What’s New in UFED 5.0: Q&A from Cellebrite’s Webinar

Earlier this month we hosted a webinar entitled “What’s new in UFED Touch, 4PC, Physical Analyzer, Logical Analyzer 5.0?” The webinar provided attendees with insights on the latest features and capabilities introduced in version 5.0, including unique extraction capabilities such as the temporary root (ADB) solution for Androids, detailed demos on merging multiple extractions into a single project, removing duplicates, a new and effective validation process, filtering out common images, and other industry-first capabilities that help you drill into the data that’s most crucial to your investigation.

During the webinar, we received an array of excellent, intuitive questions from participants. A selection of these questions, with corresponding answers, has been compiled into this blog.

The webinar is available for viewing at the bottom of this post.

Note: If you don’t see your question answered below, please leave a comment at the end of this post and we will try to provide you with an answer ASAP.

Q&A – Let’s begin!

Q: Which fields are used to determine duplicated messages for Chat, MMS and SMS?

A: We have a set of rules for deduplication. For the analyzed data (SMS, emails, chats), we identify key values for duplication for each model/content type, and based on that we remove duplicates and merge items. For data files (text, images, video and more), duplicates are based on hash value calculation.

Q: After the deduplication process completes, are there any reports or items showing that there was a duplication?

A: You can find an indication of duplicates in any table in the UI. There is also a filter available to filter this information, and there is also an indication in all report formats.

Q: Sometimes physical extractions of a single project contain duplicate messages due to garbage collection, etc.  Is there a way to detect and remove duplicates from a single project?

A: Indeed. Version 5.0 automatically removes duplicates of a single project/extraction as well.

Q: Is the application able to create a hash of the whole Image or project?

A: UFED Touch/4PC 5.0 creates a hash of the whole image of any physical extraction. UFED Physical Analyzer 5.0 enables you to review this MD5/SHA-256 value and validate/verify it.

Q: I see that you didn’t include merged data when you were going through the reporting feature, is there a reason why you would include this information?

A: By default, the merged items are not included in the report, as we assume that the main items are the most important. You may change this default value and include the merged items as well.

Q: Is there a way to get a summary of all contacts that are on a phone?  The Contacts area doesn’t always capture the contacts from apps (i.e. Whatsapp, Viber, etc.).  I find that I need to extract SMS/MMS/Chats/CallLog and then combine the logs together for a contacts summary.

A: All contacts recovered are presented under the contacts node in the tree, including contacts recovered from 3rd party apps. We do plan to merge SMS, IM, MMS and chats (all messaging events) into a unified view; this is planned for one of the coming versions of UFED Physical Analyzer.

Q: Using the upgraded UFED Touch and Physical Analyzer, I have noticed that looking at results for a logical extraction for some phones deleted data is shown. Can we actually get some deleted during logical extractions now?

A: Deleted information from apps can be recovered as part of logical extraction.

Q: When you change the name of the extraction, does it change the name of extraction file that is placed in the folder?
A: No, the name change is only for viewing and reporting purposes.

Q: Since WhatsApp is now encrypted, can UFED 5.0 extract WhatsApp encrypted data?
A: Messages are encrypted while in transit; however, this does not affect data at rest (forensics) stored in the WhatsApp databases. On top of that, WhatsApp has recently started using a new encryption key – crypt9. We are working to provide a solution for this encryption.

Q: Can UFED Physical Analyzer 5.0 pull data (pictures and videos) from SnapChat, or only text messages?
A: For both iOS and Android devices, media files are extracted as well.

Q: Is there a specific order as to when you have to do the ADB and APK backup and downgrade?
A: It is recommended to use the APK downgrade as a last resort, after other extraction methods have been exhausted (including JTAG and chip-off), since it’s an intrusive method, which requires APK installation on the device.

Q: Why do some of the recovered passwords display as clear data, while most of them are encoded?

A: In many cases, the passwords are stored as tokens, which is why you can’t see clear data. Private data is stored encrypted as tokens. When the password is first entered, it is sent to the server for storage. Every time the password needs to be checked, the public-key-encrypted password is sent to the backend server and decrypted with the private key. In PA, you can see these encrypted values.

Q: If you use the time zone support, does it make any changes to the extraction or is it just for easier viewing?
A: It is for easier viewing and reporting; no change is made to the original.

Q: About the timestamp option, can you explain about the options in the settings? When does it prompt when device time zone is detected?

A: To automatically adjust timestamps to UTC+0, select the Automatically adjust timestamps to UTC+0 check box. This setting is recommended when working on multiple extractions so that all records will be presented according to the same adjusted time zone offset.

If a time zone is detected as part of decoding, a pop-up window will be presented, suggesting that you automatically adjust the timestamps. Alternatively, you can change it in the general settings. When the Automatically adjust timestamps according to the device’s time zone check box is selected, all timestamps will be adjusted to the mobile device time zone, including report outputs.

View the full webinar below.

UFED 5.0 drastically decreases your time to evidence by drilling into the data that’s most crucial

Sifting through data is a very time-consuming process: the average US smartphone user takes up 10.8GB of storage capacity on their device*, and taking into account the different data recovery options in UFED Physical Analyzer, this process may take up to several hours to complete. UFED 5.0 came out with major time-savers that drastically decrease your investigation time and let you focus on the data that is most crucial to your investigation. Version 5.0 brings five crucial industry-first features, and support for 19,203 device profiles and 1,528 app versions.

Merge multiple extractions in a single unified report and avoid duplicates

You asked for it, we developed it. With UFED Physical Analyzer 5.0, you now have the ability to merge multiple extractions from multiple devices into a single unified project, which can include logical, physical and file system extractions. The extracted data is presented under one project tree, and provides a unified extraction summary with device info per extraction, the ability to drill down to each extraction, and an indication of the original extraction source. If required, you also have the option to combine extractions from different devices. 


This powerful feature saves you time not only by combining the extractions, but also by removing duplicate or redundant information, and grouping together similar and duplicate records for quick and efficient analysis. The following extraction types may be grouped together: Logical, advanced logical file system, physical, SIM card, JTAG, SD Card, and UFED Camera Evidence.

Here is what one investigator had to say about this new capability: “Being able to instantly navigate to where each piece of data is located in the memory dump is an outstanding feature. This saves hours of time on each complex investigation.”

Validate your data the right way

The latest validation process saves you time and resources by providing you with the most effective and most efficient way to perform a real and accurate validation process, validating the decoded data against the original source file, thus reducing your need to use other mobile forensic tools for additional extractions to compare and validate the results.

Every recovered artifact has a source that it was originally derived from, and that source can be used later to validate the data. If previously you spent time manually searching for the original source, UFED Physical Analyzer 5.0 now automatically tracks the decoded content back to its source.

Every extracted record now includes the file source information in a table view or in the right pane with device information. Each link points to the offset data and includes the source file name, which can be included in a UFED report when testifying in court. For example, using UFED Physical Analyzer 5.0, an examiner can easily see from the original source file that a recovered SMS was a deleted artifact, since it was recovered from the memory of the device. That SMS is also visible and highlighted in the hex viewer, when clicking on the file source information link. (The db file where the SMS came from is also displayed in the right pane).


Focus on relevant media files with the common image filter

An additional time saver added to version 5.0 is the new automatic filter feature. UFED Physical Analyzer 5.0 saves massive investigation time by automatically filtering out common or known images, allowing you to focus on the images you need and get to the evidence quickly, rather than wasting time reviewing thousands of images that are default device icons, or images that come as part of app installation.

The MD5 hash value is available for every extracted media file, and is visible in the user interface and in the report output, as part of the decoding process.

How would you use this feature? Say you have 200 hash values of indecent images in your own database. You can easily create a watch list for all the hash values from your database, and run the watch list to search for matching images on the device. In case of a match, a nude photo will be detected on the device. Alternatively, you can export the hash values from the device into Excel, and run a match on your database, as well as expand your list with new hash values belonging to suspicious nude photos.

As presented in the image below, if previously you had to review 24998 images, you now have 900 fewer images to review.

[Image: review of media files with hash calculation]

To view all images, click on filter reset or remove the auto-filter option in the Settings.
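The hash-based workflow this section describes (duplicates identified by hash value, common images filtered out, a watch list matched against the device's media files), as an added Python example; it is not Cellebrite's code or UFED's implementation, and the function names, file names and sample bytes are constructed for illustration.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

MD5_RE = re.compile(r"[0-9a-f]{32}")


def normalize_hashes(lines):
    """Clean a hash list exported from a spreadsheet or database.

    Returns (valid, rejected): lowercase MD5 strings, plus any non-empty
    entries that are not 32 hex characters (for example a header row).
    """
    valid, rejected = set(), []
    for line in lines:
        value = line.strip().lower()
        if not value:
            continue
        if MD5_RE.fullmatch(value):
            valid.add(value)
        else:
            rejected.append(line.strip())
    return valid, rejected


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large videos do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def classify(digest, known_common, watchlist):
    """Watch list wins: a hit must never be hidden by the common-image filter."""
    if digest in watchlist:
        return "watchlist_hits"
    if digest in known_common:
        return "filtered_common"
    return "to_review"


def triage(media_root, known_common, watchlist):
    """Group files by MD5 (duplicates collapse to one entry) and bucket them."""
    root = Path(media_root)
    by_hash = defaultdict(list)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            by_hash[md5_of(path)].append(path.relative_to(root).as_posix())
    buckets = {"watchlist_hits": {}, "filtered_common": {}, "to_review": {}}
    for digest, paths in by_hash.items():
        buckets[classify(digest, known_common, watchlist)][digest] = paths
    return buckets


def demo():
    """Run the triage over a small constructed file tree (sample bytes, not real media)."""
    icon = b"constructed sample: stock launcher icon"
    flagged = b"constructed sample: file on the examiner's watch list"
    photo = b"constructed sample: user photo"
    files = {
        "system/icons/launcher.png": icon,
        "data/app/res/launcher_copy.png": icon,      # same bytes, second location
        "DCIM/IMG_0001.jpg": photo,
        "DCIM/IMG_0002.jpg": flagged,
        "Download/IMG_0002 (1).jpg": flagged,        # renamed copy, same hash
    }
    # Hash lists as they might arrive from an export: header row, upper case,
    # stray whitespace. All values here are derived from the sample bytes above.
    known_common, _ = normalize_hashes(["MD5", hashlib.md5(icon).hexdigest().upper()])
    watchlist, _ = normalize_hashes(["  " + hashlib.md5(flagged).hexdigest() + "\n"])
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return triage(tmp, known_common, watchlist)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket)
        for digest, paths in entries.items():
            print(f"  {digest}  x{len(paths)}  {paths}")
```

Matching on a file hash only finds byte-identical copies; a re-encoded or resized image produces a different MD5 and lands in the review bucket.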

 

Access blocked application data with file system extraction

Version 5.0 introduces another industry-first capability, providing you access to blocked application data when physical extraction is not available for the specific device. New app versions also introduce new challenges: they are no longer available for backup using the Android backup method, since they are blocked from the backup service. UFED overcomes this limitation with a new option called the APK downgrade method, also available via file system extraction. This method temporarily downgrades the app (or .apk file) to an earlier version that is compatible with Android backup. UFED will present the list of apps installed on the device, and the ones available for downgrade. Open the extraction in UFED Physical Analyzer to decode both intact and deleted app data.

Popular supported apps include WhatsApp, Facebook, Facebook Messenger, Line, Telegram, Gmail, KIK and more.

Extract data using Temporary root (ADB) and enhanced bootloader method

The temporary root (ADB) solution has been enhanced to support 110 Android devices running OS 4.3 – 5.1.1, for file system and physical extraction methods (when ADB is enabled). Logical extraction of app data is also available for the listed devices using the temporary root solution. As part of your examination, you need to gain access to all the data stored on a mobile device. This is achievable via a physical extraction, which is the most comprehensive solution, and provides the richest set of data. As part of our ongoing efforts, you are now able to perform a physical extraction for the selected 110 devices using the ADB method instead of manually rooting the device using an external tool. Third party tools provide a permanent root, while Cellebrite’s temporary root solution is removed after restart, and assures forensically-sound extractions.

The bootloader method has been further enhanced in version 5.0. This unique lock bypass solution is now available for 27 additional devices (APQ8084 chipset), including Galaxy Note 4, Note Edge, and Note 4 Duos.

Version 5.0 also introduces physical extraction and decoding support for a new family of TomTom devices; file system and logical extraction and decoding are also available for recently launched devices, including iPhone SE, Samsung Galaxy S7, and LG G5.

Watch the video below to learn more about UFED 5.0 release highlights.

Download our release notes for full details about version 5.0 capabilities.

Spring Ahead and See What April Has in Store for Cellebrite: A snapshot of Cellebrite’s April 2016 events

Spring is here and April 2016 is an exciting, action-packed time for Cellebrite. We will be participating in a multitude of events around the world – hitting every one of the globe’s hemispheres. Meet us in Zagreb, Rio de Janeiro, London, Orlando, among other leading international hubs, where our subject-matter experts will present the UFED product line, providing live demos and delivering presentations on hot industry topics for security and law enforcement markets alike.

Take a look below and see a snapshot of our April events. We hope to see you somewhere around the globe – soon!

April 5, 2016: DATAFOCUS 2016 International Conference on Digital Evidence, Zagreb, Croatia

Cellebrite is springing into April with the DATAFOCUS 2016 International Conference on Digital Evidence in Zagreb, Croatia. DataFocus is a one-day conference with two tracks, aimed at both lawyers involved in digital cases that include digital evidence and investigators whose everyday jobs entail digital forensic investigations.

Don’t miss the Cellebrite speaking engagement under the umbrella, “UFED Series: Cellebrite Mobile and Cloud Forensic Solutions” – entitled, “Unparalleled Extraction and Analysis Capabilities, Optimized for the Lab and Field.”

April 12-14, 2016: LAAD Security 2016, Rio de Janeiro, Brazil

Next on our April schedule, Cellebrite will be exhibiting at LAAD Security 2016, Riocentro in Rio de Janeiro, Brazil, from April 12 – 14, 2016. LAAD Security – Public and Corporate Security International Exhibition – brings together Brazilian and international companies in the industry of security, equipment, services and advanced security technologies.

Come by our booth number F.22, Hall 4, where we will be showcasing our many solutions that are sure to accelerate your investigations – anytime, anywhere.

April 19 – 20, 2016: Forensics Europe Expo, London, UK

Moving towards mid-April, Forensics Europe Expo, the only international event dedicated to forensic technology, will bring leading UK and International forensics professionals together to network, learn, and source new products and innovations.

Come and say hi to Cellebrite at booth number 1-C27, and learn about our products and solutions via live demos, among other hands-on sessions.

April 19-22, 2016: National Law Enforcement Training on Child Exploitation (NLETCE), Atlanta, GA, USA

Across the pond, Cellebrite is slated to take part at NLETCE, where subject-matter experts will be providing cutting-edge training on a wide range of trending and important topics. In addition, there are over 240 lecture and hands-on computer workshops designed specifically for local, state, tribal and federal law enforcement personnel and prosecutors who are responsible for combating child exploitation. To learn more about Cellebrite’s role in combatting sexual extortion, together with INTERPOL, read our case study here:

April 25-27, 2016: National Cyber Crime Conference, Norwood, MA, USA

Back by popular demand, for its fifth year, the Massachusetts Attorney General’s Office is hosting the 2016 National Cyber Crime Conference, to be held April 25-April 27 in Norwood – and Cellebrite will be there in full force. The conference will feature three tracks of instruction: a track for prosecutors, a track for investigators and a track for digital evidence forensic examiners. Each track will have multiple breakout sessions featuring instruction from nationally recognized experts in the field of cybercrime. All participants will be provided with an opportunity to receive hands-on instruction.

Drop by our booth number 10, where we will showcase recent developments and demonstrate how Cellebrite’s mobile forensics solutions can help solve crime.

April 26-28, 2016: IACIS (The International Association of Computer Investigative Specialists), Orlando, FL, USA

Heading into the final stretch of this busy month of April, Cellebrite will present at IACIS, a non-profit corporation composed entirely of volunteer computer forensic professionals dedicated to fostering and perpetuating educational excellence in the field of forensic computer science. The audience will be comprised of professionals from the Federal, State, Local and International Law Enforcement community, as well as the business/commerce and academic communities. Stop by and meet the Cellebrite team!

April 26-28, 2016: Youth Technology and Virtual Communities Conference, Bond University, Gold Coast, Australia

With the theme Prevent, Protect, Prosecute, the Youth Technology and Virtual Communities Conference will provide attendees with the latest developments, strategies and challenges across all facets in the collaborative effort to fight crimes against children. The conference is aimed at practitioners in the fields of law enforcement, prosecution, education, child protective services, social work, children’s advocacy and therapy who work directly with child victims of crime. In a testimonial video, hear how Detective Jim Bolt of ASP Security Services used Cellebrite’s UFED Physical Analyzer to recover deleted images as evidence in a case related to child abuse.

Come visit us at our booth down under and learn how Cellebrite’s technical and training solutions accelerate investigations.

Visit our website to learn more about our events.

Reason #1 to vote Cellebrite for a 2016 Forensic 4:cast Award

For the eighth consecutive year Cellebrite has been nominated by our dedicated UFED users and the digital forensic community in recognition of our success in delivering the most innovative and functional mobile forensic tools.

Thanks for your nominations in the following categories:

  • UFED Touch for phone forensic hardware of the year
  • UFED Physical Analyzer and UFED4PC for phone forensic software of the year
  • Digital forensic organization of the year

If you haven’t already voted, here is a good reason why Cellebrite deserves the Forensic 4:cast Awards:

Consistently First, Often Unmatched

Cellebrite’s UFED consistently brings critical mobile forensic capabilities first to the lab and field, and many of these capabilities remain unmatched for months or years. Just in our last two releases (4.5 and 5.0) we included 26 industry-first capabilities, and 22 are still exclusive for Cellebrite. Our recently released UFED 5.0 includes industry-first features and functionality that make your life easier, and your investigation more efficient – this includes a new validation capability, and unifying multiple extractions in a single unified report. We were also quick to include support for file system and logical extractions for the recently launched Samsung Galaxy S7 and iPhone SE.

Our innovation timeline will further demonstrate why we are the undisputed pioneer in breakthrough device specific mobile forensic capabilities. With UFED, chances are you will have these critical capabilities when you need them, when they are essential to your investigation, and well before any other tool currently on the market.

So in a nutshell, you can count on us to continue being the first to provide you with the most innovative, extensive and technologically advanced mobile device support in the industry.

Does UFED play an important role in your investigations? If you think so, then vote for us today!  


Exclusive support for additional Motorola Androids highlights 4.5 release


With the release of UFED 4.5, Cellebrite announces support for 18,290 device profiles and 1,270 app versions. The recent release brings industry first access to 11 additional Motorola Android devices, logical extraction via Bluetooth from any Android, and enhanced decoding support for the latest versions of all UFED supported applications running on iOS and Android devices.

Logical extraction via Bluetooth

Version 4.5 introduces a quicker and more efficient workflow, providing users with the option to perform a logical extraction via Bluetooth from any Android device. Extracting via Bluetooth is an effective solution to recover data from devices with damaged USB ports, as well as from prepaid devices (such as TracFone Android), which come with locked USB ports.

As illustrated in the image below, to use this option, select Use Bluetooth under Select Content Types.

[Image: the Use Bluetooth option under Select Content Types]

Physical ADB method for rooted Android devices

The physical ADB method is now available for pre-rooted Android devices, when the physical extraction method is not supported. Using the ADB method, users can now perform physical extraction from rooted Android devices.

A few notes regarding rooted devices and ADB…

What is rooting? To “root” a device means to gain administrative rights on the file system on Android-operated devices. A device can be rooted as part of the recovery partition or fully rooted following a rooting process.

What is ADB and how does it work? ADB, or Android Debug Bridge, is a built-in protocol within the Android operating system. This protocol enables developers to connect to an Android-based device and perform low-level commands used for development. In UFED, the protocol is used to perform an extraction of Android devices.

Updated app support

Following recent news regarding ISIS terrorists using the Telegram app to carry out their activities, version 4.5 keeps pace with industry demands by providing enhanced decoding support for Telegram’s latest version running on iOS and Android devices. Updated support is also available for 134 Android and 43 iOS app versions.

Improved Functionality for UFED Physical Analyzer and UFED Logical Analyzer

Version 4.5 also introduces improvements for the ruggedized frontline tool, UFED InField Kiosk, enabling users to encrypt mobile forensic reports and UFDR files using a password. Users can open encrypted reports using the password, and view the reports with UFED Physical Analyzer and UFED Logical Analyzer. Password-protected reports can also easily be shared with other investigators over a network using UFED Reader.

Additional enhancements include new offline map packages for the following regions: Minsk, India, Germany, Australia and New Zealand, Scandinavia. (The Offline maps feature was introduced in version 4.2. This feature enables you to view extracted locations on a worldwide map without an internet connection.)

Learn more about UFED 4.5 – download the release notes here!

Save critical investigation time with UFED Reader: Q&A from Cellebrite’s webinar

In the past several years, cases involving computer hard drive forensics have declined while mobile forensics have risen, increasing demand to analyze digital evidence off mobile devices. Typically, the forensic lab examiner will generate reports with all the extracted data from the device and send them over to the investigator, who has to review all the data in order to find the relevant piece. This may mean sifting through hundreds, even thousands of pages from several devices in order to find the needle in the haystack. In some cases, the investigator may discover that they need additional data that was not even supplied.

In a recent webinar, we presented the UFED Reader, a free and easy to use digital tool that helps you review the report files generated from analyzed data of a physical, file system, or logical extraction by UFED Physical Analyzer and UFED Logical Analyzer.

The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog, including some that we didn’t have time to answer during the webinar.

Q: Can UFED Physical Analyzer create a .ufdr file that contains all the artifacts, including pictures, videos, SMS, MMS, etc.?

A: UFED Reader is able to create massive .ufdr files, even from phone dumps that are over 16 gig.

Q: Where is the UFED Reader file located?

A: The UFED Reader executable file can either be forwarded from the forensics lab with a report, or it can easily be downloaded from the customer portal at my.cellebrite.com.

Q: Can I also see shared data between different reports using the reader?

A: You can open different reports using the reader; these can be different reports of the same device or even reports related to different devices. However, each project is handled separately. You can perform searches on all projects but the views are separated. SMSs, contacts and locations are all presented per project, and the timeline and reports are not shared either. If you need to see connections and links, it is recommended to use UFED Link Analysis, which enables you to open up to 100 data sources and see the links between different data extractions.

Q: For multi-jurisdictional investigations how can you import an XRY file for parsing by a UFED?

A: While UFED Reader cannot open XRY reports, UFED Link Analysis has the ability to open external reports, and provides a joint view of both Cellebrite and XRY reports.

Q: Can you generate a report containing only bookmarked items?

A: Yes, UFED Reader provides you with an option to include entity ‘bookmarks only’ which incorporates bookmarked items only in the report output. Bookmarking highlights the evidence that is relevant to the case, and UFED Reader provides the option to include in the report only the artifacts that are important for that investigation. As a result, the report generated is concise, short and protects personal data that is not relevant to the case.

Q: Which mobile device operating systems are supported by the UFED Reader?

A: Cellebrite supports all known and familiar operating systems, and all devices that can be extracted and decoded using the UFED Series (including Touch/4PC/Logical/Physical Analyzer) can be opened by the UFED Reader, meaning any .ufdr report generated can be opened by the UFED Reader.

Q: Are there chat-threading capabilities within the UFED Reader module?

A: In the Chats view, you will see a list of chat messages extracted from the device, including third-party app messages, such as WhatsApp or Snapchat messages. This view provides information about the chat, such as start date and time, participants, source and number of messages, which are also listed chronologically on the right pane in full detail (including body of messages and attachments). The conversation view layout option is also available for easier and better tracking of the communication between two or more parties. You can search for messages within a chat, select the messages to include within a report, print, or export the conversation.

Q: Is it possible to see restored deleted information from mobile devices?

A: Cellebrite has the ability to extract and decode deleted information from mobile devices, and these items are included in the .ufdr report, and presented in UFED Reader with a red ‘x’ icon next to the artifact.

Q: Can UFED extract logical and physical data from Windows Phone 8 and new Android-SM using MTP (media transfer protocol) instead of UMS (mass storage)?

A: For Windows Phone 8 using the logical extraction method, you can extract contacts via Bluetooth and multimedia data via USB (MTP protocol). Physical extraction is available for select Nokia Lumia (out of the box WP8) models. For Android devices, using the logical extraction method, you can extract multimedia data for newer Android devices via USB (MTP protocol).

View the full webinar below:

Leave a comment if you have a question that was not answered above, or in the webinar itself!

Exclusive bootloader method support for the latest Samsung devices headline UFED 4.4 release

With the release of UFED 4.4, Cellebrite announces support for 17,638 device profiles and 1,092 app versions. UFED 4.4 introduces the exclusive bootloader method designed to solve some of investigators’ most challenging problems for unlocking and extracting data from leading Samsung Android devices. It also includes decoding support for new devices and OS updates, including iPhone 6S/6S Plus, iOS 9.1, and Android Marshmallow.

New unlocking & physical extraction support for Androids using the unique bootloader method

In the previous version, 4.2.6, we announced the release of the enhanced bootloader method, which enables you to obtain additional data when performing a physical extraction while bypassing user lock from Samsung devices.

As part of our ongoing efforts to provide the best physical extraction capabilities for the latest Android devices, version 4.4 introduces an enhanced bootloader to support newer phone firmware versions, and includes 12 additional Samsung devices. You can now obtain additional data by performing a physical extraction using the enhanced bootloader method for 85 popular Samsung Android devices running Android 5.x. This unique solution supports the following Samsung families: Galaxy S3, S4, S5, Note 3 and Note 4.

What is the bootloader method?

Physical extraction using the bootloader method is the recommended method to recover data from Android devices. When the device is in bootloader mode during extraction, the operating system does not run, and therefore, the device cannot connect to the mobile network. It bypasses any user lock and is forensically sound.

New tutorial video is available below.

Cellebrite now supports new iPhone 6S/6S Plus and Android v6.0 Marshmallow

Recent device launches and updated operating systems are also supported with UFED 4.4. Users can now perform file system, logical (including applications data), advanced logical extraction, and decoding from iPhone 6S and 6S Plus devices and iOS 9.1. UFED 4.4 also provides file system and extraction support for the latest Android v6.0 Marshmallow with limitations. Following recent changes made in Android 3rd party apps, including Facebook, WhatsApp and Snapchat, data from these apps can no longer be extracted when performing file system and logical extractions using the Android backup method. We recommend two options in order to overcome this limitation: Perform a physical extraction (when available), or root the device to extract data.

Extend your investigation capabilities with enhanced support for new apps for iOS and Android

UFED 4.4 keeps pace with investigator demand for more app support, and greater visibility into app data. This version introduces newly added support for some of the most popular apps installed on both Android and iOS, including: Google Drive, Google Tasks, Google Translate, Inbox, One Drive ,Pinterest, Runtastic, Yandex Browser, Yandex Maps; One Note and VIPole are available for Android.

With 300 million active users using Dropbox, 250 million using Microsoft’s OneDrive, 240 million using Google Drive*, and 100 million users on Pinterest (the third most popular social network in the US)**, we are bound to believe that the high number of people using these apps on their devices may also hold the evidence you need for your investigation.

Updated support is also available for 53 Android and 61 iOS app versions.

New decoding method process for WhatsApp data 

In UFED 4.2.6, we introduced a new capability to decrypt WhatsApp data. Using a third-party script, you can manually extract the WhatsApp key (on non-rooted Android devices), and use it in UFED Physical Analyzer to decode and decrypt the data. During the process, the WhatsApp version will be temporarily downgraded to an earlier version, so that the key can be extracted and used to decode the WhatsApp database. The current WhatsApp version will be restored at the end of the extraction process.

A new step-by-step process is now available in MyCellebrite.

Learn more about UFED 4.4– download the release notes here!

* http://expandedramblings.com/index.php/google-app-statistics/

** http://marketingland.com/pinterest-says-it-has-100-million-monthly-active-users-143077

Speed Cloud Data Extractions from Anywhere

In our socially-driven world, it’s not surprising that Facebook, Kik and Instagram posts, as well as other cloud data sources have the power to break criminal cases wide open. The challenge for forensic examiners is getting to that data quickly. Together with mobile device data, these sources often capture the details and critical connections investigators and prosecutors need to solve a wide variety of crimes. UFED Cloud Analyzer, the first tool of its kind, removes the roadblocks and red tape involved in getting access from cloud service providers, reducing valuable time and cost to investigations.

“Social media data is a headache to access from application providers, but is so critical now to forensics investigations,” said Sgt. Andrew Weaver, Hartford, C.T., Police Department. “It can take months to receive data with a warrant and when we do, it’s challenging to review and uncover pertinent details – not to mention time consuming. UFED Cloud Analyzer gives us access to this data quickly so we don’t lose valuable investigation time waiting.”

Part of the UFED Pro Series, this exclusive and powerful investigative tool automatically collects both existing cloud data and metadata without the need for credentials, because the tool impersonates the phone in order to perform the extraction. It then packages this data in a forensically sound manner either in the field or the lab. This allows investigators to search, filter and sort data to quickly identify “Who?, When?, Where?” details to speed investigations from anywhere.


UFED Cloud Analyzer Retrieved Google Location Data as Key Evidence for an Investigation

The forensic practitioners already using this new tool are not only reaping its considerable rewards, but singing its praises.

“While assisting a local law enforcement agency with a recent criminal investigation, we were able to utilize Cellebrite UFED Cloud Analyzer to remotely collect Google location data pursuant to a search warrant,” said Jim KempVanEe, Director of Digital Forensics, LogicForce Consulting, Nashville, Tenn. “Within minutes of collecting the location data, we were able to confirm for the investigators that the suspect’s phone was within feet of the 12-year-old victim’s home and we were able to trace the suspect’s movements after he left the scene. All of this while another search warrant for location data sat idle at Google waiting to be processed. Great tool – thank you Cellebrite!”


Extract Insights Faster with New, Faster Capabilities

In the latest release of this tool, the capability to decode a cloud data account package from an Android device via a logical extraction just got even faster and more actionable. Investigators can now decide upfront which data should be extracted, selecting specific files and directories from cloud storage services including Google Drive and Dropbox. You can also now select a specific portion of email messages to access – headers only, headers and body without attachments, etc., helping to reduce investigative cycles.

Other key enhancements include the ability to:

  • Extract detailed location information from a suspect or victim’s private Google Location History, stored on Google cloud servers, allowing investigators to track all timestamped movements minute by minute
  • Track and analyze a suspect’s Facebook Likes and Events to get a better understanding of a suspect or victim’s interests, opinions and daily activities
  • Gain access to more Twitter connections, including pending requests either requested or received, to dive deeper into a suspect’s relationships
  • Reveal changes and/or discrepancies in images, videos and files stored in Google Drive and Dropbox

To learn more about how the UFED Cloud Analyzer and the UFED PRO Series can help you solve more cases quickly and accelerate investigations by gaining instant access to cloud data, contact your Cellebrite sales representative or visit http://www.cellebrite.com/Mobile-Forensics/Applications/ufed-cloud-analyzer


New and improved UFED Faraday bag!

With the evolution of smartphones, cellular networks and infrastructure have also advanced, signals have improved and their reach has expanded, which laid the ground for high-performance wireless access. Modern smartphones also carry other radio transmitters in addition to the network interface (including WiFi signals, Bluetooth, telecommunication systems, and GPS signals).

A fundamental aspect of device preservation at the crime scene is evidence collection on site. When needed, an officer can immediately provide electromagnetic isolation of a seized device to maintain proper chain of evidence, prevent data tampering, and safeguard the existing physical data on the device.

Cellebrite’s UFED Faraday bag has been redesigned and improved to meet the needs of quick investigation, offering better isolation storage. The new shielding material was tested against the former bag at various frequencies, and resulted in an increased attenuation of ~25 dB.

| Frequency (GHz) | Former bag attenuation (dB) | Redesigned bag attenuation (dB) |
|---|---|---|
| 0.8 | 53 | >80 |
| 1.8 | 52 | 71 |
| 2.1 | 45 | >80 |
| 2.4 | 42 | 77 |

Click here to purchase your UFED Faraday bag at an affordable price.

Are you REALLY certified by Cellebrite?

Danny Garcia

Are you REALLY certified by Cellebrite? If you have attended an official Cellebrite training course, you will have an account within our Cellebrite Learning Center, where you were able to download your certificates.

The Cellebrite Forensic Training System (CFTS) officially launched in June, 2013. The first official Cellebrite certification class was taught at the 2013 Mobile Forensic World conference in Myrtle Beach, South Carolina. The CFTS established a standardized, relevant and current curriculum to deliver the appropriate level of knowledge and practical experience by Cellebrite Certified Instructors (CCI) around the world.

Students attending our certification courses must complete the course and pass appropriate examinations prior to achieving Cellebrite Certified Logical Operator (CCLO) and/or Cellebrite Certified Physical Analyst (CCPA) credentials. Upon completion of a course, participants receive certifications, making them eligible to move to the next stage in the curriculum.

The CFTS is designed to offer a progressive certification system, allowing those students who achieve a higher-level certification, to maintain lower level certificates.  For example, someone who earns the CCLO credential will renew that certification by achieving CCPA.  In addition, individuals who earn CCLO and CCPA, may renew both of those certifications by earning our capstone certification, Cellebrite Certified Mobile Examiner (CCME).

The CCME certifies that the recipient has attained a level of mastery in the discipline of mobile device forensic investigation methodology and a high level of proficiency with Cellebrite’s Physical Analyzer software as well as working and practical knowledge regarding Cellebrite’s UFED technology. The CCME test measures the practitioner’s skill using three popular mobile device operating systems including Android, iOS, and Blackberry. CCME certification indicates that an investigator is a skilled mobile device examiner.  The CCME is available to applicants who have completed the Cellebrite Mobile Forensic Fundamentals (CMFF) course, and hold current official CCLO and CCPA certifications.  Examiners wishing to earn their CCME certification must complete the process within two years of earning their CCPA credential.

Have questions about Cellebrite certification and our recertification process? We have published information and an FAQ at https://www.cellebritelearningcenter.com/mod/page/view.php?id=4625.