Cellebrite Spotlight: Interview with Director of the Research Group, Shahar Tal, Cellebrite


Shahar Tal – Director of the Research Group at Cellebrite – has built an extensive and impressive career within the realm of R&D. Hailing from an elite military background, Shahar in his current role oversees Cellebrite’s research efforts to provide extraction-enabling solutions – for all devices of interest, including the most complex and challenging.

Read up on his career highlights, opinions on Cellebrite’s future in digital forensics as well as advice to newbies entering this technological sphere.

Have a question for Shahar? Leave us a comment below!

Shahar, you are the Director of the Research Group at Cellebrite. Tell us a bit about your role. What does a day in your life look like? 

In my role, I am responsible for Cellebrite’s research efforts to provide extraction-enabling solutions for all devices of interest. This core role within the company helps define what our products and services can do. Our unmatched research is one of our strongest differentiators, creating high expectations among our customers and colleagues. My job is to ensure that we continue developing unique capabilities to match these expectations. Luckily, I have several research teams made up of top talent that are dedicated to the task in each different research domain. They deserve a lot of the credit for the technical breakthroughs achieved at Cellebrite.

What does a typical day at the office look like?

Hectic – with dozens of ongoing research projects in various stages! One moment, you may hear cheers and excitement from one of the rooms, where researchers successfully discovered a new extraction method for a previously unsolved device; the next moment, you take part in a critical design review for the next UFED version, while simultaneously reviewing open issues and feature requests for five other projects. After lunch, I usually interview several candidates to join the research team, and then round up the team for a weekly follow-up of progress and status.

The most gratifying moments are when we receive customer feedback that praises both our technology and efforts, which enable them to solve a critical case that may happen to appear all over the news that week. This feedback is significantly rewarding, and contributes to the drive and motivation behind our work every day.

Can you tell us a little bit about what first sparked your interest in digital forensics? 

I am still a newcomer to the digital forensics field, and I learn from the experts and my peers at Cellebrite every day. Coming from a research background, my introduction and continued involvement in the digital forensics arena are incredibly interesting. I think it is crucial for a researcher to understand the needs and concerns of the end user, and that is why I personally follow and often respond in community forums and mailing lists.

Shahar, you hail from a military background. I can imagine that this is quite different from work in the private sector. Can you tell us how working in the private sector compares with the military life?

I have a history in elite army R&D units, and in many ways these years have provided the best training possible – by shaping the nature of my work and sharpening my skill sets. Working under tight schedules in an environment where product performance and reliability are absolutely critical, helps you sharpen your instincts and prioritize tasks accordingly. I am also delighted to have had the opportunity to work with some of the best talents in the world on extremely challenging projects.

When comparing, I find that the private sector brings many new aspects into play – where cooperation and outbound communication are legitimate and important facets of your role. I enjoy taking part in and interacting with the research community; I regularly attend and sometimes speak at conferences around the world. I welcome potential collaboration opportunities and keep an eye out for new developments in the field.

This year has been a big year for Cellebrite’s technologies. Which current trends in forensic computing particularly interest you, and what new challenges do you foresee in the future?

I believe the challenges of encryption are strongly influencing the forensic landscape already, and will continue to do so in the coming years. Full Disk Encryption has easily been the most significant mobile forensics game-changer since last year, in effect rendering chip-off/JTAG/ISP methods useless in all new devices. This landscape shift leaves on-device unlocking capabilities as the only alternative. Fortunately, this is where Cellebrite, as the forensics research leaders, have excelled throughout the years.

I also expect that we will continue to see device manufacturers implementing more layers, mechanisms and obstacles, further challenging evidence extraction. We see this today and witness the difficulty and resources invested per solution – which is increasing steadily.

And, moving forward – what does the future hold for Cellebrite? What can we expect to see over the next year or so? 

Cellebrite is making great strides in providing a complete digital intelligence portfolio. Our dominant extraction capabilities are only where it begins, and I think many law-enforcement and intelligence investigative practitioners will be excited about what’s coming next.

I expect to see us maintain our leadership in device unlocking services – being the first to provide the technology to unlock a newly released device, while simultaneously seeing our analytics platforms integrate into many agencies’ processes and infrastructure.

I think that we definitely have the ability to change people’s perspectives when it comes to mobile forensics. That is, to make people realize that a locked device is not a dead-end road, and that they can turn to Cellebrite – who can help them recover the most available data possible from locked as well as encrypted iOS and Android devices.

As you stated, you are a newbie of sorts to digital forensics. Do you have any advice for individuals who are just starting out in their digital forensics career? 

Be prepared for a rapid rate of change, and understand extraction challenges. Digital forensics is no longer restricted to decoding and analysis of data – examiners and responders from the lab to the field should have a deep understanding of what is possible to extract and under what conditions. Stay involved, read about technology and security research news, be prepared to learn something every day – this will give you an edge in a field where you can never learn enough.

Finally, when you’re not working, what do you like to do in your spare time? 

I enjoy spending time with my family, reading books and playing puzzle games with my young daughter. I am a serious basketball fan and a less-serious, mediocre player – on good days. My favorite team since childhood is Hapoel Jerusalem… and occasionally you may find me waking up at 03:00 AM to watch NBA matches.

Click here to learn how Cellebrite’s mobile forensic solutions meet your investigation needs.

Follow Shahar on Twitter: @jifa

Reason #1 to vote Cellebrite for a 2016 Forensic 4:cast Award

For the eighth consecutive year Cellebrite has been nominated by our dedicated UFED users and the digital forensic community in recognition of our success in delivering the most innovative and functional mobile forensic tools.

Thanks for your nominations in the following categories:

  • UFED Touch for phone forensic hardware of the year
  • UFED Physical Analyzer and UFED4PC for phone forensic software of the year
  • Digital forensic organization of the year

If you haven’t already voted, here is a good reason why Cellebrite deserves the Forensic 4:cast Awards:

Consistently First, Often Unmatched

Cellebrite’s UFED consistently brings critical mobile forensic capabilities first to the lab and field, and many of these capabilities remain unmatched for months or years. Just in our last two releases (4.5 and 5.0) we included 26 industry-first capabilities, and 22 are still exclusive to Cellebrite. Our recently released UFED 5.0 includes industry-first features and functionality that make your life easier, and your investigation more efficient – this includes a new validation capability, and unifying multiple extractions in a single unified report. We were also quick to include support for file system and logical extractions for the recently launched Samsung Galaxy S7 and iPhone SE.

Our innovation timeline will further demonstrate why we are the undisputed pioneer in breakthrough device specific mobile forensic capabilities. With UFED, chances are you will have these critical capabilities when you need them, when they are essential to your investigation, and well before any other tool currently on the market.

So in a nutshell, you can count on us to continue being the first to provide you with the most innovative, extensive and technologically advanced mobile device support in the industry.

Does UFED play an important role in your investigations? If you think so, then vote for us today!  


How private social data makes a better crime story

Open source intelligence is an undeniably important source of information in a great many investigations, both civil and criminal. Public-facing posts to Facebook, Twitter, Vine, Pinterest, and other services can provide key evidence in cases involving insurance fraud, child exploitation, organized criminal activity, and harassment in or out of the workplace, among others.

However, open source intelligence is limited. People who act one way on public networks may behave very differently in private posts or messages, and may conceal key details in private messages. That means that without the data, investigators lack important context. In a recent survey of Cellebrite customers, nearly two-thirds reflected that data stored off the device and on the cloud was of critical concern to them.

Perhaps the most well-known example of the gap between public and private social data is the wave of street violence that occurred in north London, England in August 2011. As The Guardian reported, Facebook and Twitter only accounted for a small amount of communications around the unrest. Actively monitoring those services, police managed to deter violence in publicly named locations.

“However,” the news article went on to note, “the most powerful and up-to-the-minute rallying appears to have taken place on a more covert social network: BlackBerry Messenger (BBM)…. unlike Twitter or Facebook, many BBM messages are untraceable by the authorities.”

Social network analysis identifies likely sources of private contact

When an investigator considers the likelihood that s/he will need to obtain private social data, interviews with victims, witnesses and suspects are often a good place to start. Interviews can reflect communication patterns—apps and platforms used, modes of contact, etc.—among people involved in a case, and help narrow down the range of content to look for.

Also consider who is important enough for the victim or suspect to share information with. You can get a sense for this network from analyzing activity by the people they most frequently communicate with: those who like or comment on their posts, how frequently, in what context. Unusual communications from a loose acquaintance, depending on timing, can be as important as regular contact with a typical circle of people.

Social network analysis can also reveal relationship conflicts of interest, which can be important in fraud or insider threat cases. People who are not outwardly connected on social media may be communicating via email or private message, in accounts they don’t use to communicate with anyone else.

Public data can provide private leads

Consider, in addition, what is important enough for a victim or suspect to share information about. Images of material goods can indicate money spending habits or even outright crime. Their page likes and follows—the Guardian reported that initial activity related to the riots began on a public Facebook page—can provide clues about interests and activities which they may discuss privately.

Meanwhile, private content that is opposite to public postings, or to what the victim or witness has told you during interviews, can be used as leverage to find out what really happened. These contradictions can exonerate as well as implicate a suspect. And, if the case goes to trial, the contradicting content can impeach a witness’ credibility.

Understand cloud usage trends in your community

It’s important to maintain a strong sense of technological trends ongoing not just in the nation or the world, but in specific regions as well. The Guardian described in a later article how, in London, BlackBerry’s prepaid model allowed teens and lower-income people to afford the devices they used to coordinate their activities, without using cloud services.

Further, while BlackBerry Messenger communications are encrypted, and iOS and Android devices are heading that way as well, most social media services are not. That means that data unrecoverable from apps on the device may still be available from cloud services themselves.

Even so, with mobile device manufacturers, third-party app developers, and online service providers taking more drastic measures toward improving their customers’ data security, government agents should take the steps they need to secure proper legal authority before accessing subjects’ private data. That could take the form of a search warrant, consent, or other documentation. It also means understanding the difference between true exigency, and the perception of exigency in a high-pressure situation such as a riot.

Don’t miss out on the critical evidence or intelligence that could help make a case. Download our solution brief to learn more about how the UFED PRO Series improves the context of an investigation.


UFED Physical/Logical Analyzer 4.2 offers efficiency improvements, decryption and enhanced decoding


The new Physical/Logical Analyzer release, version 4.2, is chock full of features and device support. From more efficient location mapping processes to improved decoding, this latest release is designed to accelerate your investigations and enable you to drill more deeply and intuitively into data from more than 15,000 devices.

Deeper location data analysis, more efficient workflows

UFED Physical/Logical Analyzer 4.2 offers a number of new enhancements with regard to location data. These enhancements offer more flexibility and efficiency by allowing you to access highly visual information more easily.

First, new offline map support offers map view even when an Internet connection is not available or you are analyzing data at a workstation that is required to remain offline. Second, you can also now zoom in to locations in map view and see related event details. When you want to explore deeper relationships between locations, timelines, and analyzed data, you can jump from location information to its source event or timeline and vice versa.

Location information also allows you the ability to examine attached images, videos, audio, text, and other files identified during the data analysis process. The Data Files category in the project tree enables you to view and filter attachments within data files, locate the associated attachment event, and view its metadata and location information.

Do you frequently share your extracted UFDR reports with others using UFED Reader? Now, include the UFED Reader executable within the report output folder. This saves time for report recipients in locating, downloading, and using the UFED Reader application.

New app decoding and analysis functionality

UFED Physical/Logical Analyzer 4.2 also keeps pace with investigator demand for greater visibility into app data. Besides newly added support for apps installed on Android, iOS, and Windows Phone® devices, as well as updated support for 40 Android and 63 iOS app versions, the new release offers additional decoding and some decryption support, as well as improvements in the way app data—particularly chat app data—is displayed.

Added to analytics that show the most frequently used apps, app usage data now includes information about the last time a user launched a particular app, as well as for how long they used it. Also for the first time, view the number of messages per chat, which can help validate chats extracted using other tools that do not thread messages. Additionally, location data for chat messages is now available for export into all report formats.

Other apps-related support includes decryption of KeepSafe and WeChat apps, together with decoding support for WhatsApp VoIP call logs on Android devices. New WhatsApp support also includes the Read, Delivered and Played timestamps of outgoing WhatsApp messages for iOS, Android and BlackBerry® 10 devices. In addition, Twitter group chat messages are now displayed in Chats.

New device support includes physical extractions, decryption, and decoding

Disable the user lock for 159 Samsung Android models using SPR and SPM methods, depending on the device’s firmware version. In addition, Physical extraction with lock bypass and decoding is now supported for 58 LG Android devices released with Android version 4.2.x and above.

Decryption is now possible for physical extractions from generic Android and Samsung devices running Android 4.2 and below using a known password. Similarly, extract BlackBerry device backup data as part of file system extraction, and then decrypt the backup data with known BlackBerry ID credentials you retrieve via UFED Physical Analyzer.

Device information decoding is newly enhanced for all device types. For BlackBerry 10 this includes username, device model, PIN, IMEI, and device name; for Windows Phone devices, the information includes IMEI, IMSI, MEID, mobile operator ID, country, MAC address, and OS version. Device information for Android devices now includes the decoded Tethering ID and password, while iOS device product name and product type information are now included under device information.

Saving time in a death investigation

One Minnesota (US)-based detective working a death investigation used Physical Analyzer 4.2 to unlock a pattern-locked Samsung Galaxy S5 (SM-G900V). Facing a lengthy and destructive chip-off extraction because the device did not appear to be supported for JTAG extraction, the investigator was able to run the device against a pre-release copy of Physical Analyzer 4.2. The extraction worked, and the investigator was able to use that evidence to continue building his case.

To learn more about how the new UFED Physical/Logical Analyzer 4.2 can help accelerate your investigations, download our release notes today!

Introducing Cellebrite’s new mobile forensics solutions for lab and field

Today we’re excited to launch two new ways for law enforcement, military, and private-sector investigators to approach investigations. Our suite of mobile forensic solutions relies upon tried-and-true, flagship UFED technology together with a couple of newcomers designed to unlock the intelligence of new and disparate mobile data sources and extend investigative capabilities to the field so that actionable information can be qualified and shared quickly.

The new offerings are founded upon insights gleaned in our recent mobile forensics trends and predictions survey. Among them, 60% of respondents indicated that more data stored off the device and on the cloud was of major concern to them, while 80% of respondents reported experiencing some level of device backlog in the last year.

The UFED Pro Series, designed for forensic lab practitioners, and the UFED Field Series, designed for field personnel, each respond to those and other concerns by optimizing data extraction and analysis capabilities by role—and unifying investigative workflows between lab and field.

In other words, field-level investigators now have a way to obtain a simple data preview capability, enabling them to access actionable data without having to wait for a lab, while lab-level investigators can use specialized tools to tackle a larger swath of visible, hidden, deleted, and cloud-based private data, when a situation demands.

The UFED Pro Series comprises Cellebrite’s flagship UFED Ultimate together with UFED Link Analysis and, when appropriate, the all-new UFED Cloud Analyzer in two solution sets: UFED Pro CLX and UFED Pro LX. The integration allows examiners to unify disparate data for easier analysis, helping to bring key insights to the surface quickly.

The UFED Field Series – an integrated software and hardware solution comprised of UFED Field IX and UFED Field ILX – allows field-level personnel to perform simple, efficient data extractions onsite via in-car workstations, laptops, tablets, or our new secure, self-service UFED InField Kiosks at stations or other locations. This frees forensic specialists to move beyond basic evidence collection and focus on more complex analytical work.

Both solution sets include user and data management controls that forensically preserve evidence, maintain chain of custody through the unified workflow, and promote device owner privacy by filtering data by date, time, and/or content types to focus only on what’s most relevant to an investigation.

Learn more in our press releases about the new UFED Series solutions, including the UFED Pro Series and the UFED Field Series, and be sure to leave us a comment should you have any questions!

Prepare to tackle smartphones & JTAG with Cellebrite’s new Advanced Training Pathway courses

Smartphone operating and file systems, damaged and prepaid devices, and increasing amounts of data all present conundrums to mobile forensics examiners. It takes time to learn the intricacies of various device and OS versions, and time to sift through the gigabytes of data that each device can contain. These problems are compounded when a device is severely damaged and you have to send it out to a specialist lab to recover the evidence.

To help you build professional expertise to meet those challenges, Cellebrite is pleased to announce the addition of an all-new Advanced Training Pathway. Designed to enhance the forensic expertise you received from the CCPA Core Certification, the courses included in this pathway provide you with the specialized extraction and analysis skills you need to maximize the amount of evidence you can retrieve from smartphones and damaged devices:

  • The 3-day instructor-led Cellebrite Advanced Smartphone Analysis (CASA) course allows students to take an in-depth look at the challenges posed by iOS, Android, and Windows Phone® devices. The course covers the analysis of SQLite databases, issues related to iOS passcodes, and artifacts from the three major smartphone platforms.
  • The 3-day instructor-led Cellebrite JTAG Extraction and Decoding (CJED) class teaches participants about the methodologies, purpose, and origins of the JTAG process. Participants can expect hands-on practice with fundamental soldering skills, as well as with using UFED Physical Analyzer to decode JTAG extractions. A RIFF brand JTAG box, a Molex adapter kit, a class-specific tool kit, and a Cellebrite soldering practice board will all be available for participants to take back with them.

Get the skills you need to maximize your mobile device evidence collection and analysis efforts. Register at the Cellebrite Learning Center today to advance your professional expertise!

Physical extraction & decoding, decryption breakthroughs headline UFED 4.1 release

With the release of UFED 4.1 and UFED Physical Analyzer 4.1.1, Cellebrite kicks off 2015 with breakthrough capabilities designed to solve some of investigators’ most challenging problems: Windows Phone 8, Jelly Bean/KitKat, and prepaid device extractions, as well as WhatsApp database encryption.

Physical extraction & decoding for Nokia Lumia, Android 4.2-4.4.3

Investigators who encounter Nokia Lumia devices can now circumvent the need for JTAG processes to bypass user locks and retrieve deleted data. Although Microsoft announced late last year that it will produce all Lumia models going forward, Nokia sold 17 million Lumia devices in 2013, and 90% of Windows Phone users own Lumia devices. With that in mind, UFED now supports user lock bypass, physical extraction and decoding of many of the most popular Lumia models, including 810, 820, 920, and others based on Windows Phone 8.0 and 8.1 operating systems.

New physical and file system extraction and decoding, along with improved password unlocking and extraction, is also available for Android devices running OS 4.2 (Jelly Bean) through 4.4.3 (KitKat). Devices such as the Samsung Galaxy series (S5, Nexus, Note 3, S3 Mini etc.) along with other leading vendors and models including LG, Motorola, and Sony are included in this release.

Prepaid device support for Tracfone, Samsung E1200R

Also solved: prepaid Android devices with locked or damaged ports, in particular Tracfone models popular in North America. Unlike other prepaid models that can be extracted using “paid” profile equivalents, Tracfone models do not have USB ports, and investigators could not get critical evidence. Cellebrite now offers an option to load a client over these devices’ Bluetooth connection, so that investigators can perform logical extractions.

New physical extraction and decoding support is now available for the internationally popular “burner” Samsung E1200R feature phone.

WhatsApp database decryption

Cellebrite’s first-of-the-year breakthroughs aren’t limited to extraction and decoding. We’re also introducing decryption for WhatsApp’s newly encrypted chat history database. For databases using the .crypt8 file extension, UFED Physical Analyzer 4.1.1 decrypts full content from WhatsApp, one of the world’s most popular messaging apps with 700 million monthly active users as of January 2015.

An easier-to-use interface

Rounding out Cellebrite’s update this month is a new, better organized home screen, which now groups extraction tools and other utilities into distinct areas. Users can now opt to extract a mobile device, SIM card, or USB device; operate UFED Camera; or access UFED device tools, rather than have to search for these capabilities within the pool of vendor icons.

Additionally, a new search screen supports three device identification methods: a simpler auto detect, a free text global device search, and a manual device search similar to the previous home screen (selecting vendor followed by model). The new interface offers better accuracy for investigators who need to search on an exact model number rather than, say, “iPhone 5.”

Learn more about UFED 4.1 and UFED Physical Analyzer 4.1.1 – download the release notes here!

Self-paced training joins instructor-led classes in Cellebrite’s online offerings

The Cellebrite Certified Logical Operator (CCLO) certification course recently joined our Mobile Forensic Fundamentals online class, officially making Cellebrite the first mobile forensics vendor to offer any kind of online certification training.

Online training is valuable when you are unable to travel, can’t take time away from work, or simply prefer online learning. On-demand online training scales for organizations that need to train large teams simultaneously and cost-effectively, because participants can learn without interruption to operations.

Cellebrite’s on-demand, self-paced courses are instructionally equivalent to Cellebrite’s instructor-led training (ILT) courses. In fact, Cellebrite Certified Instructors are integrated “virtually” into the online course. This enables you to receive real-time feedback on your progress through dynamic navigation and regular “learning checks.”

You can also revisit lessons for review and additional practice. This interaction, along with scenario-based conditional logic—which offers different steps for you to follow as part of learning to think critically about mobile forensics—is part of practical exercises that help you to learn forensic techniques and processes hands-on.

In other words, this is not a pre-recorded webinar! Complete Cellebrite courses on your own time directly via the Cellebrite Learning Center. Our video describes this in greater detail:

One part of a broader professional training strategy

The new online offering follows the trajectory of Cellebrite’s comprehensive, standardized training curriculum, the first and only to be offered across three different delivery models. The curriculum began last year with classroom-based training and added instructor-led online training, followed by the Cellebrite Certified Mobile Examiner certification test, earlier this year.

The availability of the CCME certification addresses hazards which ProPublica raised in its article “No Forensic Background? No Problem.” Although the article focused on certifications in the physical forensic sciences, it covered very similar issues found in the digital forensics community:

“There are a lot of people practicing, but there’s no assurance that they have the requisite training and board certification to see if they do have the skills to do the practical [work],” said Dr. Marcella Fierro, one of the NAS report’s authors and the former chief medical examiner of Virginia….

“Credentials are often appealing shortcuts,” Michigan circuit court judge Donald Shelton said. Fancy titles can have a disproportionate effect on juries, he added. “Jurors have no way of knowing that this certifying body, whether it’s this one or any other one, exacts scientific standards or is just a diploma mill.”

Cellebrite designed not just the CCLO and CCPA, but the CCME in particular, to address these issues by encouraging full professional proficiency and not just proficiency at using UFED tools.

Enroll now in our online on-demand training as a first step toward certification!


New UFED release delivers improved workflow, permission management, a new mobile app, and more

The new UFED 3.0 release is designed with front-line investigators in mind. From a new permission management and user authentication capability, to a much more streamlined extraction workflow and a mobile app that’s accessible from any iOS or Android device, the new UFED promises to make your work more efficient by getting you the data you need faster.

New user authentication and permission management

Many labs are struggling with backlog and the need for front-line investigators to get quicker access to information in order to begin or complete an investigation. However, doing so within the “right to know, need to know” boundaries of both legal authority and internal standard operating procedures and policies is important to retain community trust—whether you work in law enforcement or in the corporate environment.

The new UFED Permission Manager standalone application allows an administrator to create profiles and manage user accounts, including usernames and passwords, which enable users to perform specific extraction activities. Each profile contains access permissions, including operation rights per extraction type, content types and more.

Once these are created, the administrator can then export the users and profiles into an encrypted permission management file, and in turn into multiple UFED Touch and UFED 4PC units. This file activates user authentication, ensuring that only users with the right credentials can access the UFED and perform the extraction types they have permission to perform.

New smoother workflow

Customers have been asking for a more efficient extraction workflow, and we’re pleased to deliver it in UFED 3.0! Now start your extraction process in UFED Touch or UFED 4PC by selecting the device vendor, before proceeding to the specific device selection screen. The UFED interface then provides a list of supported actions for that device.

After installing the update, the UFED Touch/4PC application will notify you about the new workflow and provide instructions on first usage.

The new smoother workflow includes an AutoDetect feature. Connect a device and push the AutoDetect button on the main screen; on UFED 4PC, AutoDetect will run automatically when the UFED Device Adapter is connected.


New UFED Phone Detective mobile app

While in the field, use the UFED Phone Detective mobile application to look up extraction and decoding capabilities—as well as whether lock bypass is supported—for all device profiles supported by UFED hardware and software. Use your my.cellebrite.com credentials to log in, then search by vendor and model.


New device, decoding and app support

New device support includes logical extraction for BlackBerry 10, physical extraction for a number of new Samsung devices, and Advanced Logical extraction for iOS 7.0.6/6.1.6.

New decoding support is available for enhanced locations decoding from file system and physical extraction of iPhone 4 running iOS 7.x, along with enhanced decoding of application permissions to include permissions to location services. Enhanced decoding of contact list, call log, calendar, and tasks is now supported on Windows Mobile 6/6.5 physical extractions, as well as backup decoding from the latest devices running Android version 4.x.

New Android and iOS apps now supported for decoding include Burner (calls, contacts and SMS messages), WeChat, Badoo, BlackBerry Messenger, and Silent Phone. Additional decoding is also newly available for WhatsApp, Facebook, Gmail (for Android) and the new Line version for iOS.

For more information on these new features and support details, as well as a rundown of new UFED Physical/Logical Analyzer functionality, download our release notes here.

New iPhone 5s/5c, iOS 7 and Samsung Galaxy S4 support with UFED 2.2.0.0 and UFED Physical Analyzer 3.8.5

Cellebrite is proud to be the first and only mobile forensics vendor to support physical extraction, user lock bypass, and decoding on selected Galaxy S4 devices, Galaxy Tab, and Galaxy Note:

This new support already helped to rescue two small children from sexual predators in the US. While still in beta, our UFED 2.2 software enabled investigators to recover and parse text-messaging and other app data located within the Galaxy S4’s file system. The data showed two suspects communicating with one another, and as a result, enabled the investigators to locate both victims, take the suspects into custody, and build a strong case against them for both the assault and production of child pornography.

Extraction and decoding when iTunes backup is enabled

iTunes backup encryption has frustrated mobile forensics examiners for some time. Cellebrite customers would successfully extract an iPhone’s file system, but then find that UFED Physical Analyzer couldn’t parse the data. Without knowing the passcode for iTunes encryption, the data was simply unattainable.

As of today’s release, Cellebrite is now offering two new extraction methods from iOS devices that have iTunes backup encryption enabled, even if you do not know the password. Available with the Advanced Logical extraction option in UFED Physical/Logical Analyzer, the methods for iOS devices are:

  1. With the iTunes backup encryption enabled and without entering the password
  2. When the device is jailbroken

The extraction wizard presents the device model, iOS version, and iTunes backup configuration, and lists which data can be extracted using each method. The application indicates a specific recommended method per iTunes Backup configuration and jailbroken status.

Customers who asked for support around this feature received a beta version of Physical Analyzer 3.8.5. “I recently posted about an encrypted iPhone 5 where the phone did not have a pass code, but it did have the backup files encrypted,” said James Howe, an Ohio detective, on a listserv. “[With the new version of Physical Analyzer], I was able to access the phone’s contents and complete the exam. None of the other software I had access to did anything for me. It was a breeze once it got going.”

New physical extraction and decoding support for devices with Chinese chipsets

An update to UFED CHINEX adds support for physical extraction and decoding with user lock bypass not only for Android devices with MTK chipsets, but also for devices with an Infineon chipset. Added to existing extraction and decoding for MTK and Spreadtrum chipset devices, this means Cellebrite now supports 99 percent of “Chinese devices” currently on the market.

Download our release notes for full details about these versions. If you’re not yet a customer and would like to try the new iOS capabilities, try out UFED Physical Analyzer for 30 days free!
