Mobile forensics in the #DFIR sphere: SANS survey findings


As part of our ongoing cooperation with the SANS Institute to deliver effective training around mobile device forensic methods, this month we co-sponsored the SANS Survey of Digital Forensics and Incident Response. The survey saw 450+ participants answer questions about what they examine, how they examine it, and what they see as their biggest challenges in those examinations. Among the findings:

The role of different investigative techniques

analysts-programFilesystem and physical data extraction are the most common tools and techniques used to examine mobile devices. However, interviewing the device owner/user and forensic acquisition of logical data are not far behind. The authors felt that this could indicate a few things:

  • An immaturity of tools.
  • Immaturity of investigator access to and experience with mobile forensic tools.
  • The need for old-school “gumshoe” work in law enforcement and regulatory investigations.

Government investigators were much more likely than non-government respondents to acquire physical or filesystem data. They are also nearly twice as likely to perform forensic investigations on mobile devices than non-government respondents. “This seems to indicate that law enforcement personnel—presumably a large portion of the responding investigators who are employed by government—are as likely to encounter mobile devices in their investigations as not,” the authors wrote.

The immediate need for court-ready mobile evidence

Even so, 62% of respondents have used digital forensics to investigate “HR issues/employee misuse or abuse,” and 40% of respondents investigate employee-owned mobile devices. Concurrently, 57% indicate that they were looking for legal evidence that could hold up in court. This is especially salient given that more than a quarter of the respondents indicated that their main challenges regarding mobile devices are legal issues of ownership and privacy.

“This means applying an appropriate degree of rigor in the collection and management of evidence so that the trustworthiness of the evidence can be defended,” concluded the authors, who also believe that “organizations looking to increase forensic investigation capabilities in nontraditional areas should address mobile platforms first.”

Training and policies need regular review and updates

Forensic training appears to fulfill at least some of the need for skills related to mobile device extraction. The authors concluded, “It may be that “dump and image” of mobile devices isn’t a technical challenge for our respondents. Nevertheless, if use of data recovered by such means is a priority for an organization, it should ensure that the policies surrounding the use of such tools keep pace with their technical advancement”—and with the adoption of new practices and technologies.

The full survey will be released on July 18, together with the SANS webcast, “Digital Forensics in Modern Times.” In the webcast, authors Paul Henry, Jake Williams and Benjamin Wright will join Cellebrite global forensic training director Buddy Tidwell, and other vendor representatives, to discuss the findings in depth. Register for the webcast at the SANS website, and join us on July 18!

New Device Support with UFED; New Language Support with UFED Link Analysis 1.8

Following on our release of UFED Physical Analyzer 3.7 just a couple of weeks ago, we’re pleased to release a new firmware version for both UFED Touch and UFED Classic, as well as a new UFED Link Analysis version.

New UFED firmware means new device support

UFED Touch and UFED Classic now offer logical extraction from Samsung Galaxy S4 devices, and from the HTC One, logical along with file system extraction and decoding with user lock bypass. (Watch our video below for details on the HTC One extraction.)

Physical extraction and decoding with user lock bypass is now available for HUAWEI and ZTE devices running any Android OS version. This is possible with proprietary client software. To perform this type of extraction with your UFED Classic, update the EPR file before proceeding.

UFED CHINEX now enables physical extraction with decoding and user lock bypass from additional selected Alcatel devices. Using the UFED Ultimate interface, you can either select the specific model you’re working with, or one of two generic options offered.

Because these options cover different families of devices which are not included in the device list, but can be extracted using the same methods as already-supported devices, you should use the two options in sequential order.

Physical extraction with user lock bypass is now available for selected LG devices; decoding will be added in the future. To perform this extraction, the device boot partition is replaced without affecting the user partition.

UFED Classic Logical extraction enhancement

Cellebrite has improved UFED Classic Logical’s performance by enabling email extraction as part of the logical extraction process. This increases the amount of data available via logical extraction and is therefore beneficial in examinations where time is critical.

Customers who have recently purchased UFED Classic systems, but have not yet budgeted for UFED Touch upgrades, may find this improvement valuable as the number of smartphones they encounter increases.

Multilingual support for UFED Link Analysis

Released May 29, the UFED Link Analysis user interface is now available in 10 different languages besides English: Chinese, Dutch, French, German, Hebrew, Italian, Japanese, Portuguese, Russian and Spanish.

You can select the display language you prefer from the application settings. The language selection will be saved for future sessions as well.

Find our full UFED release notes here.

UFED Physical Analyzer 3.7 closes decoding gap; UFED Logical Analyzer improves logical iOS extractions

What good is a physical extraction without decoding? Well, it will still give you data—if you know how to carve. This can be a time-consuming process, and still may not get you all you need. Preferable is for automatic decoding to streamline the forensic examination, reconstructing the file system so that you can spend more time on analysis.

With the release of UFED Physical Analyzer 3.7, Cellebrite introduces decoding for more than 500 new devices which previously had only physical extraction support. These include:

  • iPhone decoding, now with decryption support for encrypted file systems; new plist and bplist parsers; and deleted apps list recovery, so that these apps are now shown in the installed application table with a “deleted ” attribute .
  • Support for 200 new Android devices with Android ID, Bluetooth MAC, IMEI, time zone and language locale shown in the “device info” section of the extraction summary folder.
  • Full decoding for non-encrypted BlackBerry .bbb backup files, which supports the new Blackberry PC backup format. Decryption is also included for all devices through OS 6.x, together with enhanced string carver options for devices without decoding.
  • New Nokia decoding support includes 30 BB5 devices with Symbian OS and non-Symbian OS. Nokia Symbian support includes an enhanced parser for content databases; decoding existing and deleted contacts, SMS, MMS and call logs; and decoding support for content in multiple languages.
  • More than 40 new Samsung feature devices have been added, along with more than 20 enhanced LG devices and deleted contacts recovery support for Motorola V series devices.
  • 90 new devices with Chinese chipsets can now be decoded, including recovery of the additional format variants of the device passcodes.

New release also includes UFED Logical Analyzer 3.7

The latest version also includes new features in UFED Physical Analyzer and UFED Logical Analyzer, together with new Android and iOS apps decoding. Among the new features: backward compatibility with UFED Report Manager file formats (URP) (as our Analyzer applications replace UFED Report Manager) and the ability to see whether an iPhone is jailbroken or an Android is rooted.

Both UFED Physical Analyzer and UFED Logical Analyzer can now perform advanced logical extraction from iOS devices. Data now includes contacts, SMS, MMS, app information, emails from jailbroken devices, databases and multimedia files.

Both pieces of software are now certified to run on Microsoft Windows 8. And don’t forget the new Android password carver included in UFED Physical Analyzer, courtesy of the CCL Group.

For more information, download our release notes!

Partnership with the CCL Group brings new Android password carver to UFED Physical Analyzer

As useful as our Android pattern/PIN/password lock bypass is to so many of our customers, at times, the password itself is needed. Perhaps a forensics examiner wants to validate extraction results manually, or believes the same password protects a different device.

Still, not all physical extractions are automatically decoded. Without the file system reconstruction that decoding provides, examiners must manually carve the password from wherever it is stored within the device’s operating system. This can add time to the forensic process, especially if the examiner must refer the device to a specialist. It might even be impossible if the examiner lacks carving skills, or the access to an expert who has them.

With our soon-to-be-released UFED Physical Analyzer 3.7, we’re pleased to introduce a new Android password carver—thanks to the efforts of the CCL Group, the United Kingdom’s largest private digital forensics company. Having produced 300 scripts as part of its digital forensics research and development efforts, last year CCL Group’s lab developed a Python code that could carve a numeric password from an Android physical extraction or from third-party image files.

The premise, as they explained in their blog:

As with the pattern lock the code is sensibly not stored in the plain, instead being hashed before it is stored. The hashed data (both SHA-1 and MD5 hash this time) are stored as an ASCII string in a file named passcode.key which can be found in the same location on the file system as our old friend gesture.key, in the /data/system folder.

However, unlike the pattern lock, the data is salted before being stored. This makes a dictionary attack unfeasible – but if we can reliably recover the salt it would still be possible to attempt a brute force attack.

The CCL developers made their code openly available for other researchers to dig into. Cellebrite’s co-CEO and Chief Technology Officer, Ron Serber, believed that the code was a natural fit within the UFED Physical Analyzer platform.

However, the code was written independently of our infrastructure. With CCL’s permission and partnership, we rewrote the Python code so that it could be used within our platform. On its own or as part of a plugin chain, the carver enables recovery of numeric passwords from physical image files extracted by UFED, JTAG, chip-off or other tools.

We’re introducing the carver together with UFED Physical Analyzer 3.7 in just a few days. Current license holders will receive an email with download links; if you’re not a current customer, please download our free UFED Physical Analyzer 30-day demo.

Tackling terrorism with technology: An interview with Cellebrite’s co-CEO

yossi_headshotYossi Carmil, Cellebrite co-CEO, talks to the Jewish Chronicle as part of its series on Israeli companies. In it, he and reporter Sandy Rashty talk about Cellebrite’s forensic and retail businesses, and what it takes to compete in a tight market.

Read more at the Jewish Chronicle here.

Now available for pre-order: UFED Link Analysis 1.7

LA01Pre-order our latest investigative software! UFED Link Analysis is a standalone application that helps rapidly identify connections between multiple devices’ owners. This month, we’ll start shipping the second generation of UFED Link Analysis.

Enhanced and improved based on feedback from customers involved in a limited beta release, the latest version includes an improved user interface along with the following all-new features:

  • Location analytics. See locations associated with people and communications. Where they were while they called or texted one another, or simply whether they have locations in common, can be important to building a case.
  • Multiple timeline view. See how device owners’ communications unfold among multiple people on particular days and times. The graph view visualizes events over time, the distance between them and highlights changes of behavior.
  • Entity analytics. Understand device owners’ relationship to entities (names, monikers or phone numbers) they’re in contact with. Analyze their preferred forms of communication and the frequency of their communications in comparison to one another.

These three capabilities are featured together with UFED Link Analysis’ core features in our video sneak peak:

In the aggregate, these features allow law enforcement, military, private, and corporate investigators and analysts to rapidly visualize key relationships between suspects and identify important patterns and anomalies. Used in the early hours of an investigation, this kind of tactical link analysis could help generate leads, bring about more in-depth analysis, and/or make operational planning faster and more efficient.

Stay tuned—just like with our other UFED Series products, UFED Link Analysis will be regularly updated with the latest tools according to customer requirements. To receive more information, please fill out our form.

Oops! We didn’t mean to cast our email net THAT wide…

Earlier today, we inadvertently emailed a link about our SANS webinar to a wider audience than we intended.

If you were among those who received this communication in error, and/or you discovered that our “Unsubscribe” link wasn’t working either, please accept our apology for the inconvenience.

We have remedied both problems and invite you to stay tuned for exciting new developments that will better meet your mobile forensics needs.

Mobile device forensics vs. organized crime

Two days ago the New York Times ran a story about a major Europol operation that took down a Spain-based cybercrime network. The Russian-led network, which also comprised Georgian and Ukrainian nationals and extended as far as Dubai, used ransomware to extort money for “abusive” internet use.

What does this have to do with us? As part of its news release, Spanish National Police provided a video of the arrests taking place. Between minutes 1:55 and 2:43, the video shows two Cellebrite UFEDs in use.

While we have no details on the cell phones’ relevance to the investigation — it is, after all, still ongoing — we do think it’s a good bet that police imaged the devices on-site as part of their effort to root out other criminal cells. Indeed, cell phones’ relevance to organized crime in general is a topic we recently wrote about for Digital Forensics Magazine.

Criminal enterprises like this one have complex networks and ranging levels of hierarchies that use the latest mobile technology to thrive. These networks, whether regional or global, are run like sophisticated businesses. As the United Kingdom’s Daily Telegraph also recently pointed out, international gun and cigarette smuggling, money laundering, fraud, and human trafficking cost that country more than 100 million pounds per day.

This calls for authorities to be equally, if not more coordinated and sophisticated. Yet many law enforcement agencies struggle to respond to this relatively new form of crime. We’re pleased that Europol and the Spanish National Police  have not only factored in the latest digital technology trends as part of their strategies, but have also recognized our products as integral to their response.

UFED Double the Android devices supported for physical extraction

Our first update of 2013 offers something a lot of our clients have been awaiting for a long time: user lock bypass enabling physical extraction on HTC and Motorola devices. The new capability adds 109 Android™ models to our list—more than double what we previously offered via bypass methods.

To be more precise, we’ve added this capability to 66 HTC and 35 Motorola devices, including HTC’s Evo, Incredible, Wildfire and Desire models along with Motorola’s Milestone, Droid Razr and Razr Maxx. (A full listing is available in our release notes, downloadable here.)

We’ve also extended our Samsung Galaxy series user lock bypass method from the Galaxy S and S2 to the Galaxy S3 (international model GT-i9300) and Galaxy Note II. This capability is available on the UFED Touch Ultimate, although the UFED Classic still supports physical and file system extraction on unlocked Galaxy S3 and Note II.

The new support relies on our well-known proprietary user lock bypass methods, which work even when USB debugging is disabled. These methods provide the deep access to mobile devices that forensic examiners need to complete their extractions of existing, hidden and deleted data. User lock bypass is now supported on a total of 229 Android smartphone models.

Additional extraction support

We’re also pleased to report that we now support physical, file system and logical extraction for Apple devices running iOS 6.1, which was released only last week. Our physical and file system extractions support iPhone 3GS/4 and iPod Touch 4G devices, and include decoding, simple and complex passcode bypass, simple passcode recovery, and real-time decryption. (Note: To get this capability, you must update the new EPR via the UFED Physical Analyzer.)

Our file system and logical extractions support iPhone 3GS/4/4S/5, iPad2/3/4/mini, and iPod Touch 4G/5G.

Finally, we now support file system extraction from any device—Nokia, HTC, Samsung, Huawei and ZTE—running Windows Phone 7.5 and 8. Extract existing and deleted data from these devices via the “File system > smartphones” in the UFED menu.

Get your UFED update at! (Not a user? Visit us at to learn more!)