Discover Best Practices and Advanced Decoding with UFED Physical Analyzer: Q&A from Cellebrite’s webinar

In a recent webinar, Dan Embury, our CAIS Technical Director, provided participants with tips and tricks, and best practices to help them get the most out of UFED Physical Analyzer. Overviews include Android custom recovery, Android UFS-based device unlocking, BlackBerry 10 backup encryption, Android backup APK downgrade, Apple iOS jailbreaking overview, as well as decrypting and decoding TomTom trip log files.

The webinar is available for viewing at the bottom of this post. During the webinar, participants asked a number of good questions, which we’ve compiled in this blog.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Q: Can you confirm that TomTom decryption is not included in UFED Physical Analyzer?

A: The decryption itself is not included in UFED Physical Analyzer. It requires offline processing using a large number of computers and processors. Instead, the encrypted TomTom trip logs can be exported in XML format and forwarded to Cellebrite, and we will perform the decryption. The decrypted results are then provided back to you for analysis in UFED Physical Analyzer, using the TomTom import function. Please contact CAIS@cellebrite.com for more details and to submit your encrypted trip logs.

Q: WhatsApp recently announced that they have encrypted chat and voice chat, can UFED extract WhatsApp data after the WhatsApp upgrade?

A: In general, messages are encrypted while in transit; however, this does not affect the data at rest (the forensic data) stored in the WhatsApp databases. Cellebrite will release a solution in the coming days to decrypt the new WhatsApp encryption format, crypt9.

Q: When retrieving the BlackBerry encryption key using BlackBerry ID and password, how does this work?

A: Within UFED Physical Analyzer, you may retrieve the key associated with a BlackBerry ID using known credentials and decrypt the backup data from BlackBerry devices.

How to use: Open a file system extraction of a BlackBerry 10 device. During the decoding process, a window is displayed: enter the BlackBerry ID credentials and select Get Backup key (to retrieve a key, an Internet connection is required in order to communicate with the BlackBerry company servers).

You can save the key for future usage by selecting the Save button. If an Internet connection is not available, you can retrieve a key on any instance of Physical Analyzer connected to the Internet. Go to Tools and select Retrieve BlackBerry 10 Backup Key.

Enter the BlackBerry ID credentials and select Get Backup key. Click Save and load the key from the UFED Physical Analyzer disconnected from the network to continue with the decoding process.

Q: Are new Android devices encrypting the information in a unique fashion for each device?

A: The results of ongoing research, both at Cellebrite and within the forensic community, are exposing what sort of evidence can be extracted from these newer devices. The processors being integrated into Android, iOS, and BlackBerry devices are very powerful integrated circuits. Since there has been such a focus on security over the past few years, these chips contain dedicated cryptography functionality to perform background tasks without impacting the user experience, all the while making security easier to implement and stronger against attack.

Q: Do you plan to incorporate jailbreaking into the product?

A: At this point in time, we do not plan on incorporating older jailbreaking methods into the UFED. The best resource for finding viable jailbreaks is http://canijailbreak.com

Q: Are you recommending that we jailbreak all iPhones when possible in order to extract the maximum amount of data?

A: If your agency permits jailbreaking and the investigation warrants the additional effort to jailbreak the exhibit, then by all means, maximal effort should be expended to seek the truth and extract all evidence possible. You simply don’t know what evidence you may be missing, whether inculpatory or exculpatory. Major cases, cold case homicides, missing persons, and other exigent circumstances may justify jailbreaking, but always seek permission from stakeholders and test the method on a matching sample device.

Q: In iOS, how did you get emails using Methods 1 and 2 on an iPhone 5S?

A: The test case from the webinar was an iPhone5,2 (A1429), which is an iPhone 5, not an iPhone 5S. Performing a jailbreak enables a Method 3 extraction to pull protected emails from the file system. The emails pulled using Methods 1 and 2 were from web-based email accounts that were clearly not protected within the file system.

Q: In your experience what is the success rate for jailbreaking phones?

A: From our research, the jailbreak will either work or not work, depending on a number of factors, including whether the user upgraded the iOS firmware in the past using OTA (over-the-air) updates. The various jailbreaking teams work hard to prevent any adverse effects, but since a “first-to-finish” race seems to apply for each iOS version, not a lot of effort is put into solving the corner cases that matter for forensics; the typical consumer does not care if the device needs to be reset prior to the jailbreak.

Q: Has Cellebrite been able to bypass the iOS pin on iPhones?

A: Cellebrite offers unique unlocking services provided by Cellebrite Advanced Investigative Services (CAIS). The current offering is for iOS 8 running on the iPhone 4S, 5, and 5c, as well as associated iPad and iPod touch models. The service helps investigators in important cases for which traditional mobile forensic tools do not have support. Ongoing efforts by our leading team of researchers are continuing for newer models and those running iOS 9. Please contact CAIS@cellebrite.com for more details.

Q: Does Cellebrite plan on including Android custom recovery partition flashing in the UFED?

A: The upcoming UFED release will add custom recovery for the Samsung Galaxy S6, S6 Edge, and Note 5 to allow physical extraction while bypassing the user lock on models without locked boot loaders, such as Global models and those offered by Sprint, T-Mobile, and US Cellular. Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition, based on Team Win Recovery Project (TWRP). Cellebrite’s recovery image does not affect any user data. It is recommended to use the Forensic Recovery Partition method when other physical extraction methods (e.g. Bootloader) are not successful or not available (i.e. if the Android firmware version is not supported). For other carriers, including AT&T, Cricket, and Verizon, please contact CAIS@cellebrite.com for more details.

Q: Couldn’t a backup of the device give you the ability to go back to the starting point if custom recovery fails?

A: Unfortunately, it is not possible to back up the device when a user lock code is set and Android Debug Bridge (ADB) is disabled. Cellebrite’s fully tested custom forensic recovery partition methods should not fail or cause any adverse effects (e.g. boot loop).

Q: Do you know if Windows 10 phones are encrypted at the chip level?

A: Research into less popular handsets can be performed if sufficient demand comes from our customers. Some earlier Lumia Windows Phone 8/8.1 models can be analyzed with our unique boot loader physical extraction, while other models can be supported with JTAG, chip-off, or In-System Programming (ISP). We always welcome feedback via Technical Support about obscure mobile devices that you frequently encounter and we do not support. Often, minimal effort from our researchers is required to make the necessary additions to our UFED device coverage, all the while helping you solve more crimes.

Q: How does Android APK Downgrade work within UFED, and are there any risks to this method?

A: UFED downgrades encrypted Android apps on the device itself over Android Debug Bridge by pushing an older APK package to it; the older version of the app can then interpret the newer, otherwise inaccessible data. Within UFED 4PC/Touch, connect to the device and downgrade the app to an earlier version to extract the app database. There are some risks to this method since it makes changes to the device, so it is advised to use it as a last resort. If you know that a suspect is using an application, and the extraction of all the other databases from the device does not produce any fruitful evidence, this method is recommended. For example, if you believe that communication was taking place via WhatsApp, then it is important to squeeze out every last bit of evidence from the device.


View the full webinar below:

Save critical investigation time with UFED Reader: Q&A from Cellebrite’s webinar

In the past several years, cases involving computer hard drive forensics have declined while mobile forensics cases have risen, increasing the demand to analyze digital evidence from mobile devices. Typically, the forensic lab examiner will generate reports with all the data extracted from the device and send them over to the investigator, who has to review all the data in order to find the relevant piece. This may mean sifting through hundreds, even thousands, of pages from several devices in order to find the needle in the haystack. In some cases, the investigator may discover that they need additional data that was not even supplied.

In a recent webinar, we presented the UFED Reader, a free and easy to use digital tool that helps you review the report files generated from analyzed data of a physical, file system, or logical extraction by UFED Physical Analyzer and UFED Logical Analyzer.


The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog, including some that we didn’t have time to answer during the webinar.

Q: Can UFED Physical Analyzer create a .ufdr file that contains all the artifacts, including pictures, videos, SMS, MMS, etc.?

A: UFED Reader is able to create massive .ufdr files, even from phone dumps that are over 16 GB.

Q: Where is the UFED Reader file located?

A: The UFED Reader executable can either be forwarded from the forensics lab together with a report, or it can easily be downloaded from the customer portal at my.cellebrite.com.

Q: Can I also see shared data between different reports using the reader?

A: You can open different reports using the reader; they can be different reports of the same device or even reports related to different devices. However, each project is handled separately. You can perform searches across all projects, but the views are separated: SMS messages, contacts, locations and so on are presented per project, and the timeline and reports are not shared either. If you need to see connections and links, it is recommended to use UFED Link Analysis, which enables you to open up to 100 data sources and see the links between different data extractions.

Q: For multi-jurisdictional investigations how can you import an XRY file for parsing by a UFED?

A: While UFED Reader cannot open XRY reports, UFED Link Analysis has the ability to open external reports, and provides a joint view of both Cellebrite and XRY reports.

Q: Can you generate a report containing only bookmarked items?

A: Yes, UFED Reader provides an option to include ‘bookmarks only’, which incorporates only bookmarked items in the report output. Bookmarking highlights the evidence that is relevant to the case, and UFED Reader provides the option to include in the report only the artifacts that are important for that investigation. As a result, the generated report is concise and short, and it protects personal data that is not relevant to the case.

Q: Which mobile device operating systems are supported by the UFED Reader?

A: Cellebrite supports all known and familiar operating systems, and all devices that can be extracted and decoded using the UFED Series (including UFED Touch, UFED 4PC, UFED Logical Analyzer, and UFED Physical Analyzer) can be opened by the UFED Reader, meaning any .ufdr report generated can be opened by the UFED Reader.

Q: Are there chat-threading capabilities within the UFED Reader module?

A: In the Chats view, you will see a list of chat messages extracted from the device, including third-party app messages such as WhatsApp or Snapchat. This view provides information about the chat, such as start date and time, participants, source, and number of messages, which are also listed chronologically in the right pane in full detail (including message bodies and attachments). The conversation view layout option is also available for easier and better tracking of the communication between two or more parties. You can search for messages within a chat, select the messages to include within a report, print, or export the conversation.

Q: Is it possible to see restored deleted information from mobile devices?

A: Cellebrite has the ability to extract and decode deleted information from mobile devices; these items are included in the .ufdr report and presented in UFED Reader with a red ‘x’ icon next to the artifact.

Q: Can UFED extract logical and physical data from Windows Phone 8 and new Android-SM using MTP (media transfer protocol) instead of UMS (mass storage)?

A: For Windows Phone 8, using the logical extraction method, you can extract contacts via Bluetooth and multimedia data via USB (MTP protocol). Physical extraction is available for selected Nokia Lumia models (shipping with WP8 out of the box). For Android devices, using the logical extraction method, you can extract multimedia data from newer devices via USB (MTP protocol).

View the full webinar below:

Leave a comment if you have a question that was not answered above, or in the webinar itself!

Bypassing Locked Devices: Q&A from Cellebrite’s webinar


Last month we hosted two webinar sessions on “Bypassing Locked Devices”, led by Mr. Yuval Ben-Moshe, Cellebrite’s Senior Director for Forensic Technologies. In these sessions, Yuval presented the challenges and solutions to bypassing locked devices, including Cellebrite’s proprietary boot loaders among other methods used to tackle locked devices.

The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog—including some that we didn’t have time to answer during the webinar.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Basics of mobile device user lock bypass

Q: Using the UFED, can you gain access to the phone where the wrong passcode has been entered too many times and is now locked?

A: This depends on the device and the locking mechanism used by it. If the device is supported by a boot loader or JTAG, then the data can be extracted regardless of any locking mechanism or the number of times a wrong password was entered.

Q: How far off is user lock bypass support for iPhone 5 and Blackberry devices?

A: Forensic extraction of data from the iPhone 5 is achievable using the .plist file from the paired computer. With a locked BlackBerry, at this point in time, examiners must rely mainly on chip-off or JTAG methods for specific models.

Q: If the element file is deleted, will it affect the function of the original pattern passcode?

A: This question refers to a method called disabling. The device will remain in a lock disabled mode until a new password can be configured via the device’s set-up menus.

Q: If an extraction fails or is interrupted, can I still parse the extracted content if it is incomplete?

A: A physical extraction that was interrupted cannot be decoded, because a full binary image is required in order for the decoding to reconstruct the full file system.

Q: Can the UFED bypass iOS 7+ with a user lock and a SIM lock?

A: Bypassing locked devices depends on the device hardware and not on the iOS version running on it. That is, if iOS 7 is running on an iPhone 4, physical extraction is achievable; however, if iOS 7 is running on an iPhone 4s or a newer model, then a .plist file is required to enable data extraction.

Q: If a device employs a biometric lock, how does the UFED tackle the lock?

A: Bypassing a biometric lock depends on the device model. For example, for the iPhone 5, the UFED can bypass the biometric lock using the .plist file.

Sync devices and .plist files

Q: The webinar presents the paired computer method for iOS devices showing the Windows 7 path on a PC. Is there a specific location path for Apple MAC computers?

A: The path for the .plist file on Mac computers is: ~/Library/Application Support/MobileSync/Backup/

Q: Does the .plist appear on the user’s iCloud?

A: The .plist file is used for the communication between the device and the computer; hence, it does not appear in the user’s iCloud data.

Q: How do you employ the .plist file?

A: The process of using the .plist file is very simple: UFED will automatically detect the iOS device as being locked and request the .plist file.

Boot loaders and clients

Q: Will injecting a client or boot loader lead to evidence tampering?

A: The boot loader is uploaded into the device’s RAM and is then gone when the device powers off or restarts. Therefore, it does not tamper with the evidence. In contrast, a client may write some data onto the device’s flash memory, yet it is still considered a forensically sound process if the investigator specifically documents what was written and on which partition/folder.

Q: If an extraction fails, is the client left on the device?

A: In some cases, when the extraction is interrupted abruptly, the UFED may not have enough time to uninstall the client, and some files may be left on the device. In this case, UFED provides a specific function to delete the client. This capability is under the UFED ‘Device Tools’ menu.

Q: Does the UFED Classic include the boot loader function?

A: The UFED Classic is also capable of tackling locked devices. However, it may not support the latest modern devices due to technical limitations with hardware. It is highly recommended to trade up the UFED Classic for a more advanced model, such as the UFED Touch or UFED 4PC.

User locks on prepaid devices

Q: Can the UFED bypass disabled data ports in burner phones? JTAG/chip-off are options, but unlocking with a manufacturer code is possible. Can you support unlocking burner phones?

A: The UFED is able to bypass the locking mechanism of many low-end phones, a.k.a. “burner phones”, using a boot loader. While JTAG and chip-off are valid options, we recommend you first try unlocking the device with a UFED, since those methods are more complicated, time-consuming, potentially destructive, and expensive.

Q: How does the UFED bypass a prepaid phone with a locked data port?

A: Bypassing a user lock depends on the device itself. If the data port is disabled, then the JTAG or chip-off methods are applicable.

View the full webinar below:

Leave a comment if you have a question that was not answered above, or in the webinar itself!

GPS Forensics and Link Analysis in Cellebrite’s August Webinars


LATAM customers! Did you know that Cellebrite’s exclusive capability to decrypt and decode TomTom trip-log files can help you add vital evidentiary data to your investigation?

Join us for the upcoming webinars on GPS Forensics and TomTom Trip-Log Decryption, which will be hosted by our forensics solutions experts in Spanish and Portuguese, and will include a Q&A session.

GPS Forensics and TomTom Trip-Log Decryption (en español)

Speaker: Carlos Silva

Date: August 06, 2014 11:00 BRST (UTC-3:00)

Register here for the webinar on GPS Forensics and TomTom Trip-Log Decryption in Spanish!

GPS Forensics and TomTom Trip-Log Decryption (em Português)

Speaker: Frederico Bonincontro

Date: August 15, 2014 11:00 BRST (UTC-3:00)

Register here for the webinar on GPS Forensics and TomTom Trip-Log Decryption in Portuguese!

Link Analysis: Identify connections between suspects, victims, and others in less time

Did you miss our previous webinar on the UFED Link Analysis? Cellebrite will be hosting an additional live English-language webinar this month.

Speaker: Shahaf Rozanski

Date: August 20, 2014 06:00 UTC, 15:30 UTC

Learn how field investigators use UFED Link Analysis to rapidly visualize key relationships between entities and identify the connections and communication methods between multiple mobile devices. Join Cellebrite’s Forensics Senior Product Manager, Shahaf Rozanski, as he presents real world use case scenarios from a wide range of crime categories. The webinar will include a Q&A session.

Register here for the webinar on UFED Link Analysis!

Would you like to receive a webinar on our forensics solutions in your language? Leave us a comment and we’ll arrange it for you!

To view a past webinar, please visit the Webinars section on our website:  http://www.cellebrite.com/corporate/webinars

JTAG decoding, bypassing device locks, and link analysis in Cellebrite’s July webinars


Link Analysis: Identify connections between suspects, victims, and others in less time

On July 1, learn how field investigators use UFED Link Analysis to rapidly visualize key relationships between entities and identify the connections and communication methods between multiple mobile devices. Join Cellebrite Forensics Solutions Specialist Lee Papathanasiou for a 60-minute live webinar that details how link analysis methodology:

  • Helps you visualize communication links using multiple mobile devices’ rich data sets, including mutual contacts, calls, SMSs, MMS, emails, chats, application transactions, Bluetooth devices, locations, and more.
  • Filters data by time, date, number of contact times, and categories, and drills down to specific events.
  • Pinpoints whether entities were at the same place at the same time.
  • Allows you to share findings with colleagues and other investigators.

The webinar, including a Q&A session, will present real world use case scenarios from a wide range of crime categories. The session will also touch on key practical features of UFED Link Analysis, including timelines, advanced filters, and much more.

Register here for the July 1 webinar on UFED Link Analysis!

Bypassing Locked Devices: Learn How to Tackle One of the Biggest Challenges in Mobile Forensics

Pattern locks and passwords are becoming increasingly sophisticated and hard to crack, even for forensic examiners. Attempting to gain access to a locked device, especially with a complex pattern lock or passcode, is often only possible by using advanced forensic tools and techniques.

Don’t remain locked out from your evidence. Join Cellebrite’s forensic technical director, Yuval Ben-Moshe, for this 45-minute live webinar to learn about the UFED’s unrivaled ability to bypass locked phones without jailbreaking, rooting or flashing. You will learn:

  • Various methods to bypass locked devices, and a live demo of password extractions using the UFED.
  • How to use the extracted password to bypass other devices owned by the same person.
  • Physical extraction while bypassing any type of lock from 470 Android devices, including Cellebrite’s first to market capabilities for Samsung Galaxy S4 family.
  • Bypassing locks from counterfeit devices and phones manufactured in China.
  • How to run a plug-in that reveals pattern locks in Physical Analyzer.

Register here for the July 10 webinar on user lock bypass and extraction!

Automated JTAG Extraction Decoding with UFED Physical Analyzer

JTAG forensics, whose popularity is growing, requires a great deal of resources and investment to obtain the raw data stored on the device’s memory chip. It can take many hours for an examiner to transform the raw data into human-interpretable evidence.

Cellebrite’s newly introduced decoding capabilities reduce the amount of time examiners have to spend on manually decoding, or carving, the large volume of extracted data. Join Cellebrite’s engineering product manager, Ronen Engler, for a 45-minute session on how you can take advantage of the UFED for JTAG decoding:

  • Easily import the binary file from a JTAG extraction into the UFED Physical Analyzer to draw accurate conclusions and report data.
  • Access this rich set of data to discover common artifacts, such as call logs, SMS, media files, e-mails, chats and locations.
  • Drill down into the binary file’s hex code through advanced search capabilities for finer grained information.
  • Decode the extractions from the widest range of devices, including popular Samsung, HTC, and LG, using a series of automated plug-ins and chains.

Register for the July 24 webinar to learn about Cellebrite’s efficient and cost-effective solution to decode and obtain forensically sound data from previously inaccessible devices.