What’s New in UFED 5.0: Q&A from Cellebrite’s Webinar

Earlier this month we hosted a webinar entitled “What’s new in UFED Touch, 4PC, Physical Analyzer, Logical Analyzer 5.0?” The webinar gave attendees insights into the latest features and capabilities introduced in version 5.0, including unique extraction capabilities such as the temporary root (ADB) solution for Android devices, detailed demos of merging multiple extractions into a single project, removing duplicates, and a new and effective validation process, as well as filtering out common images and other industry-first capabilities that help you drill into the data that is most crucial to your investigation.

During the webinar, we received an array of excellent, insightful questions from participants. A selection of these questions, with corresponding answers, has been compiled into this blog.

The webinar is available for viewing at the bottom of this post.

Note: If you don’t see your question answered below, please leave a comment at the end of this post and we will try to provide you with an answer ASAP.

Q&A – Let’s begin!

Q: Which fields are used to determine duplicated messages for Chat, MMS and SMS?

A: We have a set of rules for deduplication. For analyzed data (SMS, emails, chats), we identify key values for each model/content type that determine whether two items are duplicates, and based on those values we remove duplicates and merge items. For data files (text, images, video and more), duplicates are identified by comparing hash values calculated over the file content.

Q: After the deduplication process completes, are there any reports or items showing that there was a duplication?

A: You can find an indication of duplicates in any table in the UI. There is also a filter available for this information, and the indication appears in all report formats.

Q: Sometimes physical extractions of a single project contain duplicate messages due to garbage collection, etc. Is there a way to detect and remove duplicates from a single project?

A: Indeed. Version 5.0 automatically removes duplicates within a single project/extraction as well.

Q: Is the application able to create a hash of the whole Image or project?

A: UFED Touch/4PC 5.0 creates a hash of the whole image of any physical extraction. UFED Physical Analyzer 5.0 lets you review this MD5/SHA-256 value and validate/verify it.
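The two answers above describe hash-based handling of extracted files: duplicates among data files are detected by comparing content hashes, and the whole physical image is hashed at acquisition so it can be verified later. The following Python script is an added illustration of both ideas and is not Cellebrite’s code; it streams each file through MD5 and SHA-256, groups byte-identical files so that only the first copy is kept as the primary item, and checks a constructed image against the digest recorded when it was written. All file names and contents are constructed sample data written to a temporary directory.

```python
import hashlib
import os
import tempfile


def file_hashes(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, streamed in 1 MiB chunks
    so that multi-gigabyte images are not read into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def deduplicate_by_hash(paths):
    """Group files by SHA-256 of their content. The first path seen in each
    group is the primary item; the rest are merged duplicates."""
    groups = {}
    for p in paths:
        _, sha = file_hashes(p)
        groups.setdefault(sha, []).append(p)
    primary = [g[0] for g in groups.values()]
    duplicates = {g[0]: g[1:] for g in groups.values() if len(g) > 1}
    return primary, duplicates


def verify_image(path, expected_sha256):
    """Validate a whole-image extraction against the SHA-256 recorded at
    acquisition time. Any single changed byte produces a mismatch."""
    _, sha = file_hashes(path)
    return sha.lower() == expected_sha256.lower()


def demo():
    """Constructed sample: three small 'data files' (two byte-identical) and one
    'physical image' written to a temporary directory (hypothetical names)."""
    d = tempfile.mkdtemp()
    files = {
        "photo_a.jpg": b"\xff\xd8constructed-jpeg-bytes",
        "photo_b.jpg": b"\xff\xd8constructed-jpeg-bytes",  # same bytes as photo_a
        "note.txt": b"constructed note",
    }
    paths = []
    for name, data in files.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)
    primary, duplicates = deduplicate_by_hash(paths)

    image = os.path.join(d, "extraction.bin")
    with open(image, "wb") as f:
        f.write(b"constructed image payload" * 1000)
    recorded_sha = file_hashes(image)[1]  # value an acquisition tool would record

    return {
        "primary_count": len(primary),
        "duplicate_count": sum(len(v) for v in duplicates.values()),
        "image_valid": verify_image(image, recorded_sha),
        "tamper_detected": not verify_image(image, "0" * 64),
    }


if __name__ == "__main__":
    print(demo())
```

The hash is computed over file content only, so two copies of a picture with different names or paths still collapse into one primary item, while two files that differ by a single byte remain separate. Verifying the image against the acquisition-time digest is the same check UFED Physical Analyzer performs when you validate an extraction.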

Q: I see that you didn’t include merged data when you were going through the reporting feature. Is there a reason why you would include this information?

A: By default, the merged items are not included in the report, as we assume that the main items are the most important. You may change these default values and include the merged items as well.

Q: Is there a way to get a summary of all contacts that are on a phone? The Contacts area doesn’t always capture the contacts from apps (i.e. WhatsApp, Viber, etc.). I find that I need to extract SMS/MMS/Chats/CallLog and then combine the logs together for a contacts summary.

A: All recovered contacts are presented under the Contacts node in the tree, including contacts recovered from 3rd party apps. We do plan to merge SMS, IM, MMS and chats (all messaging events) into a unified view; this is planned for one of the coming versions of UFED Physical Analyzer.

Q: Using the upgraded UFED Touch and Physical Analyzer, I have noticed that when looking at results for a logical extraction for some phones, deleted data is shown. Can we actually get some deleted data during logical extractions now?

A: Deleted information from apps can be recovered as part of logical extraction.

Q: When you change the name of the extraction, does it change the name of extraction file that is placed in the folder?
A: No, the name change is only for viewing and reporting purposes.

Q: Since WhatsApp is now encrypted, can UFED 5.0 extract WhatsApp encrypted data?
A: Messages are encrypted while in transit; however, this does not affect the data at rest (the forensic copy) stored in the WhatsApp databases. On top of that, WhatsApp has recently started using a new encryption key – crypt9. We are working to provide a solution for this encryption.

Q: Can UFED Physical Analyzer 5.0 pull data (pictures and videos) from SnapChat, or only text messages?
A: For both iOS and Android devices, media files are extracted as well.

Q: Is there a specific order as to when you have to do the ADB and APK backup and downgrade?
A: It is recommended to use the APK downgrade as a last resort, after other extraction methods have been exhausted (including JTAG and chip-off), since it’s an intrusive method, which requires APK installation on the device.

Q: Why do some of the recovered passwords display as clear data, while most of them are encoded?

A: In many cases the passwords are stored as tokens, which is why you can’t see clear data. Private data is stored encrypted as tokens: when the password is first entered, it is sent to the server for storage, and every time the password needs to be checked, the public-key-encrypted password is sent to the backend server and decrypted there with the private key. In UFED Physical Analyzer, you can see these encrypted values.

Q: If you use the time zone support, does it make any changes to the extraction or is it just for easier viewing?
A: For easier viewing and reporting only; no change is made to the original extraction.

Q: About the timestamp option, can you explain about the options in the settings? When does it prompt when device time zone is detected?

A: To automatically adjust timestamps to UTC+0, select the Automatically adjust timestamps to UTC+0 check box. This setting is recommended when working on multiple extractions, so that all records are presented according to the same adjusted time zone offset.

If a time zone is detected as part of decoding, a pop-up window is presented, suggesting that you automatically adjust the timestamps. Alternatively, you can change this in the general settings. When the Automatically adjust timestamps according to the device’s time zone check box is selected, all timestamps are adjusted to the mobile device’s time zone, including in report outputs.
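The two timestamp answers above describe three views of the same records: the raw stored values, the values adjusted to each device’s detected time zone, and all values normalized to UTC+0 so that records from several extractions line up on one axis. The Python below is an added example, not Cellebrite’s code, showing why the UTC+0 setting is recommended for merged projects: two constructed extractions (hypothetical names phone_A and phone_B) store device-local timestamps with different detected offsets, and sorting the raw strings gives a different event order than sorting on the common UTC axis. The original strings are never modified, matching the answer that the adjustment is for viewing and reporting only.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: each extraction stores naive device-local timestamps
# plus the UTC offset (hours) detected for that device during decoding.
EXTRACTIONS = {
    "phone_A": {
        "device_utc_offset_hours": -5,
        "records": [
            ("sms", "2016-03-01 09:00:00", "see you at the cafe"),
            ("chat", "2016-03-01 09:07:30", "running late"),
        ],
    },
    "phone_B": {
        "device_utc_offset_hours": 2,
        "records": [
            ("sms", "2016-03-01 16:05:00", "where are you?"),
        ],
    },
}


def parse_device_local(ts, offset_hours):
    """Attach the detected device offset to a naive stored timestamp."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def normalize(extractions, mode="utc"):
    """Produce a viewing copy of every record without touching the stored data.
    mode='utc'    -> adjust all timestamps to UTC+0 (recommended when merging)
    mode='device' -> keep each record in its own device's time zone
    mode='raw'    -> leave the original stored string as is"""
    rows = []
    for name, ex in extractions.items():
        off = ex["device_utc_offset_hours"]
        for kind, ts, body in ex["records"]:
            if mode == "raw":
                shown = ts
            else:
                aware = parse_device_local(ts, off)
                shown = aware.astimezone(timezone.utc) if mode == "utc" else aware
            rows.append((shown, name, kind, body))
    return rows


def merged_timeline(extractions):
    """Sort records from all extractions on a single UTC axis."""
    rows = sorted(normalize(extractions, "utc"), key=lambda r: r[0])
    return [(r[0].strftime("%Y-%m-%d %H:%M:%S UTC"), r[1], r[2]) for r in rows]


def raw_order(extractions):
    """Order the same records by their raw stored strings: misleading when
    the devices were in different time zones."""
    rows = sorted(normalize(extractions, "raw"), key=lambda r: r[0])
    return [r[1] for r in rows]


if __name__ == "__main__":
    for row in merged_timeline(EXTRACTIONS):
        print(row)
    print("raw string order:", raw_order(EXTRACTIONS))
```

On this sample the raw order puts both phone_A messages before phone_B’s, while the UTC timeline shows phone_B’s 16:05 (+2) message actually fell between phone_A’s 09:00 and 09:07:30 (−5) messages. That reordering is exactly what the UTC+0 check box is meant to make visible when several extractions are merged into one project.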

View the full webinar below.


Exclusive support for additional Motorola Androids highlights 4.5 release


With the release of UFED 4.5, Cellebrite announces support for 18,290 device profiles and 1,270 app versions. The recent release brings industry first access to 11 additional Motorola Android devices, logical extraction via Bluetooth from any Android, and enhanced decoding support for the latest versions of all UFED supported applications running on iOS and Android devices.

Logical extraction via Bluetooth

Version 4.5 introduces a quicker and more efficient workflow, providing users with the option to perform a logical extraction via Bluetooth from any Android device. Extracting via Bluetooth is an effective solution to recover data from devices with damaged USB ports, as well as from prepaid devices (such as TracFone Android), which come with locked USB ports.

As illustrated in the image below, to use this option, select Use Bluetooth under Select Content Types.


Physical ADB method for rooted Android devices

Physical ADB method is now available for pre-rooted Android devices when the physical extraction method is not supported. Using the ADB method, users can now perform physical extraction from rooted Android devices.

A few notes regarding rooted devices and ADB…

What is rooting? To “root” a device means to gain administrative rights over the file system of an Android device. A device can be rooted only in its recovery partition, or fully rooted following a rooting process.

What is ADB and how does it work? ADB, or Android Debug Bridge, is a built-in protocol within the Android operating system. This protocol enables developers to connect to an Android-based device and perform low-level commands used for development. In UFED, this protocol is used to perform extractions from Android devices.

Updated app support

Following recent news regarding ISIS terrorists using the Telegram app to carry out their activities, version 4.5 keeps pace with industry demands by providing enhanced decoding support for Telegram’s latest version running on iOS and Android devices. Updated support is also available for 134 Android and 43 iOS app versions.

Improved Functionality for UFED Physical Analyzer and UFED Logical Analyzer

Version 4.5 also introduces improvements for the ruggedized frontline tool, UFED InField Kiosk, enabling users to encrypt mobile forensic reports and UFDR files with a password. Users can open encrypted reports using the password and view them with UFED Physical Analyzer and UFED Logical Analyzer. Password-protected reports can also easily be shared with other investigators over a network using UFED Reader.

Additional enhancements include new offline map packages for the following regions: Minsk, India, Germany, Australia and New Zealand, Scandinavia. (The Offline maps feature was introduced in version 4.2. This feature enables you to view extracted locations on a worldwide map without internet connection).

Learn more about UFED 4.5 – download the release notes here!

Exclusive bootloader method support for the latest Samsung devices headline UFED 4.4 release


With the release of UFED 4.4, Cellebrite announces support for 17,638 device profiles and 1,092 app versions. UFED 4.4 introduces the exclusive bootloader method, designed to solve some of investigators’ most challenging problems in unlocking and extracting data from leading Samsung Android devices. The release also includes decoding support for new devices and OS updates, including iPhone 6S/6S Plus, iOS 9.1, and Android Marshmallow.

New unlocking & physical extraction support for Androids using the unique bootloader method

In the previous version, 4.2.6, we announced the release of the enhanced bootloader method, which enables you to obtain additional data when performing a physical extraction while bypassing the user lock on Samsung devices.

As part of our ongoing efforts to provide the best physical extraction capabilities for the latest Android devices, version 4.4 introduces an enhanced bootloader to support newer phone firmware versions, and includes 12 additional Samsung devices. You can now obtain additional data by performing a physical extraction using the enhanced bootloader method for 85 popular Samsung Android devices running Android 5.x. This unique solution supports the following Samsung families: Galaxy S3, S4, S5, Note 3 and Note 4.

What is the bootloader method?

Physical extraction using the bootloader method is the recommended method to recover data from Android devices. When the device is in bootloader mode during extraction, the operating system does not run, and therefore the device cannot connect to the mobile network. The method bypasses any user lock and is forensically sound.

New tutorial video is available below.

Cellebrite now supports new iPhone 6S/6S Plus and Android v6.0 Marshmallow

Recent device launches and operating system updates are also supported with UFED 4.4. Users can now perform file system, logical (including application data) and advanced logical extractions, and decoding, from iPhone 6S and 6S Plus devices and iOS 9.1. UFED 4.4 also provides file system and extraction support for the latest Android v6.0 Marshmallow, with limitations. Following recent changes made in Android 3rd party apps, including Facebook, WhatsApp and Snapchat, data from these apps can no longer be extracted when performing file system and logical extractions using the Android backup method. We recommend two options to overcome this limitation: perform a physical extraction (when available), or root the device to extract data.


Extend your investigation capabilities with enhanced support for new apps for iOS and Android

UFED 4.4 keeps pace with investigator demand for more app support and greater visibility into app data. This version introduces newly added support for some of the most popular apps installed on both Android and iOS, including Google Drive, Google Tasks, Google Translate, Inbox, OneDrive, Pinterest, Runtastic, Yandex Browser and Yandex Maps; OneNote and VIPole are available for Android.

With 300 million active users on Dropbox, 250 million on Microsoft’s OneDrive, 240 million on Google Drive*, and 100 million users on Pinterest (the third most popular social network in the US)**, we are bound to believe that the high number of people using these apps on their devices may also hold the evidence you need for your investigation.

Updated support is also available for 53 Android and 61 iOS app versions.

New decoding method process for WhatsApp data 

In UFED 4.2.6, we introduced a new capability to decrypt WhatsApp data. Using a third-party script, you can manually extract the WhatsApp key (on non-rooted Android devices) and use it in UFED Physical Analyzer to decode and decrypt the data. During the process, the WhatsApp version is temporarily downgraded to an earlier version so that the key can be extracted and used to decode the WhatsApp database. The current WhatsApp version is restored at the end of the extraction process.

A new step-by-step process is now available in MyCellebrite.

Learn more about UFED 4.4 – download the release notes here!

* http://expandedramblings.com/index.php/google-app-statistics/

** http://marketingland.com/pinterest-says-it-has-100-million-monthly-active-users-143077

Using the Lightning to USB cable for iPad 4 extractions

Physical extractions from certain iOS devices may still be on most mobile forensics professionals’ (and their vendors’!) wish lists, but that doesn’t mean you can’t still get good evidence from them.

In this video, learn how to use Cellebrite’s all-new Cable 210 to perform a file system extraction from an iPad 4, whose data port has a different construction from older Apple devices.

The new cable shipped to all customers with a current license. If you need one, contact Cellebrite support.