How our forensic R&D makes the previously impossible, possible

Before we launched our HTC and Motorola user lock bypass, our forensic customers had to go to through a painstaking process to recover data from these Android devices: obtain a search warrant to serve on Google, either to recover backup data or to obtain or reset the device user lock. In some cases, such as with a phone that was turned off, they may even have had to serve paper on the carrier as well.

This process could lead to delays because it could take days or even weeks to secure the paperwork and reach a law enforcement liaison. The providers’ success was limited by the type and complexity of the user lock—if they agreed to comply at all. This could slow down or altogether halt investigations’ progress.

Thanks to our work on this bypass, a number of happy customers have been able to access critical evidence which they previously could not. Said Deputy Steven Mueller of the Defiance County (Ohio) Sheriff’s Office and the Northwest Ohio Technology Crimes Unit: “I was given a HTC PD15100 in December with a pattern lock. I was unable to acquire it then. Today with the updates it is being acquired as I write this.” Mueller later updated us that he and his team were able to successfully carve graphics files from the image.

To learn more about how to perform user lock bypass and file system or physical extraction on HTC Android devices, see our new video:

UFED 1.8.5.0: Double the Android devices supported for physical extraction

Our first update of 2013 offers something a lot of our clients have been awaiting for a long time: user lock bypass enabling physical extraction on HTC and Motorola devices. The new capability adds 109 Android™ models to our list—more than double what we previously offered via bypass methods.

To be more precise, we’ve added this capability to 66 HTC and 35 Motorola devices, including HTC’s Evo, Incredible, Wildfire and Desire models along with Motorola’s Milestone, Droid Razr and Razr Maxx. (A full listing is available in our release notes, downloadable here.)

We’ve also extended our Samsung Galaxy series user lock bypass method from the Galaxy S and S2 to the Galaxy S3 (international model GT-i9300) and Galaxy Note II. This capability is available on the UFED Touch Ultimate, although the UFED Classic still supports physical and file system extraction on unlocked Galaxy S3 and Note II.

The new support relies on our well-known proprietary user lock bypass methods, which work even when USB debugging is disabled. These methods provide the deep access to mobile devices that forensic examiners need to complete their extractions of existing, hidden and deleted data. User lock bypass is now supported on a total of 229 Android smartphone models.

Additional extraction support

We’re also pleased to report that we now support physical, file system and logical extraction for Apple devices running iOS 6.1, which was released only last week. Our physical and file system extractions support iPhone 3GS/4 and iPod Touch 4G devices, and include decoding, simple and complex passcode bypass, simple passcode recovery, and real-time decryption. (Note: To get this capability, you must update the new EPR via the UFED Physical Analyzer.)

Our file system and logical extractions support iPhone 3GS/4/4S/5, iPad2/3/4/mini, and iPod Touch 4G/5G.

Finally, we now support file system extraction from any device—Nokia, HTC, Samsung, Huawei and ZTE—running Windows Phone 7.5 and 8. Extract existing and deleted data from these devices via the “File system > smartphones” in the UFED menu.

Get your UFED update at my.cellebrite.com! (Not a user? Visit us at ufedseries.com to learn more!)

Anticipating mobile forensics trends for 2013

Predictions abound this time of year. We’ve seen plenty for the mobile device, information security, and even digital forensics industries overall—but nothing for mobile forensics. We decided to ask a panel of six “power” Cellebrite customers for where they envision the field going this year.

Eoghan Casey, co-founder of CASEITE and a SANS Senior Instructor; John Carney, Chief Technology Officer at Carney Forensics; Cindy Murphy, computer crimes detective at the Madison (Wisconsin Police Department); Gary Kessler, associate professor, Embry-Riddle Aeronautical University; Heather Mahalik, mobile forensics technical lead at Basis Technology and a SANS Certified Instructor; and Paul Henry, principal at vNet Security and a SANS Senior Instructor all weighed in on trends in law enforcement, law, regulatory issues, and of course, mobile technology. Here’s what they told us:

Apps forensics comes into its own this year

“Whether it’s mobile messaging, personal navigation, social media or improving productivity – apps are going to dominate smartphones and tablets in 2013,” said Carney. “The ability to extract critical data stored in apps will become the new measuring stick by which investigators gauge the superiority of mobile forensics tools.”

Smartphone platforms are still fluid

Android took 75% of the global market in Q3 of 2012, iOS dominates the bulk of bandwidth usage, and BlackBerry—whose new sales are still in steep decline—remains a legacy device which mobile examiners can continue to expect to see in their labs. And Windows Phone 8 may gain strength. Mahalik and Carney both foresaw a need for better forensic support for the platform this year.

Mobile forensics meets BYOD

“Bring your own device” spread rapidly across enterprises in 2012, and continues. Carney says this means “contending with more devices that contain both personal and corporate evidence as well as an increase in legal challenges related to device access and privacy during corporate investigations.”

Expect more mobile malware

Malware is already rampant on Android devices, and this trend won’t decline. “The intended uses of mobile malware will be very similar to non-mobile malware – steal money, steal information and invade privacy,” says Murphy, who expects law enforcement to have to contend with it particularly in stalking, domestic violence and even child exploitation cases.

Regulatory and legislative landscape remains uncertain

Few lawmakers and judges understand the nature of mobile technology, yet they’re scrutinizing them much more closely than they did computers, according to Kessler. “This speaks to the need for greater education regarding the scope and possibilities of mobile forensics and what it means for privacy and pretrial discovery,” he says. Even so, look for mobile devices and the data they contain to take center stage in both civil and criminal investigations, as more civil litigators begin to realize their importance.

Click here to access “The Year Ahead for Mobile Forensics: Cellebrite’s Panel Predictions for 2013”