Performing Mobile Device Forensics with Cellebrite When to Use - When extracting evidence from smartphones or tablets during an investigation - For recovering deleted messages, call logs, and location data from mobile devices - During investigations involving communications via messaging apps - When analyzing mobile application data for evidence of criminal activity - For corporate investigations involving employee mobile device misuse Prerequisites - Cellebrite UFED Touch/4PC or UFED Physical Analyzer (licensed) - Alternative open-source tools: ALEAPP, iLEAPP, MEAT, libimobiledevice - Approp…

)\n\n\nclass MobileForensicsAgent:\n \"\"\"Parses mobile device extraction data for forensic analysis.\"\"\"\n\n def __init__(self, extraction_dir, output_dir, platform=\"android\"):\n self.extraction_dir = Path(extraction_dir)\n self.output_dir = Path(output_dir)\n self.output_dir.mkdir(parents=True, exist_ok=True)\n self.platform = platform\n\n def _query_db(self, db_path, query, params=None):\n \"\"\"Execute a query against a SQLite database.\"\"\"\n if not Path(db_path).exists():\n return []\n try:\n conn = sqlite3.connect(db_path)\n conn.row_factory = sqlite3.Row\n cursor = conn.cursor()\n cursor.execute(query, params or [])\n results = [dict(row) for row in cursor.fetchall()]\n conn.close()\n return results\n except sqlite3.Error as e:\n return [{\"error\": str(e), \"db\": str(db_path)}]\n\n def extract_sms_android(self):\n \"\"\"Extract SMS/MMS messages from Android mmssms.db.\"\"\"\n db_path = self.extraction_dir / \"data/data/com.android.providers.telephony/databases/mmssms.db\"\n return self._query_db(str(db_path), \"\"\"\n SELECT address, body, type,\n datetime(date/1000, 'unixepoch') AS msg_time,\n read, seen\n FROM sms ORDER BY date DESC LIMIT 5000\n \"\"\")\n\n def extract_sms_ios(self):\n \"\"\"Extract iMessage/SMS from iOS sms.db.\"\"\"\n db_path = self.extraction_dir / \"HomeDomain/Library/SMS/sms.db\"\n return self._query_db(str(db_path), \"\"\"\n SELECT h.id AS phone_number,\n CASE WHEN m.is_from_me = 1 THEN 'SENT' ELSE 'RECEIVED' END AS direction,\n m.text,\n datetime(m.date/1000000000 + 978307200, 'unixepoch') AS msg_time,\n m.service\n FROM message m\n JOIN handle h ON m.handle_id = h.ROWID\n ORDER BY m.date DESC LIMIT 5000\n \"\"\")\n\n def extract_call_log_android(self):\n \"\"\"Extract call logs from Android contacts2.db.\"\"\"\n db_path = self.extraction_dir / \"data/data/com.android.providers.contacts/databases/calllog.db\"\n return self._query_db(str(db_path), \"\"\"\n SELECT number, name,\n CASE type WHEN 1 THEN 'INCOMING' WHEN 2 THEN 
'OUTGOING'\n WHEN 3 THEN 'MISSED' ELSE 'UNKNOWN' END AS call_type,\n duration,\n datetime(date/1000, 'unixepoch') AS call_time\n FROM calls ORDER BY date DESC LIMIT 2000\n \"\"\")\n\n def extract_contacts_android(self):\n \"\"\"Extract contacts from Android contacts database.\"\"\"\n db_path = self.extraction_dir / \"data/data/com.android.providers.contacts/databases/contacts2.db\"\n return self._query_db(str(db_path), \"\"\"\n SELECT display_name, data1 AS phone_or_email, mimetype\n FROM raw_contacts rc\n JOIN data d ON rc._id = d.raw_contact_id\n WHERE mimetype IN (\n 'vnd.android.cursor.item/phone_v2',\n 'vnd.android.cursor.item/email_v2'\n ) ORDER BY display_name LIMIT 5000\n \"\"\")\n\n def extract_whatsapp_messages(self):\n \"\"\"Extract WhatsApp messages from msgstore.db.\"\"\"\n db_path = self.extraction_dir / \"data/data/com.whatsapp/databases/msgstore.db\"\n return self._query_db(str(db_path), \"\"\"\n SELECT key_remote_jid AS contact,\n CASE WHEN key_from_me = 1 THEN 'SENT' ELSE 'RECEIVED' END AS direction,\n data AS message_text,\n datetime(timestamp/1000, 'unixepoch') AS msg_time,\n media_mime_type,\n media_size\n FROM messages\n WHERE data IS NOT NULL\n ORDER BY timestamp DESC LIMIT 5000\n \"\"\")\n\n def extract_browser_history_android(self):\n \"\"\"Extract Chrome browser history from Android.\"\"\"\n db_path = self.extraction_dir / \"data/data/com.android.chrome/app_chrome/Default/History\"\n return self._query_db(str(db_path), \"\"\"\n SELECT url, title, visit_count,\n datetime(last_visit_time/1000000 - 11644473600, 'unixepoch') AS visit_time\n FROM urls ORDER BY last_visit_time DESC LIMIT 2000\n \"\"\")\n\n def extract_wifi_history(self):\n \"\"\"Extract saved WiFi networks.\"\"\"\n if self.platform == \"android\":\n wifi_conf = self.extraction_dir / \"data/misc/wifi/WifiConfigStore.xml\"\n if wifi_conf.exists():\n content = wifi_conf.read_text(errors=\"ignore\")\n import re\n ssids = re.findall(r'\"SSID\"[^>]*>([^\u003c]+)', content)\n return 
[{\"ssid\": s} for s in ssids]\n return []\n\n def extract_installed_apps(self):\n \"\"\"List installed applications.\"\"\"\n apps = []\n if self.platform == \"android\":\n app_dir = self.extraction_dir / \"data/data\"\n if app_dir.exists():\n for pkg in sorted(app_dir.iterdir()):\n if pkg.is_dir():\n apps.append({\n \"package\": pkg.name,\n \"has_databases\": (pkg / \"databases\").exists(),\n })\n return apps\n\n def search_keyword(self, keyword):\n \"\"\"Search across extracted databases for a keyword.\"\"\"\n hits = []\n for db_file in self.extraction_dir.rglob(\"*.db\"):\n try:\n conn = sqlite3.connect(str(db_file))\n cursor = conn.cursor()\n cursor.execute(\"SELECT name FROM sqlite_master WHERE type='table'\")\n tables = [row[0] for row in cursor.fetchall()]\n for table in tables:\n if not _SAFE_TABLE_RE.match(table):\n continue\n try:\n cursor.execute(f\"SELECT * FROM [{table}] LIMIT 1\")\n columns = [desc[0] for desc in cursor.description]\n for col in columns:\n if not _SAFE_TABLE_RE.match(col):\n continue\n cursor.execute(\n f\"SELECT [{col}] FROM [{table}] WHERE [{col}] LIKE ?\",\n [f\"%{keyword}%\"]\n )\n matches = cursor.fetchall()\n if matches:\n hits.append({\n \"database\": str(db_file.relative_to(self.extraction_dir)),\n \"table\": table,\n \"column\": col,\n \"match_count\": len(matches),\n })\n except sqlite3.Error:\n continue\n conn.close()\n except sqlite3.Error:\n continue\n return hits\n\n def generate_report(self):\n \"\"\"Generate comprehensive mobile forensics report.\"\"\"\n report = {\n \"extraction_dir\": str(self.extraction_dir),\n \"platform\": self.platform,\n \"report_date\": datetime.utcnow().isoformat(),\n }\n\n if self.platform == \"android\":\n report[\"sms\"] = {\"count\": len(self.extract_sms_android())}\n report[\"call_log\"] = {\"count\": len(self.extract_call_log_android())}\n report[\"contacts\"] = {\"count\": len(self.extract_contacts_android())}\n report[\"whatsapp\"] = {\"count\": len(self.extract_whatsapp_messages())}\n 
report[\"browser_history\"] = {\"count\": len(self.extract_browser_history_android())}\n elif self.platform == \"ios\":\n report[\"imessage_sms\"] = {\"count\": len(self.extract_sms_ios())}\n\n report[\"wifi_networks\"] = self.extract_wifi_history()\n report[\"installed_apps\"] = {\"count\": len(self.extract_installed_apps())}\n\n report_path = self.output_dir / \"mobile_forensics_report.json\"\n with open(report_path, \"w\") as f:\n json.dump(report, f, indent=2)\n\n print(json.dumps(report, indent=2))\n return report\n\n\ndef main():\n if len(sys.argv) \u003c 3:\n print(\"Usage: agent.py \u003cextraction_dir> \u003coutput_dir> [android|ios]\")\n sys.exit(1)\n\n extraction_dir = sys.argv[1]\n output_dir = sys.argv[2]\n platform = sys.argv[3] if len(sys.argv) > 3 else \"android\"\n\n agent = MobileForensicsAgent(extraction_dir, output_dir, platform)\n agent.generate_report()\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":9047,"content_sha256":"c5db6e0d341988db16f7983d0ecbc84e818491dfa336b0248e13ebf6eaeafd49"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Performing Mobile Device Forensics with Cellebrite","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When extracting evidence from smartphones or tablets during an investigation","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"For recovering deleted messages, call logs, and location data from mobile devices","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"During investigations involving communications via messaging apps","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When analyzing mobile application data for 
evidence of criminal activity","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"For corporate investigations involving employee mobile device misuse","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cellebrite UFED Touch/4PC or UFED Physical Analyzer (licensed)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Alternative open-source tools: ALEAPP, iLEAPP, MEAT, libimobiledevice","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Appropriate cables and adapters for target device","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Faraday bag to isolate the device from network signals","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Legal authorization (warrant, consent, or corporate policy)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Knowledge of iOS and Android file system structures","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Prepare the Device and Isolation","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# CRITICAL: Immediately place device in airplane mode or Faraday bag\n# This prevents remote wipe commands and additional data changes\n\n# Document device state before acquisition\n# Record: make, model, IMEI, serial number, OS version, screen lock status\n# Photograph the device from all angles\n\n# For Android - Enable USB debugging if accessible\n# Settings > Developer Options > USB Debugging > Enable\n\n# For iOS - Trust the forensic workstation\n# When prompted on device, 
tap \"Trust This Computer\"\n\n# If device is locked, document lock type (PIN, pattern, biometric)\n# Cellebrite UFED can bypass certain lock types depending on device model\n\n# Install open-source tools as alternatives\npip install aleapp # Android Logs Events And Protobuf Parser\npip install ileapp # iOS Logs Events And Properties Parser\nsudo apt-get install libimobiledevice-utils # iOS acquisition on Linux","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Perform Device Acquisition","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# === Cellebrite UFED Acquisition ===\n# 1. Launch UFED 4PC or connect UFED Touch\n# 2. Select Device > Identify device model automatically\n# 3. Choose extraction type:\n# - Logical: App data, contacts, messages, call logs (fastest, least data)\n# - File System: Full file system access including databases\n# - Physical: Bit-for-bit image including deleted data (most complete)\n# - Advanced (Checkm8/GrayKey): For locked iOS devices (specific models)\n# 4. Select output format and destination\n# 5. 
Begin extraction\n\n# === Open-source iOS acquisition with libimobiledevice ===\n# List connected iOS devices\nidevice_id -l\n\n# Get device information\nideviceinfo -u \u003cUDID>\n\n# Create iOS backup (logical acquisition)\nidevicebackup2 backup --full /cases/case-2024-001/mobile/ios_backup/\n\n# For encrypted backups (contains more data including passwords)\nidevicebackup2 backup --full --password /cases/case-2024-001/mobile/ios_backup/\n\n# === Android acquisition with ADB ===\n# List connected devices\nadb devices\n\n# Full backup (requires screen unlock)\nadb backup -apk -shared -all -f /cases/case-2024-001/mobile/android_backup.ab\n\n# Extract specific app data\nadb shell pm list packages | grep -i \"whatsapp\\|telegram\\|signal\"\nadb pull /data/data/com.whatsapp/ /cases/case-2024-001/mobile/whatsapp/\n\n# For rooted Android devices - full filesystem\nadb shell \"su -c 'dd if=/dev/block/mmcblk0 bs=4096'\" | \\\n dd of=/cases/case-2024-001/mobile/android_physical.dd\n\n# Hash the acquisition\nsha256sum /cases/case-2024-001/mobile/*.dd > /cases/case-2024-001/mobile/acquisition_hashes.txt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Analyze with ALEAPP (Android) or iLEAPP (iOS)","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# === Android analysis with ALEAPP ===\n# ALEAPP processes Android file system extractions\npython3 -m aleapp \\\n -t fs \\\n -i /cases/case-2024-001/mobile/android_extraction/ \\\n -o /cases/case-2024-001/analysis/aleapp_report/\n\n# ALEAPP extracts and reports on:\n# - Call logs, SMS/MMS messages\n# - Chrome browser history and searches\n# - WiFi connection history\n# - Installed applications\n# - Google account activity\n# - Location data (Google Maps, Photos)\n# - WhatsApp, Telegram, Signal messages\n# - App usage statistics\n# - Device settings and accounts\n\n# === iOS analysis with iLEAPP ===\npython3 -m ileapp \\\n -t tar \\\n -i 
/cases/case-2024-001/mobile/ios_backup.tar \\\n -o /cases/case-2024-001/analysis/ileapp_report/\n\n# iLEAPP extracts and reports on:\n# - iMessage and SMS messages\n# - Safari browsing history\n# - WiFi and Bluetooth connections\n# - Health data and location history\n# - App usage (KnowledgeC)\n# - Photos with EXIF/GPS data\n# - Notes, Calendar, Reminders\n# - Keychain data (if decryptable)\n# - Screen time data","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Extract Communications and Messaging Data","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Extract WhatsApp messages from Android\npython3 \u003c\u003c 'PYEOF'\nimport sqlite3\nimport os\n\n# WhatsApp database location\ndb_path = \"/cases/case-2024-001/mobile/android_extraction/data/data/com.whatsapp/databases/msgstore.db\"\n\nif os.path.exists(db_path):\n conn = sqlite3.connect(db_path)\n cursor = conn.cursor()\n\n # Extract messages\n cursor.execute(\"\"\"\n SELECT\n key_remote_jid AS contact,\n CASE WHEN key_from_me = 1 THEN 'SENT' ELSE 'RECEIVED' END AS direction,\n data AS message_text,\n datetime(timestamp/1000, 'unixepoch') AS msg_time,\n media_mime_type,\n media_size\n FROM messages\n WHERE data IS NOT NULL\n ORDER BY timestamp DESC\n LIMIT 1000\n \"\"\")\n\n with open('/cases/case-2024-001/analysis/whatsapp_messages.csv', 'w') as f:\n f.write(\"contact,direction,message,timestamp,media_type,media_size\\n\")\n for row in cursor.fetchall():\n f.write(','.join(str(x) for x in row) + '\\n')\n\n conn.close()\n print(\"WhatsApp messages extracted successfully\")\nPYEOF\n\n# Extract iOS iMessage/SMS from sms.db\npython3 \u003c\u003c 'PYEOF'\nimport sqlite3\n\ndb_path = \"/cases/case-2024-001/mobile/ios_extraction/HomeDomain/Library/SMS/sms.db\"\n\nconn = sqlite3.connect(db_path)\ncursor = conn.cursor()\n\ncursor.execute(\"\"\"\n SELECT\n h.id AS phone_number,\n CASE WHEN m.is_from_me = 1 THEN 'SENT' ELSE 'RECEIVED' END 
AS direction,\n m.text,\n datetime(m.date/1000000000 + 978307200, 'unixepoch') AS msg_time,\n m.service\n FROM message m\n JOIN handle h ON m.handle_id = h.ROWID\n ORDER BY m.date DESC\n\"\"\")\n\nwith open('/cases/case-2024-001/analysis/imessage_sms.csv', 'w') as f:\n f.write(\"phone,direction,text,timestamp,service\\n\")\n for row in cursor.fetchall():\n f.write(','.join(str(x) for x in row) + '\\n')\n\nconn.close()\nPYEOF","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Extract Location Data and Generate Report","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Extract GPS data from photos\npip install pillow\npython3 \u003c\u003c 'PYEOF'\nfrom PIL import Image\nfrom PIL.ExifTags import TAGS, GPSTAGS\nimport os, json\n\ndef get_gps(exif_data):\n gps_info = {}\n for key, val in exif_data.items():\n decoded = GPSTAGS.get(key, key)\n gps_info[decoded] = val\n\n if 'GPSLatitude' in gps_info and 'GPSLongitude' in gps_info:\n lat = gps_info['GPSLatitude']\n lon = gps_info['GPSLongitude']\n lat_val = lat[0] + lat[1]/60 + lat[2]/3600\n lon_val = lon[0] + lon[1]/60 + lon[2]/3600\n if gps_info.get('GPSLatitudeRef') == 'S': lat_val = -lat_val\n if gps_info.get('GPSLongitudeRef') == 'W': lon_val = -lon_val\n return lat_val, lon_val\n return None\n\nlocations = []\nphoto_dir = \"/cases/case-2024-001/mobile/ios_extraction/CameraRollDomain/Media/DCIM/\"\nfor root, dirs, files in os.walk(photo_dir):\n for fname in files:\n if fname.lower().endswith(('.jpg', '.jpeg', '.heic')):\n try:\n img = Image.open(os.path.join(root, fname))\n exif = img._getexif()\n if exif and 34853 in exif:\n coords = get_gps(exif[34853])\n if coords:\n locations.append({'file': fname, 'lat': coords[0], 'lon': coords[1]})\n except Exception:\n pass\n\nwith open('/cases/case-2024-001/analysis/photo_locations.json', 'w') as f:\n json.dump(locations, f, indent=2)\nprint(f\"Found {len(locations)} geotagged 
photos\")\nPYEOF\n\n# Extract location history from Google Location History (Android)\n# File: /data/data/com.google.android.gms/databases/lbs.db\n# or exported Google Takeout location data","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Key Concepts","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Concept","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Logical extraction","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Extracts accessible user data through device APIs (contacts, messages, photos)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"File system extraction","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Full access to the device file system including app databases","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Physical extraction","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Bit-for-bit copy of device storage including deleted and unallocated 
data","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"UFED","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Universal Forensic Extraction Device - Cellebrite's flagship acquisition platform","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ADB","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Android Debug Bridge for communicating with Android devices","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"KnowledgeC","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"iOS database tracking detailed app and device usage patterns","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SQLite databases","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Primary storage format for mobile app data (messages, contacts, history)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Checkm8","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Hardware-based iOS exploit enabling extraction on 
A5-A11 devices","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tools & Systems","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Tool","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Purpose","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Cellebrite UFED","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Commercial mobile device acquisition and analysis platform","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Cellebrite Physical Analyzer","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Deep analysis of mobile device extractions","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ALEAPP","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Open-source Android artifact parser and report 
generator","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"iLEAPP","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Open-source iOS artifact parser and report generator","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"libimobiledevice","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Open-source iOS communication library","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Magnet AXIOM","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Commercial mobile and computer forensics platform","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"MEAT","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Mobile Evidence Acquisition Toolkit","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ADB","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Android Debug Bridge for device interaction and data 
extraction","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Common Scenarios","type":"text"}]},{"type":"paragraph","content":[{"text":"Scenario 1: Criminal Communications Investigation","type":"text","marks":[{"type":"strong"}]},{"text":" Acquire device with UFED physical extraction, decrypt messaging databases, extract WhatsApp/Telegram/Signal conversations, recover deleted messages from WAL files, build communication timeline, export for legal proceedings.","type":"text"}]},{"type":"paragraph","content":[{"text":"Scenario 2: Employee Data Theft via Personal Phone","type":"text","marks":[{"type":"strong"}]},{"text":" Perform logical extraction with employee consent, analyze corporate email and cloud storage app data, check for screenshots of confidential documents, review file transfer app activity, examine browser history for cloud uploads.","type":"text"}]},{"type":"paragraph","content":[{"text":"Scenario 3: Missing Person Location Tracking","type":"text","marks":[{"type":"strong"}]},{"text":" Extract location data from Google Location History, parse GPS data from photos, analyze WiFi connection history for last known locations, check fitness app data for movement patterns, examine messaging apps for last communications.","type":"text"}]},{"type":"paragraph","content":[{"text":"Scenario 4: Child Exploitation Investigation","type":"text","marks":[{"type":"strong"}]},{"text":" Physical extraction preserving all data including deleted content, hash all images against NCMEC/ICSE databases, extract communication records, recover deleted media from unallocated space, document chain of custody meticulously for prosecution.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Output Format","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"Mobile Forensics Summary:\n Device: Samsung Galaxy S23 Ultra (SM-S918B)\n OS: Android 14, One UI 6.0\n IMEI: 353456789012345\n 
Extraction: Physical (via Cellebrite UFED)\n Duration: 45 minutes\n\n Extracted Data:\n Contacts: 1,234\n Call Logs: 5,678\n SMS/MMS: 3,456\n WhatsApp Msgs: 12,345 (234 deleted, recovered)\n Telegram Msgs: 2,345\n Photos/Videos: 4,567 (345 geotagged)\n Browser History: 2,345 URLs\n WiFi Networks: 67 saved connections\n Installed Apps: 145\n\n Key Findings:\n - Deleted WhatsApp conversation with suspect recovered\n - 23 geotagged photos at crime scene location\n - Browser searches related to investigation subject\n - Signal app used during incident timeframe (encrypted, partial recovery)\n\n Reports:\n ALEAPP Report: /analysis/aleapp_report/index.html\n Messages Export: /analysis/whatsapp_messages.csv\n Locations: /analysis/photo_locations.json","type":"text"}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"performing-mobile-device-forensics-with-cellebrite","tags":["forensics","mobile-forensics","cellebrite","smartphone-analysis","ios-forensics","android-forensics"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":13207,"repo_name":"anthropic-cybersecurity-skills","origin_url":"https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md","repo_owner":"mukul975","body_sha256":"5590a94439c14e32a152690d24ffdd54184863f79fef4150e452e1322d780871","cluster_key":"1e19d9b29a09df6a0dc3495b992a0ad8f8e53906bf1d6ca14b3cf15b1e45314d","clean_bundle":{"format":"clean-skill-bundle-v1","source":"mukul975/anthropic-cybersecurity-skills/skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md","attachments":[{"id":"f8aff602-bf84-5630-aab8-8a3cb32f49ee","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/f8aff602-bf84-5630-aab8-8a3cb32f49ee/attachment.md","path":"references/api-reference.md","size":1964,"sha256":"765804b66da557c4e205e0fd42aa3355b6c71273b51c6d6ad84629bedab0e1cb","contentType":"text/markdown; 
charset=utf-8"},{"id":"eb538450-c682-57df-ac37-a47d77389a4e","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/eb538450-c682-57df-ac37-a47d77389a4e/attachment.py","path":"scripts/agent.py","size":9047,"sha256":"c5db6e0d341988db16f7983d0ecbc84e818491dfa336b0248e13ebf6eaeafd49","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"44cfabeb1f3108278a7c3d61f9708daa8ac4ec80698af19872dff4b0dc504d07","attachment_count":2,"text_attachments":2,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":2,"skill_md_path":"skills/performing-mobile-device-forensics-with-cellebrite/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":1},"license":"Apache-2.0","version":"v1","category":"security","nist_csf":["RS.AN-01","RS.AN-03","DE.AE-02","RS.MA-01"],"subdomain":"digital-forensics","import_tag":"clean-skills-v1","description":"Acquire and analyze mobile device data using Cellebrite UFED and open-source tools to extract communications, location data, and application artifacts."}},"renderedAt":1782981256162}
