UFED Physical Analyzer 3.7 closes decoding gap; UFED Logical Analyzer improves logical iOS extractions

What good is a physical extraction without decoding? Well, it will still give you data—if you know how to carve. This can be a time-consuming process, and still may not get you all you need. Preferable is for automatic decoding to streamline the forensic examination, reconstructing the file system so that you can spend more time on analysis.

With the release of UFED Physical Analyzer 3.7, Cellebrite introduces decoding for more than 500 new devices which previously had only physical extraction support. These include:

  • iPhone decoding, now with decryption support for encrypted file systems; new plist and bplist parsers; and deleted apps list recovery, so that these apps are now shown in the installed application table with a “deleted ” attribute .
  • Support for 200 new Android devices with Android ID, Bluetooth MAC, IMEI, time zone and language locale shown in the “device info” section of the extraction summary folder.
  • Full decoding for non-encrypted BlackBerry .bbb backup files, which supports the new Blackberry PC backup format. Decryption is also included for all devices through OS 6.x, together with enhanced string carver options for devices without decoding.
  • New Nokia decoding support includes 30 BB5 devices with Symbian OS and non-Symbian OS. Nokia Symbian support includes an enhanced parser for content databases; decoding existing and deleted contacts, SMS, MMS and call logs; and decoding support for content in multiple languages.
  • More than 40 new Samsung feature devices have been added, along with more than 20 enhanced LG devices and deleted contacts recovery support for Motorola V series devices.
  • 90 new devices with Chinese chipsets can now be decoded, including recovery of the additional format variants of the device passcodes.

New release also includes UFED Logical Analyzer 3.7

The latest version also includes new features in UFED Physical Analyzer and UFED Logical Analyzer, together with new Android and iOS apps decoding. Among the new features: backward compatibility with UFED Report Manager file formats (URP) (as our Analyzer applications replace UFED Report Manager) and the ability to see whether an iPhone is jailbroken or an Android is rooted.

Both UFED Physical Analyzer and UFED Logical Analyzer can now perform advanced logical extraction from iOS devices. Data now includes contacts, SMS, MMS, app information, emails from jailbroken devices, databases and multimedia files.

Both pieces of software are now certified to run on Microsoft Windows 8. And don’t forget the new Android password carver included in UFED Physical Analyzer, courtesy of the CCL Group.

For more information, download our release notes!

Partnership with the CCL Group brings new Android password carver to UFED Physical Analyzer

As useful as our Android pattern/PIN/password lock bypass is to so many of our customers, at times, the password itself is needed. Perhaps a forensics examiner wants to validate extraction results manually, or believes the same password protects a different device.

Still, not all physical extractions are automatically decoded. Without the file system reconstruction that decoding provides, examiners must manually carve the password from wherever it is stored within the device’s operating system. This can add time to the forensic process, especially if the examiner must refer the device to a specialist. It might even be impossible if the examiner lacks carving skills, or the access to an expert who has them.

With our soon-to-be-released UFED Physical Analyzer 3.7, we’re pleased to introduce a new Android password carver—thanks to the efforts of the CCL Group, the United Kingdom’s largest private digital forensics company. Having produced 300 scripts as part of its digital forensics research and development efforts, last year CCL Group’s lab developed a Python code that could carve a numeric password from an Android physical extraction or from third-party image files.

The premise, as they explained in their blog:

As with the pattern lock the code is sensibly not stored in the plain, instead being hashed before it is stored. The hashed data (both SHA-1 and MD5 hash this time) are stored as an ASCII string in a file named passcode.key which can be found in the same location on the file system as our old friend gesture.key, in the /data/system folder.

However, unlike the pattern lock, the data is salted before being stored. This makes a dictionary attack unfeasible – but if we can reliably recover the salt it would still be possible to attempt a brute force attack.

The CCL developers made their code openly available for other researchers to dig into. Cellebrite’s co-CEO and Chief Technology Officer, Ron Serber, believed that the code was a natural fit within the UFED Physical Analyzer platform.

However, the code was written independently of our infrastructure. With CCL’s permission and partnership, we rewrote the Python code so that it could be used within our platform. On its own or as part of a plugin chain, the carver enables recovery of numeric passwords from physical image files extracted by UFED, JTAG, chip-off or other tools.

We’re introducing the carver together with UFED Physical Analyzer 3.7 in just a few days. Current license holders will receive an email with download links; if you’re not a current customer, please download our free UFED Physical Analyzer 30-day demo.