One-step multiple report formats, Link Analysis integration & more in UFED Physical/Logical Analyzer 3.9

The latest release of UFED Physical/Logical Analyzer (depending on your license) includes new features that respond to a variety of user needs.

First, you can now generate reports in multiple formats for several projects in a single step. This saves time for case agents who must supply supervisors, intelligence analysts, translators, and others with the data they extract. Simply select the data and the required report formats (e.g. Word, PDF, UFDR, etc.), and click “Finish.” This feature is supported in UFED Physical/Logical Analyzer and UFED Reader.

Another time-saving feature: you can now open your project in UFED Link Analysis directly from UFED Physical/Logical Analyzer and UFED Reader. If you’re a current UFED Physical/Logical Analyzer user, get a free UFED Link Analysis trial today with your UFED Physical/Logical Analyzer update. The trial will remain active until February 1.

You can also export SMS and MMS events to EML format directly from the analyzed data table. This is useful for showing all written communications – text messages and emails – together in a single timeline once they are imported into a third-party application that supports EML files. Each SMS and MMS message gets its own EML file.
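The SMS/MMS-to-EML mapping described above, shown as an added example that is not part of the original post and not Cellebrite’s export code. It assumes message records with the fields id, type, direction, from, to, timestamp, body and (for MMS) attachments, maps phone numbers onto addresses under the reserved .invalid domain, writes one EML per message, and then orders the resulting files by their Date header the way a timeline tool would. All sample messages are constructed.

```python
from datetime import datetime, timezone
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample records in the shape an analyzer's SMS/MMS table might
# expose. The field names are an assumption of this example.
SAMPLE_MESSAGES = [
    {"id": 1, "type": "SMS", "direction": "Incoming",
     "from": "+15551230001", "to": "+15551239999",
     "timestamp": datetime(2013, 1, 14, 9, 3, 0, tzinfo=timezone.utc),
     "body": "Meet at 10?"},
    {"id": 2, "type": "MMS", "direction": "Outgoing",
     "from": "+15551239999", "to": "+15551230001",
     "timestamp": datetime(2013, 1, 14, 9, 5, 30, tzinfo=timezone.utc),
     "body": "See attached.",
     # (filename, MIME type, bytes); the bytes are a constructed stand-in, not a real JPEG
     "attachments": [("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0FAKEJPEG")]},
]


def sms_to_eml(msg: dict) -> bytes:
    """Render one SMS/MMS record as an RFC 5322 message (EML bytes)."""
    m = EmailMessage(policy=policy.SMTP)
    # Phone numbers become mailbox-like addresses; ".invalid" is a reserved TLD,
    # so nothing here can be mistaken for a deliverable email address.
    m["From"] = f"{msg['from']}@sms.invalid"
    m["To"] = f"{msg['to']}@sms.invalid"
    m["Date"] = format_datetime(msg["timestamp"])  # timeline tools sort on this
    m["Subject"] = f"{msg['type']} {msg['direction']} #{msg['id']}"
    m["Message-ID"] = f"<{msg['type'].lower()}-{msg['id']}@extraction.invalid>"
    m["X-Source-Table"] = "SMS Messages"  # custom provenance header (assumption)
    m.set_content(msg["body"])
    # MMS attachments become MIME attachments, which turns the message into multipart/mixed.
    for name, ctype, data in msg.get("attachments", []):
        maintype, subtype = ctype.split("/", 1)
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()


def export_all(messages) -> dict:
    """One EML file per message, keyed by a stable file name."""
    return {f"{m['type'].lower()}_{m['id']:06d}.eml": sms_to_eml(m) for m in messages}


def parse_eml(raw: bytes) -> EmailMessage:
    """Re-read an exported EML the way an importing application would."""
    return message_from_bytes(raw, policy=policy.default)


def timeline(eml_files: dict) -> list:
    """Order exported files chronologically by their Date header."""
    rows = []
    for name, raw in eml_files.items():
        p = parse_eml(raw)
        rows.append((parsedate_to_datetime(p["Date"]), name, p["Subject"]))
    return sorted(rows)


if __name__ == "__main__":
    files = export_all(SAMPLE_MESSAGES)
    for when, name, subject in timeline(files):
        print(when.isoformat(), name, subject)
```

The Date header carries the device timestamp with an explicit UTC offset, so an importing tool can merge these files with real email without guessing time zones; the custom X-Source-Table header records where the record came from, which matters when the same timeline is later explained in testimony.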

Decoding: Devices and data types

Decode new and enhanced data types from various smartphone operating systems. For BlackBerry devices, you can now view power-off events. These can be an important indicator of criminal activity: suspects are known to turn off their devices to avoid either real-time detection or leaving after-the-fact evidence of their travels. If an extraction reveals power-offs you wouldn’t expect, say during waking hours or during the subject’s normal patterns of life, that may offer new lines of inquiry for your investigation.

To view the powering log for a BlackBerry device, run the BlackBerry event log plug-in after the chain has been executed. View the data in the “Powering Events” table under “Analyzed Data” or as part of the Timeline.

UFED Physical/Logical Analyzer 3.9 also shows iOS and Android application permissions. Unsafe apps – those infected by malware, or not properly secured – may hold permissions to view contacts, text messages and other content without the user necessarily knowing it. This may be valuable in cases where a victim isn’t sure how private information was divulged. Find access permission data in the “Installed Applications” table (also available in the right pane).

Decoding support for physical extraction has also been added for 145 devices, including 118 Android devices; for file system extraction for 126 devices, including 97 Android devices; and for Samsung GSM and CDMA and LG CDMA feature phones. The new update also includes application support for the iOS apps Passbook, Wickr, and vBrowse, and for the Android apps Outlook.com, Google Maps, and a new KakaoTalk version with encrypted data.

Find tethering information, iOS 7.0.x keychain decryption, Android data carving, various performance and functionality improvements, and many other features in UFED Physical Analyzer 3.9. If you’re not a current customer, take advantage of your free 30-day trial by clicking the image below:

UFED Physical Analyzer 30-day Trial

How well does our BitDefender integration work?

Mobile malware is picking up steam. From malicious apps that send private and personal data to unknown third parties, to sound- and light-activated mobile malware, to mobile malware that can exfiltrate information from Windows PCs, mobile malware increased between 580% and 1000% last year, with tens of thousands of pieces of malware currently in the wild.

That’s why in December, BitDefender’s anti-malware technology was implemented in Cellebrite’s UFED Physical Analyzer software to analyze physical and file system extractions and provide a comprehensive malware report.

The integrated solution helps forensic examiners pinpoint whether undetected malware aided the commission of crimes. More specifically, BitDefender unpacks apps’ .apk files and looks inside them for infected files. The company regularly and frequently updates its signature files, so each time you run UFED Physical Analyzer’s malware scanner, you get fresh malware signatures for scanning images.

At Mobile Forensics World last month, presenters Carlos Cajigas and Pete McGovern of Florida-based EPYX Forensics used open source Linux-based tools to validate our integration of BitDefender mobile malware scanning. The tools included AVG and Clam, as well as BitDefender mounted within Linux Ubuntu.

As described in the EPYX blog, Cajigas had already scanned the image of an infected HTC Desire with UFED Physical Analyzer’s BitDefender integration. There, our software identified 331 infections.

After a review of how AVG, Clam, and BitDefender performed against 11,080 known pieces of malware identified from VirusShare.com, a repository of samples, Cajigas ran AVG and Clam against the device’s image. These found only 14 and 19 infections, respectively. As he noted, this can be valuable low-hanging fruit that may be all that is needed to make a case.

Even so, a final scan with BitDefender uncovered 368 suspicious files out of 39,473 total files (including those within the 11,080 .apks); of those, 41 were viruses. Cajigas accounted for the discrepancy between this scan and the initial Physical Analyzer scan by stating that he had performed the first scan several weeks earlier—and that BitDefender had likely updated its signature files since.

Beyond the malware scan

Cajigas points out: “Simply scanning a device only points to the fact that there may be some evil on that image. Reverse engineering can find out if the image is in fact infected, or would be a false positive.”

What counts as a false positive? That depends. “If I root my phone, I will install BusyBox on it,” says Cajigas. “Because most people call it a hacking tool, malware detectors alert on it. But because it was intentionally installed, it’s not in fact malware. This makes it a false positive.”
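How a signature-based scanner looks inside an .apk (which is a zip archive, so an engine can enumerate and hash its members, including archives nested inside it), combined with the examiner-maintained allowlist that turns a BusyBox hit like the one Cajigas describes into an “expected tool” rather than an infection. This is an added illustration, not Cellebrite’s or BitDefender’s code: the signature set, the allowlist, the payload bytes and the APK itself are all constructed here, and a real engine matches on far more than exact file hashes.

```python
import hashlib
import io
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins: neither is real malware nor a real BusyBox binary.
_BAD_PAYLOAD = b"TOY-MALWARE-PAYLOAD-0001 (constructed sample, not real malware)"
_BUSYBOX_LIKE = b"TOY-BUSYBOX-BINARY (constructed sample)"

# Assumed signature database (vendor side) and examiner allowlist (case side).
SIGNATURES = {sha256(_BAD_PAYLOAD): "Toy.Dropper.A"}
EXAMINER_ALLOWLIST = {sha256(_BUSYBOX_LIKE): "busybox (intentionally installed)"}


def build_sample_apk() -> bytes:
    """Build a constructed APK-shaped zip in memory; it is not a runnable app."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("plugin/update.bin", _BAD_PAYLOAD)  # hidden one level down, inside a jar
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.sample'/>")
        z.writestr("classes.dex", b"dex\n035\x00constructed-dex-bytes")
        z.writestr("assets/busybox", _BUSYBOX_LIKE)
        z.writestr("assets/helper.jar", inner.getvalue())
    return buf.getvalue()


def scan_container(data: bytes, signatures=SIGNATURES, allowlist=EXAMINER_ALLOWLIST,
                   prefix: str = "", depth: int = 0, max_depth: int = 3) -> list:
    """Hash every member of a zip archive and recurse into nested archives.

    Verdicts: "infected" (signature hit), "expected_tool" (allowlisted by the
    examiner, i.e. a documented false positive) or "clean" (no match).
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            content = z.read(info)
            name = prefix + info.filename
            h = sha256(content)
            if h in signatures:
                verdict, label = "infected", signatures[h]
            elif h in allowlist:
                verdict, label = "expected_tool", allowlist[h]
            else:
                verdict, label = "clean", ""
            results.append({"name": name, "sha256": h, "verdict": verdict, "label": label})
            # "Unpacking" step: look inside archives packed within the APK, with a
            # recursion limit so a deliberately nested archive cannot run the scanner forever.
            if depth < max_depth and zipfile.is_zipfile(io.BytesIO(content)):
                results.extend(scan_container(content, signatures, allowlist,
                                              prefix=name + "!/", depth=depth + 1,
                                              max_depth=max_depth))
    return results


def summarize(results: list) -> dict:
    counts = {"infected": 0, "expected_tool": 0, "clean": 0}
    for r in results:
        counts[r["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for r in scan_container(build_sample_apk()):
        print(f"{r['verdict']:14} {r['sha256'][:16]}  {r['name']}  {r['label']}")
```

The allowlist is deliberately keyed by hash rather than by file name: a file called busybox is only the examiner’s own tool if its contents match the build they installed, and the recorded hash is what they can later point to when explaining the verdict.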

Several variables determine whether a forensic examiner should move forward in determining whether a malware infection has any bearing on a case. One variable is the severity of charges. Another is what other evidence exists in the case. A case that hinges on mobile device evidence may require additional investigation so as to reduce reasonable doubt.

“If you find malware, how would you be satisfied that the malware you found is not related to the crime?” Cajigas asks. “The only answer is research and investigation.” He recommends pulling any infected .apks into a resource like Anubis, which “sandboxes” .apks for safe exploration. Here, it is possible to see what URLs the .apks are calling, along with any other suspicious behavior.

From there, it may be necessary to reverse engineer the suspected malware. Cajigas says this is an advanced skill which usually involves very specific training. Yet, developing this kind of skill—or finding an expert who has it—could be important to a case.

He offers the example of an .apk that is shown to be a worm. “Later on the examiner might determine that the worm opened a backdoor that calls to a command and control center, which steals information such as the device’s IMEI or ICCID—but does not download child porn,” he explains. This could be very important in a child exploitation case.

As Cajigas’ presentation showed, the addition of BitDefender to UFED Physical Analyzer means that investigators’ ability to identify potential and actual malware is much stronger than it would be if Clam or AVG were all they had to rely on. However, examiners must be able to testify in court about the process they used to detect and then investigate suspicious .apks.


Anticipating mobile forensics trends for 2013

Predictions abound this time of year. We’ve seen plenty for the mobile device, information security, and even digital forensics industries overall—but nothing for mobile forensics. We decided to ask a panel of six “power” Cellebrite customers for where they envision the field going this year.

Eoghan Casey, co-founder of CASEITE and a SANS Senior Instructor; John Carney, Chief Technology Officer at Carney Forensics; Cindy Murphy, computer crimes detective at the Madison (Wisconsin) Police Department; Gary Kessler, associate professor, Embry-Riddle Aeronautical University; Heather Mahalik, mobile forensics technical lead at Basis Technology and a SANS Certified Instructor; and Paul Henry, principal at vNet Security and a SANS Senior Instructor, all weighed in on trends in law enforcement, law, regulatory issues, and of course, mobile technology. Here’s what they told us:

Apps forensics comes into its own this year

“Whether it’s mobile messaging, personal navigation, social media or improving productivity – apps are going to dominate smartphones and tablets in 2013,” said Carney. “The ability to extract critical data stored in apps will become the new measuring stick by which investigators gauge the superiority of mobile forensics tools.”

Smartphone platforms are still fluid

Android took 75% of the global market in Q3 of 2012, iOS dominates the bulk of bandwidth usage, and BlackBerry—whose new sales are still in steep decline—remains a legacy device which mobile examiners can continue to expect to see in their labs. And Windows Phone 8 may gain strength. Mahalik and Carney both foresaw a need for better forensic support for the platform this year.

Mobile forensics meets BYOD

“Bring your own device” spread rapidly across enterprises in 2012, and continues. Carney says this means “contending with more devices that contain both personal and corporate evidence as well as an increase in legal challenges related to device access and privacy during corporate investigations.”

Expect more mobile malware

Malware is already rampant on Android devices, and this trend won’t decline. “The intended uses of mobile malware will be very similar to non-mobile malware – steal money, steal information and invade privacy,” says Murphy, who expects law enforcement to have to contend with it particularly in stalking, domestic violence and even child exploitation cases.

Regulatory and legislative landscape remains uncertain

Few lawmakers and judges understand the nature of mobile technology, yet they’re scrutinizing mobile devices much more closely than they did computers, according to Kessler. “This speaks to the need for greater education regarding the scope and possibilities of mobile forensics and what it means for privacy and pretrial discovery,” he says. Even so, look for mobile devices and the data they contain to take center stage in both civil and criminal investigations, as more civil litigators begin to realize their importance.

Click here to access “The Year Ahead for Mobile Forensics: Cellebrite’s Panel Predictions for 2013”