Balancing data actionability with forensic soundness

The ability to extend mobile evidence collection capabilities into the field has a great many benefits. Reducing costs associated with overtime, outsourcing, and diminished forensic lab productivity renders a field-based solution an investment rather than an additional cost. Reducing the risk of human error in data analysis is attractive, too, as automated tools help to improve field-level decision-making about cases.

Even so, decentralizing mobile forensics also carries its own risks. Will field personnel handle mobile device evidence the right way, including securing proper legal authority? Will they follow policy and standard operating guidelines when it comes to extracting and preserving mobile device evidence?

The legalities around field-based mobile device extraction have yet to be determined in many countries, but authorities can ensure compliance with organizational policy and overall forensic best practices by using permission management and auditing features. These kinds of capabilities take into account that not everyone needs the same level of access to mobile device evidence, depending on the types of cases they are investigating as well as the offense severity.

With the UFED Field Series, as well as the UFED Pro Series, permission management functionality allows agency administrators to define and configure user authentication settings to ensure that only users with the right credentials can access the application. An encrypted permission management file that contains usernames and profiles can be imported into multiple UFED InField applications.

Not only credentials, but also extraction privileges can be assigned. Certain investigators may be able to have access only to logical and SIM card extractions, while forensic lab examiners can access full physical extractions as well.

In addition, administrators can define content types available from logical extractions. Some investigators may be granted extraction permissions only for images and videos, for example, while others can access messaging in addition to images and videos.

These privileges can be based on user roles and/or training and certification levels. For example, investigators who have received the Cellebrite Certified Logical Operator (CCLO) or the Cellebrite UFED Field Operator (CUFO) certifications, or completed the coursework without receiving the certifications, can be assigned as many or as few extraction privileges as an administrator deems necessary for their role.

On the flip side of granting access to mobile extractions and data is tracking what the logged-in users do once they’re in the system. With UFED InField, an activity log maintains a list of all transactions including extraction start and end times; transaction type, duration, and status; device owner, vendor, model, and name; case ID and crime type; and who seized the device. Administrators can use this log to audit usage and ensure accountability among users.

The UFED Field Series solutions promote the treatment of mobile devices as crime scenes, so that the evidence they contain is fully preserved from seizure all the way through search and analysis. It offers organizations the “technology” component of a three-pronged approach that Cellebrite encourages towards implementing legally defensible field-based extractions for personnel who do not specialize in mobile forensics. By combining the UFED Field Series with training, policy, and standard operating guidelines*, organizations can reduce risk while meeting the need for improved access to actionable mobile device data in the field. To learn more, download our solution brief today.


*We recommend you work with your prosecutors and administrators to develop policy and appropriate training, including processes for obtaining written consent and search warrants (either traditional or electronic, if your jurisdiction allows).

Unifying investigative teams from field to lab

Nearly two-thirds of respondents to Cellebrite’s 2015 mobile forensics trends survey rated “important” the ability to extend mobile evidence collection capabilities into the field. The reasons are many: the costs of overtime, outsourcing, and even human errors are mounting, while lab service delivery times diminish.

Improving investigators’ ability to make decisions about their cases, including whether they need to escalate mobile evidence to a forensic lab at all, is the focus for many organizations in both law enforcement and the private sector. This focus reflects a need for in-field mobile device forensic solutions that span field locations: both stationary kiosks at satellite offices or stations, and mobile data extraction devices.

To this end, they seek solutions that provide basic data analytical capabilities: the ability to identify the who, what, where, and when of any given incident using mobile device data in conjunction with field interviews, witness statements, and other investigative activities undertaken in the first hours or days following an incident.

When evidence escalation is required, the solution must be able to route data immediately over a private network to a digital forensics lab at a headquarters, in another jurisdiction, or even in a different country. In other words, the solution must ensure that investigative teams have the technological ability to transfer data back and forth across a truly unified, secure system that promotes full accountability for their actions.

Without these abilities, the workflow falls apart under two circumstances:

  1. When data recipients have to translate the data into a different format so that it will work with a different system, or when senders have to take extra steps—such as transporting data storage media to the recipients—that adds, rather than saves, time.
  2. When it is difficult for managers to track statistics and integrate reports that give them visibility into how their personnel are using the tool, and therefore, make it more efficient for them to help personnel manage caseloads or adjust expectations.

Cellebrite’s UFED Field Series aims to reduce these problems by using an agency’s encrypted network to enable personnel to share extraction statistics, reports and raw data with other personnel or send to a predefined location.

The right infrastructure: local area network (LAN) and/or virtual private network (VPN)

Whether users are in substations, using UFED Field Series solutions installed on the UFED Kiosk, or are mobile, using UFED IX or ILX on laptops or tablets, the ability to send extraction data to a central location for storage or analysis with a single click is an important distinction.

At a minimum, kiosks in substations or satellite offices can be connected to a LAN using a standard RJ-45 cable and their own IP address. With a VPN, a similar capability can be extended to UFED Field IX deployments in vehicles. That way, a laptop or tablet connected to wifi, or to the cellular network via air card, behaves like other endpoint networked devices with its own IP address.

Organizations that do not have reliable infrastructure, such as those in rural locations without 4G or LTE wireless service, may experience bandwidth challenges because even logical extractions, on many smartphones, could be a couple of gigabytes.

In these cases, workarounds such as storing extractions and performing a daily scheduled batch file upload at end of shift may help. Users could also opt to store extraction data on encrypted portable devices such as USB or hard disk media, although this can add time to the overall process.

Streamlining communication via analytics

It is one thing to extract data to provide to other team members, but another to offer them visual analytics that can help them support particularly time-sensitive scenarios. Two scenarios enable this capability.

  1. Deployed in the field on mobile units, UFED Link Analysis allows investigators to create a project merging data from multiple devices, and then to share that project over the network with other investigators at a central or another mobile location.
  2. Deployed at a satellite location such as a police substation on the UFED Kiosk, UFED Link Analysis appears as a “shell” viewer. This data can be stored on a network drive, DVD, or USB for later transfer to other investigators.

While UFED InField is designed to help first responders improve their investigative efficiency by putting mobile evidence collection solidly in their hands, its optimization for a network-enabled environment allows for a seamless transfer of data to lab practitioners when required. To learn more, download our solution brief.


How private social data makes a better crime story

Open source intelligence is an undeniably important source of information in a great many investigations, both civil and criminal. Public-facing posts to Facebook, Twitter, Vine, Pinterest, and other services can provide key evidence in cases involving insurance fraud, child exploitation, organized criminal activity, and harassment in or out of the workplace, among others.

However, open source intelligence is limited. People who act one way on public networks may behave very differently in private posts or messages, and may conceal key details in private messages. That means that without the data, investigators lack important context. In a recent survey of Cellebrite customers, nearly two-thirds reflected that data stored off the device and on the cloud was of critical concern to them.

Perhaps the most well-known example of the gap between public and private social data is the wave of street violence that occurred in north London, England in August 2011. As The Guardian reported, Facebook and Twitter only accounted for a small amount of communications around the unrest. Actively monitoring those services, police managed to deter violence in publicly named locations.

“However,” the news article went on to note, “the most powerful and up-to-the-minute rallying appears to have taken place on a more covert social network: BlackBerry Messenger (BBM)…. unlike Twitter or Facebook, many BBM messages are untraceable by the authorities.”

Social network analysis identifies likely sources of private contact

When an investigator considers the likelihood that s/he will need to obtain private social data, interviews with victims, witnesses and suspects are often a good place to start. Interviews can reflect communication patterns—apps and platforms used, modes of contact, etc.—among people involved in a case, and help narrow down the range of content to look for.

Also consider who is important enough for the victim or suspect to share information with. You can get a sense for this network from analyzing activity by the people they most frequently communicate with: those who like or comment on their posts, how frequently, in what context. Unusual communications from a loose acquaintance, depending on timing, can be as important as regular contact with a typical circle of people.

Social network analysis can also reveal relationship conflicts of interest, which can be important in fraud or insider threat cases. People who are not outwardly connected on social media may be communicating via email or private message, in accounts they don’t use to communicate with anyone else.

Public data can provide private leads

Consider, in addition, what is important enough for a victim or suspect to share information about. Images of material goods can indicate money spending habits or even outright crime. Their page likes and follows—the Guardian reported that initial activity related to the riots began on a public Facebook page—can provide clues about interests and activities which they may discuss privately.

Meanwhile, private content that is opposite to public postings, or to what the victim or witness has told you during interviews, can be used as leverage to find out what really happened. These contradictions can exonerate as well as implicate a suspect. And, if the case goes to trial, the contradicting content can impeach a witness’ credibility.

Understand cloud usage trends in your community

It’s important to maintain a strong sense of ongoing technological trends, not just in the nation or the world, but in specific regions as well. The Guardian described in a later article how, in London, BlackBerry’s prepaid model allowed teens and lower-income people to afford the devices they used to coordinate their activities, without using cloud services.

Further, while BlackBerry Messenger communications are encrypted, and iOS and Android devices are heading that way as well, most social media services are not. That means that data unrecoverable from apps on the device may still be available from the cloud services themselves.

Even so, with mobile device manufacturers, third-party app developers, and online service providers taking more drastic measures toward improving their customers’ data security, government agents should take the steps they need to secure proper legal authority before accessing subjects’ private data. That could take the form of a search warrant, consent, or other documentation. It also means understanding the difference between true exigency, and the perception of exigency in a high-pressure situation such as a riot.

Don’t miss out on the critical evidence or intelligence that could help make a case. Download our solution brief to learn more about how the UFED PRO Series improves the context of an investigation.


Keep your investigations moving forward with cloud-based data

How many of these scenarios have you encountered as an investigator?

  • The suspect used an app for which there is no mobile forensic support. You could manually carve and decode the data from a physical extraction—assuming it is supported by the mobile forensics tools you use—but you lack time, and/or the forensic lab tells you it will be weeks before they can get the data back to you.
  • You serve a search warrant on a cloud data provider, but they ignore your request, and/or they inform the suspect that you’re investigating.
  • The cloud provider is willing to work with you, but they tell you they can’t comply with your search warrant or court order unless it is submitted a certain way. During the weeks it takes you to negotiate and get new paper signed, your victims recant their statement, and your witnesses are much less forthcoming in follow-up interviews.

A case that stalls or halts altogether, while you wait for time-sensitive webmail and/or social media data, means it’s a lot less likely that you’ll be able to find and apprehend a criminal. You need a way to obtain cloud-based evidence much more quickly, and preferably within the first few hours or days of a victim’s initial statement.

Obtaining private cloud data offers additional context for what was going on in a victim’s or suspect’s life during specific timelines. Having this context enables investigators to make informed decisions about how to proceed with a case, how to plan an interview strategy, and which individuals to focus on.

Restricting a search to these timelines, and to certain content types, not only reduces the amount of data you have to go through; it also protects individual privacy by eliminating the content that has nothing to do with the investigation.

Private cloud data access can also help to reduce the risk that you’ll have missed important artifacts from mobile devices and hard drives, especially when devices or apps are partially supported or unsupported for extraction.

Finally, faster access to important evidence reduces the risk of losing witnesses who lose interest before a provider returns data, or because a provider was resistant to being served or tried to inform the suspect. It can also help to identify victims who might not have come forward on their own.

With the proper legal authority, private cloud data can give you the data you need to make a case without adding too much irrelevant data to have to sift through. Download our solution brief now to learn more about how to leverage this capability within the UFED PRO Series as part of your investigations.


Link data in graphs, timelines, and maps to save time and accelerate investigations

Link analysis capabilities continue to grow in importance in a great many investigations, from homicide and sexual assault to property and pattern crimes. Read (and watch!) on — and at the end of the post, download our white paper — to learn how UFED Link Analysis can help you save time and effort in finding leads, establishing patterns, and maximizing the insights available for your investigations.

Construct case timelines from multiple mobile devices

Timelines are one of the most important elements of any investigation. Retrace a victim’s or suspect’s steps through the last hours, days, weeks or even months before an incident. Identify a subject’s patterns of behavior: the days and times s/he regularly visits or calls family members, does business, runs errands, etc. These patterns, as well as deviations from them, can be important in small or large ways.

Learn more about how to quickly visualize timelines in UFED Link Analysis in our video:

Import additional data sources for context

One of UFED Link Analysis’ most important features is the ability to import data from other sources; notably, carrier call detail records (CDRs), which can show the towers to which a suspect or victim device connected over a period of time. This can help establish both travel activity and stationary locations. CDRs can also reveal incoming and outgoing calls and, in some cases, text messages (depending on how long they retain the data).

Watch to learn more about pre-set formats and other features that make CDRs easy to import and analyze alongside device data:

Establish suspects’ and victims’ location behavior

Along with timelines, the maps within UFED Link Analysis can be a good way to narrow down a list of potential leads and establish subjects’ normal and abnormal patterns of behavior. Plot geolocation data from wifi access points, cellular towers, GPS apps, images and video to show two or more suspects in the same location at the same time. You can also do the same to show a suspect’s connection to a victim – or exonerate a suspect accused of wrongdoing.

Learn more about how Map View works in our video:

UFED Link Analysis’ versatility only starts with these features. Download our white paper for additional details about putting it to work for your investigations!


Bypassing Locked Devices: Q&A from Cellebrite’s webinar


Last month we hosted two webinar sessions on “Bypassing Locked Devices”, led by Mr. Yuval Ben-Moshe, Cellebrite’s Senior Director for Forensic Technologies. In these sessions, Yuval presented the challenges and solutions to bypassing locked devices, including Cellebrite’s proprietary boot loaders among other methods used to tackle locked devices.

The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog—including some that we didn’t have time to answer during the webinar.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Basics of mobile device user lock bypass

Q: Using the UFED, can you gain access to the phone where the wrong passcode has been entered too many times and is now locked?

A: This depends on the device and the locking mechanism used by it. If the device is supported by a boot loader or JTAG, then the data can be extracted regardless of any locking mechanism or the number of times a wrong password was used.

Q: How far off is user lock bypass support for iPhone 5 and BlackBerry devices?

A: Forensic extraction of data from the iPhone 5 is achievable using the .plist file from the paired computer. With a locked BlackBerry, at this point in time, examiners must rely mainly on chip-off or JTAG methods for specific models.

Q: If the element file is deleted, will it affect the function of the original pattern passcode?

A: This question refers to a method called disabling. The device will remain in a lock disabled mode until a new password can be configured via the device’s set-up menus.

Q: If an extraction fails or is interrupted, can I still parse the extracted content if it is incomplete?

A: A physical extraction that was interrupted cannot be decoded, because a full binary image is required in order for the decoding to reconstruct the full file system.

Q: Can the UFED bypass iOS 7+ with a user lock and a SIM lock?

A: Bypassing locked devices depends on the device hardware and not the iOS version running on it. That is, if iOS 7 is running on an iPhone 4, physical extraction is achievable; however, if iOS 7 is running on an iPhone 4s or a newer model, then a .plist file is required to enable data extraction.

Q: If a device employs a biometric lock, how does the UFED tackle the lock?

A: Bypassing a biometric lock depends on the device model. For example, for the iPhone 5, the UFED can bypass the biometric lock using the .plist file.

Sync devices and .plist files

Q: The webinar presents the paired computer method for iOS devices showing the Windows 7 path on a PC. Is there a specific location path for Apple Mac computers?

A: The path for the .plist file on Mac computers is: ~/Library/Application Support/MobileSync/Backup/

Q: Does the .plist appear on the user’s iCloud?

A: The .plist file is used for the communication between the device and the computer; hence, it does not appear in the user’s iCloud data.

Q: How do you employ the .plist file?

A: The process of using the .plist file is very simple: UFED will automatically detect the iOS device as being locked and request the .plist file.

Boot loaders and clients

Q: Will injecting a client or boot loader lead to evidence tampering?

A: The boot loader is uploaded onto the device’s RAM and is then deleted when the device powers off or restarts. Therefore, it does not tamper with the evidence. In contrast, a client may write some data onto the device’s flash memory, yet it is still considered a forensically sound process if the investigator specifically documents what was written and on which partition/folder.

Q: If an extraction fails, is the client left on the device?

A: In some cases, when the extraction is interrupted abruptly, the UFED may not have enough time to uninstall the client, and some files may be left on the device. In this case, UFED provides a specific function to delete the client. This capability is under the UFED ‘Device Tools’ menu.

Q: Does the UFED Classic include the boot loader function?

A: The UFED Classic is also capable of tackling locked devices. However, it may not support the latest modern devices due to technical limitations with hardware. It is highly recommended to trade up the UFED Classic for a more advanced model, such as the UFED Touch or UFED 4PC.

User locks on prepaid devices

Q: Can the UFED bypass disabled data ports in burner phones? JTAG/chip-off are options, but unlocking with a manufacturer code is possible. Can you support unlocking burner phones?

A: The UFED is able to bypass the locking mechanism for many low-end phones, a.k.a “burner phones” using a boot loader. While JTAG and chip-off are valid options, we recommend you first try unlocking the device with a UFED, since these methods are more complicated, time-consuming, potentially destructive, and expensive.

Q: How does the UFED bypass a prepaid phone with a locked data port?

A: Bypassing a user lock depends on the device itself. If the data port is disabled, then the JTAG or chip-off methods are applicable here.

View the full webinar below:

Leave a comment if you have a question that was not answered above, or in the webinar itself!

A low tech solution to a high tech problem

Last month, Det. Zach Neemann, one of our customers in the Deschutes County (Oregon) Sheriff’s Office Digital Forensics Lab, was attempting to analyze a Samsung Galaxy SIII SGH-I747 GSM AT&T cellular telephone running Android 4.0.4. Even though USB debugging was enabled, during physical and file system extractions the UFED Touch would disconnect about a minute after the screen timed out.

Neemann assumed it was because the phone was going to “sleep” or “hibernation” mode. As long as he continued to touch the screen every few minutes, the phone did not go to sleep and the imaging continued. “However, I really did not want to sit there for the next two to three hours, touching the screen,” he told us.

An in-depth examination of the Accessibility, Security, Battery, Power Saving, Display and other settings showed no feature to keep the phone awake. Neemann could turn off the screen lock, but the screen timeout limit was 10 minutes, and this model—unlike others—did not have the option to disable the screen lock permanently.

Facing the possibility that he would have to keep touching the screen every 10 minutes for the next two hours, Neemann located a feature called “Smart Stay”, which stated that it would disable the screen timeout if the device detected that the user’s face was watching the screen. “At this point I took a picture of myself with my phone, and printed it,” he said. “Then I taped it to the back of my chair, propped the phone up and set the screen timeout to 30 seconds.

“While observing the phone I found that an eye icon appeared in the task bar every thirty seconds,” Neemann said. “This appeared to look for my face and then disable the screen time out. I was then able to capture the entire physical image without the cell phone going to sleep. The imaging process worked perfectly, after this fix.”

The following morning, Neemann did further testing with the Samsung phone. He learned that the facial sensor comes on in designated intervals, anywhere from every 15 seconds to 10 minutes depending on how the user configures it.

“We removed the photo and pointed it to the back of the chair, to a white background, to a beige background and to a black background,” Neemann told us. “We also tried just the back of the hand and a combination of a white background with black square in the middle. It did NOT work for any of those backgrounds. The only way it properly recognized the facial pattern was to point it toward an actual picture.”

Fortunately, the device wasn’t so picky that it would only work on one face: Neemann tested it with images of two different males and one female, and all of them prevented the screen from timing out.

Have you ever tested your way out of an especially tricky problem with a mobile device? Leave us a comment!

How well does our BitDefender integration work?

Mobile malware is picking up steam. From malicious apps that send private and personal data to unknown third parties, to sound- and light-activated mobile malware, to mobile malware that can exfiltrate information from Windows PCs, mobile malware increased between 580% and 1000% last year, with tens of thousands of pieces of malware currently in the wild.

That’s why in December, BitDefender’s anti-malware technology was implemented in Cellebrite’s UFED Physical Analyzer software to analyze physical and file system extractions and provide a comprehensive malware report.

The integrated solution helps forensic examiners to pinpoint whether undetected malware aided the commission of crimes. More specifically, BitDefender unpacks apps’ .apk files and looks inside them for infected files. The company regularly and frequently updates its signature files, so each time you run UFED Physical Analyzer’s malware scanner, you get fresh malware signatures to scan images.

At Mobile Forensics World last month, presenters Carlos Cajigas and Pete McGovern with Florida-based EPYX Forensics used open source Linux-based tools to validate our integration of BitDefender mobile malware scanning. Among the tools: AVG and Clam, as well as BitDefender mounted within Linux Ubuntu.

As described in the EPYX blog, Cajigas had already scanned the image of an infected HTC Desire with UFED Physical Analyzer’s BitDefender integration. There, our software identified 331 infections.

After a review of how AVG, Clam, and BitDefender performed against 11,080 known pieces of malware identified from ViruShare.com, a repository of samples, Cajigas ran AVG and Clam against the device’s image. They found only 14 and 19 infections, respectively. As he noted, this can be valuable low-hanging fruit that may be all that is needed to make a case.

Even so, a final scan with BitDefender uncovered 368 suspicious files out of 39,473 total files (including those within the 11,080 .apks); of those, 41 were viruses. Cajigas accounted for the discrepancy between this scan and the initial Physical Analyzer scan by stating that he had performed the first scan several weeks earlier—and that BitDefender had likely updated its signature files since.

Beyond the malware scan

Cajigas points out: “Simply scanning a device only points to the fact that there may be some evil on that image. Reverse engineering can find out if the image is in fact infected, or would be a false positive.”

What counts as a false positive? That depends. “If I root my phone, I will install BusyBox on it,” says Cajigas. “Because most people call it a hacking tool, malware detectors alert on it. But because it was intentionally installed, it’s not in fact malware. This makes it a false positive.”

Several variables determine whether a forensic examiner should move forward in determining whether a malware infection has any bearing on a case. One variable is the severity of charges. Another is what other evidence exists in the case. A case that hinges on mobile device evidence may require additional investigation so as to reduce reasonable doubt.

“If you find malware, how would you be satisfied that the malware you found is not related to the crime?” Cajigas asks. “The only answer is research and investigation.” He recommends pulling any infected .apks into a resource like Anubis, which “sandboxes” .apks for safe exploration. Here, it is possible to see what URLs the .apks are calling, along with any other suspicious behavior.

From there, it may be necessary to reverse engineer the suspected malware. Cajigas says this is an advanced skill which usually involves very specific training. Yet, developing this kind of skill—or finding an expert who has it—could be important to a case.

He offers the example of an .apk that is shown to be a worm. “Later on the examiner might determine that the worm opened a backdoor that calls to a command and control center, which steals information such as the device’s IMEI or ICCID—but does not download child porn,” he explains. This could be very important in a child exploitation case.

As Cajigas’ presentation showed, the addition of BitDefender to UFED Physical Analyzer means that investigators’ ability to identify potential and actual malware is much stronger than it would be if Clam or AVG were all they had to rely on. However, examiners must be able to testify in court about the process they used to detect and then investigate suspicious .apks.


Using UFED Physical Analyzer to find which (supported) time stamp format is used

A few weeks ago, one of our customers emailed about a PIN locked Samsung SCH-U365 CDMA device. Searching within UFED Physical Analyzer for dates/times on this device, he wanted to find out whether the SMS PDU dates were his only option to choose, or if others might be available.

This particular device uses a Jan 1, 1980 epoch for SMS dates/times. Here’s a tutorial on how to use UFED Physical Analyzer to determine that information:

1) After opening the extraction, open the physical or file system extraction image file.

2) While the image hex viewer is open, select the desired data type (in this case SMS).

3) At the bottom part of the screen you will see a list of all the decoded fields from the selected data type.

4) Select your specific data field of interest to see where it is located in the hex view; in other words, where UFED decoded it from. In this case, it would be the time stamp of an SMS message.

SMS time stamp located in hex code

5) Switch to the “Values” tab and locate the “Date & Time” data type, then open the Epoch list.

6) Move the mouse cursor over the 4 bytes (highlighted in green) that, as seen earlier, hold the time stamp.

7) Notice that the “Information Frame” dialog that displays the decoded time stamp (26/11/2012 02:17) matches the Epoch Jan 1, 1980. This is the desired format originally asked about.

Information Frame dialog displays the decoded time stamp

8) To perform a search and locate more potential deleted SMS messages, use the Find option and select the Dates category with “Epoch Jan 1, 1980” as the time stamp format to search for.

Since the time stamp is only 4 bytes, almost any 4-byte sequence decodes to some date, so define the date range that you want to search for in order to reduce false positive results. You can see in the image below that there were more than 5000 results in the test extraction.

To further reduce false positive results and also get more data before and after each result (for example the SMS text, which may sit at a fixed offset from the time stamp), use the “Additional data” extraction/filter at the bottom right of the dialog shown below.

additional data extraction/filter

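The same steps carried out in code, as an added example that is not part of the original post or of UFED Physical Analyzer: decode a 4-byte Jan 1, 1980 epoch field, then carve a raw image for such fields while rejecting everything outside a chosen date range and collecting the "additional data" that follows each hit. The byte order (little-endian) and the unit (seconds) are assumptions; the sample image is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

# Epoch this handset uses for SMS time stamps (per the tutorial above).
EPOCH_1980 = datetime(1980, 1, 1, tzinfo=timezone.utc)

# ASSUMPTION: unsigned little-endian count of seconds. The post does not
# state the byte order; use ">I" for a big-endian device.
FMT = "<I"


def decode_1980_epoch(raw: bytes) -> datetime:
    """Decode one 4-byte field as seconds since 1 Jan 1980 (UTC)."""
    (secs,) = struct.unpack(FMT, raw)
    return EPOCH_1980 + timedelta(seconds=secs)


def encode_1980_epoch(dt: datetime) -> bytes:
    """Inverse of decode_1980_epoch; used here only to build sample data."""
    return struct.pack(FMT, int((dt - EPOCH_1980).total_seconds()))


def carve_timestamps(image: bytes, start=None, end=None, extra: int = 0):
    """Slide a 4-byte window over the image and keep each offset whose value
    decodes to a date in [start, end]. Without a range nearly every window is
    a 'valid' date, which is the false-positive flood the tutorial describes.
    Returns (offset, datetime, following_bytes); following_bytes is the
    'additional data' after the hit, e.g. SMS text at a fixed offset."""
    lo = 0 if start is None else int((start - EPOCH_1980).total_seconds())
    hi = 2**32 - 1 if end is None else int((end - EPOCH_1980).total_seconds())
    hits = []
    for off in range(len(image) - 3):
        (secs,) = struct.unpack_from(FMT, image, off)
        if lo <= secs <= hi:
            when = EPOCH_1980 + timedelta(seconds=secs)
            hits.append((off, when, image[off + 4:off + 4 + extra]))
    return hits


# Constructed sample image: filler, the tutorial's time stamp (26/11/2012
# 02:17) followed by a message body, then a decoy 01/01/2000 stamp that a
# November 2012 date range must reject.
TUTORIAL_TS = datetime(2012, 11, 26, 2, 17, tzinfo=timezone.utc)
NOVEMBER_2012 = (datetime(2012, 11, 1, tzinfo=timezone.utc),
                 datetime(2012, 12, 1, tzinfo=timezone.utc))
SAMPLE_IMAGE = (b"\xff" * 8 + encode_1980_epoch(TUTORIAL_TS)
                + b"SMS text at fixed offset" + b"\x00" * 4
                + encode_1980_epoch(datetime(2000, 1, 1, tzinfo=timezone.utc))
                + b"\x00" * 4)

if __name__ == "__main__":
    for off, when, body in carve_timestamps(SAMPLE_IMAGE, *NOVEMBER_2012, extra=24):
        print(f"offset {off:#06x}: {when:%d/%m/%Y %H:%M} -> {body!r}")
```

Run against a real dump, the unbounded call returns a hit at nearly every offset, which is why the date range (and a fixed-offset check on the trailing bytes) is what makes the search useful.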


Partnership with the CCL Group brings new Android password carver to UFED Physical Analyzer

As useful as our Android pattern/PIN/password lock bypass is to so many of our customers, at times the password itself is needed. Perhaps a forensics examiner wants to validate extraction results manually, or believes the same password protects a different device.

Still, not all physical extractions are automatically decoded. Without the file system reconstruction that decoding provides, examiners must manually carve the password from wherever it is stored within the device’s operating system. This can add time to the forensic process, especially if the examiner must refer the device to a specialist. It might even be impossible if the examiner lacks carving skills, or access to an expert who has them.

With our soon-to-be-released UFED Physical Analyzer 3.7, we’re pleased to introduce a new Android password carver—thanks to the efforts of the CCL Group, the United Kingdom’s largest private digital forensics company. Having produced 300 scripts as part of its digital forensics research and development efforts, last year CCL Group’s lab developed Python code that could carve a numeric password from an Android physical extraction or from third-party image files.

The premise, as they explained in their blog:

As with the pattern lock the code is sensibly not stored in the plain, instead being hashed before it is stored. The hashed data (both SHA-1 and MD5 hash this time) are stored as an ASCII string in a file named passcode.key which can be found in the same location on the file system as our old friend gesture.key, in the /data/system folder.

However, unlike the pattern lock, the data is salted before being stored. This makes a dictionary attack unfeasible – but if we can reliably recover the salt it would still be possible to attempt a brute force attack.

The CCL developers made their code openly available for other researchers to dig into. Cellebrite’s co-CEO and Chief Technology Officer, Ron Serber, believed that the code was a natural fit within the UFED Physical Analyzer platform.

However, the code was written independently of our infrastructure. With CCL’s permission and partnership, we rewrote the Python code so that it could be used within our platform. On its own or as part of a plugin chain, the carver enables recovery of numeric passwords from physical image files extracted by UFED, JTAG, chip-off or other tools.

We’re introducing the carver together with UFED Physical Analyzer 3.7 in just a few days. Current license holders will receive an email with download links; if you’re not a current customer, please download our free UFED Physical Analyzer 30-day demo.