Cellebrite CCO/CCPA

the_Grinch

For the next week I am attending the Cellebrite courses for the CCO and CCPA certifications. The CCO course covers performing extractions with either UFED4PC or UFED Touch. CCPA covers analyzing the data with Cellebrite's Physical Analyzer after you've performed the extraction.

Day one of CCO was pretty standard. Started with intros of the instructors and students. Then we dove right into the meat and potatoes of terms used by Cellebrite. Overall it was pretty easy and a bit boring, though I've used Cellebrite for several months and have been through a gauntlet of training with MSAB for their XRY product. On the basics of forensics there is a lot of overlap.

One thing I will say is that if you have no cell phone forensic background you definitely should take the Cellebrite Mobile Forensic Fundamentals (CMFF) course or some how obtain that knowledge from that course. Cellebrite offers an option to test out of the CMFF course. I actually just took the exam about an hour ago and scored an 86% (need an 80% to pass). If you are going to pursue the CMFF test out option, I'd recommend reading Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation by Lee Reiber. Prior to my MSAB training I read through this book and it definitely covered everything one would need for getting a start in mobile forensics (with some advanced stuff). There was some specific Cellebrite knowledge (obviously), but I'm pretty sure some open source research will cover the knowledge you would need. You only get one shot at taking the CMFF test out ($39) and if you fail then you have to take the CMFF course (I think it's $649).

Now you might be wondering why I took the CMFF? As I was reading through the course material, I noticed that Cellebrite's highest certification is the Cellebrite Certified Mobile Examiner. Of course, being a member of this forum, I want the highest cert they have and in my job it would carry a lot of weight should I be called into court. I looked and you are required to have the CMFF, CCO and CCPA before you can attempt the CCME. Thus I had to do the test out as my agency hadn't purchased the CMFF course (which they obviously didn't need too because we've covered most of it in our MSAB courses).

I'll continue to update this thread as I go through the courses. Tomorrow is class and then the CCO exam.

stryder144

Following

the_Grinch

Today we finally did some actual hands on work. Performed three extractions and bypassed the security on an old Android phone. I took and passed the CCO so I am now a Certified Cellebrite Operator! Exam was very straight forward and everything needed was covered in the course. I'd also add that if you take the CCO course you'll have no issue then taking the CMFF.

I expect a lot from the CCPA course as it covers a lot more and not so much fluff. I will add that my view of the course is skewed due to having other training. CCO covered a lot of the basics of forensics and thus is boring if you already have those. I did learn a couple of things I was unaware of so it was definitely worth it.

the_Grinch

Finished up the first day of CCPA. It is a very slow moving course, but a large part of me tends to believe it is because of all the training I already have. Today was a lot of going over the software settings and thus far I have definitely learned a couple of tidbits that have made all of it worth it. They covered a good bit of analysis related items which was very helpful. Part of my job involves previewing and one item I learned about hashing might really help with that. Overall I am happy with the training thus far and if you are trying to get into mobile forensics I'd definitely recommend the training.

PJ_Sneakers

The physical class was pretty decent. The curriculum is not monumentally difficult, especially for a guy like you. But it is really interesting diving into the more useful aspects of Physical Analyzer. It was one of the better mobile forensics classes I’ve taken (nothing against the MSAB guys at all).

the_Grinch

PJ_Sneakers your assessment is spot on! Today was definitely better then any of the others and we went fully into the analysis of extractions. The pace is still an issue, but I tend to think for beginners you would want that. They covered Android and iOS info, which introduced some tidbits that I was not fully aware of (these little details in my opinion make the courses worth it). We then performed analysis on two extractions, one for each OS. As this is something I do daily I had a foundation in about 50% of what was covered, but there were a ton of options that I hadn't really known about or explored. Thus I saw a lot of things that I could speed up with the information learned in the course.

Comparing it to MSAB training I think it honestly comes down to instructors. My two instructors in this course without a doubt know their stuff, but I felt like my MSAB instructor knew how to better energize the training. This is definitely more of a critique on presentation style and not in course content per say. I will say that MSAB didn't speak to a number of things that would have been pretty important to know.

My presentation style and my MSAB instructor was that which made the class as entertaining as it can be. I recently had to present an introduction to mobile forensics to a group of analysts and lawyers. Based on reviews, they found it enlightening and entertaining. Again, overall I love the training and it has definitely been worth it.

PJ_Sneakers

To be fair, they are all good instructors with a wealth of real world knowledge. I do feel that Cellebrite has a better product and their devs implement exploits at a much faster rate than MSAB does. Hands down, Cellebrite is my go to platform for mobile extraction, even on phones that aren't technically on the list. One caveat is that doing a carve on a physical using Physical Analyzer will only pull JPEG files. MSAB does a much better job with its automatic carving, especially on storage cards.

the_Grinch

Agreed in Cellebrite is my go to. I've found that MSAB typically does not support the device I need for extraction. Having both has definitely proved to be helpful in that if one doesn't support a phone the other probably does. But I do believe that MSAB's Kiosk product is much further ahead and network/management wise they appear to do things better (or at the very least as well, but for cheaper) than Cellebrite. I ultimately luck out in that I have both products and my agency is training some of us all the way up. I'll be attending Cellebrite's Repair course and Advanced Smartphone Analysis. They recommend CASA if you want the CCME and while my agency isn't covering the CCME I figure with all they spent I could shell out the $300 for that.

Last day of the course was my favorite out of all of them. Most of the info was decent and fairly detailed, the hands on was good and I actually really enjoyed the test. The test was actually almost a challenge and I felt it was very true to the real world. It was a mix of knowledge based questions and practical hands on analysis. It shows they truly know what it's like in the real world of forensics as the questions definitely reflected items I am typically looking for. Scored a 97.4 on the exam so I am now a CCPA!

Again I very much recommend attending the training if you can and it will definitely set a great foundation for getting into cell phone forensics. That said I will warn you that training alone does not a forensic investigator make. The real world is dirty and nothing is easy (typically ever). Devices are very difficult to get into and often you have to rethink your method. I will provide a very good example:

I was given a phone for a case that is typically very easy to get into. One thing I have learned is to set realistic expectations and I told the Detective to expect it possibly by the end of the day. I get my pictures, note all the info on the device, get it charged and isolated from the network. Nothing went right after that. For, at the time, whatever reason I could not get the computer or kiosk to recognize the device. Followed all the procedures to the letter and still nothing. Finally, as a last resort, I had to perform a bluetooth extraction which was successful. I ultimately found out that (should note it was an older device) the last Android update it got tended to break the ability to put the phone into MTP mode. Lots of complaints and no means in a forensically sound manner to fix it.

That is what happens in the field. It's never simple and there are always a host of problems you will face. Also training cannot prepare you for the things you will encounter on a device. Some things you will laugh about, but others you can never unsee. I luck out in that while phone forensics is my primary duty I get phones in waves typically. The other unit I support does computer and phone forensics 100% of the time (mainly computer) and they are bombarded by images that would keep most people up at night. I can tell some truly horrible stories that had I not been involved I would never believe to be true and yet they are.