UFED 5.0 drastically decreases your time to evidence by drilling into the data that’s most crucial

Sifting through data is a very time consuming process- the average US smartphone user takes up 10.8GB of storage capacity on their device*, and taking into account different data recovery options in UFED Physical Analyzer, this process may take up to several hours to complete. UFED 5.0 came out with major time-savers that drastically decrease your investigation time, and lets you focus on the data that is most crucial to your investigation. Version 5.0 brings five crucial industry-first features, and support for 19,203 device profiles and 1,528 app versions.

Merge multiple extractions in a single unified report and avoid deduplicates

You asked for it, we developed it. With UFED Physical Analyzer 5.0, you now have the ability to merge multiple extractions from multiple devices into a single unified project, which can include logical, physical and file system extractions. The extracted data is presented under one project tree, and provides a unified extraction summary with device info per extraction, the ability to drill down to each extraction, and an indication of the original extraction source. If required, you also have the option to combine extractions from different devices. 

merge mult files

 

This powerful feature saves you time not only by combining the extractions, but also by removing deduplications (duplicate or redundant information), and grouping together similar and duplicate records for quick and efficient analysis. The following extraction types may be grouped together: Logical, advanced logical file system, physical, SIM card, JTAG, SD Card, and UFED Camera Evidence.

Here is what one investigator had to say about this new capability: “Being able to instantly navigate to where each piece of data is located in the memory dump is an outstanding feature. This saves hours of time on each complex investigation.”

Validate your data the right way

The latest validation process saves you time and resources by providing you with the most effective and most efficient way to perform a real and accurate validation process, by validating the decoded data with the original source file; Thus, reducing your need to use other mobile forensic tools for additional extractions to compare and validate the results.

Every recovered artifact has a source that it originally derived from, and can be used to later to validate the data. If previously you spent time manually searching for the original source, UFED Physical Analyzer 5.0 now tracks back the automatically decoded content to its source.

Every extracted record now includes the file source information in a table view or in the right pane with device information. Each link points to the offset data and includes the source file name, which can be included in a UFED report when testifying in court. For example, using UFED Physical Analyzer 5.0, an examiner can easily see from the original source file that a recovered SMS was a deleted artifact, since it was recovered from the memory of the device. That SMS is also visible and highlighted in the hex viewer, when clicking on the file source information link. (The db file where the SMS came from is also displayed in the right pane).

2

 

 

 

 

 

 

Focus on relevant media files with the common image filter

An additional time saver added to version 5.0 is the new automatic filter feature. UFED Physical Analyzer 5.0 saves massive investigation time by automatically filtering out common or known images, allowing you focus on the images you need to get to the evidence quick, rather than wasting time reviewing thousands of images that are default device icons, or images that come as part of app installation.

The MD5 hash value is available for every extracted media file, and is visible in the user interface and in the report output, as part of the decoding process.

How would you use this feature? Say you have 200 hash values of indecent images in your own database, you can easily create a watch list for all the hash values from your database, and run the watchlist to find a match search for the same images on the device. In case of a match, a nude photo will be detected on the device. Alternatively, you can export the hash values from the device into excel, and run a match on your database, as well as expand your list with new hash values belonging to suspicious nude photos.

As presented in the image below, if previously you had to review 24998 images, you now have 900 less images to review.

ReviewMediaFiles_Hash_Calculation-Recovered

 

 

 

 

To view all images, click on filter reset or remove the auto-filter option in the Settings.

 

Access blocked application data with file system extraction

Version 5.0 introduces another industry-first capability, providing you access to blocked application data when physical extraction is not available for the specific device. The introduction of new app versions also introduce new challenges, such that they are no longer available for backup using the Android backup method, since they are blocked for backup service. UFED overcomes this limitation with a new option called APK downgrade method, also available via file system extraction. This method temporarily downgrades the app (or .apk file) to an earlier version that is compatible for Android backup. UFED will present the list of apps installed on the device, and the ones available for downgrade. Open the extraction in UFED Physical Analyzer to decode both intact and deleted apps data.

Popular supported apps include WhatsApp, Facebook, Facebook Messenger, Line, Telegram, Gmail, KIK and more.

Extract data using Temporary root (ADB) and enhanced bootloader method

Temporary root (ADB) solution has been enhanced to support 110 Android devices running OS 4.3 – 5.1.1, for file system and physical extraction methods, (when ADB is enabled). Logical extraction of apps data is also available for the listed devices using the temporary root solution. As part of your examination, you need to gain access to all the data stored on a mobile device.  This is achievable via a physical extraction, which is the most comprehensive solution, and provides the richest set of data. As part of our ongoing efforts, you are now able to perform a physical extraction for the selected 110 devices using the ADB method instead of manually rooting the device using an external tool.  Third party tools provide a permanent root, while Cellebrite’s temporary root solution is removed after restart, and assures forensically-sound extractions.

The bootloader method has been further enhanced in version 5.0. This unique lock bypass solution is now available for 27 additional devices (APQ8084 chipset), including Galaxy Note 4, Note Edge, and Note 4 Duos.

Version 5.0 also introduces physical extraction and decoding support for a new family of TomTom devices; as well as file system and logical extraction and decoding is also available for recently launched devices, including iPhone SE, Samsung Galaxy S7, and LG G5.

Watch the video below to learn more about UFED 5.0 release highlights.

Download our release notes for full details about version 5.0 capabilities.