Facetime Extraction in Cellebrite - Records not visible on phone?

Jose B.

New Member
Nov 21, 2018
#1
Did extraction using Cellebrite.

Facetime call log in Cellebrite not showing on phone except for the last call in the day.

Looks like iPhone only shows the last FaceTime call history on any day.

EXAMPLE:
3 calls on July 21st.
- 9:34 PM
- 10:10 PM
- 11:03 PM

Only the 11:03 PM is showing on the phone.

Anybody able to confirm this?
 

Lids

New Member
Experienced Member
Oct 23, 2018
#2
Whilst I can't answer this specific question, I would validate what you're seeing with another tool -- some examples are XRY and Oxygen, or if you can parse out the call log databases and validate manually. Cellebrite is certainly one of the best tools on the market but even it has its flaws ... I watched a webinar from an investigator in the Virginia State Forensic Lab who showed how she was able to recover private DM messages from Twitter off a cellphone that Cellebrite was not able to extract / indicated no information was present.
 

Jose B.

New Member
Nov 21, 2018
#3
Checked the database CallHistory.storedata. All the records viewed in Cellebrite are in database. Want to make sure that Cellebrite not missing a display flag. I checked other Facetime calls on phone and none show more calls than one on a single day. So going to test on another phone to confirm if I can find one active.
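Added example (not part of the post above, and not Cellebrite's code): one way to do the manual check described in posts #2 and #3, listing FaceTime records per local day straight from the SQLite store so they can be compared with what the phone's call list shows. The `ZCALLRECORD` table, its `ZDATE`/`ZCALLTYPE`/`ZDURATION` columns and the call-type values 8 and 16 are assumptions taken from commonly documented versions of this database; the sample rows are constructed, with a made-up year and durations.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# ZDATE is assumed to be Core Data time: seconds since 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Assumed ZCALLTYPE values; confirm against the iOS version under examination.
FACETIME_TYPES = {8: "FaceTime video", 16: "FaceTime audio"}

def facetime_calls_by_day(conn, utc_offset_hours=0):
    """Return {local date: [(HH:MM, call type, duration in s), ...]} for FaceTime rows."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    rows = conn.execute(
        "SELECT ZDATE, ZCALLTYPE, ZDURATION FROM ZCALLRECORD "
        "WHERE ZCALLTYPE IN (8, 16) ORDER BY ZDATE")
    days = defaultdict(list)
    for zdate, calltype, duration in rows:
        local = (COCOA_EPOCH + timedelta(seconds=zdate)).astimezone(tz)
        days[local.date().isoformat()].append(
            (local.strftime("%H:%M"), FACETIME_TYPES[calltype], int(duration)))
    return dict(days)

def days_needing_review(by_day):
    """Days with more than one FaceTime record, where the phone may list fewer."""
    return {day: calls for day, calls in by_day.items() if len(calls) > 1}

def build_sample_db():
    """Constructed stand-in for CallHistory.storedata (times stored as UTC)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZCALLRECORD (Z_PK INTEGER PRIMARY KEY, "
                 "ZDATE REAL, ZCALLTYPE INTEGER, ZDURATION REAL)")
    sample = [("2018-07-21 21:34", 8, 120), ("2018-07-21 22:10", 8, 45),
              ("2018-07-21 22:30", 1, 60),   # ordinary phone call, filtered out
              ("2018-07-21 23:03", 16, 300), ("2018-07-22 09:15", 8, 30)]
    for stamp, calltype, duration in sample:
        dt = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        conn.execute(
            "INSERT INTO ZCALLRECORD (ZDATE, ZCALLTYPE, ZDURATION) VALUES (?, ?, ?)",
            ((dt - COCOA_EPOCH).total_seconds(), calltype, duration))
    return conn

if __name__ == "__main__":
    flagged = days_needing_review(facetime_calls_by_day(build_sample_db()))
    for day, calls in flagged.items():
        print(day, len(calls), "FaceTime records:", calls)
```

Against a real extraction, open a working copy read-only with `sqlite3.connect("file:CallHistory.storedata?mode=ro", uri=True)` and pass the device's UTC offset, since a late-evening call can land on the next local day.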
 

twicesafe

Administrator
Staff member
Sep 4, 2018
#4
@Jose B.

Were you able to test on another phone?

... Cellebrite is certainly one of the best tools on the market but even it has its flaws ... I watched a webinar from an investigator in the Virginia State Forensic Lab who showed how she was able to recover private DM messages from Twitter off a cellphone that Cellebrite was not able to extract / indicated no information was present.
If that doesn't help prove your theory, then check with other tools. @Lids makes an excellent point in that different tools will find different data due to their different capabilities. Each tool will parse and carve the hard to find data differently, so be sure to always validate with multiple tools if the data is important to the case.

It isn't that one tool will display the same data differently, it is just that some tools will be able to interpret the data while others won't. Each tool can dig deeper into data that the other tool can't due to how they process the data.
 
