Join Cellebrite at these 4 August events!

Cellebrite will be present at four events in the United States during the month of August. Visit us in San Diego, Calif., Santa Clara, Calif., Dallas, Tex., and/or Austin, Tex., to see our latest products demonstrated and to hear our subject matter experts talk about the latest issues and trends in mobile forensics.

August 5-7, 2014: San Diego and Santa Clara

Cellebrite will be at two California-based shows this week: National Technical Investigators Association (NATIA) and the Flash Memory Summit.

At NATIA, held in San Diego, senior trainer Keith Daniels will instruct a hands-on lab, “Extracting and Decoding Mobile Device Evidence with UFED Technology,” on Thursday, August 7 from 3:00-5:00 PM. Here, learn about timeline, analytics, mapping, and other analytical capabilities of the Cellebrite UFED Series, along with how best to preserve the evidence.

We’ll be exhibiting the UFED Series at Booth #417. Stop by with your NATIA “Bingo” card and ask one of our booth staff to stamp our logo on your card. Once you have collected stamps from all the exhibitors featured on your card, turn the card in to event managers to be eligible for special prizes. These include, among others, a 2015 paid conference fee package!

The same week will see us in Santa Clara for the Flash Memory Summit, being held at the Santa Clara Convention Center. There, Ronen Engler, senior manager of technology and innovation, will present “Micro Storage, Macro Crimes” on Wednesday, August 6 from 8:30-9:35 AM.

In this session, understand how developments in data protection, prepaid and unsupported devices, and app proliferation challenge investigators, and what workarounds are available. Learn not only what can be retrieved, but also how examiners analyze it once they have the raw data—and what it all means for criminal cases both now and into the future.

August 11-14, 2014: Dallas

The week following will see Cellebrite exhibiting at the Crimes Against Children Conference (CACC) in Dallas, Texas at Booth #5. Michael Hall, chief information security officer at DriveSavers Data Recovery, Inc., will join Ronen Engler to present a workshop on “Mobile Victimology: How Mobile Data Can Help Focus Investigations.”

The workshop will take place Tuesday, August 12 from 10:00-11:30. Hall will be bringing to bear a case study on how DriveSavers forensic examiners used UFED Physical Analyzer to help prosecutors build a capital murder case against a rape and murder suspect in Texas. The case demonstrates what mobile device usage can reveal about victims, suspects, and where their paths cross via carrier call detail records, social media graphs, and other data sources.

CACC is sponsoring a tablet giveaway! Participants in this workshop will receive one entry for a chance to win this giveaway. To win, you must be present Wednesday evening at the social event. See the CACC’s final program for more details.

August 25-27, 2014: Austin

Cellebrite is proud to be a Gold Sponsor of the High Tech Crime Investigation Association (HTCIA)’s annual conference, held this year in Austin, Texas. In addition to exhibiting at Booth #201, we’re pleased to offer all conference participants the opportunity to attend our five lectures and hands-on labs.

Tuesday at 3:30PM, we’ll present a lecture, “Mobile Devices: Extraction Methods and Advanced Decoding,” covering forensic workarounds for recent advancements in mobile device hardware and operating systems, developments in data protection, prepaid and unsupported devices, and app proliferation. Learn not only what can be retrieved, but how to analyze it once you have the raw data.

Each hands-on lab, “Basic Mobile Device Extraction with Cellebrite UFED4PC” and “Introduction to UFED Physical Analyzer,” will be presented twice on Wednesday for a total of four sessions that day. Join Cellebrite Forensic Training staff to learn how to get the most from UFED extraction and analysis software.

Whether you’re new to Cellebrite or a long-time customer, we look forward to seeing you and hearing about your mobile forensics experiences!

Mark your calendar and join Cellebrite at US, India, or South Africa events this July

Cellebrite will be hosting three consecutive law enforcement/security-oriented events across the globe this July. Join us in the United States, India or South Africa, and experience a live demo of the UFED product line with all its latest features.

Palm Springs: National Association of School Resource Officer Conference (NASRO)

NASRO is dedicated to providing the highest quality of training to school-based law enforcement officers in order to promote safer schools and safer kids in the US.

From July 13 – 15 Cellebrite will be at NASRO’s annual conference in southern California, presenting the UFED Series to school resource officers, law enforcement personnel, and other school security/safety professionals.

Cellebrite staff will also be highlighting success stories of where our leading mobile forensics tool was used to help solve school related crime and violence. Look for us at Booth #11.

Johannesburg: Intelligence Support Systems (ISS) World 2014

As NASRO ends, the ISS World event begins in South Africa on July 15 – 17. ISS is a place where law enforcement, public safety, telecoms and the intelligence community turn for technical training and product selection. Cellebrite will be exhibiting at Booth #204.

As part of the ISS World Programs, Roy Shamir, Cellebrite’s Director of Sales, EMEA, will be providing a presentation on Trends in Mobile Forensics, including the UFED portfolio, during the ISS for Mobile Location, Surveillance and Signal Intercept track on Wednesday, July 16 from 14:00-14:30.

New Delhi: India International Police Expo 2014

Cellebrite will be showcasing its mobile forensics solutions at the International Police Expo in India on July 17 – 19. An exhibition focused on policing equipment, the Expo provides vendors and visitors with the opportunity to learn about new technologies and solutions that are shaping the mobile forensics industry, among other technologies related to safety and protection.

Visit with Cellebrite representatives there at Booth #60, and be sure to see Cellebrite APAC’s Jeremy Chua present on “International Trends of Mobile Device Forensics and Their Impact on Law Enforcement” July 19!

We hope to meet and greet with you at one of these upcoming shows!

New UFED release broadens decoding for extractions from prepaid, damaged devices

With the release of UFED Physical Analyzer 3.9.7, Cellebrite now offers improved decoding for the binary files resulting from JTAG extractions. This means that rather than have to carve or manually decode the image file, examiners can now save time with an automated process.*

JTAG (Joint Test Action Group) forensics is an advanced method of mobile data extraction. By taking advantage of a device’s test access ports (TAPs)—included in every mobile device model to aid in manufacturers’ quality assurance processes—examiners can unlock the device in order to gain access to raw data stored on the memory chip, and can thus obtain a full physical image of the memory.

Because it is non-destructive and affords the opportunity to access data from devices that have been altered or damaged in some way that makes them inaccessible using conventional mobile forensic extraction tools, the JTAG technique is growing in popularity, with a number of examiners undergoing training to become proficient in the procedure.

The additional decoding support, made possible with generic chains, is now available for 110 tested devices, including Samsung, HTC, LG, ZTE, Nokia, Huawei, Casio, Pantech, and Kyocera models. Examiners can gain access to a rich set of data such as call logs, SMS, MMS, emails, media files, apps data, and locations.

Access the JTAG binary extraction files in UFED Physical Analyzer by using the “Open (Advanced)” feature and selecting the extraction and the appropriate JTAG chain. You can find step-by-step guidance in Chapter 3, section 3.4.2.3 of the UFED Physical Analyzer manual.


*Manual decoding is still valuable as a validation method for forensic examinations.

Convert GPS coordinates to physical addresses

See where your subjects are visiting, and how often they’re visiting, without having to manually convert GPS coordinates to physical locations. UFED Logical/Physical Analyzer now enables you to convert single or multiple latitude/longitude coordinates, in bulk, to their corresponding nearest address. It also allows you to search based on that information, using an advanced search capability.

Additional device and decoding support

The new UFED release, 3.0.7, includes physical extraction with lock bypass from an additional 40 devices including: Samsung Galaxy S4 and Note III families, and HTC devices. Additional device extraction support using the Android backup method is included, along with file system and logical extractions from Nokia Asha devices.

The new UFED Physical Analyzer release includes additional decoding support for physical extractions from 26 new devices, file system extractions from 25 new devices, usernames and passwords from the browser on Android devices, locations in deleted photo metadata from iOS devices running iOS 7 and above, and deleted call log, contact and calendar content from Microsoft® EDB embedded database within Windows® Phone devices. In addition, decryption support is now available for the WhatsApp backup database, identifiable by the .crypt7 backup file extension, which contains chat messages.

The Telegram and Instagram apps are newly supported for both Android and iOS devices. Decoding support for the Waze app is new for Android and updated for iOS devices; Facebook Messenger, Line, QQ, Skype, Twitter, WeChat, and Vkontakte, along with other apps, have been updated for Android and iOS as well.

For a full rundown of device and app support, view our release notes. Cellebrite is also offering a webinar on JTAG decoding and analysis in July. Register for the webinar here!

 

JTAG decoding, bypassing device locks, and link analysis in Cellebrite’s July webinars


Link Analysis: Identify connections between suspects, victims, and others in less time

On July 1, learn how field investigators use UFED Link Analysis to rapidly visualize key relationships between entities and identify the connections and communication methods between multiple mobile devices. Join Cellebrite Forensics Solutions Specialist Lee Papathanasiou for a 60-minute live webinar that details how link analysis methodology:

  • Helps you visualize communication links using multiple mobile devices’ rich data sets, including mutual contacts, calls, SMSs, MMS, emails, chats, application transactions, Bluetooth devices, locations, and more.
  • Filters data by time, date, number of contact times, and categories, and drills down to specific events.
  • Pinpoints whether entities were at the same place at the same time.
  • Allows you to share findings with colleagues and other investigators.

The webinar, including a Q&A session, will present real world use case scenarios from a wide range of crime categories. The session will also touch on key practical features of UFED Link Analysis, including timelines, advanced filters, and much more.

Register here for the July 1 webinar on UFED Link Analysis!

Bypassing Locked Devices: Learn How to Tackle One of the Biggest Challenges in Mobile Forensics

Pattern locks and passwords are becoming increasingly sophisticated and hard to crack, even for forensic examiners. Attempting to gain access to a locked device, especially with a complex pattern lock or passcode, is often only possible by using advanced forensic tools and techniques.

Don’t remain locked out from your evidence. Join Cellebrite’s forensic technical director, Yuval Ben-Moshe, for this 45-minute live webinar to learn about the UFED’s unrivaled ability to bypass locked phones without jailbreaking, rooting or flashing. You will learn:

  • Various methods to bypass locked devices, and a live demo of password extractions using the UFED.
  • How to use the extracted password to bypass other devices owned by the same person.
  • Physical extraction while bypassing any type of lock from 470 Android devices, including Cellebrite’s first to market capabilities for Samsung Galaxy S4 family.
  • Bypassing locks from counterfeit devices and phones manufactured in China.
  • How to run a plug-in that reveals pattern locks in Physical Analyzer.

Register here for the July 10 webinar on user lock bypass and extraction!

Automated JTAG Extraction Decoding with UFED Physical Analyzer

JTAG forensics is growing in popularity, but obtaining the raw data stored on the device’s memory chip requires a great deal of resources and investment. It can take many hours for an examiner to transform the raw data into human-interpretable evidence.

Cellebrite’s newly introduced decoding capabilities reduce the amount of time examiners have to spend on manually decoding, or carving, the large volume of extracted data. Join Cellebrite’s engineering product manager, Ronen Engler, for a 45-minute session on how you can take advantage of the UFED for JTAG decoding:

  • Easily import the binary file from a JTAG extraction into the UFED Physical Analyzer to draw accurate conclusions and report data.
  • Access this rich set of data to discover common artifacts, such as call logs, SMS, media files, e-mails, chats and locations.
  • Drill down into the binary file’s hex code through advanced search capabilities for finer grained information.
  • Decode the extractions from the widest range of devices, including popular Samsung, HTC, and LG, using a series of automated plug-ins and chains.

Register for the July 24 webinar to learn about Cellebrite’s efficient and cost-effective solution to decode and obtain forensically sound data from previously inaccessible devices.

DIY app forensics: What does it take?

Digital evidence from the millions of apps currently available in the Google Play Store is frequently material to criminal and civil cases and investigations. Yet app evidence is time consuming and costly to decode, analyze, and produce while facing deadlines and a backlog of cases.

What’s in app support? At Mobile Forensics World this year, you have a chance to find out. On Tuesday, June 3, John Carney and Don Huettl, of Minneapolis (Minnesota, US)-based Carney Forensics, are presenting a two-part lecture and live demo on what it took for them to develop plugin support for the Burner Android app. We took the time to sit down with John and get the story behind the lectures.

Cellebrite: What first drove you to start developing plug-ins to support third party apps?

John Carney: We’ve seen a dramatic change in mobile phone architecture in recent years as smart phone and tablet makers rely on apps as basic building blocks.

This makes for an industry challenge faced by tools vendors and examiners alike.  Over one million iOS apps and one million Android apps are available today through app stores, but automated forensic analysis is supported for only a few hundred.

And, even though scripting capabilities exist for examiners to develop their own forensic app support, very few are decoding apps and writing the scripts and plug-ins to probe their device evidence.  We wanted to attempt to show examiners a path forward and how to get involved.

CB: How did you come to choose this particular app?

JC: Mobile messaging apps are an extremely interesting family of mobile apps that phone users are shifting to in great numbers all over the world as they abandon traditional text messaging offered through the service providers.

We noticed examples of these apps that support message deletion and user-specified retention periods after which they are deleted.  Snapchat is perhaps the best example.  TigerText is another.  We chose to support Burner.

We wanted to see if we could find message evidence after the message was deleted or “burned”, and to support a new app that the tools vendors did not support.  Cellebrite now supports Burner on iOS, but ours is the only Burner plug-in or script available for Android.

CB: What challenges did you face at the outset?

JC: We had to choose a reasonably interesting app that was supportable and an app platform that made sense for us. We made our determination using three criteria:

  1. We wanted to add something of value to existing app support. For example, because GoSMSPro uses the same core data structures that UFED already supports to decode other SMS, we found there was really no work to be done.
  2. The app data couldn’t be too difficult to acquire. It would be fruitless to try to support an app whose data is encrypted.
  3. Along similar lines, we wanted to support an app that would give us plenty of artifacts to uncover. Some app developers, who are experienced with writing secure apps, do a lot of garbage collection and data wiping along the way. They don’t leave much behind as a result.

Burner, as it turned out, gave us an almost “Sherlock Holmesian” opportunity—after the phone number is burned, we found we had a shot at finding artifacts left behind, and we did!

Then, we had to construct a development environment that gave us about half a dozen features that would make our research, development and testing flow more easily. Basically, we built a “nest” for doing productive work: in the short term, nimble, fast, cost effective results, and for the long term, investment in future development.

For example, virtual phone support—Android emulators—allowed for experimentation across makes and models without a significant cost outlay. We could then create two virtual phones and have them call and text each other from a single platform.

For another example, platform virtualization allows us to take advantage of various computing architectures. Developers can use Mac, Windows or Linux platforms for full flexibility in the development environment.

Another challenge was that we had to learn how to decode mobile apps evidence, which proved to be one of our most critical challenges. We also had to learn how Cellebrite encodes phone evidence for reporting our results, and advanced analytic options like timelines, maps, and activity analytics.

On the other hand, having looked at other plug-in writing environments, we can say that UFED Physical Analyzer offers the best support for developers. It is equipped with advanced SQLite and plist decoding, highly modular decoding chains, and it provides an excellent debugger. We don’t have to worry about flash translation layers, reconstructing file systems, or parsing common phone data structures.

We wanted to be 80% done with plug-in development from the moment we started, and UFED gave us that level of advanced and broad-based support in a way that many other tools do not.

CB: What did you find you needed in terms of resources (time, team members, etc.)?

JC: We needed a skilled software engineer with digital forensics training who understood object-oriented development and who could quickly learn Python.  Don Huettl had those skills and was also a clever designer who constructed a highly innovative development environment. Don came to us as part of an internship with a degree program from a nearby academic institution, where I serve on the advisory board. In addition to the right people, we needed time to decode our app, and write and test our Python code.  We also had to learn how to present our project so that examiners could understand and appreciate what we had done.

This took several iterations of slide decks, including a comprehensive live demo of our development environment. Don shows how we decode the app, take the script and turn it into a plug-in, put it on a decoding chain, perform the examination, and then create a report—all in a way that anyone could understand, even if they don’t have a background in scripting.

Documentation is key to this process. It’s good scientific practice anyway, but in this case, it provides the framework for learning how to do this. Besides documentation of our own methods, we found that the IronPython libraries and .NET libraries were critical to our success, and important for sharing with the community. Finally, we found that we needed more than one UFED Physical Analyzer license to support the decoding, development, and testing of our plug-in.

CB: What skills did you and your team members already have, and what skills needed to be developed or sourced?

JC: We had software architecture, design, and engineering skills.  I was a software engineer and architect in a former life and an experienced mobile device forensics examiner for the past five years.

Don was an experienced software engineer who learned computer and mobile forensics and got certified during his degree program.  He was looking for a challenging internship.  We didn’t need any more skills than that.

CB: What technical challenges did you face at various stages in the project?

JC: We had to learn how to decode mobile apps including SQLite app databases and how to expose other artifacts and files in our mobile app.

We had to find phone emulators for Android phone models and learn how they worked and what didn’t work. The quality of the emulators and how many features they support or don’t support figured into this research.

For example, creating two different virtual devices—different makes and models—with a full range of functionality might mean that different VOIP apps, or forwarding rather than simply sending and receiving text messages, crash the emulator. We had to figure out how to work around the bugs.

We also had to learn how UFED Physical Analyzer organizes and structures phone data for presentation to examiners. In other words, we had to figure out how to plug the examination results back into UFED PA so that reporting and analytics would work on the back end.

We had to learn and develop debugging techniques for perfecting our Python script and plug-in. Even for a software engineer with plenty of experience, the debugger, which provides an atomic level look at code execution and data, is important to figure out why something isn’t working.

Fortunately, the UFED’s support for the debugging environment in Python shell made this trial and error process much easier.

CB: What have you learned thus far about the plug-in development process?

JC: We’ve learned that the process is very dependent on the specific mobile app that we have targeted to support.  We have to become experts on our app. This involves understanding the app’s user model, what the app’s purpose is, what it does and doesn’t do, and so forth.

Decoding the app, in turn, requires understanding the connection between the user model and the data model. You can’t have just a passing knowledge of the app and expect to be able to write a plug-in; you need to understand the app at the same level as its own developer.

We’ve learned that encryption and cleansed data are not our friends as we attempt to acquire and report phone evidence.

We’ve learned that leveraging UFED in our work is like standing on the shoulders of a giant.  Physical Analyzer helps us with decoding, reporting, and debugging.  And all of the various pre-existing UFED plug-ins acquire, translate, reconstruct, and prepare mobile app data for us so that we can do our best work.

We’ve learned that we have to document our process and our code so that we can remain nimble, grow our team, and develop quality plug-ins.

CB: What will you be exploring in future research and development?

JC: Many app families are interesting to us including personal navigation, spyware and malware, and also payment. We want to explore additional mobile apps that have not been decoded and automated by any of the tools vendors yet, but that are desperately needed by examiners.

Because we’ve only developed one plug-in, we don’t yet have a quantitative idea what kind of time commitment is required for different kinds of apps.

However, understanding that mobile examiners are busy people, it may become possible and necessary for people to plug in to the process at different points and share their skills and aptitudes. Rather than developing “cradle to grave” plug-ins, in other words, one person might focus on decoding, another on script testing, etc.

We also want to construct a development environment for iOS including iDevice emulators so that we can develop multi-platform app plug-ins.

Join John and Don for their two-part presentation in Oleander A on Tuesday, June 3. From 11:00 – 11:50 a.m., John will present “A Case Study in Mobile App Forensics Plug-in Development – Examiners/Developers to the Rescue (Part 1).” From 4:30 – 5:20 PM, Don will present “A Case Study in Mobile App Forensics Plug-in Development – Build Your Own Plug-ins (Part 2).” We hope to see you there!

Setting the stage for mobile device e-discovery

Electronically stored information on mobile devices—mobile ESI—is quickly becoming relevant, if not critical, in a wide variety of corporate investigations and litigation including employment, intellectual property and trade secrets, securities, and other areas. Even so, many organizations face a number of challenges in obtaining mobile ESI, not least of which is the blurry and sometimes shifting line between personal and corporate data.

Scott Giordano, Exterro’s Corporate Technology Counsel, applies legal, business, and technical skills to problem-solving in corporate ethics and compliance, information security, and electronic discovery. Together with Cellebrite’s forensic technical director Yuval Ben Moshe, Scott will present during Exterro and Cellebrite’s complimentary webcast, Step Up Your ECA Game Plan with Mobile Device Data Collection.

I took the opportunity to speak with Scott about the need for mobile forensics as part of a holistic e-discovery approach, how privacy laws affect mobile e-discovery globally, and the need for strong policy as a result—no matter the size of an organization.

Christa Miller: Many companies resist collecting mobile device evidence because they see it as redundant, especially when their burden of proof is only preponderance of the evidence, and they must take proportionality and cost into account. What’s the tipping point between collecting enough, and being thorough in building a case?

Scott Giordano: While there is a fair amount of redundancy between what’s already on the network and what’s on mobile devices, much of the information likely to resolve a matter can only be found on the latter—geolocation information, for example.

I can tell you that the first time I saw a Cellebrite presentation, I was made a believer.  The best way to meet the preponderance standard is to identify those few “documents” – pieces of information, really, that succinctly demonstrate to a jury a particular chain of events and merit only one conclusion.

Christa Miller: You’re a Certified Information Privacy Professional (CIPP) in both the US and Europe. How do privacy laws in each region affect mobile devices in the workplace? How do they overlap, and how are they different, especially with regard to BYOD? What might US corporations take away from European corporate compliance, particularly around concepts like “the right to be forgotten”?

Scott Giordano: Employee-owned mobile devices are rapidly being woven into the fabric of U.S. corporate operations via BYOD, but in the EU they’re still considered completely separate and off limits.

As a result, if U.S. multinationals want to use the same model, they’re going to have to take into account regulations at both the EU- and local levels, build policies that adhere to them (including the right to be forgotten to the extent it’s implemented) and deploy if allowable, which is not always a given.

Christa Miller: Some corporate counselors recommend that companies audit mobile devices upon employees’ exits and at other designated intervals. Others shy from collecting BYOD data because they don’t want to be liable for access to deeply private data such as personal health information. Can you give examples of how companies can address the need to protect their own data, vs. the need to protect employees’ privacy?

Scott Giordano: All of this has to be addressed via policy from the introduction of the mobile device into the corporate firewall, otherwise you’ll potentially face different outcomes in every jurisdiction and even then it will likely vary from case to case.  This lack of policy clarity is essentially the reason for the result in the Cotton v. Costco opinion that was handed down this year.

Christa Miller: Smaller companies, including SMBs, may perceive that corporate compliance is only for the Fortune 500. From an infosec and employee privacy standpoint, what steps can these firms take to protect themselves in the event of BYOD-related litigation?

Scott Giordano: SMBs have to take these issues seriously and, again, it goes back to developing policies and setting expectations for both the employer and employee.  Employees often fail to understand that employer data that’s on their devices is still the employer’s property and litigation over privacy and intellectual property can (and often does) get ugly.  Moreover, those devices broaden the corporate attack surface and have to be addressed from that standpoint.  Better to prevent or mitigate it in the first place.

Christa Miller: You are speaking on Exterro and Cellebrite’s upcoming webcast (May 14), Step Up Your ECA Game Plan with Mobile Device Data Collection. What do you hope viewers come away with from the presentation?

Scott Giordano: I hope that they’ll come away with the following:

  1. Mobile devices are rapidly becoming part of the larger e-discovery universe.
  2. Early data- and early case assessment for mobile devices are crucial tasks for litigation success.
  3. The time to prepare is now.

Read more about Cellebrite’s perspective in Exterro’s interview with Yuval. To learn more from Scott and Yuval about the necessary policies to defensibly collect mobile data and best practices for speeding up the mobile data collection process, register for Exterro and Cellebrite’s complimentary webcast, Step Up Your ECA Game Plan with Mobile Device Data Collection, airing on May 14.

Cellebrite adds first-to-market support for Galaxy S5, Galaxy Note 3, iOS 7.1.1

New UFED versions are out and with them, the first forensic support for two popular Samsung devices and the latest iOS version.

Launched April 11, Samsung’s Galaxy S5 accounted for 23 percent of mobile device sales in the United States and 18 percent of sales in Canada during its first weekend. Just one month later, Cellebrite is now offering logical and Android backup extractions and decoding from five S5 models.

UFED 3.0.6 also newly offers physical extraction with lock bypass and decoding from eight Galaxy Note 3 devices—a model which earned distinction in December last year for selling 10 million units in just 60 days—as well as logical extraction from three Galaxy S4 devices.

 

Finally, UFED 3.0.6 now supports logical and file system extractions and decoding from Apple devices running iOS 7.1.1, released just April 22. UFED Physical (or Logical) Analyzer 3.9.6 additionally offers advanced logical extraction from devices running this latest iOS, as well as file system and physical extractions and decoding from iPhone 4 running iOS 7.1.1.

For more information on the device models, read our release notes. To update your UFED, visit my.cellebrite.com today!

 

Better data organization through tagging in UFED Link Analysis 2.1

Our previous release of UFED Link Analysis introduced two major new features: the ability to import call detail records, and the ability to merge data sources.

As important to casework as these features are, managing data from two or more sources can quickly become unwieldy. Filters can help, but still may result in dozens of calls, chats, and other events. When you’ve done all the filtering you can and are at the stage where the only thing left to do is manually assess the data, you need another way to organize it.

UFED Link Analysis 2.1 introduces tagging, the ability to assign keywords or “tags” to each event or person. Tag data by whether it’s relevant or irrelevant to your case, whether it counts as evidence or intelligence, and/or whether it requires further follow-up—you can assign multiple tags to a single item. Tags are customizable according to your work process, and can be used to filter data further.

Also new with UFED Link Analysis 2.1: the timeline now contains locations, images, and audio and video files, presented based on logged or captured date and time. These data types add context to enable a better view of the sequence of events performed by subjects under investigation.

Additional data now available for viewing in UFED Link Analysis includes both sent and received attachments from MMS, emails and notes, application usage and installation (including date last used and usage frequency), user dictionary, searched items, maps and data files.

Read UFED Link Analysis 2.1 release notes here. For more on how to merge, or deduplicate, data from multiple data sources, watch our video.

Join Cellebrite at US, UK events next week

Cellebrite will be busy during the last week in April, as four events start almost simultaneously! In the United States, join us in greater Boston, Washington D.C., or Orlando; across the pond, we’ll also be in London, England.

Boston: the National Cybercrime Conference

April 28-30 will see us just south of Boston, in Norwood (Massachusetts), for the third annual National Cybercrime Conference. Join us at the Four Points Sheraton, where you’ll find us in Booth 11&12. We’ll also offer two speaking slots and, for the first time, we’re sponsoring a Mock Trial around mobile forensics testimony.

The Mock Trial will happen on Tuesday, April 29th from 2:00pm – 3:15pm. Mobile device evidence will be presented and challenged, as prosecutors examine and cross-examine an expert witness. Learn how to present your case if you’re a prosecutor, or if you’re in law enforcement, how to be a good witness.

Immediately following the Mock Trial, from 3:30 – 4:45pm senior manager of technology and innovation Ronen Engler will speak on “Dealing with Persistent Smartphone Forensic Challenges.” The session will discuss forensic workarounds for the latest data protection, prepaid and unsupported devices, and apps.

Tuesday night from 5:00 – 7:00pm, Cellebrite is hosting a networking reception in Zachariah’s at the Four Points Sheraton. Enjoy complimentary cocktails and hors d’oeuvres while also being entered into a raffle, and network with law enforcement, prosecutors and Cellebrite staff.

Wednesday, April 30th from 9:50am – 11:00am, Ronen will offer a live demonstration on “Using Intelligence Methods in Mobile Forensic Exams.” This will show what mobile device usage can reveal about victims, suspects, where their paths cross, and how this information proactively and reactively helps your investigations.

Orlando: International Association of Computer Investigative Specialists (IACIS)

Also starting April 28, and running through May 9, will be IACIS’ annual training convention in Maitland, part of Metro Orlando (Florida). In addition to having a table at the event from May 5-7, Cellebrite internal training staff members, Buddy Tidwell and Joe Duke – both of whom hold the IACIS CFCE certification – will serve as IACIS Instructional Staff for its Advanced Smartphone Training.

In addition, we’re hosting a vendor night with giveaways! Join us on Wednesday, May 7 at 6pm, where we’ll serve refreshments from the Margaritaville menu.

London: Forensic Europe Expo 2014

Join us at Upper West Hall, Olympia, London (United Kingdom) for the two-day Forensic Europe Expo starting April 29, where Cellebrite is exhibiting in Booth 1-B25. As part of the Digital Forensics Conference stream, Yuval Ben-Moshe, Cellebrite’s senior forensics technical director, will present “When a Phone is not a Phone” in the Mobile Forensics track on Wednesday, April 30 from 11:55am – 12:20pm. This presentation will cover mobile devices as an integral part of people’s daily lives, as lockboxes for vast chunks of personal data, and as evidence or containers of evidence after a crime. Participants will get a global perspective and an opportunity to share their own views and opinions.

Washington, D.C.: US Cybercrime

Also starting April 29, but running through May 2, will be the US Cybercrime Conference in Dulles (Virginia). Cellebrite is exhibiting in Booth #401, and will offer lecture tracks in addition to pre-conference training and certification.

Sunday and Monday, April 27-28, Buddy Tidwell, director of global training at Cellebrite, will take students through the Certified Logical Operator (CCLO) course. Designed for first responders and basic to intermediate investigators/examiners, this course exposes students to the fundamentals of mobile device investigations, logical extraction of user data, and analysis of mobile devices. Participants will have the option to become certified as a Cellebrite Certified Logical Operator.

On Thursday, May 1 we’ll be offering two sessions. From 11:10am – 12:00pm, Ronen Engler will reprise the live “Using Intelligence Methods in Mobile Forensic Exams” demonstration. After lunch, from 1:30 – 2:20pm, Ronen will join Cindy Murphy and Heather Mahalik for a presentation on “Mobile Malware.” In this session, learn the difference between malicious targeting and inadvertent mobile malware installation, what to look for in mobile forensic exams, and how to examine malware to learn its purpose.

Whichever side of the pond you’re on, we hope to meet you soon!