Exploring the Cellebrite Universal Forensic Evidence Device (UFED) File System Extraction Process


Primary Investigator:
Marcus Rogers

Project Members:
Kaitlyn Gurule, Marcus Thompson

Data can be extracted from a mobile device with Cellebrite’s UFED using three different methods: physical, file system, and logical. The physical and logical extraction methods are commonly used among law enforcement digital forensic examiners. The term "file system extraction" was created by Cellebrite, and the method is not as well understood as the other two. To better understand it, a logical extraction and a file system extraction were obtained from a user-populated, jailbroken iPhone 5s running iOS 8.4, and the reports from the two extractions were compared. Analysis of the reports showed that the file system extraction obtained more data than the logical extraction. It also obtained some of the deleted data that Cellebrite stated only the physical extraction could obtain. This may be an effect of the device being jailbroken.

Purdue University, West Lafayette, IN