3 Reasons to Vote for Cellebrite for a 2015 Forensic 4:Cast Award

For as long as the Forensic 4:cast Awards have existed, Cellebrite’s UFED tools have been named Phone Forensic Tool of the Year. Being nominated among some of the greatest products in the industry, we couldn’t be more proud that the forensic community recognizes our continuing efforts to deliver the best, most innovative and  functional mobile forensic tools for seven years running.

Thanks to you, Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED 4PC for phone forensic software of the year
  • Digital forensic organization of the year

Will you vote for us this year? Here are a few reminders why Cellebrite deserves the Forensic 4:cast Awards.

1. We’ve got your back.

Cellebrite has always been known for its breadth of support for new devices, but in 2014 we deepened our support for both smartphones and the apps installed on them. We improved our automated decoding, so you can spend more time analyzing data than figuring out how to decode it; brought our device profile support up to more than 14,000; and added decoding support for 25 prepaid Android devices—including Tracfone models that stumped investigators for years.

2. We make data analysis as simple or as complex as you need.

The visual analytics we include in tools like UFED Physical/Logical Analyzer and UFED Link Analysis give you a basic, at-a-glance look at key people, places, and communications via Project Analytics, Timelines, Maps, and Graphs. These help you immediately visualize your data and focus on only that which is most relevant to your case.

When you need to get “into the weeds” with the data—at the device memory level—you can do that too. Locate, carve, and validate data using advanced search functions like regular expressions and searches for strings, dates, codes, numbers, ICCID, SMS formats, etc., and import your JTAG and chip-off extractions into UFED Physical Analyzer for decoding.

3. We give you the tools you need not just to extract and analyze the data, but also to testify about your process with confidence.

Tools with as much functionality as ours deserve investigators who can put them to good use, so in 2014 we stepped up our training and certification program. We are now the first and only digital forensic vendor to deliver courses not only in person, but also online, and more than 4,000 practitioners earned their Cellebrite certifications through the end of 2014.

Vote for us today!


Bypassing Locked Devices: Q&A from Cellebrite’s webinar


Last month we hosted two webinar sessions on “Bypassing Locked Devices”, led by Mr. Yuval Ben-Moshe, Cellebrite’s Senior Director for Forensic Technologies. In these sessions, Yuval presented the challenges and solutions to bypassing locked devices, including Cellebrite’s proprietary boot loaders among other methods used to tackle locked devices.

The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog—including some that we didn’t have time to answer during the webinar.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Basics of mobile device user lock bypass

Q: Using the UFED, can you gain access to the phone where the wrong passcode has been entered too many times and is now locked?

A: This depends on the device and the locking mechanism used by it. If the device is supported by a boot loader or JTAG, than the data can be extracted regardless of any locking mechanism or the number of times a wrong password was used.

Q: How far off is user lock bypass support for iPhone 5 and Blackberry devices?

A: Forensic extraction of data from iPhone 5 is achievable using of the .plist file from the paired computer. With locked Blackberry, at this point in time, examiners must rely mainly on chip-off or JTAG methods for specific models.

Q: If the element file is deleted, will it affect the function of the original pattern passcode?

A: This question refers to a method called disabling. The device will remain in a lock disabled mode until a new password can be configured via the device’s set-up menus.

Q: If an extraction fails or is interrupted, can I still parse the extracted content if it is incomplete?

A: A physical extraction that was interrupted cannot be decoded, because a full binary image is required in order for the decoding to reconstruct the full file system.

Q: Can the UFED bypass iOS 7+ with a user lock and a SIM lock?

A: Bypassing locked devices depends on the device hardware and not the iOS version running on it. That is, if iOS 7 is running on iPhone 4, physical extraction is achievable; however, if iOS 7 is running on iPhone 4s or a newer model, than a .plist file is required to enable data extraction.

Q: If a device employs a biometric lock, how does the UFED tackle the lock?

A: Bypassing a biometric lock depends on the device model. For example, for the iPhone 5, the UFED can bypass the biometric lock using the .plist file.

Sync devices and .plist files

Q: The webinar presents the paired computer method for iOS devices showing the Windows 7 path on a PC. Is there a specific location path for Apple MAC computers?

A: The path for the .plist file on Mac computers is: ~/Library/Application Support/MobileSync/Backup/

Q: Does the .plist appear on the user’s iCloud?

A: The .plist file is used for the communication between the device and the computer; hence, it does not appear in the user’s iCloud data.

Q: How do you employ the .plist file?

A: The process of using the .plist file is very simple: UFED will automatically detect the iOS device as being locked and request the .plist file.

Boot loaders and clients

Q: Will injecting a client or boot loader lead to evidence tampering?

A: The boot loader is uploaded onto the device’s RAM and is then deleted when the device powers off or restarts. Therefore, it is does not tamper with the evidence. In contrast, a client may write some data onto the device’s flash memory, yet it is still considered a forensically sound process if the investigator specifically documents what was written and on which partition/folder.

Q: If an extraction fails, is the client left on the device?

A: In some cases, when the extraction is interrupted abruptly, the UFED may not have enough time to uninstall the client, and some files may be left on the device. In this case, UFED provides a specific function to delete the client. This capability is under the UFED ‘Device Tools’ menu.

Q: Does the UFED Classic include the boot loader function?

A: The UFED Classic is also capable of tackling locked devices. However, it may not support the latest modern devices due to technical limitations with hardware. It is highly recommended to trade up the UFED Classic for a more advanced model, such as the UFED Touch or UFED 4PC.

User locks on prepaid devices

Q: Can the UFED bypass disabled data ports in burner phones?  JTAG/chip-off are options, but unlocking with a manufacturer code is possible. Can you support unlocking burner phones?

A: The UFED is able to bypass the locking mechanism for many low-end phones, a.k.a “burner phones” using a boot loader. While JTAG and chip-off are valid options, we recommend you first try unlocking the device with a UFED, since these methods are more complicated, time-consuming, potentially destructive, and expensive.

Q: How does the UFED bypass a prepaid phone with a locked data port?

A: Bypassing a user lock depends on the device itself.  If the data port is disabled, then the JTAG or chip-off methods are applicable here.

View the full webinar below:

Leave a comment if you have a question that was not answered above, or in the webinar itself!

Join us one month from today at Mobile Forensics World!

Techno Security Conference   Computer Security ConferenceThe agenda is set and we’re hoping to see you a month from now! As the Host Sponsor of Mobile Forensics World 2013 at Myrtle Beach, SC, Cellebrite has obtained unlimited FREE VIP registrations* — a $1395 value — for this year’s conference being held on June 2 – 5, 2013. Why should you grab one?

Technical education

During MFW, plan to learn how to:

  • Explain probative smartphone and tablet evidence to attorneys as John Carney, CTO of Carney Forensics, describes issues with mobile security and forensics.
  • Decode unsupported iOS apps as Joe Church, Founder/Owner of Digital Shield, discuss the apps’ different data structures and methods.
  • Analyze gang members’ and terrorists’ communications towards curbing violence. Sgt. Dan Morrissey, of the Sacramento County (CA) Sheriff’s Office, will describe how his team applies link analysis.
  • Understand how terrorists communicate via mobile device and social media apps. Majid Hassan, Director of CAPIT, will go in-depth on how mobile devices are more than IED triggers.
  • Verify commercial tools’ malware scanning utilities via Linux Ubuntu’s free built-in capability Carlos Cajigas and Pete McGovern of EPYX Forensics will provide a step by step process.
  • Recover and analyze PC backups as Gilad Sahar, Cellebrite’s Decoding Research Team Leader, compares this type of data with data from a full physical extraction.
  • Access valuable data on locked Android devices that have been subjected to zero-day attacks with Nadav Horesh, Cellebrite Extraction Research Team Leader.

Finally, don’t miss this year’s panel. Six months after the release of the “Mobile Forensic Trends for 2013” white paper, join industry subject matter experts as they talk live about the predictions they made and the latest trends they see in “Trends in Mobile Forensics: Midyear Review.”

Cellebrite presentations

In our company track, we’ll cover how Cellebrite’s UFED Series supports mobile forensics in the lab, on the battlefield, or anywhere in between. We’ll also present how to use automated link analysis tools like UFED Link Analysis to get more actionable leads in an investigation; forensic support for name-brand and knock-off smartphones manufactured with Chinese chipsets; an in-depth demo of UFED Touch extracting and decoding smartphone and tablet evidence; and finally, how Cellebrite engineers develop password bypass solutions beyond the bootloader.

Monday’s Night at the Arcade!

Monday evening, we’re co-hosting a party out on the veranda. Together with Techno Security Host Sponsor Nuix, we’re offering food, an open bar, games including air hockey and an X-Box tournament (with prizes), and raffles. Come to network and win!

Also be sure to register for our two-part lunch & learn, “Collect with Cellebrite – Process with Nuix.”

Pre-Conference Certification Training

We’re also pleased to offer pre- and post-conference training. From Friday, May 31st through Sunday, June 2nd, Digital Shield Inc. will hold Cellebrite’s 3-Day Ultimate Certification Course. Click here to register for this class.

Starting Wednesday, June 5th and ending Thursday, June 6th, H11 Digital Forensics presents Cellebrite Certified CHINEX Training.  Click here to register for this training.

Register using our FREE conference passes!

To register for one of the free VIP passes, visit the following online registration:


Select the Sponsor/VIP Pass – NO IPAD option, enter “0” for amount paid and enter “Cellebrite-VIP” in the Promotional Code section of the form.

The full agenda for Mobile Forensics World and Techno Security is available at http://www.thetrainingco.com/agenda/agenda.cgi?c=TS-2013 For any attendees who hold a CISSP, CISA or CISM certification, this conference also provides 32 CEU credits.

We look forward to seeing you in Myrtle Beach this June!

*Travel and hotel expenses will be your responsibility. The conference hotel fills quickly each year, and you must be registered for the conference to reserve rooms at the hotel.