BlackLight – Ingestion of Cellebrite Mobile Extractions
By Stephanie Thompson, Solutions Engineer
With the recent news of BlackBag joining Cellebrite, it seems like the appropriate time to share what we can already do together! Specifically, how to ingest Cellebrite acquisitions into BlackLight. With our latest BlackLight release, BlackBag added additional Cellebrite formats that can be added directly to BlackLight. Our goal is to have Blacklight fully support all Cellebrite extraction types in a future release. In this post, we wanted to share some additional steps you may need to support additional formats and make it as easy as possible until all file formats are fully supported.
Types of Cellebrite Device Acquisitions and Blacklight’s Level of Support
Below is a list of the different types of acquisitions done through Cellebrite products and which ones BlackLight currently supports. The ones that are marked with a * are the ones that need additional steps before ingestion.
|Physical Analyzer – Adv Logical Method 1||Yes||.tar|
|Physical Analyzer – Adv Logical Method 1 encrypted||Yes||.tar|
|Physical Analyzer – Adv Logical Method 2 & 3||Yes||.tar|
|UFED4PC – Logical||Yes*||Folder + .zip|
|UFED4PC – Filesystem (iOS)||Yes*||.zip
|UFED4PC – Filesystem (Android)||On the Roadmap||various (.zip, custom .zip, .ab)|
|UFED4PC – Physical (iOS)||Yes||.img|
|UFED4PC – Physical (Android)||Yes*||.bin (supported)
.bin segmented (need to cat)
|UFED4PC CAIS (iOS)||On the Roadmap||.dar|
|Cellebrite Premium extraction (iOS)||On the Roadmap|
* Supported with additional handling of the extracted evidence
NOTE: While most Cellebrite users are used to working with .UFD or .UFDX files, those are specific to Cellebrite’s tools and do not contain the images themselves. BlackLight will need the particular image files, which will have file extensions listed in the table above.
Working with Cellebrite Files that need additional prep before ingestion
As you can see, several Cellebrite’s extractions can directly be added to BlackLight. Below we will cover the three types of acquisitions listed with an asterisk (*) where additional steps are needed to ensure the information can be read by BlackLight. The first two are the most straight-forward, and we will do a walkthrough of the third more involved iPhone Filesystem Full image at the end.
UFED4PC Logical (iOS)
To locate the iOS backup from the Logical acquisition from UFED4PC use the following steps:
- Unzip the Apple_iPhone.zip archive, where ‘Apple_iPhone’ is the name of your device.
- Locate the folder named “Backup” or “Snapshot.” It will have an iOS backup inside of it.
- Add the iOS backup to BlackLight.
UFED4PC – Physical (Android)
To format the bin file from Android physical extraction to be read by BlackLight, use the following steps:
- Concatenate the bin files into one bin file:
cat file1 file2 file3 file4 > output.bin
- Add the bin file to BlackLight
Walkthrough of an iPhone Filesystem (Full) Image
Out of all the extraction types listed in the supported table above, the segmented iOS Filesystem dump is probably the most difficult workaround, so I would like to go into a little more detail as far as the steps involved. In this example, you can see the segments in File Finder:
In following the steps above for UFED4PC – Filesystem (iOS), the segments will be concatenated using the following command within terminal (slashes are used to make sure spaces and special characters are read correctly, you can also put the filenames within double quotes):
zip -FF Apple_iPhone\ 7\ \(A1660\).zip --out Apple_iPhone\ 7\ \(A1660\)-new.zip
You should now see the new zip files in the directory:
To unarchive this new zip file, use the following command:
unzip Apple_iPhone\ 7\ \(A1660\)-new.zip -d Apple_iPhone\ 7\ \(A1660\)-new
The concatenated zip has now been unarchived into a folder.
Next, locate the Snapshot folder to confirm whether or not the status.plist file is there. Assuming your Finder is set to alphabetical order, it would be the last file listed if it exists. In my example, it does not exist, so we will have to add our own.
Add your own status.plist file inside of the “Backup” or “Snapshot” folder.
This file can be created in a text editor with the following information:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>BackupState</key> <string>new</string> </dict> </plist>
Using the text above, I created a Status.plist file in a text editor. This file can then be used for any cases where the Status.plist is not included, so keep a copy of it somewhere convenient.
We are now ready to proceed with the ingestion into BlackLight! After creating a new case file, we will add the ‘Snapshot’ folder as our evidence item.
You will see right away that if you did the above steps correctly that BlackLight will recognize that Snapshot folder as an iOS backup. If it seems only to show it as a folder, then double-check to make sure you did the unarchiving and adding the status.plist file correctly. In my example, it shows that it is an iOSBackup and that it is password protected.
To provide the password and decrypt the backup, click on the padlock next to the evidence item (in this case ‘Vickie’s 7’).
Once the password is provided, you can proceed to select processing options as usual.
From here, it is BlackLight processing and analysis as normal! While there are many different extraction types that may come out of a Cellebrite acquisition, this post is meant to help make it easier to work with the more common extractions that currently need a little massaging before analysis can be done.