UFED Logical Analyzer
Contents
1. A conversation tab opens, displaying related items as a conversation between the sending and receiving parties of the selected item. [Screenshot: conversation tab with 20 messages between "Friend" and "Mor Konevky", dated 12/27/2012.] Cellebrite: delivering mobile expertise. [Chapter 5: Locating and analyzing information] 3. To translate or delete translated text, click [icon] and then select Translate all or Delete all translations. 4. To print the conversation, click [icon]. 5. To view a print preview, click [icon]. 6. To export the conversation, click the desired output in the conversation tab toolbar: Excel, HTML, PDF, XML, or Word. 7. To change the order of the conversation, click [icon] and then select Oldest message first or Newest message first. 8. To filter messages, enter text in the search box. 9. To add or edit bookmarks, click [icon]. 10. Select a check box to include specific messages in the report, or select all messages or no messages. 5.7 Working with watch lists: Run a watch list of keywords against your extracted data to identify and highlight important and relevant information. The watch list search can either be activated automatically or run manually on selec
2. [Screenshot: license window reporting "Dongle not found. To use the product with a dongle license, plug in the dongle to your computer", with software license details, Computer ID, and Help and Sales contacts.] 15. Click Network. The following window appears. [Chapter 2: Installation and activation] [Screenshot: Network Dongle License Details window: "Your license will expire on June 13, 2015"; license includes CHINEX, iOS, Physical, GPS; Dongle Serial 1660761760; Dongle ID F929.] NOTE: If a dongle was not found on the network, make sure that you have an Internet connection and that a dongle is connected to the network. Then click Refresh to search for a network dongle again. NOTE: By default, the network configuration is set to Broadcast. If required, you can manually connect to the network dongle. Click Configure to change the network configuration to Specific host. Enter the host name or IP address and the port number (1-5 digits). NOTE: If there is only one network dongle, it will be selected automatically. If there are multiple network dongles, select the required dongle from the list and click Apply. Congratulations, your application is now ready. 2.1.4 Moving UFED Logical Analyzer with a software license to another PC: In cases where a UFED Logical An
3. Excel, PDF: Choose the format and provide a password. [Chapter 9: Generating a report] 11. Select Default sorting to sort the items included in the generated report according to the default sorting set by Cellebrite for each of the Analyzed and Data file types, or clear Default sorting to sort the items according to the selected sorting field and the sorting order (ascending or descending) that was set by the user in each of the data display tables. [Screenshot: Generate Report wizard, Layout page, with the Default sorting option.] 12. For each format chosen for this report, you can specify report parameters as follows: a. Word, HTML and PDF Reports. Disable models categorization: Select to disable the separation and generate a report in which every data item is generated as a single section without subcategory separation. By default, a categorized report is generated, in which each category in the data items group is a separate section of the report. For example, when generating a report with SMS, select the check box to generate the SMS messages as a single list, or clear the check box to break them into a separate list for each category of SMS messages (Inbox, Outbox, Drafts, etc.). Logo Header Text area where you can enter and format cust
4. Zoom in and out. You can also adjust the zoom using the slider. Zoom to fit the tab. Reset the zoom to 100%. Hide image controls. 3. Click the File Info tab to view the file information. For example, the File metadata section includes information such as the Capture Time, which is the date and time a photo was taken. 4.4 Playing video files: To play the video within UFED Logical Analyzer: 1. In the data table, double-click the media file that you want to play. A new tab opens for the media file. 2. Click [icon]. To play the video in the default program: Right-click the media file and select Open with default program. Chapter 5 Locating and analyzing information: This section describes how to browse, search, filter, bookmark, and manage the information in your project. 5.1 Searching for information in a data tab: In Table View tabs, search for a particular item within the data table. The search is performed on all the data entries within the table. In the Table Search box, enter any string. The table updates to display only items containing the string you entered. 5.2 Using the quick filter: Use the quick filter tools to filter data in Table View tabs as follows: Show all, Only selected, Only not selected, Deleted; Show all, Display images above 30KB, Display images above 100KB, Display images above 500KB; Filter images
5. 2. Click Add field and select a field from the drop-down list. The fields list comprises the columns in the current data tab. 3. In the box that appears for the selected field, enter any string or timestamp. The tab displays only items that match the filter. 4. To add additional filters, repeat steps 2-3. If you place additional filters in the Advanced search, the returned results match all specified criteria. 5. To clear the string you entered, click x. 6. To clear all the entered strings, click Clear All. [Chapter 5: Locating and analyzing information] 7. To remove the field filter, click [icon]. 8. To close the advanced filter, click Advanced. 5.4 Searching for information in all open projects: Use the All projects search box in the toolbar to search for information in all open projects. 1. Type any string in the All Projects box. A list of matching results appears under the All Projects search field. The results are sorted by open project. Within each open project, the results are sorted by categories according to type (SMS messages, contacts, files, and so on). The number of matching results found in each type category is also displayed. [Screenshot: All Projects search results for "shop", listed per open project with match counts.] 2. Click [icon] to collapse or expand the projects. 3. Do one of the following: Click [icon] next to the project name to view the results of the search i
6. Cellebrite: delivering mobile expertise. UFED Logical Analyzer User Manual. Legal Notices: Copyright 2014 Cellebrite Mobile Synchronization Ltd. All rights reserved. This manual is delivered subject to the following conditions and restrictions: This manual contains proprietary information belonging to Cellebrite Mobile Synchronization Ltd. Such information is supplied solely for the purpose of assisting explicitly and properly authorized users of the UFED Logical Analyzer. No part of this content may be used for any other purpose, disclosed to any person or firm, or reproduced by any means, electronic or mechanical, without the express prior written permission of Cellebrite Ltd. The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice. Information in this document is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted. Contents: Chapter 1 Introduction; Chapter 2 Installation and activation; 2.1 Installing UFED Logical Analyzer; 2.1.1 System requirements; 2.1.2 Software installation; 2.1.3 Activating UFED Logical Analyzer; 2.1.4 Moving UFED Logical Analyzer with
7. 3. Select the Include translations check box to include translated data. 4. Click OK. [Chapter 4: Orientation to the workspace] The report is generated and a message appears asking if you would like to open it in third-party software. 5. Click Yes or No. The file is opened in the default third-party software. NOTE: When exporting to EML, a file is created for each email. 4.2.3.2 Text view: For text-based data files, view the data as text. [Screenshot: Text View, Hex View and File Info tabs showing a text data file.] 4.2.3.3 Table view for data files: For data files, the table shows the following information: Indicates whether to include (checked) or exclude (unchecked) the item in the report generated. Row number. Indicates if the item is bookmarked. Indicates whether the data file was deleted or has an unknown status or white document icon. Image: A thumbnail of the image or an icon of the file type (image data files only). Name: The file name. Path: The root path of the data file. Size: The size of file. Metadata: Additional metadata of the data file. Created: The creation time stamp of the data file. Modified: The modification time stamp of the data file. Accessed: The last
8. Browse to the location where you want to save the project session file. 3. To change the file name, edit the automatically assigned name in the File name box. NOTE: To overwrite an earlier session, choose the same file name. 4. Click Save. 3.5 Loading a project session: 1. From the Welcome tab, open the project that you want to work in. 2. In the File menu, select Load Project Session. 3. In the Open dialog box, browse to and select the project session file that you want to open. 4. Click Open. The session opens. [Chapter 3: Getting started] 3.6 Closing a project: Do one of the following: In the File menu, select Close. Right-click the project name and select Close. 3.7 Closing UFED Logical Analyzer: In the File menu, select Exit. 3.8 Keyboard shortcuts: Ctrl+O: Open a file. Ctrl+W: Close a project. Ctrl+P: Open project settings. Ctrl+H: Open iOS wizard. Ctrl+T: Open settings. Space: Select or clear check boxes. Ctrl+R: Open the report wizard. Ctrl+Tab: Switch between open tabs. Ctrl+Home: Move the cursor to the beginning of a table. Ctrl+End: Move the cursor to the end of a table. Ctrl+B: Add an entity bookmark. Ctrl+U: Open the UFED Downloader to connect to UFED. Chapter 4 Orientation to the workspace: The workspace contains two main areas, the project tree and the data display area, to streamline your workf
9. Logical Analyzer be installed [Screenshot: Setup wizard, destination folder page: "Setup will install UFED Logical Analyzer into the following folder. To continue, click Next. If you would like to select a different folder, click Browse." At least 311.6 MB of free disk space is required.] 5. If desired, click Browse and set a different installation folder. 6. Click Next. [Screenshot: Setup wizard, additional tasks page: "Select the additional tasks you would like Setup to perform while installing UFED Logical Analyzer, then click Next."] 7. If you do not want a desktop icon, clear the Create a desktop icon checkbox. [Chapter 2: Installation and activation] 8. Click Next. [Screenshot: Setup wizard, Ready to Install page; destination location C:\Program Files\Cellebrite Mobile Synchronization\UFED Logical Analyzer.] 9. Click Install. The installation begins. NOTE: As part of the installation process, you may be prompted to enable download and installing of the Microsoft .NET 3.5 Framework. This installation requires that your computer has Internet access. Completing the UFED Logic
10. [Screenshot: Extraction Summary tab showing device information (phone revision, IMEI, serial, Bluetooth device address, WiFi address, Unique Device ID) and Phone Data.] To reopen the tab if closed, double-click the Extraction Summary tree item. The Extraction Summary tab can display the following information: Extraction Info: Information related to the device extraction, such as: Extraction start date time and Extraction end date time: When the extraction started and ended. Unit Identifier: The serial number of the device that performed the extraction (e.g., UFED Touch), or a unique ID if the extraction was performed by a PC application (e.g., UFED 4PC). UFED software version (e.g., 4.1.0.220). Unique ID for each extraction type. Device Info: A summary of the specific device info pulled from the extraction file. See the Device Info item in Project tree (page 44). Selected Manufacturer: Manufacturer of the device (e.g., Apple). Device Content: Analyzed content divided into the following categories: [Chapter 4: Orientation to the workspace] Phone Data: The types of analyzed device data found in the extraction, such as call log, contacts, SMS messages, and so on. For the complete list of phone data types, see the Analyzed Data item in Project tree (page 44). Data Files: The types of standard data files found in the extractio
11. UFED 4PC or UFED Touch, together with the UFED camera, enables you to collect evidence by taking pictures or videos of a device. A screenshot feature captures internal screenshots directly from a Blackberry, Android, or iOS device. These options can be useful as complementary evidence or in instances when data cannot be extracted from a device. This evidence can be displayed in UFED Logical Analyzer together with any notes, categories, and bookmarks which were added by the examiner. For information on capturing camera and screenshot evidence, refer to the UFED 4PC or UFED Touch user manuals. To import camera or screenshot evidence: Click the Evidence ufd file. The Camera Evidence (pictures and videos) or Phone Evidence (screenshots) is imported into UFED Logical Analyzer as a new project. The evidence includes Phone Evidence or Camera Evidence divided by category, as well as entity bookmarks and notes that were added during the extraction. An example is displayed next. [Screenshot: project tree of an imported evidence project, including Analyzed Data, Data Files, Timeline, Watch Lists, Malware Scanner, Project Analytics, Hex Bookmarks, Entity Bookmarks, and Reports.] [Chapter 11: Camera and screenshot evidence] To import camera and screenshot evidence together with the
12. by extension, Show JPEG. Displays all items. Displays items that are selected. Displays items that are not selected. Displays deleted items. Show all images. Display only small images (above 30KB). Display only medium-sized images (above 100KB). Display only large images (500 KB). Click to enable file type filtering. Display JPG or JPEG files. [Chapter 5: Locating and analyzing information] Show GIF: Display GIF files. Show BMP: Display BMP files. Show PNG: Display PNG files. Metadata filter: Filter image and video files by Metadata (All, Without metadata, or Has metadata) and Location (All, Has location, or Without location). Capture time filter: Filter image and video files by capture time. The maximum range is displayed by default, and you can select a specific date and time range. Translation filter: Filter translated text to display all text, translated text, or text that has not been translated. NOTE: The toolbar items are context sensitive and only appear when relevant data is displayed. 5.3 Using the advanced filter: Use the advanced filter to filter the list based on a combination of several parameters. 1. In the filter toolbar, click Advanced. [Screenshot: Advanced Filter panel with the Add field control.]
13. conversation view; 5.7 Working with watch lists; 5.7.1 Creating a watch list; 5.7.2 Editing a watch list; 5.7.3 Importing a watch list; 5.7.4 Exporting a watch list; 5.7.5 Deleting a watch list; 5.7.6 Running a watch list; 5.8 Bookmarking information (entity bookmarks); 5.8.1 Creating a new entity bookmark; 5.8.2 Editing an entity bookmark; 5.8.3 Deleting an entity bookmark; Chapter 6 Translating decoded data; 6.1 Using the feature; 6.2 Updating your license with the selected languages; 6.2.1 Selecting languages in MyCellebrite; 6.2.2 Downloading the translation pack; 6.2.3 Translating the decoded data; [entry illegible]; Chapter 7 Working with Project Analytics; Chapter 8 Scanning for malware; 8.1 Updating the signature database online; 8.2 Updating the signature database from file; Chapter 9 Generating a report; Chapter 10 Performing ext
14. Extraction Summary: Double-click Extraction Summary to open a summary of the project in the data display area. For more information, see Extraction summary tab (page 57). [Chapter 4: Orientation to the workspace] Tree item: Device Info. Description: Double-click Device Info to open a tab in the data display area. The Device Info tab provides a list of existing information as well as important identifiers for the device, such as SIM card and user lock codes (where supported). The number of categories and amount of displayed information depends on the device model and manufacturer. Tree item: Analyzed data. Description: The Analyzed Data tree item displays groups of analyzed data that are related to device-specific features, such as contacts, SMS messages, call logs, and so on. The available information and what is displayed depends on the device features, content, and application version. For example, SMS messages are categorized according to the folders used by the messaging feature of the device, such as Drafts, Inbox, Outbox, Sent, and so on. Email messages are categorized according to the account through which they were sent or received. An uncategorized folder contains messages that cannot be categorized in any of the found accounts or account folders (Inbox, Outbox, Drafts, and so on). The following information types may be displayed in Analyzed Data: Personal information Ca
15. in the report: Add a Total column to the report that displays the total number of items that were excluded from the report. Show extended deleted state: Include the state (Intact, Deleted, or Unknown) of deleted items in the generated report. When not selected, logs only the state of deleted items as Yes, and is left empty for other states. Number of lines for email preview: Set the maximum number of lines from each email message to appear in the report. Display full email body: Display the entire message body. Number of messages per chat: Set the maximum number of lines per chat message to appear in the report. Display all chat messages: Display all chat messages in the report. Split HTML report: Set each section of the report to start on a new page. 4. For PDF reports, set the following: Default folder: Enter the path to the folder where you want to save reports you generate for this report type. Select Default sorting to sort the items included in the generated report according to the default sorting set by Cellebrite for each of the Analyzed and Data file types, or clear Default sorting to sort the items according to the selected sorting field and the sorting order (ascending or descending) that was set by the user in each of the data display tables. [Chapter 12: Settings] Calculate SHA-2 256 bit hash and Calculate MD5 128 bit hash: Select which calculated MD5 and SHA256 hash keys to add to each Data Files item in t
16. item is selected, press the space bar to select or clear the check box, which indicates if the item should be included or excluded from the report. To select all items at once, check the box in the column header (table view and timeline) or check the Select all check box (thumbnail view). Sorting columns: Sort each column alphabetically or by time. Click the column header to toggle the order. Re-ordering the columns: For your convenience, you can change the order of the columns. Your preference is retained for the duration of the session. Drag the desired column to the desired location. Hide or show columns: Right-click the column header and select the column name in the list. Viewing more information: For data tabs containing textual information, by default the right pane is open, displaying the selected item's information. To close or open the right pane, click [icon]. Exporting data: 1. To export data in a particular tab, click the desired output in the toolbar: Excel, HTML, PDF, XML, KML (location data only), or EML (email data only). The Export Dialog Window appears. [Screenshot: Export dialog with File name, Save to, Report sub directory, and Include translations fields.] 2. Do one of the following: Enter the path where you want to save the report. Click [icon] and browse to and select the desired location.
17. Chapter 9 Generating a report: You can generate a report of the information in the project. UFED Logical Analyzer provides a report wizard to help you through the steps of creating a report. 1. Do one of the following: Select Report > Generate Report from the application menu. Click Generate Report in the Extraction Summary tab. Double-click Reports in the project tree. The Generate Report window appears. [Screenshot: Generate Report window, General page, with File name, Save to, Report sub directory, Project, Format, and Case Information fields (Case number, Case name, Evidence number, Examiner name, Department, Location, Notes).] 2. In the File Name, select the name for the new report you want to create. 3. In the Save to, select the folder in which you want all reports to be created. This folder can be used for all reporting, as each report will occupy a separate sub-folder. 4. In the Report sub directory, select a name for the folder where you want all selected reports to be created. The default is the current date and time. 5. In the Project, select the project or projects you want to include in this report. Only projects that are already opened in UFED Logical Analyzer are available for reporting.
18. of unique contacts based on type. c. XML and UFED Report package: There are no additional settings required for either of these reports. If the report formats requested only include XML and/or UFED report, then no further input is required. 13. Click Finish. NOTE: Finish is unavailable until all the required fields are filled. A yellow warning icon is displayed next to all required fields that are not yet complete. When the report is successfully generated, you are prompted to open the generated report file. The file opens using the application associated with the file format installed in the workstation. Once a report has been generated for the project, it can be accessed from the Reports section in the project tree. Double-click on any of the generated reports to open it in the associated application installed in the workstation. Right-click any of the generated reports to open the report file, or select Open containing folder to browse the files and folders of the report. Chapter 10 Performing extractions: 10.1 Performing advanced logical extraction: Perform an advanced logical extraction from UFED Logical Analyzer to extract more information than from logical extraction using the UFED unit. Perform an advanced logical extraction from the following devices: iPhone 2G, 3G, 3GS, 4, 4s, 5, 5s, 5c; iPad 1, 2, 3, 4, mini; iPod Touch 1G, 2G, 3G, 4G; iPo
19. that contains a list of keywords, which can then be used as watch list keywords. This option will import the keywords without any formatting and will look to find all data types by default. 1. In the main toolbar, click [icon]. The Watch List Editor appears. 2. Click [icon] and select Import. 3. Browse to the location where your watch list is saved, select the CSV file, and click Open. [Chapter 5: Locating and analyzing information] The watch list appears in the Watch List Editor. An example is displayed next. [Screenshot: Watch List Editor listing the imported entries with Entry, Value, Match case, Whole word, and Color columns.] 5.7.4 Exporting a watch list: Export watch lists to save the watch list as a csv file for later use or to share with others. 1. In the Watch List Editor, select the watch list that you want to export. 2. Click [icon]. [Screenshot: folder selection dialog.]
20. 2. To clear the log in the Trace window, click Clear. 3. To close the Trace window, click [icon]. The Trace window can be hidden or displayed. To pin the Trace window open, click [icon]. [Chapter 13: Reference] To unpin the Trace window, click [icon]. To view the Trace window when hidden, select or mouse over the tab. 13.3 Tools menu: Read Data from UFED: Enables data extraction directly to the computer. Watch List Editor: Opens the Watch List Editor, from where you can create, manage, and run your watch lists. See Working with watch lists (page 79). Malware Scanner: Opens the Malware Scanner sub-menu, from where you can run malware detection on your extraction and update the signature database. Translation: Downloads the translation pack from the Internet, installs the translation pack from a file, or displays the supported languages. See Translating decoded data (page 93). TomTom: Opens the TomTom sub-menu, from where you can export the TomTom extraction file and import the returned xml file. Settings: Access the application settings window. See Settings (page 143). Project Settings: Set unified time zone and case information for each project. See Setting project settings (page 169). 13.4 Extract menu: iOS Device Extraction: Starts iOS Device Extraction to perform extractions from iOS devices. See Performing advanced logical extraction (page 131). Extract GPS
21. Index: Using the advanced filter; Using the quick filter. V: View menus; Viewing image files; Viewing the trace window. W: Welcome tab; Working in data tabs; Working in the Project Tree area; Working with Project Analytics; Working with watch lists.
22. 12.3 Additional report fields: [Screenshot: Settings window, Additional Report Fields tab, with Add New and Restore default settings controls and sample fields (Examiner name, Department, Location).] Optional information is user-defined information presented at the beginning of the report. It usually includes information about the case, investigator, and organization details. Every optional information record consists of the following: Name: The name of the report field. Required: Indicates if the field must be filled in order to generate the report. Type: The types of entry (String or List). Default value: Default content. You can add new report fields and edit and delete fields as desired. 12.3.1 Adding a new report field: 1. Click Add New. A new row is added to the table. 2. In the Name column, enter the name (label) to be displayed. 3. Select Required if this field must be filled in order for the user to generate the report. 4. In the Type list, select one of the following: String, for text entry fields; List, for a specified list of options. 5. In the Default Value box, set the default content. [Chapter 12: Settings] For String type, type the default string. For a multi-line string, click [icon], enter the default string in the Option Editor, then click Save. [Screenshot: Option Editor dialog, "Edit the default value text".]
23. [Screenshot: details pane for a call log entry (Duration, Type, Country code, Network code, Source, Is video, Parties).] There are four tab types: Welcome tab; Extraction Summary tab; Data tabs, with sub-tabs that present a particular view depending on the data; Timeline tab. The data display area also displays additional windows such as the Trace window, Timeline view, and Watch list results. To close a tab, do one of the following: Click [icon] on the tab header. Click [icon] at the top right of the data display area. To jump to a specific tab: At the top right of the data display area, click [icon] and select the desired tab from the open tabs list. [Chapter 4: Orientation to the workspace] 4.2.1 Welcome tab: The Welcome tab is automatically displayed in the data display area when the application is launched, and displays a list of recently opened files. [Screenshot: Welcome tab listing recently opened files.] Each file in the list is displayed as a framed information group that contains the following items: Device picture: A thumbnail image of the device from the application resources, if available. When unavailable, a general placeholder image is used. Filename: The name
24. [Screenshot: folder listing containing the EvidenceCollection.ufdx file.] To associate camera and screenshot evidence with an extraction type: If you have multiple extraction types as well as camera evidence, the Associate evidence with project screen appears. [Screenshot: Associate evidence with project screen: "Please choose which project should be associated with the evidence".] Select the required extraction and click Associate. Chapter 12 Settings: The Settings window provides a set of functional and behavioral setup options used to fine-tune and control the functionality and usability of the application. The settings in the Settings window apply to all the projects open in UFED Logical Analyzer. NOTE: Changes to settings are lost when you close UFED Logical Analyzer. To save the settings configuration, see Saving settings (page 169). To access the Settings window, do one of the following: Select Tools > Settings. Click [icon]. The Settings window appears. 12.1 General settings: Set general application settings in the General Settings tab. [Screenshot: General Settings tab with Localization (Interface Language, Translation Language, Show translation by default, Always shift timestamps to this time zone), Export (Encoding, Separator), and Sessions options.] Suggest restoring a session file when its corresponding dump i
25. [Screenshot: Generate Report wizard, Dataset page, listing analyzed data types with item counts, the Examiner hash options (Calculate SHA-2 256 bit hash, Calculate MD5 128 bit hash), Include translations, and Analytics items.] a. Extraction: analyzed data and data files to be included in the report. b. Examiner: Calculate SHA-2 256 bit hash and Calculate MD5 128 bit hash: Select which calculated MD5 and SHA256 hash keys to add to each Data Files item in the generated report. This selection is for the whole report and applies to all projects within the report. TIP: To shorten the report generation process of large projects, do not select these options. c. Analytics: this section appears when there is Analytics available in the project. Select the relevant Analytics item(s) to include them in the report. 10. The security screen is presented. Password protection can be put on PDF, Word, and Excel reports. [Screenshot: Generate Report wizard, Security page, with Password and Confirm password fields and the Apply to options.]
26. 3. Browse to the location where you want to save your watch list and click Select Folder. 4. The watch list is exported. It will be saved by default as <name of watch list>.csv. 5.7.5 Deleting a watch list: 1. In the Watch List Editor, select the watch list that you want to delete. 2. Click [icon]. 3. Click Yes. The watch list is deleted. 5.7.6 Running a watch list: You can run watch lists on open projects. 5.7.6.1 Running a watch list on particular projects: When you run a watch list from the Watch List Editor, you can select which watch lists to run and on which projects you want to run them. 1. In the toolbar, click [icon] to open the Watch List Editor and select the watch list you want to run. 2. Click [icon]. A list of open projects appears. 3. Select the open project(s) that you want to run the search on. NOTE: A tick mark shows that the selected watch list is currently active for the project. 4. Click Apply. UFED Logical Analyzer searches for keywords in the selected project(s). When complete, the watch list results appear in the Watch Lists tree item. If the watch list is assigned to only particular information types (see Creating a watch list, page 80), only matches to those types appear in the watch list results. 5.7.6.2 Running a watch list on your curre
27. FED Logical Analyzer. For an overview of the workspace, see Orientation to the workspace (page 43). 3.2 Opening a file for analysis: UFED Logical Analyzer can open UFD files created by the UFED device with Logical modules, XML files created by the UFED Physical Analyzer, and UFDR files. 1. Do one of the following: in the Welcome tab, click Open; drag and drop the UFD file into UFED Logical Analyzer; from the application toolbar, click [icon]; or from the application menu, select File > Open. [Screenshot: Windows file selection dialog.] 2. Do one of the following: browse to the location of the file, select it and click Open; or drag and drop the file on UFED Logical Analyzer. The data analysis process begins and runs for several seconds. At the end of the process, a new project is added to the Project Tree and the Extraction summary appears in the data display area. 3.3 Extracting data to PC: 1. Do one of the following: Connect the UFED unit to your PC using a USB to mini-USB cable, utilizing the port marked PC located on the top of your UFED unit. Your PC may prompt you to install drivers; refer to the UFED Touch User Ma
28. Mass Storage Device: Reads and saves data from GPS and mass storage devices connected to the workstation via USB connection. 13.5 Report menu. Generate Report: Generates a report summary of all information found by the analysis process. See Generating a report. 13.6 Help menu. Supported Apps: Lists the supported applications and verified versions for Android and iOS devices. Manual: Opens the user manual in PDF format. Activate Online Bing Maps: Activates Bing maps so that you can view locations on a map. It requires Internet access and a valid UFED Logical Analyzer license. Start UFED Link Analysis Demo: Starts the UFED Link Analysis application. Show License Details: Displays the current soft or hardware dongle license information and enables you to: activate or load a new license (software or dongle); display information about previous dongles that were connected to this workstation; deactivate a soft license; get direct access via email to Cellebrite support and sales. Zip Log Files: Zips the log files and opens the folder where the zipped log files are saved. Zip Log Files With System Information: Zips the log files and includes detailed information about the operating system, drivers, application data, event logs, etc. This information can be used to analyze report cases. About: Provides information about the installed UFED Logical Analyzer version.
29. Ukrainian. 6.1 Using the feature: To use this feature, you need to do the following: update your license with the selected translation languages; download the translation pack; translate the decoded data. 6.2 Updating your license with the selected languages: You can select up to five languages for free from the My Products page in MyCellebrite. If additional languages are required, you can purchase the Basic Language Package. You cannot change a language after saving, but you can request additional languages. NOTE: If you want to translate to a language other than English, you should select it as well. After updating your product license with the selected languages, you can use the following procedure to review the languages included in the translation license. 6.2.1 Selecting languages in MyCellebrite: To select languages: 1. Log in to MyCellebrite and select the My Products tab. The following window appears. [Screenshot: Active Products list showing UFED Physical, Basic Languages, UFED Logical, UFED 4PC, UFED Logical Analyzer and UFED Phone Detective with their expiry dates.] 2. Select and click Select Languages. The following window appears. Device Languages f
30. Welcome Screen. Trace Window. Open a file for analysis using the standard analysis process. Displays a list of recent projects. Closes the currently active project. Saves the active project information generated by the user as a UFED Logical Analyzer session file (.pas). See Saving a project session. Loads a UFED Logical Analyzer session file (.pas) onto an open project in the project tree. Closes the UFED Logical Analyzer and all active sessions. Displays the Welcome tab. See Welcome tab (page 55). Show/hide the trace panel at the bottom of the data display area. 13.2.1 Viewing the trace window: Show the Trace window at the bottom of the data display area to view a log of the actions performed in your session by you or by UFED Logical Analyzer, such as plug-in activation. 1. In the View menu, select Trace Window. The Trace window appears below the data display area. [Screenshot: Trace window listing "Numeric file found" log entries.]
31. a software license to another PC 26; 2.1.5 Enabling connectivity with Windows Vista 27; Chapter 3 Getting started 29; 3.1 Start UFED Logical Analyzer 29; 3.2 Opening a file for analysis 30; 3.3 Extracting data to PC 32; 3.4 Saving a project session 39; 3.5 Loading a project session 40; 3.6 Closing a project 41; 3.7 Closing UFED Logical Analyzer 41; 3.8 Keyboard shortcuts 42; Chapter 4 Orientation to the workspace 43; 4.1 Project tree 44; 4.1.1 Working in the project tree area 52; 4.2 Data display area 53; 4.2.1 Welcome tab 55; 4.2.2 Extraction summary tab 57; 4.2.3 Data tabs 59; 4.3 Viewing image files 67; 4.4 Playing video files 68; Chapter 5 Locating and analyzing information 69; 5.1 Searching for information in a data tab 69; 5.2 Using the quick filter 69; 5.3 Using the advanced filter 72; 5.4 Searching for information in all open projects 73; 5.5 Timeline view 74; 5.6 Accessing
32. a files item in Project tree (page 44). The entity bookmarks you create are managed in the Entity Bookmarks tree item. The number of entity bookmarks in the project is shown in brackets next to the section name. Double-click Entity Bookmarks to list the entity bookmarks in a tab in the data display area. Selected entity bookmarks are included in reports that you generate. Double-click any entity bookmark to go to the bookmarked item in the appropriate display tab. For example, double-click an entity bookmark to an SMS message to open the list of SMS messages in an Analyzed Data display tab with the bookmarked item highlighted. Hover over a [icon] to display the bookmark name and description. To print or export just the entity bookmarks list, click the desired output in the Entity Bookmarks tab toolbar: Excel, HTML, PDF or XML. 5.8.1 Creating a new entity bookmark: Entity bookmarks can be added to items in Table view. 1. Select the item you want to bookmark. 2. Click [icon]. The Add/Edit Bookmark dialog box appears. [Screenshot: Add/Edit Bookmark dialog with the fields Name, Description, Type and Created.] 3. Enter a name and a description to the new entity bookmark, then click OK. A new entity bookmark pointing to the selected item is added to the entity bookmarks list of the project. The bookmarked item record is mark
33. access time stamp of the data file. Bookmark Note Details of the bookmark. In addition, indicators are displayed to show attachments, indicate video calls and to show event direction. 4.2.3.4 Table view for analyzed data: For analyzed data, table view tabs display a list of all the events of a specific type (Call Log, Contacts, SMS messages and so on) that were found during the data analysis process. [Screenshot: Call Log table view with the columns Parties, Timestamp, Duration, Type, Country code, Network code, Source and Is video.] 4.3 Viewing image files: 1. Double-click an image in a data display tab. A new tab opens containing the image. The tab is divided into two sub-tabs: Image view and File Info. [Screenshot: image tab opened next to the Welcome, Extraction Summary and Call Log tabs.] 2. In the Image view tab, use the image controls: [icon] When the image is enlarged, navigate the image. [icon] Rotate image clockwise and anti-clockwise.
34. ad the definitions.msd file. When you download the definitions.msd file to this computer in the future, the Malware Definitions Downloader updates the file instead of downloading the entire file. Make sure that you do not delete the definitions.msd file from this computer. 9. In UFED Physical Analyzer, select Tools > Malware Scanner > Update signature database. [Screenshot: Update Malware Signature Database dialog: "You must install the signature database before using the malware scanning for the first time. Click Update from server to update it from the network. Click Update from file if you already downloaded the database.", with the buttons Update from server and Update from file.] 10. Click Update from file. [Screenshot: Windows file selection dialog.] 11. Browse to the malware definitions database file (.msd) and click Open. 12. Click Start. The database is populated. [Screenshot: Update Malware Signature Database dialog showing "Update finished".] 13. Click Close. You can now scan the project for malware.
35. after the logo image. Show totals for items not in the report: Add a Total column to the report that displays the total number of items that were excluded from the report. Show extended deleted state: Include the state (Intact, Deleted or Unknown) of deleted items in the generated report. When not selected, logs only the state of deleted items as Yes and is left empty for other states. Number of lines for email preview: Set the maximum number of lines from each email message to appear in the report. The report includes links to text files containing the entire email. Display full email body: Set to display the entire message body. Number of messages per chat: Set the maximum number of lines per chat message to appear in the report. Display all chat messages: Display all chat messages in the report. 7. For XML reports, set the following: Default folder: enter the path to the folder where you want to save reports you generate for this report type. Select Default sorting to sort the items included in the generated report according to the default sorting set by Cellebrite for each of the Analyzed and Data file types, or clear Default sorting to sort the items according to the selected sorting field and the sorting order (ascending or descending) that was set by the user in each of the data display tables. Calculate SHA-2 (256 bit) hash and Calculate MD5 (128 bit) hash: Select which
36. ails. [Screenshot: Cellebrite Product Licensing window with Load license file, Deactivate software license, Computer ID, Help and Sales.] 9. In MyCellebrite, paste the copied Computer ID. 10. Click Download Now to download your application license key to your PC. The license key will also be sent to your registered MyCellebrite email address. 11. In the application, click Load license file in the Cellebrite Product Licensing window. 12. Select the License file and click Open. A message appears to indicate that the software license was updated successfully. [Screenshot: "Your software license has been successfully updated."] 13. Click Close. Congratulations, your application is now ready. 2.1.3.4 Using a network dongle: The Network dongle is connected to your organization's network and contains licenses for all the applications purchased. To use UFED Logical Analyzer with a network dongle: 14. Start the UFED application. If the network dongle is connected to the network, the application starts and the user can start working immediately. If the network dongle is not recognized, the Cellebrite Product Licensing window appears. [Screenshot: Cellebrite Product Licensing window with License source, Network, Dongle license details and Show dongle log.]
37. al Analyzer Setup Wizard. [Screenshot: "Setup has finished installing UFED Logical Analyzer on your computer. The application may be launched by selecting the installed icons. Click Finish to exit Setup.", with the option Launch UFED Logical Analyzer.] 10. If you intend to activate the application using a hardware license key (dongle) provided by Cellebrite, select Install Hasp Dongle Drivers. NOTE: You must have administrative rights to install the HASP dongle drivers. 11. To start UFED Logical Analyzer at the end of the installation, select Launch UFED Logical Analyzer. 12. Click Finish. 2.1.3 Activating UFED Logical Analyzer: Activate UFED Logical Analyzer in one of the following ways: using a license dongle; using a software license; using a network dongle. 2.1.3.1 New version notification: Cellebrite will inform you when a newer version of your software is available. If you are connected to the internet, you will receive this notification when the new version is available. If you are not connected to the internet, the notification will appear every 3 months. 2.1.3.2 Using a license dongle: Use the UFED dongle provided with your UFED kit. The dongle contains licenses for all the applications purchased. To use UFED Logical Analyzer with a dongle: 1. Connect the dongle to a USB port on your computer. The license is aut
38. alyzer and follow the license activation steps. For more information, see Activating UFED Logical Analyzer (page 19). 2.1.5 Enabling connectivity with Windows Vista: Perform the following procedure to enable the UFED unit to connect to PCs running the Windows Vista operating system. 1. Go to the Cellebrite Physical Analyzer Drivers cbrtucbl folder. 2. Double-click USB_Cable_DRV.exe. 3. Follow the on-screen instructions. Chapter 3: Getting started. UFED Logical Analyzer provides powerful presentation and analysis tools for the extracted device data and simplifies the task of navigating through the device's data types. UFED Logical Analyzer assists you in the complex tasks of intelligence gathering, investigative research and providing legal evidence in the form of reports. The application is designed to utilize the UFED unit's logical extraction in a clear and concise way, enabling investigators to use powerful search tools to parse and decode relevant information. As a completing step, the application enables you to generate reports of your findings and export them in various file formats such as UFDR, HTML, PDF, Excel (xlsx) and XML. 3.1 Start UFED Logical Analyzer: To start UFED Logical Analyzer, do one of the following: double-click the UFED Logical Analyzer desktop shortcut; select Start > Programs > Cellebrite Mobile Synchronization > U
39. alyzer installation that has been activated by a software license needs to be moved to another PC, you must first deactivate (remove) the license from the computer. 1. In UFED Logical Analyzer, go to Help > Show License Details. The Cellebrite Product Licensing window appears. 2. Click Deactivate software license. The Software License Deactivation window appears. 3. Click Copy to copy the computer ID. 4. Go to http://my.cellebrite.com/deactivation and log in to your MyCellebrite account. If you do not have an account, click Register now and create a user. Then return to http://my.cellebrite.com/deactivation. You are directed to the Deactivation wizard. 5. Paste the copied computer ID and click Next. 6. Click Download and download the deactivation file to your computer. 7. In UFED Logical Analyzer, go to Help > Show License Details. 8. Click Select Deactivation File and select the deactivation file that you downloaded in step 6. Your license is deactivated and UFED Logical Analyzer creates a deactivation file. The Software License Deactivation window informs you that the deactivation file has been created. 9. Return to the Deactivation wizard in http://my.cellebrite.com/deactivation. 10. Click Choose File and upload the deactivation file created by UFED Logical Analyzer. 11. Click Finish. 12. To get your new UFED Logical Analyzer license, go to http://my.cellebrite.com/logicalan
40. calculated MD5 and SHA256 hash keys to add to each Data Files item in the generated report. Do not select these options to shorten the report generation process of large projects. Include translations: Select to include any translated text in the report. 12.5 Saving settings: Save your settings to reuse later or to share with another user. 1. In the Settings window, click Save Configuration. 2. In the Save As window, browse to the location where you want to save your settings configuration and click Save. The settings are saved as a UFED Logical Analyzer Settings Configuration File (.cnf). 12.6 Loading settings: Load your saved settings configuration. 1. In the Settings window, click Load Configuration. 2. In the Open window, browse to the location where your settings configuration is saved, select the configuration (.cnf) and click Open. The settings are applied in the Settings window. 12.7 Setting project settings: Set unified time zone and case information for each project. 12.7.1 Setting a unified time zone for the project: During extraction, one time stamp per event is extracted. For outgoing events, the time stamp is typically taken from one of the following sources: User-defined device time: where the device time has been manually set by the user, timestamps are displayed without the unified time (UTC). Network-defined device t
41. ce owner's PC. In order to use the plist option, run as administrator. 4. Choose a Method of Advanced Logical extraction. Depending on whether the device is jailbroken and/or encrypted, different methods of extraction are made available. a. Method 1: Extraction of a rich set of data including SMSs, MMSs, application data and locations. Call logs, email body and attachments are not extracted. Extended extraction time. b. Method 2: Extraction of a set of data including call logs, SMSs, MMSs, application data and locations. This decoding process may require entering the iTunes backup password. c. Method 3: Extraction of the richest set of data including call logs, SMSs, MMSs, emails, application data and locations. In addition, the application indicates a specific recommended method per iTunes backup configuration and jailbroken status. For a jailbroken iOS device, this screen is displayed: [Screenshot: iOS Advanced Logical, Choose an extraction method (Connect > Prepare > Extract data).] The device (iPad with iOS 4.3.3) is Jailbroken. A rich set of data can be extracted. Method 1: Extraction of a rich set of data including SMSs, MMSs, applications data and locations. Call logs are not extracted. Extended extraction time. Method 2: Extraction of a set of data including call logs, SMSs, MMSs, applications data and locations. Extraction of the richest set of da
42. [Screenshot: Daylight Saving Time table; the list begins mid-entry.] ch 27 2011, March 28 2010, March 29 2009, March 30 2008. End: October 28 2018, October 29 2017, October 30 2016, October 25 2015, October 26 2014, October 27 2013, October 28 2012, October 30 2011, October 31 2010, October 25 2009, October 26 2008. 3. To change the start and end dates for daylight saving time, click Daylight Saving Time. a. For the year that you want to change, use the calendar to select the start and end dates, or edit the dates directly. You can use the [icon] button to remove certain years. b. Click Back to last saved data to reset the table to the last time that you saved the data, click Back to original data to return the table to its default settings, or click Save to save the table with any changes that you made. 4. Click OK. The project is recalculated according to the selected unified time zone and the new time zone is applied to the network-defined time stamps. Time stamps of events displayed in UFED Logical Analyzer windows and any subsequently generated reports reflect the selected unified time zone. 12.7.2 Setting the case information: Case information settings are saved with the project. The case number appears with the extraction information on the Welcome tab. 1. Do one of
43. d Nano 5G. 10.1.1 Performing advanced logical extraction: 1. Select Extract > iOS Device Extraction or click [icon] to start iOS Device Extraction. 2. Click Advanced Logical extraction. [Screenshot: iOS Device Data Extraction Wizard, Choose an extraction type: Advanced Logical extraction, Physical mode.] 3. Follow the displayed instructions to power on the iOS device and connect the device to your computer, then click Next. [Screenshot: Connect > Prepare > Extract data: "Make sure the device is on. Connect the device to your computer."] NOTE: If the connected device is not recognized, disconnect the device and reconnect it to a USB port at the rear of the PC. If the iOS device is locked, the Locked Device screen is displayed. If the plist file for the locked device is available from the device owner's PC, then this plist file can be loaded in the Locked Device screen, and then click Retry. If the device is locked and no plist file is available, then click Close. NOTE: To use the plist file, you need to run the UFED application as an administrator. [Screenshot: Connect > Prepare > Extract data.] The iOS device is locked. To extract from this device, you must either unlock the device or load the plist file, then click Retry. The plist file may be available in the lockdown folder of the devi
44. 10. Make sure that the media types that you want to include in the extraction are marked with [icon]. To cancel the extraction of a particular multimedia type, click [icon] on the multimedia name. 11. Click OK. The extraction process continues. When complete, the Phone Extraction Summary window appears on the UFED Touch unit. On the PC, in UFED Logical Analyzer, the following message appears: "Extraction completed. Would you like to open the extraction?" 12. Click Yes. The extraction opens in UFED Logical Analyzer and the Extraction Summary screen is displayed. 3.4 Saving a project session: Save the project session to save your work on the project, enabling you to close UFED Logical Analyzer and restart your session at a later time. The saved session file (.pas) includes: user selection in the Analyzed Data and Data Files tables; entity bookmarks; watch list results; opened tabs; generated reports; unified time zone settings; Case Information settings. A project session can also be created for extractions performed by third-party tools. NOTE: Saved project sessions do not contain defined settings. For more information on how to save your settings, see Saving settings (page 169). To save a project session: 1. In the File menu, select Save Project Session. The Save As dialog box appears. 2
45. e (online): Update the signature database before the first time you use the malware scanner in order to populate the database, and thereafter in order to keep the signature database up to date. NOTE: Once the signature database is populated, you can run the malware scanner using the existing database. It is strongly recommended that you update the signature database on a regular basis in order to keep it current. 1. In the Tools menu, select Malware Scanner > Update signature database. [Screenshot: update dialog: "Update from web: Click Update from web if you are connected to the Internet. Update from file: Click Update from file after you downloaded the signature database. For more information click here.", with an Installation progress bar and the buttons Update from web and Update from file.] 2. Click Update from server. The database is populated. [Screenshot: Update Malware Signature Database dialog showing "Update finished".] 3. Click Close. You can now scan the project for malware. 8.2 Updating the signature database from file (offline): Update the signature database from file when you are working on a computer that does not have an internet connection. NOTE: Once the signature database is populated, you can run the malware scanner using the existing database. It is strongly recommended that you update the signature database on a regular basis in order to keep it current. 1. In Windows Explore
46. A: Activating UFED Logical Analyzer 19 27; Adding a new data file type 154; Adding a new report field 158 160; Additional report fields 123 157. B: Bookmarking information 90; Bookmarking information 50. C: Closing a project 41; Closing UFED Logical Analyzer 41; Conversation view 77; Cover Page > 1; Creating a new entity bookmark 91; Creating a watch list 80 88 89. D: Data display area 53; Data files 59 151; Data files filtering methods 153; Data tabs 59; Daylight saving time 149; Deleting a data file type 156; Deleting a report field 160; Deleting a watch list 87; Deleting an entity bookmark 92; Dongle 20. E: Editing a report field 160; Editing a watch list 83; Editing an entity bookmark 92; Editing an existing data file record 156; Enabling connectivity with Windows Vista 27; Exporting a watch list 85; Extract menu 180; Extracting Data to PC 32; Extraction from iOS devices 180; Extraction summary tab 44 57. F: File menus 177. G: General settings 148; Generating a Report (Report Wizard) 119; Getting started 29. H: Help menu 181. I: Image capture 143; Importing a watch list 84; Installation and Activation 9; Installing UFED Logical Analyzer 10 12; Introduction 7. L: Launching UFED Logical Analyzer 29; Loading a project session 40; Loading settings 169; Locating and analyzing infor
47. ed with a [icon]. 5.8.2 Editing an entity bookmark: 1. Select one of the following: an entity bookmark record from the list of Entity Bookmarks in the project tree, or a bookmarked item marked with [icon]. 2. Click [icon] in the Table view toolbar. The Add/Edit Bookmark dialog box appears. 3. Edit the name or description, then click OK. 5.8.3 Deleting an entity bookmark: 1. Select one of the following: an entity bookmark record from the list of Entity Bookmarks in the project tree, or a bookmarked item marked with [icon]. 2. Click [icon] in the Table view toolbar. The bookmark is deleted. Chapter 6: Translating decoded data. Translate the content in your extractions that are in foreign languages without having to wait for a translator to become available or to use Internet-based tools. The Translation feature enables you to translate decoded data on demand so that an investigator can understand the information available in an extraction. The Translation feature is an offline translation solution where you do not need to be connected to the Internet. You can select single, multiple or all table entries for translation. Both the original and the translated text can be included in the report. The lists of supported languages are as follows: Chinese Simplified, Japanese (requires additional payment), Chinese Traditional, Korean, Dutch, Polish, German, Portuguese, Hebrew, Russian, Italian, Spanish, French
48. el and iOS version. Method 1: Extraction of a rich set of data including call logs, SMSs, MMSs, applications data, data files and notes. The decoding process will require the password for iTunes backup. Method 2: Extraction of a rich set of data including SMSs, MMSs, applications data and data files. Some data types are not extracted (More info). Extended extraction time. Recommended if the password is unknown. For a non-jailbroken, non-encrypted iOS, this screen is displayed: [Screenshot: iOS Advanced Logical, Choose an extraction method (Connect > Prepare > Extract data).] The iTunes backup of this device (iPhone with iOS 7.0.4) is not encrypted. The data extracted by each method will vary based on the device model and iOS version. Extraction of a rich set of data including call logs, SMSs, MMSs, applications data, data files and notes. Recommended. Extraction of a rich set of data including SMSs, MMSs, applications data and data files. Some data types are not extracted (More info). Extended extraction time. NOTE: The extraction time will depend on the amount of data on the iOS device and on the method chosen. A Method 2 extraction from a heavily used device could take several HOURS to complete. 5. Choose the location to save the extracted data. Ensure that there is enough disk space on y
49. eos. Double-click Timeline to open the device events organized by time in the data display area. The Timeline tab displays the device's time-stamped events, such as calls, SMS, MMS and so on, in a sequential view. Tree item: Watch lists. Description: Watch lists are lists of keywords that you create and then use to search and identify events and items of interest in the extracted data. Expand Watch lists to see a list of watch lists that have been run in the current session. For more information, see Working with watch lists (page 79). Tree item: Entity bookmarks. Description: The entity bookmarks you create are managed in the Entity Bookmarks section of the project tree. The number of entity bookmarks in the project is shown in brackets next to the section name. Double-click Entity Bookmarks to list the entity bookmarks in a tab in the data display area. Double-click any entity bookmark to go to the bookmarked item in the appropriate display tab. For example, double-click an entity bookmark to an SMS message to open the list of SMS messages in an Analyzed Data display tab with the bookmarked item highlighted. For more information, see Bookmarking information: entity bookmarks (page 90). Tree item: Reports, Project Analytics. Description: To open a report that
50. extracted data. Click the EvidenceCollection.ufdx file. The Camera Evidence (pictures and videos), Phone Evidence (screenshots) and the extracted data are imported into UFED Logical Analyzer as a single project. The evidence includes Phone Evidence and Camera Evidence, as well as categories, entity bookmarks and notes that were added during the extraction. An example is displayed next. (Screenshot: project tree with Analyzed Data, Data Files, Camera Evidence, Phone Evidence, Timeline, Malware Scanner, Project Analytics, Entity Bookmarks and Reports items.) NOTE: Drag and drop the EvidenceCollection.ufdx file into UFED Logical Analyzer to open multiple extractions which were performed for a particular device. That is, all extractions in the folder will be opened. Each extraction (.ufd file) in the folder can also be opened individually. An example folder with multiple extractions and a UFDX file is displayed next. (Screenshot: folder listing with CaptureScreenshots, FileSystemDump, Physical and UFED extraction folders for a Samsung GSM GT i5510M Galaxy, dated 2014_08_27.)
51. gram, select it from the list and then click Uninstall, Change, or Repair. To view the translation pack version number: Click Help > About. The following screen appears. (Screenshot: About screen showing UFED Logical Analyzer Version 4.0.0.148, Copyright Cellebrite 2014, Translation pack version 1.0.0.0.) 6.2.3 Translating the decoded data. By default, the target language is set to the same language as the interface language. If required, you can change the target language to a different language. To change the translation language: 1. Select Tools > Settings. The following screen appears. (Screenshot: Settings, Localization, with Interface Language, Translation Language, Show translation by default, Always shift timestamps to this time zone and Daylight Saving Time.) 2. Select the translation language, that is, the language to which you want to translate the text. You can only select one target language. To request additional translation languages, select Get more languages. 3. Select the Show translation language by default check box to display translations by default. Clear this check b
52. h of the Analyzed and Data file types, or clear Default sorting to sort the items according to the selected sorting field and the sorting order (ascending or descending) that was set by the user in each of the data display tables. Calculate SHA-2 (256 bit) hash and Calculate MD5 (128 bit) hash: Select which calculated MD5 and SHA256 hash keys to add to each Data Files item in the generated report. Do not select these options to shorten the report generation process of large projects. Include translations: Select to include any translated text in the report. Disable models categorization: Select to disable the separation and generate a report in which every data item is generated as a single section without subcategory separation. By default, a categorized report, in which each category in the data items group is generated as a separate section in the report, is generated. For example, when generating a report with SMS, select the check box to generate the SMS messages as a single list, or clear the check box to break it into a separate list for each category of SMS messages (Inbox, Outbox, Drafts, etc.). Logo Header: Enter and format custom text to appear in the report header before the logo image. Logo: Click Select Image File to add the logo image to appear in the report header. Supported file formats are BMP, JPG, GIF and PNG. Logo Footer: Enter and format custom text to appear in the report footer
53. has already been generated for the project: Double-click the report in the Reports tree item. The report opens in the application associated with the report format. If no reports have been generated for the project, double-click the Reports tree item to open the Generate Report dialog box. For more information on generating a report, see Generating a report. The Project Analytics tree item provides you with a comparative analysis overview. You can open an Activity Analytics tab showing an overview of all device activity, as well as tabs that each focus on the phone, email, WhatsApp, Skype, Gmail and BlackBerry Messenger activities. For more information, see Setting project settings (page 169). 4.1.1 Working in the project tree area. Open the tree items to drill down and locate specific information. Click to expand or to collapse tree items. Double-click a tree item to open detailed information in the data display area. Click [icon] at the top of the project tree to expand all the items in the tree. Click [icon] at the top of the project tree to collapse all the items in the tree. 4.2 Data display area. Double-click an item to display it in a tab. A new tab is opened for each item. (Screenshot: data display area with Welcome, Extraction Summary, Call Log and SMS Messages tabs.)
54. he desired separator in the Separator list. To set UFED Logical Analyzer to automatically verify images on project load: Select Automatically verify images on project load. To have UFED Logical Analyzer offer to load a session when opening its corresponding extraction: Select Suggest restoring a session file when its corresponding dump is loaded. To select all entities in all views by default: Select Check all entities by default. Selected entities are included in reports that you generate. To determine the number of digits required for phone number uniqueness: In the Analytics area, select the desired number of digits from the Number of digits to determine phone number uniqueness. 12.2 Data files. (Screenshot: Data Files settings listing groups with their Extensions and Signature filter values, for example jpg, jpeg, gif, png, bmp.) The Data Files settings determine the different file and tagging groups under the Data Files and Tags tree items, and the types of files filtered in each group. Every data file record contains the following settings. Active: Indicates whether to display (checked) or hide (unchecked) this group of data files in the project tree. Description: A descriptive name for the type of data files, to be used as the group name under the Data files tree ite
55. he generated report. Do not select these options to shorten the report generation process of large projects. Include translations: Select to include any translated text in the report. Disable models categorization: Select to disable the separation and generate a report in which every data item is generated as a single section without subcategory separation. By default, a categorized report, in which each category in the data items group is generated as a separate section in the report, is generated. For example, when generating a report with SMS, select the check box to generate the SMS messages as a single list, or clear the check box to break it into a separate list for each category of SMS messages (Inbox, Outbox, Drafts, etc.). Logo Header: Enter and format custom text to appear in the report header before the logo image. Logo: Click Select Image File to add the logo image to appear in the report header. Supported file formats are BMP, JPG, GIF and PNG. Logo Footer: Enter and format custom text to appear in the report footer after the logo image. Show totals for items not in the report: Add a Total column to the report that displays the total number of items that were excluded from the report. Show extended deleted state: Include the state (Intact, Deleted or Unknown) of deleted items in the generated report. When not selected, logs only the state of deleted items as Yes and is left empty for other states.
56. Click to group or ungroup the events by date. In graphic view, the events are displayed in a graph, enabling you to quickly identify activity spikes that may be of interest. (Screenshot: Timeline tab in graphic view.) To scroll forwards and backwards in the timeline, use the [icon] and [icon] buttons. You can increase or decrease the level of detail in the Timeline Graph View. To increase the time resolution, click [icon]. To decrease the time resolution, click [icon]. Events that occur within close proximity are flagged in groups. Click to open another timeline view tab for the group of events. 5.6 Accessing conversation view. Communication-based data, such as call logs, email, SMS and MMS messages and so on, can be displayed in a conversation view layout for easier and better tracking over the communication between two or more parties. You can search for messages within a chat, select the messages to include within a report (by default, all chat messages are included), print or export the conversation. To access and use conversation view: 1. In a communication-based data table, select one of the records. 2. Click
57. ime, where the device time is automatically set by the network; timestamps are displayed with the unified time (UTC). For incoming events, the time stamp is typically taken from the network-defined time (the time stamp assigned by the network); timestamps are displayed with the unified time (UTC). Network-defined time stamps are subject to the time zones in which the event occurred. Apply a unified time zone to the project to recalculate all network-defined time stamps according to the selected time zone, in order to consolidate the events and view them sequentially in UFED Logical Analyzer. To apply a unified time zone to the project: 1. Do one of the following: In the project Extraction Summary tab, click Project settings. Click Time zone. 2. From the Time zone settings (UTC) list, select: Original UTC value, to show time stamps as recorded without unification. One of the time zones (UTC-12:00 to UTC+13:00), to recalculate network-defined time stamps according to the time zone offset. NOTE: User-defined time stamps are not included in these recalculations and are displayed as recorded. (Screenshot: Daylight Saving Time start dates for the London time zone.)
58. ith a list of the languages. The translated content appears below the original text under the heading Translation. For more information on reports, see Generating a report on page 119. To include the translated text in reports: 1. Go to Tools > Settings > General Settings > Report Defaults. 2. Select the Include translation check box. To include translated text in exports: 1. Click an Export option. 2. Select the Include translation check box. Chapter 7 Working with project analytics. Project Analytics enables you to view the extraction data in terms of the number of communication events between the device and other parties (identified by phone number or other user identity, such as email address, Skype handle and so on). The analysis enables you to easily and efficiently identify communication patterns between the device and other parties. For example: Parties most communicated with via all types of communication methods. Parties most commu
59. lear Default sorting to sort the items according to the selected sorting field and the sorting order (ascending or descending) that was set by the user in each of the data display tables. Calculate SHA-2 (256 bit) hash and Calculate MD5 (128 bit) hash: Select which calculated MD5 and SHA256 hash keys to add to each Data Files item in the generated report. Do not select these options to shorten the report generation process of large projects. Include translations: Select to include any translated text in the report. Unprintable characters placeholder: Set the placeholder character to replace the unprintable characters. Output File Format: Set the output file format of the spreadsheet file to either XLSX (the current Excel file format), XLS (the legacy file format of Excel) or ODS (the spreadsheet file format of OpenOffice). The excel report is compatible with OpenOffice: Select to ensure the Excel report can be opened in OpenOffice. Generate Contact Identification Data: Select to add a sheet to the Excel report that provides a list of unique contacts based on type. 3. For HTML reports, set the following. Default folder: Enter the path to the folder where you want to save reports you generate for this report type. Select Default sorting to sort the items included in the generated report according to the default sorting set by Cellebrite for each of the Analyzed and Data file types, or clear Default sor
60. Number of lines for email preview: Set the maximum number of lines from each email message to appear in the report. Display full email body: Display the entire message body. Number of messages per chat: Set the maximum number of lines per chat message to appear in the report. Display all chat messages: Display all chat messages in the report. 5. For UFED report packages, set the following. Default folder: Enter the path to the folder where you want to save reports you generate for this report type. Select Default sorting to sort the items included in the generated report according to the default sorting set by Cellebrite for each of the Analyzed and Data file types, or clear Default sorting to sort the items according to the selected sorting field and the sorting order (ascending or descending) that was set by the user in each of the data display tables. Calculate SHA-2 (256 bit) hash and Calculate MD5 (128 bit) hash: Select which calculated MD5 and SHA256 hash keys to add to each Data Files item in the generated report. Do not select these options to shorten the report generation process of large projects. 6. For Word reports, set the following. Default folder: Enter the path to the folder where you want to save reports you generate for this report type. Select Default sorting to sort the items included in the generated report according to the default sorting set by Cellebrite for eac
61. lendar, contacts, notes, call log, user dictionaries, user accounts. Messaging items: SMS, MMS, email, instant messages, chat. The number in parentheses designates the number of items each category contains. Tree item: Data files. Description: The Data files tree item sorts the extracted data into common or known file formats used by devices and computers, such as images, videos, audio or text files. In the Project Tree, the information is displayed in the following categories. Images: Files that were recognized as image file formats. Videos: Files that were recognized as video file formats. Audio: Files that were recognized as audio file formats. Text: Files that were recognized as text file formats. Databases: Data structures that were recognized as databases. Applications: Files that were recognized as application files, such as apk, jar, dex, so, exe files, etc. Documents: Files that were recognized as document file formats, such as doc, docx, pdf, xlsx, ppt files, etc. You can create additional data file groups. For more information, see Managing data files settings (page 154). Tree items: Tags, Timeline. Description: Certain file types are identified and tagged in the extracted data. There are eight default tags: Applications, Audio, Configurations, Databases, Documents, Images, Text and Vid
62. low. (Screenshot: UFED Logical Analyzer workspace showing the project tree and the Extraction Summary tab for an iPhone 2G 3G 3GS extraction.) The workspace contains the following components: 1. Application menu bar. 2. Application toolbar. 3. Project tree. 4. Data display area. 5. All projects search. 4.1 Project tree. The Project Tree area displays the following extracted information structure of each project opened for analysis. Tree item, Description: Extraction
63. lowing screen appears. (Screenshot: licensing window showing Dongle License Details and Software License Details.) 6.2.2 Downloading the translation pack. You can download the Translation pack from the application or from your my.cellebrite.com account. The Translation pack includes a version number, which enables you to track the version installed on the computer. To download the translation pack: 1. Select Tools > Translation. 2. Select one of the following options. Download translation pack: Downloads the translation pack (this option is not available if there is no Internet connection). Install translation pack from file: Installs the translation pack from a file. Select this option if there is no Internet connection. 3. Follow the on-screen instructions to install the Translation pack. NOTE: To uninstall the Translation pack, go to the Windows Uninstall page and select the Language Translation Package (Publisher: Cellebrite Mobile Synchronization) from the list. Uninstall or change a program. To uninstall a pro
64. m. Extensions: The file extensions to be used to filter the data files of this group. Signature filter: The header and/or footer signatures to be used to filter the data files of this group. Tag As: The tag name to be applied to the data file and used to list the files under Tags in the project tree. 12.2.1 Data files filtering methods. Groups can be filtered using one or more of the following methods. Signature filter: A signature filter is a definition of the file header and/or footer to be searched in order to detect a file type and associate it with a specific Data File group. The header and/or footer can be configured in a defined range from the beginning and end of the file, respectively, by using the offset parameter. For example, a JPEG image starts with the header FF D8 FF and ends with the footer FF D9. Entering this information in the Header and Footer fields of the signature creates a signature that identifies JPEG images. Extension filter: An extension filter is a list of common file extensions that are associated with file formats that belong to the specific data file group. For example, the different image file formats can be filtered by the file extensions jpg, jpeg, gif, png or bmp. 12.2.2 Managing data files settings. Add new types of data files, and edit and delete existing data file types. 12.2.2.1 Adding a new data file ty
65. mation 69. M: Managing data files settings 47, 154; Moving the software license 26. N: Network dongle 24; New version notification 19. O: Obtaining a copy of UFED Logical Analyzer 11; Opening a file for analysis 30; Orientation to the workspace 29, 43. P: Performing advanced logical extraction 131, 132; Performing extractions 131; Playing video or audio files 68; Project tree 44, 58, 59, 90. R: Reference 177; Report defaults 123, 161; Report menu 180; Running a watch list 88; Running a watch list on particular projects 88; Running a watch list on your current project 89. S: Saving a project session 39; Saving settings 39, 147, 169; Scanning for malware 109; screenshots 143; Searching for information in a data tab 69; Searching for information in all open projects 73; Selecting languages 95; Setting a unified time zone for the project 170; Setting project settings 51, 169, 179; Setting the case information 123, 173; Settings 147, 179; Shortcuts 42; Software installation 11; Software license 21; System requirements 10. T: Table view for analyzed data 66; Table view for data files 64; Text view 63; Timeline view 74; Tools menu 179; Translating decoded data 93. U: ufdx file 145, 146; Updating the signature database online 109, 110; Updating the signature database from file offline e
66. n such as images, videos, audio and text files. See Data files (page 151). To display the relevant information in a new tab in the data display area: Click any of the tree items. 4.2.3 Data tabs. Data tabs show files of a specific type, such as call log, contacts, SMS messages and so on. Each type of data file has several data display modes. Image files: Image View and File Info. Video files: File Info. Audio files: File Info. Text files: File Info. Databases: Database View and File Info. Document files: File Info. Data tabs display the data in a variety of sub-tabs, depending on the data type. Text view: View text files as text. Table view: A list of all the files of a specific type (images, videos, audio, text and so on) that were found during the data analysis process. Folder view: View the folder structure of the data file paths in the reconstructed file system (for data files only). Image view: View the image. See Viewing image files (page 67). Thumbnail view: View images by thumbnail (for images only). File Info: View information about the file. 4.2.3.1 Working in data tabs. Selecting items: Select items in the data display area to include them in any report you generate. By default, all items are selected. To select multiple items, hold the SHIFT or CTRL keys (consecutive and nonconsecutive selection). When an
67. n that extraction in a tab in the data display area. Select Show All from the top of the quick results list to display a results tab in the data display area listing all the matching search results. The matching string in each item is colored in red. As in the quick results list, the results tab lists the results by type. 5.5 Timeline view. Timeline view is a powerful tool that enables you to analyze data in chronological order to identify the order of events and make connections between them. Timeline view has two views: table and graphic. In table view, the events are displayed in a table organized by date and time. (Screenshot: Timeline tab in table view, listing events by timestamp.)
68. nalyzer 2. Sign into your MyCellebrite account. If you don't have an account, click Register now, create a user, and then go back to the required UFED application link. You will be directed to the product activation window. 3. Click to download the application and save the file to a PC. 4. Extract the zip file, click the installation file, and install the software using the Setup Wizard. Restart the PC if required. 5. Repeat step 1 to go to the application link. 6. In the Activation method box, if you purchased UFED 4PC, select Activation code, or if you purchased UFED Touch, select UFED Touch/UFED Classic. 7. Depending on the product you purchased, continue as follows. UFED 4PC: In the Activation Code field, enter the Activation code provided with the UFED 4PC kit. UFED Touch: In the Choose Serial Number field, select the UFED serial number displayed on the UFED Touch unit or UFED Touch License Activation screen. 8. Next, obtain your Computer ID (do not close the MyCellebrite page while performing this step). Start the application. The Cellebrite Product Licensing window appears. Click Copy to copy the Computer ID displayed in the window. Software license det
69. nicated with via phone calls, SMS and MMS. If the device user exchanged a large number of phone calls, SMS and emails with a certain contact, it is easy to see the volume of this communication. Communication events are listed by volume per type. The following communication events are supported. Phones: Lists outgoing, incoming and missed calls, and sent, received and draft SMS and MMS. Emails: Lists emails sent, received, drafts, and emails of unknown status. WhatsApp: Lists messages sent, received and drafts. Skype: Lists calls, SMS and chat messages. BlackBerry Messenger: Lists chat messages. Project analytics runs automatically when you open an extraction file. To view project analytics: 1. Click [icon] next to the Project Analytics tree item to view the analytics results displayed in the Project Analytics tree item. 2. Double-click the Project Analytics tree item to open a tab that displays the top five activities per contact. 3. To view a comparative overview of all communication events, double-click the Activity Analytics tree item. The view is sorted in descending order based on the total number of events. 4. To view the events by communication identifier, double-click the desired identifier tree item. 5. Click the column header to sort the information in
70. nt project. When you run a watch list from the project tree, you can select which watch lists to run on the project that you are currently working in. If you have more than one project open, the selected watch lists run on the project that you last clicked in in the project tree. 1. In the toolbar, click [icon]. A list of watch lists appears. 2. Select the watch list(s) that you want to run on the project you are currently working in. NOTE: A tick mark shows that the watch list is currently active for the project. 3. Click Apply on the project that is in focus in the project tree. NOTE: When you click [icon] from the toolbar, you can only run the watch list(s) on the project that you last clicked in in the project tree. UFED Logical Analyzer searches for keywords in the selected project(s). When complete, the watch list results appear in the Watch Lists tree item. If the watch list is assigned to only particular information types (see Creating a watch list, page 80), only matches to those types appear in the watch list results. 5.8 Bookmarking information (entity bookmarks). An entity bookmark is a quick reference pointer you can create on individual items: An Analyzed Data item, such as a call from the call log, a contact record, an email message, etc. See the Analyzed Data item in Project tree (page 44). A Data Files item, such as an image file, a video file, a text file and so on. See the Dat
71. nual. Connect your UFED unit to your PC using the UFED to PC cable U 441 provided in the UFED Standard and ruggedized kits. Your PC may prompt you to install drivers (refer to the UFED Touch User Manual). Figure 1: UFED to PC cable. 2. Connect the source device, using the appropriate cable, to the left USB port of the UFED device. 3. On the UFED unit: a. From the Main Menu, do one of the following: For a logical extraction, select Logical Extraction. For a file system extraction, select File System Extraction. b. Select the manufacturer of the device from the Select Model menu. c. Select the model of the device. 4. On the PC, click Start > UFED Logical Analyzer to open UFED Logical Analyzer. The UFED Logical Analyzer application opens. 5. Click the Read Data from UFED icon in the application toolbar. The UFED Downloader window appears. 6. In the Download path area, click [icon] and browse to the desired location for the extraction. Tip: Click Open Target Folder to display the content of the selected target folder. 7. On the UFED Touch unit, in the Select Extract Location screen, select PC. 8. F
72. of the opened file without the file extension. File path: The file system path to the file location. Device model: The identified device manufacturer and model, or BINARY if the opened file was a binary extraction. Case name: If the report was given a case name, the name is shown. The name can be defined in the project settings. Date and time: The date and time stamp in which the file was last opened. Browse link: A direct link to the file in the system. Remove recent item: Click to remove the item from the Welcome tab. You can do the following: Click on a framed item to open the files for decoding. Click Browse to go directly to the file associated with it in the file system. Close the Welcome tab. To reopen it, go to View > Show Welcome. 4.2.2 Extraction summary tab. The Extraction Summary tab is displayed automatically whenever you open a new extraction for analysis. (Screenshot: Extraction Summary tab for an iPhone 2G 3G 3GS extraction, listing the report type, extraction start and end date/time, connection type, selected manufacturer, selected device name, unit version, unit identifier and detected model.)
73. ollow the prompts in the UFED Touch unit until prompted to start the download procedure. 9. On the PC, in UFED Logical Analyzer, click Start in the UFED Downloader window. The data transfer from the device to the PC starts. (Screenshot: UFED Downloader window showing download progress.) During the extraction process, the Extraction in Progress screen appears on the UFED unit. On the UFED unit, you are prompted to select the types of multimedia to include in the extraction. (Screenshot: Multimedia Selection screen, Please select multimedia types to transfer.)
74. om text to appear in the report header before the logo image.
   Logo: Click Select Image File to add the logo image to appear in the report header. Supported file formats are BMP, JPG, GIF and PNG.
   Logo Footer: Enter and format custom text to appear in the report footer after the logo image.
   Show totals for items not in the report: Add a Total column to the report that displays the total number of items that were excluded from the report.
   Show extended deleted state: Include the state (Intact, Deleted or Unknown) of deleted items in the generated report. When not selected, logs only the state of deleted items as Yes, and is left empty for other states.
   Number of lines for email preview: Set the maximum number of lines from each email message to appear in the report.
   Display full email body: Display the entire message body.
   Chapter 9 Generating a report
   Number of messages per chat: Set the maximum number of messages per chat message to appear in the report.
   Display all chat messages: Display all chat messages in the report.
   Font Family (for PDF reports only)
   Split HTML report (for HTML reports only): Ensure that each section of the report starts on a new page.
   b. Excel (all formats) and ODS report
   • The excel report is compatible with OpenOffice: Select to ensure the Excel report can be opened in OpenOffice.
   • Generate Contact Identification Data: Select to add a sheet to the Excel report that provides a list
75. omatically located. When the dongle is recognized by the operating system, the application can read the license.
   2. Start UFED Logical Analyzer. Congratulations, your application is now ready.
   [Figure: UFED Dongle]
   If a license dongle is not found:
   1. When starting for the first time, or when a license dongle is not found, the Cellebrite Product Licensing window appears.
   [Screenshot: Cellebrite Product Licensing window, showing "Dongle not found. To use the product with a dongle license, plug in the dongle to your computer."]
   2. If you connected the dongle to a USB port on your computer and it still does not work, contact support@cellebrite.com.
   NOTE: The HASP dongle drivers must be installed in order to use a hardware license key. If the drivers were not installed during the UFED software installation process, you can run the installation process again and select Install HASP Dongle Drivers at the end of the process.
   2.1.3.3 Using the application with a software license
   The first time you open the application, you must activate the license.
   To use UFED Logical Analyzer with a software license:
   1. Go to the following link: https my cellebrite com logicala
76. [Screenshot: Device Languages dialog. "Choose up to 5 languages for translating decoded data. Tip: If you want to translate to a language other than English, you should select it as well. You cannot change a language after saving, but you don't have to choose all 5 right now."]
   3. Select up to five translation languages and click Next. The following window appears. For additional languages, click Need more languages and complete the form.
   Chapter 6 Translating decoded data
   [Screenshot: Device Languages dialog. Selected Languages: Dutch, German, Italian. "Please note: You cannot change a language after saving."]
   4. Click Save. The following window appears.
   [Screenshot: Device Languages dialog. "What's next? 1. Update the license for your product. 2. Download the language pack. You don't need to do this if you installed it on this product before."]
   5. Update the license for the product and download the language package.
   After updating your product license with the selected languages, you can use the following procedure to view the languages included in the translation license.
   To view the translation license languages:
   • Select Tools > Translation > Show supported languages. The fol
77. our chosen location. You can save it locally on the computer, or to any removable storage device, or to a network location.
   [Screenshot: iOS Advanced Logical, "Choose where to save the extraction" (Connect > Prepare > Extract data)]
   Chapter 10 Performing extractions
   6. Click Next to continue.
   7. A progress bar will be shown. Wait for the extraction process to complete.
   [Screenshot: Extraction in progress and Extraction completed screens]
   NOTE: The duration varies depending on the extraction method, the device model, the amount of data on the device, the extracting computer and other parameters.
   The advanced logical extraction is saved to the selected location as a UFD file and a TAR file. Open the advanced logical extraction in UFED Logical Analyzer to access all extracted information.
   8. Select one of the following options:
   • Open in UFED Analyzer: Loads the extraction file in UFED Logical Analyzer.
   • Open file location: Opens the folder that contains the extraction files.
   • Back to start: Returns to the extraction methods screen.
   • Finish: Close iOS Device Extraction.
   Chapter 11 Camera and screenshot evidence
78. ox so that the translation will not appear when you translate text. To see the translation, select View translated.
   To translate decoded data:
   1. Click to select the data that you want to translate.
   [Screenshot: selected source text, "Überprüfung in verschiedenen Sprachen"]
   2. Click the Translate button, or right-click and select Translate selected, or click [icon] and then select one of the following options:
   • Translate all: Translate all entries in the specified view.
   • Translate selected: Translate the selected text only.
   NOTE: If required, use the Delete translation option to delete the translated text.
   The translated text is indicated by a yellow bar.
   [Screenshot: translated text, "Checkup of different languages"]
   To view the original text:
   3. Right-click the text and select View source, or click the View source button. The original text is indicated by a gray bar.
   [Screenshot: original text, "Überprüfung in verschiedenen Sprachen"]
   To filter text:
   • Click [icon] and then select one of the following options:
   • All, to display all text.
   • Translated, to display text that has been translated.
   • Not translated, to display text that has not been translated.
   6.2.4 Reporting
   When creating reports or exporting data, you can specify whether to include the translated text or not. If you choose to display the translated text within the report, the summary table will include an additional entry called Translated languages w
79. pe
   1. In the Data Files settings, click [icon]. A new row is added to the list.
   2. Select Active to display the added data type in the Data Type tree item.
   3. Click in the new row's Description box and type a file type description.
   4. If applicable, in the Extensions box, enter the file extensions commonly used by your data file type in the format xxx and separated by
   Chapter 12 Settings
   5. If applicable, in the Signature filter box, click [icon] and do any of the following:
   [Screenshot: Data Signature Dialog with the columns Use, Name, Header and Footer]
      JPG Files: header \xFF\xD8, footer \xFF\xD9
      PNG Files: header \x89PNG
      BMP Files: header BM
      GIF Files: header GIF8
   • Click [icon] to add a filtering signature that identifies your data file type.
   • Click [icon] to edit an existing signature filter.
   • Click [icon] to delete a signature filter.
   6. If applicable, click in the Tag As box, click [icon] and select a tag name from the list.
   7. To change the order of the data file types, use the arrows.
   8. To clear the list of data file types you added, leaving only the default types, click Restore default.
   12.2.2.2 Editing an existing data file record
   1. Click the row of the data file type that you want to edit.
   2. Double-click in the column and row that you want to change, and update the existing settings as desired.
   12.2.2.3 Deleting a data file type
   1. Click the row of the data file type that you want to delete.
   2. Click [icon].
80. [Screenshot: report settings dialog with General fields (File name, Save to, Report sub-directory, Project, Format) and Case Information fields (Case number, Case name, Evidence number, Examiner name, Department, Location, Notes)]
   6. In the format field, choose which of the available formats you want for the report. More than one format can be chosen, and a report for each format will be generated.
   [Screenshot: Format list showing Word report, Excel Workbook (xlsx), Open Document spreadsheet (ods), Excel 97-2003 (xls), HTML Report, PDF Report, UFED Report Package and XML Report]
   7. In the case information fields, you can provide the following: Case number, Case name, Evidence number, Examiner name, Departmen
81. r in the main UFED Physical Analyzer directory, copy the BitDefenderUpdater directory to an external storage device.
   2. Transfer the BitDefenderUpdater directory to a computer that has internet connection without proxy settings.
   3. In the BitDefenderUpdater directory, double-click Malware Definitions Downloader.exe.
   Chapter 8 Scanning for malware
   [Screenshot: Malware Definitions Downloader. "Ready to download malware definitions. There are new malware definitions. Click Download to start downloading the definitions. They will be stored in the same location as the Downloader." Options: 32 Bit, 64 Bit]
   4. Select the computer operating system of the computer on which UFED Physical Analyzer is installed.
   5. Click Download.
   [Screenshot: Malware Definitions Downloader. "Download completed successfully. Copy the definitions file to a storage device (if it's not already on one), connect it back to the computer running Physical Analyzer and continue there."]
   6. Click Open containing folder.
   7. Copy the definitions.msd file to an external storage device and transfer it to the computer on which UFED Physical Analyzer is installed.
   8. Click Close to close the Malware Definitions Downloader.
   NOTE: To streamline your workflow and save time, it is recommended that you always use the same computer to downlo
82. ractions
   10.1 Performing advanced logical extraction
   10.1.1 Performing advanced logical [illegible]
   Chapter 11 Camera and screenshot evidence
   Chapter 12 Settings
   12.1 General settings
   12.2 Data files
   12.2.1 Data files filtering methods
   12.2.2 Managing data files settings
   12.3 Additional report fields
   12.3.1 Adding a new report field
   12.3.2 Deleting a report field
   12.3.3 Editing a report field
   12.4 Report defaults
   12.5 Saving settings
   12.6 [illegible]
   12.7 Setting project settings
   12.7.1 Setting a unified time zone for the project
   12.7.2 Setting the case information
   Chapter 13 Reference
   13.1 File menu
   13.2 View menu
   13.2.1 Viewing the trace window
   13.3 [illegible]
   13.4 Extract menu
   13.5 Report menu
83. [Screenshot: General settings, including Views (Check all entities by default), Map (Use maps) and Decoding (Recover deleted data via carving from unallocated space)]
   To set the interface language of UFED Logical Analyzer:
   • In the Language list, select the desired language.
   To set the translation language:
   • Select the Translation Language. That is the language to which you want to translate the text. You can only select one Translation Language. To request additional translation languages, select Get more languages.
   • Select the Show translation language by default check box to display translations by default. Clear this check box so that the translation will not appear when you translate text. To see the translation, select View translated.
   To shift timestamps to a particular time zone:
   1. From the Time zone settings (UTC) list, select:
   • Original UTC value, to show time stamps as recorded, without unification.
   • One of the time zones (UTC-12:00 to UTC+13:00), to recalculate network-defined time stamps according to the time zone offset.
   2. To change the start and end dates for daylight saving time, click Daylight Saving Time. For more information on how to change the time zone settings, see Setting a unified time zone for the project (page 170).
   To set the encoding and separator of exported CSV files:
   1. In the Export area, select the desired encoding option from the Encoding list.
   2. Select t
84. 2.1 Installing UFED Logical Analyzer
   2.1.1 System requirements
   running at 1.6 GHz or higher
   Microsoft Windows Vista, Windows 7 or Windows 8
   Memory (RAM), Recommended / Minimum: 4GB 4GB 8GB 4GB
   Space requirements: 500 MB of free disk space for installation
   Additional requirements: Microsoft .Net version 4.0
   NOTE: Windows XP 64 bit requires installation of a .Net 2.0 hotfix, NDP20-KB913384-X64.exe, from http://archive.msdn.microsoft.com/KB913384/Release/ProjectReleases.aspx?ReleaseId=771. By February 28, 2015, the UFED Series will no longer support Windows XP.
   Permissions: If you intend to activate the application using a hardware license key (dongle) provided by Cellebrite, you must have administrative rights over the computer.
   NOTE: To enable extraction to a PC with Windows Vista Operating System, follow the procedure in Enabling connectivity with Windows Vista (page 27).
   2.1.2 Software installation
   2.1.2.1 Obtaining a copy of UFED Logical Analyzer
   A copy of the latest UFED Logical Analyzer application installer can be obtained from the following sources:
   • Downloaded from the MyCellebrite site
   • Downloaded from the link provided in the release notes
   2.1.2.2 Installing UFED Logical Analyzer
   NOTE: Before you begin, ensure that cable U 441 is not attached to your computer.
   1. Double-click the setup file. Select Se
85. 13.6 Help menu
   Chapter 1 Introduction
   Welcome to UFED Logical Analyzer. UFED Logical Analyzer is an application that reads UFED files: UFED dump files (.ufd) and UFED report (.xml) files created as part of the logical extraction, and UFED report package (.ufdr) generated from analyzed data of a logical extraction by UFED Logical Analyzer.
   UFED Logical is made up of two components:
   • The UFED device with Logical modules, used to create logical extraction from mobile devices or SIM cards, which can then be saved to a USB disk drive, SD memory card or directly to your PC.
   • UFED Logical Analyzer application, which enables investigators to perform in-depth analysis of data extracted as part of a logical extraction.
   The UFED Logical workflow consists of two steps:
   • Logical extraction using the UFED hardware
   • Analysis and reporting using UFED Logical Analyzer
   UFED Logical Analyzer enables you to open UFED reports, perform your own search and analysis on the analyzed information, and perform actions such as search, generate reports, create entity bookmarks and more.
   Chapter 2 Installation and activation
   This chapter describes the installation and activation process of UFED Logical Analyzer on your PC.
86. t, Location.
   NOTE: For default settings for these fields, see Setting the case information (page 173). See Additional report fields (page 157) and Report defaults (page 161) for other defaults. Additionally, the last 10 values entered in these fields are also available in the drop-down.
   8. Your form should now look like this example:
   [Screenshot: report settings dialog with the General and Case Information fields filled in with example values]
   9. From the following screen, select the data to include in the report.
   [Screenshot: Report Dataset screen listing the data types that can be selected for the report, with a Select/Deselect All option and a text filter box]
87. ta including call logs, SMSs, MMSs, emails, applications data and locations (Method 3, recommended).
   For a jailbroken encrypted iOS device, this screen is displayed:
   [Screenshot: iOS Advanced Logical, "Choose an extraction method" (Connect > Prepare > Extract data). "The device (iPhone with iOS 4.0.2) is jailbroken and iTunes backup is encrypted. The data extracted by each method will vary based on the device model and iOS version."]
      Method 1: Extraction of a rich set of data including call logs, SMSs, MMSs, applications data, data files and notes. The decoding process will require the password for iTunes backup.
      Method 2: Extraction of a rich set of data including SMSs, MMSs, applications data and data files. Some data types are not extracted. Extended extraction time.
      Method 3: Extraction of the richest set of data including call logs, SMSs, MMSs, emails, applications data and locations. Recommended.
   For a non-jailbroken encrypted iOS device, this screen is displayed:
   [Screenshot: iOS Advanced Logical, "Choose an extraction method" (Connect > Prepare > Extract data). "The iTunes backup of this device (iPod with iOS 4.3.5) is encrypted. The data extracted by each method will vary based on the device mod
88. ted decoded data.
   5.7.1 Creating a watch list
   1. Do one of the following:
   • In the toolbar, click [icon].
   • In the Tools menu, select Watch List Editor.
   The Watch List Editor appears.
   [Screenshot: Watch List Editor]
   2. Click [icon] and select New.
   [Screenshot: new watch list with the Enter description and Enter text to filter boxes]
   3. In the Watch list name box, enter a name for the watch list.
   4. To set the watch list to find keywords only in data types in the project, click Find in and select the desired data types.
   [Screenshot: Find in list of Analyzed Data types: SMS Messages, Web Bookmarks, Chats, Contacts, Call Log, Emails, Calendar, Locations, Journeys, Instant Messages, GPS Fixes, MMS Messages, Log Entries, Bluetooth Devices, Notes, Web History, Cookies, Application Usage]
   When you run the watch list, only selected data types are checked for matches.
   5. In the Enter description box, enter a general description for the watch list (optional).
   6. To set the watch list to run automatically when you open projects, click Auto activate.
   7. Click New to add a new keyword. A new keyword row appears in the Keywords list.
   8. For each keyword, set the following as desired: Entry Val
89. the column.
   NOTE: Project analysis information can be included in a report. For more information, see Generating a report.
   Chapter 8 Scanning for malware
   Run malware detection on your extraction to search for malware. When you scan for malware, UFED Physical Analyzer uses the last used signature database. If this is the first time you are using the malware scanner, or if you want to update the database before you scan, follow the steps in Updating the signature database online (page 110). If you are working on a computer without an internet connection, follow the steps in Updating the signature database from file offline (page 112).
   1. Select Tools > Malware Scanner > Scan Malware, or click [icon].
   [Screenshot: Malware Scanner dialog listing file systems to scan. "The definitions database was last updated on 11-Oct-12 12:50 PM."]
   2. Select the file system(s) that you want to scan and click Scan.
   UFED Physical Analyzer scans the project for malware. The results are displayed under the Malware Scanner tree item.
   3. Double-click the Malware Scanner tree item to open a data display tab. The data shown includes the malware type and malware information, such as the name.
   • To include the results in a report, select Infected Files in the Report Dataset area. For more information, see Error! Reference source not found.
   8.1 Updating the signature databas
90. the following:
   • In the project Extraction Summary tab, click Project settings.
   • Click [icon].
   2. Click Case Information.
   [Screenshot: Case Information settings with the columns Name, Required and Default Value, the default fields Case number, Case name, Evidence number and Notes, and the Add New and Restore default settings buttons]
   3. Click Add New. Some case information fields appear by default.
   4. Set the parameters for the default information fields:
   a. In the Name column, enter the relevant information, for example case number, name or notes.
   b. Select Required if this field must be filled.
   c. In the Type list, select one of the following:
      String, for text entry fields.
      List, for a specified list of options.
   d. In the Default Value box, set the default content:
      For String type, type the default string. For a multi-line string, click [icon], enter the default string in the Option Editor, then click OK.
      For a List type, click [icon], enter the list items with each item on a separate line, then click OK.
   5. To add more information fields, click Add New and repeat step 3.
   6. To remove the custom entries, click [icon].
   7. To restore the default settings, click Restore default settings.
   Chapter 13 Reference
   13.1 File menu
   Open Recent Close Save Project Session Load Project Session Exit
   13.2 View menu
   Show
91. ting to sort the items according to the selected sorting field and the sorting order (ascending or descending) that was set by the user in each of the data display tables.
   Calculate SHA-2 (256 bit) hash and Calculate MD5 (128 bit) hash: Select which calculated MD5 and SHA256 hash keys to add to each Data Files item in the generated report. Do not select these options to shorten the report generation process of large projects.
   Include translations: Select to include any translated text in the report.
   Disable models categorization: Select to disable the separation and generate a report in which every data item is generated as a single section, without subcategories separation. By default, a categorized report is generated, in which each category in the data items group is generated as a separate section in the report. For example, when generating a report with SMS, select the check box to generate the SMS messages as a single list, or clear the check box to break it to a separate list for each category of SMS messages (Inbox, Outbox, Drafts, etc.).
   Logo Header: Enter and format custom text to appear in the report header before the logo image.
   Logo: Click Select Image File to add the logo image to appear in the report header. Supported file formats are BMP, JPG, GIF and PNG.
   Logo Footer: Enter and format custom text to appear in the report footer after the logo image.
   Show totals for items not
92. tup Language.
   2. Select the desired language and click OK to continue.
   [Screenshot: Welcome to the UFED Logical Analyzer Setup Wizard. "This will install Cellebrite UFED Logical Analyzer 3.5 on your computer."]
   3. Click Next.
   [Screenshot: License Agreement page of the setup wizard]
   4. Select I accept the agreement and click Next.
   [Screenshot: Select Destination Location page of the setup wizard]
93. ue: Enter the keyword.
   Match case: Select to match the case of the keyword.
   Whole word: Select to match the whole keyword.
   Color: Click and select the color you want matched keywords to be shown in.
   9. Do one of the following:
   • Click Apply to save the watch list and keep the Watch List Editor open.
   • Click OK to save the watch list and close the Watch List Editor.
   • Click Cancel to close the Watch List Editor without saving your changes.
   5.7.2 Editing a watch list
   1. In the Watch List Editor, select the watch list that you want to edit.
   2. Edit the watch list parameters and keywords that you want to change.
   3. To filter the keyword list to locate a particular keyword, type the keyword in the Enter text to filter box.
   4. To edit a keyword, click the relevant keyword in the list and make the desired changes.
   5. To delete a keyword, click [icon].
   6. When you have finished making changes, do one of the following:
   • Click Apply to save the watch list and keep the Watch List Editor open.
   • Click OK to save the watch list and close the Watch List Editor.
   • Click Cancel to close the Watch List Editor without saving your changes.
   5.7.3 Importing a watch list
   The export and import functions enable you to share watch lists and receive watch lists from your colleagues. Import existing watch lists (csv files) that were saved from or created by UFED Logical Analyzer. You can also import a CSV file
94. ve
   • For a List type, click [icon], enter the list items with each item on a separate line, then click Save.
   12.3.2 Deleting a report field
   • To delete a report field, click [icon].
   12.3.3 Editing a report field
   • To edit a report field, perform steps 2-5 of Adding a new report field (page 158), changing the parameters to suit your needs.
   12.4 Report defaults
   The Report Defaults settings enable you to edit the report presentation.
   [Screenshot: Report Defaults settings, showing Default folder, Default sorting, Calculate SHA-2 (256 bit) hash, Calculate MD5 (128 bit) hash, Include translations, Disable models categorization, Logo Header and Logo]
   NOTE: Scroll down to see all the fields.
   1. In the Report type list, select the report type that you want to edit.
   2. For Excel reports, set the following:
   Default folder: Enter the path to the folder where you want to save reports you generate for this report type.
   Select Default sorting to sort the items included in the generated report according to the default sorting set by Cellebrite for each of the Analyzed and Data file types, or c