Exclusive bootloader method support for the latest Samsung devices headline UFED 4.4 release


Bootloader banner

With the release of UFED 4.4, Cellebrite announces support for 17,638 device profiles and 1,092 app versions. UFED 4.4 introduces the exclusive bootloader method designed to solve some of investigators’ most challenging problems for unlocking and extracting data from leading Samsung Android devices. Also including decoding support for new devices and OS updates, including iPhone 6S/6S Plus, iOS 9.1, and Android Marshmallow.

New unlocking & physical extraction support for Androids using the unique bootloader method

In previous version 4.2.6, we announced the release of the enhanced bootloader method, which enables you to obtain additional data when performing a physical extraction while bypassing user lock from Samsung devices.

As part of our ongoing efforts to provide the best physical extraction capabilities for the latest Android devices, version 4.4 introduces an enhanced bootloader to support newer phone firmware versions, and includes 12 additional Samsung devices. You can now obtain additional data by performing a physical extraction using the enhanced bootloader method for 85 popular Samsung Android devices running Android 5.x. This unique solution supports the following Samsung families: Galaxy S3, S4, S5, Note 3 and Note 4.

What is the bootloader method?

Physical extraction using the boot loader method is the recommended method to recover data from Android devices. When the device is in boot loader mode during extraction, the operating system does not run, and therefore, the device cannot connect to the mobile network. It bypasses any user lock is forensically sound.

New tutorial video is available below.

Cellebrite now supports new iPhone 6S/6S Plus and Android v6.0 Marshmallow

Recent device launches and updated operating system are also supported with UFED 4.4.  Users can now perform file system, logical (including applications data), advanced logical extraction, and decoding from,iPhone 6S and 6S Plus devices and iOS 9.1. UFED 4.4 also provides file system and extraction support for the latest Android v6.0 Marshmallow with limitations. Following recent changes made in Android 3rd party apps, including Facebook, WhatsApp and Snapchat, data from these apps can no longer be extracted when performing file system and logical extractions when using Android backup method. We recommend two options in order to overcome this limitation: Perform a physical extraction (when available), or root the device to extract data.

iPhone6 banner for blog

Extend your investigation capabilities with enhanced support for new apps for iOS and Android

UFED 4.4 keeps pace with investigator demand for more app support, and greater visibility into app data. This version introduces newly added support for some of the most popular apps installed on both Android and iOS, including: Google Drive, Google Tasks, Google Translate, Inbox, One Drive ,Pinterest, Runtastic, Yandex Browser, Yandex Maps; One Note and VIPole are available for Android.

With 300 million active users using Dropbox, 250 million using Microsoft’s OneDrive, 240 million using Google Drive*, and 100 million users on Pinterest, (the third most popular social network in the US)**. We are bound to believe that high number of people using these apps on their devices, may also hold the evidence you need for your investigation.

Updated support is also available for 53 Android and 61 iOS app versions.

New decoding method process for WhatsApp data 

App_whatsappIn UFED 4.2.6, we introduced a new capability to decrypt WhatsApp data. Using a third-party script, you can manually extract the WhatsApp key (on non-rooted Android devices), and use it in UFED Physical Analyzer to decode and decrypt the data. During the process, the WhatsApp version will be temporary downgraded to an earlier version, so that the key can be .extracted and used to decode the WhatsApp database. The current WhatsApp version will be restored at the end .of the extraction process.

A new step-by-step process is now available in MyCellebrite.

Learn more about UFED 4.4– download the release notes here!

* http://expandedramblings.com/index.php/google-app-statistics/


Speed Cloud Data Extractions from Anywhere

In our socially-driven world, it’s not surprising that Facebook, Kik and Instagram posts, as well as other cloud data sources have the power to break criminal cases wide open. The challenge for forensic examiners is getting to that data quickly. Together with mobile device data, these sources often capture the details and critical connections investigators and prosecutors need to solve a wide variety of crimes. UFED Cloud Analyzer, the first tool of its kind, removes the roadblocks and red tape involved in getting access from cloud service providers, reducing valuable time and cost to investigations.

“Social media data is a headache to access from application providers, but is so critical now to forensics investigations,” said Sgt. Andrew Weaver, Hartford, C.T., Police Department. “It can takes months to receive data with a warrant and then we do, it’s challenging to review and uncover pertinent details – not to mention time consuming. UFED Cloud Analyzer gives us access to this data quickly so we don’t lose valuable investigation time waiting.”

Part of the UFED Pro Series exclusive and powerful investigative tool automatically collects both existing cloud data and metadata without the need for credentials, because the tool impersonates the phone in order to perform the extraction. It then packages this data in a forensically sound manner either in the field or the lab. This allows investigators to search, filter and sort data to quickly identify “Who?, When?, Where?” details to speed investigations from anywhere.

Extraction Criteria Definition

UFED Cloud Analyzer Retrieved Google Location Data as Key Evidence for an Investigation

The forensic practitioners already using this new tool are not only reaping its considerable rewards, but singing its praises.

“While assisting a local law enforcement agency with a recent criminal investigation, we were able to utilize Cellebrite UFED Cloud Analyzer to remotely collect Google location data pursuant to a search warrant,” said Jim KempVanEe, Director of Digital Forensics.

LogicForce Consulting, Nashville, Tenn. “Within minutes of collecting the location data, we were able to confirm for the investigators that the suspect’s phone was within feet of the 12 year old victim’s home and we was able to trace the suspect’s movements after he left the scene.  All of this while another search warrant for location data sat idle at Google waiting to be processed.  Great tool – thank you Cellebrite!”

Cloud Analyzer with Google Maps icon2

Extract Insights Faster with New, Faster Capabilities

In the latest release of this tool, the capability to decode a cloud data account package from an Android device via a logical extraction just got even faster and more actionable. Investigators can now decide upfront which data should be extracted, selecting specific files and directories from cloud storage services including Google Drive and Dropbox. You can also now select a specific portion of email messages to access – headers only, headers and body without attachments, etc., helping to reduce investigative cycles.

Other key enhancements include the ability to:

  • Extract detailed location information from a suspect or victim’s private Google Location History, stored on Google cloud servers, allowing investigators to track all timestamped movements minute by minute
  • Track and analyze a suspect’s Facebook Likes and Events to get a better understanding of a suspect or victim’s interests, opinions and daily activities
  • Gain access to more Twitter connections, including pending requests either requested or received, to dive deeper into a suspect’s relationships
  • Reveal changes and/or discrepancies in images, videos and files stored in Google Drive and Dropbox

To learn more about how the UFED Cloud Analyzer and the UFED PRO Series can help you solve more cases quickly and accelerate investigations by gaining instant access to cloud data, contact your Cellebrite sales representative or visit http://www.cellebrite.com/Mobile-Forensics/Applications/ufed-cloud-analyzer



New and improved UFED Faraday bag!

With the evolution of smartphones, cellular networks and infrastructure have also advanced, signals have improved and their reach has expanded, which laid the ground for high-performance wireless access. Modern smartphones also carry other radio transmitters in addition to the network interface (including WiFi signals, Bluetooth, telecommunication systems, and GPS signals).

A fundamental aspect on device preservation at the crime scene is evidence collection on site. When needed, an officer can immediately provide electromagnetic isolation of a seized device to maintain proper chain of evidence, prevent da
ta tempering, and safeguard the existing physical data on the device.UFED Faraday bag

Cellebrite’s UFED Faraday bag has been redesigned and improved to meet the needs for quick investigation, offering better isolation storage for quick investigation.  The new shielding material was tested against the former bag at various frequency rates, and resulted in an increased attenuation of ~25 db.

Frequency (Ghz)Former bag
attenuation (dB)
Redesigned bag
attenuation (dB)

Click here to purchase your UFED Faraday bag at an affordable price.

Are you REALLY certified by Cellebrite?

Danny GarciaAre you REALLY certified by Cellebrite?  If you have attended an official Cellebrite training course, you will have an account within our Cellebrite Learning Center, where you were able to download your certificates.

The Cellebrite Forensic Training System (CFTS) officially launched in June, 2013.  The first official Cellebrite certification class was taught at the 2013 Mobile Forensic World conference in Myrtle Beach, South Carolina. The CFTS established a standardized,
relevant and current curriculum to deliver the appropriate level of knowledge and practical experience by Cellebrite Certified Instructors (CCI) around the world.

Students attending our certification courses must complete the course and pass appropriate examinations prior to achieving Cellebrite Certified Logical Operator (CCLO) and/or Cellebrite Certified Physical Analyst (CCPA) credentials. Upon completion of a course, participants receive certifications, making them eligible to move to the next stage in the curriculum.

The CFTS is designed to offer a progressive certification system, allowing those students who achieve a higher-level certification, to maintain lower level certificates.  For example, someone who earns the CCLO credential will renew that certification by achieving CCPA.  In addition, individuals who earn CCLO and CCPA, may renew both of those certifications by earning our capstone certification, Cellebrite Certified Mobile Examiner (CCME).

The CCME certifies that the recipient has attained a level of mastery in the discipline of mobile device forensic investigation methodology and a high level of proficiency with Cellebrite’s Physical Analyzer software as well as working and practical knowledge regarding Cellebrite’s UFED technology. The CCME test measures the practitioner’s skill using three popular mobile device operating systems including Android, iOS, and Blackberry. CCME certification indicates that an investigator is a skilled mobile device examiner.  The CCME is available to applicants who have completed the Cellebrite Mobile Forensic Fundamentals (CMFF) course, and hold current official CCLO and CCPA certifications.  Examiners wishing to earn their CCME certification must complete the process within two years of earning their CCPA credential.

Have questions about Cellebrite certification and our recertification process? We have published information and an FAQ at https://www.cellebritelearningcenter.com/mod/page/view.php?id=4625.

Cellebrite launches first standalone UFED User Lock Code Recovery Tool for iOS and Androids

Locked devices have been a longstanding issue for mobile examiners since the evolution of smartphone devices. More than 50% of devices seized by police are locked.*

UFED User Lock Code Recovery Tool provides you with another solution to unlock the device and reveal the password on both iOS and Android operating systems, when no other extraction methods work. Using forensically sound brute force method, this standalone tool reveals the device’s user lock code on screen, and allows users to enter the password and access the evidence on the device, while ensuring that existing data remains intact.

How do I use this tool?

The tool is available for download for UFED users with an Ultimate license at MyCellebrite (the software runs as a standalone tool). Users are supplied with three Cellebrite cables to be connected to USB OTG mobile devices only. A UFED Camera or a Windows-based web camera is required to detect when the device is unlocked. For more information on using the tool, watch the video below to learn how bypass and reveal passwords on iOS and Android devices.

UFED User Lock Code Recovery Tool helps you get the evidence you need quick and at no extra cost.

*Consumer Report 2014



New UFED release 4.2.2 offers exclusive support, impressive breakthroughs and enhanced decoding

With the release of UFED Physical/Logical Analyzer 4.2.2, Cellebrite offers new decoding features designed to improve investigative efficiency from 1,128 additional device profiles and enriched degree of decoded data from 873 app versions.

Exclusive support for the latest and popular Samsung devices

Samsung contributes to the highly fluid mobile market by introducing ever smaller and lighter mobile device models every few months. The quick adoption of these devices by felons leaves investigators to encounter additional challenges during the investigation. Cellebrite enables access to all data, including deleted data, from the newest Samsung Android devices available in the market today. Cellebrite supports physical extraction while bypassing the user lock using the forensic recovery partition method, and decoding from 33 Samsung Android devices, including Samsung Galaxy S5, S6 and Note 4 family of devices.

Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition. The original recovery partition on the Android device can be considered as an alternative boot partition that may also change the user data partition, while Cellebrite’s recovery image does not affect any of the user data.

Support for next generation smart watches

Android wear may be a new concept, but with nearly $7M sales just last year, many independent research groups anticipate a huge growth in the wearable space is in the next upcoming years. With the rate of new devices entering the market by Samsung and others, Cellebrite ensures that investigators remain ahead with the most advanced extraction and decoding technology to support these new trending devices.

UFED enables physical extraction while bypassing lock, and decoding support from the most popular next generation smart watches including LG smart watch LG G WATCH R™ (W110) and the previously released Samsung Galaxy Gear SM-V700.

New app decoding and decryption support

Apps provide a rich source of data to investigations. 59% of our users say that 3rd-party apps data matter the most in investigations. Cellebrite provides updated support for 843 app versions in this release, as well as decoding support for new apps, such as Facebook Messenger (decoding of the call logs of the voice calling feature and the new video calling/chatting feature). Additional decryption is also available for UFED 4.2.2, UFED Physical Analyzer is now able to decrypt and decode Android Backup (Android 5.x) with a known password as part of the file system extraction.

Download the release notes to see a full list of apps and version numbers.

Now higher resolution view in offline maps feature

In UFED version 4.2 we introduced the latest offline maps feature which enables you to view extracted locations on a worldwide map without internet connection. This feature has been improved, enabling you to view extracted locations on a regional map, and zoom in at an even higher resolution of 15x to view streets for better indication and view of the location without internet access for the following continents: USA, Canada, Europe, Japan and Korea, Middle East, Africa, London, Los Angeles, New York, Paris, Singapore and Tokyo.


You asked for it, we developed it!

UFED Physical/Logical Analyzer 4.2.2 keeps pace with investigator demand and provides the option to redact the image thumbnail from the PDF, Word and HTML report. You would use this option with cases involving sensitive images, such as child abuse.


3 Reasons to Vote for Cellebrite for a 2015 Forensic 4:Cast Award

For as long as the Forensic 4:cast Awards have existed, Cellebrite’s UFED tools have been named Phone Forensic Tool of the Year. Being nominated among some of the greatest products in the industry, we couldn’t be more proud that the forensic community recognizes our continuing efforts to deliver the best, most innovative and  functional mobile forensic tools for seven years running.

Thanks to you, Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED 4PC for phone forensic software of the year
  • Digital forensic organization of the year

Will you vote for us this year? Here are a few reminders why Cellebrite deserves the Forensic 4:cast Awards.

1. We’ve got your back.

Cellebrite has always been known for its breadth of support for new devices, but in 2014 we deepened our support for both smartphones and the apps installed on them. We improved our automated decoding, so you can spend more time analyzing data than figuring out how to decode it; brought our device profile support up to more than 14,000; and added decoding support for 25 prepaid Android devices—including Tracfone models that stumped investigators for years.

2. We make data analysis as simple or as complex as you need.

The visual analytics we include in tools like UFED Physical/Logical Analyzer and UFED Link Analysis give you a basic, at-a-glance look at key people, places, and communications via Project Analytics, Timelines, Maps, and Graphs. These help you immediately visualize your data and focus on only that which is most relevant to your case.

When you need to get “into the weeds” with the data—at the device memory level—you can do that too. Locate, carve, and validate data using advanced search functions like regular expressions and searches for strings, dates, codes, numbers, ICCID, SMS formats, etc., and import your JTAG and chip-off extractions into UFED Physical Analyzer for decoding.

3. We give you the tools you need not just to extract and analyze the data, but also to testify about your process with confidence.

Tools with as much functionality as ours deserve investigators who can put them to good use, so in 2014 we stepped up our training and certification program. We are now the first and only digital forensic vendor to deliver courses not only in person, but also online, and more than 4,000 practitioners earned their Cellebrite certifications through the end of 2014.

Vote for us today!


Balancing data actionability with forensic soundness

The ability to extend mobile evidence collection capabilities into the field has a great many benefits. Reducing costs associated with overtime, outsourcing, and diminished forensic lab productivity renders a field-based solution an investment rather than an additional cost. Reducing the risk of human error in data analysis is attractive, too, as automated tools help to improve field-level decision-making about cases.

Even so, decentralizing mobile forensics also carries its own risks. Will field personnel handle mobile device evidence the right way, including securing proper legal authority? Will they follow policy and standard operating guidelines when it comes to extracting and preserving mobile device evidence?

The legalities around field-based mobile device extraction have yet to be determined in many countries, but authorities can ensure compliance with organizational policy and overall forensic best practices by using permission management and auditing features. These kinds of capabilities take into account that not everyone needs the same level of access to mobile device evidence, depending on the types of cases they are investigating as well as the offense severity.

With the UFED Field Series, as well as the UFED Pro Series, permission management functionality allows agency administrators to define and configure user authentication settings to ensure that only users with the right credentials can access the application. An encrypted permission management file that contains usernames and profiles can be imported into multiple UFED InField applications.

Not only credentials, but also extraction privileges can be assigned. Certain investigators may be able to have access only to logical and SIM card extractions, while forensic lab examiners can access full physical extractions as well.

In addition, administrators can define content types available from logical extractions. Some investigators may be granted extraction permissions only for images and videos, for example, while others can access messaging in addition to images and videos.

These privileges can be based on user roles and/or training and certification levels. For example, investigators who have received the Cellebrite Certified Logical Operator (CCLO) or the Cellebrite UFED Field Operator (CUFO) certifications, or completed the coursework without receiving the certifications, can be assigned as many or as few extraction privileges as an administrator deems necessary for their role.

On the flip side of granting access to mobile extractions and data is tracking what the logged-in users do once they’re in the system. With UFED InField, an activity log maintains a list of all transactions including extraction start and end times; transaction type, duration, and status; device owner, vendor, model, and name; case ID and crime type; and who seized the device. Administrators can use this log to audit usage and ensure accountability among users.

The UFED Field Series solutions promote the treatment of mobile devices as crime scenes, so that the evidence they contain is fully preserved from seizure all the way through search and analysis. It offers organizations the “technology” component of a three-pronged approach that Cellebrite encourages towards implementing legally defensible field-based extractions for personnel who do not specialize in mobile forensics. By combining the UFED Field Series with training, policy, and standard operating guidelines*, organizations can reduce risk while meeting the need for improved access to actionable mobile device data in the field.  To learn more, download our solution brief today.

Umbrella - blog banner

*We recommend you work with your prosecutors and administrators to develop policy and appropriate training, including processes for obtaining written consent and search warrants (either traditional or electronic, if your jurisdiction allows).

Unifying investigative teams from field to lab

Nearly two-thirds of respondents to Cellebrite’s 2015 mobile forensics trends survey rated “important” the ability to extend mobile evidence collection capabilities into the field. The reasons are many: the costs of overtime, outsourcing, and even human errors are mounting, while lab service delivery times diminish.

Improving investigators’ ability to make decisions about their cases, including whether they need to escalate mobile evidence to a forensic lab at all, is the focus for many organizations in both law enforcement and the private sector. This focus reflects a need for in-field mobile device forensic solutions that span field locations: both stationary kiosks at satellite offices or stations, and mobile data extraction devices.

To this end, they seek solutions that provide basic data analytical capabilities: the ability to identify the who, what, where, and when of any given incident using mobile device data in conjunction with field interviews, witness statements, and other investigative activities undertaken in the first hours or days following an incident.

When evidence escalation is required, the solution must be able to route data immediately over a private network to a digital forensics lab at a headquarters, in another jurisdiction, or even in a different country. In other words, the solution must ensure that investigative teams have the technological ability to transfer data back and forth across a truly unified, secure system that promotes full accountability for their actions.

Without these abilities, the workflow falls apart under two circumstances:

  1. When data recipients have to translate the data into a different format so that it will work with a different system, or when senders have to take extra steps—such as transporting data storage media to the recipients—that adds, rather than saves, time.
  2. When it is difficult for managers to track statistics and integrate reports that give them visibility into how their personnel are using the tool, and therefore, make it more efficient for them to help personnel manage caseloads or adjust expectations.

Cellebrite’s UFED Field Series aims to reduce these problems by using an agency’s encrypted network to enable personnel to share extraction statistics, reports and raw data with other personnel or send to a predefined location.

The right infrastructure: local area network (LAN) and/or virtual private network (VPN)

Whether users are in substations, using UFED Field Series solutions installed on the UFED Kiosk, or are mobile, using UFED IX or ILX on laptops or tablets, the ability to send extraction data to a central location for storage or analysis with a single click is an important distinction.

At a minimum, kiosks in substations or satellite offices can be connected to a LAN using a standard RJ-45 cable and their own IP address. With a VPN, a similar capability can be extended to UFED Field IX deployments in vehicles. That way, a laptop or tablet connected to wifi, or to the cellular network via air card, behaves like other endpoint networked devices with its own IP address.

Organizations that do not have reliable infrastructure, such as those in rural locations without 4G or LTE wireless service, may experience bandwidth challenges because even logical extractions, on many smartphones, could be a couple of gigabytes.

In these cases, workarounds such as storing extractions and performing a daily scheduled batch file upload at end of shift may help. Users could also opt to store extraction data on encrypted portable devices such as USB or hard disk media, although this can add time to the overall process.

Streamlining communication via analytics

It is one thing to extract data to provide to other team members, but another to offer them visual analytics that can help them support particularly time-sensitive scenarios. Two scenarios enable this capability.

  1. Deployed in the field on mobile units, UFED Link Analysis allows investigators to create a project merging data from multiple devices, and then to share that project over the network with other investigators at a central or another mobile location.
  2. Deployed at a satellite location such as a police substation on the UFED Kiosk, UFED Link Analysis appears as a “shell” viewer. This data can be stored on a network drive, DVD, or USB for later transfer to other investigators.

While UFED InField is designed to help first responders improve their investigative efficiency by putting mobile evidence collection solidly in their hands, its optimization for a network-enabled environment allows for a seamless transfer of data to lab practitioners when required. To learn more, download our solution brief.

Umbrella - blog banner

How private social data makes a better crime story

Open source intelligence is an undeniably important source of information in a great many investigations, both civil and criminal. Public-facing posts to Facebook, Twitter, Vine, Pinterest, and other services can provide key evidence in cases involving insurance fraud, child exploitation, organized criminal activity, and harassment in or out of the workplace, among others.

However, open source intelligence is limited. People who act one way on public networks may behave very differently in private posts or messages, and may conceal key details in private messages. That means that without the data, investigators lack important context. In a recent survey of Cellebrite customers, nearly two-thirds reflected that data stored off the device and on the cloud was of critical concern to them.

Perhaps the most well-known example of the gap between public and private social data is the wave of street violence that occurred in north London, England in August 2011. As The Guardian reported, Facebook and Twitter only accounted for a small amount of communications around the unrest. Actively monitoring those services, police managed to deter violence in publicly named locations.

“However,” the news article went on to note, “the most powerful and up-to-the-minute rallying appears to have taken place on a more covert social network: BlackBerry Messenger (BBM)…. unlike Twitter or Facebook, many BBM messages are untraceable by the authorities.”

Social network analysis identifies likely sources of private contact

When an investigator considers the likelihood that s/he will need to obtain private social data, interviews with victims, witnesses and suspects are often a good place to start. Interviews can reflect communication patterns—apps and platforms used, modes of contact, etc.—among people involved in a case, and help narrow down the range of content to look for.

Also consider who is important enough for the victim or suspect to share information with. You can get a sense for this network from analyzing activity by the people they most frequently communicate with: those who like or comment on their posts, how frequently, in what context. Unusual communications from a loose acquaintance, depending on timing, can be as important as regular contact with a typical circle of people.

Social network analysis can also reveal relationship conflicts of interest, which can be important in fraud or insider threat cases. People who are not outwardly connected on social media may be communicating via email or private message, in accounts they don’t use to communicate with anyone else.

Public data can provide private leads

Consider, in addition, what is important enough for a victim or suspect to share information about. Images of material goods can indicate money spending habits or even outright crime. Their page likes and follows—the Guardian reported that initial activity related to the riots began on a public Facebook page—can provide clues about interests and activities which they may discuss privately.

Meanwhile, private content that is opposite to public postings, or to what the victim or witness has told you during interviews, can be used as leverage to find out what really happened. These contradictions can exonerate as well as implicate a suspect. And, if the case goes to trial, the contradicting content can impeach a witness’ credibility.

Understand cloud usage trends in your community

It’s important to maintain a strong sense of technological trends ongoing not just in the nation or the world, but in specific regions as well. The Guardian described in a later article how, in London, BlackBerry’s prepaid model allowed teens and lower-income people to afford the devices they used to coordinate their activities, without using cloud services.

Further, while BlackBerry Messenger communications are encrypted, and iOS and Android devices are heading that way as well, most social media services are not. That means that data unrecoverable from apps on the device, may still be available from cloud services themselves.

Even so, with mobile device manufacturers, third-party app developers, and online service providers taking more drastic measures toward improving their customers’ data security, government agents should take the steps they need to secure proper legal authority before accessing subjects’ private data. That could take the form of a search warrant, consent, or other documentation. It also means understanding the difference between true exigency, and the perception of exigency in a high-pressure situation such as a riot.

Don’t miss out on the critical evidence or intelligence that could help make a case. Download our solution brief to learn more about how the UFED PRO Series improves the context of an investigation.

Umbrella - blog banner