Cell Light, Cellebrite, First Cell Phone Search I See Tonight . . .

February 28, 2017
By Hanging Out with Carl Gunn

BLOG BULLETS:

  • There’s a software program named Cellebrite that law enforcement commonly uses to search cell phones and that helps it recover not only the things an ordinary user can see on the cell phone, but also hidden information like metadata and deleted text messages, call records, and contacts.
  • A publication entitled “Preparing Testimony about Cellebrite UFED in a Daubert or Frye Hearing,” prepared by the company itself, acknowledges studies with error rates of 5% to 10% and recommends that examiners not rely on Cellebrite alone.
  • The publication also provides recommendations on things like certification and training of examiners and how to validate results.

NOW THE BLOG:

I ran into a cell phone search technology recently that I hadn’t run into before and that I had to learn a little bit about.  It’s a forensic search program for cell phones called Cellebrite, which can download information from cell phones in a somewhat similar fashion to the forensic software for searching computers that I’m more familiar with, things like EnCase and FTK.  Like EnCase and FTK, this Cellebrite software will create reports about what it finds on the cell phone, and, again like EnCase and FTK, it can uncover not just the things an ordinary user could view on the cell phone but also hidden information like “metadata” and deleted text messages, call records, and contacts.

I discovered several things about this Cellebrite software that I thought I’d share with you in case you want to watch out for them in your cases.  First, despite the fact that this software seems to be commonly used for searching cell phones, there’s a dearth of case law out there, so there are multiple legal issues that are ripe to be litigated.  Those include issues about whether and when testimony about the software is expert testimony that has to satisfy Daubert, what qualifications a witness needs to testify about what the software produces, and whether and under what circumstances the software and what it produces satisfy Daubert.  There are no published federal circuit court cases I could find and relatively few published state cases.  About the best that’s out there is a fairly in-depth opinion by the Vermont Supreme Court – State v. Pratt, 128 A.3d 883 (2015) – which does have a fairly decent, in-depth discussion of some of the issues, but may not be the first place federal practitioners look for precedent.

Second, I found a publication on the internet – attached here – in which the Cellebrite company itself recognizes there are Daubert issues that have to be addressed in considering testimony about the software’s results.  It’s specifically titled “Preparing Testimony about Cellebrite UFED in a Daubert or Frye Hearing,” and it goes through the Daubert factors.  And it suggests potential problems even though it’s prepared by the company that sells the software and presumably has an interest in seeing it used and approved in court.  One example – which you can find at page 5 of the linked publication – is a recognition of several studies showing error rates of 5 to 10 percent, which is more than I’d expect from a technical product like computer software.  Another is an interesting recommendation in the publication that the software shouldn’t be used by itself in conducting a forensic analysis of a cell phone.  At page 7 of the linked document, the company makes the following recommendation:

As with any digital forensic tool or technique, it is not recommended that a mobile device examiner rely on a single UFED tool to interpret the data.  Examiners should be trained and qualified to validate what is on the device and where it is located, especially after performing a physical extraction.  (Footnote omitted.)

The publication then goes on to make five suggestions about the examiner and what he or she should do to accomplish this, including (1) that there be “current certification” of the examiner, which the company recommends should include training that’s “refreshed” every two years; (2) that the examiner’s tools be regularly updated and that he or she be using the most current version of the software; (3) that the examiner “validate the tool using a test version of device(s) relevant to their case”; (4) that the examiner validate and authenticate the results with other tools and resources, including other mobile forensic tools; and (5) that the examiner follow their organization’s standard operating procedure and “digital forensics best practices.”

If even the producer of the software recognizes problems and/or suggests checks like this, it would be interesting to see what a more objective defense expert might think or find in reviewing this software, either generally or in your particular case.  Alternatively, perhaps this publication and/or the information in it could be used in a cross examination.  Cellebrite may be a dimmer star than you think, and the information it produces – and maybe the information other forensic software produces – may be more open to attack than you thought.