Discover Best Practices and Advanced Decoding with UFED Physical Analyzer: Q&A from Cellebrite’s webinar

In a recent webinar, Dan Embury, our CAIS Technical Director, provided participants with tips and tricks, and best practices to help them get the most out of UFED Physical Analyzer. Overviews include Android custom recovery, Android UFS-based device unlocking, BlackBerry 10 backup encryption, Android backup APK downgrade, Apple iOS jailbreaking overview, as well as decrypting and decoding TomTom trip log files.

The webinar is available for viewing at the bottom of this post. During the webinar, participants asked a number of good questions, which we’ve compiled in this blog.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Q: Can you confirm that TomTom decryption is not included in UFED Physical Analyzer

A: The decryption itself is not included in UFED Physical Analyzer. It requires offline processing, utilizing a large number of computers and processors. Ultimately, exportation of TomTom decryption in XML format can be forwarded to Cellebrite, and we will do the decryption. The decrypted results are then provided back to you to analyze in UFED Physical Analyzer, using the TomTom import function.  Please contact CAIS@cellebrite.com for more details and to submit your encrypted trip logs.

Q: WhatsApp recently announced that they have encrypted chat and voice chat, can UFED extract WhatsApp data after the WhatsApp upgrade?

A: In general, messages while in-transit are encrypted however this does not affect data-at-rest (forensics) stored in the WhatsApp databases. Cellebrite will release a solution in the coming days to decrypt the new WhatsApp encryption key – crypt9.

Q: When retrieving the BlackBerry encryption key using BlackBerry ID and password, how does this work?

A: Within UFED Physical Analyzer, you may retrieve the key associated with a BlackBerry ID using known credentials and decrypt the backup data from BlackBerry devices.

How to use: Open a file system extraction of a BlackBerry 10 device.  During the decoding process, a window is displayed: Enter the BlackBerry ID credentials and select Get Backup key (to retrieve a key, an Internet connection is required in order to communicate with the BlackBerry company servers).

You can save the key for future usage by selecting the Save button. If an Internet connection is not available, you can retrieve a key on any instance of Physical Analyzer connected to the Internet. Go to Tools and select Retrieve BlackBerry 10 Backup Key.

Enter the BlackBerry ID credentials and select Get Backup key. Click Save and load the key from the UFED Physical Analyzer disconnected from the network to continue with the decoding process.

Q: Are new Android devices encrypting the information in a unique fashion for each device?

A: The results of ongoing research both at Cellebrite and within the forensic community are exposing what sort of evidence can be extracted from these newer devices. The processors that are being integrated into Android, iOS, and BlackBerry devices are very powerful integrated circuits.  Since there has been such a focus on security over the past few years, these chips contain dedicated cryptography functionality to perform background tasks without impacting the user experience, all the while making security easier to implement and stronger against attack.

Q: Do you plan to incorporate jailbreaking into the product?

A: At this point in time, we do not plan on incorporating older jailbreaking methods into the UFED.  The best resource to find viable jailbreaks can be found at http://canijailbreak.com

Q: Are you recommending that we jailbreak all iPhones when possible in order to extract the maximum amount of data?

A: If your agency permits jailbreaking and the investigation warrants the additional effort to jailbreak the exhibit, then by all means, maximal effort should be expended to seek the truth and extract all evidence possible.  You simply don’t know what evidence you may be missing, whether inculpatory or exculpatory.  Major cases, cold case homicides, missing persons, and other exigent circumstances may justify jailbreaking, but always seek permission from stakeholders and test the method on a matching sample device.

Q: In iOS, how did you get emails using Methods 1 and 2 on an iPhone 5S?

A: The test case from the webinar was an iPhone5,2 (A1429) which is an iPhone 5, not an iPhone 5S.  Performing a jailbreak enables a Method 3 extraction to pull protected emails from the file system.  The emails pulled using Method 1 and 2 were from web-based emails that were clearly not protected with the file system.

Q: In your experience what is the success rate for jailbreaking phones?

A: From our research, the jailbreak will either work or not work, depending on a number of factors, including if the user upgraded the iOS firmware in the past using OTA (over-the-air).  The various jailbreaking teams work hard to prevent any adverse effects, but since the “first-to-finish” concept seems to apply for each iOS version, not a lot of effort is put into solving corner cases that would apply to forensics, versus the typical consumer not caring if the device needs to be reset prior to the jailbreak.

Q: Has Cellebrite been able to bypass the iOS pin on iPhones?

A: Cellebrite has the unique unlocking services provided by Cellebrite Advanced Investigative Services (CAIS).  The current offering is for iOS 8 running on the iPhone 4S, 5, and 5c, as well as associated iPad and iPod touch models.  The service helps investigators in important cases for which traditional mobile forensic tools do not have support.  Ongoing efforts by our leading team of researchers is continuing for newer models and those running iOS 9.  Please contact CAIS@cellebrite.com for more details.

Q: Does Cellebrite plan on including Android custom recovery partition flashing in the UFED?

A: The upcoming UFED release will add custom recovery for Samsung Galaxy S6, S6 Edge, and Note 5 to allow physical extraction while bypassing lock for models without locked boot loaders, such as Global models and those offered by Sprint, T-Mobile, and US Cellular.  Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition based on Team Win Recovery Project (TWRP).  Cellebrite’s recovery image does not affect any user data.  It is recommended to use the Forensic Recovery Partition method when other physical extraction methods (e.g. Bootloader) are not successful, or not available (i.e. if the Android’s firmware version is not supported).  For other carriers, including AT&T, Cricket, and Verizon, please contact CAIS@cellebrite.com for more details.

Q: Couldn’t a backup of the device give you the ability to go back to the starting point if custom recovery fails?

A: Unfortunately, it is not possible to do a backup of the device when there is a user lock code set and Android Debug Bridge (ADB) is disabled.  Cellebrite’s fully tested custom forensic recovery partition methods should not fail or cause any adverse effects (e.g. boot loop, etc.)

Q: Do you know if Windows 10 phones are encrypted at the chip level?

A: Research into less popular handsets can be performed if sufficient demand comes from our customers.  Some previous Lumia Windows 8/8.1 can be analyzed with our unique boot loader physical extraction, while other models can be supported with JTAG, chip-off, or In-System Programming (ISP).  We always welcome feedback via Technical Support for obscure mobile devices that you frequently encounter and we do not support.  Often times, minimal effort from our researchers is required to make the necessary additions to our UFED device coverage, all the while helping you solve more crimes.

Q: How does Android APK Downgrade work within UFED, and are there any risks to this method?

A: UFED downgrades encrypted Android apps in the device itself over Android Debug Bridge, by pushing an APK package to it, since it’s possible to then have an older version of the app do the interpretation of the newer inaccessible data. Within the UFED 4PC/Touch, connect to the device, and downgrade the app to an earlier version to extract the app database. There are some risks to this method since it makes changes to the device, thus, it’s advised to use as a last resort. If you know that a suspect is utilizing an application, and the extraction of all the other databases from the device do not produce any fruitful evidence, this method is recommended.  For example, if you believe that there was communication taking place via WhatsApp, then it’s important to squeeze out every last little bit of evidence from the device.

Click here to start your free trial for UFED Physical Analyzer.

View the full webinar below:

Cellebrite at SANSFIRE in Washington, DC

Earlier this week at the Washington Hilton in the US capital, we joined the SANSFIRE conference for a Lunch & Learn and Tuesday’s exhibit. Our visitors, most of whom were very familiar with UFED tools, asked many questions about deleted data, encryption, and other advanced topics during both opportunities.

On Monday, our Lunch & Learn covered our Smartphone Drill-Down: OS Extraction, Decoding & Analysis. Forensic engineering product manager Ronen Engler took his audience through locked devices, encrypted and deleted content, databases, and applications as just some of the complications investigators may encounter when examining a smartphone.

Participants asked a lot of questions during the hour, mainly regarding deleted data. What can be recovered? In what cases is deleted really deleted (including when a phone has been wiped)? What about encrypted data and deleted encrypted data?

Ronen has contributed answers and more about these issues in two recent articles: “6 Persistent Challenges with Smartphone Forensics” from DFI News, and “Smartphone Overload” from Law Enforcement Technology (note: this article starts on page 44 of LET’s digital edition).

We’ll be rejoining SANS at the SANS DFIR Summit in Austin, Texas in just a few weeks. There, we’ll be offering a second Lunch & Learn about our new UFED Link Analysis software and how it can help narrow and focus investigations. We hope we’ll see you in Austin!