Earlier this month we hosted a webinar entitled “What’s new in UFED Touch, 4PC, Physical Analyzer, Logical Analyzer 5.0?” The webinar gave attendees an overview of the features and capabilities introduced in version 5.0, including new extraction capabilities such as the temporary root (ADB) solution for Android devices, and detailed demos of merging multiple extractions into a single project, removing duplicates, the new validation process, filtering out common images, and other industry-first capabilities that help you drill into the data that is most crucial to your investigation.
During the webinar we received an array of excellent, insightful questions from participants. A selection of these questions, with corresponding answers, has been compiled into this blog post.
The webinar is available for viewing at the bottom of this post.
Note: If you don’t see your question answered below, please leave a comment at the end of this post and we will try to provide you with an answer ASAP.
Q&A – Let’s begin!
Q: Which fields are used to determine duplicated messages for Chat, MMS and SMS?
A: We use a set of deduplication rules. For analyzed data (SMS, emails, chats) we identify, for each model/content type, the key values that define a duplicate, and on that basis we remove duplicates and merge items. For data files (text, images, video and more) duplicates are identified by hash value.
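The two rules described above, key-field matching for decoded messages and content hashing for files, as an added example that is not part of the original post and not Physical Analyzer's own code. The key fields (content type, sender, recipient, timestamp, body), the record layout and the sample records are assumptions made for the example; the point it shows is that a duplicate is folded into the main item rather than dropped, so the merge can still be reported.

```python
import hashlib
from dataclasses import dataclass, field, replace


@dataclass
class Message:
    kind: str                    # "sms", "mms" or "chat"
    source: str                  # extraction the record was decoded from
    sender: str
    recipient: str
    timestamp: str               # as decoded, ISO 8601 in UTC
    body: str
    merged: list = field(default_factory=list)   # duplicates folded into this item


@dataclass
class DataFile:
    source: str
    path: str
    content: bytes
    merged: list = field(default_factory=list)


def message_key(m: Message) -> tuple:
    # Assumed rule for this example: two records are the same message when the
    # content type, parties, timestamp and body match. The source extraction and
    # any file path are deliberately left out of the key, otherwise nothing
    # decoded from two different extractions could ever match.
    return (m.kind, m.sender.strip(), m.recipient.strip(), m.timestamp, m.body)


def file_key(f: DataFile) -> str:
    # Data files are matched on content hash only: the same picture under
    # /sdcard in one extraction and /data/media/0 in another is a duplicate.
    return hashlib.sha256(f.content).hexdigest()


def deduplicate(items, key_fn):
    """Keep the first occurrence of each key as the main item and fold later
    duplicates into its `merged` list, so the duplicate is recorded rather
    than silently dropped."""
    seen = {}
    main_items = []
    for item in items:
        key = key_fn(item)
        if key in seen:
            seen[key].merged.append(item)
        else:
            seen[key] = item
            main_items.append(item)
    return main_items


# Constructed sample data, not from any real extraction: a logical and a
# physical extraction of the same handset merged into one project.
MESSAGES = [
    Message("sms", "logical", "+15550001", "+15550002", "2016-03-01T10:00:00Z", "Meet at 6?"),
    Message("sms", "physical", "+15550001", "+15550002", "2016-03-01T10:00:00Z", "Meet at 6?"),
    Message("sms", "physical", "+15550002", "+15550001", "2016-03-01T10:05:00Z", "Sure"),
    # Same parties and body but a different content type: not a duplicate.
    Message("chat", "physical", "+15550002", "+15550001", "2016-03-01T10:05:00Z", "Sure"),
    # Leftover copy of the first SMS carved from unallocated space: a duplicate
    # within the physical extraction itself.
    Message("sms", "physical", "+15550001", "+15550002", "2016-03-01T10:00:00Z", "Meet at 6?"),
]

JPEG_A = b"\xff\xd8\xff\xe0" + b"constructed image A" * 8
JPEG_B = b"\xff\xd8\xff\xe0" + b"constructed image B" * 8
FILES = [
    DataFile("logical", "/sdcard/DCIM/IMG_0001.jpg", JPEG_A),
    DataFile("physical", "/data/media/0/DCIM/IMG_0001.jpg", JPEG_A),
    DataFile("physical", "/data/media/0/DCIM/IMG_0002.jpg", JPEG_B),
]


def deduplicate_project(messages=MESSAGES, files=FILES):
    """Return (main_messages, main_files) with duplicates merged into them.
    Works on fresh copies so the sample data is never mutated."""
    fresh_messages = [replace(m, merged=[]) for m in messages]
    fresh_files = [replace(f, merged=[]) for f in files]
    return deduplicate(fresh_messages, message_key), deduplicate(fresh_files, file_key)


def summary(main_messages, main_files):
    """The counts a report would show: main items plus how many were merged."""
    return {
        "messages": len(main_messages),
        "messages_merged": sum(len(m.merged) for m in main_messages),
        "files": len(main_files),
        "files_merged": sum(len(f.merged) for f in main_files),
    }


if __name__ == "__main__":
    msgs, files = deduplicate_project()
    print(summary(msgs, files))
    for m in msgs:
        if m.merged:
            print(f"{m.kind} {m.timestamp} {m.body!r}: merged {len(m.merged)} "
                  f"duplicate(s) from {[d.source for d in m.merged]}")
```

Note that the chat record with the same parties and body as an SMS survives as its own item, because the content type is part of the key; whether that is the right rule for a given app is exactly the kind of decision a tool's deduplication rule set has to make per model.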
Q: After the deduplication process completes, are there any reports or items showing that there was a duplication?
A: Every table in the UI indicates which items were deduplicated, a filter lets you show just those items, and the same indication is carried into all report formats.
Q: Sometimes physical extractions of a single project contain duplicate messages due to garbage collection, etc. Is there a way to detect and remove duplicates from a single project?
A: Indeed. Version 5.0 also removes duplicates automatically within a single project/extraction.
Q: Is the application able to create a hash of the whole Image or project?
A: UFED Touch/4PC 5.0 computes a hash of the whole image for any physical extraction. UFED Physical Analyzer 5.0 lets you review this MD5/SHA-256 value and validate/verify the image against it.
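What that verification amounts to, as an added example that is not part of the original post and not UFED's own code: compute MD5 and SHA-256 of the image in one streaming pass and compare them with the digests recorded at acquisition time. The file layout and the fake image bytes are constructed for the example; a real image would be the dump file produced by the extraction.

```python
import hashlib
import hmac
import os
import tempfile


def hash_image(path, chunk_size=1 << 20):
    """Compute MD5 and SHA-256 of an image file in one streaming pass, so a
    multi-gigabyte physical dump is never loaded into memory or read twice."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(path, expected):
    """Compare the image against the digests recorded at acquisition time.

    `expected` maps algorithm name to hex digest, e.g. {"sha256": "..."}.
    Returns (mismatches, actual); `mismatches` is empty when every recorded
    digest matches. An unknown algorithm is an error, never a silent pass."""
    actual = hash_image(path)
    mismatches = {}
    for algo, digest in expected.items():
        if algo not in actual:
            raise ValueError(f"unsupported digest algorithm: {algo}")
        if not hmac.compare_digest(digest.lower(), actual[algo]):
            mismatches[algo] = (digest.lower(), actual[algo])
    return mismatches, actual


def demo():
    """Constructed scenario: hash a fake image at 'acquisition', verify it,
    then flip one byte and verify again. Returns both mismatch dicts."""
    data = b"constructed physical image " * 4096   # not a real dump
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "physical.bin")
        with open(image, "wb") as fh:
            fh.write(data)

        recorded = hash_image(image)          # what the extraction tool records
        intact, _ = verify_image(image, recorded)

        # Corrupt a single byte in the middle of the image and re-verify.
        with open(image, "r+b") as fh:
            fh.seek(len(data) // 2)
            fh.write(b"\x00")
        tampered, _ = verify_image(image, recorded)
    return intact, tampered


if __name__ == "__main__":
    intact, tampered = demo()
    print("intact image mismatches:", intact)
    print("tampered image mismatches:", sorted(tampered))
```

Keep the recorded digests somewhere other than next to the image (the case notes, a signed manifest); a hash stored beside the file it covers only proves the file has not changed since the attacker last updated both.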
Q: I see that you didn’t include merged data when you were going through the reporting feature; is there a reason why you would include this information?
A: By default the merged items are not included in the report, since we assume the main items are the most important. You can change this default and include the merged items as well.
Q: Is there a way to get a summary of all contacts that are on a phone? The Contacts area doesn’t always capture the contacts from apps (i.e. Whatsapp, Viber, etc.). I find that I need to extract SMS/MMS/Chats/CallLog and then combine the logs together for a contacts summary.
A: All recovered contacts are presented under the Contacts node in the tree, including contacts recovered from third-party apps. We plan to merge SMS, IM, MMS and chats (all messaging events) into a unified view in one of the coming versions of UFED Physical Analyzer.
Q: Using the upgraded UFED Touch and Physical Analyzer, I have noticed that when looking at results for a logical extraction of some phones, deleted data is shown. Can we actually get some deleted data during logical extractions now?
A: Deleted information from apps can be recovered as part of a logical extraction.
Q: When you change the name of the extraction, does it change the name of extraction file that is placed in the folder?
A: No, the name change is only for viewing and reporting purposes.
Q: Since WhatsApp is now encrypted, can UFED 5.0 extract WhatsApp encrypted data?
A: WhatsApp’s encryption protects messages in transit; it does not affect the data at rest in the WhatsApp databases, which is what a forensic extraction reads. Separately, WhatsApp has recently moved to a new encryption format for its backup database (crypt9), and we are working on a solution for it.
Q: Can UFED Physical Analyzer 5.0 pull data (pictures and videos) from SnapChat, or only text messages?
A: For both iOS and Android devices, media files are extracted as well.
Q: Is there a specific order as to when you have to do the ADB and APK backup and downgrade?
A: We recommend using the APK downgrade as a last resort, after the other extraction methods (including JTAG and chip-off) have been exhausted, since it is an intrusive method that requires installing an APK on the device.
Q: Why do some of the recovered passwords display as clear data, while most of them are encoded?
A: In many cases the application does not store the password itself but a token, which is why you do not see clear data. Such private data is stored in encrypted form as tokens: when the password is first entered it is sent to the server for storage, and each time it needs to be checked the password, encrypted with the public key, is sent to the backend server and decrypted there with the private key. In Physical Analyzer you can see these encrypted values.
Q: If you use the time zone support, does it make any changes to the extraction or is it just for easier viewing?
A: For easier viewing and reporting only; no change is made to the original extraction.
Q: About the timestamp option, can you explain about the options in the settings? When does it prompt when device time zone is detected?
A: To automatically adjust timestamps to UTC+0, select the Automatically adjust timestamps to UTC+0 check box. This setting is recommended when working on multiple extractions, so that all records are presented with the same time zone offset.
If a time zone is detected during decoding, a pop-up window suggests adjusting the timestamps automatically; alternatively, you can change this in the general settings. When the Automatically adjust timestamps according to the device’s time zone check box is selected, all timestamps are adjusted to the mobile device’s time zone, including in report outputs.
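Why the UTC+0 setting matters when several extractions are merged, as an added example that is not part of the original post and not Physical Analyzer's own code. The records, the detected offsets and the record layout are constructed for the example; the offsets are assumed to be fixed, whereas a real device zone may observe DST and should then be resolved per timestamp with a proper zoneinfo key. The original local timestamps are left untouched, as the answer above says the tool does.

```python
from datetime import datetime, timedelta, timezone

# Constructed records, not from any real extraction: timestamps exactly as
# decoded from the device, i.e. naive local time, from two handsets whose
# detected time zones differ.
RECORDS = [
    {"extraction": "handset-A", "type": "sms",  "local_time": "2016-03-01 09:00:00", "body": "On my way"},
    {"extraction": "handset-B", "type": "chat", "local_time": "2016-03-01 15:30:00", "body": "Where are you?"},
    {"extraction": "handset-A", "type": "call", "local_time": "2016-03-01 09:45:00", "body": "outgoing, 2 min"},
]

# Offset detected during decoding for each extraction (assumed fixed offsets).
DEVICE_OFFSETS = {
    "handset-A": timedelta(hours=-5),   # e.g. US Eastern standard time
    "handset-B": timedelta(hours=2),    # e.g. Central European summer time
}

FMT = "%Y-%m-%d %H:%M:%S"


def local_to_utc(local_time, offset):
    """Interpret a naive device-local timestamp in the given offset and return
    an aware UTC datetime."""
    naive = datetime.strptime(local_time, FMT)
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def utc_to_local(utc_dt, offset):
    """The reverse view: show a UTC instant in the device's own time zone."""
    return utc_dt.astimezone(timezone(offset))


def unified_timeline(records, offsets):
    """Add a UTC+0 timestamp to each record (the originals are left untouched)
    and sort the merged project on it."""
    out = []
    for rec in records:
        utc = local_to_utc(rec["local_time"], offsets[rec["extraction"]])
        out.append({**rec, "utc_time": utc.strftime("%Y-%m-%dT%H:%M:%SZ")})
    out.sort(key=lambda r: r["utc_time"])
    return out


def naive_timeline(records):
    """What you get if you sort the merged project on the raw local times."""
    return sorted(records, key=lambda r: r["local_time"])


if __name__ == "__main__":
    print("Sorted on raw local time:")
    for r in naive_timeline(RECORDS):
        print(f"  {r['local_time']}  {r['extraction']:9} {r['type']:4} {r['body']}")
    print("Sorted on UTC+0:")
    for r in unified_timeline(RECORDS, DEVICE_OFFSETS):
        print(f"  {r['utc_time']}  {r['extraction']:9} {r['type']:4} {r['body']}")
```

Sorted on the raw local times, handset-B's "Where are you?" appears after both handset-A events; normalised to UTC+0 it comes first, half an hour before the "On my way" SMS, which is the actual sequence. The same conversion in the other direction is what the device-time-zone option does when you want a single handset's records shown in its owner's local time.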
View the full webinar below.