In the past several years, cases involving computer hard drive forensics have declined while mobile forensics cases have risen, increasing the demand to analyze digital evidence from mobile devices. Typically, the forensic lab examiner generates reports containing all the data extracted from the device and sends them to the investigator, who has to review all of that data in order to find the relevant piece. This may mean sifting through hundreds, even thousands, of pages from several devices to find the needle in the haystack. In some cases, the investigator may discover that they need additional data that was not even supplied.
In a recent webinar, we presented the UFED Reader, a free and easy to use digital tool that helps you review the report files generated from analyzed data of a physical, file system, or logical extraction by UFED Physical Analyzer and UFED Logical Analyzer.
The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we have compiled in this blog post, including some that we did not have time to answer during the webinar.
Q: Can UFED Physical Analyzer create a .ufdr file that contains all the artifacts, including pictures, videos, SMS, MMS, etc.?
A: UFED Reader is able to create massive .ufdr files, even from phone dumps that are over 16 GB.
Q: Where is the UFED Reader file located?
A: The UFED Reader executable can either be forwarded from the forensics lab together with a report, or it can easily be downloaded from the customer portal at my.cellebrite.com.
Q: Can I also see shared data between different reports using the reader?
A: You can open different reports using the reader; they can be different reports of the same device or even reports related to different devices. However, each project is handled separately. You can perform searches across all projects, but the views are separated: SMS messages, contacts, locations and so on are presented per project, and the timeline and reports are not shared either. If you need to see connections and links, it is recommended to use UFED Link Analysis, which enables you to open up to 100 data sources and see the links between different data extractions.
Q: For multi-jurisdictional investigations, how can you import an XRY file for parsing by a UFED?
A: While UFED Reader cannot open XRY reports, UFED Link Analysis has the ability to open external reports, and provides a joint view of both Cellebrite and XRY reports.
Q: Can you generate a report containing only bookmarked items?
A: Yes, UFED Reader provides an option to include the entity ‘bookmarks only’, which incorporates only bookmarked items in the report output. Bookmarking highlights the evidence that is relevant to the case, and UFED Reader provides the option to include in the report only the artifacts that matter for that investigation. As a result, the generated report is concise and protects personal data that is not relevant to the case.
Q: Which mobile device operating systems are supported by the UFED Reader?
A: Cellebrite supports all known and familiar operating systems, and all devices that can be extracted and decoded using the UFED series (including Touch/4PC/Logical Analyzer/Physical Analyzer) can be opened by the UFED Reader, meaning any .ufdr report generated can be opened by the UFED Reader.
Q: Are there chat-threading capabilities within the UFED Reader module?
A: In the Chats view, you will see a list of chat messages extracted from the device, including messages from third-party apps such as WhatsApp or Snapchat. This view provides information about the chat, such as start date and time, participants, source and number of messages, which are also listed chronologically in the right pane in full detail (including message bodies and attachments). The conversation view layout option is also available for easier tracking of the communication between two or more parties. You can search for messages within a chat, select the messages to include in a report, print, or export the conversation.
Q: Is it possible to see restored deleted information from mobile devices?
A: Cellebrite has the ability to extract and decode deleted information from mobile devices; these items are included in the .ufdr report and presented in UFED Reader with a red ‘x’ icon next to the artifact.
Q: Can UFED extract logical and physical data from Windows Phone 8 and new Android-SM using MTP (media transfer protocol) instead of UMS (mass storage)?
A: For Windows Phone 8 using the logical extraction method, you can extract contacts via Bluetooth and multimedia data via USB (MTP protocol). Physical extraction is available for select Nokia Lumia (out-of-the-box WP8) models. For Android devices using the logical extraction method, you can extract multimedia data from newer Android devices via USB (MTP protocol).
View the full webinar below:
Leave a comment if you have a question that was not answered above, or in the webinar itself!