Link data in graphs, timelines, and maps to save time and accelerate investigations

Link analysis capabilities continue to grow in importance in a great many investigations, from homicide and sexual assault to property and pattern crimes. Read (and watch!) on — and at the end of the post, download our white paper — to learn how UFED Link Analysis can help you save time and effort in finding leads, establishing patterns, and maximizing the insights available for your investigations.

Construct case timelines from multiple mobile devices

Timelines are one of the most important elements of any investigation. Retrace a victim’s or suspect’s steps through the last hours, days, weeks or even months before an incident. Identify a subject’s patterns of behavior: the days and times s/he regularly visits or calls family members, does business, runs errands, etc. These patterns, as well as deviations from them, can be important in small or large ways.

Learn more about how to quickly visualize timelines in UFED Link Analysis in our video:

Import additional data sources for context

One of UFED Link Analysis’ most important features is the ability to import data from other sources, notably carrier call detail records (CDRs), which can show the towers to which a suspect or victim device connected over a period of time. This can help establish both travel activity and stationary locations. CDRs can also reveal incoming and outgoing calls and, in some cases, text messages (depending on how long the carrier retains the data).

Watch to learn more about pre-set formats and other features that make CDRs easy to import and analyze alongside device data:

Establish suspects’ and victims’ location behavior

Along with timelines, the maps within UFED Link Analysis can be a good way to narrow down a list of potential leads and establish subjects’ normal and abnormal patterns of behavior. Plot geolocation data from Wi-Fi access points, cellular towers, GPS apps, images and video to show two or more suspects in the same location at the same time. You can also do the same to show a suspect’s connection to a victim – or exonerate a suspect accused of wrongdoing.

Learn more about how Map View works in our video:

UFED Link Analysis’ versatility only starts with these features. Download our white paper for additional details about putting it to work for your investigations!


Get hands-on with Cellebrite’s new JTAG Extraction and Decoding (CJED) course

The growing popularity of JTAG forensics is an indicator of its undeniable advantages. These include the ability to access physical memory even when a device is damaged, or when commercial tools don’t support user lock bypass, such as with prepaid devices. Furthermore, the method is non-destructive compared to the chip-off method.

Still, the JTAG process requires significant resources. It can take many hours for an examiner to transform the raw data into human interpretable evidence, and without training, making the wrong connections or pressing the wrong buttons can cause the destruction of evidence. Getting trained, therefore, is one of the top priorities any organization should have for a full investment in JTAG capabilities.

Part of the Advanced Training Pathway courses we announced two weeks ago, the new three-day instructor-led JTAG Extraction and Decoding (CJED) course introduces the techniques and best practices required to perform JTAG extractions and decoding, as well as addressing common challenges in these methods and offering hands-on practice.

Take 30 minutes to watch the video below to learn how to easily integrate and decode JTAG extractions using UFED Physical Analyzer, which newly supports JTAG chains both generic and brand-specific for automated decoding. Get a brief overview of the hardware you will receive in our CJED course, including a Molex adapter kit and a RIFF brand JTAG box, with which you’ll be able to practice fundamental soldering skills.

JTAG skills can help you expedite your investigation and maximize the evidence you can retrieve from damaged, prepaid, and unsupported devices. Once you’ve viewed the webinar, be sure to register at a location near you for the CJED class!

Download training white paper

Advance your forensic expertise with Cellebrite’s new smartphone analysis course

Last week we announced the introduction of a new Advanced Training Pathway designed to enhance professional forensic expertise. The first in this series, the hands-on Cellebrite Advanced Smartphone Analysis (CASA) course, addresses the sometimes complex challenges that come with forensic examination of iOS, Android and Windows Mobile devices.

Those challenges include where and how SQLite databases—whose schemas can vary from device to device—store Android and iOS mobile app data via structures, files and functions; how to defeat passcodes and unlock iOS devices; and how to recover system and user artifacts.

Within the context of smartphones, strategies to obtain the data can include physical or file system extraction with user lock bypass, extracting and decoding device backup files from a synchronized computer, or extraction using JTAG or chip-off methodologies. Over the course of three days (a total of 21 hours), CASA students can expect to learn which of those and other methods work for various device types and families.

The first step in advanced analysis is to get past a device’s user lock. Watch the video below for information on how to do this using UFED solutions—and then be sure to register for the Cellebrite Advanced Smartphone Analysis class at the Cellebrite Learning Center!

Download training white paper

Prepare to tackle smartphones & JTAG with Cellebrite’s new Advanced Training Pathway courses

Smartphone operating and file systems, damaged and prepaid devices, and increasing amounts of data all present conundrums to mobile forensics examiners. It takes time to learn the intricacies of various device and OS versions, and time to sift through the gigabytes of data that each device can contain. These problems are compounded when a device is severely damaged and you have to send it out to a specialist lab to recover the evidence.

To help you build professional expertise to meet those challenges, Cellebrite is pleased to announce the addition of an all-new Advanced Training Pathway. Designed to enhance the forensic expertise you received from the CCPA Core Certification, the courses included in this pathway provide you with the specialized extraction and analysis skills you need to maximize the amount of evidence you can retrieve from smartphones and damaged devices:

  • The 3-day instructor-led Cellebrite Advanced Smartphone Analysis (CASA) course allows students to take an in-depth look at the challenges posed by iOS, Android, and Windows Phone® devices. The course covers the analysis of SQLite databases, issues related to iOS passcodes, and artifacts from the three major smartphone platforms.
  • The 3-day instructor-led Cellebrite JTAG Extraction and Decoding (CJED) class teaches participants about the methodologies, purpose, and origins of the JTAG process. Participants can expect hands-on practice with fundamental soldering skills, as well as with using UFED Physical Analyzer to decode JTAG extractions. A RIFF brand JTAG box, a Molex adapter kit, a class-specific tool kit, and a Cellebrite soldering practice board will all be available for participants to take back with them.

Get the skills you need to maximize your mobile device evidence collection and analysis efforts. Register at the Cellebrite Learning Center today to advance your professional expertise!

Physical extraction & decoding, decryption breakthroughs headline UFED 4.1 release

With the release of UFED 4.1 and UFED Physical Analyzer 4.1.1, Cellebrite kicks off 2015 with breakthrough capabilities designed to solve some of investigators’ most challenging problems: Windows Phone 8, Jelly Bean/KitKat, and prepaid device extractions, as well as WhatsApp database encryption.

Physical extraction & decoding for Nokia Lumia, Android 4.2-4.4.3

Investigators who encounter Nokia Lumia devices can now circumvent the need for JTAG processes to bypass user locks and retrieve deleted data. Although Microsoft announced late last year that it will produce all Lumia models going forward, Nokia sold 17 million Lumia devices in 2013, and 90% of Windows Phone users own Lumia devices. With that in mind, UFED now supports user lock bypass, physical extraction and decoding of many of the most popular Lumia models, including 810, 820, 920, and others based on Windows Phone 8.0 and 8.1 operating systems.

New physical and file system extraction and decoding, along with improved password unlocking and extraction, is also available for Android devices running OS 4.2 (Jelly Bean) through 4.4.3 (KitKat). Devices such as the Samsung Galaxy series (S5, Nexus, Note 3, S3 Mini etc.) along with other leading vendors and models including LG, Motorola, and Sony are included in this release.

Prepaid device support for Tracfone, Samsung E1200R

Also solved: prepaid Android devices with locked or damaged ports, in particular Tracfone models popular in North America. Unlike other prepaid models that can be extracted using “paid” profile equivalents, Tracfone models do not have USB ports, and investigators could not get critical evidence. Cellebrite now offers an option to load a client over these devices’ Bluetooth connection, so that investigators can perform logical extractions.

New physical extraction and decoding support is now available for the internationally popular “burner” Samsung E1200R feature phone.

WhatsApp database decryption

Cellebrite’s first-of-the-year breakthroughs aren’t limited to extraction and decoding. We’re also introducing decryption for WhatsApp’s newly encrypted chat history database. For databases using the .crypt8 file extension, UFED Physical Analyzer 4.1.1 decrypts full content from WhatsApp, one of the world’s most popular messaging apps with 700 million monthly active users as of January 2015.

An easier-to-use interface

Rounding out Cellebrite’s update this month is a new, better organized home screen, which now groups extraction tools and other utilities into distinct areas. Users can now opt to extract a mobile device, SIM card, or USB device; operate UFED Camera; or access UFED device tools, rather than have to search for these capabilities within the pool of vendor icons.

Additionally, a new search screen supports three device identification methods: a simpler auto detect, a free text global device search, and a manual device search similar to the previous home screen (selecting vendor followed by model). The new interface offers better accuracy for investigators who need to search on an exact model number rather than, say, “iPhone 5.”

Learn more about UFED 4.1 and UFED Physical Analyzer 4.1.1 – download the release notes here!

New time-saving features arrive in UFED Physical Analyzer 4.1

With the release of UFED Physical/Logical Analyzer 4.1, Cellebrite offers new decoding and reporting features designed to improve investigative efficiency and enrich the degree of decoded data.

New, faster, and enhanced decoding

To start with, decoding extractions that are saved to a network drive is now up to 25% faster. New decoding support is available for a number of device models and data. These include JTAG extractions from seven new devices, as well as chip-off extractions from BlackBerry® devices running OS 10. Decoded BlackBerry 10 data includes several apps in addition to device data.

UFED Physical/Logical Analyzer 4.1 also improves on decoded location data from iOS devices. The device information now includes whether the device location service status is turned on or off, as well as whether location services were enabled for each app (and, if enabled, when it was last used). Additionally, UFED Physical Analyzer now displays recent and frequently visited locations tracked by iOS devices and maintained solely on the device.

New and updated app decoding is also available in UFED Physical/Logical Analyzer 4.1. This includes enhanced data carving from unallocated space for the ooVoo, Skype, VKontakte, and Odnoklassniki apps, and decrypted Snapchat pictures.

Also included is decoding for contacts and chats from the HeyTell and Truecaller Android and iOS apps, as well as bookmarks, web history, and emails from the Firefox app for Android. Updated decoding is available for a total of 34 Android apps and 30 iOS apps, including multiple app versions. Download the release notes to see a full list of apps and version numbers.

Efficiencies in reporting

Reporting is also faster: PDF and UFDR report processing improves by up to 50%, depending on report content. New reporting functionality allows you to export chat messages in conversation format within PDF reports. As with the previous version, you can select and unselect specific chats to include. Additionally, you can now include image thumbnails in PDF, Word, and HTML reports.

Another new feature stands to reduce confusion around daylight saving date and time stamps vs. UTC or standard times. UFED Physical/Logical Analyzer 4.1 includes a database containing start/end dates and times for countries that use daylight saving (DST). This data is available through 2018 and takes into account locations that do not adhere to DST. You can set a unified time zone for the project timestamps for the software to automatically adjust for DST.

Remember: End of life announcement for Windows XP

Following the recent announcement that Microsoft has officially ceased support for Windows XP on April 8, 2014, Cellebrite recommends installing UFED Series Software Products on 64-bit versions of Windows 7 and above. By February 28, 2015, the UFED Series will no longer support Windows XP.

IMPORTANT: This does not affect UFED Touch systems running on Windows Embedded Standard 2009. The Windows Embedded Standard 2009 Operating System End of Life is scheduled for January 8, 2024.

For further information about the Windows XP end of life, please contact support@cellebrite.com.

Download the full release notes for additional details about these decoding and reporting features!

Self-paced training joins instructor-led classes in Cellebrite’s online offerings

The Cellebrite Certified Logical Operator (CCLO) certification course recently joined our Mobile Forensic Fundamentals online class, officially making Cellebrite the first mobile forensics vendor to offer any kind of online certification training.

Online training is valuable when you are unable to travel, can’t take time away from work, or simply prefer online learning. On-demand online training scales for organizations that need to train large teams simultaneously and cost-effectively, because participants can learn without interruption to operations.

Cellebrite’s on-demand, self-paced courses are instructionally equivalent to Cellebrite’s instructor-led training (ILT) courses. In fact, Cellebrite Certified Instructors are integrated “virtually” into the online course. This enables you to receive real-time feedback on your progress through dynamic navigation and regular “learning checks.”

You can also revisit lessons for review and additional practice. This interaction, along with scenario-based conditional logic—which offers different steps for you to follow as part of learning to think critically about mobile forensics—are part of practical exercises that help you to learn forensic techniques and processes hands on.

In other words, this is not a pre-recorded webinar! Complete Cellebrite courses on your own time directly via the Cellebrite Learning Center. Our video describes this in greater detail:

One part of a broader professional training strategy

The new online offering follows the trajectory of Cellebrite’s comprehensive, standardized training curriculum, the first and only to be offered across three different delivery models. The curriculum began last year with classroom-based training and added instructor-led online training, followed by the Cellebrite Certified Mobile Examiner certification test, earlier this year.

The availability of the CCME certification addresses hazards which ProPublica raised in its article “No Forensic Background? No Problem.” Although the article focused on certifications in the physical forensic sciences, it covered very similar issues found in the digital forensics community:

“There are a lot of people practicing, but there’s no assurance that they have the requisite training and board certification to see if they do have the skills to do the practical [work],” said Dr. Marcella Fierro, one of the NAS report’s authors and the former chief medical examiner of Virginia….

“Credentials are often appealing shortcuts,” Michigan circuit court judge Donald Shelton said. Fancy titles can have a disproportionate effect on juries, he added. “Jurors have no way of knowing that this certifying body, whether it’s this one or any other one, exacts scientific standards or is just a diploma mill.”

Cellebrite designed not just the CCLO and CCPA, but the CCME in particular, to address these issues by encouraging full professional proficiency and not just proficiency at using UFED tools.

Enroll now in our online on-demand training as a first step toward certification!


Cellebrite will be exhibiting all over the map this October

October is gearing up to be a super busy month for Cellebrite! A wide variety of events are scheduled for Cellebrite all across the globe. Meet us in Prague, Moscow, Miami, Orlando, London, Beijing and Bogota, where we will present the UFED product line, provide live demos, and deliver presentations on hot industry topics for e-Discovery, security and law enforcement markets.

e-Discovery

Mobile users leave behind digital traces on their devices, which can go a long way in any legal proceedings involving criminal or civil matters. Electronically stored information on mobile devices (or mobile ESI) represents an important category of relevant information and is quickly becoming critical for a wide variety of investigations and litigations including employment, fraud, intellectual property, securities, and others.

October 19-21: LawTech Europe, Prague, Czech Republic

Cellebrite will kick things off at the Clarion Congress Hotel in Prague for the LawTech (LTECH) Europe Congress. LTECH brings together professionals in law, technology, governance, and compliance to address four core areas in digital forensics: digital evidence, forensic investigations, cyber security and legal technology. Yuval Ben-Moshe, Cellebrite’s Senior Director, Forensic Technologies, will deliver two presentations during the show:

  • Mobile Devices and Mobile ESI – Facts and Myths, together with Daniel Bican from Ernst & Young
  • Mobile Devices and Mobile ESI – Proactivity Goes a Long Way

(For further details on Cellebrite’s presentations, please see the show’s agenda: http://www.lawtecheuropecongress.com/)

Stop by booth #601 to learn about live demo sessions, which will cover current techniques and tools for data search and data collection from mobile devices.

October 23: e-Discovery & e-Investigations Forum, London, United Kingdom

Join us at the Park Plaza Victoria Hotel in London for a one-day e-Discovery and e-Investigations Forum to learn how Cellebrite addresses the challenges that are surfacing in the e-Discovery domain for mobile data collection. Yuval Ben-Moshe, Senior Director, Forensic Technologies, will be presenting on ‘Mobile Devices and Mobile ESI – Facts and Myths,’ enlightening the crowd on the need to retrieve mobile data in cases of litigation, regulation or investigation, and discussing the processes required to obtain information from mobile devices within a litigation process.

Attendees from legal, compliance, finance, HR, investigations and more, are welcome to our booth to learn about our expertise in mobile data retrieval and analysis.

Security

October 21-24: Interpolitex, Moscow, Russia

As LawTech ends, another exciting show begins for Cellebrite in Moscow. Interpolitex is the largest homeland security exhibition in Russia, organized by the Ministry of Interior of the Russian Federation, Russian Federal Security Service, and Russian Federal Service for Military-Technical Cooperation. Drop by booth #1C3-1 to learn about the UFED’s recent developments, and how Cellebrite’s mobile forensics solutions can help solve cybercrime.

October 23-24: Latin America and Caribbean Summit 2014, Miami, Florida

Join our LATAM Forensics Sales Director, Frederico Bonincontro, for a two-day summit in Miami. The LATAM & Caribbean event is focused on assessing the current digital security landscape and threats in the Caribbean, Central and South America region. Stop by booth #20 to learn about Cellebrite’s latest product developments and how our solutions can help you tackle your mobile forensic challenges.

October 28-31: 2014 Security China

Cellebrite’s APAC team will head to Beijing to showcase the UFED Series at the China International Exhibition on Public Safety and Security. Cellebrite, a thought leader in mobile forensics, will be presenting the UFED line of products for the security industry in booth #E1F01.

Stop by our booth to meet the Cellebrite team!

October 29-31: Expodefensa, Bogota, Colombia

Cellebrite will end its October events at another prestigious government-level security show, Expodefensa, organized by the Ministry of National Defense of Colombia, and the High-Tech Corporation and the International Business and Exhibition of Bogota. Our LATAM team will head to Bogota, Colombia to showcase the innovative UFED Series.

Drop by booth #439, pavilion 6 to learn about UFED’s accomplishments in security and defense!

Law Enforcement

October 25-28: International Association of Chiefs of Police (IACP), Orlando, Florida

Later in the week in Orlando, Florida, Cellebrite USA representatives will be on hand at the 2014 International Association of Chiefs of Police Conference to demonstrate to police leaders at all levels how they can use a mix of training, policy, and technology to implement mobile forensics strategies in a post-Riley world.

Visit us at Booth #769 to learn more about how Cellebrite’s technical and training solutions accelerate investigations by affording investigators the ability to collaborate more readily with digital forensics examiners, supervisors, and prosecuting attorneys.

New time saving workflow capabilities in UFED 4.0: Translation, automated data carving, and more

Efforts to obtain evidence and intelligence from mobile devices can be stymied by inefficiencies such as extra layers of work process, lack of access to a full range of tools, and other challenges both small and large.

UFED 4.0 continues Cellebrite’s track record of developing features that improve investigative workflows and save you time both in the lab environment and the field. Among the most significant time savers we’ve added to UFED Touch, UFED 4PC, and UFED Physical/Logical Analyzer: better Android data carving, language translation, a UFED Touch data preview capability, and better workflows overall.

Simple, efficient language translation

Reduce challenges associated with foreign language translation, including the need to rely on another person, or to copy/paste into an online tool. Either one takes time you may not have, and errors—especially with short words—can alter the meaning of content.

UFED Physical/Logical Analyzer 4.0 contains an offline translation solution that accurately translates both short and long words. Use it to translate selected content on demand, and to use filters in your language of choice. The translation engine keeps the source language, which you can see in the user interface, and you can include both the translation and the original source text in your report.

The UFED translation engine currently supports 13 languages, including English. Choose five free of charge when you access all the language packs from your my.cellebrite.com account. If you need more than five languages, you can purchase them directly from Cellebrite. Be sure to let us know if you need access to languages apart from what we offer!

Faster, more powerful data carving from Android unallocated space

Enhanced automated carving from Android devices’ unallocated space gives you access to much more—in some cases, double or triple the amount—of deleted data than previous data carving features allowed. Owing to a new algorithm, the carving process is now also faster.

While manual data carving is still an important part of forensic validation processes, Cellebrite redesigned the automatic data carving functionality to recover more deleted data with greater precision, by dramatically reducing false positive and duplicate results.

Learn more about data carving when you take the Cellebrite Certified Physical Analyst course.

Save time in the field: Preview logical extraction data in UFED Touch

UFED Touch users may find themselves needing to preview evidence to decide whether a mobile device is worthy of deeper examination, or they may need intelligence to decide an immediate course of action. UFED Touch now offers the option to view an HTML report that includes general device information and the logical extraction data on the touch screen—without requiring a laptop.

Newly included in logical extractions, and therefore viewable with UFED Touch, are web history and web bookmarks. From iOS devices, the new UFED 4.0 feature extends logical extraction and preview capabilities to app data.

Balance time savings with process: capture images and snapshots with UFED Camera

Sometimes, taking screenshots of a mobile device is the only way to capture its evidence. This could be because you have no UFED with you in the field, or the device or certain data on the device isn’t supported for extraction with the equipment you have.

With UFED Camera, our new manual evidence collection feature, collect evidence by taking pictures or videos of a device. A single report contains any extracted information together with screenshots or video.

The ability to take screenshots can be important in the field, helping to substantiate a police officer’s, border patrol agent’s, or corporate internal investigator’s documentation of what s/he saw on the device during an initial scroll-through. (Remember to get consent or have another form of legal authority to show for it.)

In the lab, taking screenshots can help you to validate device extraction results – to show that the evidence in an extraction file existed on the evidence device.

For more details on these and other new and enhanced decoding and app support capabilities—including support for iPhone 6, 6 Plus, & other Apple devices running iOS 8—download our release notes!

A case study on mobile victimology from #CACC2014

What is mobile victimology? The concept of “victimology” involves in-depth analysis of a victim’s life, including the normal and abnormal patterns of life over the days, weeks, even months leading up to a violent crime.

Mobile devices help this process because they are so intimately tied to an individual’s life that they often help to fill in incomplete or inaccurate witness statements, surveillance video footage, credit card receipts, and other information.

As this February 2014 article in Police Magazine noted:

Smartphones, GPS devices and other mobile media can be good starting points in any investigation, whether the victim is alive or deceased. The existing, deleted, and hidden data stored on them can help you develop leads to focus your investigation and move it forward. The data can also serve as corroborative or exculpatory evidence, along with mobile carrier data.

In a post-Riley world, of course, getting access to this degree of data requires proper legal authority: written consent, a search warrant, or a defensible exception to the search warrant requirement. Once you do identify the device as a nexus to a crime, however, its evidence can make all the difference.

Case study: mobile victimology in action

Last week at the Crimes Against Children Conference, Ronen Engler, senior manager of technology and innovation, joined Michael Hall, chief information security officer at DriveSavers Data Recovery, Inc., to present how just this type of analysis helped prove how a rapist had premeditated the murder of his rape victim.

Their session was a corollary to a case study offered by the Dallas County District Attorney’s felony chief, Brandon Birmingham, together with Carrollton Police Det. Dena Williams and the DCDA’s special field bureau chief, Russell Wilson. Over that session, the three detailed how rapist-murderer Franklin Davis Googled the name and location of his victim, Shania Gray, as well as phrases like “Best way to get off a sexual assault charge” and “Gun shows in Mesquite,” after which point he purchased a gun and used social media to harass and intimidate Shania.

Davis also used a mobile app to spoof messages from Shania that appeared to recant her accusations against him, which he then used in his own defense. Our case study, published jointly with DriveSavers, shows how forensic examiners were able to prove definitively not only that the messages had come from his phone, not hers, but also the level of premeditation he engaged in. Davis was sentenced to death in November 2013.

Have a case study you’d like us to feature? Leave us a comment!