UFED Physical/Logical Analyzer 4.2 offers efficiency improvements, decryption and enhanced decoding

PA42exclusive

 

 

 

 

The new Physical/Logical Analyzer release, version 4.2, is chock full of features and device support. From more efficient location mapping processes to improved decoding, this latest release is designed to accelerate your investigations and enable you to drill more deeply and intuitively into data from more than 15,000 devices.

Deeper location data analysis, more efficient workflows

UFED Physical/Logical Analyzer 4.2 offers a number of new enhancements with regard to location data. These enhancements offer more flexibility and efficiency by allowing you to access highly visual information more easily.

First, new offline map support offers maps view even when an Internet connection is not available or you are analyzing data at a workstation that is required to remain offline. Second, you can also now zoom in to locations in map view and see related event details. When you want to explore deeper relationships between locations, timelines, and analyzed data, you can jump from location information to its source event or timeline and vice versa.

Location information also allows you the ability to examine attached images, videos, audio, text, and other files identified during the data analysis process. The Data Files category in the project tree enables you to view and filter attachments within data files, locate the associated attachment event, and view its metadata and location information.

Do you frequently share your extracted UFDR reports with others using UFED Reader? Now, include the UFED Reader executable within the report output folder. This saves time for report recipients in locating, downloading, and using the UFED Reader application.

New app decoding and analysis functionality

UFED Physical/Logical Analyzer 4.2 also keeps pace with investigator demand for greater visibility into app data. Besides newly added support for apps installed on Android, iOS, and Windows Phone® devices, as well as updated support for 40 Android and 63 iOS app versions, the new release offers additional decoding and some decryption support, as well as improvements in the way app data—particularly chat app data—is displayed.

Added to analytics that show the most frequently used apps, app usage data now includes information about the last time a user launched a particular app, as well as for how long they used it. Also for the first time, view the number of messages per chat, which can help validate chats extracted using other tools that do not thread messages. Additionally, location data for chat messages is now available for export into all report formats.

Other apps-related support includes decryption of KeepSafe and WeChat apps, together with decoding support for WhatsApp VoIP call logs on Android devices. New WhatsApp support also includes the Read, Delivered and Played timestamps of outgoing WhatsApp messages for iOS, Android and BlackBerry® 10 devices. In addition, Twitter group chat messages are now displayed in Chats.

New device support includes physical extractions, decryption, and decoding

Disable the user lock for 159 Samsung Android models using SPR and SPM methods, depending on the device’s firmware version. In addition, Physical extraction with lock bypass and decoding is now supported for 58 LG Android devices released with Android version 4.2.x and above.

Decryption is now possible for physical extractions from generic Android and Samsung devices running Android 4.2 and below using a known password. Similarly, extract BlackBerry device backup data as part of file system extraction, and then decrypt the backup data with known BlackBerry ID credentials you retrieve via UFED Physical Analyzer.

Device information decoding is newly enhanced for all device types. For BlackBerry 10 this includes username, device model, PIN, IMEI, and device name; for Windows Phone devices, the information includes IMEI, IMSI, MEID, mobile operator ID, country, MAC address, and OS version. Device information for Android devices now includes the decoded Tethering ID and password, while iOS device product name and product type information are now included under device information.

Saving time in a death investigation

One Minnesota (US)-based detective working a death investigation used Physical Analyzer 4.2 to unlock a pattern locked Samsung Galaxy S5 (SM-G900V). Facing a lengthy and destructive chip-off extraction because the device did not appear to be supported for JTAG extraction, the investigator was able to run the device against a pre-release copy of Physical Analyzer 4.2. The extraction worked, and the investigator was able to use that evidence to continue building his case.

To learn more about how the new UFED Physical/Logical Analyzer 4.2 can help accelerate your investigations, download our release notes today!

New UFED release broadens decoding for extractions from prepaid, damaged devices

With the release of UFED Physical Analyzer 3.9.7, Cellebrite now offers improved decoding for the binary files resulting from JTAG extractions. This means that rather than have to carve or manually decode the image file, examiners can now save time with an automated process.*

JTAG (Joint Test Action Group) forensics is an advanced method of mobile data extraction. By taking advantage of a device’s test access ports (TAPs)—included in every mobile device model to aid in manufacturers’ quality assurance processes—examiners can unlock the device in order to gain access to raw data stored on the memory chip, and can thus obtain a full physical image of the memory.

Because it is non-destructive and affords the opportunity to access data from devices that have been altered or damaged in some way that makes them inaccessible using conventional mobile forensic extraction tools the JTAG technique is growing in popularity, with a number of examiners undergoing training to become proficient in the procedure.

The additional decoding support, made possible with generic chains, is now available for 110 tested devices, including Samsung, HTC, LG, ZTE, Nokia, Huawei, Casio, Pantech, and Kyocera models. Examiners can gain access to a rich set of data such as call logs, SMS, MMS, emails, media files, apps data, and locations.

Access the JTAG binary extraction files in UFED Physical Analyzer by using the “Open (Advanced)” feature and selecting the extraction and the appropriate JTAG chain. You can find step by step guidance, in Chapter 3, section 3.4.2.3 of the UFED Physical Analyzer manual.

JTag2

*Manual decoding is still valuable as a validation method for forensic examinations.

Convert GPS coordinates to physical addresses

See where your subjects are visiting, and how often they’re visiting, without having to manually convert GPS coordinates to physical locations. UFED Logical/Physical Analyzer now enables you to convert single or multiple latitude/longitude coordinates, in bulk, to their corresponding nearest address. It also allows you to search based on that information, using an advanced search capability.

Additional device and decoding support

The new UFED release, 3.0.7, includes physical extraction with lock bypass from an additional 40 devices including: Samsung Galaxy S4 and Note III families, and HTC devices. Additional device extraction support using the Android backup method is included, along with file system and logical extractions from Nokia Asha devices.

The new UFED Physical Analyzer release includes additional decoding support for physical extractions from 26 new devices, file system extractions from 25 new devices, usernames and passwords from the browser on Android devices, locations in deleted photo metadata from iOS devices running iOS 7 and above, and deleted call log, contact and calendar content from Microsoft® EDB embedded database within Windows® Phone devices. In addition, decryption support is now available for the WhatsApp backup database, identifiable by the .crypt7 backup file extension, which contains chat messages.

The Telegram and Instagram apps are newly supported for both Android and iOS devices. Decoding support for the Waze app is new for Android and updated for iOS devices; Facebook Messenger, Line, QQ, Skype, Twitter, WeChat, and Vkontakte, along with other apps, have been updated for Android and iOS as well.

For a full rundown of device and app support, view our release notes. Cellebrite is also offering a webinar on JTAG decoding and analysis in July. Register for the webinar here!

 

UFED Physical Analyzer 3.7 closes decoding gap; UFED Logical Analyzer improves logical iOS extractions

What good is a physical extraction without decoding? Well, it will still give you data—if you know how to carve. This can be a time-consuming process, and still may not get you all you need. Preferable is for automatic decoding to streamline the forensic examination, reconstructing the file system so that you can spend more time on analysis.

With the release of UFED Physical Analyzer 3.7, Cellebrite introduces decoding for more than 500 new devices which previously had only physical extraction support. These include:

  • iPhone decoding, now with decryption support for encrypted file systems; new plist and bplist parsers; and deleted apps list recovery, so that these apps are now shown in the installed application table with a “deleted ” attribute .
  • Support for 200 new Android devices with Android ID, Bluetooth MAC, IMEI, time zone and language locale shown in the “device info” section of the extraction summary folder.
  • Full decoding for non-encrypted BlackBerry .bbb backup files, which supports the new Blackberry PC backup format. Decryption is also included for all devices through OS 6.x, together with enhanced string carver options for devices without decoding.
  • New Nokia decoding support includes 30 BB5 devices with Symbian OS and non-Symbian OS. Nokia Symbian support includes an enhanced parser for content databases; decoding existing and deleted contacts, SMS, MMS and call logs; and decoding support for content in multiple languages.
  • More than 40 new Samsung feature devices have been added, along with more than 20 enhanced LG devices and deleted contacts recovery support for Motorola V series devices.
  • 90 new devices with Chinese chipsets can now be decoded, including recovery of the additional format variants of the device passcodes.

New release also includes UFED Logical Analyzer 3.7

The latest version also includes new features in UFED Physical Analyzer and UFED Logical Analyzer, together with new Android and iOS apps decoding. Among the new features: backward compatibility with UFED Report Manager file formats (URP) (as our Analyzer applications replace UFED Report Manager) and the ability to see whether an iPhone is jailbroken or an Android is rooted.

Both UFED Physical Analyzer and UFED Logical Analyzer can now perform advanced logical extraction from iOS devices. Data now includes contacts, SMS, MMS, app information, emails from jailbroken devices, databases and multimedia files.

Both pieces of software are now certified to run on Microsoft Windows 8. And don’t forget the new Android password carver included in UFED Physical Analyzer, courtesy of the CCL Group.

For more information, download our release notes!