Access Evidence From 95%+ Of Android Devices Fast

Cellebrite’s ground-breaking technology and new physical extraction solution, Advanced ADB, extends evidence access from thousands of Android devices.

Cellebrite has done it again. On March 15, 2017, Cellebrite was the first in the industry to provide a unique physical extraction solution, Advanced ADB, as part of its UFED 6.1 release, for thousands of Android devices. To be more specific, Cellebrite’s new Advanced ADB method supports more than 95% of the Android devices in the market running any version from 4.3-7.1. Yes 95%! Generally, this capability works on unlocked devices with a security patch level up to November 2016. But, due to the widely fragmented variety of Android devices, a few exceptions may apply.

Several Android devices that this unique physical extraction method supports are:
Samsung Galaxy S7, Samsung Galaxy S7 Edge, Samsung Galaxy Note 5, Samsung Galaxy S6, Samsung Galaxy Note 4, LG G4, LG G5, LG Nexus 5X, LG V20, Sony Xperia Z5, Xiaomi Redmi 3S, Huawei Nexus 6P, HTC Desire 825 and more!

So what does this mean for you? Well, if and when you encounter an Android device in any of your investigations, rest assured that it is more than likely to be supported by Cellebrite’s Advanced ADB physical extraction method.  Doesn’t that solve a lot of problems, worries, backlog?

Here’s how it works:

The Advanced ADB method can be accessed in one of two ways from UFED 6.1:

  1. Via the mobile device – Mobile device -> Browse manually -> Search for Smart Phones -> Android -> Physical Extraction -> Advanced ADB.
  1. From within the specific device profile – Physical Extraction -> Advanced ADB.

And if the device supports a SD card, it’s pretty straight forward.

The extraction can also be performed directly from the phone to any USB storage device, when the device does not have a SD card. To do this, you will need extraction cables OTG 501 and 508. View the UFED 6.1 release notes to understand how you can receive the cables.

Check out the video below to see a step by step tutorial on how to perform the Advanced ADB physical extraction method.

To get Cellebrite UFED 6.1 with Advanced ADB, visit our landing page to learn more.

Solve more cases with access to more applications using unique engines

Applications contain key pieces of information that can provide great insights to an investigation. Most of the databases stored on mobile devices (iOS & Android) are SQLite databases. SQLite is a powerful and relatively simple way to store data. When extracting all SQLite databases from a mobile device, you will note that most of the databases are decoded by UFED Physical Analyzer, (which provides support for more than 200 unique apps and 3,000 app versions). However, there are still some databases that are unfamiliar or are not supported. With 2.4 million apps* available on the market today, there isn’t a single mobile forensics tool that can support all these third-party applications.

Cellebrite’s SQLIte wizard

With the release of UFED Physical Analyzer 6.0, we announced a new capability that enables you to access even more data from apps, including unsupported apps. In short, you can access any information stored on mobile devices, reduce time to evidence and close more cases with the new UFED PA.

As an examiner or an investigator, one of your challenges is to get as much information possible out of a mobile device. In many cases, the potential evidence may reside inside a third-party app that’s installed on the device. When this app is not supported by any mobile forensic solution, the alternative is to manually analyze and investigate the content of the app’s database.

With the new and unique SQLite wizard, you can visually map additional data from different databases, build queries and map database fields to supported models, (such as call logs, instant messages and other generic events).

I’ll take you through a step-by-step tutorial on how to recover data from a database using this tool.

SQLite wizard flow

 

 

 

If you know that a specific application was used on the device, but it was not automatically parsed during the decoding process, you can look into the database’s content and extract the data.

The database in the project tree (under data files), includes a list of all the databases available, with an indication that specifies if it was decoded by Cellebrite. We suggest that you filter out all the decoded databases, and focus on manually decoding the non-decoded databases that you feel may be important for the investigation.

Alternatively, you also have the option to manually decode a database that was already decoded. And why? There are new developments for applications all the time- for example, WhatsApp recently added video chat, and while Cellebrite is on the task to provide support for this new feature in upcoming releases, you may require this specific record immediately, so manually decoding the database will provide you with instant access to potential evidence.

Untitled-1

Let’s assume that you want to extract data from the mmssms.db (database on an Android device), which you suspect may contain critical evidence. First, start the manual decoding process by selecting this database. Within the database viewer pane above, you can see that the selected database has a total number of 362 records, so plenty of information there.

To get started, open the SQLite wizard:

SQLite wizard_home

The SQLite wizard allows you to include deleted data. Selecting this option increases the chances of false positive records, and in many cases, the interesting data or potential evidence may be found as deleted.

Build query:

The list of database tables is available on the left pane. Select the “sms” table with 112 potential records.

Drag the database table to the work area. You have the option to drag several tables and even create relationships between tables (or join in SQLite language). An SQLite query is automatically generated. Alternatively, you can also write your own SQLite query. To see your build queryquery results, click on the preview button.

Map data:
To map the selected data, you need to select one of the existing data models (e.g: call logs, instant messages) or a generic model. For the mmssms.db database, which holds SMS info, you should select the SMS Messages model. Now drag the field types to the correct columns. (See how the screen should look like below before you drag and drop).

Before mapping:

before mapping

 

After mapping:

after mappingSome columns have special formatting options that allow you to convert enum, lookup, XML/plist and timestamp formats to help map the relevant fields and columns, and also make the information readable by selecting the timestamp global format, for example, or customizing your own format.

Run Query:

Now that you completed the mapping process, run the query created in a way that new records are added to the SMS Messages model.

run query

For the the SMS Messages model, there were 207 records as part of the decoding, and after running the manual query there are 319 records available. Therefore, by using the SQLite wizard, I was able to recover a total of 112 new records!

The new records can be treated just like any other decoded record, I can tag, filter, search and include those in my report output. The manual queries can be saved for future use, where you can auto run it as part of the automatic decoding process, and recover huge amount of data that you would otherwise would not be able to access.

new records

Fuzzy methods

In addition to the manual SQLite query tool, we developed another tool to enrich your investigation with valuable data from unsupported database sources, using the Fuzzy model plugin. This innovative solution identifies new data sources, handles and parses unknown databases and endless application databases – some of which are supported by Cellebrite and some are not. Information is being automatically analyzed using a heuristic process and a unique set of rules.

This solution scans and analyzes all the databases and all tables within the databases, and automatically maps the records into a known model ( such as email, IM, call logs etc.).

There are two types of fuzzy models:

  1. Fuzzy objects – View extracted data from any database which has not being decoded by UFED Physical Analyzer’s parsers. This model holds information regarding a certain artefact such as contact, account etc.
  2. Fuzzy events – View extracted events such as messages, call logs etc.

For each one of these models, you can see the list of results presented in a table and the database view pane, which displays the contents of database files that were found in the extraction.

Once the decoding process is complete, you can run the Fuzzy plugin directly from the main menu (Tools àRun Fuzzy model plugin).

The results are presented under Analyzed data in the project tree. Any record in these two tables can indicate a potentially relevant piece of evidence. To find more details, it is recommended to analyze the source database.

Records with a timestamp are also available in the timeline view, which allows you to track and view events in a chronological order to quickly understand the chain of events.

 

*https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/

Python Script to Map Cell Tower Locations from an Android Device Report in Cellebrite

Recently Ed Michael showed me that Cellebrite now parses cell tower locations from several models of Android phones. He said that this information has been useful a few times but manually finding and mapping the cell tower locations by hand has been a pain in the butt. I figured that it should be easy enough to automate and Anaximander was born.

Anaximander consists of two python 2.7 scripts. One you only need to run once to dump the cell tower location information into a SQLite database and the second script you run each time to generate a Google Earth KML file with all of the cell tower locations on it. As an added bonus, the KML file also respects the timestamps in the file so modern versions of Google Earth will have a time slider bar across the top to let you create animated movies or only view results between a specific start and end time.

Step one is to acquire the cell tower location. For this we go to http://opencellid.org/ and sign up for a free API. Once we get the API key (instantly) we can download the latest repository of cell phone towers.

mappic

Currently the tower data is around 2.2 GB and contained in a CSV file. Once that file downloads you can unzip it to a directory and run the dbFill.py script from Anaximander. The short and simple script creates a SQLite database named “cellTowers.sqlite” and inserts all of the records into that database. The process should take 3-4 minutes and the resulting database will be around 2.6 GB.

Once the database is populated, the next time you dump an Android device with Cellebrite and it extracts the cell towers from the phone, you’ll be ready to generate a map.

From The “Cell Towers” section of your Cellebrite results, export the results in “XML”. Place that xml file and the Anaximander.py file in the same directory as your cellTowers.sqlite database and then run Anaximander.py –t <YourCellebriteExport.xml> . The script will start parsing through the XML file to extract cell towers and query the SQLite database for the location of the tower. Due to the size of the database the queries can take a second or two each so the script can take a while to run if the report contains a large number of towers.

output

Ed was kind enough to provide two reports from different Android devices and both parsed with no issues. Once the script is finished it will let you know how many records it parsed and that it generated a KML file.

done

This is what the end results look like.

mapresults

The script can be downloaded from: https://github.com/azmatt/Anaximander

This is the first version and there are several improvements to make but I wanted to get a working script out to the community to alleviate the need for examiners to map the towers one at a time. Special thanks again to Ed Michael for the idea for this (and one other) script as well as for providing test data to validate the script.

Follow my blog for up to date digital forensics news and tips: http://digitalforensicstips.com/

About Matt:

Matt performs technical duties for the U.S. government and is a Principal at Argelius Labs, where he performs security assessments and consulting work. Matt’s extensive experience with digital forensics includes conducting numerous examinations and testifying as an expert witness on multiple occasions.

A recognized expert in his field with a knack for communicating complicated technical issues to non-technical personnel, Matt routinely provides cyber security instruction to individuals from the Department of Defense, Department of Justice, Department of Homeland Security, Department of Interior, as well as other agencies, and has spoken frequently at information security conferences and meetings. Matt is a member of the SANS Advisory Board and holds 11 GIAC certifications. Among them: GREM, GCFA, GPEN, GCIH, GWAPT, GMOB and GCIA.

 

 

TomTom Triplog Decryption: Provided by Cellebrite Advanced Investigative Services

Global Positioning Systems (GPS) fall into the category of wireless communications that hold a considerable amount of evidence that can be used in an investigation. People’s whereabouts are recorded in “second-by-second” detail on their TomTom navigation system and retrieving this type of information can provide powerful digital evidence for your case.

In recent years, the law enforcement community has seen a dramatic increase in the use of GPS devices as an instrument of a crime or as a “witness device” collecting and logging positional data while the crime is being carried out. TomTom and Garmin units are by far the most popular devices law enforcement have been encountering. The sales of portable navigation devices are at an all-time high.

Last year, more than forty million portable GPS devices like TomTom’s GO series or Garmin’s Nuvi series were sold worldwide.* In Europe, TomTom is the most widely used navigation system; and the big market share (47%) could be attributed to the TomTom built-in installation in vehicles. Forensic analysis of vehicle movements records can provide evidence of considerable value in crime detection. (While Cellebrite does not provide data extraction from built-in systems, we support decoding of chip-off data extractions from them, and then decryption of the triplogs).

Cellebrite supports a select list of TomTom devices, which can be found here. Aside from extracting timestamped GPS locations from the trip log files using unique decryption technology, Cellebrite also provides decoding support for contacts, calls and locations. Forensic analysis of such records can provide evidence of considerable value in crime detection.

Upon setting up a TomTom device for the first time, it prompts the user for permission to collect information from the navigation device. The information or triplogs shared is used to improve maps and other services offered by TomTom, such as traffic information related to where the user is. (These services are disabled if a user chooses not to share the information).

If the user accepts, his or her TomTom device is set to log all trips in dedicated binary files known as triplogs. These files are saved in the device file system under a directory named STATDATA. The triplogs collected illustrate a breadcrumb trail of where the person travelled to with the navigation system in very high resolution. TomTom triplogs are encrypted in order to protect user privacy, but also accumulate additional encryption obstacles to the ones that already exist.

Cellebrite offers a unique decryption service to our customers, as part of Cellebrite Advanced Investigative Services, that enables the extraction of timestamps and locations from the triplog files that reside in the STATDATA folder. The triplog files hold complete trip GPS information (including latitude and longitude), and thousands of locations, in a resolution of 1 to 5 seconds.

TomTom Triplogs

How can I send Cellebrite these triplogs?

Using UFED Physical Analyzer, open the extraction and then select Tools,TomTom menu, select Export to save the XML file generated from the triplogs, and submit to Cellebrite via CAIS. The decrypted data will be sent back to you within a few days, and ready to be imported into UFED Physical Analyzer- where the triplogs can be viewed in detail (3 second log when device was active). A kml-file can then be generated and viewed in Google Earth and other similar applications.

UFED Physical Analyzer enables TomTom extraction and decoding of the following information: home, favorites, recent, user entered, locations, last journey, location, date & time, routes, GPS fixes (also deleted), deleted locations (of all categories), as well as recovery of geotag visualization of location based data on Google Earth/Maps.

UFED Physical Analyzer has also been equipped with a covert feature that enables silent activation of triplog files, which means that you can connect a TomTom device to the UFED system and activate the logging feature. As soon as this is carried out, the device will start saving triplogs, once TomTom is in use again.

Send us an email to learn how Cellebrite Advanced Investigative Services can help with your encrypted triplog files, along with Google Earth KML files.

Watch the webinar below to learn how you can use UFED Physical Analyzer to extract TomTom files:

References

*http://www.forensicfocus.com/tomtom-gps-device-forensics

Discover Best Practices and Advanced Decoding with UFED Physical Analyzer: Q&A from Cellebrite’s webinar

In a recent webinar, Dan Embury, our CAIS Technical Director, provided participants with tips and tricks, and best practices to help them get the most out of UFED Physical Analyzer. Overviews include Android custom recovery, Android UFS-based device unlocking, BlackBerry 10 backup encryption, Android backup APK downgrade, Apple iOS jailbreaking overview, as well as decrypting and decoding TomTom trip log files.

The webinar is available for viewing at the bottom of this post. During the webinar, participants asked a number of good questions, which we’ve compiled in this blog.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Q: Can you confirm that TomTom decryption is not included in UFED Physical Analyzer

A: The decryption itself is not included in UFED Physical Analyzer. It requires offline processing, utilizing a large number of computers and processors. Ultimately, exportation of TomTom decryption in XML format can be forwarded to Cellebrite, and we will do the decryption. The decrypted results are then provided back to you to analyze in UFED Physical Analyzer, using the TomTom import function.  Please contact CAIS@cellebrite.com for more details and to submit your encrypted trip logs.

Q: WhatsApp recently announced that they have encrypted chat and voice chat, can UFED extract WhatsApp data after the WhatsApp upgrade?

A: In general, messages while in-transit are encrypted however this does not affect data-at-rest (forensics) stored in the WhatsApp databases. Cellebrite will release a solution in the coming days to decrypt the new WhatsApp encryption key – crypt9.

Q: When retrieving the BlackBerry encryption key using BlackBerry ID and password, how does this work?

A: Within UFED Physical Analyzer, you may retrieve the key associated with a BlackBerry ID using known credentials and decrypt the backup data from BlackBerry devices.

How to use: Open a file system extraction of a BlackBerry 10 device.  During the decoding process, a window is displayed: Enter the BlackBerry ID credentials and select Get Backup key (to retrieve a key, an Internet connection is required in order to communicate with the BlackBerry company servers).

You can save the key for future usage by selecting the Save button. If an Internet connection is not available, you can retrieve a key on any instance of Physical Analyzer connected to the Internet. Go to Tools and select Retrieve BlackBerry 10 Backup Key.

Enter the BlackBerry ID credentials and select Get Backup key. Click Save and load the key from the UFED Physical Analyzer disconnected from the network to continue with the decoding process.

Q: Are new Android devices encrypting the information in a unique fashion for each device?

A: The results of ongoing research both at Cellebrite and within the forensic community are exposing what sort of evidence can be extracted from these newer devices. The processors that are being integrated into Android, iOS, and BlackBerry devices are very powerful integrated circuits.  Since there has been such a focus on security over the past few years, these chips contain dedicated cryptography functionality to perform background tasks without impacting the user experience, all the while making security easier to implement and stronger against attack.

Q: Do you plan to incorporate jailbreaking into the product?

A: At this point in time, we do not plan on incorporating older jailbreaking methods into the UFED.  The best resource to find viable jailbreaks can be found at http://canijailbreak.com

Q: Are you recommending that we jailbreak all iPhones when possible in order to extract the maximum amount of data?

A: If your agency permits jailbreaking and the investigation warrants the additional effort to jailbreak the exhibit, then by all means, maximal effort should be expended to seek the truth and extract all evidence possible.  You simply don’t know what evidence you may be missing, whether inculpatory or exculpatory.  Major cases, cold case homicides, missing persons, and other exigent circumstances may justify jailbreaking, but always seek permission from stakeholders and test the method on a matching sample device.

Q: In iOS, how did you get emails using Methods 1 and 2 on an iPhone 5S?

A: The test case from the webinar was an iPhone5,2 (A1429) which is an iPhone 5, not an iPhone 5S.  Performing a jailbreak enables a Method 3 extraction to pull protected emails from the file system.  The emails pulled using Method 1 and 2 were from web-based emails that were clearly not protected with the file system.

Q: In your experience what is the success rate for jailbreaking phones?

A: From our research, the jailbreak will either work or not work, depending on a number of factors, including if the user upgraded the iOS firmware in the past using OTA (over-the-air).  The various jailbreaking teams work hard to prevent any adverse effects, but since the “first-to-finish” concept seems to apply for each iOS version, not a lot of effort is put into solving corner cases that would apply to forensics, versus the typical consumer not caring if the device needs to be reset prior to the jailbreak.

Q: Has Cellebrite been able to bypass the iOS pin on iPhones?

A: Cellebrite has the unique unlocking services provided by Cellebrite Advanced Investigative Services (CAIS).  The current offering is for iOS 8 running on the iPhone 4S, 5, and 5c, as well as associated iPad and iPod touch models.  The service helps investigators in important cases for which traditional mobile forensic tools do not have support.  Ongoing efforts by our leading team of researchers is continuing for newer models and those running iOS 9.  Please contact CAIS@cellebrite.com for more details.

Q: Does Cellebrite plan on including Android custom recovery partition flashing in the UFED?

A: The upcoming UFED release will add custom recovery for Samsung Galaxy S6, S6 Edge, and Note 5 to allow physical extraction while bypassing lock for models without locked boot loaders, such as Global models and those offered by Sprint, T-Mobile, and US Cellular.  Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition based on Team Win Recovery Project (TWRP).  Cellebrite’s recovery image does not affect any user data.  It is recommended to use the Forensic Recovery Partition method when other physical extraction methods (e.g. Bootloader) are not successful, or not available (i.e. if the Android’s firmware version is not supported).  For other carriers, including AT&T, Cricket, and Verizon, please contact CAIS@cellebrite.com for more details.

Q: Couldn’t a backup of the device give you the ability to go back to the starting point if custom recovery fails?

A: Unfortunately, it is not possible to do a backup of the device when there is a user lock code set and Android Debug Bridge (ADB) is disabled.  Cellebrite’s fully tested custom forensic recovery partition methods should not fail or cause any adverse effects (e.g. boot loop, etc.)

Q: Do you know if Windows 10 phones are encrypted at the chip level?

A: Research into less popular handsets can be performed if sufficient demand comes from our customers.  Some previous Lumia Windows 8/8.1 can be analyzed with our unique boot loader physical extraction, while other models can be supported with JTAG, chip-off, or In-System Programming (ISP).  We always welcome feedback via Technical Support for obscure mobile devices that you frequently encounter and we do not support.  Often times, minimal effort from our researchers is required to make the necessary additions to our UFED device coverage, all the while helping you solve more crimes.

Q: How does Android APK Downgrade work within UFED, and are there any risks to this method?

A: UFED downgrades encrypted Android apps in the device itself over Android Debug Bridge, by pushing an APK package to it, since it’s possible to then have an older version of the app do the interpretation of the newer inaccessible data. Within the UFED 4PC/Touch, connect to the device, and downgrade the app to an earlier version to extract the app database. There are some risks to this method since it makes changes to the device, thus, it’s advised to use as a last resort. If you know that a suspect is utilizing an application, and the extraction of all the other databases from the device do not produce any fruitful evidence, this method is recommended.  For example, if you believe that there was communication taking place via WhatsApp, then it’s important to squeeze out every last little bit of evidence from the device.

Click here to start your free trial for UFED Physical Analyzer.

View the full webinar below:

UFED 5.0 drastically decreases your time to evidence by drilling into the data that’s most crucial

Sifting through data is a very time consuming process- the average US smartphone user takes up 10.8GB of storage capacity on their device*, and taking into account different data recovery options in UFED Physical Analyzer, this process may take up to several hours to complete. UFED 5.0 came out with major time-savers that drastically decrease your investigation time, and lets you focus on the data that is most crucial to your investigation. Version 5.0 brings five crucial industry-first features, and support for 19,203 device profiles and 1,528 app versions.

Merge multiple extractions in a single unified report and avoid deduplicates

You asked for it, we developed it. With UFED Physical Analyzer 5.0, you now have the ability to merge multiple extractions from multiple devices into a single unified project, which can include logical, physical and file system extractions. The extracted data is presented under one project tree, and provides a unified extraction summary with device info per extraction, the ability to drill down to each extraction, and an indication of the original extraction source. If required, you also have the option to combine extractions from different devices. 

merge mult files

 

This powerful feature saves you time not only by combining the extractions, but also by removing deduplications (duplicate or redundant information), and grouping together similar and duplicate records for quick and efficient analysis. The following extraction types may be grouped together: Logical, advanced logical file system, physical, SIM card, JTAG, SD Card, and UFED Camera Evidence.

Here is what one investigator had to say about this new capability: “Being able to instantly navigate to where each piece of data is located in the memory dump is an outstanding feature. This saves hours of time on each complex investigation.”

Validate your data the right way

The latest validation process saves you time and resources by providing you with the most effective and most efficient way to perform a real and accurate validation process, by validating the decoded data with the original source file; Thus, reducing your need to use other mobile forensic tools for additional extractions to compare and validate the results.

Every recovered artifact has a source that it originally derived from, and can be used to later to validate the data. If previously you spent time manually searching for the original source, UFED Physical Analyzer 5.0 now tracks back the automatically decoded content to its source.

Every extracted record now includes the file source information in a table view or in the right pane with device information. Each link points to the offset data and includes the source file name, which can be included in a UFED report when testifying in court. For example, using UFED Physical Analyzer 5.0, an examiner can easily see from the original source file that a recovered SMS was a deleted artifact, since it was recovered from the memory of the device. That SMS is also visible and highlighted in the hex viewer, when clicking on the file source information link. (The db file where the SMS came from is also displayed in the right pane).

2

 

 

 

 

 

 

Focus on relevant media files with the common image filter

An additional time saver added to version 5.0 is the new automatic filter feature. UFED Physical Analyzer 5.0 saves massive investigation time by automatically filtering out common or known images, allowing you focus on the images you need to get to the evidence quick, rather than wasting time reviewing thousands of images that are default device icons, or images that come as part of app installation.

The MD5 hash value is available for every extracted media file, and is visible in the user interface and in the report output, as part of the decoding process.

How would you use this feature? Say you have 200 hash values of indecent images in your own database, you can easily create a watch list for all the hash values from your database, and run the watchlist to find a match search for the same images on the device. In case of a match, a nude photo will be detected on the device. Alternatively, you can export the hash values from the device into excel, and run a match on your database, as well as expand your list with new hash values belonging to suspicious nude photos.

As presented in the image below, if previously you had to review 24998 images, you now have 900 less images to review.

ReviewMediaFiles_Hash_Calculation-Recovered

 

 

 

 

To view all images, click on filter reset or remove the auto-filter option in the Settings.

 

Access blocked application data with file system extraction

Version 5.0 introduces another industry-first capability, providing you access to blocked application data when physical extraction is not available for the specific device. The introduction of new app versions also introduce new challenges, such that they are no longer available for backup using the Android backup method, since they are blocked for backup service. UFED overcomes this limitation with a new option called APK downgrade method, also available via file system extraction. This method temporarily downgrades the app (or .apk file) to an earlier version that is compatible for Android backup. UFED will present the list of apps installed on the device, and the ones available for downgrade. Open the extraction in UFED Physical Analyzer to decode both intact and deleted apps data.

Popular supported apps include WhatsApp, Facebook, Facebook Messenger, Line, Telegram, Gmail, KIK and more.

Extract data using Temporary root (ADB) and enhanced bootloader method

Temporary root (ADB) solution has been enhanced to support 110 Android devices running OS 4.3 – 5.1.1, for file system and physical extraction methods, (when ADB is enabled). Logical extraction of apps data is also available for the listed devices using the temporary root solution. As part of your examination, you need to gain access to all the data stored on a mobile device.  This is achievable via a physical extraction, which is the most comprehensive solution, and provides the richest set of data. As part of our ongoing efforts, you are now able to perform a physical extraction for the selected 110 devices using the ADB method instead of manually rooting the device using an external tool.  Third party tools provide a permanent root, while Cellebrite’s temporary root solution is removed after restart, and assures forensically-sound extractions.

The bootloader method has been further enhanced in version 5.0. This unique lock bypass solution is now available for 27 additional devices (APQ8084 chipset), including Galaxy Note 4, Note Edge, and Note 4 Duos.

Version 5.0 also introduces physical extraction and decoding support for a new family of TomTom devices; as well as file system and logical extraction and decoding is also available for recently launched devices, including iPhone SE, Samsung Galaxy S7, and LG G5.

Watch the video below to learn more about UFED 5.0 release highlights.

Download our release notes for full details about version 5.0 capabilities.

Exclusive support for additional Motorola Androids highlights 4.5 release

Motorolla Exclusive Banner2

With the release of UFED 4.5, Cellebrite announces support for 18,290 device profiles and 1,270 app versions. The recent release brings industry first access to 11 additional Motorola Android devices, logical extraction via Bluetooth from any Android, and enhanced decoding support for the latest versions of all UFED supported applications running on iOS and Android devices.

Logical extraction via Bluetooth

Version 4.5 introduces a quicker and more efficient workflow, providing users with the option to perform a logical extraction via Bluetooth from any Android device. Extracting via Bluetooth is an effective solution to recover data from devices with damaged USB ports, as well as from prepaid devices (such as TracFone Android), which come with locked USB ports.

As illustrated in the image below, to use this option, select Use Bluetooth under Select Content Types.

UseBluetooth (1)

 

 

 

 

                                 Physical ADB method for rooted Android devices

Physical ADB method is now available for pre-rooted Android devices, when the physical extraction method is not supported. Using the ADB method, users can now perform physical extraction from rooted Android devices.                                                A few notes regarding rooted devices and ADB…

What is rooting? To “root” a device means to gain administrative rights on the file system on Android operated devices. A device can be rooted as part of recovery partition or fully rooted following rooting process.

What is ADB and how does it work? ADB, or Android Debugging Bridge, is a built-in protocol within the Android operating system. This protocol enables developers to connect to an Android-based device and perform low-level commands used for development. In UFED, the protocol to perform an extraction of Android Devices.

 Updated app support

Following recent news regarding ISIS terrorists using the Telegram app to carry out their activities, version 4.5 keeps pace with industry demands by providing enhanced decoding support for Telegram’s latest version running on iOS and Android devices. Updated support is also available for 134 Android and 43 iOS app versions.

Improved Functionality for UFED Physical Analyzer and UFED Logical Analyzer

Version 4.5 also introduces improvements for the ruggedized frontline tool, UFED InField Kiosk, enabling users to encrypt mobile forensic reports and UFDR files using a password. Users can open encrypted reports using the password, view the reports with UFED Physical Analyzer and UFED Logical Analyzer. Password-protected reports can also easily be shared with other other investigators over a network using UFED Reader.

Additional enhancements include new offline map packages for the following regions: Minsk, India, Germany, Australia and New Zealand, Scandinavia. (The Offline maps feature was introduced in version 4.2. This feature enables you to view extracted locations on a worldwide map without internet connection).

Learn more about UFED 4.5 – download the release notes here!

Save critical investigation time with UFED Reader: Q&A from Cellebrite’s webinar

In the past several years, cases involving computer hard drive forensics have declined while mobile forensics have risen, increasing demand to analyze digital evidence off mobile devices. Typically, the forensic lab examiner will generate reports with all the extracted data from the device and send it over to the investigator, who has to review all the data in order to find the relevant piece. This may mean sifting through hundreds, even thousands of pages from several devices in order to find the needle in the haystack.  In some cases, the investigator may discover that you need additional data that was not even supplied.

In a recent webinar, we presented the UFED Reader, a free and easy to use digital tool that helps you review the report files generated from analyzed data of a physical, file system, or logical extraction by UFED Physical Analyzer and UFED Logical Analyzer.

blog nov 23

The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog- including some that we didn’t have time to answer during the webinar.

Q: Can UFED Physical Analyzer create a .ufdr file that contains all the artifacts, including pictures, videos, SMS, MMS, etc.?

A: UFED Reader is able to create massive .ufdr files, even from phone dumps that are over 16 gig.

Q: Where is the UFED Reader file located?

A: UFED Reader executable file can either be forwarded from the forensics lab with a report, or it can easily be downloaded from the customer portal at my.cellebrite.com.

Q: Can I also see shared data between different reports using the reader?

A:  You can open different reports using the reader, it can be different reports of the same device or even reports related to different devices. However, each project is handled separately. You can perform searches on all projects but the views are separated. SMS’s, contacts, locations, all these are presented per project, also the timeline and reports are not shared. If you need to see connections and links, it is recommended to use UFED link Analysis; which enables you to open up to 100 data sources, and see the links between different data extractions.

Q: For multi-jurisdictional investigations how can you import an XRY file for parsing by a UFED?

A: While UFED Reader cannot open XRY reports, UFED Link Analysis has the ability to open external reports, and provides a joint view of both Cellebrite and XRY reports.

Q: Can you generate a report containing only bookmarked items?

A: Yes, UFED Reader provides you with an option to include entity ‘bookmarks only’ which incorporates bookmarked items only in the report output. Bookmarking highlights the evidence that is relevant to the case, and UFED Reader provides the option to include in the report only the artifacts that are important for that investigation. As a result, the report generated is concise, short and protects personal data that is not relevant to the case.

Q: Which mobile device operating systems are supported by the UFED Reader?

A: Cellebrite supports all known and familiar operation systems, and all devices that can be extracted and decoded using the UFED Series (including Touch/4PC/Logical/Physical) Analyzer) can be opened by the UFED Reader- meaning any .ufdr report generated can be opened by the UFED Reader.

Q: Are there chat-threading capabilities within the UFED Reader module?

A: In the Chats view, you will see a list of chat messages extracted from the device, including third-party app, such as Whatsapp or Snapchat messages. This view provides information about the chat, such as start date and time, participants, source and number of messages, which are also listed chronologically on the right pane in full detail (including body of messages and attachments). The conversation view layout option is also available for easier and better tracking over the communication between two or more parties. You can search for messages within a chat, select the messages to include within a report, print, or export the conversation.

Q: Is it possible to see restored deleted information from mobile devices?

A: Cellebrite has the ability to extract and decode deleted information from mobile devices, and these items are included in the.ufdr report, and presented in UFED Reader with a red ‘x’ icon next to the artifact.

Q: Can UFED extract logical and physical data from Windows Phone 8 and new Android-SM using MTP (media transfer protocol) instead of UMS (mass storage)?

A: For Windows Phone 8 using the logical extraction method, you can extract contacts via Bluetooth and Multimedia data via USB (MTP protocol). Physical extraction is available for selective Nokia Lumia (out of the box WP8) models. For Android devices, using logical extraction method, you can extract Multimedia data for newer Android devices, via USB (MTP protocol).

View the full webinar below:

 Leave a comment if you have a question that was not answered above, or in the webinar itself!

Exclusive bootloader method support for the latest Samsung devices headline UFED 4.4 release

Bootloader banner

With the release of UFED 4.4, Cellebrite announces support for 17,638 device profiles and 1,092 app versions. UFED 4.4 introduces the exclusive bootloader method designed to solve some of investigators’ most challenging problems for unlocking and extracting data from leading Samsung Android devices. Also including decoding support for new devices and OS updates, including iPhone 6S/6S Plus, iOS 9.1, and Android Marshmallow.

New unlocking & physical extraction support for Androids using the unique bootloader method

In previous version 4.2.6, we announced the release of the enhanced bootloader method, which enables you to obtain additional data when performing a physical extraction while bypassing user lock from Samsung devices.

As part of our ongoing efforts to provide the best physical extraction capabilities for the latest Android devices, version 4.4 introduces an enhanced bootloader to support newer phone firmware versions, and includes 12 additional Samsung devices. You can now obtain additional data by performing a physical extraction using the enhanced bootloader method for 85 popular Samsung Android devices running Android 5.x. This unique solution supports the following Samsung families: Galaxy S3, S4, S5, Note 3 and Note 4.

What is the bootloader method?

Physical extraction using the boot loader method is the recommended method to recover data from Android devices. When the device is in boot loader mode during extraction, the operating system does not run, and therefore, the device cannot connect to the mobile network. It bypasses any user lock is forensically sound.

New tutorial video is available below.

Cellebrite now supports new iPhone 6S/6S Plus and Android v6.0 Marshmallow

Recent device launches and updated operating system are also supported with UFED 4.4.  Users can now perform file system, logical (including applications data), advanced logical extraction, and decoding from,iPhone 6S and 6S Plus devices and iOS 9.1. UFED 4.4 also provides file system and extraction support for the latest Android v6.0 Marshmallow with limitations. Following recent changes made in Android 3rd party apps, including Facebook, WhatsApp and Snapchat, data from these apps can no longer be extracted when performing file system and logical extractions when using Android backup method. We recommend two options in order to overcome this limitation: Perform a physical extraction (when available), or root the device to extract data.

iPhone6 banner for blog

Extend your investigation capabilities with enhanced support for new apps for iOS and Android

UFED 4.4 keeps pace with investigator demand for more app support, and greater visibility into app data. This version introduces newly added support for some of the most popular apps installed on both Android and iOS, including: Google Drive, Google Tasks, Google Translate, Inbox, One Drive ,Pinterest, Runtastic, Yandex Browser, Yandex Maps; One Note and VIPole are available for Android.

With 300 million active users using Dropbox, 250 million using Microsoft’s OneDrive, 240 million using Google Drive*, and 100 million users on Pinterest, (the third most popular social network in the US)**. We are bound to believe that high number of people using these apps on their devices, may also hold the evidence you need for your investigation.

Updated support is also available for 53 Android and 61 iOS app versions.

New decoding method process for WhatsApp data 

App_whatsappIn UFED 4.2.6, we introduced a new capability to decrypt WhatsApp data. Using a third-party script, you can manually extract the WhatsApp key (on non-rooted Android devices), and use it in UFED Physical Analyzer to decode and decrypt the data. During the process, the WhatsApp version will be temporary downgraded to an earlier version, so that the key can be .extracted and used to decode the WhatsApp database. The current WhatsApp version will be restored at the end .of the extraction process.

A new step-by-step process is now available in MyCellebrite.

Learn more about UFED 4.4– download the release notes here!

* http://expandedramblings.com/index.php/google-app-statistics/

**http://marketingland.com/pinterest-says-it-has-100-million-monthly-active-users-143077

Speed Cloud Data Extractions from Anywhere

In our socially-driven world, it’s not surprising that Facebook, Kik and Instagram posts, as well as other cloud data sources have the power to break criminal cases wide open. The challenge for forensic examiners is getting to that data quickly. Together with mobile device data, these sources often capture the details and critical connections investigators and prosecutors need to solve a wide variety of crimes. UFED Cloud Analyzer, the first tool of its kind, removes the roadblocks and red tape involved in getting access from cloud service providers, reducing valuable time and cost to investigations.

“Social media data is a headache to access from application providers, but is so critical now to forensics investigations,” said Sgt. Andrew Weaver, Hartford, C.T., Police Department. “It can takes months to receive data with a warrant and then we do, it’s challenging to review and uncover pertinent details – not to mention time consuming. UFED Cloud Analyzer gives us access to this data quickly so we don’t lose valuable investigation time waiting.”

Part of the UFED Pro Series exclusive and powerful investigative tool automatically collects both existing cloud data and metadata without the need for credentials, because the tool impersonates the phone in order to perform the extraction. It then packages this data in a forensically sound manner either in the field or the lab. This allows investigators to search, filter and sort data to quickly identify “Who?, When?, Where?” details to speed investigations from anywhere.

Extraction Criteria Definition

UFED Cloud Analyzer Retrieved Google Location Data as Key Evidence for an Investigation

The forensic practitioners already using this new tool are not only reaping its considerable rewards, but singing its praises.

“While assisting a local law enforcement agency with a recent criminal investigation, we were able to utilize Cellebrite UFED Cloud Analyzer to remotely collect Google location data pursuant to a search warrant,” said Jim KempVanEe, Director of Digital Forensics.

LogicForce Consulting, Nashville, Tenn. “Within minutes of collecting the location data, we were able to confirm for the investigators that the suspect’s phone was within feet of the 12 year old victim’s home and we was able to trace the suspect’s movements after he left the scene.  All of this while another search warrant for location data sat idle at Google waiting to be processed.  Great tool – thank you Cellebrite!”

Cloud Analyzer with Google Maps icon2

Extract Insights Faster with New, Faster Capabilities

In the latest release of this tool, the capability to decode a cloud data account package from an Android device via a logical extraction just got even faster and more actionable. Investigators can now decide upfront which data should be extracted, selecting specific files and directories from cloud storage services including Google Drive and Dropbox. You can also now select a specific portion of email messages to access – headers only, headers and body without attachments, etc., helping to reduce investigative cycles.

Other key enhancements include the ability to:

  • Extract detailed location information from a suspect or victim’s private Google Location History, stored on Google cloud servers, allowing investigators to track all timestamped movements minute by minute
  • Track and analyze a suspect’s Facebook Likes and Events to get a better understanding of a suspect or victim’s interests, opinions and daily activities
  • Gain access to more Twitter connections, including pending requests either requested or received, to dive deeper into a suspect’s relationships
  • Reveal changes and/or discrepancies in images, videos and files stored in Google Drive and Dropbox

To learn more about how the UFED Cloud Analyzer and the UFED PRO Series can help you solve more cases quickly and accelerate investigations by gaining instant access to cloud data, contact your Cellebrite sales representative or visit http://www.cellebrite.com/Mobile-Forensics/Applications/ufed-cloud-analyzer

banner1