that the vehicle must collect as much information as possible from your mobile phone and the interactions with the infotainment system itself. Of course, this all leads to more digital evidence.


What Is Next for the Investigation of Infotainment Systems?


Hyper-connectivity is the future with connected vehicles, smart devices, wearable technology, and even entire smart cities. This type of future will mean that more data than ever will be collected concerning our habits, location, activities, health, and financial information.


Virtues and vices will be stored electronically, and when that data is collected and stored, it can often be recovered using forensic tools and methodology.


We are not far off from a world in which almost every device and app sends information to, and "communicates" with, every other device and app we own. This is apparent if we look at the relationship between wearable technology and phones.


Ultimately, we will see biometric data, sleep patterns, markers of healthiness and disease, physical activity, and heart rate contained in the infotainment data. If that sounds far-fetched, consider the following scenario, which happens every day.


First, you sync your fitness watch to your phone. Then you connect your phone to your car, which syncs your phone data to the infotainment system. It would now be possible for biometric data collected from your fitness watch to be contained in the infotainment system of your car. It's a brave new world.


Vehicles are increasingly becoming digital environments. Just like a cell phone is not really a phone anymore, but a portal to an entire digital world, your vehicle will be transformed from a mode of transportation to an entire digital portfolio of entertainment, social media, and more; and this is especially true as vehicles continue to become more autonomous.


Just imagine what it will be like when vehicles can truly drive themselves. Your car will become an internet-connected room on wheels with the ability to do just about everything you do at the office or at home. While this sounds awesome (to me at least), it will result in even more digital evidence that can be used in litigation and investigations.


[1] TIBCO Software. The connected car: finding the intersection of opportunity and consumer demand. Palo Alto (CA): 2016

