UFED 4PC and UFED TK join UFED Touch in the UFED Series portfolio

UFED 4PC software runs on any PC platform.This week we’re excited to announce the launch of two brand-new products: UFED 4PC and UFED TK. In addition to our press release that hit the wires this morning, we thought we’d take the opportunity to address a few additional questions about these new products.

What’s new?

First: are UFED 4PC and UFED TK replacing UFED Touch? No. UFED 4PC and UFED TK are extensions of our UFED Series portfolio. Together with the UFED Touch, they are part of an approach that Cellebrite developed to better align the forensics solution with a wide range of customer work flows, environments and other use cases.

20130711121027-b7026a95-meUFED 4PC is designed for customers who wish to simultaneously extract, decode and analyze mobile device data on your choice of Microsoft® Windows®-based PC or a Mac running Microsoft® Boot Camp® software.

UFED TK supports users who seek to extract, decode and analyze mobile forensic data on a pre-configured, ruggedized PC hardware platform (we opted to install it on Panasonic® Toughbook® 53, Toughbook® 19, and Toughpad® G1 platforms) that includes all hardware, software and accessories in a single convenient kit.

We anticipate that many users will still require the ability to perform mobile forensic extractions from a dedicated single purpose device, a closed environment that does not allow installation of additional software. Other benefits, like the ability to perform forensic extractions even after power failure (as this book excerpt in DFI News pointed out), may be an added reason to maintain at least one UFED Touch in a lab.

What’s the same?

UFED Touch continues to be Cellebrite's flagship hardware.Whether you purchase a UFED 4PC or UFED TK to supplement your existing UFED Touch, or upgrade to a UFED Touch, UFED 4PC and/or UFED TK from the UFED Classic, remember: all UFED firmware upgrades will support all three systems. In addition, the same interface across all three solutions means that Cellebrite’s new training curriculum will enable you to use any and all of the three.

UFED 4PC incorporates the most comprehensive extraction and decoding support for the widest range of devices. It is built on the trusted UFED platform with its read-only boot loaders, unified device drivers, and other features designed to save time and deliver the most accurate data.

And, just like UFED Touch, UFED 4PC and UFED TK purchases will—depending on your license—include installations of UFED Physical Analyzer or UFED Logical Analyzer software, along with UFED Reader and UFED Phone Detective.

Which UFED is right for you?

One of the things that excites us the most about expanding the UFED Series is our ability to offer greater flexibility to customers. Some customers may opt to bring UFED Touch into the field and use UFED 4PC in the office or lab environment. Others may prefer exactly the opposite.

A variety of factors—how often you travel into the field, for what purpose, and even how your office or lab environment and work processes are constructed should inform your decision. Contact our sales team to determine the UFED Series product (or mix of products) that may be right for you.

(Almost) everything you wanted to know about Cellebrite’s new training and certification

Cellebrite UFED Certification TrainingOn Monday we announced our brand-new mobile forensics training curriculum and standardized certification, a development we’re quite excited about. The new curriculum means that investigators worldwide will benefit from the same coursework and certifications. This will not only strengthen their individual testimony in court; it will also strengthen the value of a Cellebrite certification. Here’s what you might want to know most about the new training:

When will the new courses become available?

The new training in its instructor-led classroom-based modes has already begun to roll out. Instructor-led web-based training will roll out in the very near future for those classes that lend themselves to live online delivery. Self-paced online training becomes available in December. Be sure to check our training web page for updates!

What do the new courses cover?

The 1-day, entry-level Mobile Forensic Fundamentals course introduces students to baseline concepts to ensure they gain the prerequisite knowledge to understand issues surrounding the handling of mobile devices as evidence.

The 2-day, intermediate-level Cellebrite Certified Logical Operator (CCLO) course exposes students to the basics of mobile device investigations, logical extraction of user data using the UFED Touch, and analysis of mobile devices with a variety of operating systems.

The 3-day, advanced-level Cellebrite Certified Physical Analyst course focuses on the use of the Cellebrite UFED Ultimate to perform file system extractions, physical extractions, password bypass and the advanced analysis of evidentiary items using UFED Physical Analyzer software.

We’re offering these courses within a number of bundles. Contact your regional sales representative, or submit a training inquiry, to learn more about hosting the Cellebrite 5-Day Mobile Device Examiners Course, the Cellebrite 3-Day Fundamental and Logical Bundle, or the Ultimate 6-Day Course Bundle.

Can you opt out of taking the written examinations and practical skill challenges?

The tests and skill challenges included within the CCLO and CCPA courses are optional. However, if you opt not to take the test(s), you will earn a certificate of completion and will not be eligible for the new CCLO or CCPA certificates, both of which are required to take the CCME.

What if you just got certified last year?

All legacy certificates that were issued by approved providers that reported them to Cellebrite will be honored for two years from the date of issue. However, only CCLO and CCPA holders who have completed the prerequisites my take the CCME.

Does certification expire? And how do you recertify?

Your certification will expire in two years from the date of issue. You’ll receive an email reminding you to recertify.

Is UFED Link Analysis a separate training class? When does it become available?

UFED Link Analysis does not require certification, so currently it is not a formal part of our training offerings. However, we regularly offer tutorial webinars that overview the various features. Watch your email and be sure to sign up when you see a UFED Link Analysis webinar offered on a convenient time and date. If you desire some formal training on Link Analysis, please contact the training department to arrange it.

If you’ve never taken a Cellebrite training course, or your certification has expired or is about to expire, now is a great time to sign up for a class—or arrange for a class to be taught in your area. Contact us today for more details!

Decryption, decoding and new functionality for UFED analytical software

UFED Physical Analyzer and UFED Logical Analyzer 3.8 bring a host of new decoding and decryption support, along with new functionality.

Apple and BlackBerry decryption capabilities

Depending on the user’s Apple account type (and not defined or controlled by the user), emails on devices running iOS 5.0 or higher may be encrypted with “elliptic curve.” In previous UFED Physical Analyzer versions, those emails were presented within the analyzed data section with an encrypted body. The new capability, available in file system and physical extractions performed via UFED Physical Analyzer, will present the encrypted email body for current emails.

Decryption of the BlackBerry WhatsApp database provides access to messages that were not previously accessible. The solution is applicable for cases in which the database was stored on the mobile device or SD card.

To decrypt the WhatsApp database, perform a physical or file system extraction from the BlackBerry device. These extractions should be opened using the open advanced function:

  • Click “Select a UFED extraction” and select the .ufd file of the physical extraction
  • Click “Zip file” and select the file system extraction (.zip file)
  • Click Finish

Other new support includes faster decryption and better handling of large encrypted iTunes backup files. With this release we are also offering decryption of BlackBerry’s REMF files.

Decoding support in UFED Physical Analyzer

UFED Physical Analyzer 3.8 adds decoding support for 142 new devices, including HTC, LG, Motorola and Nokia models, in addition to a number of models within the Samsung Galaxy family. Enhanced Android decoding support is also newly available for Samsung M9xx family and Motorola devices with NVidia chipsets.

Full support is also added for both iOS and Android versions of the Google Chrome, ooVoo, QQ, KeepSafe, and Yahoo! Email apps, as well as the iOS apps Facebook Poke, Find My Friends, and vBrowse; and Android apps drug vokrug, Sygic, Snapchat, Navfree, LinkedIn, Vaulty, My People, and the native email app on HTC devices.

UFED Physical Analyzer 3.8 also improves decoding of BlackBerry Messenger (BBM) attachments.

Enhanced Nokia Symbian device decoding includes information about the device, connected Bluetooth devices, cookies, wifi networks, installed apps, notes, WhatsApp and OVI maps apps, and email. The update also improves decoding of SMS, MMS and call logs, and allows for carving of deleted SMS from unallocated areas.

Finally, enhanced decoding is available on a number of feature Samsung and LG phones, including call log decoding from 57 Samsung and 30 supported LG CDMA devices, as well as SMS decoding from select Samsungs.

New functionality for UFED Physical/Logical Analyzer software

A new built-in viewer allows you to view all extracted locations on a map. The map function is based on Bing maps and requires an internet connection. (Note: KML files are still exportable to Google Earth.) The new function requires internet access and is only available to UFED Physical/Logical Analyzer users who have a valid, up-to-date license.

UFED Physical Analyzer now also enables users to verify a list of potential complex passwords from locked Apple devices, rather than entering single passwords one at a time. The verification does not affect Apple’s incorrect password locking mechanism. In addition, both UFED Physical Analyzer and UFED Logical Analyzer enable users to provide a plist file from the lockdown directory available on the suspect PC, instead of unlocking the Apple device before the extraction.

Finally, UFED Physical/Logical Analyzer now features a new “push” notification that will inform you when a new version is waiting for you.  If you are not connected to the internet, the notification will appear every three months.

Download the release notes here!

UFED Physical Analyzer 30-day Trial

Mobile forensics in the #DFIR sphere: SANS survey findings


As part of our ongoing cooperation with the SANS Institute to deliver effective training around mobile device forensic methods, this month we co-sponsored the SANS Survey of Digital Forensics and Incident Response. The survey saw 450+ participants answer questions about what they examine, how they examine it, and what they see as their biggest challenges in those examinations. Among the findings:

The role of different investigative techniques

analysts-programFilesystem and physical data extraction are the most common tools and techniques used to examine mobile devices. However, interviewing the device owner/user and forensic acquisition of logical data are not far behind. The authors felt that this could indicate a few things:

  • An immaturity of tools.
  • Immaturity of investigator access to and experience with mobile forensic tools.
  • The need for old-school “gumshoe” work in law enforcement and regulatory investigations.

Government investigators were much more likely than non-government respondents to acquire physical or filesystem data. They are also nearly twice as likely to perform forensic investigations on mobile devices than non-government respondents. “This seems to indicate that law enforcement personnel—presumably a large portion of the responding investigators who are employed by government—are as likely to encounter mobile devices in their investigations as not,” the authors wrote.

The immediate need for court-ready mobile evidence

Even so, 62% of respondents have used digital forensics to investigate “HR issues/employee misuse or abuse,” and 40% of respondents investigate employee-owned mobile devices. Concurrently, 57% indicate that they were looking for legal evidence that could hold up in court. This is especially salient given that more than a quarter of the respondents indicated that their main challenges regarding mobile devices are legal issues of ownership and privacy.

“This means applying an appropriate degree of rigor in the collection and management of evidence so that the trustworthiness of the evidence can be defended,” concluded the authors, who also believe that “organizations looking to increase forensic investigation capabilities in nontraditional areas should address mobile platforms first.”

Training and policies need regular review and updates

Forensic training appears to fulfill at least some of the need for skills related to mobile device extraction. The authors concluded, “It may be that “dump and image” of mobile devices isn’t a technical challenge for our respondents. Nevertheless, if use of data recovered by such means is a priority for an organization, it should ensure that the policies surrounding the use of such tools keep pace with their technical advancement”—and with the adoption of new practices and technologies.

The full survey will be released on July 18, together with the SANS webcast, “Digital Forensics in Modern Times.” In the webcast, authors Paul Henry, Jake Williams and Benjamin Wright will join Cellebrite global forensic training director Buddy Tidwell, and other vendor representatives, to discuss the findings in depth. Register for the webcast at the SANS website, and join us on July 18!

New Device Support with UFED; New Language Support with UFED Link Analysis 1.8

Following on our release of UFED Physical Analyzer 3.7 just a couple of weeks ago, we’re pleased to release a new firmware version for both UFED Touch and UFED Classic, as well as a new UFED Link Analysis version.

New UFED firmware means new device support

UFED Touch and UFED Classic now offer logical extraction from Samsung Galaxy S4 devices, and from the HTC One, logical along with file system extraction and decoding with user lock bypass. (Watch our video below for details on the HTC One extraction.)

Physical extraction and decoding with user lock bypass is now available for HUAWEI and ZTE devices running any Android OS version. This is possible with proprietary client software. To perform this type of extraction with your UFED Classic, update the EPR file before proceeding.

UFED CHINEX now enables physical extraction with decoding and user lock bypass from additional selected Alcatel devices. Using the UFED Ultimate interface, you can either select the specific model you’re working with, or one of two generic options offered.

Because these options cover different families of devices which are not included in the device list, but can be extracted using the same methods as already-supported devices, you should use the two options in sequential order.

Physical extraction with user lock bypass is now available for selected LG devices; decoding will be added in the future. To perform this extraction, the device boot partition is replaced without affecting the user partition.

UFED Classic Logical extraction enhancement

Cellebrite has improved UFED Classic Logical’s performance by enabling email extraction as part of the logical extraction process. This increases the amount of data available via logical extraction and is therefore beneficial in examinations where time is critical.

Customers who have recently purchased UFED Classic systems, but have not yet budgeted for UFED Touch upgrades, may find this improvement valuable as the number of smartphones they encounter increases.

Multilingual support for UFED Link Analysis

Released May 29, the UFED Link Analysis user interface is now available in 10 different languages besides English: Chinese, Dutch, French, German, Hebrew, Italian, Japanese, Portuguese, Russian and Spanish.

You can select the display language you prefer from the application settings. The language selection will be saved for future sessions as well.

Find our full UFED release notes here.

UFED Physical Analyzer 3.7 closes decoding gap; UFED Logical Analyzer improves logical iOS extractions

What good is a physical extraction without decoding? Well, it will still give you data—if you know how to carve. This can be a time-consuming process, and still may not get you all you need. Preferable is for automatic decoding to streamline the forensic examination, reconstructing the file system so that you can spend more time on analysis.

With the release of UFED Physical Analyzer 3.7, Cellebrite introduces decoding for more than 500 new devices which previously had only physical extraction support. These include:

  • iPhone decoding, now with decryption support for encrypted file systems; new plist and bplist parsers; and deleted apps list recovery, so that these apps are now shown in the installed application table with a “deleted ” attribute .
  • Support for 200 new Android devices with Android ID, Bluetooth MAC, IMEI, time zone and language locale shown in the “device info” section of the extraction summary folder.
  • Full decoding for non-encrypted BlackBerry .bbb backup files, which supports the new Blackberry PC backup format. Decryption is also included for all devices through OS 6.x, together with enhanced string carver options for devices without decoding.
  • New Nokia decoding support includes 30 BB5 devices with Symbian OS and non-Symbian OS. Nokia Symbian support includes an enhanced parser for content databases; decoding existing and deleted contacts, SMS, MMS and call logs; and decoding support for content in multiple languages.
  • More than 40 new Samsung feature devices have been added, along with more than 20 enhanced LG devices and deleted contacts recovery support for Motorola V series devices.
  • 90 new devices with Chinese chipsets can now be decoded, including recovery of the additional format variants of the device passcodes.

New release also includes UFED Logical Analyzer 3.7

The latest version also includes new features in UFED Physical Analyzer and UFED Logical Analyzer, together with new Android and iOS apps decoding. Among the new features: backward compatibility with UFED Report Manager file formats (URP) (as our Analyzer applications replace UFED Report Manager) and the ability to see whether an iPhone is jailbroken or an Android is rooted.

Both UFED Physical Analyzer and UFED Logical Analyzer can now perform advanced logical extraction from iOS devices. Data now includes contacts, SMS, MMS, app information, emails from jailbroken devices, databases and multimedia files.

Both pieces of software are now certified to run on Microsoft Windows 8. And don’t forget the new Android password carver included in UFED Physical Analyzer, courtesy of the CCL Group.

For more information, download our release notes!

Partnership with the CCL Group brings new Android password carver to UFED Physical Analyzer

As useful as our Android pattern/PIN/password lock bypass is to so many of our customers, at times, the password itself is needed. Perhaps a forensics examiner wants to validate extraction results manually, or believes the same password protects a different device.

Still, not all physical extractions are automatically decoded. Without the file system reconstruction that decoding provides, examiners must manually carve the password from wherever it is stored within the device’s operating system. This can add time to the forensic process, especially if the examiner must refer the device to a specialist. It might even be impossible if the examiner lacks carving skills, or the access to an expert who has them.

With our soon-to-be-released UFED Physical Analyzer 3.7, we’re pleased to introduce a new Android password carver—thanks to the efforts of the CCL Group, the United Kingdom’s largest private digital forensics company. Having produced 300 scripts as part of its digital forensics research and development efforts, last year CCL Group’s lab developed a Python code that could carve a numeric password from an Android physical extraction or from third-party image files.

The premise, as they explained in their blog:

As with the pattern lock the code is sensibly not stored in the plain, instead being hashed before it is stored. The hashed data (both SHA-1 and MD5 hash this time) are stored as an ASCII string in a file named passcode.key which can be found in the same location on the file system as our old friend gesture.key, in the /data/system folder.

However, unlike the pattern lock, the data is salted before being stored. This makes a dictionary attack unfeasible – but if we can reliably recover the salt it would still be possible to attempt a brute force attack.

The CCL developers made their code openly available for other researchers to dig into. Cellebrite’s co-CEO and Chief Technology Officer, Ron Serber, believed that the code was a natural fit within the UFED Physical Analyzer platform.

However, the code was written independently of our infrastructure. With CCL’s permission and partnership, we rewrote the Python code so that it could be used within our platform. On its own or as part of a plugin chain, the carver enables recovery of numeric passwords from physical image files extracted by UFED, JTAG, chip-off or other tools.

We’re introducing the carver together with UFED Physical Analyzer 3.7 in just a few days. Current license holders will receive an email with download links; if you’re not a current customer, please download our free UFED Physical Analyzer 30-day demo.

Tackling terrorism with technology: An interview with Cellebrite’s co-CEO

yossi_headshotYossi Carmil, Cellebrite co-CEO, talks to the Jewish Chronicle as part of its series on Israeli companies. In it, he and reporter Sandy Rashty talk about Cellebrite’s forensic and retail businesses, and what it takes to compete in a tight market.

Read more at the Jewish Chronicle here.

Now available for pre-order: UFED Link Analysis 1.7

LA01Pre-order our latest investigative software! UFED Link Analysis is a standalone application that helps rapidly identify connections between multiple devices’ owners. This month, we’ll start shipping the second generation of UFED Link Analysis.

Enhanced and improved based on feedback from customers involved in a limited beta release, the latest version includes an improved user interface along with the following all-new features:

  • Location analytics. See locations associated with people and communications. Where they were while they called or texted one another, or simply whether they have locations in common, can be important to building a case.
  • Multiple timeline view. See how device owners’ communications unfold among multiple people on particular days and times. The graph view visualizes events over time, the distance between them and highlights changes of behavior.
  • Entity analytics. Understand device owners’ relationship to entities (names, monikers or phone numbers) they’re in contact with. Analyze their preferred forms of communication and the frequency of their communications in comparison to one another.

These three capabilities are featured together with UFED Link Analysis’ core features in our video sneak peak:

In the aggregate, these features allow law enforcement, military, private, and corporate investigators and analysts to rapidly visualize key relationships between suspects and identify important patterns and anomalies. Used in the early hours of an investigation, this kind of tactical link analysis could help generate leads, bring about more in-depth analysis, and/or make operational planning faster and more efficient.

Stay tuned—just like with our other UFED Series products, UFED Link Analysis will be regularly updated with the latest tools according to customer requirements. To receive more information, please fill out our form.

Oops! We didn’t mean to cast our email net THAT wide…

Earlier today, we inadvertently emailed a link about our SANS webinar to a wider audience than we intended.

If you were among those who received this communication in error, and/or you discovered that our “Unsubscribe” link wasn’t working either, please accept our apology for the inconvenience.

We have remedied both problems and invite you to stay tuned for exciting new developments that will better meet your mobile forensics needs.