UFED TOUCH2, UFED TOUCH, UFED 4PC, UFED PHYSICAL ANALYZER, UFED LOGICAL ANALYZER, UFED READER
RELEASE NOTES
Version 5.4 | November 2016

NOW SUPPORTING: 20,854 device profiles, +2,851 app versions

HIGHLIGHTS

DEVICE SUPPORT
◼ Bootloader-based physical extraction for 17 MTK Android devices running the following MediaTek chipsets: MT6735 and MT6753.
◼ Physical extraction and decoding from 26 popular Motorola Android devices.
◼ Following the previous announcement in version 5.1, we have added physical extraction while bypassing user lock for 18 additional Huawei devices, running HiSilicon chipsets.
◼ Logical extraction and decoding is enabled for the new Google Pixel Android devices (Apps data not included).

APPS SUPPORT
◼ 26 new Applications supported for iOS and Android devices.
◼ Facebook Messenger: Decoding supported for multiple users of a single device.
◼ 569 updated application versions.

FUNCTIONALITY
◼ Pinpoint your subjects’ locations with more accuracy.
◼ Organize and review case evidence with enhanced searching, filtering and grouping capabilities.
◼ Analyze more data in Timeline view quicker.
◼ Identify critical case information up to 50% faster.
◼ Improved direction visuals for clearer chat conversations.
◼ Identify recorded audio files for iOS devices.
◼ Decoding shortcuts for common external extractions.
◼ View platform indication for chat messages.
◼ View description of powering events.
◼ Enhanced decoding of more data from iOS devices.

FORENSIC DEVICE PROFILES

|       | Logical extraction | Physical extraction* | File system extraction | Extract/disable user lock | Total  |
|-------|--------------------|----------------------|------------------------|---------------------------|--------|
| v 5.4 | 121                | 93                   | 101                    | 50                        | 365    |
| Total | 8,906              | 4,677                | 4,800                  | 2,471                     | 20,854 |

*Including GPS devices

Physical extraction while bypassing lock from 3,928 devices

A BRAND NEW USER INTERFACE
Due to popular demand, we are excited to introduce the new interface for UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader 5.4. We have redesigned the user interface to deliver a more intuitive user experience.

WE’VE ADDED SUPPORT TO MORE MOTOROLA ANDROID DEVICES!
Physical extraction and decoding from 26 popular Motorola Android devices (up to and including OS 5.0.1).

EXPAND YOUR EVIDENCE REACH WITH ACCESS TO EVEN MORE CHINESE ANDROID DEVICES!
Bootloader-based physical extraction from 17 MTK Android devices.

PINPOINT YOUR SUBJECTS’ LOCATIONS WITH MORE ACCURACY!
To fully utilize the large volume of locations data available in a mobile device, UFED Physical Analyzer 5.4 allows you to convert the BSSID values (wireless networks) and cell towers into location positions/specific addresses, in order for you to reveal and track connections to wireless networks and cell tower stations, within a specific timeframe.
Cellebrite Release Notes | v 5.4 |November 2016 | 2
INTRODUCING A NEW USER INTERFACE
We have launched a new and user-friendly interface for UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader 5.4.
Following customer feedback, we have redesigned the user interface by exposing all the functions in a clearer and more intuitive way, with a more modern look and feel for a greater user experience.
The new interface has given UFED Physical Analyzer, UFED Logical Analyzer and UFED Reader a much more appealing and sleeker look, making each function easily accessible and intuitive.
We have also refreshed the brand with new iconography that we’re excited to share with you!
UFED PHYSICAL ANALYZER AND UFED LOGICAL ANALYZER FUNCTIONALITY

◼ Pinpoint your subjects’ locations with more accuracy
UFED Physical Analyzer 5.4 enables you to extract more locations data from mobile devices by converting BSSID (wireless network) and cell tower values into physical locations (longitude and latitude GPS coordinates).
The BSSID represents the wireless network MAC address.
This solution is free of charge and available offline for a limited time.
To start using the BSSID feature: Download the BSSID database. Log in to MyCellebrite, and download the BSSID database from the Download page (~60 GB). The database holds millions of BSSID records of wireless networks worldwide.
To install the BSSID database: In UFED Physical Analyzer, go to Tools, select the BSSID (wirelesses networks) and cell towers database, then select Install. In the installation window, load the Offline BSSID database. (The loading process takes some time to complete.)
You can enrich the BSSID and cell tower values by generating an XML report with BSSID and cell tower values (via the Export function), and sending the report via email to [email protected]. The enriched report will be sent back to you and you can import the new values into your UFED Physical Analyzer (via the Import function) and continue your investigation.
Note 1: You can place the BSSID database in a shared network and allow any UFED Physical Analyzer station to connect to this database.
Note 2: The BSSID database will require an update. From time to time it is recommended to install an updated database.

◼ Tag items of interest
You can now tag items for future reference using one or more labels via HotKeys. The new tags function can be configured at the application level – add, delete and edit tags according to your needs.
Note: The tagging functionality has replaced the bookmarks functionality.

◼ Organize and review case evidence with enhanced searching, filtering and grouping capabilities
With version 5.4 you can now group and list information such as image and video data files under predefined categories, in order to handle and review case evidence more efficiently.
The new searching and filtering tools replace the previous Advanced Search functionality - offering cutting-edge capabilities that help narrow the search criteria with robust filters, giving you the data you need for your investigation in the palm of your hand.
Under any table view, click on the table header, and the available sorting and filtering information will be presented, providing intuitive usability, and a look and feel that is similar to common spreadsheet software, such as Microsoft Excel.
◼ Analyze more data in Timeline view quicker
The Timeline view allows you to analyze data in a chronological order, for a quicker data analysis. Version 5.4 includes contact and data file events such as images, videos and audio.
In addition, records with different timestamps are now presented in the Timeline, event per timestamp. For example, a picture taken is one event, and when deleted, is a separate event. You can control which data file items are included in the Timeline view.

◼ Identify critical case information up to 50% faster
The watch list process has been drastically improved (by up to 50%), providing faster and more efficient capacities to run a list of keywords on your extracted data. This will make it easier to identify and highlight critical information.

◼ Improved direction visuals for clearer chat conversations
When the device owner is known, the direction of incoming and outgoing chat messages is shown. (Similar to conversation views within SMS or WhatsApp.)

◼ Identify recorded audio files for iOS devices
Recorded audio files are now shown in the Recording node under Analyzed data. You can view recorded files, metadata and the recording time.

◼ Decoding shortcuts for common external extractions
Easily decode frequently used external extractions. This is now available directly from the main menu: iTunes backup, iCloud Apple production, BlackBerry 10 backup and ADB backup.

◼ View platform indication for chat messages
Today, applications such as WhatsApp, Skype and Facebook Messenger can be used from both mobile and PC platforms. For each IM message, you can now view the platform type and know if it was sent/read from a mobile app or a computer.

◼ View description of powering events
When the device is switched on or off, these events are stored on the device. The powering events model includes the description of the event as well. For example, the device is turned off due to battery state.

◼ Enhanced decoding of more data from iOS devices
We have enhanced decoding capabilities for even more data types including location data, wireless networks, cell towers, web history and search history for iOS devices.

◼ Backup Android PIN number (can be used to unlock the device when the pattern lock or face lock is unknown) and iCloud account info can now be decoded and shown under Device Info.
SOLVED ISSUES
◼ UFED: Improved physical mass storage extraction (USB Drive and other mass storage devices).
◼ Email body information is now presented within the right pane in UFED Reader.
◼ A decoding issue with Samsung SGH-T199 JTAG has been resolved - now parsing call logs and phonebook data.
◼ A decoding issue with the physical extraction of iPhone 4 has been resolved - now properly parsing video content.
◼ A decoding issue with calls from Samsung CDMA_SCH-U485 Intensity 3 device has been resolved.
◼ The correct status of SMS messages is now presented in the Timeline with DF report.
◼ A decoding issue with SMS messages from Nokia Lumia RM-1134 device has been resolved.
◼ A decoding issue with contacts from iPhone 6 plus devices has been resolved.
◼ An issue with generating large PDF reports has been resolved.
◼ A decoding failure when opening Nokia Lumia RM-974 JTAG dump has been resolved.
◼ Advanced Logical extraction of iPad 1 (A1219) now successfully completes.
◼ An issue with the hash value verification function has been resolved.
◼ An issue when running Malware Scanner has been resolved.
◼ An issue with updating the Malware definitions offline is now resolved.
◼ An issue with metadata decoding for video files has been resolved.
◼ A decoding issue with SMS messages for Nokia 105 RM-1133 has been resolved.
◼ A decoding issue with SD Card 64GB has been resolved.
◼ A decoding issue with data files from the physical extraction of the Samsung GT-E1205Y device has been resolved.
◼ A crashing issue when opening Tomtom decryption has been resolved.
◼ A crashing issue when opening Nokia Lumia 640 (RM-1072) chip-off dump has been resolved.
◼ An out-of-memory issue when trying to decrypt the Twitter app has been resolved.
◼ A failure issue with the Advanced Logical extraction of iPhone 6 plus devices running iOS 9.3.5 has been resolved.
◼ When renaming a merged project, the new name is now presented in the UFED Reader.
◼ The column “Attachment Source App” is now included in any report format.
◼ A decoding issue with BBM app for physical extraction of Sony Xperia D6603 device has been resolved.
APP SUPPORT

ANDROID

| Application | Type | Decoding Feature |
|-------------|------|------------------|
| µTorrent®- Torrent Downloader | Video player | Searched items |
| AppLock | Tools | User account, password and file system |
| Callgram messaging | Communication | Calls |
| Chatous | Social Network | User account, contacts and chats |
| CM Security Browser | Communication | Bookmarks and web history |
| CM Locker | Tools | Password and locations |
| GBWhatsApp | Communication | User account, locations, contacts, chats and calls |
| Google Calendar | Tools | Locations, user account and calendar |
| Grindr | Social Network | User account, contacts, chats and file system |
| GroupMe | Communication | User account, contacts and chats |
| Hike Messenger | Communication | User account, contacts, locations and chats |
| Hushed | Communication | User account, contacts, chats and calls |
| imo | Communication | User account, locations and chats |
| Keeper | Tools | Password, notes and file system |
| LINK | Communication | Chats, locations, user account and contacts |
| LOCX Applock | Tools | Password and file system |
| Messenger and Chat Lock | Tools | Password |
| MobileVOIP Cheap calls | Tools | SMS and user account |
| My Tracks | Travel | Locations, Journeys and searched items |
| POF (Plenty of Fish) | Social Network | User account |
| SayHi | Dating | User account, password, contacts and chats |
| Signal Private Messenger | Communication | Chats and contacts |
| Taxify | Navigation | User account and locations |
| Yeti - Campus Stories | Social Network | User account, instant messages and locations |

iOS

| Application | Type | Decoding Feature |
|-------------|------|------------------|
| Chatous | Social Network | User account, contacts and chats |
| Google app | Tools | Searched items, Web history and user account |
| Grindr | Social Network | User account, contacts, locations and file system |
| GroupMe | Communication | User account, contacts, locations and chats |
| Hike Messenger | Communication | User account, contacts, locations and chats |
| Hushed | Communication | User account, contacts, chats and calls |
| imo | Communication | User account, chats and contacts |
| Keeper | Tools | Password, notes and file system |
| LINK | Communication | Chats, locations, user account and contacts |
| MobileVOIP Cheap calls | Tools | Call, SMS and User account |
| Spy Calc | Photo & Video | Password and file system |
| POF (Plenty of Fish) | Social Network | User account and password |
| SayHi | Dating | User account, contacts, locations and chats |
| Taxify | Navigation | User account and locations |
| Yeti - Campus Stories | Social Network | User account, instant messages, locations and searched items |

KNOWN LIMITATIONS
◼ Extraction of encrypted backups via the Advanced logical extraction process for devices running iOS 10.2 Beta is currently not supported.
PARTIAL FILE SYSTEM EXTRACTION WHILE BYPASSING LOCK
86 NEW devices supported
Samsung CDMA SM-T818V Galaxy Tab S3, SM-G530R7 Galaxy Grand Prime, SCH-R530C Galaxy S III, SPH-D710 Galaxy S II Epic 4G, SCH-L710 Galaxy S III, SCH-N719 Galaxy Note II, SCH-R830 Axiom, SPH-L900 Galaxy Note II, SM-N900R4 Galaxy Note 3, SCH-R950 Galaxy Note II, SCH-R970X Galaxy S4, GT-N8010 Galaxy Note 10.1