How To Choose A Computer Access and Analysis Solution With Confidence
Eight Essential Capabilities to Look for in a Solution
CONTENTS
Introduction
Key Considerations
The Top Eight Important Capabilities
1. Windows Evidence Support
2. Mac Support
3. Forensic Imaging: Boot Acquisition and Live Data Acquisition
4. Collection: Full-Disk, Targeted
5. Reporting, Preferences, Tags, and Exporting
6. Powerful Analysis
7. Decryption: During Collection, During Analysis
8. Triage Granularity and Search Capabilities
Why Cellebrite Computer Forensic Solutions
INTRODUCTION
Not All Computer Forensics Solutions Are Created Equal
Today we’re seeing amazing advances in digital technologies and the widespread
adoption of Digital Intelligence (DI)—the data that is extracted from
digital sources and data types (smartphones, computers, and the Cloud) and
the process by which agencies access, manage, and leverage data to more
efficiently run their operations. At the same time, we’re also witnessing a
swift rise in computer-related crimes and cybercrime attacks. To meet today’s
computer challenges and become “DI ready” for policing in the future,
agency managers need to make smart decisions when investing in computer
forensics solutions.
Between budget constraints and the need to address a growing backlog of
cases, many agencies find themselves caught between a host of technology
vendors making lots of promises. From delivering powerful tools to fulfill
their mission, to ensuring digital evidence is collected in a forensically sound
manner and making sure digital evidence is maximized to build a strong case,
it can be overwhelming.
This guide is meant to remove any uncertainty in the vetting process by arming
you with the knowledge to make informed decisions about purchasing
computer forensics technology.
THE IMPORTANT
QUESTIONS
Selecting the right solution means knowing what to look for and
how it might help your agency achieve its DI readiness goals.
You may be required to handle different types of cases and support triage and
acquisition scenarios on-scene or in the lab. You may be looking into solutions
that integrate well with other tools that have already been implemented. You
may be looking to adopt a solution that complements what you already have.
Whatever the reasoning may be, it is critical to get answers to the questions
that follow when deciding whether to move forward in conversations with a
vendor.
Across the spectrum of available forensics solutions, there may be little obvious
variation among their capabilities. However, once the full extent of a
solution’s capabilities is known, a proper evaluation can be conducted with
relevant stakeholders.
KEY CONSIDERATIONS WHEN
DECIDING ON A SOLUTION
There are several considerations to keep in mind when trying to determine the
best computer forensics solution for your workflow. It is always good to
have multiple toolsets in your toolbox, as each may have its unique strengths.
Below are some basic questions that you may want to evaluate when choosing
a computer solution:
Understanding that you have a trusted partner that will address your current
needs and continue to innovate as you foresee future obstacles is another
critical element in that evaluation.
How to Select the Right Solution for You
Know your budget
Determine the type of cases you normally process
Determine what your workflow consists of
• Triaging media
• Identifying patterns in communications, building out connections or networks
• Application and database analysis
• Geolocation
• Encryption
• Documents
• Foreign language translation
1. WINDOWS EVIDENCE SUPPORT
When examining a Windows machine, it’s important to have robust support for Windows® file systems
and Registry, operating systems, user and application artifacts, and more. This could mean the
difference between solving a case or leaving a criminal on the streets. Although some may resort to
open source forensics tools, you need a solution you can trust to maintain the integrity of the data.
Below is a list of some Windows evidence items we think are worth evaluating:
2. MAC SUPPORT: ADVANCED
APPLE TECHNOLOGIES
Apple devices are more popular than ever, which is why it’s critical for examiners
and investigators to have access to the tools and skills necessary to
work with them. To perform a comprehensive analysis on an Apple device you
may have encountered, you first need to ask yourself:
4. COLLECTION:
FULL DISK, TARGETED
When on-scene and time is of the essence, you need a solution that shortens your collection
time and gives you control over the data to be collected. Consider a solution that supports both
full-disk and targeted acquisitions and allows you to select certain categories of interest, targeted
files, or directories to acquire.
Cellebrite Digital Collector recognizes physical disks, volumes, and APFS containers on a machine,
and allows you to choose which items to acquire.
Data collection in Digital Collector
includes these evidence items:
System data
User files
User directories
Files (for each user)
System files
OSX volumes
Files (for each volume)
Additional files
The “Additional System Files” category
lets you collect items you find with
the Browser and Search views and
then manually select, such as deleted
user data, logs, and other items.
5. REPORTING, PREFERENCES,
TAGS, AND EXPORTING
6. POWERFUL ANALYSIS
The most important part of any investigation is your ability to perform
a quick and comprehensive analysis of the evidence, surfacing
key insights to close cases faster. Having a solution that
supports a wide range of evidence types from the most common
platforms within a single tool minimizes the learning curve and
can save you time and money. To shed light on a suspect’s actions
and surface leads, you need the ability to perform in-depth analysis
or triage, with advanced searching and filtering capabilities to
sift through large data sets quickly.
Cellebrite Inspector has powerful
media analysis capabilities.
Display media types, views,
pictures, videos, thumbnail
or combined
Categorize with Lace®, C4All®,
Project Vic®, and S21®
Advanced filtering
7. DECRYPTION: DURING COLLECTION,
DURING ANALYSIS
The ability to decrypt data at time of collection
for the purpose of triage, or to
conduct a deep-dive analysis, is important
when you need real-time insights.
Below are some formats that you may
want to validate if supported:
8. TRIAGE GRANULARITY
AND SEARCH CAPABILITIES
The goal of digital triage is to perform rapid review of
specific information to prioritize the computer for subsequent
analysis, or to further an investigation as early as
possible. Having an easy-to-operate solution that allows
comprehensive search on live or booted systems, filtering
for file metadata or keywords, and content review
capabilities is a must.
CONFIDENTLY CHOOSE
CELLEBRITE COLLECTION
SOLUTIONS
User friendly
Cellebrite Inspector is a great tool for both junior and expert forensic examiners.
The user interface is built to be intuitive and user-friendly. The view is
consistent whether you are looking at data from Windows, Mac, or mobile.
Inspector can run on Windows or Mac forensic workstations. Most common
forensic image files can be ingested, such as E01, DD, AFF4, and DMG. Having
all types of devices in one case file makes full-case examination easier.
Our Consultants
are Here to Help
SCHEDULE A CALL TO LEARN MORE
Cellebrite is the global leader of Digital Intelligence solutions for law enforcement, government, and enterprise organizations.
Cellebrite delivers an extensive suite of innovative software solutions, analytic tools, and training designed to accelerate digital
investigations and address the growing complexity of handling crime and security challenges in the digital era. Trusted by thousands
of leading agencies and companies in more than 150 countries, Cellebrite is helping fulfill the joint mission of creating a safer world.