Balancing data actionability with forensic soundness

The ability to extend mobile evidence collection capabilities into the field has a great many benefits. Reducing costs associated with overtime, outsourcing, and diminished forensic lab productivity renders a field-based solution an investment rather than an additional cost. Reducing the risk of human error in data analysis is attractive, too, as automated tools help to improve field-level decision-making about cases.

Even so, decentralizing mobile forensics also carries its own risks. Will field personnel handle mobile device evidence the right way, including securing proper legal authority? Will they follow policy and standard operating guidelines when it comes to extracting and preserving mobile device evidence?

The legalities around field-based mobile device extraction have yet to be determined in many countries, but authorities can ensure compliance with organizational policy and overall forensic best practices by using permission management and auditing features. These kinds of capabilities take into account that not everyone needs the same level of access to mobile device evidence, depending on the types of cases they are investigating as well as the offense severity.

With the UFED Field Series, as well as the UFED Pro Series, permission management functionality allows agency administrators to define and configure user authentication settings to ensure that only users with the right credentials can access the application. An encrypted permission management file that contains usernames and profiles can be imported into multiple UFED InField applications.

Not only credentials, but also extraction privileges can be assigned. Certain investigators may have access only to logical and SIM card extractions, while forensic lab examiners can access full physical extractions as well.

In addition, administrators can define content types available from logical extractions. Some investigators may be granted extraction permissions only for images and videos, for example, while others can access messaging in addition to images and videos.

These privileges can be based on user roles and/or training and certification levels. For example, investigators who have received the Cellebrite Certified Logical Operator (CCLO) or the Cellebrite UFED Field Operator (CUFO) certifications, or completed the coursework without receiving the certifications, can be assigned as many or as few extraction privileges as an administrator deems necessary for their role.

On the flip side of granting access to mobile extractions and data is tracking what the logged-in users do once they’re in the system. With UFED InField, an activity log maintains a list of all transactions including extraction start and end times; transaction type, duration, and status; device owner, vendor, model, and name; case ID and crime type; and who seized the device. Administrators can use this log to audit usage and ensure accountability among users.

The UFED Field Series solutions promote the treatment of mobile devices as crime scenes, so that the evidence they contain is fully preserved from seizure all the way through search and analysis. They offer organizations the “technology” component of a three-pronged approach that Cellebrite encourages for implementing legally defensible field-based extractions by personnel who do not specialize in mobile forensics. By combining the UFED Field Series with training, policy, and standard operating guidelines*, organizations can reduce risk while meeting the need for improved access to actionable mobile device data in the field. To learn more, download our solution brief today.


*We recommend you work with your prosecutors and administrators to develop policy and appropriate training, including processes for obtaining written consent and search warrants (either traditional or electronic, if your jurisdiction allows).

New UFED release delivers improved workflow, permission management, a new mobile app, and more

The new UFED 3.0 release is designed with front-line investigators in mind. From a new permission management and user authentication capability, to a much more streamlined extraction workflow and a mobile app that’s accessible from any iOS or Android device, the new UFED promises to make your work more efficient by getting you the data you need faster.

New user authentication and permission management

Many labs are struggling with backlog and the need for front-line investigators to get quicker access to information in order to begin or complete an investigation. However, doing so within the “right to know, need to know” boundaries of both legal authority and internal standard operating procedures and policies is important to retain community trust—whether you work in law enforcement or in the corporate environment.

The new UFED Permission Manager standalone application allows an administrator to create profiles and manage user accounts, including usernames and passwords, which enable users to perform specific extraction activities. Each profile contains access permissions, including operation rights per extraction type, content types and more.

Once these are created, the administrator can export the users and profiles into an encrypted permission management file, which can in turn be imported into multiple UFED Touch and UFED 4PC units. This file activates user authentication, ensuring that only users with the right credentials can access the UFED and perform the extraction types they have permission to perform.

New smoother workflow

Customers have been asking for a more efficient extraction workflow, and we’re pleased to deliver it in UFED 3.0! Now start your extraction process in UFED Touch or UFED 4PC by selecting the device vendor, before proceeding to the specific device selection screen. The UFED interface then provides a list of supported actions for that device.

After installing the update, the UFED Touch/4PC application will notify you about the new workflow and provide instructions on first usage.

The new smoother workflow includes an Auto Detect feature. Connect a device and push the AutoDetect button on the main screen; AutoDetect will run automatically on UFED 4PC when the UFED Device Adapter is connected.


New UFED Phone Detective mobile app

While in the field, use the UFED Phone Detective mobile application to look up extraction and decoding capabilities—as well as whether lock bypass is supported—for all device profiles supported by UFED hardware and software. Use your my.cellebrite.com credentials to log in, then search by vendor and model.


New device, decoding and app support

New device support includes logical extraction for BlackBerry 10, physical extraction for a number of new Samsung devices, and Advanced Logical extraction for iOS 7.0.6/6.1.6.

New decoding support is available for enhanced location decoding from file system and physical extractions of iPhone 4 running iOS 7.x, along with enhanced decoding of application permissions to include permissions to location services. Enhanced decoding of contact list, call log, calendar, and tasks is now supported on Windows Mobile 6/6.5 physical extractions, as well as backup decoding from the latest devices running Android version 4.x.

New Android and iOS apps now supported for decoding include Burner (calls, contacts and SMS messages), WeChat, Badoo, BlackBerry Messenger, and Silent Phone. Additional decoding is also newly available for WhatsApp, Facebook, Gmail (for Android) and the new Line version for iOS.

For more information on these new features and support details, as well as a rundown of new UFED Physical/Logical Analyzer functionality, download our release notes here.