TomTom Triplog Decryption: Provided by Cellebrite Advanced Investigative Services

Global Positioning Systems (GPS) fall into the category of wireless communications that hold a considerable amount of evidence that can be used in an investigation. People’s whereabouts are recorded in “second-by-second” detail on their TomTom navigation system and retrieving this type of information can provide powerful digital evidence for your case.

In recent years, the law enforcement community has seen a dramatic increase in the use of GPS devices as an instrument of a crime or as a “witness device” collecting and logging positional data while the crime is being carried out. TomTom and Garmin units are by far the most popular devices law enforcement have been encountering. The sales of portable navigation devices are at an all-time high.

Last year, more than forty million portable GPS devices like TomTom’s GO series or Garmin’s Nuvi series were sold worldwide.* In Europe, TomTom is the most widely used navigation system; and the big market share (47%) could be attributed to the TomTom built-in installation in vehicles. Forensic analysis of vehicle movements records can provide evidence of considerable value in crime detection. (While Cellebrite does not provide data extraction from built-in systems, we support decoding of chip-off data extractions from them, and then decryption of the triplogs).

Cellebrite supports a select list of TomTom devices, which can be found here. Aside from extracting timestamped GPS locations from the trip log files using unique decryption technology, Cellebrite also provides decoding support for contacts, calls and locations. Forensic analysis of such records can provide evidence of considerable value in crime detection.

Upon setting up a TomTom device for the first time, it prompts the user for permission to collect information from the navigation device. The information or triplogs shared is used to improve maps and other services offered by TomTom, such as traffic information related to where the user is. (These services are disabled if a user chooses not to share the information).

If the user accepts, his or her TomTom device is set to log all trips in dedicated binary files known as triplogs. These files are saved in the device file system under a directory named STATDATA. The triplogs collected illustrate a breadcrumb trail of where the person travelled to with the navigation system in very high resolution. TomTom triplogs are encrypted in order to protect user privacy, but also accumulate additional encryption obstacles to the ones that already exist.

Cellebrite offers a unique decryption service to our customers, as part of Cellebrite Advanced Investigative Services, that enables the extraction of timestamps and locations from the triplog files that reside in the STATDATA folder. The triplog files hold complete trip GPS information (including latitude and longitude), and thousands of locations, in a resolution of 1 to 5 seconds.

TomTom Triplogs

How can I send Cellebrite these triplogs?

Using UFED Physical Analyzer, open the extraction and then select Tools,TomTom menu, select Export to save the XML file generated from the triplogs, and submit to Cellebrite via CAIS. The decrypted data will be sent back to you within a few days, and ready to be imported into UFED Physical Analyzer- where the triplogs can be viewed in detail (3 second log when device was active). A kml-file can then be generated and viewed in Google Earth and other similar applications.

UFED Physical Analyzer enables TomTom extraction and decoding of the following information: home, favorites, recent, user entered, locations, last journey, location, date & time, routes, GPS fixes (also deleted), deleted locations (of all categories), as well as recovery of geotag visualization of location based data on Google Earth/Maps.

UFED Physical Analyzer has also been equipped with a covert feature that enables silent activation of triplog files, which means that you can connect a TomTom device to the UFED system and activate the logging feature. As soon as this is carried out, the device will start saving triplogs, once TomTom is in use again.

Send us an email to learn how Cellebrite Advanced Investigative Services can help with your encrypted triplog files, along with Google Earth KML files.

Watch the webinar below to learn how you can use UFED Physical Analyzer to extract TomTom files:

References

*http://www.forensicfocus.com/tomtom-gps-device-forensics

Cellebrite launches actionable forensics data in the field

Police work is mostly about solving cases, and this is not a trivial task. Gathering clues and hints is important to achieve the desired outcome. Everyone today has a mobile device on them wherever they go, and these devices are storing a lot of information (calls, chats, locations, pictures, contacts), leveraging this data for investigation is just common logic.

Researchers conducted on investigation process proved that evidence or clues that are gathered within the first 48 hours are imperative to solving cases, and the statistics shows that when there is no real direction the chances to ever solve the case decreases by 50 percent.

So the need for speed is clear, and providing actionable data extracted from mobile devices is a necessity. How can this be done? A mobile forensic examiner would require years of experience to develop the right skill sets to overcome different technical challenges of obtaining forensically sound evidence. How can we speed the process and move mobile data recovery from the forensic labs, where we have the experts, to the field where we have excellent investigators whom ar not experts in mobile forensics?

This is the exact challenge we faced at Cellebrite when we started planning and designing our UFED InField solution. We have consulted with many of our customers (both digital forensic experts and police investigators), and together we defined the criteria and needs of users for field mobile extraction. There were three main obstacles we needed to address:

  1. Extraction duration – it must be quick and effective, as in the field there is no time for long process.
  2. Simplicity – The users are not technical nor forensic experts, and therefore the flow should be as simple as possible.
  3. Deployment management – When you have a wide deployment of devices across the country to enable investigative teams to perform mobile extraction quickly, you must have a tool to manage the deployment and set flows per the need on the agency.

With new release of UFED InField 5.2, we kept the above three challenges as part of our product design guidelines, and indeed, based on the feedback from our beta customers, we gained a lot of progress.

Meeting all the needs for field forensics is a journey, and together with our customers will continue to research and develop new capabilities to make the experience simplified and efficient as possible.

Join the journey and discussion share your ideas and feedback by posting a comment below. Perhaps together we can help build a safer society.

I am hosting a webinar next week, Wed. June 22nd, on how you can simplify mobile data access in the field to speed investigations. Click here to register.

_ARS6348_NewKiosk_22may2016

 

Reason #3 to vote for Cellebrite for a 2016 Forensic 4:cast Award

There is just less than a week left to cast in your votes for the Forensic 4:cast Awards. In our previous blog posts, we mentioned that Cellebrite deserves an award this year for being consistently first, and often unmatched, bringing critical mobile forensic innovations to your work environment, and for also being the first to provide support for the most popular brands and models.

Here is the third reminder why Cellebrite deserves an award:

Forensically Sound Evidence Every Time

Unlike competitors’ “black box” third-party bootloaders, UFED remains the only mobile forensics solution with custom-designed, read-only bootloaders. By controlling every part of the process, Cellebrite ensures that the bootloading is non-intrusive and that nothing is altered on the device, keeping the data forensically sound. This capability is delivered in proprietary bootloaders that support physical extraction while bypassing locks for mobile devices, which have no alternative solutions. Our custom-designed bootloaders contain a code that is specifically designed to only read the memory chips, not write them, and are thus more flexible, generic, and work with a wider variety of devices. Altogether, they make for a solution that lets you overcome barriers and ovoid data loss or overwrite.

In version 4.2.6, released August 2015, we have enhanced the bootloader method to provide physical extraction support for the latest Samsung Android devices, (including firmware SM-G900V, SM-G900A, SM-N900V, SM-N910V, SM-G860P). With the coming release of UFED 5.1, we will be providing lock bypass and physical extraction support using the enhanced bootloader method for 200 Samsung devices.

If you benefit from our unique capability to perform a physical extraction while bypassing lock, then vote for us today!

Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED Physical Analyzer/ UFED4PC for phone forensic software of the year
  • Digital forensic organization of the year

ForensicFocus_728x90_4cast_Vote_30mar2016

Introducing Cellebrite’s Advanced Digital Analytics Platform

Today we are excited to announce our new UFED Analytics solutions, a cornerstone of the Cellebrite Unified Digital Forensics Platform. Designed in collaboration with our customers, the new UFED Analytics Platform simplifies the complex by automating the manual, time-intensive tasks associated with analyzing and managing data collected from mobile devices, applications, cloud services and CDRs.

Comprised of three offerings, the solutions act as a force multiplier, empowering examiners, analysts, investigators and prosecutors to simultaneously organize, search, map, visualize and manage large sets of digital data to identify patterns and reveal connections between one or more subjects – or cases – quickly and efficiently. Advanced text, image, video, geolocation and link analysis capabilities deliver the deepest, most accurate insights possible, helping to accelerate investigations.

Cellebrite’s Analytics Product Family components include:

UFED Analytics Desktop: Designed to meet the needs of a single forensic practitioner or investigator, this application simplifies and automates analytical tasks, allowing a user to easily identify the critical relationships that can focus investigations.

UFED Analytics Workgroup: Designed for 50 users or less, UFED Analytics Workgroup delivers a client-server solution that efficiently and effectively manages hundreds of digital data sources.

UFED Analytics Enterprise: This scalable platform supports a complete, end-to-end digital forensics workflow, allowing anywhere from tens to hundreds of users to collaborate on a case or perform cross-case analysis simultaneously.

Expanding beyond the mobile landscape

The time has come for our customers to consider a more efficient approach in order to work cases faster. Sifting through data to search for evidence in PDF reports is like going fishing, and the more mobile devices, the more data, the bigger the report. Investigators can no longer waste their time with manual analytical processes. We now enable investigators to move beyond disparate data repositories and manual analytical processes to a unified investigative platform. With intuitive and streamlined digital forensic data management, case stakeholders can collaborate and act on digital data in real-time.

Read our case study to discover how the McLennan County District Attorney’s investigative process is already benefiting from this new approach.

Banner for Interactive tool  

 

Discover Best Practices and Advanced Decoding with UFED Physical Analyzer: Q&A from Cellebrite’s webinar

In a recent webinar, Dan Embury, our CAIS Technical Director, provided participants with tips and tricks, and best practices to help them get the most out of UFED Physical Analyzer. Overviews include Android custom recovery, Android UFS-based device unlocking, BlackBerry 10 backup encryption, Android backup APK downgrade, Apple iOS jailbreaking overview, as well as decrypting and decoding TomTom trip log files.

The webinar is available for viewing at the bottom of this post. During the webinar, participants asked a number of good questions, which we’ve compiled in this blog.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Q: Can you confirm that TomTom decryption is not included in UFED Physical Analyzer

A: The decryption itself is not included in UFED Physical Analyzer. It requires offline processing, utilizing a large number of computers and processors. Ultimately, exportation of TomTom decryption in XML format can be forwarded to Cellebrite, and we will do the decryption. The decrypted results are then provided back to you to analyze in UFED Physical Analyzer, using the TomTom import function.  Please contact CAIS@cellebrite.com for more details and to submit your encrypted trip logs.

Q: WhatsApp recently announced that they have encrypted chat and voice chat, can UFED extract WhatsApp data after the WhatsApp upgrade?

A: In general, messages while in-transit are encrypted however this does not affect data-at-rest (forensics) stored in the WhatsApp databases. Cellebrite will release a solution in the coming days to decrypt the new WhatsApp encryption key – crypt9.

Q: When retrieving the BlackBerry encryption key using BlackBerry ID and password, how does this work?

A: Within UFED Physical Analyzer, you may retrieve the key associated with a BlackBerry ID using known credentials and decrypt the backup data from BlackBerry devices.

How to use: Open a file system extraction of a BlackBerry 10 device.  During the decoding process, a window is displayed: Enter the BlackBerry ID credentials and select Get Backup key (to retrieve a key, an Internet connection is required in order to communicate with the BlackBerry company servers).

You can save the key for future usage by selecting the Save button. If an Internet connection is not available, you can retrieve a key on any instance of Physical Analyzer connected to the Internet. Go to Tools and select Retrieve BlackBerry 10 Backup Key.

Enter the BlackBerry ID credentials and select Get Backup key. Click Save and load the key from the UFED Physical Analyzer disconnected from the network to continue with the decoding process.

Q: Are new Android devices encrypting the information in a unique fashion for each device?

A: The results of ongoing research both at Cellebrite and within the forensic community are exposing what sort of evidence can be extracted from these newer devices. The processors that are being integrated into Android, iOS, and BlackBerry devices are very powerful integrated circuits.  Since there has been such a focus on security over the past few years, these chips contain dedicated cryptography functionality to perform background tasks without impacting the user experience, all the while making security easier to implement and stronger against attack.

Q: Do you plan to incorporate jailbreaking into the product?

A: At this point in time, we do not plan on incorporating older jailbreaking methods into the UFED.  The best resource to find viable jailbreaks can be found at http://canijailbreak.com

Q: Are you recommending that we jailbreak all iPhones when possible in order to extract the maximum amount of data?

A: If your agency permits jailbreaking and the investigation warrants the additional effort to jailbreak the exhibit, then by all means, maximal effort should be expended to seek the truth and extract all evidence possible.  You simply don’t know what evidence you may be missing, whether inculpatory or exculpatory.  Major cases, cold case homicides, missing persons, and other exigent circumstances may justify jailbreaking, but always seek permission from stakeholders and test the method on a matching sample device.

Q: In iOS, how did you get emails using Methods 1 and 2 on an iPhone 5S?

A: The test case from the webinar was an iPhone5,2 (A1429) which is an iPhone 5, not an iPhone 5S.  Performing a jailbreak enables a Method 3 extraction to pull protected emails from the file system.  The emails pulled using Method 1 and 2 were from web-based emails that were clearly not protected with the file system.

Q: In your experience what is the success rate for jailbreaking phones?

A: From our research, the jailbreak will either work or not work, depending on a number of factors, including if the user upgraded the iOS firmware in the past using OTA (over-the-air).  The various jailbreaking teams work hard to prevent any adverse effects, but since the “first-to-finish” concept seems to apply for each iOS version, not a lot of effort is put into solving corner cases that would apply to forensics, versus the typical consumer not caring if the device needs to be reset prior to the jailbreak.

Q: Has Cellebrite been able to bypass the iOS pin on iPhones?

A: Cellebrite has the unique unlocking services provided by Cellebrite Advanced Investigative Services (CAIS).  The current offering is for iOS 8 running on the iPhone 4S, 5, and 5c, as well as associated iPad and iPod touch models.  The service helps investigators in important cases for which traditional mobile forensic tools do not have support.  Ongoing efforts by our leading team of researchers is continuing for newer models and those running iOS 9.  Please contact CAIS@cellebrite.com for more details.

Q: Does Cellebrite plan on including Android custom recovery partition flashing in the UFED?

A: The upcoming UFED release will add custom recovery for Samsung Galaxy S6, S6 Edge, and Note 5 to allow physical extraction while bypassing lock for models without locked boot loaders, such as Global models and those offered by Sprint, T-Mobile, and US Cellular.  Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition based on Team Win Recovery Project (TWRP).  Cellebrite’s recovery image does not affect any user data.  It is recommended to use the Forensic Recovery Partition method when other physical extraction methods (e.g. Bootloader) are not successful, or not available (i.e. if the Android’s firmware version is not supported).  For other carriers, including AT&T, Cricket, and Verizon, please contact CAIS@cellebrite.com for more details.

Q: Couldn’t a backup of the device give you the ability to go back to the starting point if custom recovery fails?

A: Unfortunately, it is not possible to do a backup of the device when there is a user lock code set and Android Debug Bridge (ADB) is disabled.  Cellebrite’s fully tested custom forensic recovery partition methods should not fail or cause any adverse effects (e.g. boot loop, etc.)

Q: Do you know if Windows 10 phones are encrypted at the chip level?

A: Research into less popular handsets can be performed if sufficient demand comes from our customers.  Some previous Lumia Windows 8/8.1 can be analyzed with our unique boot loader physical extraction, while other models can be supported with JTAG, chip-off, or In-System Programming (ISP).  We always welcome feedback via Technical Support for obscure mobile devices that you frequently encounter and we do not support.  Often times, minimal effort from our researchers is required to make the necessary additions to our UFED device coverage, all the while helping you solve more crimes.

Q: How does Android APK Downgrade work within UFED, and are there any risks to this method?

A: UFED downgrades encrypted Android apps in the device itself over Android Debug Bridge, by pushing an APK package to it, since it’s possible to then have an older version of the app do the interpretation of the newer inaccessible data. Within the UFED 4PC/Touch, connect to the device, and downgrade the app to an earlier version to extract the app database. There are some risks to this method since it makes changes to the device, thus, it’s advised to use as a last resort. If you know that a suspect is utilizing an application, and the extraction of all the other databases from the device do not produce any fruitful evidence, this method is recommended.  For example, if you believe that there was communication taking place via WhatsApp, then it’s important to squeeze out every last little bit of evidence from the device.

Click here to start your free trial for UFED Physical Analyzer.

View the full webinar below:

Reason #2 to vote Cellebrite for a 2016 Forensic 4:cast Award

In a previous blog, we mentioned that Cellebrite deserves a Forensic 4:cast Award this year for being consistently first and often unmatched, by bringing critical mobile forensic innovations to your work environment. Just yesterday, we released a solution to decrypt WhatsApp’s new backup database encryption- crypt9, in UFED Physical Analyzer 5.0.2.

We are grateful to the loyal UFED user community and to the digital forensic community for nominating Cellebrite, and would like to ask for your support again by voting for us in the following categories:

  • UFED Touch for phone forensic hardware of the year
  • UFED Physical Analyzer/ UFED4PC for phone forensic software of the year
  • Digital forensic organization of the year

If you haven’t already voted, here is the second reminder why Cellebrite deserves the Forensic 4:cast Awards:

Industry-first support for the most popular brands and models

We get access to more than 100 new handsets per month, which helps us keep pace with device support for the forensic community and capture the next wave of mobile challenges for forensic investigators. UFED 5.0 already supports the new and popular Samsung Galaxy S7 for file system and logical extractions. With approximately 10 releases a year, hundreds of newly supported device profiles are added for each release, including support for new operating system versions, and all supported are tested by Cellebrite’s R & D team. Just recently, with the release of UFED 5.0, we’ve bumped our device profile support up to 19,203.

We continue to innovate the industry, and to expedite your investigation by providing you with unmatched access to case-critical evidence. UFED 5.1, to be released in the coming weeks, is already packed with hot industry-first capabilities, including a new proprietary method to disable user lock for many additional Samsung devices, and lock bypass for popular LG models. Stay tuned!

Does UFED play an important role in your investigations? If you think so, then vote for us today!  

ForensicFocus_728x90_4cast_Vote_30mar2016

 

What’s New in UFED 5.0: Q&A from Cellebrite’s Webinar

Earlier this month we hosted a webinar entitled, “What’s new in UFED Touch, 4PC, Physical Analyzer, Logical Analyzer 5.0?” The webinar provided attendees with insights on the latest features and capabilities introduced in version 5.0, including unique extraction capabilities such as temporary root (ADB) solution for Androids, and detailed demo’s on merging multiple extractions into a single project, removing deduplications, and a new and effective validation process, as well as filtering out common images, and other industry-first capabilities that helps you drill into the data that’s most crucial to your investigation.

During the webinar, we received an array of excellent, intuitive questions from participants. A selection of these questions, with corresponding answers, have been compiled into this blog.

The webinar is available for viewing at the bottom of this post.

Note: If you don’t see your question answered below, please leave a comment at the end of this post and we will try to provide you with an answer ASAP.

Q&A – Let’s begin!

Q: Which fields are used to determine duplicated messages for Chat, MMS and SMS?

A: We have set of rules for deduplication. For the analyzed data (SMS, emails, chats), we identify key values for duplication for each model/content type and based on that we remove duplicates and merge items. For data files (text, images, video and more), duplicates are based on hash value calculation.

Q: After the deduplication process completes, are there any reports or items showing that there was a duplication?

A: You can find an indication of deduplicates in any table in the UI. There is also a filter available to filter this information, and there is also an indication in all report formats.

Q: Sometimes physical extractions of a single project contain duplicate messages due to garbage collection, etc.  Is there a way to detect and remove duplicates from a single project?

A: Indeed. Version 5.0 automatically remove duplicates of a single project/extraction as well.

Q: Is the application able to create a hash of the whole Image or project?

A: UFED Touch/4PC 5.0 creates a hash of the whole Image of any physical extraction. UFED Physical Analyzer 5.0 enables you may review this MD5/Sha-256 value and validate/verify it.

Q: I see that you didn’t include merged data when you were gooing through the reporting feature, is there a reason why you would include this information.

A: By default, the merged items are not included in report as we assume that the main items are the most important. You may change this default values and include the merged items as well.

Q: Is there a way to get a summary of all contacts that are on a phone?  The Contacts area doesn’t always capture the contacts from apps (i.e. Whatsapp, Viber, etc.).  I find that I need to extract SMS/MMS/Chats/CallLog and then combine the logs together for a contacts summary.

A: All contacts recovered are presented under the contacts node in the tree, including contacts recovered from 3rd party apps. We do plan to merge SMS, IM, MMS and chats (all messaging events) into a unified view, it is planned in one of the coming versions of UFED Physical Analyzer.

Q: Using the upgraded UFED Touch and Physical Analyzer, I have noticed that looking at results for a logical extraction for some phones deleted data is shown. Can we actually get some deleted during logical extractions now?

A: Deleted information from apps can be recovered as part of logical extraction.

Q: When you change the name of the extraction, does it change the name of extraction file that is placed in the folder?
A: No, the name change is only for viewing and reporting purposes

Q: Since WhatsApp is now encrypted, can UFED 5.0 extract WhatsApp encrypted data?
A: Messages while in-transit are encrypted however this does not affect data-at-rest (forensics) stored in the WhatsApp databases. On top of that, WhatsApp have recently started using a new encryption key – crypt9. We are working to provide a solution for this encryption.

Q: Can UFED Physical Analyzer 5.0 pull data (pictures and videos) from SnapChat, or only text messages?
A: For both iOS and Android devices, media files are extracted as well.

Q: Is there a specific order as to when you have to do the ADB and APK backup and downgrade?
A: It is recommended to use the APK downgrade as a last resort, after other extraction methods have been exhausted (including JTAG and chip-off), since it’s an intrusive method, which requires APK installation on the device.

Q: Why do some of the recovered passwords display as clear data, while most of them are encoded?

A: In many cases, the passwords are stored as tokens, this is why you can’t see clear data. Private data is stored encrypted as tokens. When the password is first entered, it is sent to the server for storage. Every time the password needs to be checked then the public key encrypted password gets sent to the backend server and decrypted by the private key. In PA, you can see these encrypted values.

Q: If you use the time zone support, does it make any changes to the extraction or is it just for easier viewing?
A: For easier viewing and reporting, no change is done to the original

Q: About the timestamp option, can you explain about the options in the settings? When does it prompt when device time zone is detected?

A: To automatically adjust timestamps to UTC+0. Select the Automatically adjust timestamps to UTC+0 check box. This setting is recommended when working on multiple extractions so that all records will be presented according to the same adjusted time zone offset.

In case a time zone is detected as part of decoding, a pop up window will be presented, suggesting you to automatically adjust the time stamp. Alternatively, you can change it in the general settings. When the Automatically adjust timestamps according to the device’s time zone check box is selected, all timestamps will be adjusted to the mobile device time zone, including report outputs.

View the full webinar below.

 

UFED 5.0 drastically decreases your time to evidence by drilling into the data that’s most crucial

Sifting through data is a very time consuming process- the average US smartphone user takes up 10.8GB of storage capacity on their device*, and taking into account different data recovery options in UFED Physical Analyzer, this process may take up to several hours to complete. UFED 5.0 came out with major time-savers that drastically decrease your investigation time, and lets you focus on the data that is most crucial to your investigation. Version 5.0 brings five crucial industry-first features, and support for 19,203 device profiles and 1,528 app versions.

Merge multiple extractions in a single unified report and avoid deduplicates

You asked for it, we developed it. With UFED Physical Analyzer 5.0, you now have the ability to merge multiple extractions from multiple devices into a single unified project, which can include logical, physical and file system extractions. The extracted data is presented under one project tree, and provides a unified extraction summary with device info per extraction, the ability to drill down to each extraction, and an indication of the original extraction source. If required, you also have the option to combine extractions from different devices. 

merge mult files

 

This powerful feature saves you time not only by combining the extractions, but also by removing deduplications (duplicate or redundant information), and grouping together similar and duplicate records for quick and efficient analysis. The following extraction types may be grouped together: Logical, advanced logical file system, physical, SIM card, JTAG, SD Card, and UFED Camera Evidence.

Here is what one investigator had to say about this new capability: “Being able to instantly navigate to where each piece of data is located in the memory dump is an outstanding feature. This saves hours of time on each complex investigation.”

Validate your data the right way

The latest validation process saves you time and resources by providing you with the most effective and most efficient way to perform a real and accurate validation process, by validating the decoded data with the original source file; Thus, reducing your need to use other mobile forensic tools for additional extractions to compare and validate the results.

Every recovered artifact has a source that it originally derived from, and can be used to later to validate the data. If previously you spent time manually searching for the original source, UFED Physical Analyzer 5.0 now tracks back the automatically decoded content to its source.

Every extracted record now includes the file source information in a table view or in the right pane with device information. Each link points to the offset data and includes the source file name, which can be included in a UFED report when testifying in court. For example, using UFED Physical Analyzer 5.0, an examiner can easily see from the original source file that a recovered SMS was a deleted artifact, since it was recovered from the memory of the device. That SMS is also visible and highlighted in the hex viewer, when clicking on the file source information link. (The db file where the SMS came from is also displayed in the right pane).

2

 

 

 

 

 

 

Focus on relevant media files with the common image filter

An additional time saver added to version 5.0 is the new automatic filter feature. UFED Physical Analyzer 5.0 saves massive investigation time by automatically filtering out common or known images, allowing you focus on the images you need to get to the evidence quick, rather than wasting time reviewing thousands of images that are default device icons, or images that come as part of app installation.

The MD5 hash value is available for every extracted media file, and is visible in the user interface and in the report output, as part of the decoding process.

How would you use this feature? Say you have 200 hash values of indecent images in your own database, you can easily create a watch list for all the hash values from your database, and run the watchlist to find a match search for the same images on the device. In case of a match, a nude photo will be detected on the device. Alternatively, you can export the hash values from the device into excel, and run a match on your database, as well as expand your list with new hash values belonging to suspicious nude photos.

As presented in the image below, if previously you had to review 24998 images, you now have 900 less images to review.

ReviewMediaFiles_Hash_Calculation-Recovered

 

 

 

 

To view all images, click on filter reset or remove the auto-filter option in the Settings.

 

Access blocked application data with file system extraction

Version 5.0 introduces another industry-first capability, providing you access to blocked application data when physical extraction is not available for the specific device. The introduction of new app versions also introduce new challenges, such that they are no longer available for backup using the Android backup method, since they are blocked for backup service. UFED overcomes this limitation with a new option called APK downgrade method, also available via file system extraction. This method temporarily downgrades the app (or .apk file) to an earlier version that is compatible for Android backup. UFED will present the list of apps installed on the device, and the ones available for downgrade. Open the extraction in UFED Physical Analyzer to decode both intact and deleted apps data.

Popular supported apps include WhatsApp, Facebook, Facebook Messenger, Line, Telegram, Gmail, KIK and more.

Extract data using Temporary root (ADB) and enhanced bootloader method

Temporary root (ADB) solution has been enhanced to support 110 Android devices running OS 4.3 – 5.1.1, for file system and physical extraction methods, (when ADB is enabled). Logical extraction of apps data is also available for the listed devices using the temporary root solution. As part of your examination, you need to gain access to all the data stored on a mobile device.  This is achievable via a physical extraction, which is the most comprehensive solution, and provides the richest set of data. As part of our ongoing efforts, you are now able to perform a physical extraction for the selected 110 devices using the ADB method instead of manually rooting the device using an external tool.  Third party tools provide a permanent root, while Cellebrite’s temporary root solution is removed after restart, and assures forensically-sound extractions.

The bootloader method has been further enhanced in version 5.0. This unique lock bypass solution is now available for 27 additional devices (APQ8084 chipset), including Galaxy Note 4, Note Edge, and Note 4 Duos.

Version 5.0 also introduces physical extraction and decoding support for a new family of TomTom devices; as well as file system and logical extraction and decoding is also available for recently launched devices, including iPhone SE, Samsung Galaxy S7, and LG G5.

Watch the video below to learn more about UFED 5.0 release highlights.

Download our release notes for full details about version 5.0 capabilities.

Spring Ahead and See What April Has in Store for Cellebrite: A snapshot of Cellebrite’s April 2016 events

Spring is here and April 2016 is an exciting, action-packed time for Cellebrite. We will be participating in a multitude of events around the world – hitting every one of the globe’s hemispheres. Meet us in Zagreb, Rio de Janeiro, London, Orlando, among other leading international hubs, where our subject-matter experts will present the UFED product line, providing live demos and delivering presentations on hot industry topics for security and law enforcement markets, alike.

Take a look below and see a snapshot of our April events. We hope to see you somewhere around the globe – soon!

April 5, 2016: DATAFOCUS 2016 International Conference on Digital Evidence, Zagreb, Croatia

Cellebrite is springing into April with the DATAFOCUS 2016 International Conference on Digital Evidence in Zagreb, Croatia.  DataFocus is a one-day conference, with two-tracks, aimed towards both lawyers involved in digital cases that include digital evidence and investigators whose everyday jobs entail digital forensic investigations.

Don’t miss the Cellebrite speaking engagement under the umbrella, “UFED Series: Cellebrite Mobile and Cloud Forensic Solutions” – entitled, “Unparalleled Extraction and Analysis Capabilities, Optimized for the Lab and Field.”

April 12-14, 2016: LAAD Security 2016, Rio de Janeiro, Brazil

Next on our April schedule, Cellebrite will be exhibiting at LAAD Security 2016, Riocentro in Rio de Janeiro, Brazil, from April 12 – 14, 2016.  LAAD Security – Public and Corporate Security International Exhibition– brings together Brazilian and international companies in the industry of security, equipment, services and advanced security technologies.

Come by our booth number F.22, Hall 4, where we will be showcasing our many solutions that are sure to accelerate your investigations – anytime, anywhere.

April 19 – 20, 2016: Forensics Europe Expo, London, UK

Moving towards mid-April, Forensics Europe Expo, the only international event dedicated to forensic technology, will bring leading UK and International forensics professionals together to network, learn, and source new products and innovations.

Come and say hi to Cellebrite at booth number 1-C27, and learn about our products and solutions via live demos, among other hands-on sessions.

April 19-22, 2016: National Law Enforcement Training on Child Exploitation (NLETCE), Atlanta, GA, USA

Across the pond, Cellebrite is slated to take part at NLETCE, where subject-matter experts will be providing cutting-edge training on a wide range of trending and important topics. In addition, over 240 lecture and hands-on computer workshops designed specifically for local, state, tribal and federal law enforcement personnel and prosecutors who are responsible for combating child exploitation.  To learn more about Cellebrite’s role in combatting sexual extortion,together with INTERPOL, read our case study here:

April 25-27, 2016: National Cyber Crime Conference, Norwood, MA, USA

Back by popular demand—for its fifth year— the Massachusetts Attorney General’s Office is hosting the 2016 National Cyber Crime Conference to be held  April 25-April 27 in Norwood – and Cellebrite will be there in full-force. The conference will feature three tracks of instruction: a track for prosecutors, a track for investigators and a track for digital evidence forensic examiners. Each track will have multiple breakout sessions featuring instruction from nationally recognized experts in the field of cybercrime. All participants will be provided with an opportunity to receive hands-on instruction.

Drop by our booth number 10, where we will showcaserecent developments and demonstrating how Cellebrite’s mobile forensics solutions can help solve crime.

April 26-28, 2016: IACIS (The International Association of Computer Investigative Specialists), Orlando, FL, USA

Heading into the final stretch of this busy month of April, Cellebrite present at IACIS , a non-profit corporation composed entirely of volunteer computer forensic professionals dedicated to fostering and perpetuating educational excellence in the field of forensic computer science.  The audience will be comprised of professionals from the Federal, State, Local and International Law Enforcement community, as well as the business/commerce and academic communities. Stop by and meet the Cellebrite team!

April 26-28, 2016: Youth Technology and Virtual Communities Conference Bond University, Gold Coast, Australia

With the theme Prevent, Protect, Prosecute, the Youth Technology and Virtual Communities Conference will provide attendees with the latest developments, strategies and challenges across all facets in the collaborative effort to fight crimes against children. The conference is aimed at practitioners in the fields of law enforcement, prosecution, education, child protective services, social work, children’s advocacy and therapy who work directly with child victims of crime. In a testimonial video, hear how Detective Jim Bolt of ASP Security Services used Cellebrite’s UFED Physical Analyzer to recover deleted images as evidence in a case related to child abuse.

Come visit us our booth down under and learn how Cellebrite’s technical and training solutions accelerate investigations.

Visit our website to learn more about our events.