Physical extraction & decoding, decryption breakthroughs headline UFED 4.1 release

With the release of UFED 4.1 and UFED Physical Analyzer 4.1.1, Cellebrite kicks off 2015 with breakthrough capabilities designed to solve some of investigators’ most challenging problems: Windows Phone 8, Jelly Bean/KitKat, and prepaid device extractions, as well as WhatsApp database encryption.

Physical extraction & decoding for Nokia Lumia, Android 4.2-4.4.3

Investigators who encounter Nokia Lumia devices can now circumvent the need for JTAG processes to bypass user locks and retrieve deleted data. Although Microsoft announced late last year that it will produce all Lumia models going forward, Nokia sold 17 million Lumia devices in 2013, and 90% of Windows Phone users own Lumia devices. With that in mind, UFED now supports user lock bypass, physical extraction and decoding of many of the most popular Lumia models, including 810, 820, 920, and others based on Windows Phone 8.0 and 8.1 operating systems.

New physical and file system extraction and decoding, along with improved password unlocking and extraction, is also available for Android devices running OS 4.2 (Jelly Bean) through 4.4.3 (KitKat). Devices such as the Samsung Galaxy series (S5, Nexus, Note 3, S3 Mini etc.) along with other leading vendors and models including LG, Motorola, and Sony are included in this release.

Prepaid device support for Tracfone, Samsung E1200R

Also solved: prepaid Android devices with locked or damaged ports, in particular Tracfone models popular in North America. Unlike other prepaid models that can be extracted using “paid” profile equivalents, Tracfone models do not have USB ports, and investigators could not get critical evidence. Cellebrite now offers an option to load a client over these devices’ Bluetooth connection, so that investigators can perform logical extractions.

New physical extraction and decoding support is now available for the internationally popular “burner” Samsung E1200R feature phone.

WhatsApp database decryption

Cellebrite’s first-of-the-year breakthroughs aren’t limited to extraction and decoding. We’re also introducing decryption for WhatsApp’s newly encrypted chat history database. For databases using the .crypt8 file extension, UFED Physical Analyzer 4.1.1 decrypts full content from WhatsApp, one of the world’s most popular messaging apps with 700 million monthly active users as of January 2015.

An easier-to-use interface

Rounding out Cellebrite’s update this month is a new, better organized home screen, which now groups extraction tools and other utilities into distinct areas. Users can now opt to extract a mobile device, SIM card, or USB device; operate UFED Camera; or access UFED device tools, rather than have to search for these capabilities within the pool of vendor icons.

Additionally, a new search screen supports three device identification methods: a simpler auto detect, a free text global device search, and a manual device search similar to the previous home screen (selecting vendor followed by model). The new interface offers better accuracy for investigators who need to search on an exact model number rather than, say, “iPhone 5.”

Learn more about UFED 4.1 and UFED Physical Analyzer 4.1.1 – download the release notes here!

Decryption, decoding and new functionality for UFED analytical software

UFED Physical Analyzer and UFED Logical Analyzer 3.8 bring a host of new decoding and decryption support, along with new functionality.

Apple and BlackBerry decryption capabilities

Depending on the user’s Apple account type (and not defined or controlled by the user), emails on devices running iOS 5.0 or higher may be encrypted with “elliptic curve.” In previous UFED Physical Analyzer versions, those emails were presented within the analyzed data section with an encrypted body. The new capability, available in file system and physical extractions performed via UFED Physical Analyzer, will present the encrypted email body for current emails.

Decryption of the BlackBerry WhatsApp database provides access to messages that were not previously accessible. The solution is applicable for cases in which the database was stored on the mobile device or SD card.

To decrypt the WhatsApp database, perform a physical or file system extraction from the BlackBerry device. These extractions should be opened using the open advanced function:

  • Click “Select a UFED extraction” and select the .ufd file of the physical extraction
  • Click “Zip file” and select the file system extraction (.zip file)
  • Click Finish

Other new support includes faster decryption and better handling of large encrypted iTunes backup files. With this release we are also offering decryption of BlackBerry’s REMF files.

Decoding support in UFED Physical Analyzer

UFED Physical Analyzer 3.8 adds decoding support for 142 new devices, including HTC, LG, Motorola and Nokia models, in addition to a number of models within the Samsung Galaxy family. Enhanced Android decoding support is also newly available for the Samsung M9xx family and Motorola devices with NVIDIA chipsets.

Full support is also added for both iOS and Android versions of the Google Chrome, ooVoo, QQ, KeepSafe, and Yahoo! Email apps, as well as the iOS apps Facebook Poke, Find My Friends, and vBrowse; and Android apps drug vokrug, Sygic, Snapchat, Navfree, LinkedIn, Vaulty, My People, and the native email app on HTC devices.

UFED Physical Analyzer 3.8 also improves decoding of BlackBerry Messenger (BBM) attachments.

Enhanced Nokia Symbian device decoding includes information about the device, connected Bluetooth devices, cookies, wifi networks, installed apps, notes, WhatsApp and OVI maps apps, and email. The update also improves decoding of SMS, MMS and call logs, and allows for carving of deleted SMS from unallocated areas.

Finally, enhanced decoding is available on a number of Samsung and LG feature phones, including call log decoding from 57 Samsung and 30 supported LG CDMA devices, as well as SMS decoding from select Samsung devices.

New functionality for UFED Physical/Logical Analyzer software

A new built-in viewer allows you to view all extracted locations on a map. The map function is based on Bing maps and requires an internet connection. (Note: KML files are still exportable to Google Earth.) The new function is only available to UFED Physical/Logical Analyzer users who have a valid, up-to-date license.

UFED Physical Analyzer now also enables users to verify a list of potential complex passwords from locked Apple devices, rather than entering single passwords one at a time. The verification does not affect Apple’s incorrect password locking mechanism. In addition, both UFED Physical Analyzer and UFED Logical Analyzer enable users to provide a plist file from the lockdown directory available on the suspect PC, instead of unlocking the Apple device before the extraction.

Finally, UFED Physical/Logical Analyzer now features a new “push” notification that will inform you when a new version is waiting for you. If you are not connected to the internet, the notification will appear every three months.

Download the release notes here!

New Device Support with UFED 1.9.0.0; New Language Support with UFED Link Analysis 1.8

Following on our release of UFED Physical Analyzer 3.7 just a couple of weeks ago, we’re pleased to release a new firmware version for both UFED Touch and UFED Classic, as well as a new UFED Link Analysis version.

New UFED firmware means new device support

UFED Touch and UFED Classic 1.9.0.0 now offer logical extraction from Samsung Galaxy S4 devices and, from the HTC One, both logical and file system extraction and decoding with user lock bypass. (Watch our video below for details on the HTC One extraction.)

Physical extraction and decoding with user lock bypass is now available for HUAWEI and ZTE devices running any Android OS version. This is possible with proprietary client software. To perform this type of extraction with your UFED Classic, update the EPR file before proceeding.

UFED CHINEX now enables physical extraction with decoding and user lock bypass from additional selected Alcatel devices. Using the UFED Ultimate interface, you can either select the specific model you’re working with, or one of two generic options offered.

Because these options cover different families of devices which are not included in the device list, but can be extracted using the same methods as already-supported devices, you should use the two options in sequential order.

Physical extraction with user lock bypass is now available for selected LG devices; decoding will be added in the future. To perform this extraction, the device boot partition is replaced without affecting the user partition.

UFED Classic Logical extraction enhancement

Cellebrite has improved UFED Classic Logical’s performance by enabling email extraction as part of the logical extraction process. This increases the amount of data available via logical extraction and is therefore beneficial in examinations where time is critical.

Customers who have recently purchased UFED Classic systems, but have not yet budgeted for UFED Touch upgrades, may find this improvement valuable as the number of smartphones they encounter increases.

Multilingual support for UFED Link Analysis

Released May 29, the UFED Link Analysis user interface is now available in 10 different languages besides English: Chinese, Dutch, French, German, Hebrew, Italian, Japanese, Portuguese, Russian and Spanish.

You can select the display language you prefer from the application settings. The language selection will be saved for future sessions as well.

Find our full UFED release notes here.

Cellebrite is at the SANS Mobile Device Security Summit this week!

In Anaheim (California) this week at the Disneyland Resort, IT and security architects, auditors, security analysts, inspectors general and other information security professionals are converging on the SANS Mobile Device Security Summit to discuss the policies, architectures and security controls that are becoming necessary to secure bring your own device (BYOD) environments.

Along with the case studies and other topics being presented, Cellebrite is presenting a Lunch & Learn. Director of Forensic Sales Sonny Farinas and Technical & Sales Engineer Lee Papathanasiou will speak about smartphone forensics including:

  • Cellebrite’s current extraction support & the unique R&D challenges faced when developing physical extraction and password bypass around Android, iOS, & BlackBerry platforms.
  • Overview of UFED Physical Analyzer’s decoding support including application data, location data, and malware detection

The Lunch & Learn will be held in the Magic Kingdom Ballroom 1. We are also exhibiting at the Sleeping Beauty Pavilion today and tomorrow from 9am to 5pm. If you’re in Anaheim, please stop by and say hello!

Unable to join the summit? All approved presentations will be available online following the Summit at https://files.sans.org/summits/mobile13.

UFED Physical Analyzer 3.7 closes decoding gap; UFED Logical Analyzer improves logical iOS extractions

What good is a physical extraction without decoding? Well, it will still give you data—if you know how to carve. This can be a time-consuming process, and still may not get you all you need. Preferable is for automatic decoding to streamline the forensic examination, reconstructing the file system so that you can spend more time on analysis.

With the release of UFED Physical Analyzer 3.7, Cellebrite introduces decoding for more than 500 new devices which previously had only physical extraction support. These include:

  • iPhone decoding, now with decryption support for encrypted file systems; new plist and bplist parsers; and deleted apps list recovery, so that these apps are now shown in the installed application table with a “deleted” attribute.
  • Support for 200 new Android devices with Android ID, Bluetooth MAC, IMEI, time zone and language locale shown in the “device info” section of the extraction summary folder.
  • Full decoding for non-encrypted BlackBerry .bbb backup files, which supports the new BlackBerry PC backup format. Decryption is also included for all devices through OS 6.x, together with enhanced string carver options for devices without decoding.
  • New Nokia decoding support includes 30 BB5 devices with Symbian OS and non-Symbian OS. Nokia Symbian support includes an enhanced parser for content databases; decoding existing and deleted contacts, SMS, MMS and call logs; and decoding support for content in multiple languages.
  • More than 40 new Samsung feature devices have been added, along with more than 20 enhanced LG devices and deleted contacts recovery support for Motorola V series devices.
  • 90 new devices with Chinese chipsets can now be decoded, including recovery of the additional format variants of the device passcodes.

New release also includes UFED Logical Analyzer 3.7

The latest version also includes new features in UFED Physical Analyzer and UFED Logical Analyzer, together with new Android and iOS apps decoding. Among the new features: backward compatibility with UFED Report Manager file formats (URP) (as our Analyzer applications replace UFED Report Manager) and the ability to see whether an iPhone is jailbroken or an Android is rooted.

Both UFED Physical Analyzer and UFED Logical Analyzer can now perform advanced logical extraction from iOS devices. Data now includes contacts, SMS, MMS, app information, emails from jailbroken devices, databases and multimedia files.

Both pieces of software are now certified to run on Microsoft Windows 8. And don’t forget the new Android password carver included in UFED Physical Analyzer, courtesy of the CCL Group.

For more information, download our release notes!

How our forensic R&D makes the previously impossible, possible

Before we launched our HTC and Motorola user lock bypass, our forensic customers had to go through a painstaking process to recover data from these Android devices: obtain a search warrant to serve on Google, either to recover backup data or to obtain or reset the device user lock. In some cases, such as with a phone that was turned off, they may even have had to serve paper on the carrier as well.

This process could lead to delays because it could take days or even weeks to secure the paperwork and reach a law enforcement liaison. The providers’ success was limited by the type and complexity of the user lock—if they agreed to comply at all. This could slow down or altogether halt investigations’ progress.

Thanks to our work on this bypass, a number of happy customers have been able to access critical evidence which they previously could not. Said Deputy Steven Mueller of the Defiance County (Ohio) Sheriff’s Office and the Northwest Ohio Technology Crimes Unit: “I was given a HTC PD15100 in December with a pattern lock. I was unable to acquire it then. Today with the updates it is being acquired as I write this.” Mueller later updated us that he and his team were able to successfully carve graphics files from the image.

To learn more about how to perform user lock bypass and file system or physical extraction on HTC Android devices, see our new video:

UFED 1.8.5.0: Double the Android devices supported for physical extraction

Our first update of 2013 offers something a lot of our clients have been awaiting for a long time: user lock bypass enabling physical extraction on HTC and Motorola devices. The new capability adds 109 Android™ models to our list—more than double what we previously offered via bypass methods.

To be more precise, we’ve added this capability to 66 HTC and 35 Motorola devices, including HTC’s Evo, Incredible, Wildfire and Desire models along with Motorola’s Milestone, Droid Razr and Razr Maxx. (A full listing is available in our release notes, downloadable here.)

We’ve also extended our Samsung Galaxy series user lock bypass method from the Galaxy S and S2 to the Galaxy S3 (international model GT-i9300) and Galaxy Note II. This capability is available on the UFED Touch Ultimate, although the UFED Classic still supports physical and file system extraction on unlocked Galaxy S3 and Note II.

The new support relies on our well-known proprietary user lock bypass methods, which work even when USB debugging is disabled. These methods provide the deep access to mobile devices that forensic examiners need to complete their extractions of existing, hidden and deleted data. User lock bypass is now supported on a total of 229 Android smartphone models.

Additional extraction support

We’re also pleased to report that we now support physical, file system and logical extraction for Apple devices running iOS 6.1, which was released only last week. Our physical and file system extractions support iPhone 3GS/4 and iPod Touch 4G devices, and include decoding, simple and complex passcode bypass, simple passcode recovery, and real-time decryption. (Note: To get this capability, you must update the new EPR via the UFED Physical Analyzer.)

Our file system and logical extractions support iPhone 3GS/4/4S/5, iPad2/3/4/mini, and iPod Touch 4G/5G.

Finally, we now support file system extraction from any device—Nokia, HTC, Samsung, Huawei and ZTE—running Windows Phone 7.5 and 8. Extract existing and deleted data from these devices via “File system > smartphones” in the UFED menu.

Get your UFED update at my.cellebrite.com! (Not a user? Visit us at ufedseries.com to learn more!)

Anticipating mobile forensics trends for 2013

Predictions abound this time of year. We’ve seen plenty for the mobile device, information security, and even digital forensics industries overall—but nothing for mobile forensics. We decided to ask a panel of six “power” Cellebrite customers where they envision the field going this year.

Eoghan Casey, co-founder of CASEITE and a SANS Senior Instructor; John Carney, Chief Technology Officer at Carney Forensics; Cindy Murphy, computer crimes detective at the Madison (Wisconsin) Police Department; Gary Kessler, associate professor, Embry-Riddle Aeronautical University; Heather Mahalik, mobile forensics technical lead at Basis Technology and a SANS Certified Instructor; and Paul Henry, principal at vNet Security and a SANS Senior Instructor all weighed in on trends in law enforcement, law, regulatory issues, and of course, mobile technology. Here’s what they told us:

Apps forensics comes into its own this year

“Whether it’s mobile messaging, personal navigation, social media or improving productivity – apps are going to dominate smartphones and tablets in 2013,” said Carney. “The ability to extract critical data stored in apps will become the new measuring stick by which investigators gauge the superiority of mobile forensics tools.”

Smartphone platforms are still fluid

Android took 75% of the global market in Q3 of 2012, iOS dominates the bulk of bandwidth usage, and BlackBerry—whose new sales are still in steep decline—remains a legacy device which mobile examiners can continue to expect to see in their labs. And Windows Phone 8 may gain strength. Mahalik and Carney both foresaw a need for better forensic support for the platform this year.

Mobile forensics meets BYOD

“Bring your own device” spread rapidly across enterprises in 2012, and continues. Carney says this means “contending with more devices that contain both personal and corporate evidence as well as an increase in legal challenges related to device access and privacy during corporate investigations.”

Expect more mobile malware

Malware is already rampant on Android devices, and this trend won’t decline. “The intended uses of mobile malware will be very similar to non-mobile malware – steal money, steal information and invade privacy,” says Murphy, who expects law enforcement to have to contend with it particularly in stalking, domestic violence and even child exploitation cases.

Regulatory and legislative landscape remains uncertain

Few lawmakers and judges understand the nature of mobile technology, yet they’re scrutinizing them much more closely than they did computers, according to Kessler. “This speaks to the need for greater education regarding the scope and possibilities of mobile forensics and what it means for privacy and pretrial discovery,” he says. Even so, look for mobile devices and the data they contain to take center stage in both civil and criminal investigations, as more civil litigators begin to realize their importance.

Click here to access “The Year Ahead for Mobile Forensics: Cellebrite’s Panel Predictions for 2013”