Solve more cases with access to more applications using unique engines

Applications contain key pieces of information that can provide great insights to an investigation. Most of the databases stored on mobile devices (iOS & Android) are SQLite databases. SQLite is a powerful and relatively simple way to store data. When extracting all SQLite databases from a mobile device, you will note that most of the databases are decoded by UFED Physical Analyzer, (which provides support for more than 200 unique apps and 3,000 app versions). However, there are still some databases that are unfamiliar or are not supported. With 2.4 million apps* available on the market today, there isn’t a single mobile forensics tool that can support all these third-party applications.

Cellebrite’s SQLIte wizard

With the release of UFED Physical Analyzer 6.0, we announced a new capability that enables you to access even more data from apps, including unsupported apps. In short, you can access any information stored on mobile devices, reduce time to evidence and close more cases with the new UFED PA.

As an examiner or an investigator, one of your challenges is to get as much information possible out of a mobile device. In many cases, the potential evidence may reside inside a third-party app that’s installed on the device. When this app is not supported by any mobile forensic solution, the alternative is to manually analyze and investigate the content of the app’s database.

With the new and unique SQLite wizard, you can visually map additional data from different databases, build queries and map database fields to supported models, (such as call logs, instant messages and other generic events).

I’ll take you through a step-by-step tutorial on how to recover data from a database using this tool.

SQLite wizard flow

 

 

 

If you know that a specific application was used on the device, but it was not automatically parsed during the decoding process, you can look into the database’s content and extract the data.

The database in the project tree (under data files), includes a list of all the databases available, with an indication that specifies if it was decoded by Cellebrite. We suggest that you filter out all the decoded databases, and focus on manually decoding the non-decoded databases that you feel may be important for the investigation.

Alternatively, you also have the option to manually decode a database that was already decoded. And why? There are new developments for applications all the time- for example, WhatsApp recently added video chat, and while Cellebrite is on the task to provide support for this new feature in upcoming releases, you may require this specific record immediately, so manually decoding the database will provide you with instant access to potential evidence.

Untitled-1

Let’s assume that you want to extract data from the mmssms.db (database on an Android device), which you suspect may contain critical evidence. First, start the manual decoding process by selecting this database. Within the database viewer pane above, you can see that the selected database has a total number of 362 records, so plenty of information there.

To get started, open the SQLite wizard:

SQLite wizard_home

The SQLite wizard allows you to include deleted data. Selecting this option increases the chances of false positive records, and in many cases, the interesting data or potential evidence may be found as deleted.

Build query:

The list of database tables is available on the left pane. Select the “sms” table with 112 potential records.

Drag the database table to the work area. You have the option to drag several tables and even create relationships between tables (or join in SQLite language). An SQLite query is automatically generated. Alternatively, you can also write your own SQLite query. To see your build queryquery results, click on the preview button.

Map data:
To map the selected data, you need to select one of the existing data models (e.g: call logs, instant messages) or a generic model. For the mmssms.db database, which holds SMS info, you should select the SMS Messages model. Now drag the field types to the correct columns. (See how the screen should look like below before you drag and drop).

Before mapping:

before mapping

 

After mapping:

after mappingSome columns have special formatting options that allow you to convert enum, lookup, XML/plist and timestamp formats to help map the relevant fields and columns, and also make the information readable by selecting the timestamp global format, for example, or customizing your own format.

Run Query:

Now that you completed the mapping process, run the query created in a way that new records are added to the SMS Messages model.

run query

For the the SMS Messages model, there were 207 records as part of the decoding, and after running the manual query there are 319 records available. Therefore, by using the SQLite wizard, I was able to recover a total of 112 new records!

The new records can be treated just like any other decoded record, I can tag, filter, search and include those in my report output. The manual queries can be saved for future use, where you can auto run it as part of the automatic decoding process, and recover huge amount of data that you would otherwise would not be able to access.

new records

Fuzzy methods

In addition to the manual SQLite query tool, we developed another tool to enrich your investigation with valuable data from unsupported database sources, using the Fuzzy model plugin. This innovative solution identifies new data sources, handles and parses unknown databases and endless application databases – some of which are supported by Cellebrite and some are not. Information is being automatically analyzed using a heuristic process and a unique set of rules.

This solution scans and analyzes all the databases and all tables within the databases, and automatically maps the records into a known model ( such as email, IM, call logs etc.).

There are two types of fuzzy models:

  1. Fuzzy objects – View extracted data from any database which has not being decoded by UFED Physical Analyzer’s parsers. This model holds information regarding a certain artefact such as contact, account etc.
  2. Fuzzy events – View extracted events such as messages, call logs etc.

For each one of these models, you can see the list of results presented in a table and the database view pane, which displays the contents of database files that were found in the extraction.

Once the decoding process is complete, you can run the Fuzzy plugin directly from the main menu (Tools àRun Fuzzy model plugin).

The results are presented under Analyzed data in the project tree. Any record in these two tables can indicate a potentially relevant piece of evidence. To find more details, it is recommended to analyze the source database.

Records with a timestamp are also available in the timeline view, which allows you to track and view events in a chronological order to quickly understand the chain of events.

 

*https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/

Python Script to Map Cell Tower Locations from an Android Device Report in Cellebrite

Recently Ed Michael showed me that Cellebrite now parses cell tower locations from several models of Android phones. He said that this information has been useful a few times but manually finding and mapping the cell tower locations by hand has been a pain in the butt. I figured that it should be easy enough to automate and Anaximander was born.

Anaximander consists of two python 2.7 scripts. One you only need to run once to dump the cell tower location information into a SQLite database and the second script you run each time to generate a Google Earth KML file with all of the cell tower locations on it. As an added bonus, the KML file also respects the timestamps in the file so modern versions of Google Earth will have a time slider bar across the top to let you create animated movies or only view results between a specific start and end time.

Step one is to acquire the cell tower location. For this we go to http://opencellid.org/ and sign up for a free API. Once we get the API key (instantly) we can download the latest repository of cell phone towers.

mappic

Currently the tower data is around 2.2 GB and contained in a CSV file. Once that file downloads you can unzip it to a directory and run the dbFill.py script from Anaximander. The short and simple script creates a SQLite database named “cellTowers.sqlite” and inserts all of the records into that database. The process should take 3-4 minutes and the resulting database will be around 2.6 GB.

Once the database is populated, the next time you dump an Android device with Cellebrite and it extracts the cell towers from the phone, you’ll be ready to generate a map.

From The “Cell Towers” section of your Cellebrite results, export the results in “XML”. Place that xml file and the Anaximander.py file in the same directory as your cellTowers.sqlite database and then run Anaximander.py –t <YourCellebriteExport.xml> . The script will start parsing through the XML file to extract cell towers and query the SQLite database for the location of the tower. Due to the size of the database the queries can take a second or two each so the script can take a while to run if the report contains a large number of towers.

output

Ed was kind enough to provide two reports from different Android devices and both parsed with no issues. Once the script is finished it will let you know how many records it parsed and that it generated a KML file.

done

This is what the end results look like.

mapresults

The script can be downloaded from: https://github.com/azmatt/Anaximander

This is the first version and there are several improvements to make but I wanted to get a working script out to the community to alleviate the need for examiners to map the towers one at a time. Special thanks again to Ed Michael for the idea for this (and one other) script as well as for providing test data to validate the script.

Follow my blog for up to date digital forensics news and tips: http://digitalforensicstips.com/

About Matt:

Matt performs technical duties for the U.S. government and is a Principal at Argelius Labs, where he performs security assessments and consulting work. Matt’s extensive experience with digital forensics includes conducting numerous examinations and testifying as an expert witness on multiple occasions.

A recognized expert in his field with a knack for communicating complicated technical issues to non-technical personnel, Matt routinely provides cyber security instruction to individuals from the Department of Defense, Department of Justice, Department of Homeland Security, Department of Interior, as well as other agencies, and has spoken frequently at information security conferences and meetings. Matt is a member of the SANS Advisory Board and holds 11 GIAC certifications. Among them: GREM, GCFA, GPEN, GCIH, GWAPT, GMOB and GCIA.

 

 

Access Historical WhatApp Conversations with UFED Cloud Analyzer

With UFED Cloud Analyzer 5.2, you can unfold suspect’s daily conversations by extracting WhatsApp backup from Android devices. While conversations are stored locally on the device, a WhatsApp user may backup their content to the cloud and later restore it on new devices, or when downloading the app again. Android device users can store the backup on Google Drive- the backup frequency (daily, weekly or monthly) is configured by the user.

You can access the information whatsappstored on Google Drive by utilizing login information from the Android mobile device. The login information contains two elements: the Google login information required to access Google Drive and a device key required to access the WhatsApp messages. If the Google login information has expired, you can use the credentials for the Google account, but to obtain the message you will also need the device key which is available in the account package generated by UFED Physical Analyzer. Without the device key, you can access the WhatsApp backup, however you
will only have access to media files (photos and videos) attached to the message, without the message itself.

whatsappeg

When can this become useful in your case?

  • When WhatsApp content isn’t available on the device- – a suspect or victim may be using a new device, and did not restore the data.
  • When WhatsApp data was deleted from the device.
  • When you don’t have access to the device.
  • Cloud backup may contain more info than in the device information.
  • When the user switches from an iPhone to Android, not all the content is smoothly transferred, since backups act different in iOS and in Android.

Register for a 30-day UFED Cloud Analyzer free trial, and explore how you can extract case-critical information that is only available in the cloud. forensicfocus_ufedcloudtrial_sept2016

TomTom Triplog Decryption: Provided by Cellebrite Advanced Investigative Services

Global Positioning Systems (GPS) fall into the category of wireless communications that hold a considerable amount of evidence that can be used in an investigation. People’s whereabouts are recorded in “second-by-second” detail on their TomTom navigation system and retrieving this type of information can provide powerful digital evidence for your case.

In recent years, the law enforcement community has seen a dramatic increase in the use of GPS devices as an instrument of a crime or as a “witness device” collecting and logging positional data while the crime is being carried out. TomTom and Garmin units are by far the most popular devices law enforcement have been encountering. The sales of portable navigation devices are at an all-time high.

Last year, more than forty million portable GPS devices like TomTom’s GO series or Garmin’s Nuvi series were sold worldwide.* In Europe, TomTom is the most widely used navigation system; and the big market share (47%) could be attributed to the TomTom built-in installation in vehicles. Forensic analysis of vehicle movements records can provide evidence of considerable value in crime detection. (While Cellebrite does not provide data extraction from built-in systems, we support decoding of chip-off data extractions from them, and then decryption of the triplogs).

Cellebrite supports a select list of TomTom devices, which can be found here. Aside from extracting timestamped GPS locations from the trip log files using unique decryption technology, Cellebrite also provides decoding support for contacts, calls and locations. Forensic analysis of such records can provide evidence of considerable value in crime detection.

Upon setting up a TomTom device for the first time, it prompts the user for permission to collect information from the navigation device. The information or triplogs shared is used to improve maps and other services offered by TomTom, such as traffic information related to where the user is. (These services are disabled if a user chooses not to share the information).

If the user accepts, his or her TomTom device is set to log all trips in dedicated binary files known as triplogs. These files are saved in the device file system under a directory named STATDATA. The triplogs collected illustrate a breadcrumb trail of where the person travelled to with the navigation system in very high resolution. TomTom triplogs are encrypted in order to protect user privacy, but also accumulate additional encryption obstacles to the ones that already exist.

Cellebrite offers a unique decryption service to our customers, as part of Cellebrite Advanced Investigative Services, that enables the extraction of timestamps and locations from the triplog files that reside in the STATDATA folder. The triplog files hold complete trip GPS information (including latitude and longitude), and thousands of locations, in a resolution of 1 to 5 seconds.

TomTom Triplogs

How can I send Cellebrite these triplogs?

Using UFED Physical Analyzer, open the extraction and then select Tools,TomTom menu, select Export to save the XML file generated from the triplogs, and submit to Cellebrite via CAIS. The decrypted data will be sent back to you within a few days, and ready to be imported into UFED Physical Analyzer- where the triplogs can be viewed in detail (3 second log when device was active). A kml-file can then be generated and viewed in Google Earth and other similar applications.

UFED Physical Analyzer enables TomTom extraction and decoding of the following information: home, favorites, recent, user entered, locations, last journey, location, date & time, routes, GPS fixes (also deleted), deleted locations (of all categories), as well as recovery of geotag visualization of location based data on Google Earth/Maps.

UFED Physical Analyzer has also been equipped with a covert feature that enables silent activation of triplog files, which means that you can connect a TomTom device to the UFED system and activate the logging feature. As soon as this is carried out, the device will start saving triplogs, once TomTom is in use again.

Send us an email to learn how Cellebrite Advanced Investigative Services can help with your encrypted triplog files, along with Google Earth KML files.

Watch the webinar below to learn how you can use UFED Physical Analyzer to extract TomTom files:

References

*http://www.forensicfocus.com/tomtom-gps-device-forensics

Cellebrite launches actionable forensics data in the field

Police work is mostly about solving cases, and this is not a trivial task. Gathering clues and hints is important to achieve the desired outcome. Everyone today has a mobile device on them wherever they go, and these devices are storing a lot of information (calls, chats, locations, pictures, contacts), leveraging this data for investigation is just common logic.

Researchers conducted on investigation process proved that evidence or clues that are gathered within the first 48 hours are imperative to solving cases, and the statistics shows that when there is no real direction the chances to ever solve the case decreases by 50 percent.

So the need for speed is clear, and providing actionable data extracted from mobile devices is a necessity. How can this be done? A mobile forensic examiner would require years of experience to develop the right skill sets to overcome different technical challenges of obtaining forensically sound evidence. How can we speed the process and move mobile data recovery from the forensic labs, where we have the experts, to the field where we have excellent investigators whom ar not experts in mobile forensics?

This is the exact challenge we faced at Cellebrite when we started planning and designing our UFED InField solution. We have consulted with many of our customers (both digital forensic experts and police investigators), and together we defined the criteria and needs of users for field mobile extraction. There were three main obstacles we needed to address:

  1. Extraction duration – it must be quick and effective, as in the field there is no time for long process.
  2. Simplicity – The users are not technical nor forensic experts, and therefore the flow should be as simple as possible.
  3. Deployment management – When you have a wide deployment of devices across the country to enable investigative teams to perform mobile extraction quickly, you must have a tool to manage the deployment and set flows per the need on the agency.

With new release of UFED InField 5.2, we kept the above three challenges as part of our product design guidelines, and indeed, based on the feedback from our beta customers, we gained a lot of progress.

Meeting all the needs for field forensics is a journey, and together with our customers will continue to research and develop new capabilities to make the experience simplified and efficient as possible.

Join the journey and discussion share your ideas and feedback by posting a comment below. Perhaps together we can help build a safer society.

I am hosting a webinar next week, Wed. June 22nd, on how you can simplify mobile data access in the field to speed investigations. Click here to register.

_ARS6348_NewKiosk_22may2016

 

Reason #3 to vote for Cellebrite for a 2016 Forensic 4:cast Award

There is just less than a week left to cast in your votes for the Forensic 4:cast Awards. In our previous blog posts, we mentioned that Cellebrite deserves an award this year for being consistently first, and often unmatched, bringing critical mobile forensic innovations to your work environment, and for also being the first to provide support for the most popular brands and models.

Here is the third reminder why Cellebrite deserves an award:

Forensically Sound Evidence Every Time

Unlike competitors’ “black box” third-party bootloaders, UFED remains the only mobile forensics solution with custom-designed, read-only bootloaders. By controlling every part of the process, Cellebrite ensures that the bootloading is non-intrusive and that nothing is altered on the device, keeping the data forensically sound. This capability is delivered in proprietary bootloaders that support physical extraction while bypassing locks for mobile devices, which have no alternative solutions. Our custom-designed bootloaders contain a code that is specifically designed to only read the memory chips, not write them, and are thus more flexible, generic, and work with a wider variety of devices. Altogether, they make for a solution that lets you overcome barriers and ovoid data loss or overwrite.

In version 4.2.6, released August 2015, we have enhanced the bootloader method to provide physical extraction support for the latest Samsung Android devices, (including firmware SM-G900V, SM-G900A, SM-N900V, SM-N910V, SM-G860P). With the coming release of UFED 5.1, we will be providing lock bypass and physical extraction support using the enhanced bootloader method for 200 Samsung devices.

If you benefit from our unique capability to perform a physical extraction while bypassing lock, then vote for us today!

Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED Physical Analyzer/ UFED4PC for phone forensic software of the year
  • Digital forensic organization of the year

ForensicFocus_728x90_4cast_Vote_30mar2016

Introducing Cellebrite’s Advanced Digital Analytics Platform

Today we are excited to announce our new UFED Analytics solutions, a cornerstone of the Cellebrite Unified Digital Forensics Platform. Designed in collaboration with our customers, the new UFED Analytics Platform simplifies the complex by automating the manual, time-intensive tasks associated with analyzing and managing data collected from mobile devices, applications, cloud services and CDRs.

Comprised of three offerings, the solutions act as a force multiplier, empowering examiners, analysts, investigators and prosecutors to simultaneously organize, search, map, visualize and manage large sets of digital data to identify patterns and reveal connections between one or more subjects – or cases – quickly and efficiently. Advanced text, image, video, geolocation and link analysis capabilities deliver the deepest, most accurate insights possible, helping to accelerate investigations.

Cellebrite’s Analytics Product Family components include:

UFED Analytics Desktop: Designed to meet the needs of a single forensic practitioner or investigator, this application simplifies and automates analytical tasks, allowing a user to easily identify the critical relationships that can focus investigations.

UFED Analytics Workgroup: Designed for 50 users or less, UFED Analytics Workgroup delivers a client-server solution that efficiently and effectively manages hundreds of digital data sources.

UFED Analytics Enterprise: This scalable platform supports a complete, end-to-end digital forensics workflow, allowing anywhere from tens to hundreds of users to collaborate on a case or perform cross-case analysis simultaneously.

Expanding beyond the mobile landscape

The time has come for our customers to consider a more efficient approach in order to work cases faster. Sifting through data to search for evidence in PDF reports is like going fishing, and the more mobile devices, the more data, the bigger the report. Investigators can no longer waste their time with manual analytical processes. We now enable investigators to move beyond disparate data repositories and manual analytical processes to a unified investigative platform. With intuitive and streamlined digital forensic data management, case stakeholders can collaborate and act on digital data in real-time.

Read our case study to discover how the McLennan County District Attorney’s investigative process is already benefiting from this new approach.

Banner for Interactive tool  

 

Reason #2 to vote Cellebrite for a 2016 Forensic 4:cast Award

In a previous blog, we mentioned that Cellebrite deserves a Forensic 4:cast Award this year for being consistently first and often unmatched, by bringing critical mobile forensic innovations to your work environment. Just yesterday, we released a solution to decrypt WhatsApp’s new backup database encryption- crypt9, in UFED Physical Analyzer 5.0.2.

We are grateful to the loyal UFED user community and to the digital forensic community for nominating Cellebrite, and would like to ask for your support again by voting for us in the following categories:

  • UFED Touch for phone forensic hardware of the year
  • UFED Physical Analyzer/ UFED4PC for phone forensic software of the year
  • Digital forensic organization of the year

If you haven’t already voted, here is the second reminder why Cellebrite deserves the Forensic 4:cast Awards:

Industry-first support for the most popular brands and models

We get access to more than 100 new handsets per month, which helps us keep pace with device support for the forensic community and capture the next wave of mobile challenges for forensic investigators. UFED 5.0 already supports the new and popular Samsung Galaxy S7 for file system and logical extractions. With approximately 10 releases a year, hundreds of newly supported device profiles are added for each release, including support for new operating system versions, and all supported are tested by Cellebrite’s R & D team. Just recently, with the release of UFED 5.0, we’ve bumped our device profile support up to 19,203.

We continue to innovate the industry, and to expedite your investigation by providing you with unmatched access to case-critical evidence. UFED 5.1, to be released in the coming weeks, is already packed with hot industry-first capabilities, including a new proprietary method to disable user lock for many additional Samsung devices, and lock bypass for popular LG models. Stay tuned!

Does UFED play an important role in your investigations? If you think so, then vote for us today!  

ForensicFocus_728x90_4cast_Vote_30mar2016

 

UFED 5.0 drastically decreases your time to evidence by drilling into the data that’s most crucial

Sifting through data is a very time consuming process- the average US smartphone user takes up 10.8GB of storage capacity on their device*, and taking into account different data recovery options in UFED Physical Analyzer, this process may take up to several hours to complete. UFED 5.0 came out with major time-savers that drastically decrease your investigation time, and lets you focus on the data that is most crucial to your investigation. Version 5.0 brings five crucial industry-first features, and support for 19,203 device profiles and 1,528 app versions.

Merge multiple extractions in a single unified report and avoid deduplicates

You asked for it, we developed it. With UFED Physical Analyzer 5.0, you now have the ability to merge multiple extractions from multiple devices into a single unified project, which can include logical, physical and file system extractions. The extracted data is presented under one project tree, and provides a unified extraction summary with device info per extraction, the ability to drill down to each extraction, and an indication of the original extraction source. If required, you also have the option to combine extractions from different devices. 

merge mult files

 

This powerful feature saves you time not only by combining the extractions, but also by removing deduplications (duplicate or redundant information), and grouping together similar and duplicate records for quick and efficient analysis. The following extraction types may be grouped together: Logical, advanced logical file system, physical, SIM card, JTAG, SD Card, and UFED Camera Evidence.

Here is what one investigator had to say about this new capability: “Being able to instantly navigate to where each piece of data is located in the memory dump is an outstanding feature. This saves hours of time on each complex investigation.”

Validate your data the right way

The latest validation process saves you time and resources by providing you with the most effective and most efficient way to perform a real and accurate validation process, by validating the decoded data with the original source file; Thus, reducing your need to use other mobile forensic tools for additional extractions to compare and validate the results.

Every recovered artifact has a source that it originally derived from, and can be used to later to validate the data. If previously you spent time manually searching for the original source, UFED Physical Analyzer 5.0 now tracks back the automatically decoded content to its source.

Every extracted record now includes the file source information in a table view or in the right pane with device information. Each link points to the offset data and includes the source file name, which can be included in a UFED report when testifying in court. For example, using UFED Physical Analyzer 5.0, an examiner can easily see from the original source file that a recovered SMS was a deleted artifact, since it was recovered from the memory of the device. That SMS is also visible and highlighted in the hex viewer, when clicking on the file source information link. (The db file where the SMS came from is also displayed in the right pane).

2

 

 

 

 

 

 

Focus on relevant media files with the common image filter

An additional time saver added to version 5.0 is the new automatic filter feature. UFED Physical Analyzer 5.0 saves massive investigation time by automatically filtering out common or known images, allowing you focus on the images you need to get to the evidence quick, rather than wasting time reviewing thousands of images that are default device icons, or images that come as part of app installation.

The MD5 hash value is available for every extracted media file, and is visible in the user interface and in the report output, as part of the decoding process.

How would you use this feature? Say you have 200 hash values of indecent images in your own database, you can easily create a watch list for all the hash values from your database, and run the watchlist to find a match search for the same images on the device. In case of a match, a nude photo will be detected on the device. Alternatively, you can export the hash values from the device into excel, and run a match on your database, as well as expand your list with new hash values belonging to suspicious nude photos.

As presented in the image below, if previously you had to review 24998 images, you now have 900 less images to review.

ReviewMediaFiles_Hash_Calculation-Recovered

 

 

 

 

To view all images, click on filter reset or remove the auto-filter option in the Settings.

 

Access blocked application data with file system extraction

Version 5.0 introduces another industry-first capability, providing you access to blocked application data when physical extraction is not available for the specific device. The introduction of new app versions also introduce new challenges, such that they are no longer available for backup using the Android backup method, since they are blocked for backup service. UFED overcomes this limitation with a new option called APK downgrade method, also available via file system extraction. This method temporarily downgrades the app (or .apk file) to an earlier version that is compatible for Android backup. UFED will present the list of apps installed on the device, and the ones available for downgrade. Open the extraction in UFED Physical Analyzer to decode both intact and deleted apps data.

Popular supported apps include WhatsApp, Facebook, Facebook Messenger, Line, Telegram, Gmail, KIK and more.

Extract data using Temporary root (ADB) and enhanced bootloader method

Temporary root (ADB) solution has been enhanced to support 110 Android devices running OS 4.3 – 5.1.1, for file system and physical extraction methods, (when ADB is enabled). Logical extraction of apps data is also available for the listed devices using the temporary root solution. As part of your examination, you need to gain access to all the data stored on a mobile device.  This is achievable via a physical extraction, which is the most comprehensive solution, and provides the richest set of data. As part of our ongoing efforts, you are now able to perform a physical extraction for the selected 110 devices using the ADB method instead of manually rooting the device using an external tool.  Third party tools provide a permanent root, while Cellebrite’s temporary root solution is removed after restart, and assures forensically-sound extractions.

The bootloader method has been further enhanced in version 5.0. This unique lock bypass solution is now available for 27 additional devices (APQ8084 chipset), including Galaxy Note 4, Note Edge, and Note 4 Duos.

Version 5.0 also introduces physical extraction and decoding support for a new family of TomTom devices; as well as file system and logical extraction and decoding is also available for recently launched devices, including iPhone SE, Samsung Galaxy S7, and LG G5.

Watch the video below to learn more about UFED 5.0 release highlights.

Download our release notes for full details about version 5.0 capabilities.