Back in 2009, an anonymous person busted into the Bar No'ar LGBT youth club in Tel Aviv and opened fire. One of the youth instructors and a 16-year-old girl were killed and several others were severely injured. The heinous crime shocked Israeli society and the Israeli Police couldn't find a lead for several years.
In June 2013, the police thought they finally found the perpetrator, thanks largely to witness testimony. The man was arrested and questioned about the crime. However, using technology from a supplier, detectives managed to restore deleted WhatsApp messages found on the suspect's phone which cleared him of suspicion.
The tech used in the case is thought to be that of local security company Cellebrite, though its execs won't be drawn on whether their products were involved.
Cellebrite was formed in 1999, based on a need that emerged at the time among cellular operators — to bulk copy contacts information between different types of cell phones. Cellebrite developed a device for that purpose, called UME, and sold it to large mobile players including AT&T, Verizon, and Nokia.
Cellebrite's copying product is now found in over 150,000 points of sale and service around the world. During its 15 years of existence, Cellebrite has updated its product to be able to copy various types of information, going from just copying contacts to handling photos, files, and messaging data, as in the case above.
Recently, Cellebrite has shifted focus to diagnostics, allowing UME to aid operators and mobile sales outlets to fix problems in users' phones in real time, saving the costs associated with having the customer send in their phone for repairs.
Digital forensics is also part of its business, thanks to the way law enforcement authorities use its product. "In 2005-2006 we noticed that some of the customers who are buying our original product are law enforcement bodies, and that they are actually using it to pull data out of cellular phones," Leeor Ben-Peretz, VP of mobile forensics products and business development at Cellebrite, told ZDNet.
"So in 2007, we launched a dedicated system for them including a hardware solution called UFED (the acronym for Universal Forensics Extraction Device), that ran on Windows CE – and it spread like wildfire. As of today, we have sold 25,000 UFED systems in a hundred countries around the world," Ben-Peretz said.
"Our customers are many bodies that investigate white collar crimes, drug trafficking, customs and borders control, antitrust, SEC oversight bodies, and even prisons. The amount of vertical markets that we are involved in is great."
How does UFED work?
"We started in 2007 with a very basic product that allows for any law enforcement agency to access any device [including tablets, smartphones, and GPS]. We were cross-vendor right from the beginning," Ben-Peretz said.
"We use APIs, Obex, and direct access to the operating system, whatever the data is on the SIM card or the onboard memory, while the NAND or NOR contain a whole lot of information. We extract all the logical data that the operating system can give us. Back in 2007, it was a great solution. But in 2009, we went out with a new product that allowed us to go beyond the API and the operating system, down to a level that allowed us to access the entire memory array," the Cellebrite VP said.
"Instead of asking the operating system for record after record, we are asking the entire file system. We created a research department, which finds ways to go past the API and talk to the operating system directly.
"The technological challenge was that smartphones are simply not designed to allow this action. Our systems allow reaching the unallocated space, where you can find all the files that the operating system deleted. We call that physical extraction," Ben-Peretz said.
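The difference between logical and physical extraction described above can be shown on a toy memory image. The following is an added example, not Cellebrite's code and not a real phone format: it builds a constructed image in a hypothetical record layout (a `MSG1` magic, a length, and a `timestamp|sender|text` body) with an allocation table at the front. Logical extraction reads only the records the allocation table still points to, as an operating-system API would; physical extraction scans the whole array for record signatures, so a record that was "deleted" (dropped from the table but never overwritten) is recovered from unallocated space.

```python
import re
import struct

# Hypothetical record layout for the constructed image: 4-byte magic,
# 4-byte big-endian body length, then a UTF-8 body "timestamp|sender|text".
MAGIC = b"MSG1"


def pack_record(ts, sender, text):
    body = f"{ts}|{sender}|{text}".encode()
    return MAGIC + struct.pack(">I", len(body)) + body


def build_image():
    """Constructed image: three records, the middle one 'deleted' (removed from
    the allocation table, but its bytes are left behind in unallocated space)."""
    records = [
        pack_record("2013-07-01T09:12:00", "alice", "are we still on for tonight"),
        pack_record("2013-07-01T09:15:00", "bob", "meet at the usual place"),
        pack_record("2013-07-01T09:20:00", "alice", "ok"),
    ]
    header_size = 4 + 4 * len(records)  # record count + offset table
    offsets, pos = [], header_size
    for r in records:
        offsets.append(pos)
        pos += len(r)
    live = [offsets[0], offsets[2]]  # record 1 is no longer allocated
    header = struct.pack(">I", len(live)) + b"".join(struct.pack(">I", o) for o in live)
    return header.ljust(header_size, b"\x00") + b"".join(records)


def parse_record(image, off):
    """Decode one record at `off`; return None if it is not a well-formed record
    (wrong magic, length running past the image, or undecodable body)."""
    if image[off:off + 4] != MAGIC:
        return None
    (length,) = struct.unpack(">I", image[off + 4:off + 8])
    body = image[off + 8:off + 8 + length]
    if len(body) != length:
        return None  # truncated record at the end of the dump
    try:
        ts, sender, text = body.decode("utf-8").split("|", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    return {"offset": off, "ts": ts, "sender": sender, "text": text}


def logical_extraction(image):
    """What the OS hands over: only records listed in the allocation table."""
    (count,) = struct.unpack(">I", image[:4])
    offsets = struct.unpack(f">{count}I", image[4:4 + 4 * count])
    return [r for r in (parse_record(image, o) for o in offsets) if r]


def physical_extraction(image):
    """Carve every record signature in the whole memory array, allocated or not."""
    found = []
    for m in re.finditer(re.escape(MAGIC), image):
        rec = parse_record(image, m.start())
        if rec:
            found.append(rec)
    return found


def deleted_records(image):
    """Records present physically but absent from the logical view."""
    live = {r["offset"] for r in logical_extraction(image)}
    return [r for r in physical_extraction(image) if r["offset"] not in live]


if __name__ == "__main__":
    img = build_image()
    print("logical :", [r["text"] for r in logical_extraction(img)])
    print("physical:", [r["text"] for r in physical_extraction(img)])
    print("deleted :", [r["text"] for r in deleted_records(img)])
```

The carving step is deliberately signature-based and validates each candidate before accepting it, which is why `parse_record` rejects truncated or undecodable hits; on a real image the same scan would also turn up stale copies and partial overwrites, so every carved record needs the same kind of sanity check before it is treated as evidence.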
In order to make the data extracted from the phones usable, Cellebrite employs three teams: extraction, decoding, and analysis.
"When you extract raw data, a binary file which is a copy of the physical memory or the file system, you need to make it usable. That's what our decoding group is doing. If you look at different phones, Android or Nokia [for example], you get different things. The entire decoding process is more complex because there is no one standard. It's a very complex process, and we started out with hundreds of types of file systems... We fiddle with different encryptions and compression levels, and in the end we give our end customer the information in an accessible form, hoping to put the bad guy behind bars."
The third field is analytics. "We are talking about gigabytes of information, almost infinite. For example, take a phone with 120,000 text messages, or go and browse through 30,000 pictures — it would take you forever to find your smoking gun. We develop the analytics capabilities, to use the time constraints of an investigation to their fullest. It can find you a keyword in three extractions and get you relevant information in seconds when searching for a term like 'money'," Ben-Peretz said.
"The second element of analytics is connection mapping," Ben-Peretz says. The company can find out who is connected to whom, how connected they are, and what conversations they have had, across multiple communication services — be it Facebook, Skype, WhatsApp, text messages, and calls — and gather that information from a number of different devices. Ben-Peretz noted that one of the company's customers was once investigating a particularly cautious suspect with 50 burner phones.
"The mapping of connections shortens investigation times, by using time limits. For example, if you don't want to screen 75,000 messages, but only the ones on 1 July, we are down to 3,000 messages. You apply a keyword watch list and we are down to 10 messages. You can map past events by graphs, vectors, hours, locations and communication cross references."
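The analytics workflow just described (merge extractions from several devices, narrow by date, apply a keyword watch list, and map who talks to whom across services) is easy to illustrate on a handful of records. The following is an added example, not Cellebrite's software: the device names, people, services and message texts are constructed, and the message schema (`ts`, `service`, `from`, `to`, `text`) is a hypothetical one chosen for the example.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample extractions: one list per seized device, each record
# tagged with the service it came from. Everything here is made up.
EXTRACTIONS = {
    "phone-A": [
        {"ts": "2013-07-01T10:02:00", "service": "whatsapp", "from": "alice", "to": "bob",
         "text": "did the money arrive"},
        {"ts": "2013-07-01T11:30:00", "service": "sms", "from": "bob", "to": "alice",
         "text": "yes, all there"},
        {"ts": "2013-06-30T22:10:00", "service": "sms", "from": "alice", "to": "carol",
         "text": "call me"},
    ],
    "phone-B": [
        {"ts": "2013-07-01T12:00:00", "service": "skype", "from": "bob", "to": "dave",
         "text": "send the rest of the money tomorrow"},
        {"ts": "2013-07-02T08:00:00", "service": "facebook", "from": "dave", "to": "bob",
         "text": "ok"},
        {"ts": "2013-07-01T12:05:00", "service": "call", "from": "bob", "to": "alice",
         "text": ""},
    ],
}


def merge(extractions):
    """Flatten per-device extractions into one timeline, keeping device provenance."""
    rows = []
    for device, msgs in extractions.items():
        for m in msgs:
            rows.append({**m, "device": device, "when": datetime.fromisoformat(m["ts"])})
    return sorted(rows, key=lambda r: r["when"])


def filter_by_day(rows, day):
    """Time limit: keep only records stamped on the given calendar day."""
    return [r for r in rows if r["when"].date() == day]


def apply_watchlist(rows, keywords):
    """Keyword watch list: case-insensitive substring match on message text."""
    kws = [k.lower() for k in keywords]
    return [r for r in rows if any(k in r["text"].lower() for k in kws)]


def connection_map(rows):
    """Undirected contact graph. Each edge counts interactions between a pair
    and records which services and which seized devices carried them, so the
    same relationship seen on several phones collapses into one edge."""
    edges = defaultdict(lambda: {"count": 0, "services": set(), "devices": set()})
    for r in rows:
        pair = tuple(sorted((r["from"], r["to"])))
        edges[pair]["count"] += 1
        edges[pair]["services"].add(r["service"])
        edges[pair]["devices"].add(r["device"])
    return dict(edges)


def triage(extractions, day, keywords):
    """Run the narrowing pipeline and return the counts at each stage plus the graph."""
    rows = merge(extractions)
    on_day = filter_by_day(rows, day)
    hits = apply_watchlist(on_day, keywords)
    return {"total": len(rows), "on_day": len(on_day), "hits": hits,
            "graph": connection_map(rows)}


if __name__ == "__main__":
    result = triage(EXTRACTIONS, date(2013, 7, 1), ["money"])
    print(result["total"], "->", result["on_day"], "->", len(result["hits"]))
    for pair, e in sorted(result["graph"].items()):
        print(pair, e["count"], sorted(e["services"]), sorted(e["devices"]))
```

Note that the graph is built from the full timeline rather than the filtered subset: the date and keyword filters narrow what an analyst reads, while the contact map is most useful when it reflects every interaction found across all devices.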
Ben Peretz says that the average criminal documents his activity in ways he is unaware of, and has one simple tip for a would-be wrongdoer: if you're planning a crime, get rid of all your digital devices right now.