UFED PHYSICAL ANALYZER, UFED LOGICAL ANALYZER, UFED READER RELEASE NOTES
Version 6.3 | July 2017

HIGHLIGHTS

APPS SUPPORT
◼ 2 new apps for Android and iOS: CM Security Master Antivirus (Android) and Private Zone – AppLock
◼ Decoding support – LinkedIn messages for Android devices
◼ Telegram cloned apps for Android – Telegram is an open source app, and Google Play carries many clones built from its code. We have added a generic parser that decodes information from these cloned apps, including Telegram + app and Telegram Plus.
◼ 139 updated application versions
FUNCTIONALITY
◼ Quickly identify known media files using Project VIC/CAID
◼ Identify known files using Hash Sets
◼ Carve more locations data from unallocated space and unsupported databases
◼ View locations by classified origin
◼ Disclose even more web history and search terms from additional sources
◼ New conditions functionality in SQLite Wizard
◼ Tag global search results
◼ Notifications center
◼ Export image files in Griffeye format
◼ Recover the deleted participants list from iMessages
◼ Decode Google Archive files
◼ Recover locations history data (iOS)
◼ Decode modified IMEI (Android)
◼ Search using wild cards in Hex viewer
◼ Decode Bluetooth history (iOS)
◼ Decode the FindMyiPhone state
◼ Decode the Advertising ID
◼ Decode the last backup date
CHECK OUT OUR NEW VIDEO ON UFED 6.3!
Watch video now! https://vimeo.com/222514207/1d01006bfb
NOW SUPPORTING
Device profiles: 4,187
App versions: 22,179
IDENTIFY KNOWN FILES USING MULTIPLE HASH SETS INCLUDING PROJECT VIC/CAID
Quickly identify media files by creating databases using Project VIC or CAID hash values, and matching them against existing media files.
NEW! BOOST LOCATIONS DATA USING AN INNOVATIVE CARVING SOLUTION
Get the most locations data possible from a digital device by using a unique carving method to obtain more data from unallocated space and unfamiliar databases.
Cellebrite Release Notes | UFED v 6.3 | July 2017 | 2
QUICKLY IDENTIFY KNOWN MEDIA FILES USING PROJECT VIC/CAID
Cellebrite is proud to provide a capability to quickly identify media related to child exploitation that can incriminate predators. UFED Physical Analyzer 6.3 lets you create hash databases by importing Project VIC/CAID files and match them against media recovered as part of the extraction; each hit is labelled with the appropriate VIC/CAID category. Cellebrite's Analytics solution offers the complete package in the fight against child exploitation.
In partnership with law enforcement agencies, Cellebrite has developed a unique and innovative method, complementing the Project VIC/CAID solution, that enables users to identify and tag suspected child exploitation related media (images and video) within a new Suspected Child Exploitation Media category.
IDENTIFY KNOWN FILES USING HASH SETS
Upload any CSV or text file that contains a list of known hash values, and match it against every file recovered from the device. To start using this capability: Tools ––> Watch list ––> Hash set manager. You can control how hash set results appear, both in the UI and in reports, using the options Show, Hide and Redact.
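The matching step behind a hash set, as an added example that is not Cellebrite code: a watch list is parsed from a plain CSV, every recovered file is hashed with each algorithm present in the list, and each hit is rendered under a show/hide/redact policy. The CSV layout (a hash column and a category column), the algorithm-by-digest-length rule and the sample files are assumptions made for this example; Project VIC and CAID exports use their own schemas and would be mapped onto this shape first.

```python
"""Match files recovered from an extraction against a hash set (watch list).

Added example, not Cellebrite code. It assumes a plain CSV with a 'hash'
column and a 'category' column; Project VIC and CAID exports use their own
schemas, and a real import would map those fields onto this shape first.
"""
import csv
import hashlib
import io
from dataclasses import dataclass

# Digest length in hex characters -> algorithm. Watch lists commonly mix
# MD5 and SHA-1 entries, so the algorithm is inferred per entry.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed watch list: md5("hello") in upper case, sha1("abc"), and one
# malformed line to show that bad entries are dropped, not matched.
HASH_SET_CSV = """hash,category
5D41402ABC4B2A76B9719D911017C592,category-a
a9993e364706816aba3e25717850c26c9cd0d89d,category-b
not-a-hash,category-c
"""

# Constructed stand-in for files recovered from the device: path -> bytes.
RECOVERED_FILES = {
    "DCIM/IMG_0001.jpg": b"hello",
    "Downloads/clip.mp4": b"abc",
    "Downloads/notes.txt": b"nothing to see here",
}


@dataclass(frozen=True)
class Match:
    path: str
    algorithm: str
    digest: str
    category: str


def load_hash_set(csv_text: str) -> dict:
    """Parse the CSV into {lowercase digest: (algorithm, category)}.

    Digests are normalised to lower case so that case differences between
    the list and hashlib output never hide a hit. Entries whose length does
    not map to a known algorithm, or that contain non-hex characters, are
    dropped rather than left in the table where they could never match.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = row["hash"].strip().lower()
        algo = ALGO_BY_LENGTH.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            continue
        table[digest] = (algo, row["category"].strip())
    return table


def match_files(files: dict, hash_set: dict) -> list:
    """Hash each file once per algorithm present in the set and report hits."""
    algorithms = sorted({algo for algo, _ in hash_set.values()})
    matches = []
    for path, data in files.items():
        for algo in algorithms:
            digest = hashlib.new(algo, data).hexdigest()
            if digest in hash_set:
                matches.append(Match(path, algo, digest, hash_set[digest][1]))
    return matches


def render(match: Match, policy: str) -> str:
    """Apply one of the three display policies to a hit: show, hide or redact."""
    if policy == "show":
        return f"{match.path} [{match.category}] {match.algorithm}:{match.digest}"
    if policy == "redact":
        return f"<redacted> [{match.category}] {match.algorithm}:{match.digest}"
    if policy == "hide":
        return ""
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    hits = match_files(RECOVERED_FILES, load_hash_set(HASH_SET_CSV))
    for hit in hits:
        print(render(hit, "redact"))
```

Hashing every file once per algorithm in the list is what makes mixed MD5/SHA-1 lists work; the cost is one extra pass per algorithm, which is why a list should be cleaned of malformed entries before matching rather than after.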
CARVE MORE LOCATIONS DATA FROM UNALLOCATED SPACE AND UNSUPPORTED DATABASES
This carver decodes additional locations data from unallocated space and from databases that UFED Physical Analyzer has no dedicated parser for. To start, open Device Locations and click the carving icon, or start the carving process from: Tools ––> Get more data (carving) ––> Carve locations. The carver can search for additional locations either in up to three of the most visited areas or in any other custom area.
Note: The carving results may contain many false positive events. Treat carved locations as leads to be corroborated against parsed records, not as confirmed fixes.
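Why carved locations produce false positives is easiest to see in a minimal carver. The block below is an added example, not Cellebrite's carver: it scans a raw byte blob at every offset for a pair of little-endian IEEE-754 doubles that fall within valid latitude/longitude ranges. The record layout (lat then lon as two consecutive doubles), the magnitude cut-off and the sample blob are assumptions for this example; real apps store coordinates in many other layouts, each of which needs its own scan. The constructed blob contains two real fixes and a run of printable ASCII that happens to decode to in-range doubles, which the carver reports as a low-confidence candidate.

```python
"""Carve candidate latitude/longitude pairs from a raw byte blob.

Added example, not Cellebrite's carver. It assumes that a location record
stores latitude and longitude as two consecutive little-endian IEEE-754
doubles; real apps use many other layouts (text, integers scaled by 1e7,
big-endian, plists), each needing its own scan.
"""
import math
import struct
from dataclasses import dataclass

PAIR = struct.Struct("<dd")   # assumed record layout: lat then lon, little-endian
MIN_MAGNITUDE = 0.01          # |value| below this is almost always junk, not a fix


@dataclass(frozen=True)
class Candidate:
    offset: int
    lat: float
    lon: float
    confidence: str


def plausible(lat: float, lon: float) -> bool:
    """Range and sanity checks that every real fix must pass."""
    if not (math.isfinite(lat) and math.isfinite(lon)):
        return False
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return False
    # 0.0 and denormals decode from the long zero runs typical of free space.
    return abs(lat) >= MIN_MAGNITUDE and abs(lon) >= MIN_MAGNITUDE


def carve_coordinate_pairs(blob: bytes) -> list:
    """Scan every byte offset; records in slack space are rarely aligned."""
    found = []
    for offset in range(0, len(blob) - PAIR.size + 1):
        lat, lon = PAIR.unpack_from(blob, offset)
        if not plausible(lat, lon):
            continue
        window = blob[offset:offset + PAIR.size]
        # Printable ASCII that happens to decode into in-range doubles is a
        # classic false positive; demote it rather than drop it, because a
        # range check alone cannot tell it from a genuine record.
        confidence = "low" if all(0x20 <= b < 0x7F for b in window) else "high"
        found.append(Candidate(offset, lat, lon, confidence))
    return found


def build_sample_blob() -> bytes:
    """Constructed sample 'unallocated space': two fixes, zero filler, and an
    ASCII run whose bytes decode to in-range doubles (a false positive)."""
    filler = b"\x00" * 24
    return (
        filler
        + PAIR.pack(51.5, -0.125)       # constructed fix 1 at offset 24
        + filler
        + b"ABCDEFG@HIJKLMN@"           # text that looks like coordinates, offset 64
        + filler
        + PAIR.pack(40.75, -74.0)       # constructed fix 2 at offset 104
        + filler
    )


if __name__ == "__main__":
    for c in carve_coordinate_pairs(build_sample_blob()):
        print(f"0x{c.offset:06x} lat={c.lat:.4f} lon={c.lon:.4f} confidence={c.confidence}")
```

The text-derived candidate survives every range check, which is the point of the note above: a carver can only reject the implausible, so anything it returns still needs a timestamp, a source database or another parsed record to back it up.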
FUNCTIONALITY
VIEW LOCATIONS BY CLASSIFIED ORIGIN
UFED Physical Analyzer classifies each recovered location record by its origin: Device or External. From version 6.3 you can view and filter locations according to whether they arose from the device user's own activity. A 'Device' location is one the device itself produced, for example a picture taken with the device camera. An 'External' location belongs to content that was received on the device, for example a picture sent by someone else; it relates to the sender, and does not mean the device was ever at that place. The two classes are highlighted in different colors on the map.
Note: Some locations are classified as Unknown.
DISCLOSE EVEN MORE WEB HISTORY AND SEARCH TERMS FROM ADDITIONAL SOURCES
UFED Physical Analyzer can now carve more search history data from allocated and unallocated memory space, and from additional web browsers including Chrome, Samsung Browser and Firefox.
Both intact and deleted records recovered by this carving process appear under the Searched Items model. This capability applies to iOS, Android and Windows Phone devices.
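Carving search terms out of raw memory rather than a parsed history table, as an added example that is not Cellebrite's carver: search-engine URLs are located with a byte-level regular expression, the query parameter is extracted and percent-decoded, and each hit is reported with its offset. The engine table (which hosts, which query parameter) and the sample blob, which mimics live and freed browser-history rows, are assumptions for this example. Deleted rows survive as plain text in freed pages, so they are found just as readily as live ones; the carver cannot tell the two apart, which is why both land under the same model.

```python
"""Carve web search terms from raw memory or unallocated space.

Added example, not Cellebrite's carver. It looks for search-engine URLs as
they appear in browser history databases, caches and slack space, and pulls
the query parameter out of each hit. The engine table is an assumption that
covers a few common engines only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Host fragment -> name of the query parameter that carries the search term.
ENGINES = {
    "google": ("google.", "q"),
    "bing": ("bing.com", "q"),
    "duckduckgo": ("duckduckgo.com", "q"),
    "yahoo": ("search.yahoo.com", "p"),
}

# A URL token: scheme, then everything up to whitespace, a quote, an angle
# bracket, a control byte or NUL (where SQLite record boundaries cut it).
URL_RE = re.compile(rb"https?://[^\s\"'<>\x00-\x1f\x7f-\xff]{8,2048}")

# Constructed blob: a live Chrome-style history row, some residue, a freed
# Bing row, a non-search URL that must be ignored, and a percent-encoded
# non-ASCII DuckDuckGo query.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"https://www.google.com/search?q=ufed+physical+analyzer&oq=ufed\x00"
    + b"\x05\x17Chrome history row residue "
    + b"https://www.bing.com/search?q=delete%20browser%20history&form=QBLH\x00"
    + b"https://example.com/not-a-search?q=ignored\x00"
    + b"https://duckduckgo.com/?q=%E2%9C%93+unicode&t=h_\x00"
)


@dataclass(frozen=True)
class SearchHit:
    offset: int
    engine: str
    term: str
    url: str


def engine_for(host: str) -> Optional[str]:
    for name, (needle, _) in ENGINES.items():
        if needle in host:
            return name
    return None


def extract_term(url: str) -> Optional[Tuple[str, str]]:
    """Return (engine, decoded term) for a search URL, or None otherwise."""
    parts = urlsplit(url)
    engine = engine_for(parts.netloc.lower())
    if engine is None:
        return None
    param = ENGINES[engine][1]
    values = parse_qs(parts.query, keep_blank_values=False).get(param)
    if not values:
        return None
    return engine, values[0]


def carve_search_terms(blob: bytes) -> List[SearchHit]:
    """Return every search-engine URL in the blob with its decoded term.

    Live and deleted rows look identical at this level; corroborating a hit
    against a parsed history table is what separates the two.
    """
    hits = []
    for m in URL_RE.finditer(blob):
        url = m.group().decode("ascii", errors="replace")
        result = extract_term(url)
        if result is None:
            continue
        engine, term = result
        hits.append(SearchHit(m.start(), engine, term, url))
    return hits


if __name__ == "__main__":
    for hit in carve_search_terms(SAMPLE_BLOB):
        print(f"0x{hit.offset:06x} {hit.engine:<10} {hit.term!r}")
```

Stopping the URL token at NUL and control bytes matters more than it looks: SQLite packs adjacent text fields with no separator in some record layouts, so a greedy match would otherwise swallow the next column into the query string.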
NEW CONDITIONS FUNCTIONALITY IN SQLITE WIZARD
In cases where the interpretation of a field depends on another field's value, you can map that data using the new conditions function. For example, an SMS participants table in an SQLite database stores SMS information, and in several cases a single column holds both the From and the To value of a message, with another column (such as a direction flag) determining which one a given row contains. You can now create a condition that tells the two apart when mapping the column.
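The same conditional mapping expressed directly in SQL, as an added example using Python's sqlite3 rather than the SQLite Wizard: a constructed messaging table keeps the remote party's number in one address column and a direction flag that says whether that number is the sender or the recipient. The schema, the flag values (1 = incoming, 2 = outgoing) and the placeholder for the owner's own number are assumptions for this example. The naive mapping shows what goes wrong without a condition; the conditional one leaves rows with an unknown flag unresolved instead of guessing.

```python
"""Map a single 'address' column to From/To using another column's value.

Added example using Python's sqlite3, not the SQLite Wizard itself. The
schema is constructed: a messaging table that keeps the remote party's
number in one column and a 'direction' flag saying whether that number is
the sender (1, incoming) or the recipient (2, outgoing).
"""
import sqlite3

# Constructed rows: (id, direction, address, body).
SAMPLE_ROWS = [
    (1, 1, "+15551230001", "are you coming?"),
    (2, 2, "+15551230001", "on my way"),
    (3, 1, "+15551239999", "your code is 4821"),
    (4, 3, "+15551230002", "draft, never sent"),   # flag value outside the known set
]

OWNER = "<device owner>"   # placeholder for the handset's own number (assumed)


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, direction INTEGER, "
        "address TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def naive_mapping(conn: sqlite3.Connection) -> list:
    """Mapping 'address' straight to From mislabels every outgoing message."""
    rows = conn.execute("SELECT id, address, body FROM message ORDER BY id")
    return [{"id": i, "from": a, "to": OWNER, "body": b} for i, a, b in rows]


def conditional_mapping(conn: sqlite3.Connection) -> list:
    """Decide per row which field 'address' is, based on 'direction'.

    A CASE with no ELSE yields NULL, so rows whose direction value is not
    one of the known flags come back with from/to = None and stay visible
    as unresolved rather than being silently assigned a party.
    """
    sql = """
        SELECT id,
               CASE direction WHEN 1 THEN address WHEN 2 THEN ? END AS from_addr,
               CASE direction WHEN 1 THEN ? WHEN 2 THEN address END AS to_addr,
               body
        FROM message
        ORDER BY id
    """
    rows = conn.execute(sql, (OWNER, OWNER))
    return [{"id": i, "from": f, "to": t, "body": b} for i, f, t, b in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for row in conditional_mapping(db):
        print(row)
```

When the flag's meaning is undocumented, the unresolved rows are the ones to inspect by hand before extending the condition; mapping them by guesswork is how a recipient ends up recorded as a sender in a report.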
TAG GLOBAL SEARCH RESULTS
Create tags for all Global Search result items at the touch of a button. We have also enhanced the Global Search UI to provide a familiar user experience.
NOTIFICATIONS CENTRE
Never miss a thing with the new automatic notifications, which keep you up to date with new features and capabilities in UFED Physical Analyzer. In the Notification Centre you can view the latest alerts, news, warnings, completed actions and more. To view notifications, click the Bell icon ––> View all notifications.
EXPORT IMAGE FILES IN GRIFFEYE FORMAT
Easily export selected images in Griffeye format (* C4P Index.xml). You can import the exported file into Griffeye using a C4All XML data source.
RECOVER THE DELETED PARTICIPANTS LIST FROM IMESSAGES
We have added support for iOS devices, recovering deleted participants’ information from iMessages.
DECODE GOOGLE ARCHIVE FILES
Open and decode Google Archive files using UFED Physical Analyzer (via Advanced Search, or by running the Google Archive Databases chain). Such an archive contains important information including: Chrome history and bookmarks, contacts from the Google account and Google+, emails from Gmail, search history from Google Play, chats, calls and contacts from Hangouts, and play/search history from YouTube.
RECOVER LOCATIONS HISTORY DATA (iOS)
We have enhanced the locations data from iOS devices. You can now decode additional location history records from the maps data plist file. This file is used to sync location history from the iOS device to the cloud service.
DECODE MODIFIED IMEI (ANDROID)
It is possible to change a device's IMEI using flash boxes or other methods. UFED Physical Analyzer 6.3 now decodes the modified IMEI (when available) in addition to the previous IMEI.
Note: UFED Physical Analyzer gives no indication of whether a decoded IMEI is the original.
SEARCH USING WILD CARDS IN HEX VIEWER
Within the Find tab in the Hex viewer, you can now search using wild cards: ? and *. A ? stands for a single hex digit (one nibble, 4 bits), and a * stands for an entire byte (8 bits).
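How a nibble-level wildcard search works, as an added example that is not the Hex viewer's implementation: each pattern byte is compiled to a (value, mask) pair, so that a ? in either digit position clears that nibble's mask bits and a * clears the whole byte, and the buffer is then scanned at every offset with a masked compare. The pattern grammar (hex digits in pairs, ? in any digit position, * as a byte, whitespace ignored) and the sample buffer are assumptions for this example.

```python
"""Hex search with nibble ('?') and byte ('*') wildcards.

Added example, not the UFED Hex viewer's implementation. Pattern grammar
(an assumption): hex digits in pairs, '?' in any digit position, '*' for a
whole byte, whitespace ignored. Case is insignificant.
"""

HEX = "0123456789abcdef"

# Constructed buffer: a short fake record stream with several 0x4? bytes.
SAMPLE = bytes.fromhex("00 4f 10 ff 2a 4b 99 ff 4c 00 ff 40 ff")


def compile_pattern(pattern: str) -> list:
    """Turn a pattern into a list of (value, mask) per byte.

    A fully known byte is (value, 0xFF); '4?' is (0x40, 0xF0);
    '?F' is (0x0F, 0x0F); '*' is (0x00, 0x00), which matches anything.
    """
    text = "".join(pattern.split()).lower()
    compiled = []
    i = 0
    while i < len(text):
        if text[i] == "*":
            compiled.append((0x00, 0x00))
            i += 1
            continue
        if i + 1 >= len(text):
            raise ValueError(f"dangling nibble {text[i]!r} at position {i}")
        value = mask = 0
        for shift, ch in ((4, text[i]), (0, text[i + 1])):
            if ch == "?":
                continue                      # unknown nibble: leave its mask bits clear
            if ch not in HEX:
                raise ValueError(f"bad hex digit {ch!r} at position {i}")
            value |= HEX.index(ch) << shift
            mask |= 0xF << shift
        compiled.append((value, mask))
        i += 2
    if not compiled:
        raise ValueError("empty pattern")
    return compiled


def find_all(data: bytes, pattern: str) -> list:
    """Return every offset where the masked pattern matches; overlaps allowed."""
    compiled = compile_pattern(pattern)
    n = len(compiled)
    hits = []
    for off in range(len(data) - n + 1):
        if all((data[off + k] & m) == v for k, (v, m) in enumerate(compiled)):
            hits.append(off)
    return hits


if __name__ == "__main__":
    print(find_all(SAMPLE, "4? * FF"))   # every 0x4x byte followed by any byte then 0xFF
```

The masked compare is what lets ? and * coexist without special cases: a * is simply a byte whose mask is zero, and a pattern such as ?F matches every byte whose low nibble is F regardless of the high one.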
DECODE BLUETOOTH HISTORY (iOS)
Under the Bluetooth Devices model, you could previously view a list of Bluetooth devices that were connected to the device. We have enhanced the results presented with additional Bluetooth history records for iOS devices (using full File System extraction which is available via Cellebrite Advanced Investigative Services (CAIS)).
DECODE FINDMYIPHONE STATE
Under Device Info, for iOS devices, you can now see whether the “FindMyiPhone” setting is enabled.
DECODE ADVERTISING ID
Under Device Info, for both iOS and Android devices, you can now view the device's “Advertising ID”. This is the per-device identifier that ad networks and app developers use to recognise the same device across the apps that run on it.
DECODE LAST BACKUP DATE
Under Device Info, for iOS devices, you can now view the “Last Backup Date” of the device.
DID YOU KNOW
UFED Physical Analyzer can convert BSSID values (wireless network identifiers) into location positions and specific addresses, so that you can reveal and track connections to wireless networks within a specific timeframe. You can download an offline database (~60 GB) from My.Cellebrite, or use Cellebrite's enrichment service. To ease the download of this large database, you can now download it as split files (6 files of 10 GB each) and load them into UFED Physical Analyzer.
Note: From version 6.3 onwards, UFED Physical Analyzer merges all database files.
SOLVED ISSUES
The following issues have been resolved:
◼ A decoding issue of iCloud backup (Apple production data).
◼ A localization issue of SIM information under device info in Japanese.
◼ A decoding issue of locations from the Endomondo app for Android devices.
◼ A decoding issue of call logs from a public pay phone, where the from participant appears as -3.
◼ A decoding failure of the WeChat app version 6.5.4 (Android).
◼ A decoding failure of Samsung GSM GT-E1200i Keystone 2.
◼ A decoding issue with missing POI of a TomTom GPS device model Start 25, type no. 4EN52.

KNOWN ISSUES
◼ Redacted thumbnails are not presented in IE 10; they appear as unavailable due to a browser limitation.
APP SUPPORT

iOS
Application | Type | Decoding Feature
LEO Privacy / Private Zone - AppLock | Files | Decryption of private pictures, private videos and private files

ANDROID
Application | Type | Decoding Feature
CM Security Master Antivirus | Tools | User account
LEO Privacy / Private Zone - AppLock | Files | Private bookmarks, decryption of passcode, accounts, VIP cards, bank cards and private albums (file system)

iOS: NEW AND UPDATED APPS: 1 NEW App, 166 UPDATED Apps
CRYPTOGRAPHIC HASH VALUES INFORMATION
You can validate the integrity of Cellebrite's UFED software files by verifying their cryptographic hash values. This can help you identify whether a file has been changed from its original state.