New UFED release 4.2.2 offers exclusive support, impressive breakthroughs and enhanced decoding

With the release of UFED Physical/Logical Analyzer 4.2.2, Cellebrite offers new decoding features designed to improve investigative efficiency from 1,128 additional device profiles and enriched degree of decoded data from 873 app versions.

Exclusive support for the latest and popular Samsung devices

Samsung contributes to the highly fluid mobile market by introducing ever smaller and lighter mobile device models every few months. The quick adoption of these devices by felons leaves investigators to encounter additional challenges during the investigation. Cellebrite enables access to all data, including deleted data, from the newest Samsung Android devices available in the market today. Cellebrite supports physical extraction while bypassing the user lock using the forensic recovery partition method, and decoding from 33 Samsung Android devices, including Samsung Galaxy S5, S6 and Note 4 family of devices.

Cellebrite’s UFED replaces the device’s original recovery partition with Cellebrite’s custom forensic recovery partition. The original recovery partition on the Android device can be considered as an alternative boot partition that may also change the user data partition, while Cellebrite’s recovery image does not affect any of the user data.

Support for next generation smart watches

Android wear may be a new concept, but with nearly $7M sales just last year, many independent research groups anticipate a huge growth in the wearable space is in the next upcoming years. With the rate of new devices entering the market by Samsung and others, Cellebrite ensures that investigators remain ahead with the most advanced extraction and decoding technology to support these new trending devices.

UFED enables physical extraction while bypassing lock, and decoding support from the most popular next generation smart watches including LG smart watch LG G WATCH R™ (W110) and the previously released Samsung Galaxy Gear SM-V700.

New app decoding and decryption support

Apps provide a rich source of data to investigations. 59% of our users say that 3rd-party apps data matter the most in investigations. Cellebrite provides updated support for 843 app versions in this release, as well as decoding support for new apps, such as Facebook Messenger (decoding of the call logs of the voice calling feature and the new video calling/chatting feature). Additional decryption is also available for UFED 4.2.2, UFED Physical Analyzer is now able to decrypt and decode Android Backup (Android 5.x) with a known password as part of the file system extraction.

Download the release notes to see a full list of apps and version numbers.

Now higher resolution view in offline maps feature

In UFED version 4.2 we introduced the latest offline maps feature which enables you to view extracted locations on a worldwide map without internet connection. This feature has been improved, enabling you to view extracted locations on a regional map, and zoom in at an even higher resolution of 15x to view streets for better indication and view of the location without internet access for the following continents: USA, Canada, Europe, Japan and Korea, Middle East, Africa, London, Los Angeles, New York, Paris, Singapore and Tokyo.

 Untitled

You asked for it, we developed it!

UFED Physical/Logical Analyzer 4.2.2 keeps pace with investigator demand and provides the option to redact the image thumbnail from the PDF, Word and HTML report. You would use this option with cases involving sensitive images, such as child abuse.

Untitled2

UFED Physical/Logical Analyzer 4.2 offers efficiency improvements, decryption and enhanced decoding

PA42exclusive

 

 

 

 

The new Physical/Logical Analyzer release, version 4.2, is chock full of features and device support. From more efficient location mapping processes to improved decoding, this latest release is designed to accelerate your investigations and enable you to drill more deeply and intuitively into data from more than 15,000 devices.

Deeper location data analysis, more efficient workflows

UFED Physical/Logical Analyzer 4.2 offers a number of new enhancements with regard to location data. These enhancements offer more flexibility and efficiency by allowing you to access highly visual information more easily.

First, new offline map support offers maps view even when an Internet connection is not available or you are analyzing data at a workstation that is required to remain offline. Second, you can also now zoom in to locations in map view and see related event details. When you want to explore deeper relationships between locations, timelines, and analyzed data, you can jump from location information to its source event or timeline and vice versa.

Location information also allows you the ability to examine attached images, videos, audio, text, and other files identified during the data analysis process. The Data Files category in the project tree enables you to view and filter attachments within data files, locate the associated attachment event, and view its metadata and location information.

Do you frequently share your extracted UFDR reports with others using UFED Reader? Now, include the UFED Reader executable within the report output folder. This saves time for report recipients in locating, downloading, and using the UFED Reader application.

New app decoding and analysis functionality

UFED Physical/Logical Analyzer 4.2 also keeps pace with investigator demand for greater visibility into app data. Besides newly added support for apps installed on Android, iOS, and Windows Phone® devices, as well as updated support for 40 Android and 63 iOS app versions, the new release offers additional decoding and some decryption support, as well as improvements in the way app data—particularly chat app data—is displayed.

Added to analytics that show the most frequently used apps, app usage data now includes information about the last time a user launched a particular app, as well as for how long they used it. Also for the first time, view the number of messages per chat, which can help validate chats extracted using other tools that do not thread messages. Additionally, location data for chat messages is now available for export into all report formats.

Other apps-related support includes decryption of KeepSafe and WeChat apps, together with decoding support for WhatsApp VoIP call logs on Android devices. New WhatsApp support also includes the Read, Delivered and Played timestamps of outgoing WhatsApp messages for iOS, Android and BlackBerry® 10 devices. In addition, Twitter group chat messages are now displayed in Chats.

New device support includes physical extractions, decryption, and decoding

Disable the user lock for 159 Samsung Android models using SPR and SPM methods, depending on the device’s firmware version. In addition, Physical extraction with lock bypass and decoding is now supported for 58 LG Android devices released with Android version 4.2.x and above.

Decryption is now possible for physical extractions from generic Android and Samsung devices running Android 4.2 and below using a known password. Similarly, extract BlackBerry device backup data as part of file system extraction, and then decrypt the backup data with known BlackBerry ID credentials you retrieve via UFED Physical Analyzer.

Device information decoding is newly enhanced for all device types. For BlackBerry 10 this includes username, device model, PIN, IMEI, and device name; for Windows Phone devices, the information includes IMEI, IMSI, MEID, mobile operator ID, country, MAC address, and OS version. Device information for Android devices now includes the decoded Tethering ID and password, while iOS device product name and product type information are now included under device information.

Saving time in a death investigation

One Minnesota (US)-based detective working a death investigation used Physical Analyzer 4.2 to unlock a pattern locked Samsung Galaxy S5 (SM-G900V). Facing a lengthy and destructive chip-off extraction because the device did not appear to be supported for JTAG extraction, the investigator was able to run the device against a pre-release copy of Physical Analyzer 4.2. The extraction worked, and the investigator was able to use that evidence to continue building his case.

To learn more about how the new UFED Physical/Logical Analyzer 4.2 can help accelerate your investigations, download our release notes today!

New time-saving features arrive in UFED Physical Analyzer 4.1

With the release of UFED Physical/Logical Analyzer 4.1, Cellebrite offers new decoding and reporting features designed to improve investigative efficiency and enrich the degree of decoded data.

New, faster, and enhanced decoding

To start with, decoding extractions that are saved to a network drive is now up to 25% faster. New decoding support is available for a number of device models and data. These include JTAG extractions from seven new devices, as well as chip-off extractions from BlackBerry® devices running OS 10. Decoded BlackBerry 10 data includes several apps in addition to device data.

UFED Physical/Logical Analyzer 4.1 also improves on decoded location data from iOS devices. The device information now includes whether the device location service status is turned on or off, as well as whether location services were enabled for each app (and, if enabled, when it was last used). Additionally, UFED Physical Analyzer now displays recent and frequently visited locations tracked by iOS devices and maintained solely on the device.

New and updated app decoding is also available in UFED Physical/Logical Analyzer 4.1. This includes enhanced data carving from unallocated space for the ooVoo, Skype, VKontakte, and Odnoklassniki apps, and decrypted SnapChat pictures.

Also included is decoding for contacts and chats from the HeyTell and Truecaller Android and iOS apps, as well as bookmarks, web history, and emails from the Firefox app for Android. Updated decoding is available for a total of 34 Android apps and 30 iOS apps, including multiple app versions. Download the release notes to see a full list of apps and version numbers.

Efficiencies in reporting

Reporting also sees an improvement in speed, by up to 50% depending on report content for PDF and UFDR report processing. New reporting functionality allows you to export chat messages in conversation format, within PDF reports. As with previous version, select and unselect specific chats to include. Additionally, you can now include image thumbnails in PDF, Word, and HTML reports.

Another new feature stands to reduce confusion around daylight saving date and time stamps vs. UTC or standard times. UFED Physical/Logical Analyzer 4.1 includes a database containing start/end dates and times for countries that use daylight saving (DST). This data is available through 2018 and takes into account locations that do not adhere to DST. You can set a unified time zone for the project timestamps for the software to automatically adjust for DST.

Remember: End of life announcement for Windows XP

Following the recent announcement that Microsoft has officially ceased support for Windows XP on April 8, 2014, Cellebrite recommends installing UFED Series Software Products on 64-bit versions of Windows 7 and above. By February 28, 2015, the UFED Series will no longer support Windows XP.

IMPORTANT: This does not affect UFED Touch systems running on Windows 2009 Embedded Standard. The Windows Embedded Standard 2009 Operating System End of Life is scheduled for January 8, 2024.

For further information about the Windows XP end of life, please contact support@cellebrite.com.

Download the full release notes for additional details about these decoding and reporting features!

New time saving workflow capabilities in UFED 4.0: Translation, automated data carving, and more

UFED Release 4.0Efforts to obtain evidence and intelligence from mobile devices can be stymied by inefficiencies such as extra layers of work process, lack of access to a full range of tools, and other challenges both small and large.

UFED 4.0 continues Cellebrite’s track record of developing features that improve investigative workflows and save you time both in the lab environment and the field. Among the most significant time savers we’ve added to UFED Touch, UFED 4PC, and UFED Physical/Logical Analyzer: better Android data carving, language translation, a UFED Touch data preview capability, and better workflows overall.

Simple, efficient language translation

Reduce challenges associated with foreign language translation, including the need to rely on another person, or to copy/paste into an online tool. Either one takes time you may not have, and errors—especially with short words—can alter the meaning of content.

UFED Physical/Logical Analyzer 4.0 contains an offline translation solution that accurately translates both short and long words. Use it to translate selected content on demand, and to use filters in your language of choice. The translation engine keeps the source language, which you can see in the user interface, and you can include both the translation and the original source text in your report.

The UFED translation engine currently supports 13 languages, including English. Choose five free of charge when you access all the language packs from your my.cellebrite.com account. If you need more than five languages, you can purchase them directly from Cellebrite. Be sure to let us know if you need access to languages apart from what we offer!

Faster, more powerful data carving from Android unallocated space

Enhanced automated carving from Android devices’ unallocated space gives you access to much more—in some cases, double or triple the amount—of deleted data than previous data carving features allowed. Owing to a new algorithm, the carving process is now also faster.

While manual data carving is still an important part of forensic validation processes, Cellebrite redesigned the automatic data carving functionality to achieve more deleted data with greater precision, by dramatically reducing false positive and duplicate results.

Learn more about data carving when you take the Cellebrite Certified Physical Analyst course.

Save time in the field: Preview logical extraction data in UFED Touch

UFED Touch users may find themselves needing to preview evidence to decide whether a mobile device is worthy of deeper examination, or they need intelligence to decide an immediate course of action. UFED Touch now offers the option to view an HTML report that includes general device Information and the logical extraction data on the touch screen—without requiring a laptop.

Newly included in logical extractions, and therefore viewable with UFED Touch, are web history and web bookmarks. From iOS devices, the new UFED 4.0 feature extends logical extraction and preview capabilities to app data.

Balance time savings with process: capture images and snapshots with UFED Camera

Sometimes, taking screenshots of a mobile device is the only way to capture its evidence. This could be because you have no UFED with you in the field, or the device or certain data on the device isn’t supported for extraction with the equipment you have.

With UFED Camera, our new manual evidence collection feature, collect evidence by taking pictures or videos of a device. A single report contains any extracted information together with screenshots or video.

The ability to take screenshots can be important in the field, helping to substantiate a police officer’s, border patrol agent’s, or corporate internal investigator’s documentation of what s/he saw on the device during an initial scroll-through. (Remember to get consent or have another form of legal authority to show for it.)

In the lab, taking screenshots can help you to validate device extraction results – to show that the evidence in an extraction file existed on the evidence device.

For more details on these and other new and enhanced decoding and app support capabilities—including support for iPhone 6, 6Plus, & other Apple devices running iOS 8—download our release notes!

New UFED release broadens decoding for extractions from prepaid, damaged devices

With the release of UFED Physical Analyzer 3.9.7, Cellebrite now offers improved decoding for the binary files resulting from JTAG extractions. This means that rather than have to carve or manually decode the image file, examiners can now save time with an automated process.*

JTAG (Joint Test Action Group) forensics is an advanced method of mobile data extraction. By taking advantage of a device’s test access ports (TAPs)—included in every mobile device model to aid in manufacturers’ quality assurance processes—examiners can unlock the device in order to gain access to raw data stored on the memory chip, and can thus obtain a full physical image of the memory.

Because it is non-destructive and affords the opportunity to access data from devices that have been altered or damaged in some way that makes them inaccessible using conventional mobile forensic extraction tools the JTAG technique is growing in popularity, with a number of examiners undergoing training to become proficient in the procedure.

The additional decoding support, made possible with generic chains, is now available for 110 tested devices, including Samsung, HTC, LG, ZTE, Nokia, Huawei, Casio, Pantech, and Kyocera models. Examiners can gain access to a rich set of data such as call logs, SMS, MMS, emails, media files, apps data, and locations.

Access the JTAG binary extraction files in UFED Physical Analyzer by using the “Open (Advanced)” feature and selecting the extraction and the appropriate JTAG chain. You can find step by step guidance, in Chapter 3, section 3.4.2.3 of the UFED Physical Analyzer manual.

JTag2

*Manual decoding is still valuable as a validation method for forensic examinations.

Convert GPS coordinates to physical addresses

See where your subjects are visiting, and how often they’re visiting, without having to manually convert GPS coordinates to physical locations. UFED Logical/Physical Analyzer now enables you to convert single or multiple latitude/longitude coordinates, in bulk, to their corresponding nearest address. It also allows you to search based on that information, using an advanced search capability.

Additional device and decoding support

The new UFED release, 3.0.7, includes physical extraction with lock bypass from an additional 40 devices including: Samsung Galaxy S4 and Note III families, and HTC devices. Additional device extraction support using the Android backup method is included, along with file system and logical extractions from Nokia Asha devices.

The new UFED Physical Analyzer release includes additional decoding support for physical extractions from 26 new devices, file system extractions from 25 new devices, usernames and passwords from the browser on Android devices, locations in deleted photo metadata from iOS devices running iOS 7 and above, and deleted call log, contact and calendar content from Microsoft® EDB embedded database within Windows® Phone devices. In addition, decryption support is now available for the WhatsApp backup database, identifiable by the .crypt7 backup file extension, which contains chat messages.

The Telegram and Instagram apps are newly supported for both Android and iOS devices. Decoding support for the Waze app is new for Android and updated for iOS devices; Facebook Messenger, Line, QQ, Skype, Twitter, WeChat, and Vkontakte, along with other apps, have been updated for Android and iOS as well.

For a full rundown of device and app support, view our release notes. Cellebrite is also offering a webinar on JTAG decoding and analysis in July. Register for the webinar here!

 

JTAG decoding, bypassing device locks, and link analysis in Cellebrite’s July webinars

webinar_header

Link Analysis: Identify connections between suspects, victims, and others in less time

On July 1, learn how field investigators use UFED Link Analysis to rapidly visualize key relationships between entities and identify the connections and communication methods between multiple mobile devices. Join Cellebrite Forensics Solutions Specialist Lee Papathanasiou for a 60-minute live webinar that details how link analysis methodology:

  • Helps you visualize communication links using multiple mobile devices’ rich data sets, including mutual contacts, calls, SMSs, MMS, emails, chats, application transactions, Bluetooth devices, locations, and more.
  • Filters data by time, date, number of contact times, and categories, and drills down to specific events.
  • Pinpoints whether entities were at the same place at the same time.
  • Allows you to share findings with colleagues and other investigators.

The webinar, including a Q&A session, will present real world use case scenarios from a wide range of crime categories. The session will also touch on key practical features of UFED Link Analysis, including timelines, advanced filters, and much more.

Register here for the July 1 webinar on UFED Link Analysis!

Bypassing Locked Devices: Learn How to Tackle One of the Biggest Challenges in Mobile Forensics

Pattern locks and passwords are becoming increasingly sophisticated and hard to crack, even for forensic examiners. Attempting to gain access to a locked device, especially with a complex pattern lock or passcode, is often only possible by using advanced forensic tools and techniques.

Don’t remain locked out from your evidence. Join Cellebrite’s forensic technical director, Yuval Ben-Moshe, for this 45-minute live webinar to learn about the UFED’s unrivaled ability to bypass locked phones without jailbreaking, rooting or flashing. You will learn:

  • Various methods to bypass locked devices, and a live demo of password extractions using the UFED.
  • How to use the extracted password to bypass other devices owned by the same person.
  • Physical extraction while bypassing any type of lock from 470 Android devices, including Cellebrite’s first to market capabilities for Samsung Galaxy S4 family.
  • Bypassing locks from counterfeit devices and phones manufactured in China.
  • How to run a plug-in that reveals pattern locks in Physical Analyzer.

Register here for the July 10 webinar on user lock bypass and extraction!

Automated JTAG Extraction Decoding with UFED Physical Analyzer

The growing popularity of JTAG forensics requires a great deal of resources and investment to obtain raw data stored on the device’s memory chip. It can take many hours for an examiner to transform the raw data into human interpretable evidence.

Cellebrite’s newly introduced decoding capabilities reduce the amount of time examiners have to spend on manually decoding, or carving, the large volume of extracted data. Join Cellebrite’s engineering product manager, Ronen Engler, for a 45-minute session on how you can take advantage of the UFED for JTAG decoding:

  • Easily import the binary file from a JTAG extraction into the UFED Physical Analyzer to draw accurate conclusions and report data.
  • Access this rich set of data to discover common artifacts, such as call logs, SMS, media files, e-mails, chats and locations.
  • Drill down into the binary file’s hex code through advanced search capabilities for finer grained information.
  • Decode the extractions from the widest range of devices, including popular Samsung, HTC, and LG, using a series of automated plug-ins and chains.

Register for the July 24 webinar to learn about Cellebrite’s efficient and cost-effective solution to decode and obtain forensically sound data from previously inaccessible devices.

DIY app forensics: What does it take?

Digital evidence from the millions of apps currently available in the Google Play Store is frequently material to criminal and civil cases and investigations. Yet app evidence is time consuming and costly to decode, analyze, and produce while facing deadlines and a backlog of cases.

What’s in app support? At Mobile Forensics World this year, you have a chance to find out. On Tuesday, June 3, John Carney and Don Huettl, of Minneapolis (Minnesota, US)-based Carney Forensics, are presenting a two-part lecture and live demo on what it took for them to develop plugin support for the Burner Android app. We took the time to sit down with John and get the story behind the lectures.

Cellebrite: What first drove you to start developing plug-ins to support third party apps?

John Carney: We’ve seen a dramatic change in mobile phone architecture in recent years as smart phone and tablet makers rely on apps as basic building blocks.

This makes for an industry challenge faced by tools vendors and examiners alike.  Over one million iOS apps and one million Android apps are available today through app stores, but automated forensic analysis is supported for only a few hundred.

And, even though scripting capabilities exist for examiners to develop their own forensic app support, very few are decoding apps and writing the scripts and plug-ins to probe their device evidence.  We wanted to attempt to show examiners a path forward and how to get involved.

CB: How did you come to choose this particular app?

JC: Mobile messaging apps are an extremely interesting family of mobile apps that phone users are shifting to in great numbers all over the world as they abandon traditional text messaging offered through the service providers.

We noticed examples of these apps that support message deletion and user-specified retention periods after which they are deleted.  Snapchat is perhaps the best example.  TigerText is another.  We chose to support Burner.

We wanted to see if we could find message evidence after the message was deleted or “burned”, and to support a new app that the tools vendors did not support.  Cellebrite now supports Burner on iOS, but ours is the only Burner plug-in or script available for Android.

CB: What challenges did you face at the outset?

JC: We had to choose a reasonably interesting app that was supportable and an app platform that made sense for us. We made our determination using three criteria:

  1. We wanted to add something of value to existing app support. For example, because GoSMSPro uses the same core data structures that UFED already supports to decode other SMS, we found there was really no work to be done.
  2. The app data couldn’t be too difficult to acquire. It would be fruitless to try to support an app whose data is encrypted.
  3. Along similar lines, we wanted to support an app that would give us plenty of artifacts to uncover. Some app developers, who are experienced with writing secure apps, do a lot of garbage collection and data wiping along the way. They don’t leave much behind as a result.

Burner, as it turned out, gave us an almost “Sherlock Holmesian” opportunity—after the phone number is burned, we found we had a shot at finding artifacts left behind, and we did!

Then, we had to construct a development environment that gave us about half a dozen features that would make our research, development and testing flow more easily. Basically, we built a “nest” for doing productive work: in the short term, nimble, fast, cost effective results, and for the long term, investment in future development.

For example, virtual phone support—Android emulators—allowed for experimentation across makes and models without a significant cost outlay. We could then create two virtual phones and have them call and text each other from a single platform.

For another example, platform virtualization allows us to take advantage of various computing architectures. Developers can use Mac, Windows or Linux platforms for full flexibility in the development environment.

Another challenge was that we had to learn how to decode mobile apps evidence, which proved to be one of our most critical challenges. We also had to learn how Cellebrite encodes phone evidence for reporting our results, and advanced analytic options like timelines, maps, and activity analytics.

On the other hand, having looked at other plug-in writing environments, we can say that UFED Physical Analyzer offers the best support for developers. It is equipped with advanced SQLite and plist decoding, highly modular decoding chains, and it provides an excellent debugger. We don’t have to worry about flash translation layers, reconstructing file systems, or parsing common phone data structures.

We wanted to be 80% done with plug-in development from the moment we started, and UFED gave us that level of advanced and broad-based support in a way that many other tools do not.

CB: What did you find you needed in terms of resources (time, team members, etc.)?

JC: We needed a skilled software engineer with digital forensics training who understood object-oriented development and who could quickly learn Python.  Don Huettl had those skills and was also a clever designer who constructed a highly innovative development environment. Don came to us as part of an internship with a degree program from a nearby academic institution, where I serve on the advisory board. In addition to the right people, we needed time to decode our app, and write and test our Python code.  We also had to learn how to present our project so that examiners could understand and appreciate what we had done.

This took several iterations of slide decks, including a comprehensive live demo of our development environment. Don shows how we decode the app, take the script and turn it into a plug-in, put it on a decoding chain, perform the examination, and then create a report—all in a way that anyone could understand, even if they don’t have a background in scripting.

Documentation is key to this process. It’s good scientific practice anyway, but in this case, it provides the framework for learning how to do this. Besides documentation of our own methods, we found that the Iron Python libraries and .NET libraries were critical to our success, and important for sharing with the community. Finally, we found that we needed more than one UFED Physical Analyzer license to support the decoding, development, and testing of our plug-in.

CB: What skills did you and your team members already have, and what skills needed to be developed or sourced?

JC: We had software architecture, design, and engineering skills.  I was a software engineer and architect in a former life and an experienced mobile device forensics examiner for the past five years.

Don was an experienced software engineer who learned computer and mobile forensics and got certified during his degree program.  He was looking for a challenging internship.  We didn’t need any more skills than that.

CB: What technical challenges did you face at various stages in the project?

JC: We had to learn how to decode mobile apps including SQLite app databases and how to expose other artifacts and files in our mobile app.

We had to find phone emulators for Android phone models and learn how they worked and what didn’t work. The quality of the emulators and how many features they support or don’t support figured into this research.

For example, creating two different virtual devices—different makes and models—with a full range of functionality might mean that different VOIP apps, or forwarding rather than simply sending and receiving text messages, crash the emulator. We had to figure out how to work around the bugs.

We also had to learn how UFED Physical Analyzer organizes and structures phone data for presentation to examiners. In other words, we had to figure out how to plug the examination results back into UFED PA so that reporting and analytics would work on the back end.

We had to learn and develop debugging techniques for perfecting our Python script and plug-in. Even for a software engineer with plenty of experience, the debugger, which provides an atomic level look at code execution and data, is important to figure out why something isn’t working.

Fortunately, the UFED’s support for the debugging environment in Python shell made this trial and error process much easier.

CB: What have you learned thus far about the plug-in development process?

JC: We’ve learned that the process is very dependent on the specific mobile app that we have targeted to support.  We have to become experts on our app. This involves understanding the app’s user model, what the app’s purpose is, what it does and doesn’t do, and so forth.

Decoding the app, in turn, requires understanding the connection between the user model and the data model. You can’t have just a passing knowledge of the app and expect to be able to write a plug-in; you need to understand the app at the same level as its own developer.

We’ve learned that encryption and cleansed data are not our friends as we attempt to acquire and report phone evidence.

We’ve learned that leveraging UFED in our work is like standing on the shoulders of a giant.  Physical Analyzer helps us with decoding, reporting, and debugging.  And all of the various pre-existing UFED plug-ins acquire, translate, reconstruct, and prepare mobile app data for us so that we can do our best work.

We’ve learned that we have to document our process and our code so that we can remain nimble, grow our team, and develop quality plug-ins.

CB: What will you be exploring in future research and development?

JC: Many app families are interesting to us including personal navigation, spyware and malware, and also payment. We want to explore additional mobile apps that have not been decoded and automated by any of the tools vendors yet, but that are desperately needed by examiners.

Because we’ve only developed one plug-in, we don’t yet have a quantitative idea what kind of time commitment is required for different kinds of apps.

However, understanding that mobile examiners are busy people, it may become possible and necessary for people to plug in to the process at different points and share their skills and aptitudes. Rather than developing “cradle to grave” plug-ins, in other words, one person might focus on decoding, another on script testing, etc.

We also want to construct a development environment for iOS including iDevice emulators so that we can develop multi-platform app plug-ins.

Join John and Don for their two-part presentation in Oleander A on Tuesday, June 3. From 11:00 – 11:50 a.m., John will present “A Case Study in Mobile App Forensics Plug-in Development – Examiners/Developers to the Rescue (Part 1). From 4:30 – 5:20 PM, Don will present “A Case Study in Mobile App Forensics Plug-in Development – Build Your Own Plug-ins (Part 2). We hope to see you there!

New UFED release delivers improved workflow, permission management, a new mobile app, and more

The new UFED 3.0 release is designed with front-line investigators in mind. From a new permission management and user authentication capability, to a much more streamlined extraction workflow and a mobile app that’s accessible from any iOS or Android device, the new UFED promises to make your work more efficient by getting you the data you need faster.

New user authentication and permission management

Many labs are struggling with backlog and the need for front-line investigators to get quicker access to information in order to begin or complete an investigation. However, doing so within the “right to know, need to know” boundaries of both legal authority and internal standard operating procedures and policies is important to retain community trust—whether you work in law enforcement or in the corporate environment.

The new UFED Permission Manager standalone application allows an administrator to create profiles and manage user accounts, including usernames and passwords, which enable users to perform specific extraction activities. Each profile contains access permissions, including operation rights per extraction type, content types and more.

Once these are created, the administrator can then export the users and profiles into an encrypted permission management file, and in turn into multiple UFED Touch and UFED 4PC units. This file activates user authentication, ensuring that only users with the right credentials can access the UFED and perform the extraction types they have permission to perform.

New smoother workflow

Customers have been asking for a more efficient extraction workflow, and we’re pleased to deliver it in UFED 3.0! Now start your extraction process in UFED Touch or UFED 4PC by selecting the device vendor, before proceeding to the specific device selection screen. The UFED interface then provides a list of supported actions for that device.

After installing the update, the UFED Touch/4PC application will notify you about the new workflow and provide instructions on first usage.

The new smoother workflow includes an Auto Detect feature. Connect a device and push the AutoDetect button on the main screen; AutoDetect will run automatically on UFED 4PC when the UFED Device Adapter is connected.

autodetect

New UFED Phone Detective mobile app

While in the field, use the UFED Phone Detective mobile application to look up extraction and decoding capabilities—as well as whether lock bypass is supported—for all device profiles supported by UFED hardware and software. Use your my.cellebrite.com credentials to login, then search by vendor and model.

Android_en_generic_rgb_wo_60

 

 

Download_on_the_App_Store_Badge_US-UK_135x40

 

New device, decoding and app support

New device support includes logical extraction for BlackBerry 10, physical extraction for a number of new Samsung devices, and Advanced Logical extraction for iOS 7.0.6/6.1.6.

New decoding support is available for enhanced locations decoding from file system and physical extraction of iPhone 4 running iOS 7.x, along with enhanced decoding of application permission to include permissions to location services. Enhanced decoding of contact list, call log, calendar, and tasks is now supported on Windows Mobile 6/6.5 physical extractions, as well as backup decoding from the latest devices running Android version 4.x.

New Android and iOS apps now supported for decoding include Burner (calls, contacts and SMS messages), WeChat, Badoo, BlackBerry Messenger, and Silent Phone. Additional decoding is also newly available for WhatsApp, Facebook, Gmail (for Android) and the new Line version for iOS.

For more information on these new features and support details, as well as a rundown of new UFED Physical/Logical Analyzer functionality, download our release notes here.

Decryption, decoding and new functionality for UFED analytical software

UFED Physical Analyzer and UFED Logical Analyzer 3.8 bring a host of new decoding and decryption support, along with new functionality.

Apple and BlackBerry decryption capabilities

Depending on the user’s Apple account type (and not defined or controlled by the user), emails on devices running iOS 5.0 or higher may be encrypted with “elliptic curve.” In previous UFED Physical Analyzer versions, those emails were presented within the analyzed data section with an encrypted body. The new capability, available in file system and physical extractions performed via UFED Physical Analyzer, will present the encrypted email body for current emails.

Decryption of the BlackBerry WhatsApp database provides access to messages that were not previously accessible. The solution is applicable for cases in which the database was stored on the mobile device or SD card.

To decrypt the WhatsApp database, perform a physical or file system extraction from the BlackBerry device. These extractions should be opened using the open advanced function:

  • Click “Select a UFED extraction” and select the .ufd file of the physical extraction
  • Click “Zip file” and select the file system extraction (.zip file)
  • Click Finish

Other new support includes faster decryption and better handling of large encrypted iTunes backup files. With this release we are also offering decryption of BlackBerry’s REMF files.

Decoding support in UFED Physical Analyzer

UFED Physical Analyzer 3.8 adds decoding support for 142 new devices, including HTC, LG, Motorola and Nokia models, in addition to a number of models within the Samsung Galaxy family. Enhanced Android decoding support is also newly available for Samsung M9xx family and Motorola devices with NVidia chipsets.

Full support is also added for both iOS and Android versions of the Google Chrome, ooVoo, QQ, KeepSafe, and Yahoo! Email apps, as well as the iOS apps Facebook Poke, Find My Friends, and vBrowse; and Android apps drug vokrug, Sygic, Snapchat, Navfree, LinkedIn, Vaulty, My People, and the native email app on HTC devices.

UFED Physical Analyzer 3.8 also improves decoding of BlackBerry Messenger (BBM) attachments.

Enhanced Nokia Symbian device decoding includes information about the device, connected Bluetooth devices, cookies, wifi networks, installed apps, notes, WhatsApp and OVI maps apps, and email. The update also improves decoding of SMS, MMS and call logs, and allows for carving of deleted SMS from unallocated areas.

Finally, enhanced decoding is available on a number of feature Samsung and LG phones, including call log decoding from 57 Samsung and 30 supported LG CDMA devices, as well as SMS decoding from select Samsungs.

New functionality for UFED Physical/Logical Analyzer software

A new built-in viewer allows you to view all extracted locations on a map. The map function is based on Bing maps and requires an internet connection. (Note: KML files are still exportable to Google Earth.) The new function requires internet access and is only available to UFED Physical/Logical Analyzer users who have a valid, up-to-date license.

UFED Physical Analyzer now also enables users to verify a list of potential complex passwords from locked Apple devices, rather than entering single passwords one at a time. The verification does not affect Apple’s incorrect password locking mechanism. In addition, both UFED Physical Analyzer and UFED Logical Analyzer enable users to provide a plist file from the lockdown directory available on the suspect PC, instead of unlocking the Apple device before the extraction.

Finally, UFED Physical/Logical Analyzer now features a new “push” notification that will inform you when a new version is waiting for you.  If you are not connected to the internet, the notification will appear every three months.

Download the release notes here!

UFED Physical Analyzer 30-day Trial

Using UFED Physical Analyzer to find which (supported) time stamp format is used

A few weeks ago, one of our customers emailed about a PIN locked Samsung SCH-U365 CDMA device. Searching within UFED Physical Analyzer for dates/times on this device, he wanted to find out whether the SMS PDU dates were his only option to choose, or if others might be available.

This particular device uses a Jan 1, 1980 epoch for SMS dates/times. Here’s a tutorial on how to use UFED Physical Analyzer to determine that information:

1) After opening the extraction, open the physical or file system extraction image file.

2) While the image hex viewer is open, select the desired data type (in this case SMS).

3) At the bottom part of the screen you will see a list of all the decoded fields from the selected data type.

4) Select your specific data field of interest to see where it is located in the hex view; in other words, where UFED decoded it from. In this case, it would be the time stamp of an SMS message.

SMS time stamp located in hex code

5) Switch to the “Values” tab and locate the “Date & Time” data type, then open the Epoch list.

6) Move the mouse cursor over the 4 bytes (highlighted in green) that, as earlier seen, are the time stamp.

7) Notice that the “Information Frame” dialog that displays the decoded time stamp (26/11/2012 02:17) matches the Epoch Jan 1, 1980. This is the desired format originally asked about.

Information Frame dialog displays the decoded time stamp

8) To perform a search and locate more potential deleted SMS messages, use the Find option and select the Dates category with “Epoch Jan 1, 1980” as the time stamp format to search for.

Since these are 4 bytes, define the date range that you want to search for in order to reduce false positive results. You can see in the image below that there were more than 5000 results in the test extraction.

To further reduce false positive results and also get more data before and after the result—the SMS text as an example that might be in a fixed offset from the time stamp—use the “Additional data” extraction/filter on the bottom right of the below dialog

additional data extraction/filter

additional data extraction/filter

UFED Physical Analyzer 30-day Trial