Save critical investigation time with UFED Reader: Q&A from Cellebrite’s webinar

In the past several years, cases involving computer hard drive forensics have declined while mobile forensics cases have risen, increasing the demand to analyze digital evidence from mobile devices. Typically, the forensic lab examiner generates reports containing all the data extracted from the device and sends them to the investigator, who has to review all of it to find the relevant piece. This may mean sifting through hundreds, even thousands, of pages from several devices to find the needle in the haystack. In some cases, the investigator may discover that they need additional data that was not supplied at all.

In a recent webinar, we presented UFED Reader, a free, easy-to-use digital tool that helps you review the report files generated from the analyzed data of a physical, file system, or logical extraction by UFED Physical Analyzer and UFED Logical Analyzer.


The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog post, including some that we didn’t have time to answer during the webinar.

Q: Can UFED Physical Analyzer create a .ufdr file that contains all the artifacts, including pictures, videos, SMS, MMS, etc.?

A: UFED Reader is able to create massive .ufdr files, even from phone dumps that are over 16 gig.

Q: Where is the UFED Reader file located?

A: The UFED Reader executable can either be forwarded from the forensics lab together with a report, or it can easily be downloaded from the customer portal at my.cellebrite.com.

Q: Can I also see shared data between different reports using the reader?

A: You can open different reports using the reader; they can be different reports of the same device or even reports related to different devices. However, each project is handled separately. You can perform searches across all projects, but the views are separated: SMS messages, contacts, locations and so on are presented per project, and the timeline and reports are not shared either. If you need to see connections and links, it is recommended to use UFED Link Analysis, which enables you to open up to 100 data sources and see the links between different data extractions.

Q: For multi-jurisdictional investigations how can you import an XRY file for parsing by a UFED?

A: While UFED Reader cannot open XRY reports, UFED Link Analysis has the ability to open external reports, and provides a joint view of both Cellebrite and XRY reports.

Q: Can you generate a report containing only bookmarked items?

A: Yes, UFED Reader provides an option to include the entity ‘bookmarks only’, which incorporates only bookmarked items in the report output. Bookmarking highlights the evidence that is relevant to the case, and UFED Reader provides the option to include in the report only the artifacts that are important for that investigation. As a result, the generated report is concise and short, and it protects personal data that is not relevant to the case.

Q: Which mobile device operating systems are supported by the UFED Reader?

A: Cellebrite supports all known and familiar operating systems, and all devices that can be extracted and decoded using the UFED Series (including Touch/4PC/Logical/Physical Analyzer) can be opened by UFED Reader, meaning that any .ufdr report generated can be opened by UFED Reader.

Q: Are there chat-threading capabilities within the UFED Reader module?

A: In the Chats view, you will see a list of chat messages extracted from the device, including messages from third-party apps such as WhatsApp or Snapchat. This view provides information about the chat, such as start date and time, participants, source and number of messages, which are also listed chronologically in full detail on the right pane (including message bodies and attachments). The conversation view layout option is also available for easier and better tracking of the communication between two or more parties. You can search for messages within a chat, select the messages to include in a report, print, or export the conversation.

Q: Is it possible to see restored deleted information from mobile devices?

A: Cellebrite has the ability to extract and decode deleted information from mobile devices. These items are included in the .ufdr report and presented in UFED Reader with a red ‘x’ icon next to the artifact.

Q: Can UFED extract logical and physical data from Windows Phone 8 and new Android-SM using MTP (media transfer protocol) instead of UMS (mass storage)?

A: For Windows Phone 8 using the logical extraction method, you can extract contacts via Bluetooth and multimedia data via USB (MTP protocol). Physical extraction is available for selected Nokia Lumia (out-of-the-box WP8) models. For Android devices using the logical extraction method, you can extract multimedia data from newer Android devices via USB (MTP protocol).

View the full webinar below:

Leave a comment if you have a question that was not answered above, or in the webinar itself!

Exclusive bootloader method support for the latest Samsung devices headline UFED 4.4 release


With the release of UFED 4.4, Cellebrite announces support for 17,638 device profiles and 1,092 app versions. UFED 4.4 introduces the exclusive bootloader method, designed to solve some of investigators’ most challenging problems in unlocking and extracting data from leading Samsung Android devices. It also includes decoding support for new devices and OS updates, including iPhone 6S/6S Plus, iOS 9.1, and Android Marshmallow.

New unlocking & physical extraction support for Androids using the unique bootloader method

In the previous version, 4.2.6, we announced the release of the enhanced bootloader method, which enables you to obtain additional data when performing a physical extraction while bypassing the user lock on Samsung devices.

As part of our ongoing efforts to provide the best physical extraction capabilities for the latest Android devices, version 4.4 introduces an enhanced bootloader to support newer phone firmware versions, and includes 12 additional Samsung devices. You can now obtain additional data by performing a physical extraction using the enhanced bootloader method for 85 popular Samsung Android devices running Android 5.x. This unique solution supports the following Samsung families: Galaxy S3, S4, S5, Note 3 and Note 4.

What is the bootloader method?

Physical extraction using the boot loader method is the recommended method to recover data from Android devices. When the device is in boot loader mode during extraction, the operating system does not run, and therefore the device cannot connect to the mobile network. The method bypasses any user lock and is forensically sound.

A new tutorial video is available below.

Cellebrite now supports new iPhone 6S/6S Plus and Android v6.0 Marshmallow

Recent device launches and operating system updates are also supported with UFED 4.4. Users can now perform file system, logical (including application data), and advanced logical extraction, as well as decoding, from iPhone 6S and 6S Plus devices and iOS 9.1. UFED 4.4 also provides file system and extraction support for the latest Android v6.0 Marshmallow, with limitations. Following recent changes made in Android third-party apps, including Facebook, WhatsApp and Snapchat, data from these apps can no longer be extracted when performing file system and logical extractions using the Android backup method. We recommend two options to overcome this limitation: perform a physical extraction (when available), or root the device to extract the data.


Extend your investigation capabilities with enhanced support for new apps for iOS and Android

UFED 4.4 keeps pace with investigator demand for more app support and greater visibility into app data. This version introduces newly added support for some of the most popular apps installed on both Android and iOS, including Google Drive, Google Tasks, Google Translate, Inbox, OneDrive, Pinterest, Runtastic, Yandex Browser and Yandex Maps; OneNote and VIPole are available for Android.

With 300 million active users on Dropbox, 250 million on Microsoft’s OneDrive, 240 million on Google Drive*, and 100 million on Pinterest (the third most popular social network in the US)**, we are bound to believe that the high number of people using these apps on their devices may also hold the evidence you need for your investigation.

Updated support is also available for 53 Android and 61 iOS app versions.

New decoding process for WhatsApp data

In UFED 4.2.6, we introduced a new capability to decrypt WhatsApp data. Using a third-party script, you can manually extract the WhatsApp key (on non-rooted Android devices) and use it in UFED Physical Analyzer to decode and decrypt the data. During the process, the WhatsApp version is temporarily downgraded to an earlier version so that the key can be extracted and used to decode the WhatsApp database. The current WhatsApp version is restored at the end of the extraction process.

A new step-by-step process is now available in MyCellebrite.

Learn more about UFED 4.4: download the release notes here!

* http://expandedramblings.com/index.php/google-app-statistics/

**http://marketingland.com/pinterest-says-it-has-100-million-monthly-active-users-143077

New and improved UFED Faraday bag!

With the evolution of smartphones, cellular networks and infrastructure have also advanced: signals have improved and their reach has expanded, which has laid the ground for high-performance wireless access. Modern smartphones also carry other radio transmitters in addition to the cellular network interface (including Wi-Fi, Bluetooth, telecommunication systems, and GPS).

A fundamental aspect of device preservation at the crime scene is evidence collection on site. When needed, an officer can immediately provide electromagnetic isolation of a seized device to maintain a proper chain of evidence, prevent data tampering, and safeguard the existing physical data on the device.

Cellebrite’s UFED Faraday bag has been redesigned and improved to meet the needs of quick investigation, offering better isolation storage. The new shielding material was tested against the former bag at various frequencies, and showed an increased attenuation of ~25 dB.

Frequency (GHz)    Former bag attenuation (dB)    Redesigned bag attenuation (dB)
0.8                53                             >80
1.8                52                             71
2.1                45                             >80
2.4                42                             77

Click here to purchase your UFED Faraday bag at an affordable price.

Cellebrite launches first standalone UFED User Lock Code Recovery Tool for iOS and Androids

Locked devices have been a longstanding issue for mobile examiners since the evolution of smartphone devices. More than 50% of devices seized by police are locked.*

UFED User Lock Code Recovery Tool provides you with another solution to unlock the device and reveal the password on both iOS and Android operating systems, when no other extraction method works. Using a forensically sound brute-force method, this standalone tool reveals the device’s user lock code on screen and allows users to enter the password and access the evidence on the device, while ensuring that the existing data remains intact.

How do I use this tool?

The tool is available for download for UFED users with an Ultimate license at MyCellebrite (the software runs as a standalone tool). Users are supplied with three Cellebrite cables, to be connected to USB OTG mobile devices only. A UFED Camera or a Windows-based web camera is required to detect when the device is unlocked. For more information on using the tool, watch the video below to learn how to bypass and reveal passwords on iOS and Android devices.

UFED User Lock Code Recovery Tool helps you get the evidence you need quickly and at no extra cost.

*Consumer Report 2014


New UFED release 4.2.2 offers exclusive support, impressive breakthroughs and enhanced decoding

With the release of UFED Physical/Logical Analyzer 4.2.2, Cellebrite offers new decoding features designed to improve investigative efficiency, with 1,128 additional device profiles and a richer degree of decoded data from 873 app versions.

Exclusive support for the latest and popular Samsung devices

Samsung contributes to the highly fluid mobile market by introducing ever smaller and lighter mobile device models every few months. The quick adoption of these devices by felons means investigators encounter additional challenges during the investigation. Cellebrite enables access to all data, including deleted data, from the newest Samsung Android devices available on the market today. Cellebrite supports physical extraction while bypassing the user lock using the forensic recovery partition method, and decoding, from 33 Samsung Android devices, including the Samsung Galaxy S5, S6 and Note 4 families of devices.

Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition. The original recovery partition on the Android device can be considered as an alternative boot partition that may also change the user data partition, while Cellebrite’s recovery image does not affect any of the user data.

Support for next generation smart watches

Android Wear may be a new concept, but with nearly $7M in sales just last year, many independent research groups anticipate huge growth in the wearable space in the coming years. With the rate of new devices entering the market from Samsung and others, Cellebrite ensures that investigators remain ahead with the most advanced extraction and decoding technology to support these new trending devices.

UFED enables physical extraction while bypassing the lock, and decoding support, for the most popular next-generation smart watches, including the LG G WATCH R™ (W110) and the previously released Samsung Galaxy Gear SM-V700.

New app decoding and decryption support

Apps provide a rich source of data for investigations; 59% of our users say that third-party app data matters the most in investigations. Cellebrite provides updated support for 843 app versions in this release, as well as decoding support for new apps, such as Facebook Messenger (decoding of the call logs of the voice calling feature and the new video calling/chatting feature). Additional decryption support is also available in UFED 4.2.2: UFED Physical Analyzer is now able to decrypt and decode an Android Backup (Android 5.x) with a known password as part of the file system extraction.

Download the release notes to see a full list of apps and version numbers.

Now higher resolution view in offline maps feature

In UFED version 4.2 we introduced the offline maps feature, which enables you to view extracted locations on a worldwide map without an internet connection. This feature has been improved, enabling you to view extracted locations on a regional map and zoom in at an even higher resolution of 15x to view streets, for a better indication and view of the location without internet access, for the following regions: USA, Canada, Europe, Japan and Korea, Middle East, Africa, London, Los Angeles, New York, Paris, Singapore and Tokyo.


You asked for it, we developed it!

UFED Physical/Logical Analyzer 4.2.2 keeps pace with investigator demand and provides the option to redact image thumbnails from the PDF, Word and HTML reports. You would use this option in cases involving sensitive images, such as child abuse.


3 Reasons to Vote for Cellebrite for a 2015 Forensic 4:Cast Award

For as long as the Forensic 4:cast Awards have existed, Cellebrite’s UFED tools have been named Phone Forensic Tool of the Year. Being nominated among some of the greatest products in the industry, we couldn’t be more proud that the forensic community has recognized our continuing efforts to deliver the best, most innovative and functional mobile forensic tools for seven years running.

Thanks to you, Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED 4PC for phone forensic software of the year
  • Digital forensic organization of the year

Will you vote for us this year? Here are a few reminders why Cellebrite deserves the Forensic 4:cast Awards.

1. We’ve got your back.

Cellebrite has always been known for its breadth of support for new devices, but in 2014 we deepened our support for both smartphones and the apps installed on them. We improved our automated decoding, so you can spend more time analyzing data than figuring out how to decode it; brought our device profile support up to more than 14,000; and added decoding support for 25 prepaid Android devices—including Tracfone models that stumped investigators for years.

2. We make data analysis as simple or as complex as you need.

The visual analytics included in tools like UFED Physical/Logical Analyzer and UFED Link Analysis give you a basic, at-a-glance look at key people, places, and communications via Project Analytics, Timelines, Maps, and Graphs. These help you immediately visualize your data and focus on only what is most relevant to your case.

When you need to get “into the weeds” with the data—at the device memory level—you can do that too. Locate, carve, and validate data using advanced search functions like regular expressions and searches for strings, dates, codes, numbers, ICCID, SMS formats, etc., and import your JTAG and chip-off extractions into UFED Physical Analyzer for decoding.

3. We give you the tools you need not just to extract and analyze the data, but also to testify about your process with confidence.

Tools with as much functionality as ours deserve investigators who can put them to good use, so in 2014 we stepped up our training and certification program. We are now the first and only digital forensic vendor to deliver courses not only in person, but also online, and more than 4,000 practitioners earned their Cellebrite certifications through the end of 2014.

Vote for us today!


Get hands-on with Cellebrite’s new JTAG Extraction and Decoding (CJED) course

The growing popularity of JTAG forensics is an indicator of its undeniable advantages. These include the ability to access physical memory even when a device is damaged, or when commercial tools don’t support user lock bypass, such as with prepaid devices. Furthermore, the method is non-destructive compared to the chip-off method.

Still, the JTAG process requires significant resources. It can take an examiner many hours to transform the raw data into human-interpretable evidence, and without training, making the wrong connections or pressing the wrong buttons can destroy evidence. Getting trained, therefore, should be one of the top priorities for any organization making a full investment in JTAG capabilities.

Part of the Advanced Training Pathway courses we announced two weeks ago, the new three-day instructor-led JTAG Extraction and Decoding (CJED) course introduces the techniques and best practices required to perform JTAG extractions and decoding, as well as addressing common challenges in these methods and offering hands-on practice.

Take 30 minutes to watch the video below to learn how to easily integrate and decode JTAG extractions using UFED Physical Analyzer, which now supports both generic and brand-specific JTAG chains for automated decoding. Get a brief overview of the hardware you will receive in our CJED course, including a Molex adapter kit and a RIFF brand JTAG box, with which you’ll be able to practice fundamental soldering skills.

JTAG skills can help you expedite your investigation and maximize the evidence you can retrieve from damaged, prepaid, and unsupported devices. Once you’ve viewed the webinar, be sure to register at a location near you for the CJED class!

Download training white paper

Cellebrite will be exhibiting all over the map this October

October is gearing up to be a super busy month for Cellebrite! A wide variety of events are scheduled for Cellebrite all across the globe. Meet us in Prague, Moscow, Miami, Orlando, London, Beijing and Bogota, where we will be presenting the UFED product line, providing live demos, and delivering presentations on hot industry topics for the e-Discovery, security and law enforcement markets.

e-Discovery

Mobile users leave behind digital traces on their devices, which can go a long way in any legal proceedings involving criminal or civil matters. Electronically stored information on mobile devices (mobile ESI) represents an important category of relevant information and is quickly becoming critical for a wide variety of investigations and litigation, including employment, fraud, intellectual property, securities, and others.

October 19-21: LawTech Europe, Prague, Czech Republic

Cellebrite will kick things off at the Clarion Congress Hotel in Prague for the LawTech (LTECH) Europe Congress. LTech brings together professionals in law, technology, governance, and compliance to address four core areas in digital forensics: digital evidence, forensic investigations, cyber security and legal technology. Yuval Ben-Moshe, Cellebrite’s Senior Director, Forensic Technologies, will deliver two presentations during the show:

  • Mobile Devices and Mobile ESI – Facts and Myths, together with Daniel Bican from Ernst & Young
  • Mobile Devices and Mobile ESI – Proactivity Goes a Long Way

(For further details on Cellebrite’s presentations, please see the show’s agenda: http://www.lawtecheuropecongress.com/)

Stop by booth #601 for live demo sessions covering current techniques and tools for data search and data collection from mobile devices.

October 23: e-Discovery & e-Investigations Forum, London, United Kingdom

Join us at the Park Plaza Victoria Hotel in London for a one-day e-Discovery and e-Investigations Forum to learn how Cellebrite addresses the challenges surfacing in the e-Discovery domain for mobile data collection. Yuval Ben-Moshe, Senior Director, Forensic Technologies, will be presenting on ‘Mobile Devices and Mobile ESI – Facts and Myths,’ enlightening the crowd on the need to retrieve mobile data in cases of litigation, regulation or investigation, and discussing the processes required to obtain information from mobile devices within a litigation process.

Attendees from legal, compliance, finance, HR, investigations and more are welcome at our booth to learn about our expertise in mobile data retrieval and analysis.

Security

October 21-24: Interpolitex, Moscow, Russia

As LawTech ends, another exciting show begins for Cellebrite in Moscow. Interpolitex is the largest homeland security exhibition in Russia, organized by the Ministry of Interior of the Russian Federation, the Russian Federal Security Service, and the Russian Federal Service for Military-Technical Cooperation. Drop by booth #1C3-1 to learn about the UFED’s recent developments, and how Cellebrite’s mobile forensics solutions can help solve cybercrime.

October 23-24: Latin America and Caribbean Summit 2014, Miami, Florida

Join our LATAM Forensics Sales Director, Frederico Bonincontro, for a two-day summit in Miami. The LATAM & Caribbean event is focused on assessing the current digital security landscape and threats in the Caribbean, Central and South America region. Stop by booth #20 to learn about Cellebrite’s latest product developments and how our solutions can help you tackle your mobile forensic challenges.

October 28-31: 2014 Security China

Cellebrite’s APAC team will head to Beijing to showcase the UFED Series at the China International Exhibition on Public Safety and Security. Cellebrite, a thought leader in mobile forensics, will be presenting the UFED line of products for the security industry at booth #E1F01.

Stop by our booth to meet the Cellebrite team!

October 29-31: Expodefensa, Bogota, Colombia

Cellebrite will end its October events at another prestigious government-level security show, Expodefensa, organized by the Ministry of National Defense of Colombia, the High-Tech Corporation and the International Business and Exhibition of Bogota. Our LATAM team will head to Bogota, Colombia to showcase the innovative UFED Series.

Drop by booth #439, pavilion 6 to learn about UFED’s accomplishments in security and defense!

Law Enforcement

October 25-28: International Association of Chiefs of Police (IACP), Orlando, Florida

Later in the week in Orlando, Florida, Cellebrite USA representatives will be on hand at the 2014 International Association of Chiefs of Police Conference to demonstrate to police leaders at all levels how they can use a mix of training, policy, and technology to implement mobile forensics strategies in a post-Riley world.

Visit us at Booth #769 to learn more about how Cellebrite’s technical and training solutions accelerate investigations by affording investigators the ability to collaborate more readily with digital forensics examiners, supervisors, and prosecuting attorneys.

Bypassing Locked Devices: Q&A from Cellebrite’s webinar


Last month we hosted two webinar sessions on “Bypassing Locked Devices”, led by Mr. Yuval Ben-Moshe, Cellebrite’s Senior Director for Forensic Technologies. In these sessions, Yuval presented the challenges and solutions to bypassing locked devices, including Cellebrite’s proprietary boot loaders among other methods used to tackle locked devices.

The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog—including some that we didn’t have time to answer during the webinar.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Basics of mobile device user lock bypass

Q: Using the UFED, can you gain access to the phone where the wrong passcode has been entered too many times and is now locked?

A: This depends on the device and the locking mechanism it uses. If the device is supported by a boot loader or JTAG, then the data can be extracted regardless of the locking mechanism or the number of times a wrong password was entered.

Q: How far off is user lock bypass support for iPhone 5 and Blackberry devices?

A: Forensic extraction of data from the iPhone 5 is achievable using the .plist file from the paired computer. With locked Blackberry devices, at this point in time, examiners must rely mainly on chip-off or JTAG methods for specific models.

Q: If the element file is deleted, will it affect the function of the original pattern passcode?

A: This question refers to a method called disabling. The device will remain in a lock disabled mode until a new password can be configured via the device’s set-up menus.

Q: If an extraction fails or is interrupted, can I still parse the extracted content if it is incomplete?

A: A physical extraction that was interrupted cannot be decoded, because a full binary image is required in order for the decoding to reconstruct the full file system.

Q: Can the UFED bypass iOS 7+ with a user lock and a SIM lock?

A: Bypassing locked devices depends on the device hardware and not on the iOS version running on it. That is, if iOS 7 is running on an iPhone 4, physical extraction is achievable; however, if iOS 7 is running on an iPhone 4s or a newer model, then a .plist file is required to enable data extraction.

Q: If a device employs a biometric lock, how does the UFED tackle the lock?

A: Bypassing a biometric lock depends on the device model. For example, for the iPhone 5, the UFED can bypass the biometric lock using the .plist file.

Sync devices and .plist files

Q: The webinar presents the paired computer method for iOS devices showing the Windows 7 path on a PC. Is there a specific location path for Apple MAC computers?

A: The path for the .plist file on Mac computers is: ~/Library/Application Support/MobileSync/Backup/

Q: Does the .plist appear on the user’s iCloud?

A: The .plist file is used for the communication between the device and the computer; hence, it does not appear in the user’s iCloud data.

Q: How do you employ the .plist file?

A: The process of using the .plist file is very simple: UFED will automatically detect the iOS device as being locked and request the .plist file.

Boot loaders and clients

Q: Will injecting a client or boot loader lead to evidence tampering?

A: The boot loader is uploaded into the device’s RAM and is deleted when the device powers off or restarts. Therefore, it does not tamper with the evidence. In contrast, a client may write some data to the device’s flash memory, yet it is still considered a forensically sound process if the investigator specifically documents what was written and to which partition/folder.

Q: If an extraction fails, is the client left on the device?

A: In some cases, when the extraction is interrupted abruptly, the UFED may not have enough time to uninstall the client, and some files may be left on the device. In this case, the UFED provides a specific function to delete the client. This capability is found under the UFED ‘Device Tools’ menu.

Q: Does the UFED Classic include the boot loader function?

A: The UFED Classic is also capable of tackling locked devices. However, it may not support the latest modern devices due to technical limitations of its hardware. It is highly recommended to trade up the UFED Classic for a more advanced model, such as the UFED Touch or UFED 4PC.

User locks on prepaid devices

Q: Can the UFED bypass disabled data ports in burner phones? JTAG/chip-off are options, but unlocking with a manufacturer code is also possible. Can you support unlocking burner phones?

A: The UFED is able to bypass the locking mechanism on many low-end phones, a.k.a. “burner phones”, using a boot loader. While JTAG and chip-off are valid options, we recommend you first try unlocking the device with a UFED, since those methods are more complicated, time-consuming, potentially destructive, and expensive.

Q: How does the UFED bypass a prepaid phone with a locked data port?

A: Bypassing a user lock depends on the device itself. If the data port is disabled, then the JTAG or chip-off methods are applicable here.

View the full webinar below:

Leave a comment if you have a question that was not answered above, or in the webinar itself!