Don't Forget The Filesystem

Let's talk about phones!

Of course, the first step should ALWAYS be to isolate the handset from the cellular network, but the most important step when EXAMINING the cellular device is this: FILESYSTEM, FILESYSTEM, FILESYSTEM.

Did I say filesystem? The filesystem, if available, should always be the first extraction you as an examiner attempt. Time and time again, I am contacted and asked to consult on a phone from which a logical tool will not extract a portion of the user data. The first question I always have is, “Could you find the data in the filesystem?” 90 percent of the time I am answered, “I did not try that yet.” We know as examiners that user data cannot always be parsed from the filesystem, for a number of reasons. But the filesystem can be extracted far more efficiently, and 90 percent of the time the user data is easily located using FTK, EnCase and X-Ways (and of course others) when searching manually.

The best part: YOU the examiner can testify to the actual file location of that particular user nugget!

Another bonus of ALWAYS attempting to acquire the filesystem of a phone, particularly a CDMA phone, is the recovery of DELETED data. We have long searched over and over for tools to obtain a PHYSICAL acquisition of a CDMA device while deleted data has been under our noses. CDMA handsets store cached data and files that are not logically accessible to the handset (or to many tools, for that matter). They may have been marked as “non-existent” by the phone, but they still reside in the filesystem. I have personally recovered over 800 SMS messages that were nowhere to be found when looking commando style via the handset, but were in the open when I backed the filesystem up and used FTK to parse the recovered data. Did I say OVER 800 damaging SMS messages! Other nuggets are HTML pages, URLs, email and more that are missed by skimping on the exam.
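As an added example (not from the original post or any vendor tool), here is a small Python carver in the spirit of that manual FTK/EnCase search: it scans a raw filesystem dump for URLs, e-mail addresses and phone numbers, and records the byte offset of every hit together with the image's SHA-256, so each nugget is tied to an exact location in the evidence file. The dump bytes, the patterns and all names are constructed for illustration.

```python
"""Carve text artefacts from a raw filesystem dump and report where they sit.

Each hit is reported with its byte offset in the image, and the image hash is
recorded alongside, so a finding can be tied back to the exact evidence bytes.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Artefact types the post names as commonly missed by logical-only extraction.
# Patterns are deliberately simple; tune them for the handset under examination.
PATTERNS = {
    "url": re.compile(rb"https?://[\w./?=&%-]+"),
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(rb"(?<!\d)\d{10}(?!\d)"),   # bare 10-digit NANP number
}


def carve(image: bytes) -> List[Tuple[str, int, str]]:
    """Return (artefact_type, byte_offset, value) for every match, by offset."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(image):
            hits.append((kind, match.start(), match.group().decode("ascii", "replace")))
    return sorted(hits, key=lambda hit: hit[1])


def report(image: bytes) -> Dict[str, object]:
    """Bundle the image hash with the carved hits for the examiner's notes."""
    return {"sha256": hashlib.sha256(image).hexdigest(), "hits": carve(image)}


# Constructed sample dump: a live record, then a "freed" region that still holds
# an old SMS and a cached address (a stand-in for data the handset marks as gone).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"LIVE: meet at 5 http://example.com/a"
    + b"\x00" * 8
    + b"\xff" * 4 + b"DELETED SMS from 2085551234: see you tonight"
    + b"\x00" * 4 + b"alice@example.net" + b"\x00" * 16
)

if __name__ == "__main__":
    result = report(SAMPLE_DUMP)
    print("sha256:", result["sha256"])
    for kind, offset, value in result["hits"]:
        print(f"{offset:08x}  {kind:<6} {value}")
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the file's bytes; the offsets it prints are what you would verify in FTK or X-Ways before testifying to a location.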

Don’t neglect the filesystem of the cellphone and go for just a logical extraction. If you do, you could be missing over half of the data sitting on the phone.

There are many tools out there for extracting the filesystem, from Cellebrite UFED to BitPim; you choose, but don’t leave it out of your total forensic exam.

Good Luck!

Lee Reiber

