Reason #3 to vote for Cellebrite for a 2016 Forensic 4:cast Award

There is just less than a week left to cast in your votes for the Forensic 4:cast Awards. In our previous blog posts, we mentioned that Cellebrite deserves an award this year for being consistently first, and often unmatched, bringing critical mobile forensic innovations to your work environment, and for also being the first to provide support for the most popular brands and models.

Here is the third reminder why Cellebrite deserves an award:

Forensically Sound Evidence Every Time

Unlike competitors’ “black box” third-party bootloaders, UFED remains the only mobile forensics solution with custom-designed, read-only bootloaders. By controlling every part of the process, Cellebrite ensures that the bootloading is non-intrusive and that nothing is altered on the device, keeping the data forensically sound. This capability is delivered in proprietary bootloaders that support physical extraction while bypassing locks for mobile devices, which have no alternative solutions. Our custom-designed bootloaders contain a code that is specifically designed to only read the memory chips, not write them, and are thus more flexible, generic, and work with a wider variety of devices. Altogether, they make for a solution that lets you overcome barriers and ovoid data loss or overwrite.

In version 4.2.6, released August 2015, we have enhanced the bootloader method to provide physical extraction support for the latest Samsung Android devices, (including firmware SM-G900V, SM-G900A, SM-N900V, SM-N910V, SM-G860P). With the coming release of UFED 5.1, we will be providing lock bypass and physical extraction support using the enhanced bootloader method for 200 Samsung devices.

If you benefit from our unique capability to perform a physical extraction while bypassing lock, then vote for us today!

Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED Physical Analyzer/ UFED4PC for phone forensic software of the year
  • Digital forensic organization of the year

ForensicFocus_728x90_4cast_Vote_30mar2016

Advance your forensic expertise with Cellebrite’s new smartphone analysis course

Last week we announced the introduction of a new Advanced Training Pathway designed to enhance professional forensic expertise. The first in this series, the hands-on Cellebrite Advanced Smartphone Analysis (CASA) course, addresses the sometimes complex challenges that come with forensic examination of iOS, Android and Windows Mobile devices.

Those challenges include where and how SQLite databases—whose schemas can vary from device to device—store Android and iOS mobile app data via structures, files and functions; how to defeat passcodes and unlock iOS devices; and how to recover system and user artifacts.

Within the context of smartphones, strategies to obtain the data can include physical or file system extraction with user lock bypass, extracting and decoding device backup files from a synchronized computer, or extraction using JTAG or chip-off methodologies. Over the course of three days (a total of 21 hours), CASA students can expect to learn which of those and other methods work for various device types and families.

The first step in advanced analysis is to get past a device’s user lock. Watch the video below for information on how to do this using UFED solutions—and then be sure to register for the Cellebrite Advanced Smartphone Analysis class at the Cellebrite Learning Center!

Download training white paper

Bypassing Locked Devices: Q&A from Cellebrite’s webinar

{195d00af-385d-48ae-8c04-032a86166edf}_bypassing_webinar_header

Last month we hosted two webinar sessions on “Bypassing Locked Devices”, led by Mr. Yuval Ben-Moshe, Cellebrite’s Senior Director for Forensic Technologies. In these sessions, Yuval presented the challenges and solutions to bypassing locked devices, including Cellebrite’s proprietary boot loaders among other methods used to tackle locked devices.

The webinar is available for viewing at the bottom of this post. Meanwhile, participants asked a number of good questions, which we’ve compiled in this blog—including some that we didn’t have time to answer during the webinar.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Basics of mobile device user lock bypass

Q: Using the UFED, can you gain access to the phone where the wrong passcode has been entered too many times and is now locked?

A: This depends on the device and the locking mechanism used by it. If the device is supported by a boot loader or JTAG, than the data can be extracted regardless of any locking mechanism or the number of times a wrong password was used.

Q: How far off is user lock bypass support for iPhone 5 and Blackberry devices?

A: Forensic extraction of data from iPhone 5 is achievable using of the .plist file from the paired computer. With locked Blackberry, at this point in time, examiners must rely mainly on chip-off or JTAG methods for specific models.

Q: If the element file is deleted, will it affect the function of the original pattern passcode?

A: This question refers to a method called disabling. The device will remain in a lock disabled mode until a new password can be configured via the device’s set-up menus.

Q: If an extraction fails or is interrupted, can I still parse the extracted content if it is incomplete?

A: A physical extraction that was interrupted cannot be decoded, because a full binary image is required in order for the decoding to reconstruct the full file system.

Q: Can the UFED bypass iOS 7+ with a user lock and a SIM lock?

A: Bypassing locked devices depends on the device hardware and not the iOS version running on it. That is, if iOS 7 is running on iPhone 4, physical extraction is achievable; however, if iOS 7 is running on iPhone 4s or a newer model, than a .plist file is required to enable data extraction.

Q: If a device employs a biometric lock, how does the UFED tackle the lock?

A: Bypassing a biometric lock depends on the device model. For example, for the iPhone 5, the UFED can bypass the biometric lock using the .plist file.

Sync devices and .plist files

Q: The webinar presents the paired computer method for iOS devices showing the Windows 7 path on a PC. Is there a specific location path for Apple MAC computers?

A: The path for the .plist file on Mac computers is: ~/Library/Application Support/MobileSync/Backup/

Q: Does the .plist appear on the user’s iCloud?

A: The .plist file is used for the communication between the device and the computer; hence, it does not appear in the user’s iCloud data.

Q: How do you employ the .plist file?

A: The process of using the .plist file is very simple: UFED will automatically detect the iOS device as being locked and request the .plist file.

Boot loaders and clients

Q: Will injecting a client or boot loader lead to evidence tampering?

A: The boot loader is uploaded onto the device’s RAM and is then deleted when the device powers off or restarts. Therefore, it is does not tamper with the evidence. In contrast, a client may write some data onto the device’s flash memory, yet it is still considered a forensically sound process if the investigator specifically documents what was written and on which partition/folder.

Q: If an extraction fails, is the client left on the device?

A: In some cases, when the extraction is interrupted abruptly, the UFED may not have enough time to uninstall the client, and some files may be left on the device. In this case, UFED provides a specific function to delete the client. This capability is under the UFED ‘Device Tools’ menu.

Q: Does the UFED Classic include the boot loader function?

A: The UFED Classic is also capable of tackling locked devices. However, it may not support the latest modern devices due to technical limitations with hardware. It is highly recommended to trade up the UFED Classic for a more advanced model, such as the UFED Touch or UFED 4PC.

User locks on prepaid devices

Q: Can the UFED bypass disabled data ports in burner phones?  JTAG/chip-off are options, but unlocking with a manufacturer code is possible. Can you support unlocking burner phones?

A: The UFED is able to bypass the locking mechanism for many low-end phones, a.k.a “burner phones” using a boot loader. While JTAG and chip-off are valid options, we recommend you first try unlocking the device with a UFED, since these methods are more complicated, time-consuming, potentially destructive, and expensive.

Q: How does the UFED bypass a prepaid phone with a locked data port?

A: Bypassing a user lock depends on the device itself.  If the data port is disabled, then the JTAG or chip-off methods are applicable here.

View the full webinar below:

Leave a comment if you have a question that was not answered above, or in the webinar itself!

JTAG decoding, bypassing device locks, and link analysis in Cellebrite’s July webinars

webinar_header

Link Analysis: Identify connections between suspects, victims, and others in less time

On July 1, learn how field investigators use UFED Link Analysis to rapidly visualize key relationships between entities and identify the connections and communication methods between multiple mobile devices. Join Cellebrite Forensics Solutions Specialist Lee Papathanasiou for a 60-minute live webinar that details how link analysis methodology:

  • Helps you visualize communication links using multiple mobile devices’ rich data sets, including mutual contacts, calls, SMSs, MMS, emails, chats, application transactions, Bluetooth devices, locations, and more.
  • Filters data by time, date, number of contact times, and categories, and drills down to specific events.
  • Pinpoints whether entities were at the same place at the same time.
  • Allows you to share findings with colleagues and other investigators.

The webinar, including a Q&A session, will present real world use case scenarios from a wide range of crime categories. The session will also touch on key practical features of UFED Link Analysis, including timelines, advanced filters, and much more.

Register here for the July 1 webinar on UFED Link Analysis!

Bypassing Locked Devices: Learn How to Tackle One of the Biggest Challenges in Mobile Forensics

Pattern locks and passwords are becoming increasingly sophisticated and hard to crack, even for forensic examiners. Attempting to gain access to a locked device, especially with a complex pattern lock or passcode, is often only possible by using advanced forensic tools and techniques.

Don’t remain locked out from your evidence. Join Cellebrite’s forensic technical director, Yuval Ben-Moshe, for this 45-minute live webinar to learn about the UFED’s unrivaled ability to bypass locked phones without jailbreaking, rooting or flashing. You will learn:

  • Various methods to bypass locked devices, and a live demo of password extractions using the UFED.
  • How to use the extracted password to bypass other devices owned by the same person.
  • Physical extraction while bypassing any type of lock from 470 Android devices, including Cellebrite’s first to market capabilities for Samsung Galaxy S4 family.
  • Bypassing locks from counterfeit devices and phones manufactured in China.
  • How to run a plug-in that reveals pattern locks in Physical Analyzer.

Register here for the July 10 webinar on user lock bypass and extraction!

Automated JTAG Extraction Decoding with UFED Physical Analyzer

The growing popularity of JTAG forensics requires a great deal of resources and investment to obtain raw data stored on the device’s memory chip. It can take many hours for an examiner to transform the raw data into human interpretable evidence.

Cellebrite’s newly introduced decoding capabilities reduce the amount of time examiners have to spend on manually decoding, or carving, the large volume of extracted data. Join Cellebrite’s engineering product manager, Ronen Engler, for a 45-minute session on how you can take advantage of the UFED for JTAG decoding:

  • Easily import the binary file from a JTAG extraction into the UFED Physical Analyzer to draw accurate conclusions and report data.
  • Access this rich set of data to discover common artifacts, such as call logs, SMS, media files, e-mails, chats and locations.
  • Drill down into the binary file’s hex code through advanced search capabilities for finer grained information.
  • Decode the extractions from the widest range of devices, including popular Samsung, HTC, and LG, using a series of automated plug-ins and chains.

Register for the July 24 webinar to learn about Cellebrite’s efficient and cost-effective solution to decode and obtain forensically sound data from previously inaccessible devices.

How our forensic R&D makes the previously impossible, possible

Before we launched our HTC and Motorola user lock bypass, our forensic customers had to go to through a painstaking process to recover data from these Android devices: obtain a search warrant to serve on Google, either to recover backup data or to obtain or reset the device user lock. In some cases, such as with a phone that was turned off, they may even have had to serve paper on the carrier as well.

This process could lead to delays because it could take days or even weeks to secure the paperwork and reach a law enforcement liaison. The providers’ success was limited by the type and complexity of the user lock—if they agreed to comply at all. This could slow down or altogether halt investigations’ progress.

Thanks to our work on this bypass, a number of happy customers have been able to access critical evidence which they previously could not. Said Deputy Steven Mueller of the Defiance County (Ohio) Sheriff’s Office and the Northwest Ohio Technology Crimes Unit: “I was given a HTC PD15100 in December with a pattern lock. I was unable to acquire it then. Today with the updates it is being acquired as I write this.” Mueller later updated us that he and his team were able to successfully carve graphics files from the image.

To learn more about how to perform user lock bypass and file system or physical extraction on HTC Android devices, see our new video: