Speed Cloud Data Extractions from Anywhere

In our socially-driven world, it’s not surprising that Facebook, Kik and Instagram posts, as well as other cloud data sources have the power to break criminal cases wide open. The challenge for forensic examiners is getting to that data quickly. Together with mobile device data, these sources often capture the details and critical connections investigators and prosecutors need to solve a wide variety of crimes. UFED Cloud Analyzer, the first tool of its kind, removes the roadblocks and red tape involved in getting access from cloud service providers, reducing valuable time and cost to investigations.

“Social media data is a headache to access from application providers, but is so critical now to forensics investigations,” said Sgt. Andrew Weaver, Hartford, C.T., Police Department. “It can takes months to receive data with a warrant and then we do, it’s challenging to review and uncover pertinent details – not to mention time consuming. UFED Cloud Analyzer gives us access to this data quickly so we don’t lose valuable investigation time waiting.”

Part of the UFED Pro Series exclusive and powerful investigative tool automatically collects both existing cloud data and metadata without the need for credentials, because the tool impersonates the phone in order to perform the extraction. It then packages this data in a forensically sound manner either in the field or the lab. This allows investigators to search, filter and sort data to quickly identify “Who?, When?, Where?” details to speed investigations from anywhere.

Extraction Criteria Definition

UFED Cloud Analyzer Retrieved Google Location Data as Key Evidence for an Investigation

The forensic practitioners already using this new tool are not only reaping its considerable rewards, but singing its praises.

“While assisting a local law enforcement agency with a recent criminal investigation, we were able to utilize Cellebrite UFED Cloud Analyzer to remotely collect Google location data pursuant to a search warrant,” said Jim KempVanEe, Director of Digital Forensics.

LogicForce Consulting, Nashville, Tenn. “Within minutes of collecting the location data, we were able to confirm for the investigators that the suspect’s phone was within feet of the 12 year old victim’s home and we was able to trace the suspect’s movements after he left the scene.  All of this while another search warrant for location data sat idle at Google waiting to be processed.  Great tool – thank you Cellebrite!”

Cloud Analyzer with Google Maps icon2

Extract Insights Faster with New, Faster Capabilities

In the latest release of this tool, the capability to decode a cloud data account package from an Android device via a logical extraction just got even faster and more actionable. Investigators can now decide upfront which data should be extracted, selecting specific files and directories from cloud storage services including Google Drive and Dropbox. You can also now select a specific portion of email messages to access – headers only, headers and body without attachments, etc., helping to reduce investigative cycles.

Other key enhancements include the ability to:

  • Extract detailed location information from a suspect or victim’s private Google Location History, stored on Google cloud servers, allowing investigators to track all timestamped movements minute by minute
  • Track and analyze a suspect’s Facebook Likes and Events to get a better understanding of a suspect or victim’s interests, opinions and daily activities
  • Gain access to more Twitter connections, including pending requests either requested or received, to dive deeper into a suspect’s relationships
  • Reveal changes and/or discrepancies in images, videos and files stored in Google Drive and Dropbox

To learn more about how the UFED Cloud Analyzer and the UFED PRO Series can help you solve more cases quickly and accelerate investigations by gaining instant access to cloud data, contact your Cellebrite sales representative or visit http://www.cellebrite.com/Mobile-Forensics/Applications/ufed-cloud-analyzer

banner1

 

New UFED release 4.2.2 offers exclusive support, impressive breakthroughs and enhanced decoding

With the release of UFED Physical/Logical Analyzer 4.2.2, Cellebrite offers new decoding features designed to improve investigative efficiency from 1,128 additional device profiles and enriched degree of decoded data from 873 app versions.

Exclusive support for the latest and popular Samsung devices

Samsung contributes to the highly fluid mobile market by introducing ever smaller and lighter mobile device models every few months. The quick adoption of these devices by felons leaves investigators to encounter additional challenges during the investigation. Cellebrite enables access to all data, including deleted data, from the newest Samsung Android devices available in the market today. Cellebrite supports physical extraction while bypassing the user lock using the forensic recovery partition method, and decoding from 33 Samsung Android devices, including Samsung Galaxy S5, S6 and Note 4 family of devices.

Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition. The original recovery partition on the Android device can be considered as an alternative boot partition that may also change the user data partition, while Cellebrite’s recovery image does not affect any of the user data.

Support for next generation smart watches

Android wear may be a new concept, but with nearly $7M sales just last year, many independent research groups anticipate a huge growth in the wearable space is in the next upcoming years. With the rate of new devices entering the market by Samsung and others, Cellebrite ensures that investigators remain ahead with the most advanced extraction and decoding technology to support these new trending devices.

UFED enables physical extraction while bypassing lock, and decoding support from the most popular next generation smart watches including LG smart watch LG G WATCH R™ (W110) and the previously released Samsung Galaxy Gear SM-V700.

New app decoding and decryption support

Apps provide a rich source of data to investigations. 59% of our users say that 3rd-party apps data matter the most in investigations. Cellebrite provides updated support for 843 app versions in this release, as well as decoding support for new apps, such as Facebook Messenger (decoding of the call logs of the voice calling feature and the new video calling/chatting feature). Additional decryption is also available for UFED 4.2.2, UFED Physical Analyzer is now able to decrypt and decode Android Backup (Android 5.x) with a known password as part of the file system extraction.

Download the release notes to see a full list of apps and version numbers.

Now higher resolution view in offline maps feature

In UFED version 4.2 we introduced the latest offline maps feature which enables you to view extracted locations on a worldwide map without internet connection. This feature has been improved, enabling you to view extracted locations on a regional map, and zoom in at an even higher resolution of 15x to view streets for better indication and view of the location without internet access for the following continents: USA, Canada, Europe, Japan and Korea, Middle East, Africa, London, Los Angeles, New York, Paris, Singapore and Tokyo.

 Untitled

You asked for it, we developed it!

UFED Physical/Logical Analyzer 4.2.2 keeps pace with investigator demand and provides the option to redact the image thumbnail from the PDF, Word and HTML report. You would use this option with cases involving sensitive images, such as child abuse.

Untitled2

3 Reasons to Vote for Cellebrite for a 2015 Forensic 4:Cast Award

For as long as the Forensic 4:cast Awards have existed, Cellebrite’s UFED tools have been named Phone Forensic Tool of the Year. Being nominated among some of the greatest products in the industry, we couldn’t be more proud that the forensic community recognizes our continuing efforts to deliver the best, most innovative and  functional mobile forensic tools for seven years running.

Thanks to you, Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED 4PC for phone forensic software of the year
  • Digital forensic organization of the year

Will you vote for us this year? Here are a few reminders why Cellebrite deserves the Forensic 4:cast Awards.

1. We’ve got your back.

Cellebrite has always been known for its breadth of support for new devices, but in 2014 we deepened our support for both smartphones and the apps installed on them. We improved our automated decoding, so you can spend more time analyzing data than figuring out how to decode it; brought our device profile support up to more than 14,000; and added decoding support for 25 prepaid Android devices—including Tracfone models that stumped investigators for years.

2. We make data analysis as simple or as complex as you need.

The visual analytics we include in tools like UFED Physical/Logical Analyzer and UFED Link Analysis give you a basic, at-a-glance look at key people, places, and communications via Project Analytics, Timelines, Maps, and Graphs. These help you immediately visualize your data and focus on only that which is most relevant to your case.

When you need to get “into the weeds” with the data—at the device memory level—you can do that too. Locate, carve, and validate data using advanced search functions like regular expressions and searches for strings, dates, codes, numbers, ICCID, SMS formats, etc., and import your JTAG and chip-off extractions into UFED Physical Analyzer for decoding.

3. We give you the tools you need not just to extract and analyze the data, but also to testify about your process with confidence.

Tools with as much functionality as ours deserve investigators who can put them to good use, so in 2014 we stepped up our training and certification program. We are now the first and only digital forensic vendor to deliver courses not only in person, but also online, and more than 4,000 practitioners earned their Cellebrite certifications through the end of 2014.

Vote for us today!

 

UFED Physical/Logical Analyzer 4.2 offers efficiency improvements, decryption and enhanced decoding

PA42exclusive

 

 

 

 

The new Physical/Logical Analyzer release, version 4.2, is chock full of features and device support. From more efficient location mapping processes to improved decoding, this latest release is designed to accelerate your investigations and enable you to drill more deeply and intuitively into data from more than 15,000 devices.

Deeper location data analysis, more efficient workflows

UFED Physical/Logical Analyzer 4.2 offers a number of new enhancements with regard to location data. These enhancements offer more flexibility and efficiency by allowing you to access highly visual information more easily.

First, new offline map support offers maps view even when an Internet connection is not available or you are analyzing data at a workstation that is required to remain offline. Second, you can also now zoom in to locations in map view and see related event details. When you want to explore deeper relationships between locations, timelines, and analyzed data, you can jump from location information to its source event or timeline and vice versa.

Location information also allows you the ability to examine attached images, videos, audio, text, and other files identified during the data analysis process. The Data Files category in the project tree enables you to view and filter attachments within data files, locate the associated attachment event, and view its metadata and location information.

Do you frequently share your extracted UFDR reports with others using UFED Reader? Now, include the UFED Reader executable within the report output folder. This saves time for report recipients in locating, downloading, and using the UFED Reader application.

New app decoding and analysis functionality

UFED Physical/Logical Analyzer 4.2 also keeps pace with investigator demand for greater visibility into app data. Besides newly added support for apps installed on Android, iOS, and Windows Phone® devices, as well as updated support for 40 Android and 63 iOS app versions, the new release offers additional decoding and some decryption support, as well as improvements in the way app data—particularly chat app data—is displayed.

Added to analytics that show the most frequently used apps, app usage data now includes information about the last time a user launched a particular app, as well as for how long they used it. Also for the first time, view the number of messages per chat, which can help validate chats extracted using other tools that do not thread messages. Additionally, location data for chat messages is now available for export into all report formats.

Other apps-related support includes decryption of KeepSafe and WeChat apps, together with decoding support for WhatsApp VoIP call logs on Android devices. New WhatsApp support also includes the Read, Delivered and Played timestamps of outgoing WhatsApp messages for iOS, Android and BlackBerry® 10 devices. In addition, Twitter group chat messages are now displayed in Chats.

New device support includes physical extractions, decryption, and decoding

Disable the user lock for 159 Samsung Android models using SPR and SPM methods, depending on the device’s firmware version. In addition, Physical extraction with lock bypass and decoding is now supported for 58 LG Android devices released with Android version 4.2.x and above.

Decryption is now possible for physical extractions from generic Android and Samsung devices running Android 4.2 and below using a known password. Similarly, extract BlackBerry device backup data as part of file system extraction, and then decrypt the backup data with known BlackBerry ID credentials you retrieve via UFED Physical Analyzer.

Device information decoding is newly enhanced for all device types. For BlackBerry 10 this includes username, device model, PIN, IMEI, and device name; for Windows Phone devices, the information includes IMEI, IMSI, MEID, mobile operator ID, country, MAC address, and OS version. Device information for Android devices now includes the decoded Tethering ID and password, while iOS device product name and product type information are now included under device information.

Saving time in a death investigation

One Minnesota (US)-based detective working a death investigation used Physical Analyzer 4.2 to unlock a pattern locked Samsung Galaxy S5 (SM-G900V). Facing a lengthy and destructive chip-off extraction because the device did not appear to be supported for JTAG extraction, the investigator was able to run the device against a pre-release copy of Physical Analyzer 4.2. The extraction worked, and the investigator was able to use that evidence to continue building his case.

To learn more about how the new UFED Physical/Logical Analyzer 4.2 can help accelerate your investigations, download our release notes today!

New time-saving features arrive in UFED Physical Analyzer 4.1

With the release of UFED Physical/Logical Analyzer 4.1, Cellebrite offers new decoding and reporting features designed to improve investigative efficiency and enrich the degree of decoded data.

New, faster, and enhanced decoding

To start with, decoding extractions that are saved to a network drive is now up to 25% faster. New decoding support is available for a number of device models and data. These include JTAG extractions from seven new devices, as well as chip-off extractions from BlackBerry® devices running OS 10. Decoded BlackBerry 10 data includes several apps in addition to device data.

UFED Physical/Logical Analyzer 4.1 also improves on decoded location data from iOS devices. The device information now includes whether the device location service status is turned on or off, as well as whether location services were enabled for each app (and, if enabled, when it was last used). Additionally, UFED Physical Analyzer now displays recent and frequently visited locations tracked by iOS devices and maintained solely on the device.

New and updated app decoding is also available in UFED Physical/Logical Analyzer 4.1. This includes enhanced data carving from unallocated space for the ooVoo, Skype, VKontakte, and Odnoklassniki apps, and decrypted SnapChat pictures.

Also included is decoding for contacts and chats from the HeyTell and Truecaller Android and iOS apps, as well as bookmarks, web history, and emails from the Firefox app for Android. Updated decoding is available for a total of 34 Android apps and 30 iOS apps, including multiple app versions. Download the release notes to see a full list of apps and version numbers.

Efficiencies in reporting

Reporting also sees an improvement in speed, by up to 50% depending on report content for PDF and UFDR report processing. New reporting functionality allows you to export chat messages in conversation format, within PDF reports. As with previous version, select and unselect specific chats to include. Additionally, you can now include image thumbnails in PDF, Word, and HTML reports.

Another new feature stands to reduce confusion around daylight saving date and time stamps vs. UTC or standard times. UFED Physical/Logical Analyzer 4.1 includes a database containing start/end dates and times for countries that use daylight saving (DST). This data is available through 2018 and takes into account locations that do not adhere to DST. You can set a unified time zone for the project timestamps for the software to automatically adjust for DST.

Remember: End of life announcement for Windows XP

Following the recent announcement that Microsoft has officially ceased support for Windows XP on April 8, 2014, Cellebrite recommends installing UFED Series Software Products on 64-bit versions of Windows 7 and above. By February 28, 2015, the UFED Series will no longer support Windows XP.

IMPORTANT: This does not affect UFED Touch systems running on Windows 2009 Embedded Standard. The Windows Embedded Standard 2009 Operating System End of Life is scheduled for January 8, 2024.

For further information about the Windows XP end of life, please contact support@cellebrite.com.

Download the full release notes for additional details about these decoding and reporting features!

New time saving workflow capabilities in UFED 4.0: Translation, automated data carving, and more

UFED Release 4.0Efforts to obtain evidence and intelligence from mobile devices can be stymied by inefficiencies such as extra layers of work process, lack of access to a full range of tools, and other challenges both small and large.

UFED 4.0 continues Cellebrite’s track record of developing features that improve investigative workflows and save you time both in the lab environment and the field. Among the most significant time savers we’ve added to UFED Touch, UFED 4PC, and UFED Physical/Logical Analyzer: better Android data carving, language translation, a UFED Touch data preview capability, and better workflows overall.

Simple, efficient language translation

Reduce challenges associated with foreign language translation, including the need to rely on another person, or to copy/paste into an online tool. Either one takes time you may not have, and errors—especially with short words—can alter the meaning of content.

UFED Physical/Logical Analyzer 4.0 contains an offline translation solution that accurately translates both short and long words. Use it to translate selected content on demand, and to use filters in your language of choice. The translation engine keeps the source language, which you can see in the user interface, and you can include both the translation and the original source text in your report.

The UFED translation engine currently supports 13 languages, including English. Choose five free of charge when you access all the language packs from your my.cellebrite.com account. If you need more than five languages, you can purchase them directly from Cellebrite. Be sure to let us know if you need access to languages apart from what we offer!

Faster, more powerful data carving from Android unallocated space

Enhanced automated carving from Android devices’ unallocated space gives you access to much more—in some cases, double or triple the amount—of deleted data than previous data carving features allowed. Owing to a new algorithm, the carving process is now also faster.

While manual data carving is still an important part of forensic validation processes, Cellebrite redesigned the automatic data carving functionality to achieve more deleted data with greater precision, by dramatically reducing false positive and duplicate results.

Learn more about data carving when you take the Cellebrite Certified Physical Analyst course.

Save time in the field: Preview logical extraction data in UFED Touch

UFED Touch users may find themselves needing to preview evidence to decide whether a mobile device is worthy of deeper examination, or they need intelligence to decide an immediate course of action. UFED Touch now offers the option to view an HTML report that includes general device Information and the logical extraction data on the touch screen—without requiring a laptop.

Newly included in logical extractions, and therefore viewable with UFED Touch, are web history and web bookmarks. From iOS devices, the new UFED 4.0 feature extends logical extraction and preview capabilities to app data.

Balance time savings with process: capture images and snapshots with UFED Camera

Sometimes, taking screenshots of a mobile device is the only way to capture its evidence. This could be because you have no UFED with you in the field, or the device or certain data on the device isn’t supported for extraction with the equipment you have.

With UFED Camera, our new manual evidence collection feature, collect evidence by taking pictures or videos of a device. A single report contains any extracted information together with screenshots or video.

The ability to take screenshots can be important in the field, helping to substantiate a police officer’s, border patrol agent’s, or corporate internal investigator’s documentation of what s/he saw on the device during an initial scroll-through. (Remember to get consent or have another form of legal authority to show for it.)

In the lab, taking screenshots can help you to validate device extraction results – to show that the evidence in an extraction file existed on the evidence device.

For more details on these and other new and enhanced decoding and app support capabilities—including support for iPhone 6, 6Plus, & other Apple devices running iOS 8—download our release notes!

GPS Forensics and Link Analysis in Cellebrite’s August Webinars

webinar_header

LATAM customers! Did you know that Cellebrite’s exclusive capability to perform TomTom triplog files decryption and decoding can help you add vital evidentiary data to your investigation?

Join us for the upcoming webinars on GPS Forensics and TomTom Trip-Log Decryption, which will be hosted by our forensics solutions experts in Spanish and Portuguese, and will include a Q&A session.

GPS Forensics and TomTom Trip-Log Decryption (en español)

Speaker: Carlos Silva

Date: August 06, 2014 11:00 BRST (UTC-3:00)

Register here for the webinar on GPS Forensics and TomTom Trip-Log Decryption in Spanish!

GPS Forensics and TomTom Trip-Log Decryption (em Português)

Speaker: Frederico Bonincontro

Date: August 15, 2014 11:00 BRST (UTC-3:00)

Register here for the webinar on GPS Forensics and TomTom Trip-Log Decryption in Portuguese!

Link Analysis: Identify connections between suspects, victims, and others in less time

Did you miss our previous webinar on the UFED Link Analysis? Cellebrite will be hosting an additional live English-language webinar this month.

Speaker: Shahaf Rozanski

Date: August 20, 2014 06:00 UTC, 15:30 UTC

Learn how field investigators use UFED Link Analysis to rapidly visualize key relationships between entities and identify the connections and communication methods between multiple mobile devices. Join Cellebrite’s Forensics Senior Product Manager, Shahaf Rozanski, as he presents real world use case scenarios from a wide range of crime categories. The webinar will include a Q&A session.

Register here for the webinar on UFED Link Analysis!

Would you like to receive a webinar on our forensics solutions in your language? Leave us a comment and we’ll arrange it for you!

To view a past webinar, please visit the Webinars section on our website:  http://www.cellebrite.com/corporate/webinars

New UFED release broadens decoding for extractions from prepaid, damaged devices

With the release of UFED Physical Analyzer 3.9.7, Cellebrite now offers improved decoding for the binary files resulting from JTAG extractions. This means that rather than have to carve or manually decode the image file, examiners can now save time with an automated process.*

JTAG (Joint Test Action Group) forensics is an advanced method of mobile data extraction. By taking advantage of a device’s test access ports (TAPs)—included in every mobile device model to aid in manufacturers’ quality assurance processes—examiners can unlock the device in order to gain access to raw data stored on the memory chip, and can thus obtain a full physical image of the memory.

Because it is non-destructive and affords the opportunity to access data from devices that have been altered or damaged in some way that makes them inaccessible using conventional mobile forensic extraction tools the JTAG technique is growing in popularity, with a number of examiners undergoing training to become proficient in the procedure.

The additional decoding support, made possible with generic chains, is now available for 110 tested devices, including Samsung, HTC, LG, ZTE, Nokia, Huawei, Casio, Pantech, and Kyocera models. Examiners can gain access to a rich set of data such as call logs, SMS, MMS, emails, media files, apps data, and locations.

Access the JTAG binary extraction files in UFED Physical Analyzer by using the “Open (Advanced)” feature and selecting the extraction and the appropriate JTAG chain. You can find step by step guidance, in Chapter 3, section 3.4.2.3 of the UFED Physical Analyzer manual.

JTag2

*Manual decoding is still valuable as a validation method for forensic examinations.

Convert GPS coordinates to physical addresses

See where your subjects are visiting, and how often they’re visiting, without having to manually convert GPS coordinates to physical locations. UFED Logical/Physical Analyzer now enables you to convert single or multiple latitude/longitude coordinates, in bulk, to their corresponding nearest address. It also allows you to search based on that information, using an advanced search capability.

Additional device and decoding support

The new UFED release, 3.0.7, includes physical extraction with lock bypass from an additional 40 devices including: Samsung Galaxy S4 and Note III families, and HTC devices. Additional device extraction support using the Android backup method is included, along with file system and logical extractions from Nokia Asha devices.

The new UFED Physical Analyzer release includes additional decoding support for physical extractions from 26 new devices, file system extractions from 25 new devices, usernames and passwords from the browser on Android devices, locations in deleted photo metadata from iOS devices running iOS 7 and above, and deleted call log, contact and calendar content from Microsoft® EDB embedded database within Windows® Phone devices. In addition, decryption support is now available for the WhatsApp backup database, identifiable by the .crypt7 backup file extension, which contains chat messages.

The Telegram and Instagram apps are newly supported for both Android and iOS devices. Decoding support for the Waze app is new for Android and updated for iOS devices; Facebook Messenger, Line, QQ, Skype, Twitter, WeChat, and Vkontakte, along with other apps, have been updated for Android and iOS as well.

For a full rundown of device and app support, view our release notes. Cellebrite is also offering a webinar on JTAG decoding and analysis in July. Register for the webinar here!

 

JTAG decoding, bypassing device locks, and link analysis in Cellebrite’s July webinars

webinar_header

Link Analysis: Identify connections between suspects, victims, and others in less time

On July 1, learn how field investigators use UFED Link Analysis to rapidly visualize key relationships between entities and identify the connections and communication methods between multiple mobile devices. Join Cellebrite Forensics Solutions Specialist Lee Papathanasiou for a 60-minute live webinar that details how link analysis methodology:

  • Helps you visualize communication links using multiple mobile devices’ rich data sets, including mutual contacts, calls, SMSs, MMS, emails, chats, application transactions, Bluetooth devices, locations, and more.
  • Filters data by time, date, number of contact times, and categories, and drills down to specific events.
  • Pinpoints whether entities were at the same place at the same time.
  • Allows you to share findings with colleagues and other investigators.

The webinar, including a Q&A session, will present real world use case scenarios from a wide range of crime categories. The session will also touch on key practical features of UFED Link Analysis, including timelines, advanced filters, and much more.

Register here for the July 1 webinar on UFED Link Analysis!

Bypassing Locked Devices: Learn How to Tackle One of the Biggest Challenges in Mobile Forensics

Pattern locks and passwords are becoming increasingly sophisticated and hard to crack, even for forensic examiners. Attempting to gain access to a locked device, especially with a complex pattern lock or passcode, is often only possible by using advanced forensic tools and techniques.

Don’t remain locked out from your evidence. Join Cellebrite’s forensic technical director, Yuval Ben-Moshe, for this 45-minute live webinar to learn about the UFED’s unrivaled ability to bypass locked phones without jailbreaking, rooting or flashing. You will learn:

  • Various methods to bypass locked devices, and a live demo of password extractions using the UFED.
  • How to use the extracted password to bypass other devices owned by the same person.
  • Physical extraction while bypassing any type of lock from 470 Android devices, including Cellebrite’s first to market capabilities for Samsung Galaxy S4 family.
  • Bypassing locks from counterfeit devices and phones manufactured in China.
  • How to run a plug-in that reveals pattern locks in Physical Analyzer.

Register here for the July 10 webinar on user lock bypass and extraction!

Automated JTAG Extraction Decoding with UFED Physical Analyzer

The growing popularity of JTAG forensics requires a great deal of resources and investment to obtain raw data stored on the device’s memory chip. It can take many hours for an examiner to transform the raw data into human interpretable evidence.

Cellebrite’s newly introduced decoding capabilities reduce the amount of time examiners have to spend on manually decoding, or carving, the large volume of extracted data. Join Cellebrite’s engineering product manager, Ronen Engler, for a 45-minute session on how you can take advantage of the UFED for JTAG decoding:

  • Easily import the binary file from a JTAG extraction into the UFED Physical Analyzer to draw accurate conclusions and report data.
  • Access this rich set of data to discover common artifacts, such as call logs, SMS, media files, e-mails, chats and locations.
  • Drill down into the binary file’s hex code through advanced search capabilities for finer grained information.
  • Decode the extractions from the widest range of devices, including popular Samsung, HTC, and LG, using a series of automated plug-ins and chains.

Register for the July 24 webinar to learn about Cellebrite’s efficient and cost-effective solution to decode and obtain forensically sound data from previously inaccessible devices.

DIY app forensics: What does it take?

Digital evidence from the millions of apps currently available in the Google Play Store is frequently material to criminal and civil cases and investigations. Yet app evidence is time consuming and costly to decode, analyze, and produce while facing deadlines and a backlog of cases.

What’s in app support? At Mobile Forensics World this year, you have a chance to find out. On Tuesday, June 3, John Carney and Don Huettl, of Minneapolis (Minnesota, US)-based Carney Forensics, are presenting a two-part lecture and live demo on what it took for them to develop plugin support for the Burner Android app. We took the time to sit down with John and get the story behind the lectures.

Cellebrite: What first drove you to start developing plug-ins to support third party apps?

John Carney: We’ve seen a dramatic change in mobile phone architecture in recent years as smart phone and tablet makers rely on apps as basic building blocks.

This makes for an industry challenge faced by tools vendors and examiners alike.  Over one million iOS apps and one million Android apps are available today through app stores, but automated forensic analysis is supported for only a few hundred.

And, even though scripting capabilities exist for examiners to develop their own forensic app support, very few are decoding apps and writing the scripts and plug-ins to probe their device evidence.  We wanted to attempt to show examiners a path forward and how to get involved.

CB: How did you come to choose this particular app?

JC: Mobile messaging apps are an extremely interesting family of mobile apps that phone users are shifting to in great numbers all over the world as they abandon traditional text messaging offered through the service providers.

We noticed examples of these apps that support message deletion and user-specified retention periods after which they are deleted.  Snapchat is perhaps the best example.  TigerText is another.  We chose to support Burner.

We wanted to see if we could find message evidence after the message was deleted or “burned”, and to support a new app that the tools vendors did not support.  Cellebrite now supports Burner on iOS, but ours is the only Burner plug-in or script available for Android.

CB: What challenges did you face at the outset?

JC: We had to choose a reasonably interesting app that was supportable and an app platform that made sense for us. We made our determination using three criteria:

  1. We wanted to add something of value to existing app support. For example, because GoSMSPro uses the same core data structures that UFED already supports to decode other SMS, we found there was really no work to be done.
  2. The app data couldn’t be too difficult to acquire. It would be fruitless to try to support an app whose data is encrypted.
  3. Along similar lines, we wanted to support an app that would give us plenty of artifacts to uncover. Some app developers, who are experienced with writing secure apps, do a lot of garbage collection and data wiping along the way. They don’t leave much behind as a result.

Burner, as it turned out, gave us an almost “Sherlock Holmesian” opportunity—after the phone number is burned, we found we had a shot at finding artifacts left behind, and we did!

Then, we had to construct a development environment that gave us about half a dozen features that would make our research, development and testing flow more easily. Basically, we built a “nest” for doing productive work: in the short term, nimble, fast, cost effective results, and for the long term, investment in future development.

For example, virtual phone support—Android emulators—allowed for experimentation across makes and models without a significant cost outlay. We could then create two virtual phones and have them call and text each other from a single platform.

For another example, platform virtualization allows us to take advantage of various computing architectures. Developers can use Mac, Windows or Linux platforms for full flexibility in the development environment.

Another challenge was that we had to learn how to decode mobile apps evidence, which proved to be one of our most critical challenges. We also had to learn how Cellebrite encodes phone evidence for reporting our results, and advanced analytic options like timelines, maps, and activity analytics.

On the other hand, having looked at other plug-in writing environments, we can say that UFED Physical Analyzer offers the best support for developers. It is equipped with advanced SQLite and plist decoding, highly modular decoding chains, and it provides an excellent debugger. We don’t have to worry about flash translation layers, reconstructing file systems, or parsing common phone data structures.

We wanted to be 80% done with plug-in development from the moment we started, and UFED gave us that level of advanced and broad-based support in a way that many other tools do not.

CB: What did you find you needed in terms of resources (time, team members, etc.)?

JC: We needed a skilled software engineer with digital forensics training who understood object-oriented development and who could quickly learn Python.  Don Huettl had those skills and was also a clever designer who constructed a highly innovative development environment. Don came to us as part of an internship with a degree program from a nearby academic institution, where I serve on the advisory board. In addition to the right people, we needed time to decode our app, and write and test our Python code.  We also had to learn how to present our project so that examiners could understand and appreciate what we had done.

This took several iterations of slide decks, including a comprehensive live demo of our development environment. Don shows how we decode the app, take the script and turn it into a plug-in, put it on a decoding chain, perform the examination, and then create a report—all in a way that anyone could understand, even if they don’t have a background in scripting.

Documentation is key to this process. It’s good scientific practice anyway, but in this case, it provides the framework for learning how to do this. Besides documentation of our own methods, we found that the Iron Python libraries and .NET libraries were critical to our success, and important for sharing with the community. Finally, we found that we needed more than one UFED Physical Analyzer license to support the decoding, development, and testing of our plug-in.

CB: What skills did you and your team members already have, and what skills needed to be developed or sourced?

JC: We had software architecture, design, and engineering skills.  I was a software engineer and architect in a former life and an experienced mobile device forensics examiner for the past five years.

Don was an experienced software engineer who learned computer and mobile forensics and got certified during his degree program.  He was looking for a challenging internship.  We didn’t need any more skills than that.

CB: What technical challenges did you face at various stages in the project?

JC: We had to learn how to decode mobile apps including SQLite app databases and how to expose other artifacts and files in our mobile app.

We had to find phone emulators for Android phone models and learn how they worked and what didn’t work. The quality of the emulators and how many features they support or don’t support figured into this research.

For example, creating two different virtual devices—different makes and models—with a full range of functionality might mean that different VOIP apps, or forwarding rather than simply sending and receiving text messages, crash the emulator. We had to figure out how to work around the bugs.

We also had to learn how UFED Physical Analyzer organizes and structures phone data for presentation to examiners. In other words, we had to figure out how to plug the examination results back into UFED PA so that reporting and analytics would work on the back end.

We had to learn and develop debugging techniques for perfecting our Python script and plug-in. Even for a software engineer with plenty of experience, the debugger, which provides an atomic level look at code execution and data, is important to figure out why something isn’t working.

Fortunately, the UFED’s support for the debugging environment in Python shell made this trial and error process much easier.

CB: What have you learned thus far about the plug-in development process?

JC: We’ve learned that the process is very dependent on the specific mobile app that we have targeted to support.  We have to become experts on our app. This involves understanding the app’s user model, what the app’s purpose is, what it does and doesn’t do, and so forth.

Decoding the app, in turn, requires understanding the connection between the user model and the data model. You can’t have just a passing knowledge of the app and expect to be able to write a plug-in; you need to understand the app at the same level as its own developer.

We’ve learned that encryption and cleansed data are not our friends as we attempt to acquire and report phone evidence.

We’ve learned that leveraging UFED in our work is like standing on the shoulders of a giant.  Physical Analyzer helps us with decoding, reporting, and debugging.  And all of the various pre-existing UFED plug-ins acquire, translate, reconstruct, and prepare mobile app data for us so that we can do our best work.

We’ve learned that we have to document our process and our code so that we can remain nimble, grow our team, and develop quality plug-ins.

CB: What will you be exploring in future research and development?

JC: Many app families are interesting to us including personal navigation, spyware and malware, and also payment. We want to explore additional mobile apps that have not been decoded and automated by any of the tools vendors yet, but that are desperately needed by examiners.

Because we’ve only developed one plug-in, we don’t yet have a quantitative idea what kind of time commitment is required for different kinds of apps.

However, understanding that mobile examiners are busy people, it may become possible and necessary for people to plug in to the process at different points and share their skills and aptitudes. Rather than developing “cradle to grave” plug-ins, in other words, one person might focus on decoding, another on script testing, etc.

We also want to construct a development environment for iOS including iDevice emulators so that we can develop multi-platform app plug-ins.

Join John and Don for their two-part presentation in Oleander A on Tuesday, June 3. From 11:00 – 11:50 a.m., John will present “A Case Study in Mobile App Forensics Plug-in Development – Examiners/Developers to the Rescue (Part 1). From 4:30 – 5:20 PM, Don will present “A Case Study in Mobile App Forensics Plug-in Development – Build Your Own Plug-ins (Part 2). We hope to see you there!