Cellebrite launches first standalone UFED User Lock Code Recovery Tool for iOS and Androids

Locked devices have been a longstanding issue for mobile examiners since the evolution of smartphone devices. More than 50% of devices seized by police are locked.*

UFED User Lock Code Recovery Tool provides you with another solution to unlock the device and reveal the password on both iOS and Android operating systems, when no other extraction methods work. Using forensically sound brute force method, this standalone tool reveals the device’s user lock code on screen, and allows users to enter the password and access the evidence on the device, while ensuring that existing data remains intact.

How do I use this tool?

The tool is available for download for UFED users with an Ultimate license at MyCellebrite (the software runs as a standalone tool). Users are supplied with three Cellebrite cables to be connected to USB OTG mobile devices only. A UFED Camera or a Windows-based web camera is required to detect when the device is unlocked. For more information on using the tool, watch the video below to learn how bypass and reveal passwords on iOS and Android devices.

UFED User Lock Code Recovery Tool helps you get the evidence you need quick and at no extra cost.

*Consumer Report 2014

 

 

New UFED release 4.2.2 offers exclusive support, impressive breakthroughs and enhanced decoding

With the release of UFED Physical/Logical Analyzer 4.2.2, Cellebrite offers new decoding features designed to improve investigative efficiency from 1,128 additional device profiles and enriched degree of decoded data from 873 app versions.

Exclusive support for the latest and popular Samsung devices

Samsung contributes to the highly fluid mobile market by introducing ever smaller and lighter mobile device models every few months. The quick adoption of these devices by felons leaves investigators to encounter additional challenges during the investigation. Cellebrite enables access to all data, including deleted data, from the newest Samsung Android devices available in the market today. Cellebrite supports physical extraction while bypassing the user lock using the forensic recovery partition method, and decoding from 33 Samsung Android devices, including Samsung Galaxy S5, S6 and Note 4 family of devices.

Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition. The original recovery partition on the Android device can be considered as an alternative boot partition that may also change the user data partition, while Cellebrite’s recovery image does not affect any of the user data.

Support for next generation smart watches

Android wear may be a new concept, but with nearly $7M sales just last year, many independent research groups anticipate a huge growth in the wearable space is in the next upcoming years. With the rate of new devices entering the market by Samsung and others, Cellebrite ensures that investigators remain ahead with the most advanced extraction and decoding technology to support these new trending devices.

UFED enables physical extraction while bypassing lock, and decoding support from the most popular next generation smart watches including LG smart watch LG G WATCH R™ (W110) and the previously released Samsung Galaxy Gear SM-V700.

New app decoding and decryption support

Apps provide a rich source of data to investigations. 59% of our users say that 3rd-party apps data matter the most in investigations. Cellebrite provides updated support for 843 app versions in this release, as well as decoding support for new apps, such as Facebook Messenger (decoding of the call logs of the voice calling feature and the new video calling/chatting feature). Additional decryption is also available for UFED 4.2.2, UFED Physical Analyzer is now able to decrypt and decode Android Backup (Android 5.x) with a known password as part of the file system extraction.

Download the release notes to see a full list of apps and version numbers.

Now higher resolution view in offline maps feature

In UFED version 4.2 we introduced the latest offline maps feature which enables you to view extracted locations on a worldwide map without internet connection. This feature has been improved, enabling you to view extracted locations on a regional map, and zoom in at an even higher resolution of 15x to view streets for better indication and view of the location without internet access for the following continents: USA, Canada, Europe, Japan and Korea, Middle East, Africa, London, Los Angeles, New York, Paris, Singapore and Tokyo.

 Untitled

You asked for it, we developed it!

UFED Physical/Logical Analyzer 4.2.2 keeps pace with investigator demand and provides the option to redact the image thumbnail from the PDF, Word and HTML report. You would use this option with cases involving sensitive images, such as child abuse.

Untitled2

3 Reasons to Vote for Cellebrite for a 2015 Forensic 4:Cast Award

For as long as the Forensic 4:cast Awards have existed, Cellebrite’s UFED tools have been named Phone Forensic Tool of the Year. Being nominated among some of the greatest products in the industry, we couldn’t be more proud that the forensic community recognizes our continuing efforts to deliver the best, most innovative and  functional mobile forensic tools for seven years running.

Thanks to you, Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED 4PC for phone forensic software of the year
  • Digital forensic organization of the year

Will you vote for us this year? Here are a few reminders why Cellebrite deserves the Forensic 4:cast Awards.

1. We’ve got your back.

Cellebrite has always been known for its breadth of support for new devices, but in 2014 we deepened our support for both smartphones and the apps installed on them. We improved our automated decoding, so you can spend more time analyzing data than figuring out how to decode it; brought our device profile support up to more than 14,000; and added decoding support for 25 prepaid Android devices—including Tracfone models that stumped investigators for years.

2. We make data analysis as simple or as complex as you need.

The visual analytics we include in tools like UFED Physical/Logical Analyzer and UFED Link Analysis give you a basic, at-a-glance look at key people, places, and communications via Project Analytics, Timelines, Maps, and Graphs. These help you immediately visualize your data and focus on only that which is most relevant to your case.

When you need to get “into the weeds” with the data—at the device memory level—you can do that too. Locate, carve, and validate data using advanced search functions like regular expressions and searches for strings, dates, codes, numbers, ICCID, SMS formats, etc., and import your JTAG and chip-off extractions into UFED Physical Analyzer for decoding.

3. We give you the tools you need not just to extract and analyze the data, but also to testify about your process with confidence.

Tools with as much functionality as ours deserve investigators who can put them to good use, so in 2014 we stepped up our training and certification program. We are now the first and only digital forensic vendor to deliver courses not only in person, but also online, and more than 4,000 practitioners earned their Cellebrite certifications through the end of 2014.

Vote for us today!

 

Balancing data actionability with forensic soundness

The ability to extend mobile evidence collection capabilities into the field has a great many benefits. Reducing costs associated with overtime, outsourcing, and diminished forensic lab productivity renders a field-based solution an investment rather than an additional cost. Reducing the risk of human error in data analysis is attractive, too, as automated tools help to improve field-level decision-making about cases.

Even so, decentralizing mobile forensics also carries its own risks. Will field personnel handle mobile device evidence the right way, including securing proper legal authority? Will they follow policy and standard operating guidelines when it comes to extracting and preserving mobile device evidence?

The legalities around field-based mobile device extraction have yet to be determined in many countries, but authorities can ensure compliance with organizational policy and overall forensic best practices by using permission management and auditing features. These kinds of capabilities take into account that not everyone needs the same level of access to mobile device evidence, depending on the types of cases they are investigating as well as the offense severity.

With the UFED Field Series, as well as the UFED Pro Series, permission management functionality allows agency administrators to define and configure user authentication settings to ensure that only users with the right credentials can access the application. An encrypted permission management file that contains usernames and profiles can be imported into multiple UFED InField applications.

Not only credentials, but also extraction privileges can be assigned. Certain investigators may be able to have access only to logical and SIM card extractions, while forensic lab examiners can access full physical extractions as well.

In addition, administrators can define content types available from logical extractions. Some investigators may be granted extraction permissions only for images and videos, for example, while others can access messaging in addition to images and videos.

These privileges can be based on user roles and/or training and certification levels. For example, investigators who have received the Cellebrite Certified Logical Operator (CCLO) or the Cellebrite UFED Field Operator (CUFO) certifications, or completed the coursework without receiving the certifications, can be assigned as many or as few extraction privileges as an administrator deems necessary for their role.

On the flip side of granting access to mobile extractions and data is tracking what the logged-in users do once they’re in the system. With UFED InField, an activity log maintains a list of all transactions including extraction start and end times; transaction type, duration, and status; device owner, vendor, model, and name; case ID and crime type; and who seized the device. Administrators can use this log to audit usage and ensure accountability among users.

The UFED Field Series solutions promote the treatment of mobile devices as crime scenes, so that the evidence they contain is fully preserved from seizure all the way through search and analysis. It offers organizations the “technology” component of a three-pronged approach that Cellebrite encourages towards implementing legally defensible field-based extractions for personnel who do not specialize in mobile forensics. By combining the UFED Field Series with training, policy, and standard operating guidelines*, organizations can reduce risk while meeting the need for improved access to actionable mobile device data in the field.  To learn more, download our solution brief today.

Umbrella - blog banner

*We recommend you work with your prosecutors and administrators to develop policy and appropriate training, including processes for obtaining written consent and search warrants (either traditional or electronic, if your jurisdiction allows).

Unifying investigative teams from field to lab

Nearly two-thirds of respondents to Cellebrite’s 2015 mobile forensics trends survey rated “important” the ability to extend mobile evidence collection capabilities into the field. The reasons are many: the costs of overtime, outsourcing, and even human errors are mounting, while lab service delivery times diminish.

Improving investigators’ ability to make decisions about their cases, including whether they need to escalate mobile evidence to a forensic lab at all, is the focus for many organizations in both law enforcement and the private sector. This focus reflects a need for in-field mobile device forensic solutions that span field locations: both stationary kiosks at satellite offices or stations, and mobile data extraction devices.

To this end, they seek solutions that provide basic data analytical capabilities: the ability to identify the who, what, where, and when of any given incident using mobile device data in conjunction with field interviews, witness statements, and other investigative activities undertaken in the first hours or days following an incident.

When evidence escalation is required, the solution must be able to route data immediately over a private network to a digital forensics lab at a headquarters, in another jurisdiction, or even in a different country. In other words, the solution must ensure that investigative teams have the technological ability to transfer data back and forth across a truly unified, secure system that promotes full accountability for their actions.

Without these abilities, the workflow falls apart under two circumstances:

  1. When data recipients have to translate the data into a different format so that it will work with a different system, or when senders have to take extra steps—such as transporting data storage media to the recipients—that adds, rather than saves, time.
  2. When it is difficult for managers to track statistics and integrate reports that give them visibility into how their personnel are using the tool, and therefore, make it more efficient for them to help personnel manage caseloads or adjust expectations.

Cellebrite’s UFED Field Series aims to reduce these problems by using an agency’s encrypted network to enable personnel to share extraction statistics, reports and raw data with other personnel or send to a predefined location.

The right infrastructure: local area network (LAN) and/or virtual private network (VPN)

Whether users are in substations, using UFED Field Series solutions installed on the UFED Kiosk, or are mobile, using UFED IX or ILX on laptops or tablets, the ability to send extraction data to a central location for storage or analysis with a single click is an important distinction.

At a minimum, kiosks in substations or satellite offices can be connected to a LAN using a standard RJ-45 cable and their own IP address. With a VPN, a similar capability can be extended to UFED Field IX deployments in vehicles. That way, a laptop or tablet connected to wifi, or to the cellular network via air card, behaves like other endpoint networked devices with its own IP address.

Organizations that do not have reliable infrastructure, such as those in rural locations without 4G or LTE wireless service, may experience bandwidth challenges because even logical extractions, on many smartphones, could be a couple of gigabytes.

In these cases, workarounds such as storing extractions and performing a daily scheduled batch file upload at end of shift may help. Users could also opt to store extraction data on encrypted portable devices such as USB or hard disk media, although this can add time to the overall process.

Streamlining communication via analytics

It is one thing to extract data to provide to other team members, but another to offer them visual analytics that can help them support particularly time-sensitive scenarios. Two scenarios enable this capability.

  1. Deployed in the field on mobile units, UFED Link Analysis allows investigators to create a project merging data from multiple devices, and then to share that project over the network with other investigators at a central or another mobile location.
  2. Deployed at a satellite location such as a police substation on the UFED Kiosk, UFED Link Analysis appears as a “shell” viewer. This data can be stored on a network drive, DVD, or USB for later transfer to other investigators.

While UFED InField is designed to help first responders improve their investigative efficiency by putting mobile evidence collection solidly in their hands, its optimization for a network-enabled environment allows for a seamless transfer of data to lab practitioners when required. To learn more, download our solution brief.

Umbrella - blog banner

How private social data makes a better crime story

Open source intelligence is an undeniably important source of information in a great many investigations, both civil and criminal. Public-facing posts to Facebook, Twitter, Vine, Pinterest, and other services can provide key evidence in cases involving insurance fraud, child exploitation, organized criminal activity, and harassment in or out of the workplace, among others.

However, open source intelligence is limited. People who act one way on public networks may behave very differently in private posts or messages, and may conceal key details in private messages. That means that without the data, investigators lack important context. In a recent survey of Cellebrite customers, nearly two-thirds reflected that data stored off the device and on the cloud was of critical concern to them.

Perhaps the most well-known example of the gap between public and private social data is the wave of street violence that occurred in north London, England in August 2011. As The Guardian reported, Facebook and Twitter only accounted for a small amount of communications around the unrest. Actively monitoring those services, police managed to deter violence in publicly named locations.

“However,” the news article went on to note, “the most powerful and up-to-the-minute rallying appears to have taken place on a more covert social network: BlackBerry Messenger (BBM)…. unlike Twitter or Facebook, many BBM messages are untraceable by the authorities.”

Social network analysis identifies likely sources of private contact

When an investigator considers the likelihood that s/he will need to obtain private social data, interviews with victims, witnesses and suspects are often a good place to start. Interviews can reflect communication patterns—apps and platforms used, modes of contact, etc.—among people involved in a case, and help narrow down the range of content to look for.

Also consider who is important enough for the victim or suspect to share information with. You can get a sense for this network from analyzing activity by the people they most frequently communicate with: those who like or comment on their posts, how frequently, in what context. Unusual communications from a loose acquaintance, depending on timing, can be as important as regular contact with a typical circle of people.

Social network analysis can also reveal relationship conflicts of interest, which can be important in fraud or insider threat cases. People who are not outwardly connected on social media may be communicating via email or private message, in accounts they don’t use to communicate with anyone else.

Public data can provide private leads

Consider, in addition, what is important enough for a victim or suspect to share information about. Images of material goods can indicate money spending habits or even outright crime. Their page likes and follows—the Guardian reported that initial activity related to the riots began on a public Facebook page—can provide clues about interests and activities which they may discuss privately.

Meanwhile, private content that is opposite to public postings, or to what the victim or witness has told you during interviews, can be used as leverage to find out what really happened. These contradictions can exonerate as well as implicate a suspect. And, if the case goes to trial, the contradicting content can impeach a witness’ credibility.

Understand cloud usage trends in your community

It’s important to maintain a strong sense of technological trends ongoing not just in the nation or the world, but in specific regions as well. The Guardian described in a later article how, in London, BlackBerry’s prepaid model allowed teens and lower-income people to afford the devices they used to coordinate their activities, without using cloud services.

Further, while BlackBerry Messenger communications are encrypted, and iOS and Android devices are heading that way as well, most social media services are not. That means that data unrecoverable from apps on the device, may still be available from cloud services themselves.

Even so, with mobile device manufacturers, third-party app developers, and online service providers taking more drastic measures toward improving their customers’ data security, government agents should take the steps they need to secure proper legal authority before accessing subjects’ private data. That could take the form of a search warrant, consent, or other documentation. It also means understanding the difference between true exigency, and the perception of exigency in a high-pressure situation such as a riot.

Don’t miss out on the critical evidence or intelligence that could help make a case. Download our solution brief to learn more about how the UFED PRO Series improves the context of an investigation.

Umbrella - blog banner

UFED Physical/Logical Analyzer 4.2 offers efficiency improvements, decryption and enhanced decoding

PA42exclusive

 

 

 

 

The new Physical/Logical Analyzer release, version 4.2, is chock full of features and device support. From more efficient location mapping processes to improved decoding, this latest release is designed to accelerate your investigations and enable you to drill more deeply and intuitively into data from more than 15,000 devices.

Deeper location data analysis, more efficient workflows

UFED Physical/Logical Analyzer 4.2 offers a number of new enhancements with regard to location data. These enhancements offer more flexibility and efficiency by allowing you to access highly visual information more easily.

First, new offline map support offers maps view even when an Internet connection is not available or you are analyzing data at a workstation that is required to remain offline. Second, you can also now zoom in to locations in map view and see related event details. When you want to explore deeper relationships between locations, timelines, and analyzed data, you can jump from location information to its source event or timeline and vice versa.

Location information also allows you the ability to examine attached images, videos, audio, text, and other files identified during the data analysis process. The Data Files category in the project tree enables you to view and filter attachments within data files, locate the associated attachment event, and view its metadata and location information.

Do you frequently share your extracted UFDR reports with others using UFED Reader? Now, include the UFED Reader executable within the report output folder. This saves time for report recipients in locating, downloading, and using the UFED Reader application.

New app decoding and analysis functionality

UFED Physical/Logical Analyzer 4.2 also keeps pace with investigator demand for greater visibility into app data. Besides newly added support for apps installed on Android, iOS, and Windows Phone® devices, as well as updated support for 40 Android and 63 iOS app versions, the new release offers additional decoding and some decryption support, as well as improvements in the way app data—particularly chat app data—is displayed.

Added to analytics that show the most frequently used apps, app usage data now includes information about the last time a user launched a particular app, as well as for how long they used it. Also for the first time, view the number of messages per chat, which can help validate chats extracted using other tools that do not thread messages. Additionally, location data for chat messages is now available for export into all report formats.

Other apps-related support includes decryption of KeepSafe and WeChat apps, together with decoding support for WhatsApp VoIP call logs on Android devices. New WhatsApp support also includes the Read, Delivered and Played timestamps of outgoing WhatsApp messages for iOS, Android and BlackBerry® 10 devices. In addition, Twitter group chat messages are now displayed in Chats.

New device support includes physical extractions, decryption, and decoding

Disable the user lock for 159 Samsung Android models using SPR and SPM methods, depending on the device’s firmware version. In addition, Physical extraction with lock bypass and decoding is now supported for 58 LG Android devices released with Android version 4.2.x and above.

Decryption is now possible for physical extractions from generic Android and Samsung devices running Android 4.2 and below using a known password. Similarly, extract BlackBerry device backup data as part of file system extraction, and then decrypt the backup data with known BlackBerry ID credentials you retrieve via UFED Physical Analyzer.

Device information decoding is newly enhanced for all device types. For BlackBerry 10 this includes username, device model, PIN, IMEI, and device name; for Windows Phone devices, the information includes IMEI, IMSI, MEID, mobile operator ID, country, MAC address, and OS version. Device information for Android devices now includes the decoded Tethering ID and password, while iOS device product name and product type information are now included under device information.

Saving time in a death investigation

One Minnesota (US)-based detective working a death investigation used Physical Analyzer 4.2 to unlock a pattern locked Samsung Galaxy S5 (SM-G900V). Facing a lengthy and destructive chip-off extraction because the device did not appear to be supported for JTAG extraction, the investigator was able to run the device against a pre-release copy of Physical Analyzer 4.2. The extraction worked, and the investigator was able to use that evidence to continue building his case.

To learn more about how the new UFED Physical/Logical Analyzer 4.2 can help accelerate your investigations, download our release notes today!

Keep your investigations moving forward with cloud-based data

How many of these scenarios have you encountered as an investigator?

  • The suspect used an app for which there is no mobile forensic support. You could manually carve and decode the data from a physical extraction—assuming it is supported by the mobile forensics tools you use—but you lack time, and/or the forensic lab tells you it will be weeks before they can get the data back to you.
  • You serve a search warrant on a cloud data provider, but they ignore your request, and/or they inform the suspect that you’re investigating.
  • The cloud provider is willing to work with you, but they tell you they can’t comply with your search warrant or court order unless it is submitted a certain way. During the weeks it takes you to negotiate and get new paper signed, your victims recant their statement, and your witnesses are much less forthcoming in follow-up interviews.

A case that stalls or halts altogether, while you wait for time-sensitive webmail and/or social media data, means it’s a lot less likely that you’ll be able to find and apprehend a criminal. You need a way to obtain cloud-based evidence much more quickly, and preferably within the first few hours or days of a victim’s initial statement.

Obtaining private cloud data offers additional context for what was going on in a victim’s or suspect’s life during specific timelines. Having this context enables investigators to make informed decisions about how to proceed with a case, how to plan an interview strategy, and which individuals to focus on.

Restricting a search to these timelines, and to certain content types, not only reduces the amount of data you have to go through; it also protects individual privacy by eliminating the content that has nothing to do with the investigation.

Private cloud data access can also help to reduce the risk that you’ll have missed important artifacts from mobile devices and hard drives, especially when devices or apps are partially supported or unsupported for extraction.

Finally, faster access to important evidence reduces the risk of losing witnesses who lose interest before a provider returns data, or because a provider was resistant to being served or tried to inform the suspect. It can also help to identify victims who might not have come forward on their own.

With the proper legal authority, private cloud data can give you the data you need to make a case without adding too much irrelevant data to have to sift through. Download our solution brief now to learn more about how to leverage this capability within the UFED PRO Series as part of your investigations.

Umbrella - blog banner

Introducing Cellebrite’s new mobile forensics solutions for lab and field

Today we’re excited to launch two new ways for law enforcement, military, and private-sector investigators to approach investigations. Our suite of mobile forensic solutions relies upon tried-and-true, flagship UFED technology together with a couple of newcomers designed to unlock the intelligence of new and disparate mobile data sources and extend investigative capabilities to the field so that actionable information can be qualified and shared quickly.

The new offerings are founded upon insights gleaned in our recent mobile forensics trends and predictions survey. Among them, 60% of respondents indicated that more data stored off the device and on the cloud was of major concern to them, while 80% of respondents reported experiencing some level of device backlog in the last year.

The UFED Pro Series, designed for forensic lab practitioners, and the UFED Field Series, designed for field personnel, each respond to those and other concerns by optimizing data extraction and analysis capabilities by role—and unifying investigative workflows between lab and field.

In other words, field-level investigators now have a way to obtain a simple data preview capability, enabling them to access actionable data without having to wait for a lab, while lab-level investigators can use specialized tools to tackle a larger swath of visible, hidden, deleted, and cloud-based private data, when a situation demands.

The UFED Pro Series comprises Cellebrite’s flagship UFED Ultimate together with UFED Link Analysis and, when appropriate, the all-new UFED Cloud Analyzer in two solution sets: UFED Pro CLX and UFED Pro LX. The integration allows examiners to unify disparate data for easier analysis, helping to bring key insights to the surface quickly.

The UFED Field Series – an integrated software and hardware solution comprised of UFED Field IX and UFED Field ILX — allows field-level personnel to perform simple, efficient, data extractions onsite via in-car workstations, laptops, tablets, or our new secure, self-service UFED InField Kiosks at stations or other locations. This frees forensic specialists to move beyond basic evidence collection and focus on more complex analytical work.

Both solution sets include user and data management controls that forensically preserve evidence, maintain chain of custody through the unified workflow, and promote device owner privacy by filtering data by date, time, and/or content types to focus only on what’s most relevant to an investigation.

Learn more in our press releases about the new UFED Series solutions, including the UFED Pro Series and the UFED Field Series, and be sure to leave us a comment should you have any questions!

Link data in graphs, timelines, and maps to save time and accelerate investigations

Link analysis capabilities continue to grow in importance in a great many investigations, from homicide and sexual assault to property and pattern crimes. Read (and watch!) on — and at the end of the post, download our white paper — to learn how UFED Link Analysis can help you save time and effort in finding leads, establishing patterns, and maximizing the insights available for your investigations.

Construct case timelines from multiple mobile devices

Timelines are one of the most important elements of any investigation. Retrace a victim’s or suspect’s steps through the last hours, days, weeks or even months before an incident. Identify a subject’s patterns of behavior: the days and times s/he regularly visits or calls family members, does business, runs errands, etc. These patterns, as well as deviations from them, can be important in small or large ways.

Learn more about how to quickly visualize timelines in UFED Link Analysis in our video:

Import additional data sources for context

One of UFED Link Analysis’ most important features is the ability to import data from other sources; notably, carrier call detail records (CDRs), which can show the towers to which a suspect or victim device connected over a period of time. This can help establish both travel activity and stationary locations. CDRs can also reveal incoming and outgoing calls and, in some cases, text messages (depending on how long they retain the data).

Watch to learn more about pre-set formats and other features that make CDRs easy to import and analyze alongside device data:

Establish suspects’ and victims’ location behavior

Along with timelines, the maps within UFED Link Analysis can be a good way to narrow down a list of potential leads and establish subjects’ normal and abnormal patterns of behavior. Plot geolocation data from wifi access points, cellular towers, GPS apps, images and video to show two or more suspects in the same location at the same time. You can also do the same to show a suspect’s connection to a victim – or exonerate a suspect accused of wrongdoing.

Learn more about how Map View works in our video:

UFED Link Analysis’ versatility only starts with these features. Download our white paper for additional details about putting it to work for your investigations!

LKA_Banner_Blog