A low tech solution to a high tech problem

Det. Zach NeemannLast month, Det. Zach Neemann, one of our customers in the Deschutes County (Oregon) Sheriff’s Office Digital Forensics Lab, was attempting to analyze a Samsung Galaxy SIII SGH-I747 GSM AT&T cellular telephone running Android V 4.0.4. Even though USB debugging was enabled, during physical and file system extractions, the UFED Touch would disconnect after about a minute of the screen being timed out.

Neemann assumed it was because the phone was going to “sleep” or “hibernation” mode. As long as he continued to touch the screen every few minutes, the phone did not go to sleep and the imaging continued. “However, I really did not want to sit there for the next two to three hours, touching the screen,” he told us.

An in-depth examination of the Accessibility, Security, Battery, Power Saving, Display and other settings showed no feature to keep the phone awake. Neemann could turn off the screen lock, but the screen timeout limit was 10 minutes, and this model—unlike others—did not have the option to disable the screen lock permanently.

Tricking a Samsung Galaxy S3's Smart StayFacing the possibility that he would have to keep touching the screen every 10 minutes for the next two hours, Neemann located a feature called “Smart Stay” which stated that it would disable the screen timeout if the device detected that the user’s face was watching the screen. “At this point I took a picture of myself with my phone, and printed it,” he said. “Then I taped it to the back of my chair, propped the phone up and set the screen timeout to 30 seconds.

“While observing the phone I found that an eye icon appear in the task bar every thirty seconds,” Neemann said. “This appeared to look for my face and then disable the screen time out.  I was then able to capture the entire physical image without the cell phone going to sleep. The imaging process worked perfectly, after this fix.”

Tricking a Samsung Galaxy S3's Smart ScanThe following morning, Neemann did further testing with the Samsung phone. He learned that the facial sensor comes on in designated intervals, anywhere from every 15 seconds to 10 minutes depending on how the user configures it.

“We removed the photo and pointed it to the back of the chair, to a white background, to a beige background and to a black background,” Neemann told us. “We also tried just the back of the hand and a combination of a white background with black square in the middle. It did NOT work for any of those backgrounds. The only way it properly recognized the facial pattern was to point it toward an actual picture.”

Fortunately, the device wasn’t so picky that it would only work on one face: Neemann tested it with images of two different males and one female, and all of them prevented the screen from timing out.

Have you ever tested your way out of an especially tricky problem with a mobile device? Leave us a comment!

UFED 1.8.5.0: Double the Android devices supported for physical extraction

Our first update of 2013 offers something a lot of our clients have been awaiting for a long time: user lock bypass enabling physical extraction on HTC and Motorola devices. The new capability adds 109 Android™ models to our list—more than double what we previously offered via bypass methods.

To be more precise, we’ve added this capability to 66 HTC and 35 Motorola devices, including HTC’s Evo, Incredible, Wildfire and Desire models along with Motorola’s Milestone, Droid Razr and Razr Maxx. (A full listing is available in our release notes, downloadable here.)

We’ve also extended our Samsung Galaxy series user lock bypass method from the Galaxy S and S2 to the Galaxy S3 (international model GT-i9300) and Galaxy Note II. This capability is available on the UFED Touch Ultimate, although the UFED Classic still supports physical and file system extraction on unlocked Galaxy S3 and Note II.

The new support relies on our well-known proprietary user lock bypass methods, which work even when USB debugging is disabled. These methods provide the deep access to mobile devices that forensic examiners need to complete their extractions of existing, hidden and deleted data. User lock bypass is now supported on a total of 229 Android smartphone models.

Additional extraction support

We’re also pleased to report that we now support physical, file system and logical extraction for Apple devices running iOS 6.1, which was released only last week. Our physical and file system extractions support iPhone 3GS/4 and iPod Touch 4G devices, and include decoding, simple and complex passcode bypass, simple passcode recovery, and real-time decryption. (Note: To get this capability, you must update the new EPR via the UFED Physical Analyzer.)

Our file system and logical extractions support iPhone 3GS/4/4S/5, iPad2/3/4/mini, and iPod Touch 4G/5G.

Finally, we now support file system extraction from any device—Nokia, HTC, Samsung, Huawei and ZTE—running Windows Phone 7.5 and 8. Extract existing and deleted data from these devices via the “File system > smartphones” in the UFED menu.

Get your UFED update at my.cellebrite.com! (Not a user? Visit us at ufedseries.com to learn more!)